Fixing ALL login issues for web service logins with SQRL

In the past couple of years we've become accustomed to weekly news of large-scale username and password thefts at major web services. Because many people use very weak passwords that can be cracked in seconds, and because many reuse the same password across many web services, usernames and passwords have become very insecure. In addition, viruses and Trojan horses try to grab username and password combinations directly on PCs to get access to banking web sites and other high-value targets. To me it looks like the situation is getting more and more out of control. While two-factor authentication (e.g. an SMS with an additional code sent by the bank before a transaction is made) fixes some of the issues for some web services, it's too cumbersome for everyday logins. But now Steve Gibson, famous for his SpinRite product and perhaps even more for his weekly Security Now podcast, has come up with a solution that fixes all of this. Too good to be true? I thought so, too, at first, but it seems he's really figured it out.

The core of his solution, which he has named SQRL (Secure QR Code Login), is that web services no longer store usernames and passwords but just a public key that the user sent when he first registered with the web site. For login, the web site sends a random number (a nonce) and the client signs it with the user's secret key to generate the response. On the web service's side the signature is verified with the public key stored during the initial registration. Note that this is a signature check, not a decryption: the server never has to hold anything it needs to keep secret. In other words, the secret is no longer in the hands of the web service but in the hands of the user. That means there is no longer a password database with millions of entries worth stealing on the web service's side; a stolen list of public keys lets an attacker log in nowhere. As each web service gets a different public key with the SQRL method and a different random number is used for each login, there's no leakage between services as there is today when people use the same username and password for different sites to make their lives simpler, and a captured response can't be replayed against a later login either. Also not to be underestimated is the advantage that no password has to be typed in, which fixes the problem that easy-to-remember and easy-to-crack passwords are used. The flip side, of course, is that everything now hangs on the one secret key on the user's device, which has to be protected and backed up with corresponding care.

On the client side the use of SQRL is straightforward. Either a smartphone is used to scan a QR code on the login page for an out-of-band authentication, which is the most secure way to access a web service provided the secret key can be stored securely on the mobile device, or a browser plugin detects that a web service offers SQRL login and automatically generates the response.
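To make the exchange described above concrete, here is a small added example in Go using only the standard library. It is my own illustration, not Steve's implementation or the SQRL specification: the real protocol has its own message encoding and key derivation scheme. The example assumes HMAC-SHA256 of the site's domain name under the user's master secret as the per-site key derivation and Ed25519 for the signatures; the site names and the master secret are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// siteKeyPair derives a deterministic per-site Ed25519 key pair from the
// user's master secret and the site's domain name. Every site therefore sees
// a different public key and no two sites can correlate a user.
// Assumption: HMAC-SHA256 as the derivation function (the real SQRL spec
// has its own scheme; this is illustrative only).
func siteKeyPair(master []byte, domain string) (ed25519.PublicKey, ed25519.PrivateKey) {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte(domain))
	seed := mac.Sum(nil) // 32 bytes, which is exactly ed25519.SeedSize
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// Server stands in for one web service. It stores public keys only; there is
// no password hash or shared secret in its database worth stealing.
type Server struct {
	Domain string
	users  map[string]ed25519.PublicKey // hex(public key) -> public key
}

func NewServer(domain string) *Server {
	return &Server{Domain: domain, users: map[string]ed25519.PublicKey{}}
}

// Register is the one-time enrolment: the client hands over its per-site public key.
func (s *Server) Register(pub ed25519.PublicKey) {
	s.users[hex.EncodeToString(pub)] = pub
}

// Challenge issues the fresh random number for one login attempt; in SQRL it
// travels inside the QR code on the login page.
func (s *Server) Challenge() []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // no usable randomness: refuse to issue a challenge
	}
	return nonce
}

// Verify accepts a login only if sig is a valid signature over exactly the
// nonce the server issued, made by a key it knows. It is a signature check,
// not a decryption: the server holds nothing it needs to keep secret.
func (s *Server) Verify(pub ed25519.PublicKey, nonce, sig []byte) error {
	stored, ok := s.users[hex.EncodeToString(pub)]
	if !ok {
		return errors.New("unknown public key")
	}
	if !ed25519.Verify(stored, nonce, sig) {
		return errors.New("signature does not match this challenge")
	}
	return nil
}

// Respond is the client side: rederive the per-site key and sign the nonce.
// The master secret never leaves this function, let alone the device.
func Respond(master []byte, domain string, nonce []byte) (ed25519.PublicKey, []byte) {
	pub, priv := siteKeyPair(master, domain)
	return pub, ed25519.Sign(priv, nonce)
}

func main() {
	// Constructed master secret for the demo; a real client generates it randomly.
	master := []byte("constructed-master-secret-for-this-demo")
	bank := NewServer("bank.example")
	shop := NewServer("shop.example")

	// Registration: each site receives only its own public key.
	bankPub, _ := siteKeyPair(master, bank.Domain)
	shopPub, _ := siteKeyPair(master, shop.Domain)
	bank.Register(bankPub)
	shop.Register(shopPub)
	fmt.Println("different key per site:", !bytes.Equal(bankPub, shopPub))

	// Login: the client signs the fresh challenge.
	nonce := bank.Challenge()
	pub, sig := Respond(master, bank.Domain, nonce)
	fmt.Println("login accepted:        ", bank.Verify(pub, nonce, sig) == nil)

	// A captured response is useless against the next challenge.
	fmt.Println("replay rejected:       ", bank.Verify(pub, bank.Challenge(), sig) != nil)

	// A database stolen from the shop gives the attacker nothing at the bank.
	fmt.Println("shop's key rejected:   ", bank.Verify(shopPub, nonce, sig) != nil)
}
```

The four checks in main are the four properties the post claims: per-site keys, a server that only ever verifies, no replay because every login gets a fresh nonce, and a breach at one site that is worthless at another. What the code also makes visible is where the risk moved to: the single master secret, which the client must store and back up safely.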

For more, head over to Steve's page that explains the details, or listen to the podcast/videocast on the topic, where he introduces SQRL starting at around 38 minutes in. I am amazed and very enthusiastic about it and hope we'll see implementations of this in the wild soon.

First Multi-Frequency LTE Networks Observed in the Wild

While LTE roaming and LTE for prepaid SIMs are still not really a reality, I was positively surprised to see that a number of network operators are already deploying LTE on several frequency bands. This is unlike UMTS, which most network operators have only deployed in one band at any one location (yes, there are a few exceptions, but not many).

One multi-frequency LTE deployment I have recently observed, with my inexpensive layer 1 scanner solution (for details see here and here), is the Vodafone LTE network in Den Haag in the Netherlands, where LTE is active in the 800 MHz digital dividend band as well as in the 1800 MHz band. Add to that the capacity of their 3G network in the 2.1 GHz band and it's a fair assumption they won't run out of capacity any time soon.

And the second deployment I have observed is China Mobile Hong Kong. This one is very interesting. In the 1800 MHz band they have deployed a 3 MHz carrier (!!), while further up the frequency dial they are on air with a 15 MHz carrier in the 2.6 GHz band. As 3 MHz isn't really all that much, I wonder if that 3 MHz carrier will still be on air a year or two down the road, when not only most but all LTE-capable phones that support the 1800 MHz band also support the 2600 MHz band. Another option would of course be to get some additional 1800 MHz spectrum and then increase the bandwidth. But I'm not into Hong Kong spectrum assignment details, so I don't know if that's an option for them down the road.

How To Get A SIM For Internet Access At Hong Kong Airport

I've been to Hong Kong recently, and as I like to try out local networks and also to have a plan B in case the hotel Wi-Fi is crappy, I wanted to buy a SIM card of one of the local network operators at Hong Kong airport. It turns out that Hong Kong is one of the places where it's quite easy to get a SIM at the airport. A Google search brought me to this recent blog entry that describes a number of options.

The blog entry recommended One2Free, an MVNO on the CSL network, which offers a weekly all-you-can-eat data plan on a prepaid SIM for 79 Hong Kong dollars, around €8. Getting the SIM card took me about 10 minutes, and in the five days I was in Hong Kong I almost burned through a gigabyte of data for everything from email to Skype video calling without the connection being throttled at any point. Data rates were o.k., with up- and downlink speeds in the 3-4 Mbit/s range, thanks in part to the CSL in-house coverage in my hotel.

And it turned out that I was in dire need of a plan B, as the hotel Wi-Fi network was slow in the evening, to put it positively, and in addition my company VPN couldn't connect through that network. A colleague from another company had a similar problem. Over the CSL 3G connection the VPN worked just fine. I'd say those were 10 very worthwhile minutes at the airport.

I’m Now Also Disabling 2G For Data – I Need a ‘3G/4G-Only’ Switch

If smartphone user interface designers are reading this blog, I have a feature request: I need a '3G/4G only' switch in the settings to disable GSM while leaving the device the option to roam between UMTS and LTE. Let me explain:

Last year I decided to set the smartphone I use for voice and small-screen web browsing to '3G only' mode to prevent fallback to GSM, as HD-Voice (WB-AMR) continues to be deployed only in 3G, and dropping to GSM during a call results in noticeably worse speech quality. Also, I like receiving my emails during lengthy conference calls and sometimes look up some background information on the web, which is also blocked after a fallback to 2G. And air interface security is better on 3G: UMTS authenticates the network to the phone and not just the phone to the network, so a fake base station can't simply take over the connection, and its encryption is far stronger than GSM's A5/1, which can be broken with off-the-shelf hardware. A '3G only' setting also removes the downgrade-to-GSM path that such attacks rely on. So far, so good, this works well.

For data connectivity for my notebook on the daily commute and on longer train trips I use Wi-Fi tethering to another device that is LTE capable. Unfortunately, LTE is not as widespread as 3G yet, so I have the network type selection set to 2G/3G/4G. This way I get LTE when it's available in stationary places and 3G on the train, as LTE coverage is still somewhat patchy. Once on UMTS, the device is then stuck there for the rest of the trip, because there is currently no way to get from UMTS to LTE while in Cell-DCH state. But it's still multi-megabits per second, so no real complaints here for the moment. Not so good, however, is that the connection sometimes even drops to GSM, and then it takes quite a while to get back to UMTS, as the device is busy transmitting data and has only little time to search for a reappearing UMTS network. But these days GPRS or EDGE are almost unusable for the amount of data I consume on the notebook, so I wonder if that fallback still makes sense.

Therefore I'd rather have the Wi-Fi hotspot device not fall back to GSM at all and just 'ride out' the temporary lack of UMTS coverage, as I have the impression that the device finds the UMTS network again much faster that way. Obviously I can set the device to UMTS-only mode just like my smartphone, but then I disable LTE as well, which I really like in stationary places due to the much faster uplink compared to UMTS. In other words, I'd really like to see a 'UMTS/LTE only' mode setting.

Anti-Noise Headset for the Mobile Traveler

I spend a lot of time commuting and traveling to faraway places, so I spend a lot of time in trains, cars and planes. Especially in cars and planes I usually make good use of the time by reading or writing something, such as this blog entry, for example. But there's one thing usually in the way, and that's the noise made by the vehicle itself, by frequent (useless) announcements and by other travelers as well. Up to a certain level I can ignore it and get on with whatever I do. But at some point, especially when people close to me start talking, my concentration is usually gone. Earplugs help somewhat, but only to a certain extent. I've long wished for noise-canceling headsets to go further. I had some in the past, but they had limited effect, and when I lost the plastic ear plugs and couldn't get replacements I never ventured into this area again. Then recently I read a number of raving reports in several places about the new Bose QC20 in-ear noise-canceling headsets. To say they were positive would be an understatement, so I couldn't wait for them to become generally available (looks like the Bose PR department has done its job well).

What's definitely not an understatement is the price. 300 Euros is a tough number, but for really good noise suppression I was willing to spend the money. So I got myself a QC20 and swallowed hard when swiping the credit card through the reader, ah, no, actually when clicking on the "One Click To Buy" button online.

Needless to say I couldn't wait for them to arrive to give them an instant test. Amazing: when pressing the silence button, the external environment in trains, train stations and the office just goes away. If a person nearby speaks loudly, a little extra music in addition to the noise suppression makes that sound go away, too. Incredible.

The other thing that always bothered me about in-ear headsets is that they get uncomfortable after a while. The QC20, however, is not really an in-ear headset, as it is not held by pressing something into the ear canal. Instead, it fixes itself to the ear with a plastic hold that fits inside the ear cup. Perfect, I've worn them for several hours a day over several days now and they never hurt a bit, not even after many hours at a stretch.

And finally, when not suppressing the noise, the headset still analyzes the sound environment and compensates for the plastic isolation over the ear. This is great because without it, just like with other in-ear headsets, the external environment sounds artificial and I get a strange and uncomfortable feeling when I speak myself, as a blocked ear canal has a strange effect on one's own voice. The compensation works great and it almost feels like not having earplugs in at all when switching to "listen to the outside world" mode.

I have high hopes for my next plane trips as well. On intercontinental flights, current 'over-ear' headsets were of little use to me as one can't sleep on the side with them. With the QC20 in-ear, or rather on-ear, headset it might just be possible now.

Despite the super high price of the headset I am still full of praise for it; traveling and working in noisy office environments has become very different. Let's see how this story develops and what I think about the headset in a couple of months.

Why Open Source Has Become A Must For Me

While the Internet is doubtlessly a great invention and I wouldn't want to miss it in my daily life anymore, there are certainly downsides to it. Last year I summarized them in a post titled „The Anti-Freedom Side Of The Internet“. While I have found solutions for some of the issues I discussed there, such as privacy issues around remotely hosted cloud services, I touched one topic too lightly that has become much more apparent to me since then: the changing business models and the way software companies interact with their customers, which is not necessarily always to the advantage of the customers compared to pre-Internet times.

In pre-Internet times software was bought on disks or CDs and installed on a computer. For most commercial software you got a usage license with an unlimited duration, and the user was in control of the software and the installation process. Fast forward to today and the model has changed significantly. Software is now downloaded over the Internet and installed. The user's control over the process and over his privacy is largely gone, because most software now requires Internet connectivity to communicate with an activation server of some sort before it installs. While I can understand such a move from the software companies' point of view, I find it highly controversial from a user's point of view because there is no control over what kind of information is transmitted to the software company. Also, most software today frequently 'calls home' to ask for security and feature updates, and perhaps for other purposes as well. While this is good on the one hand to protect users, it is again a privacy issue because the computer frequently connects to other computers on the Internet in the background without the user's knowledge, without his consent and without his insight into what is transmitted. Again, no control over what kind of data is transmitted.

And with some software empires on the decline, a new, interesting license model not thought of in pre-Internet times is the annual subscription. Adobe is going down that path with Photoshop, and Microsoft wants to do the same thing with their Office suite: instead of selling a time-unlimited license once, they now want to sell time-limited licenses that have to be renewed once a year. Again, understandable from the software companies' point of view, as that ensures a steady income over the years. From a user's point of view I am not really sure, as that means there are yearly maintenance costs for software on computers at home that simply were not there before.

I wonder if that will actually accelerate the decline of those companies? If you buy software once, you are inclined to use it as long as possible and perhaps buy an update every now and then. But if you are faced with a subscription model where you have to pay once a year to keep that software activated, I wonder if at some point people are willing to try out alternatives. And alternatives there are, such as Gimp for graphics and of course LibreOffice.

Already today I see a lot of people using LibreOffice on their PCs and Macs, so that trend is definitely well underway. Perhaps it is also triggered by people no longer using a single device, which would require more than one paid license. Also, the increasing number of different file formats and versions makes sending a document to someone else for review and getting back a revision that is still formatted as before a gamble, so why stick to a particular program or version of a word processor?

In other words, Open Source is the solution in a world where the Internet allows software companies to assert more control over their customers than many of those customers are likely to want. Good riddance.

Have Turned Off Auto-Approval For Comments For The Moment

If you have commented in the past couple of days you have probably noticed that the comments are not published immediately anymore. Unfortunately I am getting a lot of spam comments at the moment that are not filtered out automatically. As it is less work to approve valid comments for the moment than to remove the spam I've decided to turn off auto-approval of comments. Sorry for the inconvenience, I'll turn it on again as soon as Typepad can handle the spamming…

Retiring the Dongle Dock

Being a frequent traveler, I was one of the first to wish for a product with which I could share a 3G connection over Wi-Fi. My first article about it dates back to 2006. It took another two years, however, until 2008, before one of the first easy-to-set-up devices appeared on the market: the Huawei D100, a Wi-Fi access point designed to establish an Internet connection over a separate 3G USB stick. Fortunately I was in Austria at the time and could buy an unlocked version for a few euros. I've used it frequently since then and it has become a mandatory travel accessory for me. Now in 2013, however, i.e. 5 years later, I am finally about to retire it.

Thanks to Android, Wi-Fi tethering has now become a standard feature of most smartphones, and despite having limits such as the number of concurrent Wi-Fi connections it supports, it is sufficient for my use. The range of the Wi-Fi chip in a smartphone is perhaps not as good as that of the D100, but in practice the distances I need to cover in hotel and meeting rooms are no problem for a smartphone. 5 years of use for a wireless device before it is retired is quite a thing. Back in 2008, the N95 was the latest and greatest in terms of technology, just to give you an idea of the timeframe we are talking about.

Impact of Virtual Machines on Idle Mode Power Consumption

Ever since I discovered the benefits of running virtual machines on my notebook for a variety of things, and how easy it is in practice, I usually have three of them running at the same time. Yes, three of them at the same time, and with 8 GB of RAM and Ubuntu as the host operating system the experience is quite seamless.

A second Ubuntu is usually running in one virtual machine so I can quickly try out things, install programs I only need for a short time and don't want lingering around on my system, and run a Tor-ified Firefox against the unfriendly eavesdropping of half the world's security services. Also, disabling the virtual network adapter and mapping a 3G USB stick or USB Wi-Fi stick directly into the virtual machine gives me a completely separate and independent second computer, with its own network path that doesn't touch the host's interfaces at all. Great for networking experiments. The other two machines usually run an instance of Windows XP or Windows 7 for programs that aren't natively available under Linux. There aren't a lot of those, but they do exist. As the VMs are usually not in the way, I start them but never terminate them unless I need to reboot the host. The only thing I noticed is that there is a power consumption impact.

When I was recently taking a long train trip I noticed that the remaining operating time indicated in the status bar was about one hour longer than usual. I was puzzled at first, but soon noticed that the difference was that I had rebooted the day before and hadn't needed a VM since. It's obvious that VMs have an idle power consumption impact, because instead of one operating system there are usually four performing their background operations during idle times on my notebook. So while I was surprised, I really shouldn't have been. But the takeaway from this is that I now know of a good way to increase the battery time in case I need it.

The Map On Paper In the Car On The Way Out

I always like to have a backup plan in place in case something goes wrong. For that reason I have kept a paper map of Europe in the car, just in case there's a problem with the maps and navigation app on my smartphone du jour. But recently I noticed that I can't remember when I last took it out!?

Honestly, I can't, and it must be close to 10 years since I last used it. This, the fact that the map must be pretty out of date by now anyway, and usually having more than one device with me these days that can run a navigation app make me think that the map is about to be discarded. Or perhaps I should keep it for historical reasons? The last paper map I bought…

Like telephone booths and coins that are fading away, it's one of those things that mobile devices, mobile voice and mobile Internet access have made superfluous. Can you remember the last time you used a paper map for navigation or orientation?