App security is really low

Web browsers have had since ages a small lock to tell their users when they were securely connected to a web server.

Apps, especially those for mobiles, do not expose this information. It is very difficult to know if they use proper encryption, or that they even check the validity of the encryption certificates (when using methods such as SSL or TLS). Without such encryption, user credentials (login and password) and the exchanged personal data can easily be snooped.

App makers should mandatorily use encryption for communication. And they should use certificates to make sure they connect to the expected server. And they should expose that to the user interface!

Mobile Security, Not Realy Usable, Not Really Secure

Yesterday I stumble upon a journalist opinion who think that current Yahoo! CEO, Marissa Mayer, is just a twerp when it comes to mobile security. I do not think we should qualify someone, even the CEO of an internet company like Yahoo!, of a twerp just because one does not use a pass-lock for its mobile phone.

Why mobile phone security is important?

It is certainly about money, one could use your phone/data connection, but you can easily/quickly close this gap (e.g. using Apple’s Find my iPhone, or some Android equivalents). The other thing that has value is the personal data within the phone. But this has value either in the numbers (smart phone data from thousands of users stolen could interest spammers and hoaxers, for sure) – but unlikely with one phone theft – or because you are a high-profile person or you want to use those data against its rightful owner (blackmail, defamation, etc.).

So yes, security is important for a mobile device.

Security vs. usability

But the usability and efficiency of the security features on mobile is awful! It gets into the way of quickly grabbing the phone and performing an action (urgent call, photo, etc.).

Which is why I understand that people do not want to use a pass-code or similar mechanism to access their phone. Most are cumbersome, they get in the way of easily/readily use the phone (that’s why I still carry a camera when I want to take pictures!). And their relative security is dubious. The PIN1 or gesture authentication mechanism can sometimes – and with the right tool – be read from the finger traces on the phone and/or could be brute force (I am convinced there are ways to do that automated).

Since a few weeks I have a smart phone. It is not a too old one, neither a brand new one, but it is a good smart phone. I got a Samsung Galaxy S (1st generation). I have tried several pass-lock, there is the ubiquitous 4 digits PIN, the swipe gesture, a password, a simple lock and nothing. Clearly, the two last options are the one usable! Out of the pseudo secure ones, only the PIN code seemed not too difficult to use. This is a great disappointment. I do not trust my phone to protect my data to the same extent I trust my computer. And the worst, it seems that making this better is not on the agenda of most manufacturers/mobile OS providers, unless you count the attempt by Apple to improve at least the usability side with the fingerprinting.

Fingerprinting is not the panacea in terms of security. But when properly implemented it is as secured as a PIN-lock and it does not get in the way of using the phone2. Furthermore, I am sure this technology will evolved and we can hope in the near future to have good-enough fingerprinting-lock technology which can surpass PIN-lock in terms of security.

 

  1. I still do not get why PIN pass-code system do not randomise the place of the numbers on the screen!?!
  2. This is my humble opinion, no hard facts. Others have better expressed their views on fingerprinting on mobile phone than I did.

Finally someone got it right regarding 64-bit performance increase:

It seems that the bulk of the A7’s performance gains do not come from any advantages inherent to a 64-bit architecture, but rather from the switch from the outdated ARMv7 instruction set to the newly-designed ARMv8. – iFixit iPhone 5s Teardown

64-bit architecture myths

I should start a video serie “fun with flags 64-bit theories”, but for now I will stick with only this short article. Here is the ironic part:

“There’s no shortage of pundits and self-described experts asserting that Apple’s shift to a 64-bit architecture is either a hoax, a pointless marketing ploy that will deliver no real benefit, or an inevitable shift that everyone will eventually follow anyway at some point, and therefore neither newsworthy nor deserving of any credit.” – for Apple Insider, Daniel Eran Dilger

The journalist then went on citing several Apple statements out of the iOS development guidelines. Considering those statements as true because aimed at developers. I guess that should be viewed as scientific proof ;-) You can read the full article though, it is not all bad, and better than many others I have recently read on the subject. But up to now, the most accurate comments on the new 64-bit ARM CPU for Apple’s iPhone 5s is from Anand. One of those statement is:

“When all apps running on the device are compiled for the 64-bit runtime, iOS never loads the 32-bit versions of those libraries, which means that the system uses less memory and launches apps more quickly,” – Apple

This is slightly marketing terms. A 64-bit apps is likely to use more memory than the same 32-bit counter part, most basic data types have had their size increased. But this is true that the 32-bit stack does not need to be loaded. There is an engineering trade-off to make per app: does the gain in memory consumption when switching to 64-bit exceeds the 32-bit stack footprint? But the author does not get that point and conclude that:

“The company also outlines why it will be beneficial for third party apps to release 64-bit versions of their titles for users, even if those apps don’t in themselves score massive gains from the move to 64-bits: the key result will be lower memory use for the end user.” – for Apple Insider, Daniel Eran Dilger

Lower memory use for the end user when 3rd party apps release 64-bit apps? That would be astonishing. If all 3rd party apps were 64-bit then there is no need for 32-bit stack, but I guess this stack represents a fraction of the overall available/used memory. Apple is also recognising this drawback of 64-bit systems as they state later on:

“Because so many fundamental types have increased in size, the 64-bit version of your app uses more memory than the 32-bit version does. (…) Expect to spend more time optimizing the performance of the 64-bit version of your app.” – Apple

But this is something the journalist blatently ignore.

Note: Moving from 32-bit to 64-bit does not mean you need twice the amount of memory. Not all data types have their size doubled, and apps can be refactor to use less demanding data types.

Then the stunt on the 64-bit memory model (either LP64, LLP64 or ILP64) is also a funny one. Really who cares unless you are a developer which has to use binary data or which needs to optimise an app for memory usage? Unix decided long ago to go the LP64 way (although I do not think all Unix flavour did follow it) after evaluation (performing a trade-off) severa criterias including portability, interoperability or performance. And Windows decided to go the LL64 way, which is not bad either. And regarding performance differences between those models, it only affects the memory pressure and depending on the application this can have no impact or some performance hit. And in this regard, Microsoft choices for Windows would limit the memory pressure when directly recompiling a 32-bit apps for 64-bit.

I am not going on to talk about the journalist speculations on Android move to 64-bit with its engineering and business chalenges. I fully agree that moving to 64-bit has its challenges, and then moving the apps ecosystem is another challenge of its own. But I do not think that moving the core of Android, including Dalvik, to 64-bit is as difficult as the author is implying at least from a pure technical stand. But like him, this is my gut feeling and I have nothing to base this statement on! Hence, I won’t talk about it.

Overall, this journalist, Daniel E. Dilger, is doing a better jobs than many other before him regarding the 64-bit transition which Apple is trying to do for its mobile ecosystem. But this article is clearly biaised towards Apple and in order to be so, the journalist has taken many shortcut and wrongly understood statements made for developers (not journalists!).

Note: I love Apple since many years, I have a MacBook and an iPad (and an iPod lying somewhere). But I am pationate about Linux since almost its inception, and thus I do have an old computer and several VMs running it. I also have an Android phone since recently. The only OS which I do not stand but forced to use (only for work) is Windows. So with this context in mind, I guess my opinions above are rather objective.

Continue reading “64-bit architecture myths”

64-bit chips are too much for a smartphone! Really?

After today’s Apple event, the press is on ebullition to report on it. One journalist at Gigaom has written an article on “Apple’s new 64-bit chip is too much for a smartphone, but great for a MacBook“, he explicitly stated the following:

For chip nerds the idea of 64-bit chip inside a smartphone is overkill. The benefits of a 64-bit chip is that is can take advantage of 4 gigabytes of addressable RAM, but most smartphones are barely hitting 2 or 3 GB of RAM today.

First, let’s correct his statement and then I will tell why I think that a smartphone can benefit from 64-bit chip.

Continue reading “64-bit chips are too much for a smartphone! Really?”

Pedelecs are fast!

A quick comparison of average speeds for my daily commute, these numbers are average moving speed.

Note: Bulls is the brand name of my standard trekking bike, Raleigh is the brand name of my wife’s pedelec city/confort bike (electrical pedal-assist up to 25 km/h) and Peugeot is the brand name of our car.

Each of these modes of transport has 2 average speeds. For bicycles, one should understand the “easy” one as going slow enough to avoid too much sweating, whereas the “fast” one is when trying to be as fast as possible. For the car, it is the lowest and highest measured speed (depending on traffic).

Transport-Average-Speeds

For more information on pedelecs: Wikipedia article on Pedelec.

Home Server – What do I want?

What service do I want to run on my Home Server?

I do have a NAS already which has the following services: File Sharing (Samba, AFS and NFS), Media Streaming Server (DLNA), VPN Server, Cloud Sync Repository. So I do not intend to have redundant services on my Home Server. What is left?

My Home Server could support:

  • Backup: Having a proper backup of all important files from the NAS and our laptop. Implementations: rdiff-backup, Box Backup, fwbackups*, duplicity*, rsnapshot or storeBackup.
  • (N)-IDS: As I have services open to the internet, I want to take some precautions and check that no exploits is taken advantage of. I am not sure this is enough, but it is the least I can do. Implementations: AIDE or Suricata.
  • DNS cache/server: I am thinking of hosting my own DNS server to perform some caching and hopefully enhance a bit the browsing experience in terms of performance. Though I would need to benchmark this to make sure I have any gain as I suspect my old router to do some caching. Implementation: dnsmasq.
  • DHCP server: My home router is a Netgear WG614 and its features for what concern DHCP are fairly limited, having my home server addressing this issue is a nice idea (until we get a better router). I could be even tightly coupled with the DNS server (see earlier bullet point) so that one could use hostname within the local network. Implementation: dnsmasq.
  • Syslog server
  • Maybe – ownCloud: maybe one day I would prefer to use an open source solution for Cloud Sync rather than the closed source one from my NAS vendor.

*: FreeBSD support is uncertain.

As one can see, I could use Linux or BSD based OS or a mixture. However, ZFS is so compelling that I am seriously considering to go for FreeBSD+jails and basta cosi! February will be the month where I try to set-up a FreeBSD server.

My Future Home Server – Part 2

I am experimenting with different OS to find the right settings for my Home Server. I was interested by Fedora especially because there are several “Red Hat” technology which I would like to use on my server, namely: oVirt and virt-manager. Furthermore it sports a recent Linux Kernel (3.7 as of this writing) which could be beneficial if I choose Btrfs for the underlying file system.

However, testing the upgrade path from Fedora 17 to Fedora 18, I am not so thrilled by the robustness of this OS. I have managed after painfully hitting 3 different blocking bugs to recover from the upgrade and have a nice Fedora 18 up and running. But this gave me little trust in the Q&A of the community. It seems that it is not the first time such problems happen (see Fedora 11).

I am still willing to give a go to Fedora. But out of precaution, I am going to experiment first with Ubuntu (for which I had since 2006 only once an upgrade problem). I want to see the state of oVirt and virt-manager on this OS before I am making any choice.

Or maybe I forget entirely about Linux based OS, and I go for FreeBSD with several jails instead of using virtualisation. Though I would need to check the state of technologies like ownCloud, (n)IDS, etc. on this OS.

My Future Home Server – Part 1

I have finally my Home Server built, it has its first storage hard drive and I upgraded the memory to something decent. Time to install the operating system.

I am not yet fully decided which operating system to implement on my Home Server, I would love ZFS as a file system for managing my storage, but I would still want to use Linux and not make the full switch to BSD. I decided to go for Fedora as the main OS, and install BSD in a virtual machine and see how this setup performs.

I had tried for a few month Fedora 17 in a virtual machine, I liked it, although I prefer the Debian package manager over yum, but this is really based on my own feelings and not on technical grounds.

So let’s go and install Fedora 18 (just released) on my server.

Continue reading “My Future Home Server – Part 1”