simonmackay Archive

Should the Android platform be exclusively dependent on the Google Play app store for software?

USB-C connector on Samsung Galaxy S8 Plus smartphone

A question that is appearing for Android users is whether software developers can sell software independently of Google Play

Over the last few months, Epic Games released their Android port of Fortnite in a manner that is very unusual for a mobile-platform app. Here, they released this port of the hit game as an APK software package file that is downloaded from their Website and installed on the user’s Android device as if you are installing a program on a regular Windows or MacOS computer. This allows them to maintain control over the sale of game additions and similar merchandise without having to pay Google a cut of their turnover. Or it could allow them to maintain control over the software’s availability, such as issuing beta or pre-release versions of software or simply offering highly demanding software like action games to devices known to perform at their best with the software.

The Android platform has a default setting of disallowing software installations unless they come from the Google Play Store or the device manufacturer’s app store. This is a software-security setting to prevent the installation of software that has questionable intent on your Android device. But the “regular” computer platforms have implemented other approaches to allow secure installation of software thanks to their heritage of being able to install software delivered on package media or from download resources like the software developer’s Website or a download site. It also caters towards the role that regular computers play in the course of business computing where line-of-business software is being installed on these systems by value-added resellers and solutions providers.

This question will become more real as the Android platform is taken beyond mobile devices and towards the smart TV like with NVIDIA Shield or recent Sony smart TVs. It could also appeal towards other “smart devices” like network printers that are based on the Android software codebase where there is a desire to add functionality through an app store.

Recent efforts that Microsoft, Apple and the open-source community have taken to protect our regular computers include software-authenticity certification, least-privilege execution, sandboxing and integrated malware detection. In some cases, there is the ability for users to remove software-authenticity certificates from their regular computer in case questionable software was deployed, as highlighted with the Lenovo Superfish incident.

Similarly, these operating system vendors and many third parties have developed endpoint-security software to protect these computers against malware and other security threats.

Google even introduced the Google Play Protect software to the Android platform to offer the same kind of “installed malware” detection that Windows Defender offers for the Windows platform and Xprotect offers on the MacOS platform. Samsung even implements Knox as an endpoint-protection program on their Android devices.

Android does maintain its own app store in the form of the Google Play Store but allows device manufacturers and, in some cases, mobile-phone service providers to create their own app store, payment infrastructure and similar arrangements. But it is difficult for a third-party software developer to supply apps independent of these app stores including creating their own app store. This is more so for app developers who want to sell their software or engage in further commerce like selling in-game microcurrency without having to pay Google or others a cut of the proceeds for the privilege of using that storefront.

Android users can install apps from other sources but they have to go in to their phone’s settings and enable the “install unknown apps” or a similar option for them to install apps from sources other than the Google Play Store or their OEM’s / carrier’s app store.

What could be done for the Android platform could be to support authenticated software deployment that uses the same techniques as Microsoft and Apple with their desktop and server operating systems. It can also be augmented with the creation of authenticated app-stores to allow software developers, mobile carriers, business solutions providers and the like to implement their own app stores on the Android platform. The authentication platform would also require the ability for end-users to remove trusted-developer certificates or for certificate authorities to revoke these certificates.

It could allow for someone like, for example, Valve or GOG to operate a “Steam-like” storefront which is focused towards gaming. Or an app developer like Microsoft could use their own storefront to sell their own software like the Office desktop-productivity suite. Then there are people courting the business segment who want to offer a hand-curated collection of business-focused apps including line-of-business software.

But there would have to be some industry-level oversight regarding certified apps and app stores to make it hard for questionable software to be delivered to the Android ecosystem. This also would include app stores having to make sure that their payment mechanisms aren’t a breeding ground for fraud in its various forms.

A common question that will crop up regarding alternative app stores and developer-controlled or third-party-controlled app-level certification is the ability to purvey apps that have socially-questionable purposes like gambling or pornography. Here, the Android ecosystem will have to have the ability to allow end-users to regulate the provenance of the software installed on these devices.

At least the Fortnite software-distribution conversation is raising questions about how software is delivered to the Android mobile-computing platform and whether this platform is really open-frame.


Google to keep deep records of political ads served on their platforms

Articles

Australian House of Representatives ballot box - press picture courtesy of Australian Electoral Commission

Are you sure you are casting your vote without undue influence?

Google Releases Political Ad Database and Trump Is the Big Winner | Gizmodo

From the horse’s mouth

Google

Introducing A New Transparency Report For Political Ads (Blog Post)

Transparency Report – Political Advertising On Google (Currently relevant to federal elections in the USA)

Advertising Policies Help Page – Political Advertising (Key details apply to USA Federal elections only)

My Comments

If you use YouTube as a free user or surf around the Internet to most ad-facilitated blogs and Websites like this one, you will find that the display ads hosted are provided by an ad network owned or managed by Google. Similarly, some free ad-funded mobile apps may be showing ads that are facilitated through Google’s ad networks. Similarly, some advertisers pay to have links to their online resources placed at the top of the Google search-results list.

Online ad - to be respected like advertising in printed media

Google to keep records of political ads that appear on these sites so they have the same kind of respect as traditional print ads

Over the past few years, there has been a strong conversation regarding the authenticity of political advertising on the online space thanks to the recent election-meddling and fake news scandals. This concern has been shown due to the fact that the online space easily transcends jurisdictional borders and isn’t as regulated as traditional broadcast, print and away-from-home advertising especially when it comes to political advertising.

Then there is also the fact that relatively-open publishing platforms can be used to present content of propaganda value as editorial-grade content. The discovery of this content can be facilitated through search engines and the Social Web whereupon the content can even be shared further.

Recently Facebook have taken action to require authentication of people and other entities behind ads hosted on their platforms and Pages or Public Profiles with high follower counts. This is in conjunction with providing end-users access to archival information about ad campaigns run on that platform. This is part of increased efforts by them and Google to gain control of political ads appearing on their platforms.

But Google have taken things further by requiring authentication and proof of legitimate residency in the USA for entities publishing political ads through Google-managed ad platforms that target American voters on a federal level. As well, they are keeping archival information about the political ads including the ads’ creatives, who sponsored the ad and how much is spent with Google on the campaign. They are even making available software “hooks” to this data for researchers, concerned citizens, political watchdog groups and the like to draw this data in to their IT systems for further research.

If you view a political ad in the USA on this site or other sites that use display advertising facilitated by Google, you will find out who is behind that ad if you click or tap on the blue arrow at the top right hand corner of that ad. Then you will see the disclosure details under the “Why This Ad” heading. Those of you who use YouTube can bring up this same information if you click or tap on the “i” (information) or three-dot icon while the ad is playing.

Google are intending to roll these requirements out for state-level and local-level campaigns within the USA as well as rolling out similar requirements with other countries and their sub-national jurisdictions. They also want to extend this vendor-based oversight towards issues-based political advertising which, in a lot of cases, makes up the bulk of that kind of advertising.

Personally I would also like to see Google and others who manage online ad platforms be able to “keep in the loop” with election-oversight authorities like the USA’s Federal Election Commission or the Australian Electoral Commission. Here, it can be used to identify inordinate political-donation and campaign-spending activity that political parties and others are engaging in.


What could be done to simplify your router upgrade

Telstra Gateway Frontier modem router press picture courtesy of Telstra

There needs to be a standard filetype to simplify the process of upgrading your home network router without reconfiguring your home network

An issue that will crop up through the life of a home network is upgrading the router. This will be brought on with replacement of carrier-supplied equipment with retail equipment, replacing that half-dead router that you are always powering off and on many times a week, or upgrading to higher-performance equipment.

But you will end up having to transcribe out configuration data from your old equipment so you can enter it in to your new equipment especially if you want to avoid having to reconfigure other network equipment on your same home network.

Most routers offer a way for users to back up the current configuration details. This is typically to allow a user to do things like perform a factory reset or to test a configuration without losing a prior known-to-work state.

The process typically requires the user to download a configuration file to the computer they are configuring the router from in a similar manner to downloading a resource from the Web. But there isn’t a consistent file schema for storing this data in a manner for transferring to devices supplied by different vendors. In some cases, you may not be able to transfer the configuration data to newer equipment from the same vendor such as to install a newer router model.

AVM have taken steps in the right direction by allowing users to save a configuration from an older Fritz!Box router and upload it to a newer Fritz!Box router running a newer version of the Fritz!OS firmware. It also factors in allowing the router to persist your configuration to a newer version of the firmware.

But what can be done to make this work better would be to use a standard file format, preferably an XML-based schema which could be used for storing a router configuration. This would have to be agreed upon by all of the vendors to provide true vendor interoperability.

There would also be issues about providing multiple methods of storing this data. It could be about maintaining the traditional HTTP download / upload approach with Web clients on the same local network. Or it could also be about transferring the data between a USB Mass Storage device and the router such as to facilitate an out-of-box install.

Such a setup could allow for a range of scenarios like simplifying the upgrade path or to make it easier for support staff to keep information about different configurations they are responsible for.

The configuration data would have to cater for WAN (Internet) and LAN details including details regarding Wi-Fi wireless network segments, advanced network setups like VLAN and VPN setups, VoIP endpoint setups as well as general and security-related data.

Of course an issue that will crop up would be assuring the user of proper network security and sovereignty, something that could be assured through not persisting the management password to a new router. Also you won’t be able to keep Wi-Fi channel data especially if you deal with self-optimising equipment, because you may have to face an evolving Wi-Fi spectrum landscape.
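The omissions described above, sketched as an added example (not code from any router vendor or from this site). It assumes a hypothetical XML schema, since no agreed one exists, and every element name and sample value is constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample backup in a HYPOTHETICAL vendor-neutral schema.
SAMPLE_BACKUP = """<routerConfig schemaVersion="1">
  <management>
    <adminPassword>old-router-admin-secret</adminPassword>
    <remoteAdmin>false</remoteAdmin>
  </management>
  <lan>
    <address>192.168.1.1</address>
    <dhcp start="192.168.1.100" end="192.168.1.200"/>
  </lan>
  <wifi>
    <segment band="2.4GHz">
      <ssid>HomeNet</ssid>
      <passphrase>constructed-wifi-passphrase</passphrase>
      <channel>6</channel>
    </segment>
    <segment band="5GHz">
      <ssid>HomeNet-5G</ssid>
      <passphrase>constructed-wifi-passphrase</passphrase>
      <channel>44</channel>
    </segment>
  </wifi>
</routerConfig>
"""

# Element paths (relative to the root) that must not travel to a new router:
# the management password and the Wi-Fi channel choice.
NON_PORTABLE = ("management/adminPassword", "wifi/segment/channel")


class ConfigError(ValueError):
    """Raised when a configuration file is rejected."""


def _parse(xml_text):
    # A configuration file has no need for DTDs or entity definitions, so
    # refuse them before parsing rather than trusting the parser with them.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ConfigError("DTD/entity declarations are not allowed")
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ConfigError(f"malformed XML: {exc}") from exc
    if root.tag != "routerConfig":
        raise ConfigError("unexpected root element")
    return root


def _strip(root, path):
    # ElementTree removes a child through its parent, so split the path.
    parent_path, _, tag = path.rpartition("/")
    parents = root.findall(parent_path) if parent_path else [root]
    for parent in parents:
        for child in parent.findall(tag):  # findall returns a list copy
            parent.remove(child)


def export_portable(xml_text):
    """Return the backup with the non-portable elements removed."""
    root = _parse(xml_text)
    for path in NON_PORTABLE:
        _strip(root, path)
    return ET.tostring(root, encoding="unicode")


def import_portable(xml_text):
    """Validate a portable file on the new router and return its settings."""
    root = _parse(xml_text)
    for path in NON_PORTABLE:
        if root.find(path) is not None:
            raise ConfigError(f"refusing import: file carries {path}")
    return {
        "lan_address": root.findtext("lan/address"),
        "ssids": [s.findtext("ssid") for s in root.findall("wifi/segment")],
        # The new router keeps its own admin password and picks channels.
        "admin_password_imported": False,
    }


if __name__ == "__main__":
    portable = export_portable(SAMPLE_BACKUP)
    print(portable)
    print(import_portable(portable))
```

The portable file still carries the Wi-Fi passphrases so that other devices need no reconfiguration, which means it has to be stored and moved as a secret.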

What will need to happen is to provide methods to allow seamless upgrading of devices that serve as your network-Internet “edge” so you can simplify this upgrade process and get the most out of the new equipment.


Brother offers to Europeans a full-colour thermal label printer

Article – From the horse’s mouth

Brother Europe

Brother VC-500W full-colour label printer press picture courtesy of Brother Europe

Brother VC-500W full-colour label printer

VC-500W Full-Colour Label Printer

Product Page (EU – English, UK)

My Comments

Brother is offering to the European market the VC-500W compact thermal label printer as a full-colour label printing solution. It is being pitched at applications like colour-coded labels, labels with multi-colour company logos or employee/visitor security badges that use full-colour photos. In the UK, Brother were even pitching the printer not just as a business tool but as part of home-based craftwork and hobbies – think of labelling those jars of marmalade, jam or other preserved fruits you make and give as gifts.

This comes while some of the other printer brands are releasing at least one model of full-colour compact label printer using inkjet printing or some other compact full-colour printing technology. The question about full-colour small-form (label / receipt / ticket) printing is whether it is a real business tool or simply a toy, especially where the technologies will become initially expensive to buy and use.

This label printing system is based on the ZINK thermal printing system that Polaroid developed in the 1990s. But ZINK was mainly used for compact photo printers and digital cameras with integrated printers in order to share hard-copy prints of digital snapshots “there and then” like with Polaroid’s instant-camera legacy. Here, this uses the direct-thermal printing process but uses the heat-pulse length and intensity to bring up particular colours.

A question that can be raised about the use of ZINK technology is how long the printed labels will keep their same colour before they deteriorate. It also includes how long unused rolls of the ZINK-based label tape for this printer can stay unused before they print below par or jam up in the label printer.

This printer uses the P-Touch software for regular Windows or MacOS computers or uses a special colour label-printing app for iOS and Android. It can link to the host computer device via USB or Wi-Fi whether directly or via an extant Wi-Fi network. It can work with a range of label widths up to 50mm and each label roll comes with 5m worth of full-colour label tape.

Brother could also take the ZINK technology further by implementing it in A4/Letter page sizes to create a highly compact mobile colour printer of the same ilk as the “PocketJet” mobile printers. Here, the issue of long-term archiveability for ZINK-based colour printouts would have to be tested for it to have business value. But it could be considered acceptable for applications where full colour is required in transactional printouts like work quotes.

As Brother slowly releases the VC-500W full-colour label printer around the world, it could be a chance to prove to home and business users a real use case for full-colour small-form printing rather than it just being a toy.


How can social media keep itself socially sane?

Broadcast

Facebook login page

Four Corners (ABC Australia) – Inside Facebook

iView – Click to view

Transcript

My Comments

I had just watched the Four Corners “Inside Facebook” episode on ABC TV Australia which touched on the issues and impact that Facebook was having concerning content that is made available on that platform. It was in relationship to recent questions concerning the Silicon Valley social-media and content-aggregation giants and what is their responsibility regarding content made available by their users.

I also saw the concepts that were raised in this episode coming to the fore over the past few weeks with the InfoWars conspiracy-theory site saga that was boiling over in the USA. There, concern was being raised about the vitriol that the InfoWars site was posting up especially in relationship to recent school shootings in that country. At the current time, podcast-content directories like Spotify and Apple iTunes were pulling podcasts generated by that site while

The telecast highlighted how the content moderation staff contracted by Facebook were handling questionable content like self-harm, bullying and hate speech.

For most of the time, Facebook took a content-moderation approach where the bare minimum action was required to deal with questionable content. This was because if they took a heavy-handed approach to censoring content that appeared on the platform, end-users would be drifting away from it. But recent scandals and issues like the Cambridge Analytica scandal and the allegations regarding fake news have been bringing Facebook on edge regarding this topic.

Drawing attention to and handling questionable content

At the moment, Facebook are outsourcing most of the content-moderation work to outside agencies and have been very secretive about how this is done. But the content-moderation workflow is achieved on a reactive basis in response to other Facebook users using the “report” function in the user-interface to draw their attention to questionable content.

This is very different to managing a small blog or forum which is something one person or a small number of people could do thanks to the small amount of traffic that these small Web presences could manage. Here, Facebook is having to engage these content-moderation agencies to be able to work at the large scale that they are working at.

The ability to report questionable content, especially abusive content, is compounded by a weak user-experience that is offered for reporting this kind of content. It is more so where Facebook is used on a user interface that is less than the full Web-based user experience such as some native mobile-platform apps.

This is because, in most democratic countries, social media unlike traditional broadcast media is not subject to government oversight and regulation. Nor is it subject to oversight by “press councils” like what would happen with traditional print media.

Handling content

When a moderator is faced with content that is identified as having graphic violence, they have the option to ignore the content – leave it as is on the platform, delete the content – remove it from the platform, or mark as disturbing – the content is subject to restrictions regarding who can see the content and how it is presented including a warning notice that requires the user to click on the notice before the content is shown. As well, they can notify the publisher who put up the content about the content and the action that has been done with it. In some cases, the content being “marked as disturbing” may be a method used to raise common awareness about the situation being portrayed in the content.

They also touched on dealing with visual content depicting child abuse. One of the factors raised is that the more views that content depicting abuse receives, the more the abuse factor against the victim of that incident is multiplied.

As well, child-abuse content isn’t readily reported to law-enforcement authorities unless it is streamed live using Facebook’s live-video streaming function. This is because the video clip could be put up by someone at a prior time and on-shared by someone else or it could be a link to content already hosted somewhere else online. But Facebook and their content-moderating agencies engage child-safety experts as part of their moderating team to determine whether it should be reported to law enforcement (and which jurisdiction should handle it).

When facing content that depicts suicide, self-harm or similar situations, the moderating agencies treat these as high-priority situations. Here, if the content promotes this kind of self-destructive behaviour, it is deleted. On the other hand, other material is flagged as to show a “checkpoint” on the publisher’s Facebook user interface. This is where the user is invited to take advantage of mental-health resources local to them and are particular to their situation.

But it is a situation where the desperate Facebook user is posting this kind of content as a personal “cry for help” which isn’t healthy. Typically it is a way to let their social circle i.e. their family and friends know of their personal distress.

Another issue that has also been raised is the existence of underage accounts where children under 13 are operating a Facebook presence by lying about their age. But these accounts are only dealt with if a Facebook user draws attention to the existence of that account.

An advertising–driven platform

What was highlighted in the Four Corners telecast was that Facebook, like the other Silicon Valley social-media giants, makes most of its money out of on-site advertising. Here, the more engagement that end-users have with these social-media platforms, the more the advertising appears on the pages including the appearance of new ads which leads to more money made by the social media giant.

This is why some of the questionable content still exists on Facebook and similar platforms so as to increase engagement with these platforms. This is even though most of us who use these platforms aren’t likely to actively seek this kind of content.

But this show hadn’t even touched on the concept of “brand safety” which is being raised in the advertising industry. This is the issue of where a brand’s image is likely to appear next to controversial content which could be seen as damaging to the brand’s reputation, and is a concept highly treasured by most consumer-facing brands maintaining the “friendly to family and business” image.

A very challenging task

Moderating staff will also find themselves in very mentally-challenging situations while they do this job because in a lot of cases, this kind of disturbing content can effectively play itself over and over again in their minds.

The hate speech quandary

The most contentious issue that Facebook, like the rest of the Social Web, is facing is hate speech. But what qualifies as hate speech and how obvious does it have to be before it has to be acted on? This broadcast drew attention initially to an Internet meme questioning “one’s (white) daughter falling in love with a black person” but doesn’t underscore an act of hatred. The factors that may be used as qualifiers may be the minority group, the role they are having in the accusation, the context of the message, along with the kind of pejorative terms used.

They are also underscoring the provision of a platform to host legitimate political debate. But Facebook can delete resources if a successful criminal action was taken against the publisher.

Facebook has a “shielded” content policy for highly-popular political pages, which is something similarly afforded to respected newspapers and government organisations; and such pages could be treated as if they are a “sacred cow”. Here, if there is an issue raised about the content, the complaint is taken to certain full-time content moderators employed directly by Facebook to determine what action should be taken.

A question that was raised in the context of hate speech was the successful criminal prosecution of alt-right activist Tommy Robinson for sub judice contempt of court in Leeds, UK. Here, he had used Facebook to make a live broadcast about a criminal trial in progress as part of his far-right agenda. But Twitter had taken down the offending content while Facebook didn’t act on the material. From further personal research on extant media coverage, he had committed a similar contempt-of-court offence in Canterbury, UK, thus underscoring a similar modus operandi.

A core comment that was raised about Facebook and the Social Web is that the more open the platform, the more likely one is to see inappropriate unpleasant socially-undesirable content on that platform.

But Facebook have been running a public-relations campaign regarding cleaning up its act in relation to the quality of content that exists on the platform. This is in response to the many inquiries it has been facing from governments regarding fake news, political interference, hate speech and other questionable content and practices.

Although Facebook is the common social-media platform in use, the issues drawn out regarding the posting of inappropriate content also affect other social-media platforms and, to some extent, other open freely-accessible publishing platforms like YouTube. There is also the fact that these platforms can be used to link to content already hosted on other Websites like those facilitated by cheap or free Web-hosting services.

There may be some issues that I have covered in this article that may concern you or someone else using Facebook. Here are some

Australia

Lifeline

Phone: 13 11 14
http://lifeline.org.au

Beyond Blue

Phone: 1300 22 46 36
http://beyondblue.org.au

New Zealand

Lifeline

Phone: 0800 543 354

Depression Helpline

Phone: 0800 111 757

United Kingdom

Samaritans

Phone: 116 123
http://www.samaritans.org

SANELine

Phone: 0300 304 7000
http://www.sane.org.uk/support

Eire (Ireland)

Samaritans

Phone: 1850 60 90 90
http://www.samaritans.org

USA

Kristin Brooks Hope Center

Phone: 1-800-SUICIDE
http://imalive.org

National Suicide Prevention Lifeline

Phone: 1-800-273-TALK
http://www.suicidepreventionlifeline.org/


HP to start a bug bounty program for its printer firmware

Articles

HP OfficeJet 6700 Premium multifunction printer

HP to implement a bug bounty program to assure high-quality secure firmware for their printers like this OfficeJet.

HP Becomes the First Printer Maker to Launch a Bug Bounty | Tom’s Hardware

HP Launches $10,000 Bug Bounty for Printers | ExtremeTech

My Comments

Over the last few years, dedicated-function devices like printers, videosurveillance cameras, routers and the like have been identified as a weak point when it comes to data security.

This has been highlighted through some recent cyberattacks like the Mirai botnet attack which was driven by dedicated-function devices like videosurveillance cameras running compromised firmware along with recent security exploits associated with home and SOHO routers being able to run compromised firmware. There is also the fact that manufacturers are building the same kind of computer power in to these devices as what would be expected from a regular computer through the 1990s or 2000s. There is also the fact that these devices can be seen as an entry point in to a network that handles confidential data or be used as an onramp for a denial-of-service botnet.

Hewlett-Packard have answered the reality of firmware integrated within their printers by starting a bug-bounty program where software developers, computer hackers and the like are paid to “smoke out” bugs within this firmware. Then this leads to meaningful software updates and patches that are sent out to owners of these devices, typically through an automatic or semi-automatic installation approach. It is a similar practice to what Microsoft, Apple and others are working on to make sure that they are running high-quality secure operating-system and application software.

This has been seen as of importance for printers targeted initially at the enterprise market because they would be processing significant amounts of company-confidential data in order to turn out company-confidential documents. But this approach would have to apply to home, SOHO and small-business machines as well as the larger workgroup machines found within the enterprise sector. This is because these kinds of machines can be used by people working at or running a business from home along with those of us in charge of small businesses or community organisations.

By HP setting an example with their printer firmware, it could become a standard across other vendors who want to maintain a culture of developing high-quality secure firmware for their dedicated-function devices. This is more so as the consumer and enterprise IT market raises expectations regarding the software quality and security that affects the devices they use.


JBL Link View Google-powered smart speaker up for pre-order

Articles

JBL Link View lifestyle press image courtesy of Harman International

JBL Link View now up for preorder as the next Amazon Echo Show competitor | CNET News

JBL’s Google-powered smart display launches next month for $250 | The Verge

JBL’s Google-powered smart display is available for preorder | Engadget

JBL Link View Google Assistant smart display up for pre-order, ships September 3rd | 9 to 5 Google

From the horse’s mouth

JBL

Link View (Product page – link to preorder)

My Comments

The Amazon Echo Show is just about to face more competition from the Google Assistant (Home) front with JBL taking advance orders for their Link View smart speaker. This is although Lenovo has just started to roll out a production run of their Smart Displays which are based on the Google Assistant (Home) platform.

JBL have taken advance orders on this speaker since Wednesday 2 August 2018 (USA time) with them costing USD$250 a piece. They expect to have them fully available in the US market by September 3 2018 (USA time). The display on this unit serves the same purpose as the one on the Lenovo Smart Displays where it simply augments your conversation with Google Assistant using a visual experience.

These units look a bit like a boombox or stereo table radio and have an 8” high-definition touch screen along with two 2” (51mm) full-range speakers separately amplified and flanking the screen for stereo sound reproduction. Here, this traditional approach with the stereo speakers at each end of the device leads towards better perceived stereo separation. CNET saw this as offering more “punch” for music content compared to other “smart-display” devices that they experienced.

There is the camera to work with Google Duo but this device has also been designed to take care of user privacy needs thanks to a privacy shutter over the camera along with a microphone mute switch.

Like other Google Assistant (Home) devices, the JBL Link View can work as a wireless speaker for Chromecast Audio and Bluetooth links from mobile devices.

This is the start of something happening with the Google Assistant (Home) platform where the devices being offered by Lenovo and JBL are offering more than what Amazon are currently offering for their smart displays. It includes the stereo speakers for the JBL Link View along with larger displays for both the Lenovo and JBL products. LG and Sony are intending to launch their Google-powered smart displays soon but I don’t know when.

Personally, I would see Amazon and Google establishing a highly-competitive market for smart speakers and allied devices especially if both of them answer each other with devices of similar or better standards. As well, licensing the Alexa and Google Assistant (Home) standards to third-party consumer-electronics companies will also open up the path for innovation including incremental product-design improvements.

Lenovo launches the first smart display to compete with Amazon Echo Show

Lenovo Smart Displays now available in the USA (press picture courtesy of Lenovo USA)

Articles

Lenovo delivers the first Google Assistant smart display | Engadget

Google and Lenovo’s Smart Display Trounces Amazon’s in Every Way | Gizmodo

First of the Google Assistant-Powered Smart Displays Arrives This Week From Lenovo | Droid Life

From the horse’s mouth

Google

The first Smart Displays with the Google Assistant are now available in stores (Blog Post)

Lenovo

Smart Display (Product Page, Blog Post)

My Comments

Google premiered the idea of smart displays based on their Google Assistant (Home) platform at the Consumer Electronics Show in January 2018. This is seen as an intent by Google to answer Amazon’s Echo Show smart display and they had Lenovo and JBL register their intent by presenting prototype products at that trade show. Lenovo even exhibited two models – a baseline unit with an 8” display and a premium unit with a 10” display.

Now Lenovo have made these Smart Displays available to the US market. Here, they will be made available through most of the well-known online and bricks-and-mortar stores who sell household technology like Walmart, Best Buy, Amazon, Costco and Sam’s Club, as well as being available direct through Lenovo.com.

The baseline model has an 8” screen with a 1280×800 resolution and a single full-range 10-watt speaker and is being sold for USD$199.99. The premium model has a 10” display with a 1920×1200 resolution, two full-range speakers and a bamboo finish on the back for USD$249.99. Here, even the baseline model offers a larger display than what the Amazon Echo Show is equipped with.

There is access to Google’s online services including YouTube, Duo and Maps. Users can even sign up to YouTube TV to receive most of the USA’s over-the-air and cable TV networks on this device via the Internet for USD$40 per month. Users also have access to Spotify, Pandora, iHeartRadio, TuneIn Radio along with most of the other popular content services available to the US market. They can also engage in videocalls using the Google Duo “over-the-top” IP-telephony platform thanks to an integrated video camera. Google Photos also allows these Smart Displays to become electronic picture frames.

Like other devices based on the Google Assistant (Home) platform, these Lenovo Smart Displays support the Google Assistant Routines which are effectively like “macros” or “scripts” that run a user-determined series of actions under one command. There is also the ability for these smart displays to interlink with “smart home” devices that work with the Google Assistant (Home) platform and can run video from compatible devices like the Nest Cam.

Individual privacy has been taken care of properly with a mechanical shutter that is slid over the camera along with a switch to mute the microphone. That feature is also important to prevent Google Assistant acting on “wake words” or other commands that may be said in normal conversation or uttered by a device.

From what I have seen of the photos posted online of this device, there is a clear, concise, graphically-rich user experience offered on the screen, rather than the second-rate text-based display offered on the Amazon Echo Show devices. This is because the visual component of Google Assistant (Home) is based on the Android variant of the Google Assistant and it makes it easier to achieve a visual user interface across both Android devices and these Smart Displays.

But there is limited portrait-mode support amongst the app base offered for this platform. It is a sign that the visual-aid functionality for Google Assistant (Home) is still a “rough diamond” and Google and third parties will need to refine this functionality further.

I would see some of the other makes like JBL launch at least one Smart Display product for the Google Assistant (Home) ecosystem over the next few months, if not by year’s end.

U2F-compliant security keys now seen as phish-proof

Articles

It is being proven that the use of a hardware security key is making the login experience phish-proof

Google Employees’ Secret to Never Getting Phished Is Using Physical Security Keys | Gizmodo

U2F Security Keys Show Extreme Effectiveness Against Phishing | Tom’s Hardware

Google: Security Keys Neutralized Employee Phishing | Krebs On Security

My Comments

An issue that is being raised regarding SMS-driven two-factor authentication is that it can be used to facilitate phishing and other fraud against the user’s account. Here, it relies on the user receiving an SMS or voice call with a key value to enter into the login user interface and this is totally dependent on the SMS or call being received at a particular phone number.

The area of risk being highlighted is that the user could be subjected to social engineering to “steer” their phone number to a mobile device under the hacker’s control. Or the IT infrastructure maintained by your mobile telephony provider could be hacked to “steer” your phone number somewhere else. The ease of “steering” your mobile phone number between devices is brought about thanks to a competitive-telephony requirement to “port” mobile or local numbers between competing telephony-service providers if a subscriber wishes to “jump ship” and use a different provider.

Google have proven that hardware security keys that are part of the FIDO Alliance’s U2F (Universal Second Factor) ecosystem are more secure than the SMS-based second-factor arrangement used by most online services. This is a “follow-on” from the traditional card-size or fob-size security token used by some banking services to verify their customers during the login process or when instantiating certain transactions.

Here, Google issued all their employees with a U2F-compliant security key and made it mandatory that their work accounts are secured with this key rather than passwords and one-time codes.

Most of these keys are connected to the host computer by plugging them into a vacant USB port on that host. But there are or can be those that use Bluetooth and / or NFC “touch-and-go” technology to work with mobile devices.

Why are these U2F security keys more secure than the SMS-based two-factor authentication or app-based two-factor authentication? The main reason is that the U2F security key is a separate dedicated hardware device that works in isolation, rather than depending on mobile-telephony infrastructure or on software running on a computing device that can be exposed to security exploits.

For most users, a U2F-compliant security key is the equivalent of the traditional key that you use to gain access to your home or car: something you possess for that purpose. Most U2F-compliant security keys that use USB or Bluetooth would also require you to press a button to complete the authentication process. Again this is similar to actually turning that key in the lock to open that door.

This has underscored the “phish-proof” claim because a person who uses social engineering to make an attempt on the user’s credentials would also need to have the user’s security key to achieve a successful login. It is something that is similar to what happens when you use an ATM to withdraw cash from your bank account because you need to insert your account card in the machine and enter your PIN to commence the transaction.
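The comparison above as a simplified model, added here as an illustration and not taken from the cited articles or from the FIDO specification: an SMS code works for whoever receives it, while a security-key login needs a signature that only the registered key can produce. The class names, message layout and example origins are assumptions, and the origin check reflects how U2F ties a signature to the site the browser is actually on, which the post does not spell out.

```javascript
const crypto = require('node:crypto');

// Constructed placeholder origins for the demonstration.
const REAL_ORIGIN = 'https://accounts.example.com';
const LOOKALIKE_ORIGIN = 'https://accounts.example.com.login.invalid';

// SMS code: a shared secret that is delivered to whoever holds the phone number.
class SmsCodeService {
  constructor() { this.inboxes = { user: [], other: [] }; this.numberHolder = 'user'; this.code = null; }
  sendCode() {
    this.code = crypto.randomInt(0, 1000000).toString().padStart(6, '0');
    this.inboxes[this.numberHolder].push(this.code); // delivery follows the number
  }
  check(code) {
    const ok = this.code !== null && code === this.code;
    this.code = null; // single use
    return ok;
  }
}

function smsLoginAfterNumberIsSteered() {
  const svc = new SmsCodeService();
  svc.numberHolder = 'other'; // number "steered" away from the user's phone
  svc.sendCode();
  return svc.check(svc.inboxes.other[0]); // the code alone is sufficient
}

// Security key: the private key is generated on the device and never exported.
class SecurityKey {
  #privateKey;
  constructor() {
    const pair = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    this.publicKey = pair.publicKey; // handed to the service at registration
    this.#privateKey = pair.privateKey;
  }
  // origin is reported by the browser, not by the page; no button press, no signature.
  sign(challenge, origin, buttonPressed) {
    if (!buttonPressed) return null;
    const clientData = JSON.stringify({ challenge, origin });
    const signature = crypto.sign('sha256', Buffer.from(clientData), this.#privateKey);
    return { clientData, signature };
  }
}

class Service {
  constructor(origin, publicKey) { this.origin = origin; this.publicKey = publicKey; this.pending = new Set(); }
  newChallenge() {
    const challenge = crypto.randomBytes(32).toString('hex');
    this.pending.add(challenge);
    return challenge;
  }
  verify(assertion) {
    if (!assertion) return false;
    const { challenge, origin } = JSON.parse(assertion.clientData);
    if (!this.pending.delete(challenge)) return false; // unknown or already used
    if (origin !== this.origin) return false;          // signed for a different site
    return crypto.verify('sha256', Buffer.from(assertion.clientData), this.publicKey, assertion.signature);
  }
}

// One login attempt; the options choose which condition is broken.
function keyLogin({ pageOrigin = REAL_ORIGIN, buttonPressed = true, signer = null } = {}) {
  const registeredKey = new SecurityKey();
  const service = new Service(REAL_ORIGIN, registeredKey.publicKey);
  const assertion = (signer || registeredKey).sign(service.newChallenge(), pageOrigin, buttonPressed);
  const first = service.verify(assertion);
  const replay = service.verify(assertion); // same assertion presented again
  return { first, replay };
}
```

Only the attempt made with the registered key, on the real origin, with the button pressed, is accepted, and only once.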

What kind of support exists out there for U2F authentication? At the browser level, currently Chrome, Opera and Firefox provide native support but Firefox users would need to enable it manually. At the moment, there isn’t much production-level support for this technology at the operating-system level and only a handful of applications, namely password-vault applications, provide native support for U2F authentication.

The issue of providing support for U2F authentication at the operating-system level is a real issue thanks to operating systems having an increased amount of native client-level support for online services “out of the box”. It also includes the use of Web browsers that are developed by the operating system’s vendor like Edge (Microsoft Windows) and Safari (Apple MacOS and iOS) with the operating system set up “out of the box” to use these browsers as the default Web browser. As well, Microsoft, Google and Apple implement their own platform-wide account systems for all of the services they provide.

Other questions that will end up being raised would be the use of hardware-key authentication in the context of single-sign-on arrangements including social-sign-on, along with the 10-foot lean-back user experience involving the TV set. The former situation is underscored through the popularity of Google, Facebook and Microsoft as user credential pools for other online and mobile services. This is while the latter situation would underscore console-based online gaming, interactive TV and video-on-demand services which are account-driven, with the idea of being able to support simplified or “other-device” user authentication experiences.

What has been proven is that easy-to-use dedicated security keys are a surefire means of achieving account security especially where the main attack vector is through social engineering.

Across-the-room data transfer – many questions need to be answered

Wirelessly transferring data between two devices in the same space

The industry has explored various methods for achieving point-to-point across-the-room data transfer and user discovery. This would avoid the need to use the Internet or a mobile phone network to share a file or invite another user to a game or social network. Similarly, it would be a way to exchange data with a device like a printer or an interactive advertising setup in order to benefit from what that device offered.

Methods that have been tried

The first of these was IrDA infra-red transfer working in a similar way to how most TV remote controls work to allow you to change channels without getting off the couch. This was exploited by the legendary Palm Pilot PDA and some of the Nokia mobile phones as a way to “beam” one’s contact details to a friend or colleague with the same device.

Bluetooth pushed forward with the Object Push Profile and File Transfer Profile as methods for exchanging data across the room. This was typically useful for contact details, low-resolution photos or Weblinks and was exploited with the popular feature phones offered by the major phone manufacturers through the 2000s. This method was also exploited by the out-of-home advertising industry as a way to convey Weblinks or contact details from a suitably-equipped poster to suitably-equipped mobile phones set to be discoverable.

But Apple nipped this concept in the bud when they brought out the highly-popular iPhone. The concept has been kept alive for the regular-computer operating systems and for Android mobile applications but mobile users who want to exchange data would have to ask whether the recipient had an Android phone or not.

Bluetooth also implemented that concept with the 4.0 Low Energy Profile standard by using “beacons” as a location tool. But this would be dependent on application-specific software being written for the client devices.

Microsoft is even reinstigating the Bluetooth method to transfer files between two computers in the same room as part of the functionality introduced in the Windows 10 April Update. But I am not sure if this will be a truly cross-platform solution for Bluetooth as was achieved with the earlier Object Push Profile or File Transfer Profile protocols.

Apple tried out a method similar to Bluetooth Object Push Profile called AirDrop but this implemented Wi-Fi-based technology and could only work with the Apple ecosystem. It was associated with “cyberflashing” where lewd pictures were forced out to unsuspecting recipients and Apple implemented a “contacts only” function with contacts’ emails verified against their Apple ID email logins as a countermeasure against this activity.

QR codes like what’s used on this poster being used as a pointer to an online resource

The QR code which is a special machine-readable 2D barcode has the ability to convey contact details, Weblinks, Wi-Fi network parameters and other similar data to mobile phones. These can be printed on hard-copy media or shown on a screen and have a strong appeal with business / visiting cards, out-of-home advertising or even as a means for authenticating client devices with WhatsApp.

Facebook even tried implementing QR codes as a way to share a link to one’s Profile or Page on that social network. Here, it can be a secure method rather than hunting via email or phone number, which was raised as a concern with the recent Facebook / Cambridge Analytica data-security saga.

The Android and Windows communities looked towards NFC “touch-and-go” technology where you touch your phones together or touch an NFC card or tag to transfer data. This has been exploited as a technique to instigate Bluetooth device pairing and implemented as a method of sharing contact data between Android and / or Windows devices. For a file transfer such as with contact details, the data itself is transferred using Bluetooth in the case of Android Beam or Wi-Fi Direct in the case of Samsung’s S Beam feature.

The Wi-Fi Alliance are even wanting to put up a Wi-Fi-based method called Wi-Fi Aware. Here, this would be used for data transfer and other things associated with the old Bluetooth Object Push Profile.

This is implemented on a short-range device-to-device basis because users in the same room may not be connected to the same Wi-Fi Direct or Wi-Fi infrastructure network as each other. There is also the reality that a properly-configured Wi-Fi public-access network wouldn’t permit users to discover other users through that network and the fact that a typical Wi-Fi network can cover the whole of a building or a street.

But Wi-Fi Aware could enable data transfer and user discovery while making use of a Wi-Fi infrastructure network, with the user able to define particular restrictions. For example, it could be about limiting the scope of discovery to a particular access point because most of these access points may just cover a particular room. Using the access points as a “scoping” tool even if the host devices don’t connect to that network could make the concept work without jeopardising the Wi-Fi infrastructure network’s data security.

Applications

There are a series of key applications that justify the concept of “across-the-room” data transfer. Typically they either involve the transfer of a file between devices or to even transfer a session-specific reference string that augments local or online activity.

The common application here is for a user to share their own or a friend’s contact details with someone else as a vCard contact-detail file. Another common application is to share a link to a Web-hosted resource as a URL. But some users also use across-the-room data transfer to share photos and video material such as family snapshots. In the same context, it could be about a dedicated-purpose device sending or receiving a file to or from a regular computer or mobile device such as to transfer .

In the advertising and public-relations context, “across-the-room” data transfer has been seen as a way to transfer a URL for a marketer’s Website or a visual asset to an end-user’s phone or computer. For example, the QR code printed on a poster has become the way to link a user to a media-rich landing page with further explanation about what is advertised. Similarly some out-of-home advertising campaigns implemented the Bluetooth Object Push Profile standard as a way to push an image, video or Weblink to end-users’ mobile phones.

But “across-the-room” data transfer is also being used as a way for users in the same space to discover each other on a social network or to identify potential opponents in a local or online multiplayer game. I find this a preferred method for discovering someone to add to a social network or similar platform I am a member of so that I can be sure that I am finding the right person on that platform and they are sure about it. Also, in the case of a local multiplayer game, the players would have to continue exchanging data relating to their moves using the local data link for the duration of their game.

Facebook even explored the idea of using QR codes as a way to allow one to invite another person whom they are chatting with to be their Facebook Friend or discover their Facebook Page. It is in fact an approach they are going to have to rediscover because they are closing off the users’ ability to search for people on the social network by phone number or email thanks to the Cambridge Analytica scandal.

What does the typical scenario involve?

The users who are in the same area are talking with each other about something that one of them has to offer such as contact details or a photo. Or, in the context of advertising or other similar situations, there will be some prior knowledge that there is something to benefit from knowing more about the offer using an online experience.

One of the users will invoke the transfer process by, for example, sharing the resource or hunting for a potential game opponent using their device’s user interface. The other user will share a nickname or other identifier to look out for in the list that the initial user is presented with.

Then the other user will confirm and complete the process, including verifying success of that transfer and agreeing that the contents are what they were expecting. In the case of adding another user to a social network or multiplayer game, they will let the instigating user know that they have been added to that network or game.

What does a successful across-the-room data transfer or user-discovery ecosystem need?

Firstly, it needs to be cross-platform in that each device that is part of a data transfer or user/device discovery effort can discover each other and transfer data without needing to be on the same platform or operating system.

Secondly, the process of instigating or receiving a data transfer needs to be simple enough to allow reliable data transfer. Yet end-users’ data privacy should not be compromised – users shouldn’t need to receive unwanted content.

The protection against unwanted discovery or data transfer should be assured through the use of time-limited or intent-based discovery along with the ability for users to whitelist friends whom they want to receive data from or be discovered by in the wireless-based context. Intent-based discovery could be to have the recipient device become undiscoverable once the recipient device confirms that they have received the sender’s data or, in the case of a local multiplayer game, the players have completed or resigned from the game.

Conclusion

The concept of “across-the-room” data transfer and user/device discovery needs to be maintained as a viable part of mobile computing whether for work or pleasure. Where operated properly, this would continue to assure users of their privacy and data sovereignty.
