
Bill Bennett


Tag: security

This is not a Huawei P40 Pro review

In March Huawei launched the P40 Pro. It is the company’s latest flagship Android phone.

Going by the reviews, the hardware is as good as it gets for Android.

It could have been a contender for 2020’s best phone.

Yet there is more to a phone than hardware. If anything the software and services are more important. So is the way these two integrate with the phone hardware.

Android, not Google

This is a problem for the Huawei P40 Pro because it is the first major Android phone from a top brand that doesn’t include Google Mobile Services.

Last May the Trump Administration placed heavy sanctions on Huawei. The company is not allowed to licence or otherwise use US-made technology.

Which means Huawei’s new phones can only use the open source version of Android.

Moreover, new Huawei phones can’t offer Gmail, Google Maps or YouTube. Huawei is cut adrift from the Google Play Store. You can’t pay for stuff using Google Pay.

Clever, up to a point

Huawei has found one clever workaround for the problem. It has re-released versions of earlier phones that are still allowed to use these services. The Huawei P30 Pro recently appeared complete with everything Android.

That works if customers don’t mind buying what could be thought of as old technology. Not that 99 percent of users would ever know the technology is old, it still feels modern enough. As my P30 Pro review says, you get a lot of camera.

Homegrown ecosystem

P40 Pro buyers are stuck with Huawei’s own homegrown ecosystem. You get Huawei’s unexciting EMUI 10 operating system wrapped around Android and a handful of substitute apps. The apps might get the job done, but while some buyers may be satisfied others may not warm to them.

Huawei also offers its own App Gallery. The company said it was going to, or maybe that it will, spend a billion US dollars on the gallery. It has 3,000 software engineers working on it.

Whatever the claims, it’s like entering an Eastern Bloc shop in the bad old Cold War days. There are gaps everywhere and many apps are limp, pale copies of the real thing.

Even the included email app is, well, not a patch on Gmail. Huawei really ought to have poured some resources into making that one sing and dance.

If you are hooked on Facebook, there is no app. In fact you won’t find any of the most popular apps.

A brave decision

You’ve got to really want a Huawei P40 Pro to get one. Or you have to be extra keen to stick-it-to-the-man.

For a start, the P40 Pro isn’t listed in the Spark or Vodafone online stores at the time of writing. You could buy it from 2degrees at NZ$1500 a pop or on a plan.[1]

Then the challenge is making it work the way you’d want an Android phone to work. A lot of geeky folk are attracted to Android precisely because it does offer more scope for tinkering than Apple’s iPhone.

No doubt some of these will enjoy the P40 Pro challenge.

Security melt-down

You can use third-party app stores. If you work for a corporation your IT security people will probably have a melt-down at the thought. There are downloadable and published hacks and so on. Android is already a minefield for malware and scams. Heading into this territory is not for the faint hearted.

Patching security updates is likely to be troublesome and P40 Pro owners may even be violating the terms and conditions for services like online banking using such risky software.

Huawei has made some great phones over the years. In another world, the P40 Pro would probably be among them. But it isn’t. Whether its handicap is fair or reasonable is one thing, but regardless of those matters, it would not be wise to sink $1500 of your own money into a crippled phone.


  1. The marketing material at the 2degrees site doesn’t go anywhere near mentioning the phone is not like other Android phones. This could be grounds for getting your money back if you feel duped.

The case against online voting

Laurence Millar:

I do all my banking, travel booking, shopping and communicating online.  Surely in the 21st century, I should be able to vote online? If you are voting to elect the president of your sports club, then online voting is convenient and easy. But it should never be used to elect our government[…]

Source: Online voting? No thanks! – NZRise

It’s comforting to see someone as knowledgeable and experienced in government computing as Laurence Millar choosing to speak out about the dangers of online voting.

He makes all the points you might expect: the risks are too high and the rewards for ratbags are too tempting. We know for certain that criminals and unfriendly governments have intervened in election campaigns. Some even boast about it. So it’s realistic to assume they will turn their attention to an actual vote.

The reality is almost no computer system is foolproof. And few are immune from attackers who are prepared to throw enough resources at breaching security.

But there’s more. Millar writes:

…the chimera of manipulated votes is in itself sufficient to undermine confidence in the result of the election.

And this is just as likely to be the goal of those who would attack elections. Yes, they’d love to manipulate the vote. But they also want to undermine the very idea of a democratic vote.

This suits their purposes almost as much.

Millar’s other points are all valid. It’s worth reading the original post.

Yet something else bothers me about the idea of an online election in New Zealand. Typically projects of this nature are put out to tender and awarded to the lowest bidder.

Tender writers may talk about how the project won’t just go to the cheapest bid, but also about the values, privacy, security and yada, yada, yada that need to be embodied in the system.

We all know the reality. Lower prices win.

We’ve seen this time and time again. Tender responses may be full of piety and goody two-shoes language about protecting this and respecting that.

Words are cheap.

When push comes to shove, saving a few bucks here and there will impress the organisation issuing the tender more than anything else.

It always does.

And even if money is no object and the first tender goes to a first class bidder who does everything right, when it comes up for renewal someone else will be purchasing.

Or the next time. Or the time after that.

Sooner or later cheapskates or, just as bad, companies that are better at lobbying governments than delivering on promises will get the job.

Before you know it there will be an argument for, say, using an overseas cloud provider or a well known brand that hasn’t done a sterling job managing its own digital security in the past.

It is in the nature of these things. Sooner or later we are disappointed.

Y2K bug has a 2020 echo

The millennium bug is back with a vengeance, after programmers in the 1990s simply pushed the problem back by 20 years.
Source: A lazy fix 20 years ago means the Y2K bug is taking down computers now | New Scientist

The New Scientist reports on problems with software caused by an echo of the Y2K bug that had everyone excited in the late 1990s.

It turns out one of the fixes then was to kick various software cans down the road to 2020. In theory that gave people 20 years to find long term answers to the problems. In some cases they might have expected software refreshes to have solved the issue.

As the New Scientist reports:

Parking meters, cash registers and a professional wrestling video game have fallen foul of a computer glitch related to the Y2K bug.

The Y2020 bug, which has taken many payment and computer systems offline, is a long-lingering side effect of attempts to fix the Y2K, or millennium bug.

Both stem from the way computers store dates. Many older systems express years using two numbers – 98, for instance, for 1998 – in an effort to save memory. The Y2K bug was a fear that computers would treat 00 as 1900, rather than 2000.

It turns out that as many as 80 percent of the quick fixes in the 1990s used a technique called ‘windowing’. This meant treating all dates from the 00s to 20s as 2000 to 2020 instead of 1900 to 1920.

In one case people selling cars got acknowledgements from the UK Driver and Vehicle Licensing Agency dated in the early years of last century. That’s not going to cause havoc, but you can get an idea of the problem.

There’s another problem in the offing. The year 2038 problem.

This happens because Unix time started on January 1 1970. Time since then is stored as a 32-bit integer. On January 19 2038, that integer will overflow.

Most modern applications and operating systems have been patched to fix this although there are some compatibility problems. The real issue comes with embedded hardware, think of things like medical devices, which will need replacing some time in the next 18 years.
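The windowing fix and the 32-bit overflow described above, as an added example that is not from New Scientist or from any affected system. The pivot of 20, the permit record and all function names are assumptions made for illustration; the sliding window is one common alternative, not something the article prescribes.

```python
import struct
from datetime import date, datetime, timedelta, timezone

PIVOT = 20  # assumption: two-digit years below the pivot are read as 20xx


def fixed_window(yy, pivot=PIVOT):
    """Expand a two-digit year with a fixed pivot (the 1990s quick fix)."""
    if not 0 <= yy <= 99:
        raise ValueError("two-digit year expected")
    return 2000 + yy if yy < pivot else 1900 + yy


def sliding_window(yy, today, span_ahead=20):
    """Expand relative to the current year, so the window moves with time."""
    if not 0 <= yy <= 99:
        raise ValueError("two-digit year expected")
    latest = today.year + span_ahead          # newest year we accept
    year = latest - (latest % 100) + yy       # candidate in latest's century
    return year if year <= latest else year - 100


def days_until_expiry(issued_yy, expiry_yy, expand):
    """Validity of a constructed permit record holding two-digit years."""
    issued = date(expand(issued_yy), 1, 1)
    expiry = date(expand(expiry_yy), 1, 1)
    return (expiry - issued).days


def as_int32_seconds(moment):
    """Store a UTC datetime as a signed 32-bit Unix timestamp, wrapping."""
    secs = int(moment.timestamp())
    return struct.unpack("<i", struct.pack("<I", secs & 0xFFFFFFFF))[0]


EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
LAST_INT32_SECOND = EPOCH + timedelta(seconds=2**31 - 1)

if __name__ == "__main__":
    # Fixed pivot: a permit issued in '19 and expiring in '20 expires in 1920.
    print(fixed_window(19), fixed_window(20))
    print(days_until_expiry(19, 20, fixed_window))
    # Sliding window evaluated in 2020 reads '20 as 2020.
    now = date(2020, 1, 1)
    print(days_until_expiry(19, 20, lambda y: sliding_window(y, now)))
    # Year 2038: one second past the last representable value wraps negative.
    print(LAST_INT32_SECOND.isoformat())
    wrapped = as_int32_seconds(LAST_INT32_SECOND + timedelta(seconds=1))
    print(wrapped, (EPOCH + timedelta(seconds=wrapped)).isoformat())
```

A negative validity period or a timestamp that jumps back to 1901 is the kind of value that makes downstream checks (expiry, ordering, log retention) fail in ways that are easy to miss.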

To my knowledge no-one in New Zealand has come across similar 2020 problems. Or have they? If you know of any please get in touch.

The great virtual private network con job

A virtual private network has its uses. But only in limited and narrow cases.

Most people don’t need a VPN. That won’t stop advertisers barraging you with scare stories.

The Electronic Frontier Foundation makes this point in Why public Wi-fi is a lot safer than you think. It says widespread use of HTTPS encryption means a virtual private network is often overkill.

“In general, using public Wi-Fi is a lot safer than it was in the early days of the Internet. With the widespread adoption of HTTPS, most major websites will be protected by the same encryption regardless of how you connect to them.”

If you are still scared of public Wi-fi, use a mobile data connection. It is far more secure and works out far cheaper in the long term.

Digital snake oil

VPNs are often sold to people who don’t need them. For most users they are digital snake oil. You might as well buy a charm to ward off evil spirits.

Companies selling virtual private network services charge a lot for not much. They are cheap to set up. Which means VPN margins are high. It’s a lucrative business.

If you are tech savvy you could build your own. It isn’t hard.

Although most people don’t need VPNs most of the time, a minority do.

Helpful when government is repressive

Say you live in or travel to a place where the government restricts internet activity. A VPN can help. In effect it digs a tunnel for your data to pass through firewalls and other digital obstacles.

At least, it does that until the government concerned cracks down on VPNs.

On my first visit to China a VPN helped me get around internet restrictions.

With a VPN I could use Gmail and Outlook.com to send mail. It let me connect to Google and popular social networks. I used it to connect to my WordPress account. There was no problem using iCloud or OneDrive with the VPN switched on.

None of this worked if I switched off my VPN.

What happens in China stays in China

By the time I returned two years later, China was better at frustrating the VPN.

My VPN’s activity was erratic. It disconnected again and again. Some of the time it didn’t work at all. It’s reasonable to assume governments have now figured out their VPN workarounds.

That’s not to say a VPN isn’t useful in these circumstances. Governments tend to be more concerned about restricting their citizens. Overseas visitors are not the main target, so governments may tolerate some use.

Although I couldn’t use my VPN on public networks on my last China trip, I could use it from my hotel room.

Big end of town

You may also need a VPN if you work for a large corporation. They may insist you use a VPN when connecting to the digital mothership. Corporations can be targets for online criminals. Insisting on a VPN may reduce the threat.

HTTPS encrypts data end-to-end. People watching don’t know what’s going on in your messages, but they can view your metadata.

In other words, they know which sites you visit, but not the pages on a site. Metadata may be all a criminal needs to find vulnerabilities if they have other parts of the jigsaw.

This argument doesn’t apply when you use your device to check your bank balance or read Gmail. Knowing you’ve connected to Westpac or Gmail isn’t that helpful to a criminal.

Geo-blocking

A second practical VPN application is bypassing geo-blocking.

Bypassing a block doesn’t have to be illegal. There are legitimate reasons to do this. And there are activities that are, well, let’s say ambiguous.

Services like Netflix negotiate content rights on a territory by territory basis.

Say your favourite TV show is available to US Netflix customers but not in New Zealand.

A VPN can make your connection appear to be coming from wherever you choose. To Netflix, a New Zealand customer may appear to be in the US.

Using a VPN terminating in the US makes it look as though you live there. Some streaming services don’t ask questions if you use a New Zealand credit card to subscribe. Others do. There’s a wealth of expertise around the subject of getting past geo blocks.[1]

Pirates, criminals, persons of interest

Pirates use VPNs to hide their illegal activities from authorities. There is no grey area here, piracy is illegal. By using a VPN their ISP has no idea what is going on, nor do the authorities.

There are worse criminal online acts where a VPN can cover the tracks, up to a point. One thing to keep in mind is that anyone looking hard enough can tell a VPN is being used.

Not all VPNs are created equal. Some are trustworthy even if the sales pitch might be a touch insincere. Take extra care with free VPNs. They are often data gathering exercises. A free VPN may hide your information from your ISP and the authorities, but it is being stored elsewhere. These ratbags then share your data with other companies.

Some free VPNs are criminal in intent. As is often the case, the worst examples are in the Android world. Some Android VPNs push malware on to your computer.

“In 2017, researchers from Australia, the UK, and the US studied 234 VPN applications available on the Google Play Store. They discovered that more than a third of these apps used malware to track users’ online behaviour.”

Ciso Magazine.

See also 29 VPN Services Owned by Six China-Based Organizations.

Virtual private network overview

At this point there’s little practical advice to offer readers other than “be wary of free VPNs”. If you are squeaky clean, don’t deal in secrets and don’t travel to locked down countries you don’t need a VPN. If you think you do need one, take care. It’s a minefield out there.

 


  1. Go and look elsewhere. It’s not hard to find.

UK resists US pressure to ban Huawei 5G kit

American pressure failed to stop Huawei, the Chinese telecommunications equipment company, from taking part in the UK’s 5G network. While the move has implications for New Zealand, little is likely to change here in the short term.

The British government said it would not ban Huawei hardware despite more than a year of heavy lobbying from the Trump administration. Much of the case against the company rests on claims it has close ties to China’s Communist Party and poses a security threat.

Britain’s move is significant because the nation is seen as one of the US’s closest allies. It is also a member of the “five eyes” group of countries, which also includes Australia, Canada and New Zealand. The five nations have an intelligence sharing agreement.

Huawei has found itself at the centre of a geopolitical power play. The US has threatened to curtail intelligence sharing with countries that allow Huawei equipment into strategic networks. Meanwhile China has hinted at economic retaliation against nations that reject Huawei hardware.

Supplier diversity

One reason nations like the UK are willing to permit Huawei’s involvement in strategic networks is that it gives a diversity of suppliers. Only a handful of companies are capable of building and installing advanced 5G mobile networks.

Huawei was not mentioned by name when the British government announced its decision. Instead it talked in terms of “high-risk vendors” that pose greater security and resilience risks.

The decision is something of a compromise. Huawei, and any other “high-risk vendors”, will only be able to supply certain parts of the network infrastructure. This might include antennas and base stations.

High-risk vendors are limited to a 35 percent share of any network.

“Disappointed”

The official word from America is that the US government is “disappointed” by the decision. It reiterated its claims about Huawei being mistrusted.

Huawei has repeatedly denied that it is controlled by the Chinese government. To date no-one has found any credible evidence of the company or any national government using Huawei hardware for intelligence gathering.

Huawei is the world’s largest telecommunication equipment supplier. It has grown rapidly in the last decade to the point where it dominates development in the mobile sector. Huawei was also the driving force behind getting 5G standards accepted.

Officially the UK decision has no influence on Huawei’s role in New Zealand mobile networks. Yet Britain’s acceptance of the company is likely to alter perceptions in many markets including here. It also gives Huawei ammunition in its New Zealand campaign.

There are arguments for and against Huawei, but it’s hard to get away from the negative case being at least as much about geopolitics as security.

At BusinessDesk Paul McBeth writes: “Andrew Bowater, deputy chief executive of Huawei New Zealand, said the UK decision was encouraging and showed it was time for New Zealand’s government to engage with his company and its customers on how to find a way forward.”

Another angle that will be of interest here is the realisation that a Huawei ban could have cost the UK billions. Without Huawei, there is significantly less competitive pressure on equipment makers, which means higher prices.