Friday, August 26, 2016

SurfaceBook's 1st Birthday approaching - How's it Really Been?

Hi all,

I've has lots of requests to update my judgement on the SurfaceBook. In this short update I try to go through my experiences and thoughts about the future.

In the beginning of November my 1 year guarantee will end and before that I'm luckily going to US as I have to return the device. The thing that amazed me the most is (not that surprisingly now that I think about it) actually the reason to take it back: The Hinge. Since a few months now the problem has been that when I crab the tablet part of the Book the connection between the tablet and the keyboard breaks. At home this means that for an annoyingly long 1 minute or so I lose my external monitor, LAN, keyboard and mouse. While training on Skype for Business or doing some webinars this much more dramatic as I lose the connection to my headset which then disconnects me from the call. If I'm presenting in a big conference I lose my connection to the projector so this is one of the biggest game stoppers for me.

Now a hinge can probably be repaired but now it's time to think about what I really need from the Book and why would I keep using it. This is not to include the reason of paying crazy amount of money for it of course.

What I need or don't need from the Book compared to others:

  • The Pen. This is what made me choose it over the Dell XPS 13.
  • The camera
    • I just can't live with the XPS's camera pointing at my fatter and fatter chin... That's just a looks issue but the technical is more important which is the compatibility with the Windows Hello facial recognition. Now I just realized I really need it only maybe four times a year as a fingerprint reader is more convenient for my use anyway. I now have an Intel RealSense R200 for my demos which is a lot smaller than the previous one I had which was the F200. The feature is FUN that's for sure but when thinking about my primary machine - not a game stopper anymore.
  • The Tablettability (I just came up with the term)
    • Adults honestly?? I only detach the tablet from the keyboard for the short amount of time when my plane takes off or lands. The time when you need to put your laptop away. Now with the iPhone 6s Plus I actually use that to watch videos for that short time so for the past two months I haven't detached it once except to brag to friends about the cool mechanics (that don't work anymore...). When I detach I lose all connections to projectors, all USB-devices, more than half of my battery, my external SSD and all the juice of the GPU in the keyboard base. The connection-thingy looks very neat but when I need to fold my laptop to a tent to draw for my students I need to detach and turn the tablet around which again means I lose all the connections for a while. So if you compare this to HP's devices or Lenovo's Yoga series, this is a really big disadvantage :(
So from the previous perspective I can probably live without the Book. Now what's still wrong with the Book after almost a year of ownership:

  • The USB-issue is still there :( So after every build upgrade of Windows 10 I need to install a false USB Controller and a USB Hub driver. That is to keep my external SSD's working.
  • The wireless issue is still there. SurfaceBook is still the only one of my machines that doesn't work with my wireless presenter from Logitech. That's not a game stopper as I have the Kensington BlueTooth one that works perfectly.
What do I now want:

  1. I still believe that the Book has huge potential and it is easily the coolest and best device from Microsoft that I have ever had. I can't wait to get the next one (I guesstimate it's 2017 spring) to see how it will be and will it make me a SurfaceBook lover again.
  2. I am going to buy something else.. If not before then at least after writing all down to this blog post do I realize I can make my life easier. I need a higly portable UltraBook with i7, 16GB or RAM, 8 hours of batterylife, 1TB SSD, a normal camera and at least a DisplayPort connection and a USB3 or 3.1 port. I don't need a tablet, I don't need a pen or a touch screen, I don't need a Windows Hello Camera, I don't need a USB-C only option for network/screens and I absolutely don't need a US keyboard...
  3. I think I'm going to get my hands on a Lenovo X1 Carbon and an X1 Yoga to start testing how my relationship after the honeymoon will be with either one.


Thursday, August 11, 2016

Biometrics – Have your fingers been pwned?

First to start with I believe biometrics are in many ways the future of authentication but sometimes people forget to think about the bad sides as well – when they get too excited. I wanted to take some time and write down my thoughts on this and related topics. I’m talking about Security Internals in Estonia this year ( and I started to gather my thoughts on current trends in security and that gave me the inspiration to write this article. One important trend in my life also changed dramatically this summer as I and my family moved to iPhones. I still think that Windows OS is the best one that there is for mobile phones but at some point the lack of stability and apps just threw me over the Edge. “Over the Edge” in this context is actually just funny if you ask me ;) The iPhone introduced me with the simplicity of using my fingerprint to authenticate to my phone and boy did I welcome this ease! After the honeymoon with my new iPhone I started to seriously consider about this. In the next few paragraphs I’m going to talk about some common questions/comments I get and some points that I don’t believe all people totally understand.


#1 Ease of changing a password


I hope all of you know the best website out there monitoring system breaches called It’s run by a fellow PluralSight author and highly appreciated security expert called Troy Hunt. So what if you lose a password as you just need to change it, right? Right. So now what happens if your biometrics get stolen? You change your finger? Or even worse your face or your retina? So to cut corners a bit you can only be ten times pwned when it comes to your fingerprints.


#2 Lack of true biometric data in Windows


This is what I hear quite often: “Why do we still need to use a password in Windows which is then protected by a PIN or a biometric info? Why can’t we yet in 2016 save the biometric data to Active Directory and just use that?” Think about the previous point and the bad thing about not using a password. If your fingerprint is value 400 and your password is value 400 we can calculate a value of 160000 by multiplying them. If I lose my biometric data to someone I just need to change the password to invalidate the result. So from this perspective I am happy that my true biometric data is not stored in my AD as it would make it more probable for someone to steal my true identity and a lot harder for me to recover when it happens – and it will.


#3 Difference between physical and mental proof of ownership


By law in US you can be forced to use your finger or your “face” to open your device. By law you cannot be forced to give your PIN code to open your device. I would say I have nothing to hide and I’m not a criminal so it doesn’t really matter but many people don’t like the fact that a device with a biometric protection can be used to incriminate you and one with a PIN code can’t.


#4 Why Windows wants me to use a 4 digit PIN code when I have a 16 character password?


When you install Windows 10 and start using any cloud related features it will ask you to change to using a PIN code even if your password would be a lot stronger mathematically. This is because this PIN code protects your password on that certain device. If your real password is stolen all of your physical devices can be used to access your data but with the PIN code only that one device is compromised. That is if you use a different PIN on different devices – As this has always been the suggested best practice I’m sure all of you adhere to it ;) BTW. If your computer has a TPM then that is used to store the PIN making it very secure but if you don’t have one then the PIN is actually just saved in the registry making it a lot less secure.


#5 How do I do it?


To finalize I believe it’s fair to share how I do it personally. So here are some of my best practices I know I use and I also really, I mean REALLY, have the strength to follow.


-          My Windows passwords are always passphrases that have at least 15 characters, have at least characters from three different character sets and have numbers in the middle. So for example Jakedrank16beers! is a very good password but easy to remember. Most people use numbers at the beginning or the end and that’s also programmatically a lot easier to break so put them in the middle. I’m not trying to play Mother Teresa here so next time Jake might have drunk 17 beers ;)

-          I protect that password with facial detection on my SurfaceBook and with different PINs on my tablets that don’t have a keyboard.

-          I will never buy a device that doesn’t have a TPM, and I’d prefer them to have an IO-MMU for future features.

-          When signing in to websites I have a strong base-password but I use the two first letters of the websites Top Level Domain name to make it more unique.

-          I always use a password manager. I prefer LastPass although I hate that they were acquired by LogMeIn and I know they have had their break ins. It is still the only tool that does everything I need.

-          I never logon as an Admin to my workstations! And my Domain Admins are always prevented by policy from logging on to any computer except Domain Controllers

-          And YES, on my iPhone I use a fingerprint – the ease of use wins in my case – at least with my personal phone.

-          If you would ask me what the secure authentication of my choice would be I would like it to be a PIN+Biometrics so I could have a strong protection, easily change the password, not forget my dongles and not too complicated a method to use.


Stay safe,