Doogee launches T5 Android, with newer technology than T6. What happened to T4?

I like Chinese mobile phone maker Doogee. Their kit is great. Their marketing sucks more than a Hoover.

Today’s global launch was for the T5 “business” handset, which looks very like my trusty T2 (aka Titan 2, aka DG700). Except it’s supplied with two different backs so you can switch it for a silicone-looking one instead of the crocodile skin effect. Actually, the T2 was supposed to have interchangeable backs. But if you’re worried about what it looks like you now have a choice. I don’t care for the leather look, but then mine is kept in a case anyway.

Doogee T5

Over the last few weeks it’s body has variously described as plastic (I don’t think so) or titanium, as opposed to the chromed steel of the T2. I suspect it’s really made of unobtanium, and I won’t believe otherwise until I see one for myself.

Confusingly, Doogee has been announcing lots of successors to the fantastic T2, but the cheaper plastic X5 has really taken off in a big way so perhaps they’re busy flogging those instead. As the T2 is pretty much indestructible (shock proof, waterproof and being used as a hammer-proof), I don’t think I’m going to have to replace it any time soon.

Please generate and paste your ad code here. If left empty, the ad location will be highlighted on your blog pages with a reminder to enter your code. Mid-Post

So it turns out T5 has a similar specification – IP67 waterproof and a sturdy metal case. I know, because I’ve dropped the thing from height on to concrete several times, that the floating screen is very hard to crack. There videos of YouTube of lorries running over it. But unlike all the toughened phones I’ve had, it doesn’t look out of place in a boardroom.

The T2 has a 4Ah battery, which keeps me going for a couple of days – or even a week if I’m careful how I use it. My kind of specification. And the T5 looks to be identical, but the battery holds slight more. Okay, it’s got a faster processor too (8-core, ARM Corex A53, if you please), 3G of RAM instead of 1G, and 32Gb of internal storage instead of 8Gb. And of course the cameras have a lot more megapixels, but it’s still a phone camera. The 5″ screen is also full HD this time, if you’re using an magnifying glass.

Enough to tempt me away from the T2? Well not really. The T2 is damn good, and the only criticism I have of it is that the chrome has worn out on the corner I hold it by. That, and the silly case. The greatest practical difference will probably be the use of Android 6.0; the T2 was stuck on 5.0. Depending on your point of view, Android 5 may be A Good Thing.

But what the new phone appears to lack is the NFC chip needed for Android Pay. And a finger printer reader. These were the only thing missing from the T2. Come on guys!

But Doogee has communication problems with the English speaking world. They announce a lot of things, not all of them turn up and some are better than described. There is also supposed to be a T3, which has a small screen on the top edge (where you’d expect to plug stuff in!) and a smaller battery. But not waterproof or hardened in any way. The internal hardware spec seems similar, but I have no idea if/when it will every be available. There’s also a T6, again not waterproof but with similar hardware specification to the T5, other than less megapixels on the cameras. It’s noteworthy for having a 6.5Ah battery – nice! But it’s Android 5.1. On the other hand, you can at least buy it for around £90.

(Footnote – mobile phone cameras are all bad in my eyes, but then I use lenses that cost twenty times the price of a smartphone).

How long should my password be?

Don’t worry. I’m not getting into cryptography in any detail, and I’m going to try very hard not to mention entropy at all. There is so much confusion about passwords already, thanks to Hollywood movies and IT professionals parroting technobabble. I’m going to explain this in English.

What’s wrong with passwords?

If you’ve seen a cracker breaking into a computer on a TV programme, you’ll be familiar with the setup. Faced with a “login:” prompt, and imminent discovery by the guards walking down the corridor, they frantically type a few desperate things and suddenly the screen changes to “Downloading data, 15 seconds remaining”.

This is, of course, complete fiction. But how do crackers really steal passwords? Let’s assume they can’t guess it, because you haven’t used your kid’s name, “password” or “letmein” (the most common genius ideas from the 2000s). Weak passwords are still a problem, as is leaving a default password on something after installation. But assuming you’re not crazy enough to have one, there are still ways discover hard-to-guess passwords.

Password “sniffing”

The first method is obvious. If you type in your password with someone looking over your shoulder, it’s no longer secret. This may seem too simple to worry about, but it happens. And watch out for cameras. But it can also be done remotely, and this is what a keyboard logger Trojan does. This simple piece of malware intercepts everything you type on your keyboard, passwords and all.

Most malware you’re likely to be infected with includes a key logger, or may download one once the criminals have control of your device. Why wouldn’t malware spy on you while it’s at it? They’re also found on PCs in Internet cafes around the world. It’s amazing how many people lose control of the Hotmail accounts after accessing their email on holiday.

If your password is grabbed by a key logger, it’s complexity, or lack of it, really doesn’t matter. It’s compromised. The traditional defense is to ensure you use different passwords for each system and change your passwords frequently. The first is vital, the second wishful thinking. Changing your Gmail password before the criminals do is unlikely.

There is another solution – two factor authentication (2FA). When you get down to it, there are two ways to prove you are you. One is something you know (e.g. a password), and the other is something you have (e.g. a key, as in lock and key). It helps, think about the them as being a combination lock and a physical keyed lock in the real world. And a door lock that uses both is A Good Thing.

You may think that having a physical key is a perfectly good option, as the key is (effectively) unique. No one else has the key. But supposing you lost it? With 2FA, no one can use you key without also knowing the combination. And if your combination became known, it’s useless without the physical key.

Another good example is chip-and-pin bank cards.

Incidentally, you may hear people going on about MFA (Multi-factor authentication). What the third or subsequent factors may be is hard say, but for marketing purposes “multi” sounds better than “two”. (Bio-metrics are often cited as a third factor, but it’s effectively using your body as a key. In other words it’s still something you have).

Wholesale pilfering

But I’ve digressed. I was supposed to be talking about the second way of having your password stolen, and it’s also pretty simple: An attacker gets access to a computer containing a list of passwords, including yours.

Although it has been known to happen, there should never actually be such a list of readable passwords. That’d be crazy. If you don’t have a list of user-IDs and corresponding passwords, no one can steal it. If you do have such a list, expect it to be nicked.

But if there’s no list of passwords, how does a computer know if you’ve entered your password correctly? What is it checking your password against to see if it matches? That’s the cleaver bit.

What you do is keep a list of users, together with their hashed passwords. A hash is a code derived from your password, but which isn’t your password. When you log in, the computer derives the hash code from whatever you’ve entered and compares it with the stored hash – if they match then you entered the right password.

So how is a hash derived? How about an example. In our system a password is going to be a number, for simplicity. And I’ll call this number ‘p’ (for password). The resulting hash I will call ‘h’. Our hashing function (number 1) is going to be:

h = p x 7

Applying this to various passwords gives:

User (stored)Password (not stored)Hash (stored)
Tom 123 0861
Dick 200 1400
Alice 321 2247
Jane 567 3969
Table showing passwords hashed using trivial method

So, if Alice comes along and types her password as “321”, the computer hashes it and gets 2247. It then compares this with the stored hash, and open sesame.

If the user list is stolen, the thief won’t know Alice’s password is 321. Unless, of course, they divide the hash value by seven. Hash method 1 is pretty rubbish, as you can work it backwards.

But if instead of multiplying, you divided by seven then you wouldn’t be able to work backwards to Alice’s password if you only stored the integer part. Or the modulus. But unfortunately, one in seven passwords entered would also match. Unless you pick a suitably complex number – how about Pi, and ignore the integer part. If we do this, we end up with the following:

User (stored)Password (not stored)Hash (stored)
Tom 123 1521
Dick 200 6619
Alice 321 1774
Jane 567 4817
Harry???9915
Table showing passwords hashed using the improved algorithm

This is a much better hash, as you can’t reverse the method and retrieve the password. You can’t take Harry’s hash of 9915 and calculate what his password was. But, unfortunately, you can still work it out. If our passwords are all three digit numbers, there are only 1000 possible choices, and a computer could try them all in turn until if found a match. And this is why password complexity matters. If there are enough possible combinations it could take an unrealistic amount of time to try them all.

The next question to ask is “How many combinations are there?” I said at the start I’d keep the maths very simple, so you may want to skip this bit. But it’s not hard.

If you have a single character password that has to be a letter a-z, there are 26 possible combinations. That should be obvious. If you have two letters, the possible combinations are 26×26=676. Three letters is 26x26x26 (or 26^3)=17576 choices, and so on. In other words, if you take the number of possible characters and raise it to the power of the length you’ll have the total number of possible passwords. The following table gives the possible combinations for different lengths of password and sets of symbols.

lengtha-za-z,0-9a-z,A-Z,0-9 a-z, A-Z, 0-9,
~!@#$%^&*_-+=`

|(){}[]:;”‘<>,.?/
126365296
2676129627049216
31757646656140608884736
44569761679616731161684934656
51E+076E+074E+088E+09
63E+082E+092E+108E+11
78E+098E+101E+128E+13
82E+113E+125E+137E+15
95E+121E+143E+157E+17
101E+144E+151E+177E+19
114E+151E+178E+186E+21
121E+175E+184E+206E+23
132E+182E+202E+226E+25
146E+196E+211E+246E+27
152E+212E+235E+255E+29
164E+228E+243E+275E+31
Table of possible permutations based on password complexity and length

If you’re not familiar with the number format 2E+09, it simply means 2 followed by nine zeros. When we’re talking about big numbers, the number of digits is going to be more useful.

On the face of it, the last column, including all the punctuation characters, is considerably better than a simple choice from a-z. But look more closely and you’ll notice that adding a few more simple characters quickly brings the number of combinations up. For example, an eight-character really complex password has a similar number of permutations to a simple ten-character one. Or a nine-character password if you add 0-9 to a-z.

I don’t know about you, but I’d rather type simple characters rather than messing about with shift, capital letters and punctuation. This puts pay to Myth Number 1: using punctuation and suchlike is necessarily better. The extra keystrokes hitting the Shift key are greater than if you stuck to lower-case.

Actually, it’s a lot worse than that. Everyone knows that people capitalize the first letter, use a $ instead of S and stick a ! on the end – or something similar. If they’re forced to change the password regularly they add 01, 02, 03… and so on to the end, which means an attacker can try such likely variations first.

So the characteristics of a good password are, simply, something that’s complex enough that it would take an unrealistic amount of time to brute-force, AND which is easy to type. Forget easy to remember; it’s got to be random. Passwords containing words to bulk out the length are much easier to crack, as words can be checked for early on.

So how complex does a password need to be? Well that depends on how fast an attacker can cycle through all the possible combinations. Using a computer, does 1000 guesses a second sound reasonable? How about a million? In Your Dreams. The fastest password guesser I know of in private hands can test 400,000,000,000 every second. That’s 4E+11. If you used the full symbol set, at random, a six-character password would take less than a second. If you simply have a rule saying “must contain two out of digits, upper-case letters or symbols”, and people have just one of each to satisfy the requirement, it’ll be substantially faster.

Put another way, a fully secure Microsoft-standard random password with no mistakes will take about five hours, maximum. You can bet nation states and serious cyber-criminals are going to be faster still; I wouldn’t be surprised if it was minutes or even seconds.

So how long if I want to be safe?

So how long should your password be? Well I’d like one that can’t be cracked in 1000 years as a minimum. That’s 3E+10 seconds. The cracker runs at 4E+11 a second, so multiply them together and you get around 1E+22 combinations needed.

From the table above, 16 random a-z characters is enough, or 15 characters if you add 0-9. If you want to include punctuation and so on, and you really, really, don’t mind mixing them in at complete random, then 12 will be enough. But this is a minimum, and you’ll probably have to add a character every year.

The smart answer is to abandon passwords and use certificates instead.

Aussie Census takes a tumble

The Australian government bureaux of statistics had a census yesterday. Every aussie, wherever in the world they happened to be, and to fill in the on-line census form before midnight. For those living in London, they tried to do this late afternoon in order to meet the deadline. No luck! it’s down with a message saying “Sorry Mate, our servers are currently shagged. Please try later and we’ll forget about the fine this time.” Or words to that effect.

On trying again this morning, it was still out of action.

I wonder if all the Australians in the world decided to leave it to the last couple of hours of the day, and whoever designed the system didn’t consider what the peak load might be?

Please don’t click here to see for yourself, as their servers are overloaded enough already.

Update: 10-Aug-16 17:06

Apparently they’re now blaming it of foreign hackers or a DoS. There was some controversy about the security of an on-line census before the event; I see a “told you so” slanging match before long!

Five year old “new” malware discovered “by Kaspersky”

Yesterday Russian security company Kaspersky has released an analysis of what it claims is previously undiscovered malware, which has come to be known as Salron. Kaspersky’s analysis is incomplete, but contains more detail than was generally available in public beforehand. They admit it’s “probably” been around for five years, and this is true; but it’s not exactly unknown. The unknown group  behind the attacks has become known as Strider, and they’re using a backdoor program called Remsec. Details of this were published by Symantec a week ago.

Kaspersky’s conclusion is that this is a “Nation State” level piece of malware. It’s possible, but other than being very competently produced, I have seen no conclusive evidence to back the claim at this stage, but there’s quite a bit that’s circumstantial. According to Symantic, it’s been used to target relatively few organisations – mostly in Russia, with a Chinese airline and an unspecified embassy located in Europe. In other words, that naughty Mr Putin is at it again. Or is it the Chinese attacking their neighbour?

Based on the public analysis, it was written by some very smart people and avoids the mistakes made in previous systems such as Stuxnet. Kaspersky points to it being a rung up the technology ladder as an indication it was another government-sponsored effort, although in practice, anyone could learn the same lessons and produce a new generation.

AV companies have been detecting this for over a week, and it hasn’t thrown up a large number of infections. This is intriguing. Also, the way it works  to circumvent very specific and uncommon high-end security software indicates its in the APT category.

Microsoft, who’s operating systems it attacks, has yet to comment.

Quadrooter – major security bug in Qualcomm Android drivers

Check point software claims to have found what it calls a serious vulnerability in Qualcomm software running on LTE chip-sets used in many Android ‘phones. Apparently they informed Qualcomm about six months ago, and they’ve now modified their drivers to stop it in future, and issued patches, but I doubt many of the 900,000 of the devices already sold with the LTE chips will end up being patched. LTE is two-thirds owned by Qualcomm.

Check Point has released an App to check whether your phone is vulnerable, but it’s up to the device manufacturers to actually push the patch on to their users. The major ones may, but the majority of handsets are of the cheaper variety, sold in third world countries, and not as well supported.

Normally I’d treat stories like this with a bit of caution, and I’ve yet to fathom exactly how ti works. However, Check Point’s description is scary – and the Israeli company isn’t known for hype. Basically, the flawed Qualcomm chip-set drivers have flaws that allow a downloaded App to gain root access without the need for any unusual permissions. This is bad.

Check Points advice is to only trust Apps installed from Google Play, which is ironic given that as recently as this May they released a report saying you shouldn’t trust Apps from Google Play as too many nasty ones crept in.

Windows 10 Free Upgrade failure

Last Friday was the last chance to get a free upgrade/downgrade from Windows 7 to Windows 10. The Microsoft checking utility confidently announced my system was compatible, but I doubted that as I was running stuff in XP Mode, and some old Chicago (Windows 9x) software. But I thought I’d give Microsoft the benefit of the doubt and try. But before that I backed up the entire hard disk.

Giving Microsoft the benefit of any doubt is always a bad plan, and in my case the installation died half way. The update was apparently downloaded, but I left it all weekend and it failed to install.

It’s hard to see why anyone who knows about computers used for serious purposes would consider “upgrading” to Windows 10 a good idea. I’m not sad I had to revert to the backup and get my Windows 7 machine back. Windows 8+ completely failed to implement the backward compatibility that Microsoft used to do so well. Upgrading DOS or Windows meant you could keep your legacy applications and hardware, but switching to OS/2, Apple, UNIX or Linux meant you could not. Now upgrading Windows means ditching older software too – in my case, I suspect my company’s accounting system. If you’re going to do anything as rash as that, you might as well break free from Microsoft completely and choose a whole new platform.

I was expecting to write something slamming Microsoft for messing up my PC this morning, but thanks to their complete incompetence, the upgrade didn’t work anyway.

Parent Pay adds fuel to its fire

Following a disastrous software “upgrade” on 6th June, it appears that ParentPay, the controversial on-line payment system used by many schools, finally appears to have noticed it has a problem. In an email sent to all its 1.7 million victims users today, CEO Clint Wilson apologised that people were having difficulties with the new system and conceding their support service was overwhelmed. He promised to fix the problems and get it right over the summer.

Perhaps in order to emphasise the fact that he really don’t know much about this technology stuff, the email was sent in a Microsoft-only format, with an invitation to “view it in your web browser” if you weren’t using Hotmail, or whatever else it was designed for. It really doesn’t bode well.

The ParentPay website was always awkward, requiring very specific web browsers in order to operate, and using insecure technologies rather than HTML. The latest update relied very heavily on JavaScript and assumed specific screen resolutions, forcing people to upgrade browsers and wait for updates in order to use it – and it looks ridiculous on a desktop-sized screen.

At the same time ParentPay implemented a system where parents were made to pre-pay in to the account and then allocate funds later, rather than paying for the items at the time they were selected/purchased. Subsequently the company has sought to defend this tiresome system as an initiative to help low-income families, although exactly how pre-payment does this isn’t clear. The fact that ParentPay is left holding money for longer before the school gets is probably didn’t even cross their mind.

Parents, already leery about the whole ParentPay system and the way it has been imposed on them by schools in spite of widespread long-standing dissatisfaction, have taken to social media to slag off the crass software update and appalling customer service..

It’s a sad fact that schools and local authorities lack the necessary IT savvy to spot a turkey when its marching up and down in front of them, and instead opt for “safety” in numbers. I don’t actually blame the schools for this – it’s not their job. It’s the government and local authorities that are unable to provide good advice – but local authority and government IT projects are, of course, a byword for expensive shambles.

Am I being phished?

Today I received an intriguing email with a Microsoft Word attachment implying I had money coming to me if I filled in a form. Yeah, right. I was just about to hit delete but I was a bit surprised the sender was addressing me as Prof. Leonhardt. It’s hardly the first time someone’s got this wrong – and to be on the safe side I can see why people might start high and work backwards through Dr. and so on, as people who are about such matters are only offended if you start too low.

But why would a botnet add the title?

On closer inspection I recognised it was a royalty payment enquiry from a publishing company that had actually done a book for about five years ago. I didn’t expect it to sell (it wasn’t that kind of book), so hadn’t thought much about out.

But I still haven’t opened the attachment. The email headers suggest it came from the publisher, but they can be forged. And this could be a clever spear-phishing attempt – after all, if you bought the book, which was largely about email security, you’d have the name of the publisher and my name – and the email address used can be found using Google.

I don’t believe I have ever been spear-phished before, so I’m feeling a bit more important than I did yesterday.

Time to fire up the sandbox!

FreeBSD, ZFS and Denial of Service

I’ve been using ZFS since FreeBSD 8, and it has it’s uses. It’s pretty be wonderful and all that, but I was actually pretty happy with UFS, and switching to ZFS isn’t a no-brainer.

So what’s the up-side to ZFS? Well you get more error checking and correction and it’s great for managing huge filing systems. You can snapshot and roll back, and do lots of other wonderful stuff with datasets and rive arrays. And it’s more “auto” when it comes to allocating disk space. But call me old fashioned if you like; I don’t like “auto” if I can avoid it.

Penguinistas might not “get” this next bit, but on a UNIX system you didn’t normally have One Big Disk. Instead you had several, and even if you only had one, you’d partition the slice it up so it looked like several. And then, of course, you’d mount disks or partitions on to the root filing system wherever you wanted them to appear.

For reliability, you could also create mirrors and striped RAIDs, put a FS on them and mount them wherever you wanted. And demount them, and mount them somewhere else, and so on.

ZFS does all this good stuff, but automatically, and often as One Big Disk. A good thing? Well… if you must. But there are a few points you might want to consider before diving in.

First off, I like to know where and on which disk my data actually resides. I’m really uneasy with ZFS deciding for me. If ZFS loses it, I want to know where to find it. I also like having a FS on each drive or partition, so I can pull the drive out and mount it wherever I want to get data off – or move it from machine to machine. It’s my data, I’ll do what I want to with it, dammit! You can do this virtually with ZFS datasets, but you can’t unplug a dataset and hold it in your hand. Datasets, of course, are fluid rather than fixed in size, so you don’t need to guess how much space to allocate.

Secondly, with UFS I get to decide what hardware is used for each kind of file. Parts of the FS that are rarely used can be put on slow, cheap, huge disks. The database goes on a velociraptor or better, and the swap partitions – well! Okay, you can use multiple zpools for difference performance situations but then you’re using it like UFS.

Thirdly, there’s a price for all this ZFS wonderfulness. Apart from the software overhead, the Copy-on-Write business needs a lot of RAM to maintain good performance. Fragmentation no the physical drive is guaranteed. If you’re running software (e.g. a database) that uses random access files and lots of transaction, UFS with its in-place modification wins out. A DBMS will take care of its own consistency and storage optimisation, and it has the edge as it knows what the data represents at the application level.

But what of the Denial of Service problem in the headline? Okay, it’s been a bit of a ramble, but this is something you must consider.

There are always management issues with One Big Disk. Linux users seem oblivious to this, but this doesn’t mean putting everything on a big partition is a great plan – even if you’re using a single disk in practice.

With the old way of having multiple partitions, each with an FS, mounted on the directory tree, when an FS on a partition/drive filled up, it is was full. You couldn’t create more files on it. You either have to delete unwanted stuff, or you can mount a bigger drive in its place. With One Big Disk, when it’s full, it’s also full. The difference is that you can’t write any data anywhere on the entire FS. And this is where DoS comes it.

Take, for example, /var/log. Any UNIX admin with a bit of sense will have this in its own partition. If some script kiddie then did something that caused a lot of log file activity, eventually you’d run out of space in /var/log. But the rest of the system would still be alive. With UFS the default installation process created partitions with sensible sizes. Using the One Big Disk principle, ZFS satisfies the requests of any disk-eating process until there isn’t a single byte left anywhere, and then rolls over saying the zpool is full. Or it would say it if there was a monitor connected to the server in a data centre miles away, and there was someone there to look at it.

With ZFS you can set a limit to the size on a dataset-by-dataset basis and prevent this sort of thing from happening. But it doesn’t happen by default, so set your quotas manually if you’re plonking the OS, and in particular /var on it.

Okay, this might sound a bit anti-ZFS, and I’ve yet to have a disaster with a ZFS system that’s required me to move drives around, so I don’t really know how possible it is when the chips are down. And ZFS has is a nice unified way of doing stuff, rather than fiddling around with geom and the FS separately. But after a couple of years with FreeBSD 10, where it became practical to boot from ZFS, shouldn’t I be feeling a bit more enthusiastic about it?

Having a ZFS pool attached as a data store rather than as a boot device is, of course, a different story. That’s when you see the benefits. But it does also eat resources, so I want the benefits to be worth it for the particular application. For the time being I’m putting the OS on UFS, usually with a data partition for databases to thrash, and userland putting simple files on ZFS – best of both worlds.

BBC plays the temperamental chef

Today the BBC hit back after being told to do its job. The white paper on its future told the public service broadcaster that it needed to produce public service output, rather than duplicating material ably produced by the commercial sector. The phrase used was “distinctive output”, and this was repeated ad nausium in its reporting of this morning’s story that it would be dropping its popular web recipe archive.

The reason given was that this was not “distinctive output”, and according to Radio 4’s Today programme, it was to save £15M/year from its on-line budget. Really? Anyone who knows anything about web publishing can tell you that publishing recipes is cheap, especially when you already have them. A quick look around the BBC more exotic on-line offerings will soon show where the money really goes.

So what are they up to? Politics, of course. The liberal elite running the BBC isn’t happy about being reminded how it is supposed to be spending our money, and is acting up in a disgraceful manner.

In its own on-line reporting of the matter, the BBC is linking this to the new requirement to publish details everyone having their celebrity lifestyle funded by more than 450K  of our license money. This is going to be be awkward for the luvvies and the star-struck BBC executives fawning over them.

It’s about time the BBC started serving the people who pay for it. It’s hardly impartial when it comes to politics; it’s right in there playing politics itself – albeit the playground variety.