balancing software engineering & infosec

Thoughts on AirPods Max

posted on Wednesday 9th of December 2020

$550 for a headset. That is a lot of money… but at the same time this is less than some people pay for cables. The audio market is a curious one: Some people „can hear things“ you can physically not hear. Others cannot tell the difference if frequencies below 1000 Hz are present or not. From „I do not care“ to „I CAN SEE SOUND“, everyone finds a spot on the audio spectrum represented in most discussions.

It is easy to focus on the price and declare the AirPods Max a sad joke. Especially considering Apple's last over-ear headphones are not that well regarded. There are enough people who like their Beats Studio 3. I am not one of them, but this shows that a lot is subjective when it comes to what you consider good audio and to an extent good headphones or headsets.

For the price I would expect the AirPods Max to be somewhere in a class between the beyerdynamic MMX 300 and the DT 1990 Pro. (I am picking those two as I am familiar with them and really like them.)

But there’s a catch here: You cannot make a direct comparison between AirPods and traditional headsets. Ease of use, automatic pairing and switching between devices, spatial audio and much more are things that traditional headsets just don’t do. Still, I expect them to sound as good as the aforementioned headsets. Surprisingly enough they got a physical button and not one of those insanely stupid touch interfaces, that’s a bonus point. (I would pay extra money for that alone – „AirPods Max Pro Studio Edition, now with two Apple Watch crowns“.)

That being said, I am not in the market for AirPods Max. My Bose and AirPods serve me well when on the road and at home I prefer my MMX 300.
I really like my AirPods Pro. The noise cancellation is great for their size, battery is okay, they charge quickly enough in the case and they „just work“. I also like my Bose 700s. Super comfortable for long video conferences as long as you only pair them with one device. With two paired devices things get a little bit strange, anything above two and you are in a world of pain trying to understand the unexpected behavior of three or more Bluetooth devices. Good luck and make sure you have an alcoholic beverage of your choice nearby.

I am still excited to see if Apple managed to build a great headset or if it is just another Bluetooth headset you do not really want to use to listen to music. Comfort features alone will not save the AirPods Max – at this price point it has to deliver a great listening experience being able to match other high end headphones. And depending on how good they are $550 might actually be cheap.

An iPad Pro, a netbook and a webkit bug

posted on Sunday 6th of December 2020

As regular readers know I am working a lot on remote machines. Lately my go-to editor for this is Visual Studio Code. Using code-server allows you to run VSC on a server and access it via browser. Feels like a pretty neat concept accessing a web app via browser with all the Electron based apps companies force us to use these days.

Sadly a bug was introduced in WebKit which shipped with an iPadOS release around 13.x (IIRC 13.4) which messes with scroll events. So you cannot scroll in code-server anymore.

The 12.9“ iPad Pro is technically the perfect device for me to work on a remote server. I have it with me anyway, battery lasts most of the day, LTE is integrated and the Magic Keyboard is great. But not being able to scroll is a bit annoying and I cannot get used to the vim bindings.

Good old Acer Aspire 1410 to the rescue. A smaller screen, the touchpad sucks, the keyboard is far worse, it got an anemic, 11-year-old dual core CPU designed to produce zero heat and deliver no performance paired with 2GB memory. Paired with a five year after market SSD and Debian with the MATE Desktop Environment it is worse than the iPad in every single aspect. Maybe not the desktop environment, I am really fond of Gnome 2 and it is still my favorite one on Linux. But while it is really bad all around, it can scroll in code-server.


Dusting off the Acer, putting in an SSD and seeing if it holds up was a test; while I do not want to work on code outside of my office it does happen once or twice a year. I was playing with the idea of getting a cheap 200€ Chromebook as temporary device for these occasions. (Well, not right now with the pandemic and all, but a good Cyber Monday deal is always appreciated.) But it turns out that the Acer is good enough as thin client for code-server, no need to spend any money or use a Google product.

Technically I could just stop here, but I have to admit the overall experience is not that great – especially the constantly blowing fan trying to keep the netbook cold enough to not get even slower. And while I like code-server, its plugin system and the first class LSP support, I did the only reasonable thing. Configure neovim with 70 LOC and call it a day.


Turns out despite some small annoyances (and the general annoyance of using a horrible Acer notebook) configuring vim and editing some code feels like coming home. It just works. It is fast. It did not change in any significant way since I used it for the first time many, many moons ago. And it never messed up data, unlike VSC / code-server. If you are looking for an SSH / mosh client for iOS / iPadOS I would suggest giving Blinkshell a shot.

All in all, this was a nice experiment and detour to some old hardware that has served me very well throughout the years. The Acer is, as expected, worse in every conceivable aspect than my current day tablet. But if my only requirement would be „I want to be able to use code-server“ it still is the better device than my 2019 iPad Pro. I have to admit this made me chuckle a bit.

Security 101: physical security

posted on Tuesday 24th of November 2020

One of the most overlooked aspects in information security is physical security. There is a wide range of things that can go horribly wrong and lead to a data breach. Some of them sound like a bad joke people make up to negotiate more money in the annual budget planning session. Some of them are things people simply do not think about anymore in 2020. But they all have one thing in common – a fairly good chance to cause problems you want to avoid.

Let us begin with one scenario most people will be able to relate to – a stolen laptop. This happens every day, they get swiped off of the table at a coffee shop or lifted out of an open bag. Thieves can also get fancy and use Bluetooth scanners to find devices left in cars. A data breach originating from a stolen laptop can actually get pretty expensive.

The best stolen laptops story I’ve had to deal with personally happened a few years ago: Someone walked into an office, put some laptops that were lying behind the unmanned reception desk into a trash bag and walked out. Just like that, in broad daylight. Luckily those were all spares and were not provisioned, but counting on luck is most likely a guarantee to end up in court or the Have I Been Pwned database.

However, there are some simple and mostly free things you can do to mitigate some of the risk associated with stolen hardware.

Turn on automatically locking the system after a short period of time. Require a proper pass phrase and / or biometric authentication. Biometric authentication might be a bit questionable depending on the hardware being used, but circumventing it takes time and skill, something people most likely will only invest when it is a targeted attack. It does tremendously improve the user experience and makes adopting shorter timeouts and longer pass phrases easier.

Encrypt the hard drive – Windows and macOS ship one click solutions, Linux users can – as always – pick from many.

Deploy mobile device management. Most MDMs will allow you to remotely wipe a device when you notice it was lost or stolen. If geolocation services are supported you might even be able to locate the device once it connects to a network. I would not bet on being able to recover it, but you never know.

Granted, geolocation services are problematic, especially for mobile devices that might have constant Internet connectivity. As long as your employees have a company owned device with them, you and/or your IT team will be able to locate them whenever you feel like it. This requires proper education of your employees so they know about potentially being tracked. It might also be the reason employees with company issued hardware need longer to respond to emergencies, as they might not be comfortable carrying their device with them all the time. You should also make sure anyone with access to the monitoring software is properly trained and understands the implications (fired before they can even think of an excuse) of abusing it.

Overall, physical security is often ignored due to the misunderstanding of the potential threats. I once talked to a client with blueprints of physical products they manufacture (fully patented!), just lying around for anyone to take a photo of or grab them and run. You could easily access this area from their reception desk. Even demonstrating how fast you can take a photo without anyone noticing could not convince them that potential competitors would buy information like this. While a company focusing on a SaaS product probably has less obviously crucial things just sitting around on desks, there are often laptops, paperwork, external drives, maybe legal documents.

A few months ago I would have taken a bet that you have an office that a significant part of your workforce spends their days in. As soon as this becomes true once again (if it does), you should properly take care of your office security. There are three very obvious (and often not well implemented) steps for a solid baseline.

1) Make sure you got locks and access control. Best case you have some digital locks that keep track of who is entering and leaving the office. This might sound unnecessary, but open door policies are a security nightmare. Remember the laptops in the trash bag I mentioned? Open door policy.

If your locks use RFID or NFC keycards for access control get everyone an RF blocking case for each keycard. Hardware to copy those keycards with a swipe is only slightly more expensive than an RF blocking case.

2) A clean desk policy also reduces the risk of things spontaneously finding a new owner. Access control is all fine and good, but you will have external people walk into your office for legitimate reasons – cleaning, catering, maintenance, just to name a few. Have people take their laptops and paperwork with them or lock them away. It might be a bit inconvenient and require some training and reminders, but having a full desk drawer or desk carried out of the office is far less likely than a laptop.

3) Security cameras are a bit of a misunderstood asset. They will not prevent break ins or theft. They rarely help you identify a thief and the chances of finding one based on footage alone are even lower. So what are they actually good for? Well, cutting insurance cost if you are lucky. Prominently placed they discourage crimes of opportunity. “Oh look! A new MacBook and no one is around! Ohhh, there is a security camera… never mind”.

Exceptionally good physical security is hard. Really hard, really expensive and nearly impossible to get right without professional 3rd party services. Following the advice in this post you will not be guarded against targeted attacks specifically designed to hurt you, professional industry espionage or someone beating one of your employees with a five dollar wrench.

But these are not your most likely risk scenarios. The most common and biggest physical security risks for early stage companies are crimes of opportunity, accidents and carelessness. Getting the basics right is more often than not enough to cover those.

Thoughts on touchscreen Macs

posted on Monday 16th of November 2020

Apple was always pretty clear that they do not work on a touchscreen Mac. They consider Macs a different class of devices and do not see a touchscreen as a valuable asset. Now, with Big Sur being released and the aesthetics being close to what we know from iOS and iPad OS, there was more speculation.

Apple representatives were quick to point out that they did not consider touch input when designing Big Sur. And having used Big Sur for a bit it is pretty obvious that it still would suck for touch input. Funnily the AppStore had an animation up for some time showing a hand interacting with Big Sur. The tweet is „unavailable“ by now, I am not sure why.

I see two options in the long run, both equally likely at this point. (And with long run I would say give it a year or two – basically an eternity when it comes to computers.)

The first option is we will indeed at one point see a touchscreen Mac – and Apple will pretend they just invented a whole new device class. Dell, Lenovo and Razer already ship 2in1’s or laptops with touchscreens and the Surface lineup is gaining more and more fans. There certainly is a market, people are satisfied with the devices and Apple is not ready yet to join the game.

What I actually hope for is option number 2: Apple bringing the full power of macOS to the iPad. Maybe via a docking solution. Run iPad OS while on the road, dock your iPad and switch to macOS. It might cannibalize some of their laptop sales, but I would also throw a lot more money at a device like this than at an iPad. Looking at the size of an iPad Pro 12.9″ and a MacBook Air this should be easily doable with the M1 or its successor.

Either way, I expect Apple to announce something along those lines sometime in the next twelve months. Otherwise competition might actually start gaining a lot more traction as they refine their hardware design and hopefully also operating systems.

Trying to avoid Amazon is an adventure

posted on Friday 13th of November 2020

While I do not see myself cancelling Amazon Prime any time soon, I am actively trying to bring my business somewhere else. Amazon has proven too many times that they are a company I do not want to support. (Especially after their “support” basically left me hanging with a broken screen and the seller ghosting me.) But they got one thing right – letting me buy stuff.

I was looking for some memory to upgrade one of our systems. Nothing fancy, 32GB modules DDR4 registered ECC. Something you would expect to find in most servers these days. Usually I order hardware at Alternate. They ship fast, have okay-ish prices and amazing customer support. Sadly they did not have anything close to what I needed, so I was browsing a few shops I ordered from in the past. I ended up with Mindfactory.

If I had known what a mess this would be, I would have tried my luck with eBay, the experience could not have been worse…

Took me 30 minutes to cancel the order and actually notice that Alternate now got inventory for the memory I want. One day later I receive a package with 6 32GB sticks.

So far, the number of articles I ordered on Amazon.de that were not available after the order was placed? Zero. Problems cancelling an order or modifying an order before it was shipped? Zero. Number of times Amazon told me I do not know what I ordered and refused to sell me the items? Take a guess.

Shopping at a local store usually works well. Ordering something from the manufacturer directly has always been a great experience. Amazon, no matter how much I dislike it, just works – they streamlined the experience so much that it’s nearly impossible to have a bad experience. Everything else is a gamble if the experience is great or a complete disaster.