Wednesday, October 14, 2020

Samsung T7 Touch 1TB External SSD Drive security mode's security is questionable

 I just purchased a 1TB Samsung T7 Touch External SSD Drive. Main reasons were:

  1. Its hardware based AES-256 encryption capability.
  2. Its USB 3.2 connectivity and claimed max read/write throughput of about 1 GB/s
  3. Its looks
Regarding point 1, the Windows software version that comes with the drive and enables its security mode is buggy. It cannot self-update to the latest version, or tell you if there is one (although it supposedly supports self-update) and although it does work, the drive would freeze, and with it the whole explorer.exe process, after a few hours of continuous use, e.g. while copying over many gigabytes, or having Google Backup and Sync sync those many gigs to Google Drive.

Obviously, like this, the drive would be useless for power users while its coveted security mode is on. Thankfully, the latest software version, which you have to seek out, locate, download and install yourself, does fix the problem; once installed it downloads and installs the latest firmware to the drive which makes the drive work as expected, i.e. it is stable in long term use while security mode is on.

The implementation of its security mode, however, does leave a few serious doubts to those who are security conscious and technically akin to cybersecurity. When I  switched from security to non-security mode and after I disconnected and reconnected the drive I noticed that my files, previously copied over with security mode on, were still accessible as normal. So, how were they encrypted then? Security mode was off and I was never asked for a password when I reconnected the drive, so... This implies the following grim fact: The AES-256 symmetric encryption key is always the same, but probably unique per drive, and potentially known/recorded by Samsung. The are some subcases here - some grimmer than other:

  1. The AES-256 key is hardcoded and therefore potentially fairly easily accessible via hardware/physical attack by a person with some electronics expertise. This would mean that turning on the security mode and supplying a password merely saves your password in a non volatile register (maybe hashed or maybe even in plaintext, though the latter would be unthinkable for a company like Samsung - more to be expected by Chinese companies of the worse kind), the host software compares the password you supply, on each drive connection event, to the one in the register and then either allows files to be decoded by the hardcoded key and appear as available or not. Security-wise, this is a pretty bad predicament.
  2. The AES-256 key is recorded in a non-volatile register, initially in plaintext, but once security mode is turned on, it is encrypted, using an undocumented algorithm, with the user password as key or part of the key, and then re-recorded in the same non-volatile register in encrypted form. When security mode is turned off it is re-recorded in its plaintext form and I remember that the software does ask you for your password when you turn off security mode. This is better but does not change the sobering facts that:
    1. Samsung potentially knows and records the AES-256 key for each drive it puts out in the market.
    2. We do not know how good the key encryption algorithm and overall implementation of the encryption/decryption process is.
Considering the points above, using password only (instead of password & fingerprint) as a more secure option may not be worth not taking advantage of the convenience of the fingerprint unlock feature although if implementation of point 2.2 is good, living with the fact that Samsung may have to disclose your drive's key if you are involved in a major FBI international investigation is not as bad as knowing that some fingerprint sensor fidgeting may unlock your drive.

Regarding point 2, a host computer with a USB 3.0 bus will only give you half the maximum read/write speed of the drive (around 400/500 MB/s); to get close to the maximum speed of 1GB/s you would need a host computer with a USB 3.2 bus.

Regarding point 3, the drive's looks are obviously great.


Finally, here is a tip from Samsung itself on how to improve the drive's performance on Windows hosts.




Wednesday, July 22, 2020

Office Add-In Caching is Problematic

Caching for Javascript based web add-ins for Microsoft Office is super problematic. Hard to make it let go of certain files and use new versions of them. Microsoft gives some instructions on how to clear the add-in cache here but it still won't work sometimes.

Especially problematic files are "FunctionFile.html" and "FunctionFile.js" if the Visual Studio naming convention is to be followed (i.e. how Visual Studio names these files in an auto-generated web add-in project). These files are not downloaded in the task pane's browser instance and therefore caching of them does not follow the same rules; they are extremely sticky and development can get pretty frustrating.

Only way I have found to deal with the problem is rename them in a versioning way whenever I effect changes on the files and want to see the results immediately. Specifically, assuming that the "Home.html" and "FunctionFile.html" naming convention is being used:
  1. In the add-in manifest rename "FunctionFile.html" and "Home.html" to "FunctionFile2.html" and "Home2.html", increasing that version number every time you need to refresh the cache.
  2. In "FunctionFile2.html" rename all instances of "FunctionFile.js" to "FunctionFile2.js"
  3. In "Home2.html" rename all instances of "Home.js" to "Home2.js"
  4. Rebuild & republish the solution if you're using the VS based automated process, or upload the changed files to the add-in backend if you're doing it manually.
  5. Go and manually (e.g. over ssh/sftp or in file explorer if doing it locally) rename the .js files to their new versioned names.
  6. Sideload the published xml manifest of the add-in to your Office app and take pleasure in the fact that your changes finally reflect immediately.
Microsoft has produced irritatingly problematic technologies before but I'm having difficulty remembering something as persistently problematic and as irritating as this. They keep throwing their dirty laundry at the developer.

Thursday, June 18, 2020

How to recover your Amazon account

Case 1: You are being asked to enter an OTP sent to your phone, although you don't have two step/factor authentication/verification, and you have lost access to your phone number or can't receive messages or voice calls where you are, e.g. extraordinary authentication that may occur when you are travelling to other countries where your phone is not working.

Solution: Solution assumes you still have access to the email address associated with your Amazon account. Go here and enter your email address. It will ask you to enter an OTP code that will be sent to your email. Check your email, get the code and enter it; you will then be given the opportunity to change your password AND if needed also the phone number (e.g. new local SIM card or other phone number that does work) associated with your Amazon account.

Case 2: You can still log in to your account but your account has been locked because Amazon thinks you may not be the actual owner of the account.

Solution: Go here and follow the instructions.

Thursday, May 28, 2020

ExecuteFunction won't work with non-button controls in Office Web Add-in manifests

Although  explicitly stated in official Microsoft Office web add-in docs that a function in FunctionFile.js may be called by both a button and a menu item control, it turns out that, at least with the latest Chrome based version of the Edge web control implementing the task pane, only button controls are actually able to invoke functions using the ExecuteFunction add-in manifest clause.

Saturday, April 11, 2020

Switch cameras while recording video on Android

Android, as of this post in April 2020, does not natively support flipping camera from back to front while recording a video. Some chat apps can do it though - Instagram and Snapchat for instance certainly WhatsApp and Skype during video calls. So, how do they do it?

Apparently they do it by screen grabbing a video preview they create in memory - the preview is much like what you see on your screen (minus the overlaid camera controls) when previewing and switching cams on your Android's native camera app. So they take that preview and either record it locally or transmit it to wherever the video is going online, e.g. an Instagram post or the person you are video chatting with.

But what if you want to do just that, i.e. create your own video while switching between cams on both sides of your phone, without being confined by the intricacies and limiting use cases of each of the aforementioned apps?

Well, all you have to do is kinda emulate what these apps do. A way to easily do that is:

  1. Get a good screen recorder Android app (it records a video of your phone screen being used). There's plenty of those on Play Store.
  2. Get an alternative Android cam app that allows all camera controls to be hidden. One good such app is "Open Camera" which is also available on the Play Store. Just use it's "Immersive Mode" to have the controls disappear after a couple of seconds of not using them.
Have fun!