Stop committing credentials to Github!

I mean it. STOP.

Quick orientation
In case you don’t know, Github is an online and largely open repository of code. Users can store code here for their open source projects, and track all changes to the code over time. Github code repositories usually offer public read access.

I know this is not new news. There have been multiple publicised incidents of Amazon AWS API keys being discovered in Github repositories. So we should have learnt our lesson. And yet, a security researcher told me this week that thousands of live credentials can be found within public Github repositories, if you know where to look. Using basic command line tools, commonly available on Linux/OpenBSD/Unix/MacOS, it is possible to discover live credentials for services like:

  • SMS messaging – with live credit cards attached
  • Password-based VNC connections to Internet-accessible computers. (I kid you not.)
  • AWS API keys. A favourite misuse of such keys is to set up bitcoin mining operations at someone else’s expense. My source tells me of a hefty bill racked up at a UK business, after an employee accidentally uploaded their API keys to Github. That’s a bad day at the office.
  • KeePass files together with the master password. (You’re having a laugh.)
  • Full Netflix account details. (What the…?!)
  • Database connection credentials. That’s a huge problem if the database is so badly configured it’s public-facing.

Mitigation

  • Github has written a very useful article on removing sensitive information from repositories. Read it. (Or, you know, don’t put the sensitive information there in the first place.)
  • Have a look at this git pre-commit hook, which should help protect against this kind of mistake. (Note: read the comments on that gist.)
  • Run the script below against your own repositories (whether on Github or elsewhere) to find passwords in your code. Tweak it to search for other types of sensitive information.
  • If you find any passwords, keys or other credentials in your code, they may already be out in the wild. The safest thing to do is to change them.

Finding passwords in repositories

This shell script, kindly provided by my source, is one way to discover passwords hidden in your git commit history:


git log -p -G'password.*{5,}' | awk 'match($0,
/password.*['\''"\[?&](.*?)['\''"\]=&]/, arr) { print arr[1]}' | grep -v '^\s*$'| sort | uniq -c | sort -n

Step by step explanation:

git log: view the history of code committed
-p: show the differences only (in each new commit)
-G'password.*{5,}': match lines that contain the word “password” with at least 5 characters afterwards
awk: process through awk (the three-argument form of match() used here is a gawk extension, so use gawk if your default awk is mawk or BSD awk)
'match($0,: look for matches in the entire line
/password.*: This is the start of the regular expression; match “password”, with any number of characters afterwards
['\''"\[?&]: the extra apostrophes here are because we’re already using apostrophes in the shell command line; we’re matching against any single quote ('), double quote ("), open square bracket ([), question mark (?) or ampersand (&)
(.*?): a lazy match of any character; this will generally return the passwords we’re looking for
['\''"\]=&]/,: again, the extra apostrophes here are for shell purposes; we’re matching against any single quote ('), double quote ("), closing square bracket (]), equals sign (=) or ampersand (&)
arr): put the matches into “arr”
{ print arr[1]}': give us the first element from the matched line (anything matching afterwards is likely to be spurious)
| grep: pass the result through grep
-v '^\s*$': remove any lines that consist solely of white space
| sort: sort the results (need to do this so that uniq can strip out duplicate matches)
| uniq -c: remove duplicate results and prefix the output with the number of times the result occurred
| sort -n: sort numerically (i.e. according to frequency of occurrence)

Example output follows; you’ll note that not everything returned is a password, but some definitely are:


1 ******************************
1 InsertPasswordHere
1 9^9NhV6JuVGy&VN
1 testpassword
1 text=
2 check_password
2 personspassword
3 goforit
3

4 passw0rd
4 #password-authenticate
6 n.camelCase(b)])):f
6 person_password
8 nB#KR08p

Run this script over your own repositories; you may be surprised at the results. (You can substitute “key”, “secret” or “password” for password, for more hits.) If you find anything, and your repository is hosted openly on Github, you’ll need to take action promptly. Because anyone, repeat anyone can run this script against any open Github repo. If you’re not sure what to do, take another look at Github’s helpful article.
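Here is an added Python version of the same history scan (not the article’s script, nor its source’s), which also looks for “key” and “secret” and drops obvious placeholder values; the diff it runs over by default is constructed sample data, and the file name find_secrets.py is assumed:

```python
"""Scan `git log -p` output for credential-looking assignments (added example).

Usage against a repository:  git log -p | python3 find_secrets.py -
Without the '-' argument it runs over the constructed SAMPLE_DIFF below.
"""
import re
import sys
from collections import Counter

# Keywords to hunt for; the article suggests "password", "key" and "secret".
KEYWORDS = r"password|passwd|pwd|secret|api[_-]?key|token"

# keyword, optional quote, then '=', '=>' or ':', then a quoted or a bare value.
# Bare values stop at whitespace, quotes, '&' and ';' (the delimiters the awk
# version uses), so URL query strings and PHP statements both yield the value.
CREDENTIAL_RE = re.compile(
    r"(?P<kw>" + KEYWORDS + r")"
    r"""["']?\s*(?:=>?|:)\s*"""
    r"""(?:["'](?P<quoted>[^"']{4,})["']|(?P<bare>[^\s"'&;,]{4,}))""",
    re.IGNORECASE,
)

PLACEHOLDER_WORDS = ("changeme", "example", "placeholder", "goes here", "your_")


def is_placeholder(value):
    """True for values that are obviously not real secrets ('********', '<PASSWORD>', ...)."""
    v = value.lower()
    if len(set(v)) == 1:                               # ******** or xxxxxxxx
        return True
    if re.fullmatch(r"[<{\[$%].*[>}\]%]", v):          # <PASSWORD>, ${SECRET}, %PWD%
        return True
    return any(word in v for word in PLACEHOLDER_WORDS)


def changed_lines(diff_text):
    """Yield the content of added and removed lines, skipping the +++/--- file headers."""
    for line in diff_text.splitlines():
        if line.startswith(("+++", "---")):
            continue
        if line and line[0] in "+-":
            yield line[1:]


def find_credentials(diff_text):
    """Count candidate credential values found in the changed lines of a diff."""
    counts = Counter()
    for content in changed_lines(diff_text):
        for match in CREDENTIAL_RE.finditer(content):
            value = match.group("quoted") or match.group("bare")
            if not is_placeholder(value):
                counts[value] += 1
    return counts


def report(counts):
    """Format like `sort | uniq -c | sort -n`: least frequent first, count then value."""
    ordered = sorted(counts.items(), key=lambda item: (item[1], item[0]))
    return [f"{n:7d} {value}" for value, n in ordered]


# Constructed sample of `git log -p` output (not from any real repository).
SAMPLE_DIFF = """\
diff --git a/config.php b/config.php
--- a/config.php
+++ b/config.php
-$pwd = "PASSWORD GOES HERE";
+$pwd = 'nB#KR08p';
 $user = "rundeck";
diff --git a/deploy/settings.json b/deploy/settings.json
--- a/deploy/settings.json
+++ b/deploy/settings.json
+  "db_password": "9^9NhV6JuVGy&VN",
+  "api_key": "example-key-replace-me",
+  "old_password": "********",
diff --git a/notes.txt b/notes.txt
--- a/notes.txt
+++ b/notes.txt
+vnc://10.0.0.5?password=letmein123&view_only=0
+check_password($user, $input)
+export DB_PASSWORD='nB#KR08p'
"""

if __name__ == "__main__":
    diff = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_DIFF
    for line in report(find_credentials(diff)):
        print(line)
```

The same function also works as a pre-commit check if you feed it `git diff --cached` instead of the full history.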

Use CCleaner? Read this.

CCleaner is a popular program for cleaning up computers. Amongst the host of similar programs out there, CCleaner is the only one I’ve used and trusted, for many years. This week, that trust has been undermined fundamentally.

A version of CCleaner was released during August that contained malicious code, presumably without the developers’ knowledge – though it could well have been an inside job. Anyone installing CCleaner during August/early September may have installed the compromised version of CCleaner – version 5.33.

This is serious. CCleaner is powerful software. The injected code would run with at least the same power of CCleaner, which means it could potentially:

  • Watch your browsing activity
  • Capture passwords
  • Steal your files
  • Compromise your online banking credentials
  • Delete arbitrary data
  • Encrypt files

And so on.

You can see if you’re at risk by running CCleaner and checking the version number.

If you have version 5.33 installed, I strongly recommend taking the following steps:

  • Uninstall CCleaner immediately
  • Change all passwords you use with the affected computer – including online passwords, banking passwords, etc.
  • Review bank account and credit card statements for unusual activity

In many cases, you can add an extra layer of protection to your passwords by using “two factor authentication” (Google calls it 2-step verification). When logging into certain services, you will be prompted to enter a code from a text message or app. Even if your password has been compromised, two-factor authentication makes it that bit harder for others to gain access to your accounts.

For more information on two factor authentication (“2FA”):

CNET: Two factor authentication what you need to know
PCMag: Two factor authentication – who has it and how to set it up

For a list of services known to support 2FA:

TwoFactorAuth.org

Cisco’s security research team Talos advises that the ultimate target seems to be prominent tech companies. There’s evidence to suggest that a Chinese group has used this injected malware to launch further targeted attacks on companies like Sony, Intel, Samsung, Microsoft and several others. The most likely objective here is to steal intellectual property.

Should that make us any less concerned? Probably not. Such a serious compromise in a widespread, popular program undermines trust in software supply chains generally. There isn’t an awful lot we can do to defend against this sort of approach, other than to proceed with caution when installing any software. Best to stay away from the latest, bleeding-edge releases, perhaps.

Avast, the popular antivirus manufacturer owns CCleaner. If this can happen to a leading software security company, it can happen to anyone.

Run for the hills!!! 😀

The UK Data Protection Bill arrives

It’s the moment we’ve all been waiting for… The government has now published the Data Protection Bill, which is intended primarily to enshrine the equivalent EU law. This nascent legislation, which confirms the powers of the ICO, covers:

  • EU regulation 2016/679 (the General Data Protection Regulation), which comes into force in the EU on 25 May 2018
  • EU directive 2016/680 (the Law Enforcement Directive), which comes into force in the EU on 6 May 2018

The GDPR runs to 88 pages and the LED 43, so perhaps it’s no great surprise that the Data Protection Bill weighs in at a hefty 218 pages. (Wide margins, so that’s something.) It’s going to take a while to wade through, but what we can say immediately is that it’s every bit as bad as we feared. Certainly the €20m/4% fines have survived the translation into Britlaw.

Unlike GDPR, the DPB has a contents page, which is great. It’ll be that bit easier to look up how much trouble we’re in.

Expect the Bill to come into force largely unchanged, probably by next May and definitely before Brexit.

Integrating OCS Inventory with Rundeck

I’ve been on a DevOps journey for a while now. If you’re in a similar place – am I just a dullard, or is it slow going?!

I work mainly at the Ops side of the equation, in an environment that strongly favours open source solutions. Most recently I’ve been focusing on automating asset management/inventory. For this, OCS Inventory NG fits the bill well. The interface isn’t that slick, and I couldn’t for the life of me get the Active Directory integration working [UPDATE: now working; read this post], but for collecting software and hardware inventory, it’s the bomb.

In a mixed estate (Windows/Linux/Mac), I can use Group Policy, Rudder and Meraki respectively to force the OCS agent onto endpoints. Which means I can just sit back and let my CMDB populate itself. Awesome. (Because who’s got time to keep these things updated themselves, right?)

This inventory automation was a prerequisite for Rundeck. Since you’re here, you probably already know, but just in case you don’t: Rundeck is a fantastic tool for wrapping policies around any task you can dream of. You can use it for centralised job scheduling, you can use it to allow your developers to reboot servers without giving them SSH access, and you have ACLs and a full audit trail for everything.

For Rundeck to be any use, it needs a list of servers to control, which brings me back to OCS Inventory. OCS knows about my servers, so let’s just get Rundeck talking to OCS. Then Rundeck will have an always-up-to-date list of server endpoints, with no human input required. Marvellous.

My weapon of choice here is PHP, because I know it and because all the required components for this script are already installed on the OCS Inventory server. The simple prerequisites:

  1. Ensure all servers are tagged on their way into OCS Inventory. I use the installation switch /TAG="SERVER" with the OCS agent.
  2. On the OCS Inventory server, create a read-only MySQL user for the script. I created the user “rundeck@localhost” (so its purpose was clear) and gave it the minimum permissions – SELECT on the accountinfo and hardware OCS tables.

I created a PHP script in the OCS Inventory web root. For me that’s at /usr/share/ocsinventory-reports/ocsreports. I called the script rundeck-xml.php. And here’s the code:

<?php
// OCS inventory integration into Rundeck.
$host = "127.0.0.1";
$db = "ocsweb";
$user = "rundeck";
$pwd = "PASSWORD GOES HERE";

$link = mysqli_connect($host, $user, $pwd, $db);

if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
}

// Escape a value for use in an XML attribute, so a hostname or OS string
// containing a quote, '<' or '&' cannot break the resource model.
function xml_attr($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_XML1, 'UTF-8');
}

// Select all devices tagged as "SERVER" in the OCS database
$query = "
    SELECT `NAME`, `WORKGROUP`, `OSNAME`, `OSVERSION`, `OSCOMMENTS`, `IPADDR`, `DESCRIPTION`, `ARCH` FROM hardware
    LEFT JOIN accountinfo ON hardware.`ID` = accountinfo.`HARDWARE_ID`
    WHERE accountinfo.`TAG` LIKE '%SERVER%'
    ORDER BY `NAME`
";

if ($result = mysqli_query($link, $query)) {
    // Start XML
    header('Content-type: text/xml');
    echo "<project>\n";

    while ($row = mysqli_fetch_object($result)) {
        echo "    <node name=\"" . xml_attr($row->NAME) . "\" type=\"node\"\n";
        echo "        hostname=\"" . xml_attr($row->NAME . "." . $row->WORKGROUP) . "\"\n";
        echo "        osName=\"" . xml_attr($row->OSNAME) . "\"\n";
        echo "        osVersion=\"" . xml_attr($row->OSVERSION) . "\"\n";
        // Architecture is either in the DESCRIPTION field (for Ubuntu) or ARCH field (for Windows)
        $arch = (isset($row->ARCH) ? $row->ARCH : $row->DESCRIPTION);
        echo "        osArch=\"" . xml_attr($arch) . "\"\n";
        echo "    />\n";
    }
    mysqli_free_result($result);

    echo "</project>\n";
} else {
    // Report a failed query rather than silently returning an empty document
    header('HTTP/1.1 500 Internal Server Error');
    printf("Query failed: %s\n", mysqli_error($link));
}
mysqli_close($link);
?>

Possibly not the most elegant code, but it gets the job done. Further security is left as an exercise for the reader. 😉

Referring to the database and the RESOURCE-XML Rundeck schema, you can extend this script to suit your needs. Add this to your Rundeck project configuration as an external resource model, with the URL of the above script. E.g. http://ocsserver.domain.com/ocsreports/rundeck-xml.php. All being well, every server from OCS Inventory will now appear as a node in Rundeck.

GDPR: what is a small UK business to do?

Although it’s nearly upon us, it seems like many businesses remain unaware of the impending data protection doom of the General Data Protection Regulation. Small businesses in particular. It’s easy to think that (a) there’s no way you’d have time to prepare your business and (b) it won’t apply to you in any event.

The trouble is, that’s a risky position to take. When it comes into force on 25 May 2018, GDPR will usher in fines of up to €20m (and beyond). On top of that, consumers will be increasingly ready and willing to sue companies over data protection issues. Every business needs to take GDPR seriously, then.

Under the current regime, governed by the Data Protection Act, the maximum fine for a data breach is £500k. Under GDPR, at present Euro exchange rates, it’s 34 times that amount. Our data protection enforcement body, the Information Commissioner’s Office (ICO), is about to have a major weapons upgrade.

In June 2017, the ICO fined Morrisons £10,500 for a marketing faux pas. In July, the company under the cosh was MoneySuperMarket and the fine, £80,000. Scaling those fines up 34 times and you’re looking at £357k and £2.7m respectively.

Now it might not work that way in practice, but we’re still looking at huge potential exposure – the kind of exposure that could put a company out of business. Realistically a smaller company is likely to face a smaller fine (smaller customer databases, smaller likely impact from any breach). But also, a smaller company, with fewer resources to apply to security and cyber risk insurance, is more likely to fall foul of the regulations and be fined. Again and again and again.

Does this sound alarmist? Possibly. It all comes down to risk really. If you’re happy to play fast and loose with your customers’ data in full knowledge of the consequences, read no further. But if all this is giving you pause for thought, stick with me.

But Brexit?

Sorry; we’ll be following GDPR regardless of Brexit.

250 is the magic number

The regulations impose differing obligations on companies, depending on number of employees. The legislation will be less onerous for companies with fewer than 250 members of staff. But still onerous.

If you’re under the 250 mark, but you process or store much personal data (customers, suppliers, employees), GDPR will apply to you in full. So if you’re running a greengrocer’s you’re probably okay. If you’re running a small accountancy firm, well you’ve got a lot of work to do. And we can’t afford to ignore this, right?

New stuff

We’re already covered by the Data Protection Act in the UK. GDPR significantly enhances personal data protection and privacy by imposing:

  • Significant changes when it comes to consent. You may not market to anyone who has not consented. And consent has to consist of an act on the part of the person. Pre-ticking consent boxes on website won’t fly any more.
  • Clarity and ease. It must be easy for consumers to understand what it is they’re consenting to, and easy for them to withdraw consent. Consent must be defined by channel (e.g. email/telephone/SMS) and duration (how long the consent will last).
  • Data portability. If someone asks for a copy of the data you hold on them, you must supply it within 30 days, in a common electronic format (Word document, Excel spreadsheet, PDF file, etc.).
  • Accuracy. You are obliged to correct any incorrect data – including, if you’ve shared that data with a third party, making them correct it too.
  • A right to be forgotten. If someone asks you to remove their data, and you have no other legitimate reason to keep it, you have to remove it.
  • Mandatory data breach processes. If you become aware of a breach that affects personal privacy, you will need to tell the ICO within 72 hours of discovering the breach. This essentially means you need a bullet-proof data breach policy in place.
  • Privacy by design. If you’re designing a new system or business process, you must consider privacy at the outset (and you must document the fact).
  • Data Protection Impact Assessments. If a piece of work is likely to represent a high risk when it comes to personal data, you must conduct a DPIA. The GDPR does not specify the detailed process, but it’s essentially based on risk analysis. If after your analysis, you conclude there is a high risk to privacy, you must consult the ICO before commencing work.
  • Data Protection Officer. If your business is over the 250 mark, or under it and you process personal data, you must appoint a Data Protection Officer. And that DPO needs to have some idea of the responsibilities of the role. Reading this blog post should help!
  • A broad definition of “personal data”. This now includes IP addresses, for example. It’s essentially any data that identifies a person or that could be used with other data to identify a person.
  • Security. The legislation requires you to take reasonable steps to protect personal data. Think encryption, robust passwords for access, principle of least privilege, need to know, etc.

What do I need to do?

If you’re reading all this for the first time, you’ve probably already started to identify areas of your business that you’ll need to review. Here’s a general plan of attack that I would recommend:

  1. Appoint a Data Protection Officer.
  2. Review all your data, thoroughly. If you have more than one employee, you’ll probably need to involve others in this process. If you don’t know where your data is or what data you’re holding, you will be oblivious to your compliance obligations. And obliviousness is no defence I’m afraid, when it comes to penalties.
  3. If you undertake any marketing activity at all, use the remaining time you have between now and May to seek consent from your existing customer base. If you don’t have their consent post-May 2018, and you market to them, you’re liable to be fined and/or sued.
    For companies with large marketing operations, this will be quite a sizeable undertaking. Make sure when you’re collecting consent, you note when consent was granted, which channels it covers and how long it will last. In future, you’ll need a process to renew consent before expiry, or to expunge expired data.
  4. Ensure that in any automated process you use to collect consent, you don’t use pre-ticked boxes or similar. Also, don’t do this anymore: “If you don’t reply to this email, we’ll assume you want to hear from us…”
  5. Update any privacy notices, particularly taking account of the obligation to be clear. Pretend you’re writing it to be read by a 12 year old.
  6. Put in place processes to amend or delete data when required to do so.
  7. Develop a process to provide a copy of all data to a consumer, when asked.
  8. If there’s a chance you will process the data of anyone under the age of 13, you’ll need a process for obtaining parental consent.
  9. Write a data breach response plan. This doesn’t need to be a 100 page document. Just simple steps to follow in case of a breach – which include notifying the ICO and the affected consumers as appropriate.
  10. If in doubt, seek professional help.

Disclaimer

I’m writing this as a Certified Information Systems Security Practitioner and a non-practising solicitor. These guidelines do not constitute legal advice, but I hope they will point you in the right direction. The truth is that these regulations aren’t in force yet, so nobody really knows quite what impact they will have on the data protection landscape. It will be a big shake-up though, that’s for sure.

Featured photo used with permission.

How-to: ODBC connection to DB2 instance (e.g. Mitel CSM)

I’m sure this is a very niche article. Which means if you’ve arrived here, you’ve almost certainly been as frustrated as I have with the documentation for DB2 ODBC connections.

Background: I’m trying to connect to a DB2 instance, running on a Windows machine. I imagine that this procedure will work just as well for instances running on other architectures. And I’m trying to connect from another Windows machine, to pass data into a Microsoft SQL-powered data warehouse.

You will need the “IBM Data Server Driver for ODBC and CLI (Windows/x86-32 32 bit) V10.5 Fix Pack 8”. If the link doesn’t work any more, go to IBM Fix Central and search for “Windows Data Server Driver ODBC 10.5”. Possibly other versions will work, but this is the one I found most reliable.

The process is as follows:

  1. Copy the entire extracted folder to the root of a data drive (e.g. to D:\DB2, E:\DB2 as the case may be).
  2. Add the bin folder to the computer’s PATH environment variable (DB2\clidriver\bin).
  3. Launch an elevated command prompt.
  4. Navigate to the DB2 bin folder. E.g.:
    e:
    cd e:\DB2\clidriver\bin
  5. Install the ODBC driver:
    db2oreg1.exe -i
  6. On Windows Server 2012 R2, also run:
    db2oreg1 -setup
  7. The driver will now appear in the 32-bit ODBC driver list:

To connect:

  1. Launch the 32-bit ODBC data source administration applet.
  2. On the User DSN or System DSN tab, click Add.
  3. Select the ODBC driver and click Finish.
  4. Name the data source (e.g. “CSM”, in my case) and then click “Add”, next to the Database alias dropdown.
  5. Enter User ID and password.
  6. Check the “Save password” box. Note the warning and click OK.
  7. Switch to the Advanced Settings tab.
  8. Use the “Add” button, to enter the following values.
    Hostname: [host DNS name or IP address]
    Port:     50000
    Protocol: TCP/IP
    Database: [DB name, e.g. CTI_DATA]
  9. Review the settings and click OK:
  10. To test the connection, first click the “Configure” button.
  11. The credentials are stored in the ini file, so you do not need to enter them here. Simply click “Connect”.
  12. You should see a success message.

If you’re looking for a free, Windows-based ODBC interrogation program, there are a few out there. All the ones I tried had quirks in their interfaces. I’ve had most success with ODBC query tool though, running it under Windows 10.

If that doesn’t work for you, you can try the almost identically named ODBC QueryTool.

CodeIgniter 3: connecting to MS SQL from Linux

Connecting to Windows/Microsoft SQL from Linux/CodeIgniter remains challenging. As PHP progresses, various old methods of connecting to MS SQL are being deprecated in favour of (e.g.) PDO. Unfortunately, reliable MS SQL server PDO drivers are hard to come by under Linux.

As I’ve written previously, the most successful method I’ve found of connecting from CodeIgniter to MS SQL is using a combination of unixODBC and FreeTDS. So here’s an updated guide for CodeIgniter 3 on Ubuntu 14/PHP 5 or Ubuntu 16/PHP 7.

On the server where your web application runs, install the following packages: unixodbc freetds freetds-dev tdsodbc php5-odbc. For Ubuntu 14:

apt-get install unixodbc freetds freetds-dev tdsodbc php5-odbc

For Ubuntu 16:

apt-get install unixodbc freetds-common freetds-dev tdsodbc php7.0-odbc

Restart Apache:

service apache2 restart

Add the details of your MS SQL server to the FreeTDS config file (at /etc/freetds/freetds.conf), e.g.:

[my-server]
host = my-server.domain.local
port = 1433
tds version = 7.4

Note that the TDS version shown above is for SQL Server 2012 (version 11). For more information about the TDS protocol version numbers (which don’t follow the Microsoft SQL version numbers), read the official documentation.

Add to /etc/odbcinst.ini (you may need to check the precise location of these .so files):

[TDS]
Driver = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so
Description = FreeTDS driver
Setup = /usr/lib/x86_64-linux-gnu/odbc/libtdsS.so

Add details of your MS SQL server to /etc/odbc.ini:

[my-server]
Driver = TDS
Description = My Server
ServerName = my-server
Database = MyDatabase

The ServerName above corresponds to the name of your server in the FreeTDS configuration file. In the CodeIgniter database configuration file, add something like this:

$db['mssql'] = array(
    'dsn' => '',
    // CodeIgniter's ODBC driver uses 'hostname' as the DSN when 'dsn' is empty,
    // so the ODBC connection string (DSN name plus credentials) goes here
    'hostname' => 'dsn=my-server;uid=myusername;pwd=mypassword',
    'username' => '',
    'password' => '',
    'database' => 'MyDatabase',
    'dbdriver' => 'odbc',
    'dbprefix' => '',
    'pconnect' => FALSE,
    'db_debug' => (ENVIRONMENT !== 'production'),
    'cache_on' => FALSE,
    'cachedir' => '',
    'char_set' => 'utf8',
    'dbcollat' => 'utf8_general_ci',
    'swap_pre' => '',
    'encrypt' => FALSE,
    'compress' => FALSE,
    'stricton' => FALSE,
    'failover' => array(),
    'save_queries' => TRUE
);

Then your models should begin something like this:

class WidgetModel extends CI_Model
{
    public function __construct()
    {
        parent::__construct();
        // Load the MS SQL connection defined as 'mssql' in the database config,
        // returned as a separate object rather than replacing $this->db
        $this->widgetdb = $this->load->database('mssql', true);
    }
}

You can get some strange results using this driver. Mainly you’ll have to resort to explicit SQL queries. And certain things won’t work as expected – e.g. using “AS” to rename columns only works on calculated columns.

News: Samsung Galaxy S5 and S6 – IPsec Service consuming device space

I’m a fairly heavy user of apps on my mobile devices. I periodically review them, but it’s quite rare I discover an app that I can happily uninstall and live without. It’s not uncommon for me to have over a hundred apps installed, only one of which is a game. And I’m sure I’m not alone in this. It tells us, doesn’t it, what an invaluable tool the smart phone has become for life, work and play.

So initially when my phone (a Samsung Galaxy S5) told me I was running out of space, I wasn’t all that surprised. Time to review my app usage. Time to move some apps from device storage to SD. Time to clear out some on-device photos and videos. Which I duly did.

And then a few days later – running out of space again. Curious.

I chased it down to the IPsec service. Each time I freed up a bit more space, according to the app manager, IPsec Service expanded to fill the void. At the time of writing, it’s now consuming a wholly excessive 1.64GB – but as I’ve read around about this problem I see reports from Galaxy S6 users who have lost over 4GB to this service’s insatiable appetite. On a clean install by the way, it’s taking up 388KB.

IPsec service run amok

As best we can tell, it’s due to some kind of memory leak in the IPsec service. This afflicts Android 5.0 – and as luck would have it, a few weeks ago I finally relented and upgraded my S5 to Lollipop. And it will be some time before the fix, in 5.1.1, is rolled out by my carrier – that’s if they ever do get round to it. The S5 is so last year, darling.

So what’s the workaround? Well, I wish I could give you good news. I’ve come up with nothing. This has taken me to the point of saying the heck with the warranty, I’m going to root it and flash a different ROM. What with this and the recent StageFright scare, it almost makes me want to move over to the Dark Side and buy an iPhone. Almost!

If you’ve found a more satisfactory solution, do let us know in the comments. Meanwhile, I’ll be getting to grips with CF-Auto-Root and finally releasing my handset from the whims of manufacturers and carriers. Wish me luck!

Review: Aplus GV18 smart watch

Like many tech enthusiasts, Dummy and I have been keeping an eye on the smart watch market for a while. As you will probably know, there are a few large companies (with the Chinese snapping at their heels) searching for the holy grail of wearables: a beautiful wristpiece that is elegant, convenient, clever and durable. To achieve widespread adoption, it also needs to be affordable. Ah yes, there’s the rub.

I recently stumbled across a smart watch, sometimes called “Aplus”, sometimes “GV18”. It’s fresh out of China. And it bears more than a passing resemblance to the Apple Watch. And it’s a tenth the price. We bought it for £32.98, but we’ve since seen it for under thirty quid. Worth a look then.

First impressions:


  • The watch doesn’t look quite as nice as the computer-generated photos on websites, but it’s still reasonably attractive, as smart watches go.
  • It’s big (13mm deep) and stands quite proud of the wrist.
  • The case has a captive screw on the back, which stands out by about 1.5mm. Not a huge problem, but it seems like a strange design choice because the screw is for looks only. The case pops off easily (too easily) and the hole the screw sits in is considerably larger than the diameter of the screw. So it turns freely.
  • The manual is poorly translated.
  • The watch comes with a screen protector pre-installed, which suggests the glass underneath will not be scratch-resistant.
  • The rubber strap is very comfortable.
  • Horribly irritating (loud) jingle when you first switch it on.

Timepiece

For me, the problem with most smart watches is the watch part. Sounds obvious doesn’t it. Really, what is the point of a watch that isn’t a very good watch? If I turn my wrist to check the time, but before I can see the time I have to press a button, that’s a retrograde step. That’s worse than analogue. And so it is with this watch. It’s an LCD display, not e-ink, and to keep the display lit permanently would be a huge battery drain. So you have to press the side button, to check the time.

Once you’ve done that, it’s not too bad. There’s a choice of three watch faces. One of these faces has a full dial of Roman numerals and is designed sympathetically with the rectangular case. I think it works. Of the other two, one is clumsy and the other is weird.


Interface

Oh dear it’s awful. To be honest, I think they probably all are, from all manufacturers. Anything that can’t be done with a press or a flick is a pain in the neck. Unless your fingers are like matchsticks, it’s hard to type letters with a high degree of accuracy on the software keyboard. It’s a little better with numbers, but still vaguely reminiscent of those calculator watches from the eighties. Is this really all the progress we’ve made in 30 years?


Apps

As far as I can tell, this is running a bespoke version of Android. There’s no app store, no access to Google Play. There are some bundled apps, but most of them are useless and half of them only work if you have inserted a SIM card. That alone is odd. The watch is designed to be paired with a smart phone. Why would you give it its own SIM card?

I wish I could tell you more about the apps, but most of them made no sense. The only real exceptions were the calculator and the camera. But both of those were such a fiddle to use, you’d be much more likely to reach for your phone. It has a pedometer, but it just doesn’t work.

Sync software

For the watch to talk to the phone, you have to install an app. The app is not the best. There are few settings. You can choose to ignore notifications from certain apps, but it’s a slow and laborious process choosing which apps you do and don’t want to hear from.

BT Notification

(Sorry about the poor screen grab by the way.)

If Bluetooth is switched off when you launch the notification app, you are greeted with the following informative message. Informative that is, if you can read Chinese.

Aplus Bluetooth notification

I deduced this meant you need Bluetooth to be switched on… With Bluetooth switched on, the app needs to be running in order for the watch to receive notifications. The app seems to die all on its own, without warning, and the only way you’ll know that is if notifications stop arriving on the watch.

Specifications

Headline specs when compared to the similar size 42mm Apple Watch

Spec | Aplus GV18 | Apple Watch 42mm
Screen | 1.54″ capacitive | 1.54″ capacitive
Battery | 450mAh replaceable (though the battery in our unit was labelled 550mAh) | 246mAh non-replaceable
Claimed battery life (talk time) | 72 hours | 3 hours
Thickness | 12.3mm | 12.6mm
Bluetooth | 3.0 | 4.0 Low Energy
Processor | 533MHz MTK6260A | Apple S1
Storage | 128M | 8GB
MicroSD/TF slot | Yes, 32GB max | No
Pixels | 240×240 | 390×312
Sensors | accelerometer | accelerometer, heart rate
GPS | No | Yes
Phone | GSM/GPRS 850/900/1800/1900 (SIM slot) | Yes
Charging | Cable | Inductive
Weight | 50g | 51g
Camera | Yes, 1.3MP | No
NFC | Yes, built into strap | Yes
USB port | Micro USB | No

Flaws

There are many.

  1. Convenience. Above all else, a watch should be two things: convenient and attractive. This is not convenient. If I glance at my wrist to see the time, I’m met with a blank screen. No “shake to wake”. You have to fumble for the button, which if like me you wear your watch on your left wrist, is quite awkward to reach.
  2. Volume control. There is no obvious volume control for notifications.
  3. Bluetooth music. You can stream music to your watch via Bluetooth. And listen to it on your watch’s tiny speaker. Which is probably inferior to the speaker in your phone. Which you’re streaming from (and which has to be within 10 metres, due to the limitations of Bluetooth). There’s no headphone socket. So what’s the point?
  4. Time synchronisation. When the watch first connects to the phone, it asks if you want to sync the time. Since I live in the UK, my phone is set to GMT with daylight saving time. On syncing with the phone, even though the watch is set to the same time zone it changes itself to Amsterdam and puts the clock out by an hour.
  5. Notifications. The pop up notifications are almost useless. They tell you for example that you’ve received an email, but there’s no way on the watch of seeing that email or even any context from the email. So you have to check your phone. So you may as well just check your phone, right?
  6. Notifications again. There’s an option to switch off the notification tone. It doesn’t work. So, like it or not, if you have pop up notifications, you’re also going to have an annoying beep. And there’s no way of changing that beep. Which brings me to my next point.
  7. Customisation. You can’t customise this watch – which is a huge loss. There are three watch faces (and two of them don’t suck too badly), but that’s all. You cannot add more. There are three themes for the menu/app system. Two of them are horrendous. The third is tolerable. You cannot add more. Oh, and apps? That deserves a bullet point of its own.
  8. Apps. As I mentioned before, other than the few bundled with the watch, there aren’t any. There’s no equivalent of the iTunes or Google Play app stores. So you’re stuck with these apps.
  9. Interface. You need fairly slender fingers to operate it – especially the software keyboard. Very hard to hit the right letter. And since there’s no voice control (see next bullet point), you’re stuck with touch/swipes.
  10. Voice control. There isn’t any. And this is, we think, going to be crucial in this technology market. Watch faces will always be smaller than phone screens. It’s essential that you have a usable and convenient way of controlling them. That means you need either an external interface (keyboard? your phone?), which sort of defeats the point, or voice activation. Or maybe, fast forward 20 years, a neural interface. This watch has neither, by the way.
  11. Style. In our opinion, the Moto 360 and the LG Watch Urbane are possibly the only smart watches right now that aren’t ugly. People will accept a certain level of aesthetic compromise in exchange for features (e.g. the massive “brick” phones of yesteryear), but not much. And with the 360 and Urbane on the market, all other smart watch manufacturers need to think long and hard about style.
  12. Reliability. Bluetooth keeps disconnecting and reconnecting – even when the phone and watch remain next to each other. Is this the phone’s fault? The watch’s? Who knows. But every time they reconnect, the watch prompts you whether or not you want to sync time (you don’t, see above!) and then spits out all the notifications currently unviewed on the phone. Which are then a bit of a pain to acknowledge/delete.
  13. Visibility. It’s really difficult to read the screen when outdoors. And when in strong sunlight, there’s no chance. There’s no brightness control, so there’s nothing you can do about this, other than shade the screen with your hand. And squint.
  14. Build quality. The back is not secured well (because the case screw does nothing, see above). It doesn’t seem to fit well on the back of the watch. It wouldn’t drop off while wearing the watch, but may at other times.

Strengths

  1. Style. Although it’s no Moto 360, it’s not as bad as some other watches available now. The brushed steel is nice.
  2. Comfort. The rubber strap is surprisingly comfortable. It’s a little on the heavy/chunky side, but you get used to it.
  3. Battery life. It lasted five days before needing a charge. How much this was to do with the fact it was essentially useless, I’m not sure (!) but it still knocks the spots off the Apple Watch in this particular department.

Conclusion

We have to give this watch some credit. For the price, it’s actually pretty incredible. It’s far less ugly than some of the competition and it does have a lot of functionality, even if it’s not especially well executed. We couldn’t help but think that in a world without smart phones, it would even be considered quite good. You could in theory load it up with a SIM card and use it as a watch, phone, calculator, contacts organiser and so on, without needing any other device. But this is a world with smart phones and when you compare it to any smart phone currently on the market, even the worst ones, this watch doesn’t compete at all well. And neither does it complement a phone, bringing no particular tricks to the party.

It was a bit of a conversation starter, while I wore it. A novelty. And if you don’t mind paying a little for a novelty item that you’ll quickly find tiresome, then by all means go ahead. But we couldn’t recommend it. We can’t even recommend the Apple Watch, and if Apple can’t get it right, who can?

Geek rating
Ease of use (1): Fiddly, fussy, idiosyncratic.
Features (1): Lacking many essentials for a usable smart watch.
Value for money (1.5): Very cheap, given the (few) things it can do, but still not remotely worth buying.
Build Quality (2): Mixed. Some good bits, some bad bits.
Summary: Don’t buy it, we beg you.

Review: 3-in-1 smartphone camera lens kit for Android, iPhone, iPad, etc.

I own a Canon EOS 60D, which I bought second hand a couple of years ago. It’s a cracking camera and it was an absolute steal on the second hand market. But it’s not very portable. Not when you take into account the other things I stuff into my camera bag: my three main lenses, the filters, the remote shutter release, the lens hoods and so on.

Of course these days, many people carry a half-decent camera with them at all times, in their phones. These cameras aren’t very versatile, but they’re convenient because they’re almost always at hand. And because of this, there’s a healthy phone camera mod market. One of the leaders in this field is the Olloclip.

Olloclips are great. The trouble is, each Olloclip is designed for a particular phone (or small family of phones). So it’s not really transferable. And with prices in the order of £60, you can buy a pretty competent compact point-and-shoot for not much more than that. It’s clever, good quality, but not exactly a bargain. Not like today’s review kit at least.

This 3-in-1 camera kit, like many other Chinese gadgets, can be found for sale on a few shopping sites, under various different “brand names”. Our example was sold as a “Yarrashop”, but we suspect that’s just the current trade name of this particular seller. The kit arrived in an anonymous box, with no manufacturer claiming responsibility. And we think that’s a shame, because as we reckon you’ll agree, it’s rather extraordinary.

In the box, there are three lenses, a bag and a clip. The bag doubles as a lens cleaning cloth. The clip, with rubber pads, enables you to attach the lenses to virtually any mobile phone or tablet.

One of the lenses is a fisheye lens. The other two can be used in combination, to form a wide angle lens, or you can use the smaller component on its own as a macro lens. The lenses and the clip are all sturdy metal, with a solid feel. They can be purchased in different colours, but we went for silver, which we think suits this kind of equipment.

The clip attaches securely on the phone or tablet. You do have to position it carefully – this is hardest with the fisheye lens; with the other two, you can see the phone’s camera lens underneath – but once it’s situated, taking photographs is no harder than usual.

With the fisheye lens, the photograph appears as though within a circle cut out from black card, so the photo would need cropping afterwards. The wide angle lens – I’m not sure there’s that much use for it; there’s some barrel distortion at the edges and in any event, most smart phones can stitch shots together into a panorama, which would be far superior. The macro lens, well that’s a cracker. You have to be very close to the subject, so you’d be unlikely to be able to use this on nervous insects. And you probably don’t have a tripod for your phone, so you need a reasonably steady hand. But in spite of all that, the effect of the lens is impressive.

Here are some example shots, taken with the lens attached to a Samsung Galaxy S5. Click through for the full resolution images.

As long as you don’t compare this with DSLR quality, this is not bad at all, right? But then we get to the punchline. These lenses, clip included, will set you back less than £7. That’s unbelievable. Seven quid. No matter who I’ve shown this to, when I’ve told them the price they have been incredulous. I still can’t believe it, to be honest. But the truth is shown in my Amazon orders history and on my bank statement.

Under close inspection, there is some loss of clarity and marginally less light hitting the sensor. But if you’re starting out with a very good phone camera, this slight degradation is we think more than acceptable, especially given the increased versatility. A few shots more:

You’d think there has to be a catch, wouldn’t you. It’s hard to find one actually. Separating the wide angle lens from the macro lens is a bit fiddly – and counter-intuitive too, because it’s reverse-threaded. But not too difficult. And it would be nice to have a case for the lenses – the bag doesn’t do much to protect them. But given the price, we’re really splitting hairs. I dug out an old cufflink case and that was perfect for the job.

I’d say to anyone who takes the slightest interest in phone-based photography – get this kit. You won’t regret it. It’s an absolute bargain, well made and practical. At this price, what do you have to lose?

Geek rating
Ease of use (4.5): Very slightly fiddly. But otherwise extremely simple.
Features (4.5): The kit lacks only a case.
Value for money (5): Phenomenal value for money at this price.
Build Quality (3.5): Well made. I wouldn’t be surprised if the odd unit has burrs on the thread or seams, but I saw no evidence of that here. Not the best optics, unsurprisingly.
Summary: All in all, an outstanding kit. Great as a gift, stocking filler, whatever. Or treat yourself, without really any feeling of guilt. You’d spend more on a couple of pints of beer and you know what happens to that. ;-)