Wednesday, May 3, 2017

A Plea to Web Developers

There’s a growing trend on web sites that require a login, and it is getting annoying.  And I can’t see any real upside to the decisions that web site designers and developers are making.
What I’m referring to is sites that attempt to disable password managers.  They’ll use all kinds of tricks, ranging from a simple 'autocomplete="off"' to JavaScript that clears the form, to building form elements dynamically so they aren’t picked up by browsers or password managers, among others.

I believe that they are thinking that this increases a site’s security by preventing unauthorized logins.  You know, someone other than the authorized user logging into the site, being able to do so because the password is automatically filled in.  While that makes sense, the bigger issue is that they are actually reducing the site’s security with this behavior.

Why do I say that?  Because it forces people to use really, really bad passwords.

In today’s world, there is basically no such thing as a “good” password generated by a human.  People notoriously pick passwords that are way, way too easy to crack.  Even when we think we are being clever, some hacker somewhere has already been just as clever and coded the method that we think is unique into a password cracking library.  Basically every method you’ve come up with for creating a password, a hacker has already done it.

So the only good passwords are those that are generated completely randomly, using what we call a cryptographically secure pseudo-random number generator (CSPRNG).  Only passwords created by a CSPRNG can be considered secure enough to thwart hacking.  They should also be long – 12 characters at an absolute minimum.  These passwords are virtually impossible to remember, especially considering that every web site we visit should have its own unique password.  Honestly, could you remember your passwords if every site’s was unique and they looked like x^HsNpeGo}V%Xd~, [lfGY%KW$4McJ(3l, or Jo@Rl-p4Vc7Esy?  I seriously doubt it.  So people using good, secure passwords use password manager software to generate and remember these kinds of passwords for them.

(I can honestly say I have no idea what my passwords are on 99% of the web sites I visit. In most cases I’ve never actually even seen them.)

Unfortunately it seems that many web site developers think you can remember these kinds of passwords.  Otherwise they wouldn’t be trying to disable password managers.  They are intentionally trying to force you to remember your passwords.  So they’re forcing people into using passwords like “monkey123” or “k3lly@96”, which they can remember but which would be cracked by a hacker in a matter of seconds (or even milliseconds).  And since people are bad at remembering passwords, they’ll reuse the same passwords on multiple sites, if not every site.

So while their intended effect is to prevent unauthorized logins, what they’ve effectively done is make their users’ accounts much easier to hack.  Not only are their users’ passwords bad, they’re probably the same as on another site that has already been hacked.

Intended effect: improved security, actual effect: horrendous security.  The law of unintended consequences strikes again.

So, please, if you are in charge of designing or developing a web site, resist the urge to prevent users’ browsers or password managers from filling passwords in for them.  The site will be far more secure if you actually allow users to use secure passwords.

(While I’m on the subject, having a site suggest a secure password when a user creates an account isn’t a bad idea either.  It should be displayed on the page so they can see what it is, as well as pre-filled into the password fields.  Most browsers and password managers will automatically pick up on data pre-filled into those fields and save it for the user.  Oh, and always use HTTPS for any page that requests or displays account data.)
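As an added illustration (not code from the original post), the Python sketch below does both things asked for above: it suggests a CSPRNG-generated password in a signup form that password managers can fill and save, and it audits served HTML for the blocking tricks listed earlier. The form field names, the /signup and /login paths, the character set and the inline-handler heuristic are assumptions made for the example.

```python
import html
import re
import secrets
import string
from html.parser import HTMLParser

# Assumed character set for suggestions; any large set works.
ALPHABET = string.ascii_letters + string.digits + "!#$%&()*+-=?@[]^_{}~"


def suggest_password(length=16):
    """Pick every character with the OS CSPRNG (secrets), never random.random()."""
    if length < 12:
        raise ValueError("12 characters is the absolute minimum")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def render_signup_form(password):
    """Show the suggestion and pre-fill it so a password manager offers to save it.

    Serve this page over HTTPS only, since it displays account data.
    """
    shown = html.escape(password, quote=True)
    return (
        '<form method="post" action="/signup">\n'
        '  <input type="email" name="email" autocomplete="username">\n'
        f"  <p>Suggested password: <code>{shown}</code></p>\n"
        '  <input type="password" name="password" autocomplete="new-password"'
        f' value="{shown}">\n'
        "</form>"
    )


class _FormAudit(HTMLParser):
    """Flag the markup tricks that keep browsers and password managers from filling."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self.password_fields = 0

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}
        autocomplete_off = a.get("autocomplete", "").strip().lower() == "off"
        if tag == "form" and autocomplete_off:
            self.findings.append("form sets autocomplete=off")
        if tag != "input" or a.get("type", "").lower() != "password":
            return
        self.password_fields += 1
        if autocomplete_off:
            self.findings.append("password field sets autocomplete=off")
        for name, value in a.items():
            # Heuristic: an inline handler that assigns an empty string to .value.
            if name.startswith("on") and re.search(r"\.value\s*=\s*(''|\"\")", value):
                self.findings.append(f"{name} handler clears the password field")


def audit_login_html(markup):
    """Return findings for one served HTML document (empty list means fill-friendly)."""
    parser = _FormAudit()
    parser.feed(markup)
    parser.close()
    findings = list(parser.findings)
    if parser.password_fields == 0:
        findings.append("no password input in served HTML (built by script?)")
    return findings


# Constructed samples of the tricks the article lists.
HOSTILE_FORM = """
<form method="post" action="/login" autocomplete="off">
  <input type="text" name="user">
  <input type="password" name="pw" autocomplete="off" onfocus="this.value=''">
</form>
"""
SCRIPT_BUILT_FORM = '<div id="login"></div><script src="/static/login.js"></script>'

if __name__ == "__main__":
    pages = [
        ("hostile", HOSTILE_FORM),
        ("script-built", SCRIPT_BUILT_FORM),
        ("friendly", render_signup_form(suggest_password())),
    ]
    for label, page in pages:
        print(label, audit_login_html(page))
```
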

P.S. You can always get a truly random password from my web site.  The passwords aren’t saved anywhere, and only you ever see it.

P.P.S. If you aren’t using a password manager, you should be.  The one I like is LastPass.  If you’re concerned about your passwords being accessible to someone, just choose a really, really good password for your account.  These sites include your account password as part of the encryption key, so nobody can get to your password data without it.  And you can make it even harder to crack by turning on Two-Step Authentication too.

Thursday, March 16, 2017

How I’ve Eliminated Spam Emails

Spam (junk) email is a pretty serious problem.  I haven’t seen a statistic lately, but the last time I did, it was that more than 90% of email being sent on the Internet is spam.  Yikes!  That’s absolutely awful.

I feel a little disconnected from the problem, though.  I don’t get spam.  At least not more than a couple times a month.  And the funny thing is, it actually wasn’t that hard to eliminate it.  Without having to worry about any real email being flagged as spam, ever.

Before I jump into my solution, let’s talk about why spam is such a problem.  It basically boils down to the easy access that spammers have to email address lists.  It is trivial for someone who wants to send out mass emails to find a list of email addresses on the Internet.  They are available all over the place.  And if your address happens to be on the list, well, unless your spam filter is exceptionally amazing, you’ll be getting at least some of it.  And once your address is on a list, there’s no way to take it off.  So as long as your email address is still valid, you’ll keep getting more and more of it.

Where do these lists come from?  Based on my own experience (you’ll understand how I know this in a minute) they tend to come from web sites that have been hacked.  Many, many websites have been hacked over the years, some of them even major players – Yahoo, Adobe, LinkedIn, Dropbox, and MySpace just to name a few.  And chances are that you’re using at least one of those sites, so your email address is in a spammer’s database.  And there is, unfortunately, nothing you can do about that.

Most companies that provide email services take a reactive approach to try to eliminate spam.  That is, they put a lot of time and money into coming up with intelligent filters that will try to detect spam and delete it, or at a minimum mark it as such and stick it in a folder for you to review later.  It works – kind of – but not without a few legitimate email messages being detected as spam when they shouldn’t be. So they have to keep most of the spam around for you to review manually.  It’s an ugly solution.

So what can be done if your address is already on their lists and it can’t be removed?  How can we fight back?  There isn’t much you can do, honestly, once they have your address.  There’s no way to edit those lists.  But I came up with a solution to the problem more than a decade ago and it has worked flawlessly that whole time.

The trick is that I have my own internet domain name just for my email.  There’s no web site or any other server there – it’s just for email.  I won’t disclose what it is publicly for obvious reasons, but for the sake of discussion we’ll say it is secretemail.tld.  And on that domain, I accept any email sent to any address.  (It’s called a catchall.)  So doug@secretemail.tld, junk@secretemail.tld, xyzxyzxyz@secretemail.tld, jane@secretemail.tld, etc. are all valid email addresses that all go to the same email inbox.  I get all of it, in one place.  I don’t have to create a new account for each address I give out because anything in front of the @ works.

Because anything in front of the @ is valid, whenever someone – anyone – asks for my email address, I give them something unique, usually based on who it is that is asking.  For example, if I’m creating an account at Amazon, the email address I give them is amazon@secretemail.tld.  Google? google@secretemail.tld.  Apple gets apple@secretemail.tld, and so on.  They can all send me email, and I will get it. 

(I do get some strange looks occasionally when I do this.  Or questions like, “Do you work at Target?” when giving a Target cashier that address.  Or, “Do you have an email account setup just for Jamba Juice?”  [Well, I kind of do…] They don’t get it, which is to my advantage.)

So here’s where this all pays off, though… these addresses are disposable.  And since spammers all use the same email databases over and over again, if one of those @secretemail.tld addresses that I’ve given out is included in one of those lists, I block all incoming email sent to that one particular address.  The address is thrown away and never used again.  So if LinkedIn had linkedin@secretemail.tld as my email address when it was hacked, I’ll log into the site, change the email address in that account to something else (maybe even as simple as linkedin2@secretemail.tld), then add linkedin@secretemail.tld to my block list.  LinkedIn can still communicate with me, but now the spammers that have that address cannot.  If they try, they get an “email address doesn’t exist” error before they can even try to send the body of the message. Anyone that tries to use that original, leaked email address is rejected outright, no matter what they are trying to send me.  Once the address has been compromised I block all attempts to use it.

Using this method, I get no more than a couple junk email messages per month, if that.  It is very rare.  If I do happen to get one, it is very easy to prevent the email address they’ve used from ever working again, thus cutting them and anyone else that has that address off forever.  The other upside is that I never have to worry about legitimate email messages being tossed into a junk mail folder.  Because I don’t have one – at all!

The other upside to this is that companies that intentionally share my email address also get blocked.  And they don't get a new email address from me, so I never have to hear from them again.  Anyone that abuses the privilege of having my email address loses it permanently.

I know what you’re thinking… if I accept anything sent to any address at that domain, wouldn’t that open me up to tons of spam?  Because anyone can send anything to any address at that domain and it won’t get blocked?  Well, you’d think so… but in reality that just hasn’t happened.  So far none of the spammers out there have figured out my trick, or at least if they have it isn’t worth their time to try to circumvent it.  I keep my fingers crossed, obviously…  but if someone someday does figure out my trick, I’ll find another way to keep them out… perhaps creating a simple list of addresses that I’ll accept.  But in reality, though, it isn’t worth their time to figure out a workaround.  I’m not the low-hanging fruit and their efforts are better focused elsewhere if they want a return on their investment.
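The recipient check described above can be modelled in a few lines. This Python sketch is an added example, not the author's server configuration: it answers the SMTP RCPT TO step for a catch-all domain with a block list, retires a leaked address, and includes the accept-list fallback mentioned in the previous paragraph. The class and function names, the reply texts and the case-insensitive matching of the local part are assumptions.

```python
import re
from email.utils import parseaddr


def split_address(address):
    """Return (local, domain) lower-cased, or None when it is not user@domain."""
    _, addr = parseaddr(address)
    local, at, domain = addr.rpartition("@")
    if not (local and at and domain):
        return None
    return local.lower(), domain.lower()


class CatchAllPolicy:
    """Accept any local part at one domain except the ones that have been burned."""

    UNKNOWN = (550, "5.1.1 Recipient address rejected: user unknown")

    def __init__(self, domain, blocked=(), allowed=None):
        self.domain = domain.lower()
        self.blocked = {b.lower() for b in blocked}
        # allowed=None means catch-all; a set switches to the accept-list fallback.
        self.allowed = None if allowed is None else {a.lower() for a in allowed}

    def rcpt_to(self, address):
        """Answer the RCPT TO command; a 5xx here ends delivery before DATA."""
        parts = split_address(address)
        if parts is None:
            return (501, "5.1.3 Bad recipient address syntax")
        local, domain = parts
        if domain != self.domain:
            return (550, "5.7.1 Relaying denied")
        if local in self.blocked:
            return self.UNKNOWN
        if self.allowed is not None and local not in self.allowed:
            return self.UNKNOWN
        return (250, "2.1.5 Ok")

    def retire(self, local):
        """Block a leaked address and return the replacement to give that one sender."""
        local = local.lower()
        self.blocked.add(local)
        base, digits = re.fullmatch(r"(.*?)(\d*)", local).groups()
        n = int(digits) if digits else 1
        while True:
            n += 1
            candidate = f"{base}{n}"
            if candidate not in self.blocked:
                break
        if self.allowed is not None:
            self.allowed.discard(local)
            self.allowed.add(candidate)
        return candidate


def leak_source(recipient):
    """Name the party a spammed address was issued to (the tag before any counter)."""
    parts = split_address(recipient)
    return None if parts is None else parts[0].rstrip("0123456789")


if __name__ == "__main__":
    policy = CatchAllPolicy("secretemail.tld")
    print("replacement:", policy.retire("linkedin"))
    # Constructed envelopes: (sender, recipient) pairs as seen at RCPT TO.
    envelopes = [
        ("orders@amazon.example", "amazon@secretemail.tld"),
        ("notify@linkedin.example", "linkedin2@secretemail.tld"),
        ("bulk@spam.example", "LinkedIn@secretemail.tld"),
        ("bulk@spam.example", "victim@elsewhere.example"),
    ]
    for sender, rcpt in envelopes:
        print(sender, "->", rcpt, policy.rcpt_to(rcpt), "tag:", leak_source(rcpt))
```
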

Google sort-of does something similar, but it doesn’t actually help.  Anyone with a Gmail account can give out a unique address.  Google ignores anything after a plus sign in a gmail address, so if your Gmail account is, you can give out as your email address and you’ll still get the message.  The bad part about that is that spammers know this, so all they have to do is strip anything after the plus sign and they have your real email address, and there’s no way for you to know where they got your address.  So this trick doesn’t necessarily help in eliminating spam, but it can help you in identifying where someone got your email address (sometimes).

In terms of my solution, it’s kind of amazing that something so simple has worked so well.  But the truth is, that it has worked.  I still have a couple other spam protection tools installed on my server, but they just aren’t ever kicking in, and I still don't get spam.  Having a list of addresses to block that have leaked has cured the problem.

The spam problem overall isn’t going to be going away any time soon.  As long as even a handful of people click on the links, it is totally worth it to spammers to keep doing what they’re doing.  It costs so little to send out millions of emails that even if 1% of 1% click on a link, it’s worth the spammer’s investment.  And since we can’t convince that 1% of 1% to stop it, it’s just going to keep coming.  At least to everyone but me. :)

If a solution like this interests you, I can give some guidance on how to set it up (you’d need your own server and technical knowledge of how to administer it, though if you already have all of that you could probably figure the rest out on your own), or even give you some space on my server for a small fee.  Reply below and I’ll be in touch.

Wednesday, September 30, 2015

Making the Most of Your Device’s Battery

There seems to be a lot of misinformation out there about the best way to care for the battery in your cell phone, laptop, tablet, or other electronic device.  It seems that most people have not been given proper instructions on how to best care for their batteries, and they end up wearing them out prematurely.  By taking care of your battery, you can make your device perform optimally for years.

Technology has changed quite a bit over the years, that’s for certain.  And so have the batteries that power our devices, and the chargers that keep them running.  Unfortunately much of society hasn’t been taught how to care for them to get the most out of them.  So let’s set the record straight.

Myth: I should let the battery on my device drain all the way down before charging it again.

Fact: This was true in the days we used NiCd rechargeable batteries in our devices.  Very few devices still use NiCds; they are heavy and hold relatively little energy.  Today, we use Lithium Ion batteries, and draining a Li-ion battery shortens its life dramatically.  In fact, in some cases when a Li-ion battery is drained all of the way it won’t accept a charge at all.  Bad things happen to Li-ion batteries when they are allowed to get too low.

For example, if a Li-ion battery is allowed to fully discharge, it will only accept a few hundred charges before it dies.  If a battery is only allowed to dip to 90% charge each time it is used, it will be good for many thousands of charge cycles.  A properly cared-for battery can last for many, many years.  A battery improperly cared for can become useless in under a year.

Myth: It is bad to leave my device plugged in all of the time.

Fact: For devices with really primitive charging circuitry, this is actually true.  These devices would overcharge a battery, and damage it. 

But those days are behind us.  Any modern cell phone, laptop, or tablet has intelligent charging circuitry that shuts off the charger when the battery is full, eliminating the need to unplug when the battery is charged.  You don’t need to unplug manually.

You may even see evidence of the intelligent charger.  If your device’s battery charge actually drops while plugged in, this is the intelligent circuitry doing its job, turning on and off to prevent unnecessary wear and tear.  Most devices hide this on/off cycle from you, though, so even devices that stay at 100% when plugged in are still managing your battery properly.

Myth: It doesn’t matter when I plug my device in, the battery is going to wear out in a couple years anyway.

Fact: Batteries actually do have a limited number of charge cycles that they can handle.  And each charge cycle holds just a little bit less energy than the previous.  But the loss in total capacity can be minimized by making sure that batteries aren’t drained any more than they need to be.  The way you handle charging your device can extend or shorten its life significantly.  Deep discharges wear out a battery faster than letting the battery drop just a few percent before plugging it back in.  To maximize the life of your battery, just plug in whenever you can.

Myth: It isn’t good for a battery to only let it discharge a little bit before plugging it back in.

Fact: The Lithium Ion batteries that power our devices actually last longer when they aren’t allowed to discharge much.  They last longer when their charge isn’t allowed to drop.  They “like” to be constantly topped off.  The old NiCd batteries we used years ago worked best when discharged fully before charging, but the Lithium Ion batteries we use today wear out faster when allowed to discharge.  So plug in to keep your devices topped off whenever you can.

Myth: Lithium Ion batteries are dangerous, and can explode, especially if overcharged.

Fact: Lithium Ion batteries are potentially dangerous.  If allowed to overheat they can catch fire – violently – and even explode.  Fortunately, reputable manufacturers place multiple failsafes into modern batteries to prevent this from happening.  The number of cases of batteries overheating or exploding has dropped dramatically in recent years.

But because batteries have to be designed and built properly to prevent overheating, fires, and explosions, you should avoid purchasing no-name aftermarket batteries.  You just can’t be sure if they’re built with the same level of protection as batteries from the original device manufacturer.  It just doesn’t pay to buy batteries from brands you don’t know you can trust.

Myth: All Lithium Ion batteries are the same, so it doesn’t matter if I buy a cheap no-name replacement.

Fact: Batteries are most definitely not all created equal.  Aftermarket batteries often hold less of a charge than the originals (even when labeled as if they held more), and very often aren’t built with the same level of protections against fire and explosion.  They also tend to wear out faster.  It generally isn’t worth it to buy batteries from anyone other than the original device manufacturer, or at least a trusted brand. 

Myth: The battery in my device can’t be replaced.  The cover can’t be removed.

Fact: We have certainly seen a trend in recent years for device manufacturers to take away the ability for owners to swap out a battery by removing access covers.  But in most cases, batteries can still be replaced by a qualified service center.  Don’t be tempted to throw away an old phone just because it doesn’t hold a charge very well.  Replace the battery and keep using the device, or donate it to someone else who can enjoy it.  (Reusing is better than recycling, and far better than discarding.)

Myth: It’s okay to use an aftermarket charger.

Fact: It depends on what type of charger you’re talking about.  If you’re talking about a charger that you plug into a phone or tablet, it may not matter what charger you use in terms of the life of your battery.  But if you’re talking about a charger that you insert a loose battery directly into, it can make all of the difference in the world.  Cheap battery chargers don’t often have the intelligence that they need to maintain a battery properly.  Stick to chargers from the original manufacturers, or at least a well-known and well-respected brand.

Myth: If I don't have time to fully charge the battery, I shouldn't plug my device in to charge because short charging cycles harm my battery.

Fact: False. Even short charging cycles are helpful.  Plug in whenever you can.

Myth: Using a charger with a higher milliamp rating than the original will damage a device/battery.

Fact: The milliamp rating on a charger is simply the maximum amount of current that it can potentially put out.  It doesn’t mean that it will force more current into a device than it can handle.  If a device is designed to draw 500mA, and you plug it into a 1000mA charger, the device will still draw just 500mA.  It is generally just fine to use a charger with a higher milliamp rating, so long as the voltage is correct.

Myth: I should never allow my battery to drain fully.

Fact: Okay, well, yes, you should never drain the battery all the way until your device shuts itself off.  That is bad.  But it is a good idea to drain your battery down to 10% or so a couple times per year.  Not because doing so is actually good for the battery, but because it is actually good for the device it is powering.  It is quite difficult for devices to figure out the charge level of Lithium Ion devices (it involves a lot of guesswork), and putting a device through a discharge / recharge cycle gives the device a chance to re-learn how your battery is operating.  You’ll be rewarded with a more accurate gauge of the amount of battery life you have left.

Myth: It isn’t worth it to do anything to improve the battery life of my device.

Fact: Because draining a Li-ion battery is bad for it, you can extend the life of your device’s battery by taking a few steps to reduce the amount of battery charge being used.  Things like changing the amount of time a device sits idle before automatically going to sleep, reducing the brightness of your screen, using Wi-Fi instead of a cellular connection, or closing apps you aren’t using can make a huge difference, and can extend the life of your battery dramatically.

Myth: It is okay to throw away a used battery in the trash.

Fact: Nope. Lithium Ion batteries should always be recycled.  It is easy to do; most electronics and office supply stores will recycle old batteries for you at no charge (pun intended).

Myth: Batteries perform differently based on temperature.

Fact: This one is actually true.  A warm battery doesn't output as much energy as one at room temperature.  Likewise, a cold battery doesn't output as much as one at room temperature.  Batteries operate most ideally at the same temperatures that we as humans do.

Similarly, batteries charge best at room temperature as well.  A cold battery won't charge as fast as one at room temperature.  And trying to charge a hot battery isn't a good idea.  So if your device is too warm or too cold, give it some time to return to room temperature before plugging it in.

Batteries which become too warm are also damaged by the heat.  A battery that overheats because the device is in the sun, or is hot because the electronics inside have gotten warm, can easily be permanently damaged.

Myth: It's okay to use a battery which has swelled up.

Fact: A battery which has been overcharged or overheated can sometimes swell up and become larger than it is intended to be.  These are potentially dangerous to use.  The act of swelling up can damage some of the protection circuitry inside.  Once a battery has swelled it should be properly recycled and replaced.  There is no way to repair a swelled-up battery.

Myth: You have oversimplified how to care for a battery here.

Fact: Okay, yes, I have oversimplified a bit.  I'm aware that my advice isn't 100% accurate.  I'm aware that modern electronics do push batteries harder than they maybe should.  But I feel my advice is still good because actual battery best practices are too complicated and nobody would ever actually attempt to follow those rules exactly.  We aren't NASA using devices that have to survive in space for a decade.  Nobody would be happy with the battery life of their devices if they followed actual best practices, nobody would take the time to monitor their devices that closely to maintain them perfectly, and any potential damage done by following my advice compared to ideal is for all practical purposes insignificant.  Device owners can benefit significantly from the advice here compared to how they are likely handling their devices now.  So I've opted to simplify the rules to make them easier to follow. So please forgive me for not over-complicating the matter.

Tuesday, August 11, 2015

Why I Don’t Buy Digital Movies

With the availability of iTunes and other digital video services, I hear a lot of people talk about how they don’t buy DVDs any longer.  I hear things like “I don’t want to take up space with all of those cases” or “my kids destroy DVDs” – which make sense, but at the same time I can’t bring myself to give up my physical media.

For me, though, digital video distribution (DVD?) plays a supporting role rather than the primary role in building my video collection.  I don’t purchase movies digitally – I buy the discs.  Almost always Blu-ray discs, actually, since normally when I watch movies they’re being projected on a 100” screen, and DVD can fall apart at that size.  So do streaming services, to some degree, as well, but this isn’t the reason I choose not to invest in digital.  It’s more basic than that.

The main reason is that I don’t trust that these services are going to be around in ten years.  And I don’t want my investment to be lost.

History already tells us that we can’t rely on these services, no matter who is backing them.  Several big players have already tried and failed, including Wal-Mart and Target.  And when they fail, you lose what you’ve bought.

I know what you’re thinking… that Apple’s iTunes isn’t going to go away.  Maybe not.  At least not now.  But can you actually believe that Apple, if they’re still around in 20 years, is still going to be supporting a service that old?  They don’t support any services more than a few years old now.  There’s just no way that they’ll actually still make your movies available to you that far in the future.  Technology changes too fast.  Twenty years in the technology world is an eternity.  Very few tech companies make it that long. 

Owning the discs ensures that I’ll be able to watch them 10, 15, or more years in the future.  Even if (when) manufacturers stop making Blu-ray players in the future, the players I own today will still play those discs moving forward.  Yes, we’ll see improvements in picture quality with new tech like 4K and HDR moving forward, but Blu-ray is pretty good – it’s virtually the same level of quality currently projected in your local theater – and many movies have actually been shot in HD-like resolution, so in those cases a higher quality version usually doesn’t even exist.  And unless you’re sitting really close to a very large screen, newer technologies won’t even provide any additional discernible picture detail. (Though HDR, if it catches on, has the potential to improve things considerably.)

The other big reason I still buy discs is convenience.  I don’t want to be without a way to watch a movie if my Internet goes down, I’m travelling somewhere where I don’t have Internet access, or it isn’t fast enough to stream a movie reliably.  Maybe in 5-10 years our Internet access will be more reliable and high speed will be more ubiquitous, but I just can’t count on it.  And will the streaming service you’ve invested in still be around at that time?  There’s no way to know.

That said, it isn’t like I don’t use digital video services, because I do.  They’re just my backup.  Most movies I buy come with a code to unlock digital versions.  And if they don’t, I’ve really found Vudu’s Disc-to-Digital program to be very handy.  (Tip: If you use the service, do the conversions at home on your own computer, and convert more than 10 discs at a time for a 50% discount.) I can’t convert all of my movies to digital, but I can certainly convert enough of them that I’m generally not left wanting when I want to stream a movie. I’ve got 241 on Vudu right now, so I’ve got plenty to choose from.

In any case, I know that everyone’s situation is different.  But I would encourage you to think about the future when making your video purchases.  Would you care if your selected service shut down in 5 years?  Would it bother you if you lost your investment because they’ve gone belly-up, or choose not to support it any longer?  It’s something to consider.

Tuesday, October 14, 2014

Why Web Sites Don’t Need to Store Your Password

It seems counterintuitive, but web sites that require logins don’t actually need to store your password.  And they actually shouldn’t – it is a very bad idea to do so.   We see too many leaks of account databases for it to ever be safe to store passwords in any form, even if encrypted.

So how can a site validate a login if it doesn’t store the password?  The answer is something really cool called a hash function.  I know your eyes just glazed over, but bear with me, the concept is actually simple.

A hash function is a way of processing data that is one-way… you can put data in, and always get the same result coming out, but there is no way to reverse the process to get back the original data.  I won’t get into the specifics of how hashes actually work, but I can describe a very simple hash that will illustrate the principle.

Say, for the sake of simplicity, we are creating a web site that uses a 4-digit PIN as a password to log in.  We know that storing the PIN itself is dangerous because it could be leaked out or viewed by site administrators, so instead we add up the four digits and store that sum.  So if my PIN is 2468, we store 20 (2+4+6+8) in the database.  When we go back to the site to log in, the site can add up the four digits we enter for the PIN, compare that result against the sum in the database, and validate that we know what the correct PIN number is.  A hacker that gets his hands on the database only knows that the sum of the digits is 20… he can’t possibly know that the original PIN was 2468.  They’d have to guess what the original PIN number was by trying different combinations.

Of course this is overly simplified.  This demonstration hash function wouldn’t really work in the real world because it is too easy to figure out combinations that would let hackers in.  This situation is called a collision… 8642, 5555, 8282, 1991, and 6446 all produce the same hash value of 20.  But real hash functions used for account login verification are much, much more complicated, and aren’t normally subject to problems with collisions.  But you get the idea.  Instead of storing the actual password, we store a value that is calculated from the password.  We can validate that someone knows the password without actually storing that password.

This has other advantages as well.  For example, using a hash function there is no limit to the length of the password, because hash result values are always the same length regardless of the amount of data going in.  Someone could enter 6 letters, or 200 random symbols, and either one can be hashed down to a value of a standard length that can be stored in the database. 

Because of this, you can sometimes tell web sites that don’t use hashes to securely store passwords because they enforce a maximum length for passwords.  This isn’t always the case, but it can be one indicator that the site’s security has been poorly designed.  But if you are signing up for an account on a web site and they have a low limit on the length of the password, like 12 characters, you might look for other signs of poor site security or privacy policies.  And definitely don’t reuse a password from another site.  Or just steer clear.

The downside to using hashes is that if you forget your password the site has no way of sending it to you… because they actually don’t know it.  That is why sites generate brand-new, random passwords that they send to you via email when you forget your password.  They honestly have no idea what your password was, so the only solution is to create a new one and use that temporarily until you create your own.

The whole process is considerably more complicated than I’ve described here – or at least it should be.  Just using a hash isn’t sufficient, either, because we’ve got affordable computers these days that can calculate billions of hashes per second and are therefore capable of brute-forcing short passwords very quickly.  (A 6-letter password, for example, would be cracked hundreds of times over in just one second using a simple hash.)  But for a site to use a hash on passwords is one step in the right direction.
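To make the two halves of this post concrete, here is an added Python example (not from the original post). It first enumerates every PIN that collides with 2468 under the digit-sum toy hash, then stores and verifies a password the way the last paragraph hints at: a random per-user salt plus a deliberately slow hash. PBKDF2-HMAC-SHA256, the 600,000 iteration count and the record format are choices made for this example, not something the post specifies.

```python
import hashlib
import hmac
import secrets


def pin_sum_hash(pin):
    """The post's toy hash: add up the digits of a 4-digit PIN."""
    return sum(int(d) for d in pin)


def pins_matching(stored_sum):
    """Every PIN an attacker could type to pass the toy check for this stored sum."""
    pins = (f"{n:04d}" for n in range(10_000))
    return [p for p in pins if pin_sum_hash(p) == stored_sum]


# Assumed work factor: each guess costs this many HMAC rounds. Tune it to your
# hardware so one login takes a noticeable fraction of a second.
ITERATIONS = 600_000


def hash_password(password, iterations=ITERATIONS):
    """Return the text record to store in the database; the password is not in it."""
    salt = secrets.token_bytes(16)  # unique per user, so equal passwords differ
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the hash from the login attempt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    same_sum = pins_matching(pin_sum_hash("2468"))
    print(len(same_sum), "of 10000 PINs unlock the toy account, e.g.", same_sum[:5])

    record = hash_password("x^HsNpeGo}V%Xd~")
    print("stored:", record)
    print("right password:", verify_password("x^HsNpeGo}V%Xd~", record))
    print("wrong password:", verify_password("monkey123", record))
    # Input length does not change the stored size, so no maximum length is needed.
    print(len(hash_password("abcdef")), len(hash_password("!" * 200)))
```
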

Saturday, October 11, 2014

Canon vs. Nikon vs. Sony

We’re all familiar with the expression “the grass is always greener on the other side of the hill.” This applies in many areas of life.  And, of course, that means photography. 

I’m primarily a Canon shooter.  I use a Canon 6D as my primary camera, with several other bodies for backup or other shooting situations.  I’ve currently got 5 working Canon DSLRs, as well as three film bodies, and I’ve amassed quite a large collection of lenses, flashes, and other gear as well.  And I’ve been very happy with all of it.  But sometimes you start to doubt your choices when you start reading articles online about how Nikon’s and Sony’s cameras are capable of producing images with more detail, greater dynamic range of bright vs. dark, and a wider range of colors.  Did I choose the wrong brand?  Am I making a mistake by sticking with what I’ve got?  Or should I sell it all and switch?

So I’ve spent a bit of time reading up on what the advantages and disadvantages of the different brands are.  I even bought a Nikon camera and a couple of lenses so I could see what they offer.  I’ll save my conclusion for the end, so bear with me for a bit.

I’m making all comparisons between similar models… so, for example when I make a statement about a feature, I’m referring to competing models between brands… I won’t compare features on high-end models of one brand to low-end models of another brand.  I’m trying to be as objective and honest as I can be.


If I were to go by specifications alone, both Nikon and Sony produce camera bodies that have more detail in terms of resolution, dynamics, and breadth of colors.  The numbers are pretty clear on that.  As far as Nikon goes, they’ve stuck with the more traditional SLR design, with an optical viewfinder and reflex mirror that moves out of the way of the sensor when shooting an image, whereas Sony is producing basically all mirrorless designs, relying on electronic viewfinders.  I won’t really get much into the reflex vs. mirrorless debate here, but I do prefer the optical viewfinder because of its significantly higher resolution and lack of delay.  Someday mirrorless designs may make up for those issues, but as someone who usually shoots with manual focus, the highest resolution viewfinder is essentially a must-have for me.

In terms of autofocus ability, each brand has standout models.  I don’t really believe that any brand has an inherent advantage over another.  Having used both Canon and Nikon bodies, I prefer the way that the Canon models work.  Especially in low-light situations.


As of today, Sony probably has the advantage of the best looking video when comparing models with similar feature sets.  Canon is the other standout here, with its pretty amazing DualPixel autofocus on the 70D.  Both Nikon and Sony produce images with more detail.  Nikon still seems to have trouble with the “Jello” effect more than the other two brands, though they have gotten better.  Certain Canon models have more moiré issues than the others, so that needs to be considered as well.


Here’s the make-or-break for me… whatever brand I go with has to have good quality lenses, and a wide variety of them, at affordable prices.  I’ve found that sticking with OEM lenses usually gets you the best results when compatibility, affordability, and autofocus are taken into consideration. 
So here’s the bottom line… Sony’s selection of lenses pales in comparison to both Canon and Nikon.  The difference is huge.  There are fewer than a dozen lenses for the Sony “A” series, which is really the only line I’d potentially be interested in.  So, for me, Sony is out.  They have some amazing lenses, but being limited to just a few (especially considering their cost) isn’t viable for me.  For people without sophisticated lens needs, and significant budgets, Sony could be a great choice.  I use a really wide variety of lenses, especially primes.  I really don’t think I’d be able to give that up. 

So I’m back to the traditional Canon vs. Nikon debate.  What I’ve found, though, when researching this (primarily on, though many YouTube review videos are being taken into consideration) is that unless you’re willing to spend a lot of money on Nikon lenses, Nikon’s image quality really suffers relative to equivalent Canon lenses.  Nikon produces just a handful of lenses that autofocus on the less expensive bodies under $1000 that are rated to give more than about 10 megapixels of resolution, whereas Canon has a lot to choose from.  Comparing Canon to Nikon lenses, in almost every case the Canons do better in terms of sharpness.  Which for me is the most important thing.  I don’t want to spend time taking images only to come home and find out that they are always soft.  It is especially true with prime lenses, where Canon has a huge advantage.  Canon’s lenses often resolve nearly twice as much detail as the Nikon equivalents.

Take the Nikon AF 50mm f/1.8D vs. the Canon EF 50mm f/1.8.  The Nikon gets an 8 MP score for its sharpness, whereas the Canon gets 14 MP.  And the Canon is cheaper.  And it autofocuses on all bodies, not just the high-end models like the Nikon (Nikon “AF” lenses do not autofocus on the D3xxx or D5xxx series of cameras – you have to step up to “AF-S” lenses or a more expensive body for that).  The difference in performance between these two lenses isn’t at all atypical comparing equivalent models. 

To be fair, Nikon also offers a 50mm AF-S f/1.8G lens, which does autofocus on all bodies, and gets a 15 MP score, but it is more than twice as expensive as Canon’s ($220 vs. $100).  And it is one of only a few primes in Nikon’s lineup under $1000 that gets a score over 10 MP.  Every one of Canon’s prime lenses scores 14 MP or higher.  Performance with kit lenses included with camera bodies is similar… Canon’s are all better.  For all of the love that Nikon gets from its owners, I was shocked at the difference.  And choices on the Nikon side become much more scarce if having autofocus on a lower-end body is a requirement.  I think there are only two AF-S Nikon primes under $1000 able to resolve 14 MP of detail or better.  Canon has over a dozen.

One could argue that you don’t have to go with OEM lenses.  And that is true.  My own experience with third-party lenses, though, has been disappointing.  Not necessarily in terms of image quality (though they do often lag behind), but of build quality.  Every third-party lens I’ve ever bought has broken on me.  Every single one.  But I’ve never had anything go wrong with any of my OEM lenses.


So what does it boil down to for me?  I’m sticking with Canon.  Having cameras with the best available sensors would be awesome, but if the options for the glass to put in front of it aren’t as good, I’m afraid I just couldn’t make a switch.  It would be nice if you could put Canon glass in front of a Nikon, but without complicated adapters which inherently have to reduce image quality that just isn’t possible.  Or if I was insanely rich and could afford boutique lenses, the story would probably be different.  But I’m very much on a budget, so I’ve got to stick with more affordable choices for now.  And for today, that still means Canon.

So it boils down to this: Nikon’s choices for someone who likes to shoot prime lenses with the highest quality image are weak compared to Canon.  And Sony doesn’t even show up for that contest.  Those are the deciding factors for me.

I know that there are going to be a lot of people upset with my conclusion.  And they’ll even use DxOMark’s data to try to make their point.  Keep in mind that I’m making my decision based solely on achieving the best quality image while keeping lenses affordable.  If budget goes out the window, then the decision very likely could be different.

Sunday, February 16, 2014

Best Kept Secret in Technology

Every once in a while a technology product comes along which is just an absolute bargain.  And very often those bargains are unknown to the general public.

The one that I want to tell you about today is the Nokia Lumia 520 (or 521) smartphone.  I’m sure you’re thinking, “but I already have a smartphone!”  But I’m suggesting this not as a replacement for your current smartphone, but rather something that is neat to own in addition to your smartphone.  But it would be a great thing to own for anyone who doesn’t already have a smartphone of their own.

Most of the time when you buy a cell phone you have to buy it with a contract, or pay out the nose for it up front.  Most smartphones, if you buy them outright, will cost $500 or more, and if you don’t pay that out-of-pocket it is figured into your monthly bill one way or another.  The Lumia 520 and 521 are inexpensive (both are easily less than $150) and don’t require you to sign a contract or even activate the phone.  But why would you ever do that?

Well, consider all of the things that people like to do with their phones… browse the web, check for email, listen to music, watch videos, play games, get driving directions.  Imagine being able to do all of that without a monthly payment.  Zero.  None.  No contracts, no monthly payments, ever, unless you want to.  That’s what’s great about these two models of phone.

A few scenarios…

Much of the time when you want to listen to music, it is music you already own – you don’t need an active Internet connection to stream it.  Maybe you have an iPod Touch that you listen to music on.  But those start at $229.  The Lumia 520/521 play all of your music just like the iPod Touch does – and in my opinion do a better job of it.  And they are a lot less.  And with an iPod, if you run out of storage you have to buy an entirely new device.  With the Lumia 520/521, if you run out of storage you can buy a Micro SD Card (up to 64 GB) and pop it in.  The Lumia 520 plus 64 GB of storage is less than half the cost of the cheapest iPod Touch.  And it has an FM radio too, which the iPhone does not.
Now say you want directions from A to B.  Yes, I know that smartphones already do that.  But to do that they nearly always require Internet access and a data plan.  Because the Lumia 520/521 runs Windows Phone 8, you can pre-download maps (state-by-state or country-by-country) at home over WiFi before you leave, and store them on the device for use even when you don’t have Internet access.  You get door-to-door directions, like a dedicated GPS unit, for a lot less than a dedicated GPS unit.  And unlike the budget GPS units, it even knows how to pronounce street names so directions are specific – “turn right on Juniper Avenue” instead of “in 300 yards, turn right.”  If you do activate the device as a phone or tether it over WiFi to a smartphone or tablet, you even get up-to-the-minute traffic information, so it can route you around problems.  And I actually believe that Nokia Drive is the best navigation software out there for any smartphone.  It’s fast, accurate, and touch-friendly so it works great in the car, and best of all, it’s totally free.  And since it doesn’t require a data connection, it works in the middle of nowhere when your cell phone won’t.  (Nokia, incidentally, owns Navteq, which easily has the best map data anywhere – easily besting Apple [cough] and Google – and this is where the map data for Windows Phones comes from.)

Watching movies is easy too.  Since you can pop a Micro SD card in, you can store a lot of video for the kiddies to watch in the car.  It isn’t the biggest or best screen, but it’s more than adequate.  And at 800x480 pixels, a lot higher resolution than you’d get from an Android device in the same price range.  Most of those are 320x240 – or maybe VGA if you’re really lucky.

Say you’ve got a kid that is bugging you about wanting an iPod Touch or iPhone to play games on, but you’re not excited about the cost.  These two Nokia phones do an excellent job of playing games.  It’s true that you won’t get the same selection of games you get on an iPod, but you also aren’t shelling out a ton of money for something that is probably going to get lost, broken, or stolen and have to be replaced over and over.  If one of these phones gets lost or broken, it isn’t that big a deal because they’re so inexpensive.

And of course whenever you’re in range of WiFi you get all of the benefits of a smartphone that you’ve come to expect.  It will check your email (best email client on a smartphone I think), it will browse the web (not the best browser, but certainly more than serviceable).  And play games.
So why a Windows Phone?  Well, because in this price range nothing else comes close.  Apple doesn’t make an i-device for less than $200, and anything in that price range running Android is just, well, a downright ugly experience.  The 520/521 might be the slowest Windows Phones out there, but they aren’t slow.  They feel very fast.  They’re certainly a lot faster than anything running Android at three times the price, and faster than any Apple device more than a year old.  And they don’t feel cheap like many similarly priced devices do.  They feel well built so they should hold up to the abuse that you or your kids throw at them.

The only difference between the two is that one is sold by AT&T and the other is sold by T-Mobile.  You don’t have to have an account with either carrier to buy one – just order it from Amazon or pick it up at Wal-Mart.  As of this writing, the Lumia 520 is only $59.99 at Amazon, and the 521 is $119.99.  Again, you don’t sign up with the carrier if you don’t want to.

These two phones are absolutely the best deal on technology out there today.  You get the functionality of a good smartphone at a tiny portion of what it would cost you to get it otherwise.  Nothing else even comes close right now.

The one thing to note is that these phones are locked to either AT&T or T-Mobile.  Which means you can’t just pop in a SIM card from the other carrier and have it work.  If you want to use one as a phone, only AT&T SIMs will work in the 520, and only T-Mobile SIMs will work in the 521.  So if you want to have one as a backup phone, buy the one that is tied to your carrier.  But, again, you don’t have to be (or become) an AT&T or T-Mobile customer.
They also only come with 8 GB of storage.  So you probably will want to consider getting a MicroSD card for additional storage.
Is this the perfect device?  Certainly not.  But for the price, nothing else even comes remotely close.
Bonus tip: If you do happen to be a T-Mobile customer, go to their web site or one of their stores and sign up for a free tablet account, even if you don’t have or plan to buy a tablet.  You get 200 MB of 4G data every month at no cost (and if you go over that data allotment they just slow you down – there are never any overage charges).  You can then use that SIM card in the Lumia 521 and use it to access the Internet on the phone without paying for a phone line – you won’t have to pay a dime in service charges, ever.  You won’t be able to make phone calls (unless you use an app like Skype over the 4G connection), but you can do everything else you'd be able to do on a smartphone, and it won’t cost you anything to do so.
