Page 1
Standard

A keyboard with swappable switches

It started out with a post to Reddit that linked to a series of photos on Imgur of a new keyboard the user had ordered from the Chinese e-commerce site Taobao. Taobao, for those who don’t know, is a Chinese-language-only e-commerce site run by Alibaba Group that caters to residents of China and nearby countries where people speak Chinese. Many sellers on the site, even if you could navigate the site in Chinese, won’t ship outside of China. To meet demand, a whole crop of sites have sprung up just to help foreigners order products from Taobao. These ‘Taobao agents’ will order the product for you, receive the product in China, and then re-ship it to you wherever you are in the world. Of course, that service comes with a price, and in many cases that eliminates any cost savings you might get from ordering from Taobao. Occassionally, however, there are products on Taobao that are not available elsewhere. In this case, the user (redditsavedmyagain) ordered a keyboard that was in fact quite unique.

The keyboard is called the Team Wolf Zhuque+. I had never heard of it and before that post on Reddit most other people had never heard of it either. The keyboard was made of Aluminum, had folding feet on the bottom that could be used to angle the keyboard, and had LED backlights. Most interestingly, the keyboard was configured to allow switches to added without soldering (and removed without desoldering). The keyboard comes with blue Gaote Outemu switches, made special for the SMD LED underneath the switch. Most LEDs in keyboards go on the top of the switch, with the wires going through holes in the switch and then soldered to the circuit board underneath. Since this keyboard allows the switches to be removed, the LEDs are surface-mounted to the circuit board and have no connection to the switch. This is nice, but presents some problems. For one, the light is below the switch instead of on top of it, meaning the switch itself needs to either be transparent or have a hole to allow the light through. Also, since most switches are not designed with SMD LEDs in mind, they may not have enough room at the bottom for the LED. The Gaote switches used in this keyboard are specially designed for these kinds of LEDs, and are recessed at the bottom to leave room for the LED, have an extra large hole to allow light through, and while the bottom of the switch is white plastic, the top is transparent. This allows the light lots of room to shine.

Two things about the keyboard got users excited on Reddit. First, the swappable switches. It’s not the first keyboard to have swappable switches, but it definitely is one of the first. The second reason was the price. The keyboard cost only about $30-$40. That’s more or less unheard of for a metal-frame mechanical keyboard, especially one including Cherry MX-compatible switches. While lots of people on Reddit wanted to order the keyboard, they ran into a problem – there was no easy way to order it without speaking Chinese and probably having a shipping location in China. Some managed to do it, but most could not. Instead, something interesting happened. Users recruited representatives of Massdrop on Reddit to look into putting together a group buy on their site. That came together very quickly. Massdrop contacted the manufacturer, and offered two versions of the keyboard, the same TKL version shown on Reddit, and a Full Size keyboard as well (if you don’t know the difference between TKL and Full Size, see my article How many keys are there on a keyboard?). In addition to the keyboard, Massdrop allowed the user to bundle Gateron switches that were similarly configured to the Gaote switches, designed for use with SMD LEDs. The Gateron switches similarly had a gap for the LED, larger holes above the LED, and transparent tops. Massdrop offered the switches in a variety of types (brown, red, black, etc.) for $30 for a set. The price of the TKL keyboard was $59 (and an extra $20 for the Full Size) and while shipping in the US wasn’t too expensive, outside the US the shipping came to $30. That brought the price of the keyboard that was somewhere around $30-$40 on Taobao to $89 to people outside the US. A lot of people were annoyed at the big price hike. Of course, most people couldn’t order on Taobao, and certainly couldn’t get SMD LED compatible switches to go with the keyboard (specialist switches like this are incredibly hard to find in small volumes).

Another option popped up at the same time. Chinese site Banggood.com also followed the post, and offered the same TKL version from the original post for $59 on their site, including shipping anywhere in the world. While the Massdrop deal might be better in the US considering it could be bundles with extra switches and you could get the Full Size version, the Banggood deal was better for most people outside the US as the price was the same and the shipping was free.

One big difference between Massdrop and Banggood in terms of this keybaord, is that Massdrop sold a set amount, and now you need to wait until Massdrop decides there’s enough interest to have another group buy for the keyboard. Banggood is a normal e-commerce site, and you can still buy the keyboard from them for $59. As long as there is interest in it, presumably they’re continue to replenish stock.

So I bought a keyboard through BG. It’s true that I can’t find the special SMD LED switches myself, but I read that other switches could work. I happened to have a bag of normal Gateron switches, and figured I could make them work. If not, I could always use the keyboard with the Gaote switches it came with.

This is what the keyboard looked like on arrival:

Close up of Team Wolf keyboard with original keycaps

For more (and better) images see the original photos on Imgur linked to from Reddit, as well as another review on Imgur (I can’t find the post that linked to this review).

So a few things about the stock appearance. Note the white keycaps with translucent legends. The stencil-like appearance of the legends is, how do I put this, not very appealing. I I like the FN (function) key that lets me use all the secondary functions, such as the media keys and the backlight controls.

The keyboard comes with a keycap remover, and a switch remover. The keycap remove wasn’t particularly good, but I had a different one which made it easier to remove all the keycaps:

Team Wolf keyboard close-up with keycaps removed

The switches are blue tactile clicky Gaote Outemu switches. Note the bottom half is white plastic, and the top is transparent. The first thing I noticed when I removed the keycaps was that the switches are mounted upside down. It took me a few moments before I realized all the keycaps I had removed had their legends on the top half of the keycap. The switches were mounted upside down so the opening for the LED underneath the switch would be underneath the legends. Normally the LEDs that are mounted on top of a switch are on the lower half of the switch, so in order to have the light on the top half of the keycap they needed to be upside down.

The next step was removing the switches from the keyboard. In a normal mechanical keyboard, you would need to desolder the switches from the circuit board, and then remove the switches. A normal switch has two contacts that would have to be desoldered. If there were LEDs, depending on the type, you would need to desolder either two or four contacts. That’s per switch. These LEDs have two contacts, so four contacts per switch, times 87 keys, is 348 contacts to desolder to replace all the switches in a normal mechanical keyboard of this size. I’m okay with soldering, but let me say that I hate desoldering. That’s one of the reasons this keyboard appealed to me. Here’s the switch removal tool that comes with the keyboard. It takes all of a couple of seconds to remove the switches:

Removing a switch

Removing the switches leaves you with an empty space in the top plate over the circuit board. Below you can see the four arrow key switches removed, with one of them flipped over so you can see the bottom of the switch. Note the two contacts, and the receiving point in the circuit board those would go into. You can also see the LED mounted on the circuit board, and the big hole in the switch which goes over that LED. The big circle in the middle of the switch is there to help hodl the switch in place, and you can see the corresponding hole in the circuit board where that goes.

Switches removed with one upside down

A look at the keyboard with all the switches removed. You might notice that the LEDs for some key locations are different than others. That’s because the LEDs are different colors. The letters and the right-side keys all have blue backlighting. The modifier and function keys all have white backgrounds, while the number keys have green backgrounds. The stabilizers, the white plastic pieces on either side of the large key locations (Backspace, Return and Shift) are not a type of stabilizer that I had ever seen before, but luckily they worked just fine with the other set of keycaps I wanted to use.

Team Wolf keyboard with switches removed

Before putting in new switches, I wanted to see what was on the back of the circuit board. I removed all the screws and removed the top plate and circuit board, and then flipped it over. You can clearly see the black units that receive the switch contacts:

Bottom of Team Wolf circuit board showing switch receivers

Here you can see the side of the circuit board that sits underneath the right side of the keyboard, where everything that makes the keyboard tick is placed:

Bottom of Team Wolf circuit board showing resistors

Once I took a look I put everything back together, and put all the screws back. The next step was preparing the switches. I didn’t have the special SMD LED switches, only plain Gateron brown switches. The switches I had were actually made for use directly on a PCB, so they had two extra small posts coming out of the bottom of the switch that would normally fit into matching holes in the PCB. Since I was plate-mounting these switches, and the PCB didn’t have matching holes, I had to do a little switch circumcision and snip the two posts off each switch:

Switch circumcision

The next step was to deal withy the fact that these switches were not designed to be used with SMD LEDs. The goal of those switches is to allow more light through the switch, both by having a larger hole above the LED and by having transparent switch tops. Standard Gateron switches like the ones I had are slightly translucent white plastic, but not fully transparent. Luckily I had a bag of transparent switch tops, and just needed to swap out the tops of each switch. For that purpose I have a 3D-printed switch opener that does the trick nicely:

Switch opener

It’s a little hard to tell from the picture, but basically you lower the switch on to the black plastic opener, and small wedges in the opener pry open four connection points on the switch and allow the top to be pulled up from the switch. After swapping the switch cover you can see the difference in the switch appearance:

Switch cover comparison

I also considered making a larger hole in the bottom of the switch to try to match somewhat with the switches that came with the keyboard, but I figured it didn’t matter too much since the Gateron bottoms were somewhat translucent, and the light would shine through the whole switch.

Here’s a look at the bottoms of the two switches. On the left is the Gaote switch that came with the keyboard. Note the opaque white plastic, and the large hole for the LED. It’s a little hard to see but the hole sits above a small gap that allows more room for the LED. The Gateron on the right, however, is made of translucent plastic, and has very small holes for the LED (because for these switches the LED would normally be on top, and the two contacts from the LED would pass through those tiny holes).

Bottom of Gaote and Gateron switches

One other minor modification was for the switch to be used for the space bar. It’s normal for the space bar to have a stronger spring than the other keys. I started out with a clear Gateron switch, and removed the cover, spring, and plunger from the switch. I then inserted the gold spring shown with a much higher resistance, and reinserted the plunger and added a transparent cover. I knew the space bar I was going to use didn’t have any opening for light, so putting the transparent cover on it was sort of a waste, but I figured I might as well keep it consistent.

Replacing the switch spring

This is what the switches looked like in place:

Team Wolf keyboard with brown Gateron switches close-up

They look pretty good, it’s almost a shame to cover them up with keycaps. Note that I had no trouble inserting these switches into the keyboard, event though the switches were not designed to work with SMD LEDs. It’s possible I’ll run into problems at some point because the switches are resting directly on the LEDs, although LEDs don’t generate a lot of heat, so it really should be too much of a problem.

I tested out the backlights before adding the keycaps, just to make sure they were all working:

Testing the backlights

Now that I knew all the switches were working I needed to add the keycaps. Before I could do that, however, I needed to get the stabilizers installed. Stabilizers are used by keys that are at least twice the width of a standard key. At that point the key can have problems without a stabilizer to keep the pressing of the key consistent. You don’t want there to be a problem when pressing the side of the key where the key just bends instead of pressing down the plunger on the switch. As I mentioned, I had never seen these kinds of stabilizers before, but they seemed fairly simple.

You start by removing the little plastic inserts from the old keys. Most keys have two stabilizers. Note the metal wire on either side of the stabilizer in the keyboard. You lift up the wire which is actually one U shaped wire, and position the plastic inserts onto those wires. The inserts fall into the stabilizer spaces, and when you push the keycap down all three plus-shaped pieces get pushed into the keycap (the two stabilizers and the switch itself in the middle):

Team Wolf keyboard stabs

After getting all the stabilized keys installed, started adding all the other keycaps:

Team Wolf keyboard half keycaps

These keycaps are Vortex Double-Shot PBT/POM keycaps. The black material is PBT, a higher-quality plastic than the standard ABS plastic used in most keycaps. The legends are injection-molded separately (the double-shot) out of POM, which is translucent.

Team Wolf keycaps with PBT keycaps

You can see that the legends are not the most readable. Here’s what they look like when the keyboard is plugged in:

Backlight test corner

Backlight test middle

Since these keycaps were not designed for this keyboard, the backlighting isn’t perfect. The biggest problem is that for numbers, the backlight is lighting up the shift value for each key instead of the primary value. Note how the !, @, #, etc. are all green while the numbers are not lit up at all. Here’s the full view:

Final keyboard Team Wolf

While not perfect, I’m definitely enjoying the Gateron brown switches, and I like the appearance of the Vortex PBT keycaps over the keycaps that came with the keyboard. The lack of backlight under the numbers is a bit distracting, however. It’s the same with any keycap that has two symbols on it, like the comma and period keys. You can understand now why the keycaps that came with the keyboard made the unusual design decision to put multiple symbols next to each other at the top, instead of the more standard one on top of the other. While I worked hard to maintain the backlighting, in the end it’s possible I’ll switch to regular keycaps that don’t support backlighting, to get a more consistent look for the keyboard. Maybe I’ll just switch the alphanumeric keys to standard keycaps, and leave everything else backlit. I’ll have to see if I can find keycaps that match the appearance of these Vortex keycaps, which may not be easy since these are PBT and any other keycaps I have, and most made, are ABS. One thing that bother me about the keyboard is the placement of the cable right in the middle of the case. I would have preferred to have it off to one side since I mostly work with a laptop and the cable gets in the way. A nice feature would have been to offer more than one exit point for the cable, and let the user decide which one to use.

I’m kind of amazed how much interest was generated for this keyboard by a single post in a forum. I hope Team Wolf is at least sending redditsavedmyagain some swag.

The end
The end
Standard

E-mail security stinks, and that makes hackers (and the NSA) happy

The Better Mousetrap

Making the perfect e-mail client seems like the build-a-better-mousetrap challenge of our day. Every year or so it seems there’s another amazing e-mail client released by a startup, that says it has ‘reimagined’ or ‘reinvented’ e-mail and how to use it. Some examples include Sparrow (launched in 2011, bought by Google and discontinued in 2012) and Mailbox (launched in 2013 and bought a month later by Dropbox, and announcement of its imminent retirement just this month). This is kind of ironic considering the move away from e-mail to other messaging services, particularly real-time services, such as Slack and Whatsapp.

Recently, perhaps due in part to the imminent shut down of Mailbox, another e-mail app called Polymail has been receiving a lot of hype. It is already the fourth most up-voted product on Product Hunt, and it hasn’t even launched yet. Seeing the latest e-mail-mousetrap launch reminds me about one of the inherent security problems all of these applications encourage.

A Question of Protocol

All of these apps rely primarily on the IMAP e-mail protocol (short for Internet Message Access Protocol). That makes a lot of sense as it keeps most of the e-mail management on the server, and allows app developers to release both desktop and mobile clients that can both share the same e-mail, including read status and folder structure. Many of the largest e-mail providers like Gmail, Yahoo, iCloud, and Outlook.com (the service formerly known as Hotmail) support IMAP, so these e-mail accounts are generally supported by these new e-mail clients.

In the old days, most e-mail was served up using a different protocol, POP, short for Post-Office Protocol (technically it is POP3, and IMAP is actually IMAP4). The truth is that both POP and IMAP date back to the 1980s. POP is only a couple of years older than IMAP, although IMAP received more ongoing attention in the 1990s. There are a lot of differences between POP and IMAP, but the main difference is that when you use POP, all of your messages are downloaded to your e-mail client, and then deleted from the server, while IMAP downloads a local copy, but leaves all the e-mail on the server.

Keeping e-mail on the server has many advantages, such as having a backup of your e-mail on a remote server, and allowing your phone, tablet and desktop to all access your e-mail. There are some minor problems with keeping your e-mail on the server, such as running out of server space (depends on your e-mail provider). One problem that is usually overlooked, however, is that if your e-mail is stored on the server, your e-mail is accessible at all times by hackers and the government. Let’s take a look at these two scenarios.

Scenario One: Hackers

In the old days e-mail was never encrypted. Nowadays more and more companies are trying to insure it is encrypted when in-transit between servers. Google offers an interesting view of their attempt to encrypt e-mail in transit to different providers, showing which companies they receive and send e-mail to that are fully encrypted, and which are not. This in-transit encryption prevents, or at least greatly lowers, the ability of third parties (criminal or government) to intercept your e-mails while they are traveling between servers, or from a server to your client device. That’s great, but there’s one problem they don’t usually talk about, which is that the e-mails are stored unencrypted on the server itself. Apple actually points this out in their iCloud security and privacy overview:

apple-icloud-security-mail

Now I’m sure most major e-mail providers have amazing security, but nothing is a guarantee. How many times have you received spam from a friend whose account on a major e-mail provider or social network had been hacked? I still remember the first time I received the ‘I’m stranded in X and need you to wire me money’ scam. If your e-mail is online, it’s available to those who can access the server. That could be high-level hacks that compromise the entire server, or simple hacks like guessing your password. Check out HaveIBeenPwned.com to search a database of over 250 million username/password credentials that have been hacked and leaked online and you may find your e-mail address there. Do you use the same password on multiple sites? how about the same password for your e-mail and for online sites? That’s a big no no, but when the most common password on the Internet is ‘password’ security isn’t a major concern for many.

Even if you use strong passwords and use different passwords on different sites, however, there are more intricate methods for gaining access to e-mail without having to hack the server directly. Take for example the teenager that gained access to the personal e-mail account of John Brennan, the director of CIA. He did a reverse-lookup of Brennan’s phone number, determined its provider (Verizon), and called Verizon pretending to be a Verizon technician. This is called social engineering, and it’s basically hacking without a computer. The teenager managed to get enough information from Verizon to then call AOL and reset the password on the e-mail account. This was the director of the CIA.

Scenario Two: The Government

Sure, everyone knows the NSA is listening. Edward Snowden’s revelations about the NSA have been news fodder for years. One of the most troubling images released by Snowden via The Guardian was this slide from a presentation on NSA’s PRISM electronic surveillance program:

PRISM E-mail Data Collection

The slide seems to suggest at which point each of these services were compromised by the NSA. Whether these services were hacked by the NSA or were given access by the providers isn’t shown. That distinctions is really irrelevant, it would seem. Does this mean that the NSA can read all of your Gmail, Yahoo and iCloud e-mails? That’s not clear, but it doesn’t seem that is what they mean. It is possible that this slide merely means that the NSA is capable of intercepting all e-mails being sent and received by these servers. For example, they connect to the data pipes in between the hosting location and the Internet provider they use. The NSA can just listen in to everything coming and going, and doesn’t need to access the servers at all. That might have been the impetus for Google’s increased focus on in-transit encryption as mentioned above.

Now you might say that a lot of these programs were shut down and are not active. That’s also irrelevant. You know why? Because you don’t need to be the NSA to access e-mails stored on servers. You don’t even need a warrant. You’re probably thinking that’s crazy, and of course law enforcement agencies would need a warrant to access your e-mail on the server. NOT. TRUE. The Electronic Communications Privacy Act of 1986 (ECPA) defines e-mail on a server that is more than 180 days old as abandoned. This dates back to a time when everyone used POP or a proprietary protocol to download their e-mails, and storage was so expensive that keeping everyone’s e-mails on the server seemed absurd. Back then the assumption was you could download your e-mail and then the server would delete it to make room. The problem is that this antiquated definition is still the law of the land, and a law enforcement agency can ask for all e-mails older than 180 days and doesn’t need a warrant to do so. That’s not to say e-mail providers haven’t fought against this definition, but the law is on the government’s side until it gets changed. Meanwhile, if the government wants to take a look at the e-mails you’ve downloaded to your computer, they need a warrant. So if you store your e-mails remotely (using IMAP), the government can simply ask for them with little justification. If you download all your e-mails (using POP) then the government needs to go to a judge and get a warrant to search your computer, which they obviously need to get from you physically. If an e-mail provider hands over all your e-mails to a law enforcement agency, how would you know it even happened?

The interesting thing then is that using the older POP protocol, you are in many ways more secure than if you use IMAP. If you’re using in-transit encryption, which both IMAP and POP support, then the only e-mails accessible to government agencies when they approach an e-mail provider are what are sitting there in between downloads to your client. It’s usually a pretty good bet that those are less than 180 old, which means the government cannot get access to any of your e-mails if you use POP, without a warrant.

Sure all of this is theoretical. I don’t assume anyone reading this is being pursued by law enforcement. That said, any loophole is exploitable. Just ask John Brennan.

Then What?

The obvious answer to e-mail security is to encrypt all e-mails all the time. That, however, is harder than it seems. First, you can’t force other people to send you e-mails that are always encrypted. Second, even setting up encryption for all of your outgoing e-mails is incredibly difficult. It doesn’t feel like so long ago that Phil Zimmerman had to publish the code to his PGP encryption software in a hard-bound book and put it up for sale, in order to allow it to be exported outside the US under the First Amendment. The problem at the time was that strong encryption was considered a munition under US law, and exporting it to many countries was illegal. Anyone with a copy of the book could rip off the cover, separate the pages, and then scan the pages and generate the source code. A project to do just that outside the US was set up to stay up to date with new versions, called the PGPi scanning project. Nowadays, those laws are more relaxed, and no scanning in foreign countries is required. It’s not a secret sauce anymore. Getting strong encryption code out into the wild was only part of the problem, however. The bigger problem turns out to be a question of how easy encryption is to use.

Many people have tried to make encryption easier to use so more people would use it, but no one has really succeeded. Phil Zimmerman himself advised Hushmail, and co-founded Silent Circle, both of which could be described as attempts to make encryption more accessible. More recently two other efforts are perhaps more interesting.

Will Ackerly, who used to work at the NSA, launched Virtru, a company that piggybacks on existing e-mail services like Gmail and adds strong encryption. Some of the things Virtru allows beyond encryption are the ability to allow or disallow an e-mail from being forwarded, and the ability to revoke an e-mail (i.e. delete it from the recipient’s computer) at will, or automatically after a set period of time. Additionally, recipients of encrypted e-mails don’t need to install special software to read messages sent via Virtru. Virtu currently offers Chrome and Firefox plug-ins for web-access to services like Gmail, and offers a plug-in for Outlook on the Windows desktop. They also offer iOS and Android apps. Virtru tries to be a simple end-to-end solution for secure e-mail, and it does seem to do things very well.

Another startup, Keybase, was founded by the former founders of online dating site OKCupid. Founding a dating site might not sound like the right pre-requisite for bringing encryption to the masses, but besides building OKCupid based on complex mathematical matching algorithms, they also managed to sell their company to Match.com for $50 million in cash. As proven entrepreneurs, they managed to convince the right people, and raised $10.8 million from major silicon investors just to get started on the problem. The idea behind keybase is to link your cryptographic key with your various social media profiles, making it much easier for people to locate your public key and communicate with you. For example, you might link your Facebook, Twitter, Instagram, and Reddit usernames to your public key, which you store on the Keybase server. The important part is not just finding the key, but finding the right key. Normally using PGP you need to establish trust based on who signs each key. The problem is that if you’re e-mailing someone new, you won’t necessarily know if the people signing the key are fake. If you can link the key to established accounts of the user and cross-reference them with other accounts, then you have a fairly safe and easy want to confirm the owner of a key. The encryption scheme started with PGP, but is now evolving to include NaCl. The idea addresses a significant problem with public-key encryption, but doesn’t fully remove the ease-of-use problem most people have with encryption. Hopefully those are also being addressed.

All of these efforts are great, but they’re not solutions most people will use – yet. In the mean time, the question is how accessible are your e-mails to snooping. While the latest whiz-bang e-mail applications support IMAP and storing e-mails on the server, most have left POP behind. It is possible to download all your e-mails locally using IMAP, and then delete them all from your server, but it’s not the default. Next time another web site is hacked (don’t forget to check your e-mail address on HaveIBeenPwned.com) or another revelation about government snooping is revealed, you might wonder if storing everything locally, like POP does by default, might not be the better way to go.

The end
The end