Weekly output: network security (x2), election security, Google finding Apple’s bugs

Now it can be told: I spent all of the last two weeks on the West Coast, with my stay in Las Vegas for Black Hat and DEF CON sandwiched inside time with my in-laws in California. That let me have a much shorter trip to and from Vegas and then segue from WiFi security to a little wine tasting and, more important, a lot of napping.

8/12/2019: WiFi can be a free-for-all for hackers. Here’s how to stop them from taking your data, USA Today

I e-mailed this to my editor with the following note: “I’m sending this over the DEF CON conference WiFi, so if you only see pirate-flag emoji I trust you’ll call or text to warn me.” If you don’t want to read all 600-ish words in this piece, the top three are “encryption is your friend.”

8/12/2019: This tech could secure voting machines, but not before 2020, Yahoo Finance

One of the big reasons I decided to stick around Vegas for DEF CON–even though it meant I’d have to pay $300 in cash for that conference badge–was the chance to see the exhibits and presentations at its Voting Village. The proceedings did not disappoint, even if a DARPA demo from a project with the delightful acronym of SSITH is far from yielding shipping voting hardware.

8/12/2019: Google got Apple to fix 10 security flaws in the iPhone, Yahoo Finance

Black Hat offered a two-course serving of Apple-security news. Its first day featured a briefing from Google Project Zero researcher Natalie Silvanovich about how her team uncovered 10 serious iOS vulnerabilities, and then its second day brought a talk from Apple security-engineering head Ivan Krstić that ended with news of a much more open bug-bounty program.

8/14/2019: This Morning with Gordon Deal August 13, 2019, This Morning with Gordon Deal

I talked about my USAT column on this business-news radio program; my spot starts just after the 13th minute.


Another year of battle with the Tree of Hell

The correct weeding implement to remove a finger-sized “Tree of Heaven” sapling is a shovel.

I thought I’d learned that lesson two summers ago, when I foolishly bragged here that I hadn’t seen any new Ailanthus altissima seedlings poking above my lawn. But by this June, I had a new crop of these trash-tree growths invading the front yard and part of the side yard.

This time around, I dug deeper, literally. Just yanking out the massed roots below each sapling wasn’t enough; I had to drive the shovel a few inches deeper to find the thicker, trunk-like root running below my lawn. And then work backwards and forwards to rip that out of the earth.

The upside of this dirt-under-fingernails work is, I hope, a more lasting end to this weed of a tree. And so far, that’s worked–in the sense that I haven’t seen new growths in the front yard two and a half weeks after this surgery. (The side yard is another story, but at least that’s not obvious from the street.)

The downside is that unless you do this root removal right before a torrential downpour, the grass you’ve removed probably won’t survive the disruption. In my case, I now have streaks of dead grass that outline where this invasive tree’s roots had taken up residence in my yard.

You could say I had to destroy the lawn in order to save it. But I’m not going to state that conclusively until this time next summer, when I’m past the spring’s usual foolish lawncare optimism.

Weekly output: wireless service, Gmail phishing, social-media disinformation, DNA tests

I spent most of this week in Las Vegas for the Black Hat and DEF CON security conferences, the latter for the first time. I knew Black Hat from last year, but covering its sponsor-free, community-run counterpart for the first time left me feeling overwhelmed at how much of it I’d missed after just the first day. The Flickr album I posted earlier today may give you a sense of that fascinating chaos.

8/7/2019: The Best Cell Phone Plans, Wirecutter

This update took longer than I thought it would, but it now benefits from a simpler set of usage estimates that better align with how much data most people use. This guide also features new recommendations for value-priced service and shared-usage plans.

8/8/2019: We keep falling for phishing emails, and Google just revealed why, Fast Company

I wrote up a Black Hat talk that revealed new insights about why people fall for phishing e-mails and reinforced old advice about the importance of securing essential accounts with the right kind of two-step verification.

8/9/2019: Fake calculations… an electronic weapon in the hands of autocratic government, Al Jazeera

I took part in an episode of AJ’s “From Washington” show with Ryan Grim of the Intercept and my former congressman Jim Moran (D.-Va.), discussing disinformation campaigns on social media. At one point, Moran paused to say “Ryan and Rob are extremely intelligent and informative,” which I trust was equally effusive overdubbed into Arabic. The conversation later pivoted to the political scenario in Sudan, a topic I am maybe as prepared to discuss as any regular reader of the Washington Post’s A section.

8/10/2019: DNA Test Kits: Everything You Need to Know, Tom’s Guide

In this first post for a new client, I went about 2,000 words into the weeds on the privacy, legal and mental-health risks of taking DNA tests that may create facts you’d wish you could uncreate. That’s not my last post on DNA testing for Tom’s Guide, so if you have questions I didn’t get to in this feature, please ask away.

This is the most interesting conference badge I’ve worn

LAS VEGAS–I’ve spent the last two days wearing a circular circuit board topped with a slab of quartz, which is not just normal but required behavior to attend the DEF CON security conference here.

I had heard upfront that DEF CON badges–available only for $300 in cash, no comped press admission available–were not like other conference badges. But I didn’t realize how much they differed until I popped the provided watch battery into my badge (of course, I put it in wrong side up on the first try), threaded the lanyard through the badge, and soon had other attendees asking if they could tap their badges against mine.

These badges designed by veteran hacker Joe Grand include their own wireless circuitry and embedded software that causes them to light up when held next to or close to other badges. As you do this with other attendees of various classes–from what I gathered, regular attendees have badges with white quartz, press with green, vendors with purple, and speakers with red–you will unlock other functions of the badge.

What other functions, I don’t know and won’t find out, as I’m now headed back from the event. That’s one way in which I’m a DEF CON n00b, the other being that I didn’t wear any other badges soldered together from circuit boards, LEDs and other electronic innards.

(Update: Saturday evening, Grand, aka “Kingpin,” posted detailed specifics about his creation, including source code and slides from a talk I’d missed.)

You might expect me to critique the unlabeled DEF CON badge for flunking at the core task of announcing your name to others, but forced disclosure is not what this event is about–hence the restriction to cash-only registration. And since I have mini business cards, this badge met another key conference-credential task quite well: The gap between the circuit board and the lanyard was just the right size to hold a stash of my own cards.

Weekly output: Facebook customer dissatisfaction, Facebook meddling in the Middle East (x3)

Tuesday has me departing for Las Vegas for the Black Hat and DEF CON information-security conferences, aka Hacker Summer Camp. In addition to the usual risk of getting pwned, this year I and other attendees will also have to deal with a plague of grasshoppers.

7/30/2019: Study shows Facebook’s customer-satisfaction scores plunging, Yahoo Finance

A new survey from the American Customer Satisfaction Index showed people’s contentment with Facebook plummeting to depths you could call Comcastic–except the cable company still rated lower in ACSI research earlier this year. If this post seems somewhat familiar, you may remember me writing up a similar set of ACSI findings in 2010. The issue of what we’ve learned about Facebook in the intervening years is left as an exercise for the reader.

8/1/2019: Facebook catches meddling from Saudi Arabia, United Arab Emirates, Egypt, Al Jazeera

The Arabic-language news channel had me on air live–twice in this day–to talk about Facebook’s announcement that it had booted hundreds of accounts and pages run out of Saudi Arabia, the United Arab Emirates and Egypt for “coordinated inauthentic behavior,” its phrase for disinformation campaigns.

8/2/2019: Facebook catches meddling from Saudi Arabia, United Arab Emirates, Egypt, Al Jazeera

Saudi Arabia misbehaving on social media put the Qatari network into flood-the-zone mode–not difficult to understand, given the enmity between the kingdom and Qatar–and so AJ had me on for a second day in a row to talk about this story. If you don’t care about Gulf politics, please consider that the Facebook-meddling move here of impersonating local news sources could work in the many U.S. cities and towns now starved for local news coverage.

From Pixel 1 to Pixel 3a

I changed smartphones this week without being forced to–my old phone hadn’t suffered any catastrophic failure or fallen into a weird cycle of malfunctions. Instead, I retired my first-generation Google Pixel because two years and change is a good run for a phone, and upgrading to a Pixel 3a with a better camera and superior network coverage would only cost $400 and change.

I could shop free of duress because my Pixel 1 has been the best smartphone I’ve ever owned. It’s taken a lot of great pictures, it’s had an almost-entirely crash-free existence, it’s benefited from every Google update almost as soon as each was released, its battery life has been fine (except for maybe the last few weeks, and obviously not at battery-devouring tech events like CES), and it’s survived multiple drops on hard floors that left all four corners scuffed.

The Pixel 3a I bought last week–after spending a couple of months trying out a loaner picked up at Google I/O in May–should share most of those virtues. It also cost about two-thirds the Pixel 1’s list price (although I was able to buy mine at a substantial discount when Google refunded the purchase price of the Nexus 5X that succumbed to a fatal bootloop cycle). And like the Pixel 1 but unlike the Pixel 2 and Pixel 3, this device includes a headphone jack, so I didn’t have to underwrite the gadget industry’s latest idiotic design-minimalism fetish.

The obvious upgrade with the 3a is its camera, which includes most of the optical hardware of the far more expensive Pixel 3. But because it also supports the low-frequency LTE band that T-Mobile has lit up over the past few years, this device should also deliver much better connectivity.

(I really hope I haven’t jinxed this purchase with the preceding two paragraphs.)

Finally, after struggling with earlier Android migrations, I have to give Google credit for easing this path. This time around, I only had to connect the two devices with a USB-C cable, start the migration process, and see some 13 minutes later that my app-icon layout had been copied over, after which I could sit through a tedious app-download process. That’s still not close to the simplicity of swapping iOS devices–like, why did my screen wallpaper not copy over?–but I’ll accept that added inconvenience if it means I can still have a phone with a headphone jack.

(No, I’m never letting that go. Why did you ask?)

Weekly output: Google’s “security hold,” how to read wireless-carrier rankings

Both posts this week had me circling back to topics I’ve covered before and learning something new, which is always nice.

7/25/2019: Locked out of your Google account? Why it can sometimes take days to get back in, USA Today

Once again, I tried to shed some light on how Google goes about resolving a forgotten password for a Google account. This time, I got the company to document a hitherto-undocumented “security hold.” Alas, much of the process here remains mysterious, and the reader in question here may have only gotten her account back so quickly because I inquired on her behalf.

7/26/2019: Why so many wireless carriers seem to have “America’s best network”, Fast Company

My work updating the Wirecutter guide to smartphone service required me to spend a lot of time with studies ranking the performance of the big four wireless carriers, so I decided to write an explainer about how these surveys get their results and how you should interpret their findings. That effort revealed a couple of finer points about these projects that I was able to add to the Wirecutter update, which should be up any day now.