A travel to-do for Android Pie: enable lockdown

The first new feature in Android Pie that I noticed after installing it on my Pixel 12 days ago was its Adaptive Battery feature, which hunts and handcuffs energy-hungry apps (yes, that seems like a feature that shouldn’t have had to wait for a 9.0 release). The first new setting I changed was Pie’s “lockdown” option.

That’s the feature Google left out of the keynote sessions at Google I/O in May and instead saved for the closing minutes of a more technical briefing on the last day of the conference. Lockdown disables your phone’s fingerprint unlock and hides all notifications from the lock screen–a useful option if, as Android security manager Xiaowen Xin said during this presentation, “you need to hand it over for inspection at a security checkpoint.”

Or as avgeek blogger Seth Miller phrased things in a tweet then, it’s Android’s “airport mode.” It’s how you’d want your phone to behave if you must hand it over to somebody you shouldn’t automatically trust.

But lockdown isn’t on by default or all that easy to find. You have to open the Settings app, tap “Security & location,” tap “Lock screen preferences,” and then tap the slider next to “Show lockdown option” so it’s highlighted in blue.

Turning it on isn’t super-obvious either: Wake but don’t unlock your phone by pressing the power button, then hold down the power button again for about a second. You should see a “Lockdown” button on a menu that will pop out of the right side of the screen; tap that, and your fingerprint’s no good to unlock the device.

Now you know. Whenever you get Android Pie on your phone–yes, I realize that could be many months, unless apathetic vendor support prolongs that timeframe to “never”–enable this option. Then please get in the habit of using it.


Weekly output: Black Hat hacks and security fixes, T-Mobile news, self-driving-car security, voting-machine security, fear of robots

Most of this week’s copy was reported and written the previous week at the Black Hat security conference in Vegas. Considering my own frequently-elastic interpretations of deadlines, I can’t complain about editors with their own crowded calendars taking a day or two to give their full attention to my own work.

8/13/2018: Hacks of Macs, Microsoft Cortana are two more reasons why you should install updates, USA Today

I used this column to synthesize my notes from a few different Black Hat talks that intersected to yield the same lesson: You are safer overall if you install security fixes for your apps and devices when they arrive instead of playing IT department and deciding which ones should wait.

8/13/2018: What could T-Mobile uncap for its next Un-carrier news?, Fierce Wireless

I wrote this curtain-raiser for T-Mobile’s Wednesday announcement twice when a late reply from one analyst and my tardy queries to others led me to file a 1.0 version that would make it into Fierce’s mid-day newsletter. The one you can read now includes quotes from those additional experts–none correctly forecasting that T-Mobile would make its next big push better customer service.

8/13/2018: How two car hackers plan to keep GM’s self-driving cars safe, Yahoo Finance

The single most entertaining talk at Black Hat was this presentation from Charlie Miller and Chris Valasek. You may remember them as the guys who hacked a Jeep Cherokee in 2015 to seize control of it with Wired writer Andy Greenberg at the wheel. The two now work for the GM subsidiary Cruise Automation, and at Black Hat they explained how they plan to stop the likes of them from remotely exploiting Cruise’s fleet of self-driving vehicles–in part by removing such attack surfaces as Bluetooth wireless and the FM radio.

8/14/2018: There’s more to election integrity than secure voting machines, The Parallax

Another Black Hat talk gave me one more chance to take a whack at the WinVote voting machines that infested polling places across Virginia–mine included–for a decade. This time around, I checked back with a couple of the experts I’d consulted for earlier coverage of electronic voting machines and learned that both wished they’d paid more attention before to such separate election-integrity issues as voter registration systems.

8/15/2018: Robot workers or human employees, Al Jazeera

I got a request from my usual guy in AJ’s D.C. bureau asking if I could talk about the prospect of robots taking human jobs–both in the private and defense sectors. I was in Boston at the time visiting family, but that proved to be no problem. Instead of them sending a car to my house to take me to their D.C. studios, they ran me over to a studio in downtown Boston, where I did my talking-head duty (overdubbed live into Arabic) wearing one of my brother’s jackets. Since I knew I’d only appear on camera from the torso up, I didn’t bother changing out of the shorts and sandals I’d put on that morning.

Beer and behavioral economics at Nats Park

When an exhibition game at Nationals Park this spring revealed that beer prices there this season would hit $16, the sports commentariat went entirely and understandably crazy. Sixteen bucks?! That’s absurd.

Or as a Yahoo Sports headline put it, “The Nationals’ new beer prices could pay for Bryce Harper’s contract themselves.”

But Mark Townsend’s post and others also noted that these higher prices were for 25-ounce servings. Paying either $15 or $16 for the equivalent of two quality beers doesn’t seem so bad.

And with the price of a pint at Nats Park having escalated from $10.50 or $10.75 to $12–the less-obvious land grab in this year’s changes to ballpark eating and drinking–spending $15 or $16 for a 24-ounce pour or a 25-ounce can becomes the only defensible option if you don’t want to feel quite so abused by your transaction.

Also less obvious: After you’ve had one of these economy-sized servings, buying another seems much less defensible than getting a second round might have appeared last year. Even with the Nats’ angst-inducing performance this summer, do you really want to down the equivalent of two-thirds of a six-pack at a game? The marginal utility just isn’t the same, not if you want to pay attention to the proceedings on the field.

And that’s how the Nats have gotten me to spend and drink less at the yard this year–not simply by charging more, but by exceeding the 25- to 50-cent annual price increase they’d conditioned me to expect, then giving me an option that only requires accepting the risk of beer getting warm in the sun.

Still free after this year’s round of ballpark price hikes: real-world lessons in behavioral economics.

Weekly output: mobile payments, Black Hat security, travel tech

I left Black Hat feeling a little overwhelmed–not because of how little time I had to take in things between my arrival in Vegas Tuesday afternoon and my departure Thursday night, but because of how many fascinating briefings I had to miss because I was attending others. And then there’s everything I missed by flying home before DEF CON.

8/6/2018: Hang on, Apple: Phone payments still need work, USA Today

Seeing all the hype over Apple announcing that CVS will finally succumb to reality and accept Apple Pay (meaning you can also pay with any non-Apple phone that does NFC payments) got me feeling cranky enough to write this reality-check post. I’ve since received an e-mail from a reader saying he’s had no problem paying for stuff with his iPhone in Mexico, contrary to a statement in the column based on an incorrect reading of Apple and Google support documents. I’ve asked my editors to correct that part.

8/9/2018: Black Hat attendees are surprisingly lax about encryption, The Parallax

As I was putting together my Black Hat schedule, I got an invitation to tour the network operations center supervising the conference’s WiFi. I thought that visit would allow me a chance to look at a lot of blinking lights, but instead it provided up-close evidence of some horrifyingly slack security practices among a minority of Black Hat attendees.

8/11/2018: Welcome and Keynote with Rob Pegoraro, Frequent Traveler University Washington, DC

After years of profiting from tips shared in various frequent-flyer forums, I had a chance to give back when FTU host Stefan Krasowski asked if I’d like to talk about my travel experiences to open this two-day program of seminars about airline and hotel loyalty programs and other sorts of travel hacking. We had a great conversation about freelance business-trip economics, the gadget accessories I take on the road, two underrated virtues of United elite status, and my worst airport-transit experience ever. My only regret: Since I couldn’t stick around for the rest of the day, I didn’t have a chance to meet the other FTU speakers, a few of whom I’ve been reading for years.

Black Hat priorities: don’t get pwned, do get work done

LAS VEGAS–I took my own phone and laptop to the Black Hat USA security conference here, which is often held out as a bad idea.

Before I flew out to Vegas Tuesday, I got more than a few “Are you bringing a burner phone?” and “Are you leaving your laptop at home?” questions.

But bringing burner hardware means dealing with a different set of security settings and doesn’t address the risk of compromise of social-media accounts. And writing thousand-word posts on my phone risks compromising my sanity.

So here’s what I did with my devices instead:

  • Put my laptop in airplane mode, then enabled only WiFi to reduce the PC’s attack surface to that minimum.
  • For the same reason, turned off Bluetooth and NFC on my phone.
  • Set the Windows firewall to block all inbound connections.
  • Used a loaner Verizon hot spot for all my data on both my laptop and phone–I even disabled mobile data on the latter gadget, just in case somebody set up a malicious cell site.
  • Connected only through a Virtual Private Network on both devices, each of which was set to go offline if the Private Internet Access app dropped that encrypted connection.
  • Did not plug in a USB flash drive or charge my phone through anything but the chargers I brought from home.
  • Did not download an update, install an app, or type in a password.
  • Did not leave my laptop or phone alone in my hotel room.

Combined, this probably rates as overkill–unless the National Security Agency or a comparable nation-state actor has developed an intense interest in me, in which case I’m probably doomed. Using a VPN alone on the conference WiFi should keep my data secure from eavesdropping attempts, on top of the fact that all the sites I use for work already encrypt their connections.

But for my first trip here, I figured I’d rather err on the side of paranoia. (You’re welcome to make your case otherwise in the comments.)

Then I showed up and saw that everybody else had brought the usual array of devices. And a disturbing number of them weren’t even bothering to use encryption for things as basic as e-mail.

Weekly output: data transfer, Facebook vs. disinformation campaigns (x2), Bletchley Park, $1 trillion Apple

Tuesday morning, I head out for my first business travel since June. And I’m going to one of the last places any sane individual would choose in August: Las Vegas. After years of following it from afar, I’m going to the Black Hat security conference. I hope I don’t melt down in the 108-degree heat, and I hope I can escape Vegas Thursday night without my computer or phone getting hacked.

(Most Black Hat attendees stick around for DEF CON, the other big infosec event in Vegas that week, but I have other travel booked next week, plus I’m speaking about travel tech at the Frequent Traveler University conference in Arlington Saturday morning.)

7/31/2018: Want to move your online data? New service could simplify the transfer to a rival site, USA Today

I wrote about the Data Transfer Project, an initiative backed by Facebook, Google, Microsoft and Twitter to let people not just download their data from Web services but transfer it directly to competing sites.

7/31/2018: Facebook battles fake accounts, Al Jazeera

The Arabic-language news network had me on via Skype to talk Facebook’s July 31 announcement that it had removed 32 fake accounts for behavior that looked a whole lot like the Russian meddling Facebook largely overlooked in 2016.

8/1/2018: Bletchley Park’s WWII lessons for today’s hackers, The Parallax

While I was in England seeing family last month, I spent an afternoon wandering around the exhibits at Bletchley Park, the estate north of London where Allied codebreakers helped speed the end of World War II by defeating Nazi Germany’s encryption schemes. The story of how they did that offers important lessons to debates about security today, so I wrote them up for The Parallax–with added insights from a couple of experts in the field.

I posted a few extra pictures from my visit at Flickr. But don’t take my words or photos for it; if you’ve got some free time when visiting London, use some of it to walk around Alan Turing’s old workplace.

8/1/2018: Facebook battles fake accounts, Al Jazeera

I returned to AJ, this time live in studio, to talk again about the Facebook-versus-fake-accounts story but with more emphasis on how the social network’s moves are playing out on Wall Street and in public opinion.

8/2/2018: Apple worth $1 trillion, WTOP

I talked to the news station about Apple hitting $1 trillion in market capitalization, but somehow without saying the phrase “one trillion dollars” in a Dr. Evil accent.

Recognize a bad-faith campaign to discredit a journalist when you see one

The latest target of Two Minutes Hate on the Internet is somebody unusual, in that it’s somebody I know. But the story here is manufactured outrage as usual.

Until Thursday, few people outside tech-journalism circles could have name-checked Sarah Jeong or described her Twitter presence. I’ve been following her since sometime in 2014, so I can: sarcastic and often bitterly so, expletive-laced, and grounded in a deep knowledge of how tech intersects culture and the law.

That makes Jeong an essential read in my world, and also an amusing one–see her unpacking of PETA’s monkey-selfie case. She’s also a student of how social networks fuel online harassment and wrote an excellent book about it, The Internet of Garbage, that led me to quote her in Yahoo Finance posts in 2015 and 2016.

Now Jeong is again experiencing the subject of her own research, thanks to a cut-and-paste screencap compilation quoting her saying such mean things about white people from 2013 to 2015 as “it’s kind of sick how much joy I get out of being cruel to old white men.”

Why 2014 tweets in 2018? The New York Times announced Wednesday that it had named Jeong to its editorial board. The creator of that image, who calls himself Garbage Human on Twitter, apparently saw a chance to bully the Times into hitting the Undo button on its hire–what’s happened to other young writers, some right-wing, hired by traditional media outlets.

So is Jeong a racist whom the NYT should dump? That argument is, as Jeong would put it, bullshit.

First: No, she isn’t racist. I have interacted with her, online and in person, more than enough to determine that, and I’ve yet to see any co-workers of hers say otherwise. And yes, that insight trumps yours if you hadn’t heard of Jeong until yesterday. Seen in context–as you can, since she hasn’t deleted them–most of the tweets at stake are cranky jokes received as such by white friends. One’s a profane distillation of a multiple-tweet legal argument. Others look like her venting about the misogynistic, racist word vomit that can greet a woman or person of color on Twitter; I will not tone-police people in that position.

Second, consider the sources. After Garbage Human, whose tweets show a fondness for InfoWars hoaxer Paul Joseph Watson, Jeong’s tweets got publicized by Gateway Pundit, a conspiracy-theory-spouting factory of lies. I first became acquainted with its dreck last January, when it wrongly named my friend Doris Truong as the Asian reporter taking pictures of Rex Tillerson’s notes at his confirmation hearing without bothering to ask her if she was even there.

These are not honest critics, and their arguments are no more founded in a belief in racial equality than GamerGate harassment was about ethics in gaming journalism. You don’t owe time to the talking points of a bad-faith actor, not when it’s based on a context-free sample of a handful of tweets out of 103,203 available.

I know this because I saw this strategy employed successfully against my then-Post co-worker Dave Weigel in 2010. That’s when the journalism-gossip site FishbowlDC and then the Daily Caller (both with a history of ginning up right-wing outrage, facts or context optional) published cranky e-mails about various politicians that Weigel had sent to a private mailing list. Post management did not have the spine to stand up for its new employee against this selective copy-and-paste hit job or the absurd theory behind it that reporters should never share opinions about the stuff they cover, and Weigel resigned.

Five years later, the Post hired Weigel back. He’s been kicking ass at the paper since.

I look forward to Jeong doing the same at the NYT, as it declined to take the bait. Its PR department defended their new hire while adding that it “does not condone” her earlier banter and including Jeong’s tweeted apology that “I deeply regret that I mimicked the language of my harassers.”

Jeong’s current employer until she starts at the Times, The Verge, took a stronger line in a post:

Online trolls and harassers want us, the Times, and other newsrooms to waste our time by debating their malicious agenda. They take tweets and other statements out of context because they want to disrupt us and harm individual reporters. The strategy is to divide and conquer by forcing newsrooms to disavow their colleagues one at a time. This is not a good-faith conversation; it’s intimidation.

Exactly.