Weekly output: 5G IoT security worries, Big Ten carriage deals, House of the Dragon streaming glitches, Netflix + ads, Russian digital attacks on Ukraine, YouTube TV, Thursday Night Football, Xfinity Mobile, NBC Sports Washington, non-TV video viewing, Plex breach, video budgets, FuboTV, LotR: Rings of Power, SpaceX + T-Mobile

Monday’s schedule has three big items on it: the Space Launch System’s Artemis I liftoff, our kid starting seventh grade, and my flying across the Atlantic for the IFA electronics trade show in Berlin for the first time since 2019. They’re all pretty exciting, although one of them has a vastly more detailed checklist.

(The IFA organizers are covering most of the travel costs for an invited group of U.S. journalists and analysts, your blogger here included.)

Screenshot of story as seen in Safari on an iPad mini 5.

8/22/2022: The next wave of wireless security worries: API-driven IoT devices, Light Reading

My Black Hat coverage continued with this recap of a talk about the possible security risks of connected devices on 4G and 5G networks.

8/22/2022: NBCUniversal and its Peacock streamer get Big Ten Saturday night, FierceVideo

I spent my mornings this week filling in at my video trade-pub client, starting with this post about a sweeping deal for college-sports carriage rights.

8/22/2022: Some Fire TV users fired up over streaming glitches with HBO Max, FierceVideo

Some House of the Dragon viewers had trouble watching the Game of Thrones prequel on Amazon Fire TV devices.

8/22/2022: Report: Netflix to keep new movies and kids’ shows ad-free, FierceVideo

I can imagine the relief of cash-strapped parents on learning that the upcoming cheaper-with-ads version of Netflix won’t feature ads in kid-oriented content.

8/23/2022: Six months into the war, how have Ukraine and its Western allies resisted Russia’s digital tactics?, Fast Company

I was almost done with this piece when I got the chance to quiz TCP/IP co-author Vint Cerf at a Washington event about how Russia has abused his creation.

8/23/2022: YouTube TV to add YouTube Shorts and four-channel viewing, FierceVideo

This lede essentially wrote itself: “YouTube TV’s shorter-attention-span viewers may applaud (albeit briefly) two new features apparently coming to the streaming video service.”

8/23/2022: DirecTV-Amazon deal keeps Thursday Night Football in bars, FierceVideo

This story about NFL rights is really one about the uneven availability of broadband in the U.S.

8/23/2022: Comcast’s Xfinity Mobile Cuts Rates for Subscribers With 2 or 3 Lines, PCMag

Verifying the fine print in Xfinity Mobile’s plans took a surprisingly long time.

8/24/2022: Comcast sells D.C. RSN to Monumental Sports & Entertainment, FierceVideo

After I wrote this, the Washington Post reported that MSE founder Ted Leonsis is preparing a bid to buy the Washington Nationals.

8/24/2022: 59% of U.S. adults watch video daily on non-TV devices, FierceVideo

I wrote up a survey of video-viewing habits.

8/24/2022: Plex reports data breach, tells users to reset passwords, FierceVideo

It was somewhat nice to write about a data breach that didn’t involve me.

8/25/2022: Survey: 26% of U.S. households have cut video budgets, FierceVideo

This survey found that Americans’ biggest money-saving move was dining out less often.

8/26/2022: Fubo adds slate of Cinedigm FAST lifestyle channels, FierceVideo

I noted that the streaming-TV provider Fubo’s list of channels is now as long as the average cable company’s.

8/26/2022: WSJ: Amazon spends $715 million on The Rings of Power, FierceVideo

I would have written this piece faster if I hadn’t spent so much time finding Lord of the Rings references to drop into it.

8/26/2022: T-Mobile to Expand Coverage With the Help of SpaceX’s Starlink Satellites, PCMag

A very long Thursday wrapped up with me writing a version of this post from an advance copy of the joint SpaceX/T-Mobile announcement, then rewriting it that night after watching the stream of the event.

Weekly output: security attitudes at Black Hat, American Airlines bullish on Boom, Visible changes plans, business cybersecurity worries, Mark Vena podcast

With our kid going back to school a week from Monday, this is my last week of day-camp-commute driving for the year.

Screenshot of column as seen in Firefox for macOS

8/16/2022: As Black Hat security conference turns 25, a lesson: security doesn’t have an end point, USA Today

I didn’t finish writing this recap until leaving Vegas and using that conference’s video-on-demand option to watch the panel I’d most regretted missing.

8/16/2022: American Airlines Puts Down Deposit on 20 Boom Supersonic Overture Jets, PCMag

Once again, Boom Supersonic had news of an airline order for its Overture jet land unaccompanied by news of an engine design, so this time I reminded readers of how long two recent jet engines took to enter revenue service.

8/17/2022: Visible Reshuffles Plans: No More Party Pay, But Solo Service Is Now $10 Cheaper, PCMag

Visible is taking a page out of its parent firm Verizon’s book by having more than one plan with “unlimited” data.

8/18/2022: What Do Business Execs Worry About Most? Getting Hacked, PCMag

A PricewaterhouseCoopers survey finding that business executives worry most about information security shouldn’t be news… except that none of PwC’s previous surveys of suits had found infosec to be their top anxiety.

8/19/2022: S02 E34 – SmartTechCheck Podcast, Mark Vena

Recording this week’s episode of the podcast hit a few technical glitches, and for once they weren’t on my end.

Weekly output: LinkNYC, Google renews RCS plea, Chris Krebs at Black Hat, 5G explainer, Cyber Safety Review Board, Web3 security

After a week on the West Coast, including four days in Las Vegas for the Black Hat security conference, I now have two weeks of not going anywhere. Which is good!

8/8/2022: LinkNYC begins deploying 5G kiosks – but not yet with 5G inside, Light Reading

After too many months of not writing for this telecom trade-pub client, I filed this update on New York rebooting its LinkNYC effort to bring free WiFi and digital city services to individual blocks.

8/9/2022: Google Posts Yet Another Plea for Apple to Support RCS Messaging in iMessage, PCMag

Google makes fair points when it calls out Apple for hindering the quality and privacy of cross-platform text messaging by not supporting the RCS messaging standard in iMessage. But Google hurts its cause by not supporting RCS in Google Voice–or even explaining that hangup. Also unhelpful: Google has yet to ship an API that would let the developers of Signal and other third-party messaging apps support RCS.

Screenshot of PCMag post as seen in Chrome on a Pixel 5a, with a VPN service active.

8/10/2022: Ex-CISA Chief’s Advice at Black Hat: Make Security Valuable and Attacks Costly, PCMag

I covered the keynote by former Cybersecurity and Infrastructure Security Agency head Chris Krebs that opened Black Hat. His talk ended on a self-help note, as he advised his audience: “Life’s too short to work for assholes. So don’t.” And yet Krebs worked for President Trump from 2018 through 2020, when Trump fired him for correctly confirming that the 2020 election was run fairly and securely; that could not have been easy for him.

8/11/2022: What Is 5G, and Does It Actually Make a Difference?, Wirecutter

I wrote yet another 5G explainer, this time for the New York Times’ Wirecutter site.

8/11/2022: How a US Govt Board Helped the Open-Source Community Leap to Patch Log4j, PCMag

As the token Washingtonian among PCMag’s crew of writers, I had to write up this very Washington panel about the first test of the Cyber Safety Review Board–an organization set up as an infosec version of the National Transportation Safety Board.

8/12/2022: Why Is Web3 Security Such a Garbage Fire? Let Us Count the Ways, PCMag

This talk about a series of security meltdowns at blockchain-based sites and services had more than a few unintentional-comedy moments.

8/12/2022: The 14 Scariest Things We Saw at Black Hat 2022, PCMag

My contribution to this recap was the “Startups Shirk Security” section.

Updated 8/21/2022 to add the PCMag Black Hat recap.

Conference VOD: one half-decent thing we’ve gotten out of the pandemic

LAS VEGAS

The Black Hat security conference that wrapped up here once again left me wishing I could clone myself for a few days. Its info-dense schedule put as many as nine briefings in the same timeslot, requiring me to make some tough choices and hope that I’d picked a presentation that would yield enough news and insights to turn into an article.

(Spoiler alert: I did not always choose wisely.)

In the Before Times, the panels that I had to skip would have been lost to me until the event organizers uploaded video of them to Black Hat’s YouTube channel, often months later. But this year’s conference, run like last year’s as a hybrid in-person/online event, came with both streaming access to panels as they happened and video-on-demand playback 48 hours later for attendees.

This conference, unlike too many I’ve attended, also continues to post the presentations of speakers, so attendees don’t need to take pictures of every statistic-filled slide for posterity.

So I can treat my conference FOMO and see what I missed much sooner than I could have before. That’s one small side benefit of conferences having to make themselves open to remote attendees, a welcome democratization of events that in a better world would have happened without the pressure of a worldwide pandemic. It’s also personally convenient today because I’m already getting asked on Twitter about Black Hat briefings that I did not get to.

I do, however, still need to remember to catch up on these briefings before the 30-day window to watch them expires–the mistake I made last summer, when I had a much less busy schedule.

8/14/2022: I updated this to add a compliment to the Black Hat organizers for posting speakers’ presentations.

Weekly output: Starlink, spectrum coordination, flight delays (x2), T-Mobile and Verizon 5G home broadband, Mark Vena podcast

About one year later than I’d planned, I’m flying to Las Vegas Tuesday to cover the Black Hat information-security conference. Two big factors in my deciding to go ahead with that trip this year: My kid is now vaccinated and boosted, while I had Covid barely seven weeks ago.

8/2/2022: SpaceX’s Starlink has soared, but a course correction may be on the horizon, Fast Company

More weeks ago than I’d like to admit, one of my editors asked if I could do a more in-depth look at the progress of SpaceX’s Starlink low-Earth-orbit broadband constellation. A day after this piece ran, Reddit’s ever-informative r/starlink served up new evidence of capacity issues at this service: a new rate plan in France that cuts the monthly rate in half but imposes a 250 GB threshold for possible speed deprioritization.

8/2/2022: 2 Key Federal Telecom Agencies Promise to Play Nice With Wireless Spectrum, PCMag

Two federal offices about two miles apart in D.C. pledged to work better together in spectrum planning. That might seem like an obvious thing to do, but the Federal Communications Commission and the National Telecommunications and Information Administration last updated this memorandum of understanding in 2003.

Story as seen in Chrome on a Pixel 5a phone, showing its lead illustration: a photo of people waiting on line at an airport.

8/3/2022: Don’t Get Stranded: How to Watch for Flight Delays and Get Around Them, PCMag

A discussion on PCMag’s Slack workspace about coping with travel hiccups led to me asking if I could write this story, and not just because I’d like to recoup my added travel costs from my unplanned extra night in Toronto in June.

8/3/2022: How Verizon ‘fixed wireless’ and T-Mobile home broadband is converting cable customers, USA Today

After a reality-check interview with an analyst who reminded me that fiber scales so much better to meet demand than fixed wireless can, this column on the progress of T-Mobile and Verizon’s 5G-based home broadband got a bit less enthusiastic about its potential.

8/4/2022: S02 E32 – SmartTechCheck Podcast, Mark Vena

My main contribution to this discussion was talking about my Starlink story, but if you watch the video of the podcast you can also see me scowl at a Lightning cable.

8/5/2022: DOT Moves to Strengthen Rules on Refunds for Flight Changes, Cancellations, PCMag

Speaking of travel delays, I returned to the subject to cover a set of proposed Department of Transportation rules that would clarify what counts as a significant schedule change and a cancelled flight–and require either non-expiring trip credits or straight-up refunds for travel canceled because of a future pandemic.

Black Hat pitches increasingly resemble CES pitches

When I’m spending a sunny Saturday in front of my computer, the usual reason is that it’s beastly hot outside. But today I have an additional, also seasonally-specific reason: I’m overdue to look over and make some decisions about all of the Black Hat meeting requests that have been piling up in my inbox.

A view of the Las Vegas Strip from the Foundation Room atop the Mandalay Bay hotel--a common event venue for both CES and Black Hat receptions.

Unlike last summer, I actually am going to this information-security conference in Las Vegas. And many more infosec companies seem to have made the same decision, leading to a flood of e-mails from their publicists asking if I’d like to set up a meeting while I’m in Vegas. How many? Over the last month, I’ve received 134 messages mentioning Black Hat, a number that makes me think of the annual deluge of CES PR pitches.

(Sorry, the total is now 135.)

Just like at CES, accepting even half of these invitations would leave me almost no time to do anything else at the conference. But where at CES I need to save time to gawk at gadgets on and off the show floor–and to get from venue to venue at that sprawling event–at Black Hat I want to save time to watch this conference’s briefings.

In the two prior years I’ve gone to Black Hat, I’ve found that the talks there have an exceptionally high signal-to-noise ratio. And since a coherent and entertaining explanation of a vulnerability in a widely used app, service or device is something that’s relatively easy to sell as a story, I also have an economic incentive to hold off on taking any meeting requests until the organizers post the briefings schedule–which this year only happened barely two weeks ago.

In other words, now I’m out of excuses to deal with these pitches. Which I could have done this afternoon had I not waited until this afternoon to write this post…

8/24/2022: Fixed the typo in the headline that nobody seems to have noticed until my wife asked about it today.

Weekly output: supply-chain attacks, Mark Vena podcast, password managers, 5G vs. IMSI catchers, fake vaccination cards

TALLINN, Estonia–I’m writing a post from the other side of the Atlantic for the first time since November of 2019 because of a press trip set up for this week by Estonia’s business-development types to show off the country’s tech sector. That sort of thing would be a non-starter were I on anybody’s staff, but I’m not and I’ve gotten a lot out of a few previous trips along these lines. It does help that Estonia is no Las Vegas in its approach to the pandemic. 

Screenshot of the story as seen in Safari on an iPad

8/10/2021: More SolarWinds-style attacks are coming. Here’s how to stop them, Fast Company

I wrote up the keynote that opened Black Hat, in which security researcher (and excellent Twitter individual) Matt Tait outlined how getting hostile code into a software supply chain can yield rewards so outsized that attackers have to work extra to focus their attack.

8/11/2021: SmartTechCheck Podcast by Parks Associates, Mark Vena

This week’s edition of my tech-analyst pal’s podcast featured an unusually contentious debate over Apple’s announced plans to do on-device scanning of photos ready to be uploaded to iCloud for matches of known child sexual-abuse material.

8/12/2021: Best Password Managers of 2021, U.S. News & World Report

I contributed an update to the guide I helped write at the start of this year. My work this time includes profiles of 1Password, Bitwarden, Dashlane, Enpass, and LastPass, plus comparisons of 1Password and LastPass, Dashlane and LastPass, and 1Password and Dashlane.

8/13/2021: 5G defends against IMSI catchers – but implementation is critical, Light Reading

My Black Hat coverage-from-afar continued with this writeup of a briefing about 5G’s vulnerability to IMSI catchers, the fake base stations sometimes used by law-enforcement and national-security investigators as well as criminal enterprises to intercept people’s communications.

8/13/2021: Fake vaccination cards, Al Jazeera

I thought the Arabic-language news network would want me to talk about the technical difficulties involved in making counterfeit-proof vaccination cards, but instead they stuck to such big-picture queries as why people would even want to spend $100 or so on fake vax cards sold by random con artists on Telegram.

My next in-person tech conference will have to wait a little longer

Next week was going to feature a conference badge and triple-digit temperatures, and now the only way I’ll get any of those things is if the forecast for D.C. turns out to be completely off.

Barely a month after I’d booked flights and a (refundable) hotel room for the Black Hat security conference, convinced that this security gathering in Las Vegas would represent my first in-person conference since February of 2020, I cancelled those bookings this week. Instead of flying to Nevada to take notes in the middle of a physical audience and then network in person at a series of receptions, I’ll follow the briefings online and then connect with nobody new as I have dinner at home.

It wasn’t any one thing about this conference happening in the middle of a not-yet-over pandemic that led me to bag this trip, even though I’ve been fully vaccinated since late May; it was all the things.

First, while I would expect most information-security professionals to evaluate their risks intelligently and therefore have gotten vaccinated long ago, there’s always going to be the exceptions.

Second, Black Hat is like everything else in Vegas in August in that it must exist in a series of air-conditioned bubbles. And while I wouldn’t have a problem wearing a mask while watching briefings, staying masked-up is a lot harder at a conference reception.

Third, Vegas has a giant tourist demographic that self-selects for poor risk management, raising the odds of me sharing an elevator or check-in line with some hard-partying idiot who has made pandemic denial part of his personal political brand.

Fourth, the city itself has a depressingly low vaccination rate, with only 41% of Clark County residents fully vaccinated. Seeing that many people spend that many months declining to use the best tool we have against the pandemic does not make me want to go to their city and spend my money.

The odds remain pretty low, as I understand them, that I would pick up the Delta variant of the novel coronavirus over those two days and change in Vegas. But when one of the people I’d see afterwards would be my not-yet-vaccine-eligible 11-year-old daughter, I can’t justify the risk posed by what strikes me as an especially bad scenario compared to any of the events I’m contemplating for later this year.

So even while I have resumed some business travel, it’s going to be a little while longer before I come home with a new conference badge to add to the collection that’s now been collecting dust for a year and a half.

All vaxxed up and nowhere to go (especially for work)

Thursday was my V-day: two weeks elapsed since my second dose of the Moderna coronavirus vaccine, and therefore cleared for takeoff into a normal life. But I still feel like I’m on the runway, if not still on the taxiway waiting for my clearance.

I’m blaming work. I had thought it would be nice to celebrate this milestone Friday by having a drink at an actual bar indoors, but I had deadlines to meet that kept me at the keyboard until almost dinnertime. One reason why I still had fingers at the keyboard that late: I spent part of Friday afternoon volunteering at a vaccination clinic, which was arguably a better way to mark the occasion anyway. I did at least wear only one cloth mask instead of doubling up as I had before.

Photo shows my COVID-19 vaccination card atop my new passport and a route map from United Airlines' Hemispheres magazine.

(Another difference between now and my first volunteer shift in early April: Positive test rates have plummeted to well under 2% in Arlington and D.C.)

Work also factors into this in-between feeling, because it’s become so obvious that business gatherings will be a trailing indicator of America’s victory over this disease. As I type this, my also-fully-vaccinated neighbors are having people over on their back deck and that seems completely normal, but I have no idea when the first (non-pandemic-denying) think tank, trade association, PR firm or other corporate outpost around here will dare to host an in-person briefing, luncheon or reception.

The forecast is also fuzzy for in-person conferences. Wednesday, the management of the IFA trade show announced that they had to cancel this year’s edition of that electronics event in Berlin. I had thought they had good odds of pulling it off, considering how fast Germany is getting vaccine doses into arms. But IFA is a global show, and many of the countries that would be sending companies there remain far behind in vaccinations.

(MWC Barcelona, the first tech event to succumb to the pandemic, is somehow still set to happen next month, albeit on a grossly exhibitor-deprived scale. I don’t know what the thinking is there.)

Conferences that take place in the U.S. and draw a mostly-American audience look more likely to happen as planned, which on my calendar would probably make the first such IRL event the Black Hat information-security conference. Subjecting oneself to the blast-furnace heat of Las Vegas in August is not most people’s idea of fun–but after a year and change of only experiencing events through a screen, I legit would enjoy it. Besides, it really is a dry heat there.

DVR debt, but for virtual-conference panels

For the past two months, I’ve been looking at the same five tabs left open in my Mac’s copy of Chrome. They’re all from Black Hat–as in, the security conference that happened online in early August, but which remains incomplete in my own viewing.

If this event had taken place in Las Vegas as usual, I would have watched almost all the talks I’d picked out from the schedule. That’s a core feature of traveling to spend a few days at a conference: All of the usual at-home distractions are gone, leaving you free to focus on the proceedings at hand.

Online-only events zero out my travel costs and offer the added benefit of vastly reducing the odds of my catching the novel coronavirus from a crowd of hundreds of strangers. But because they leave me in my everyday surroundings, they’re also hard to follow.

If I have a story to write off a panel–meaning a direct financial incentive–I can and will tune in for that. But for everything else at an online conference, it’s just too easy to switch my attention to whatever work or home task has to be done today and save the panel viewing for later, as if it were yet another recording on my TiVo. (Or to let my attention wander once again to Election Twitter.) It’s not as if other conference attendees will be able to note my absence!

So I still haven’t caught up with the talks at Black Hat. Or at the online-only DEF CON hacker conference that followed it. I haven’t even tried to follow the panels at this year’s online-only version of the Online News Association’s conference… mainly because I couldn’t justify spending $225 on a ticket when this conference’s usual networking benefits would be so attenuated. I feel a little bad about that, but on the other hand I also feel a little cranky about submitting a panel proposal for ONA 20 and never getting a response.

I would love to be able to return to physical-world events with schedules crowded by overlapping panel tracks that force me to choose between rooms. But there seems to be zero chance of them resuming in the next six months, even if a vaccine arrives before the end of the year in mass quantities. Web Summit, CES, SXSW: They’ll all be digital-only, happenings experienced only through a screen.

I should try harder to cultivate the habit of experiencing these virtual events in the moment, not weeks or months afterwards. Or at least I should try to catch up on the backlog of panels I’ve already accumulated. This last hour would have been great for that… except I spent it writing this post instead.

Update, 10/10/2020: It turns out none of those Black Hat panels were available for viewing anymore. Whoops! At least the tab bar in Chrome looks cleaner now, I guess.