Weekly output: network security (x2), election security, Google finding Apple’s bugs

Now it can be told: I spent all of the last two weeks on the West Coast, with my stay in Las Vegas for Black Hat and DEF CON sandwiched inside time with my in-laws in California. That let me have a much shorter trip to and from Vegas and then segue from WiFi security to a little wine tasting and, more important, a lot of napping.

8/12/2019: WiFi can be a free-for-all for hackers. Here’s how to stop them from taking your data, USA Today

I e-mailed this to my editor with the following note: “I’m sending this over the DEF CON conference WiFi, so if you only see pirate-flag emoji I trust you’ll call or text to warn me.” If you don’t want to read all 600-ish words in this piece, the top three are “encryption is your friend.”

8/12/2019: This tech could secure voting machines, but not before 2020, Yahoo Finance

One of the big reasons I decided to stick around Vegas for DEF CON–even though it meant I’d have to pay $300 in cash for that conference badge–was the chance to see the exhibits and presentations at its Voting Village. The proceedings did not disappoint, even if a DARPA demo from a project with the delightful acronym of SSITH is far from yielding shipping voting hardware.

8/12/2019: Google got Apple to fix 10 security flaws in the iPhone, Yahoo Finance

Black Hat offered a two-course serving of Apple-security news. Its first day featured a briefing from Google Project Zero researcher Natalie Silvanovich about how her team uncovered 10 serious iOS vulnerabilities, and then its second day brought a talk from Apple security-engineering head Ivan Krstić that ended with news of a much more open bug-bounty program.

8/14/2019: This Morning with Gordon Deal August 13, 2019, This Morning with Gordon Deal

I talked about my USAT column on this business-news radio program; my spot starts just after the 13th minute.

Weekly output: wireless service, Gmail phishing, social-media disinformation, DNA tests

I spent most of this week in Las Vegas for the Black Hat security conference and, for the first time, DEF CON. I knew Black Hat from last year, but covering its sponsor-free, community-run counterpart for the first time left me feeling overwhelmed at how much of it I’d missed after just the first day. The Flickr album I posted earlier today may give you a sense of that fascinating chaos.

8/7/2019: The Best Cell Phone Plans, Wirecutter

This update took longer than I thought it would, but it now benefits from a simpler set of usage estimates that better align with how much data most people use. This guide also features new recommendations for value-priced service and shared-usage plans.

8/8/2019: We keep falling for phishing emails, and Google just revealed why, Fast Company

I wrote up a Black Hat talk that revealed new insights about why people fall for phishing e-mails and reinforced old advice about the importance of securing essential accounts with the right kind of two-step verification.

8/9/2019: Fake calculations… an electronic weapon in the hands of autocratic government, Al Jazeera

I took part in an episode of AJ’s “From Washington” show with Ryan Grim of the Intercept and my former congressman Jim Moran (D.-Va.), discussing disinformation campaigns on social media. At one point, Moran paused to say “Ryan and Rob are extremely intelligent and informative,” which I trust was equally effusive overdubbed into Arabic. The conversation later pivoted to the political scenario in Sudan, a topic I am maybe as prepared to discuss as any regular reader of the Washington Post’s A section.

8/10/2019: DNA Test Kits: Everything You Need to Know, Tom’s Guide

In this first post for a new client, I went about 2,000 words into the weeds on the privacy, legal and mental-health risks of taking DNA tests that may create facts you’d wish you could uncreate. That’s not my last post on DNA testing for Tom’s Guide, so if you have questions I didn’t get to in this feature, please ask away.

Weekly output: Facebook customer dissatisfaction, Facebook meddling in the Middle East (x3)

Tuesday has me departing for Las Vegas for the Black Hat and DEF CON information-security conferences, aka Hacker Summer Camp. In addition to the usual risk of getting pwned, this year I and other attendees will also have to deal with a plague of grasshoppers.

7/30/2019: Study shows Facebook’s customer-satisfaction scores plunging, Yahoo Finance

A new survey from the American Customer Satisfaction Index showed people’s contentment with Facebook plummeting to depths you could call Comcastic–except the cable company still rated lower in ACSI research earlier this year. If this post seems somewhat familiar, you may remember me writing up a similar set of ACSI findings in 2010. The issue of what we’ve learned about Facebook in the intervening years is left as an exercise for the reader.

8/1/2019: Facebook catches meddling from Saudi Arabia, United Arab Emirates, Egypt, Al Jazeera

The Arabic-language news channel had me on air live–twice in this day–to talk about Facebook’s announcement that it had booted hundreds of accounts and pages run out of Saudi Arabia, the United Arab Emirates and Egypt for “coordinated inauthentic behavior,” its phrase for disinformation campaigns.

8/2/2019: Facebook catches meddling from Saudi Arabia, United Arab Emirates, Egypt, Al Jazeera

Saudi Arabia misbehaving on social media put the Qatari network into flood-the-zone mode–not difficult to understand, given the enmity between the kingdom and Qatar–and so AJ had me on for a second day in a row to talk about this story. If you don’t care about Gulf politics, please consider that the Facebook-meddling move here of impersonating local news sources could work in the many U.S. cities and towns now starved for local news coverage.

Weekly output: Black Hat hacks and security fixes, T-Mobile news, self-driving-car security, voting-machine security, fear of robots

Most of this week’s copy was reported and written the previous week at the Black Hat security conference in Vegas. Considering my own frequently elastic interpretations of deadlines, I can’t complain about editors with their own crowded calendars taking a day or two to give their full attention to my own work.

8/13/2018: Hacks of Macs, Microsoft Cortana are two more reasons why you should install updates, USA Today

I used this column to synthesize my notes from a few different Black Hat talks that intersected to yield the same lesson: You are safer overall if you install security fixes for your apps and devices when they arrive instead of playing IT department and deciding which ones should wait.

8/13/2018: What could T-Mobile uncap for its next Un-carrier news?, Fierce Wireless

I wrote this curtain-raiser for T-Mobile’s Wednesday announcement twice when a late reply from one analyst and my tardy queries to others led me to file a 1.0 version that would make it into Fierce’s mid-day newsletter. The one you can read now includes quotes from those additional experts–none correctly forecasting that T-Mobile would make its next big push better customer service.

8/13/2018: How two car hackers plan to keep GM’s self-driving cars safe, Yahoo Finance

The single most entertaining talk at Black Hat was this presentation from Charlie Miller and Chris Valasek. You may remember them as the guys who hacked a Jeep Cherokee in 2015 to seize control of it with Wired writer Andy Greenberg at the wheel. The two now work for the GM subsidiary Cruise Automation, and at Black Hat they explained how they plan to stop the likes of them from remotely exploiting Cruise’s fleet of self-driving vehicles–in part by removing such attack surfaces as Bluetooth wireless and the FM radio.

8/14/2018: There’s more to election integrity than secure voting machines, The Parallax

Another Black Hat talk gave me one more chance to take a whack at the WinVote voting machines that infested polling places across Virginia–mine included–for a decade. This time around, I checked back with a couple of the experts I’d consulted for earlier coverage of electronic voting machines and learned that both wished they’d paid more attention before to such separate election-integrity issues as voter registration systems.

8/15/2018: Robot workers or human employees, Al Jazeera

I got a request from my usual guy in AJ’s D.C. bureau asking if I could talk about the prospect of robots taking human jobs–both in the private and defense sectors. I was in Boston at the time visiting family, but that proved to be no problem. Instead of them sending a car to my house to take me to their D.C. studios, they ran me over to a studio in downtown Boston, where I did my talking-head duty (overdubbed live into Arabic) wearing one of my brother’s jackets. Since I knew I’d only appear on camera from the torso up, I didn’t bother changing out of the shorts and sandals I’d put on that morning.

Weekly output: mobile payments, Black Hat security, travel tech

I left Black Hat feeling a little overwhelmed–not because of how little time I had to take in things between my arrival in Vegas Tuesday afternoon and my departure Thursday night, but because of how many fascinating briefings I had to miss because I was attending others. And then there’s everything I missed by flying home before DEF CON.

8/6/2018: Hang on, Apple: Phone payments still need work, USA Today

Seeing all the hype over Apple announcing that CVS will finally succumb to reality and accept Apple Pay (meaning you can also pay with any non-Apple phone that does NFC payments) got me feeling cranky enough to write this reality-check post. I’ve since received an e-mail from a reader saying he’s had no problem paying for stuff with his iPhone in Mexico, contrary to a statement in the column based on an incorrect reading of Apple and Google support documents. I’ve asked my editors to correct that part.

8/9/2018: Black Hat attendees are surprisingly lax about encryption, The Parallax

As I was putting together my Black Hat schedule, I got an invitation to tour the network operations center supervising the conference’s WiFi. I thought that visit would allow me a chance to look at a lot of blinking lights, but instead it provided up-close evidence of some horrifyingly slack security practices among a minority of Black Hat attendees.

8/11/2018: Welcome and Keynote with Rob Pegoraro, Frequent Traveler University Washington, DC

After years of profiting from tips shared in various frequent-flyer forums, I had a chance to give back when FTU host Stefan Krasowski asked if I’d like to talk about my travel experiences to open this two-day program of seminars about airline and hotel loyalty programs and other sorts of travel hacking. We had a great conversation about freelance business-trip economics, the gadget accessories I take on the road, two underrated virtues of United elite status, and my worst airport-transit experience ever. My only regret: Since I couldn’t stick around for the rest of the day, I didn’t have a chance to meet the other FTU speakers, a few of whom I’ve been reading for years.

Black Hat priorities: don’t get pwned, do get work done

LAS VEGAS–I took my own phone and laptop to the Black Hat USA security conference here, which is often held out as a bad idea.

Before I flew out to Vegas Tuesday, I got more than a few “Are you bringing a burner phone?” and “Are you leaving your laptop at home?” questions.

But bringing burner hardware means dealing with a different set of security settings and doesn’t address the risk of compromise of social-media accounts. And writing thousand-word posts on my phone risks compromising my sanity.

So here’s what I did with my devices instead:

  • Put my laptop in airplane mode, then enabled only WiFi to reduce the PC’s attack surface to that minimum.
  • For the same reason, turned off Bluetooth and NFC on my phone.
  • Set the Windows firewall to block all inbound connections.
  • Used a loaner Verizon hot spot for all my data on both my laptop and phone–I even disabled mobile data on the latter gadget, just in case somebody set up a malicious cell site.
  • Connected only through a Virtual Private Network on both devices, each of which was set to go offline if the Private Internet Access app dropped that encrypted connection.
  • Did not plug in a USB flash drive or charge my phone through anything but the chargers I brought from home.
  • Did not download an update, install an app, or type in a password.
  • Did not leave my laptop or phone alone in my hotel room.
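One way to script the laptop side of that checklist on Windows, as an added example that is not from the original post: it puts every firewall profile into block-all-inbound mode, marks the current network as Public, disables the Bluetooth devices, and then checks that the default route actually leaves through the VPN adapter rather than the physical WiFi card. The adapter-description pattern for the VPN client is an assumption to adjust for your own setup.

```powershell
# Added example, not from the original post: script the laptop side of the
# checklist above on Windows. Run from an elevated (Administrator) PowerShell.
# Assumption: the VPN client's virtual adapter description matches this pattern.
$VpnAdapterPattern = '*Private Internet Access*'

# 1. Windows firewall: all profiles on, every inbound connection blocked
#    (AllowInboundRules False is the "block all incoming connections" box),
#    outbound still allowed so the VPN client can reach its servers.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -AllowInboundRules False -DefaultOutboundAction Allow

# 2. Treat whatever network we are on as untrusted: the Public category turns
#    off network discovery and file/printer sharing.
Get-NetConnectionProfile | Set-NetConnectionProfile -NetworkCategory Public

# 3. Shrink the attack surface: disable Bluetooth devices at the PnP level
#    (the post's airplane-mode-then-WiFi-only trick does the same from the UI).
Get-PnpDevice -Class Bluetooth -Status OK -ErrorAction SilentlyContinue |
    Disable-PnpDevice -Confirm:$false

# 4. Verify the default route leaves through the VPN tunnel, not the physical
#    WiFi adapter. Windows picks the route with the lowest RouteMetric plus
#    InterfaceMetric, so compare on that sum rather than RouteMetric alone.
$up = Get-NetAdapter | Where-Object Status -eq 'Up'
$vpnIfIndexes = @($up | Where-Object InterfaceDescription -like $VpnAdapterPattern |
    Select-Object -ExpandProperty ifIndex)

$best = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' |
    ForEach-Object {
        $ifMetric = (Get-NetIPInterface -InterfaceIndex $_.ifIndex -AddressFamily IPv4).InterfaceMetric
        [pscustomobject]@{ ifIndex = $_.ifIndex; Metric = $_.RouteMetric + $ifMetric }
    } | Sort-Object Metric | Select-Object -First 1

if ($best -and $vpnIfIndexes -contains $best.ifIndex) {
    Write-Output "OK: default route uses the VPN adapter (ifIndex $($best.ifIndex))."
} else {
    Write-Warning 'Default route is NOT via the VPN adapter; traffic would bypass the tunnel.'
}

# 5. Show the resulting firewall state and which adapters remain up.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, AllowInboundRules
$up | Select-Object Name, InterfaceDescription | Format-Table -AutoSize
```

The go-offline-if-the-tunnel-drops behavior from the checklist is a setting inside the VPN client itself; this script only confirms that the route is where it should be at the moment you run it.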

Combined, this probably rates as overkill–unless the National Security Agency or a comparable nation-state actor has developed an intense interest in me, in which case I’m probably doomed. Using a VPN alone on the conference WiFi should keep my data secure from eavesdropping attempts, on top of the fact that all the sites I use for work already encrypt their connections.

But for my first trip here, I figured I’d rather err on the side of paranoia. (You’re welcome to make your case otherwise in the comments.)

Then I showed up and saw that everybody else had brought the usual array of devices. And a disturbing number of them weren’t even bothering to use encryption for things as basic as e-mail.