Weekly output: Black Hat hacks and security fixes, T-Mobile news, self-driving-car security, voting-machine security, fear of robots

Most of this week’s copy was reported and written the previous week at the Black Hat security conference in Vegas. Considering my own frequently-elastic interpretations of deadlines, I can’t complain about editors with their own crowded calendars taking a day or two to give their full attention to my own work.

8/13/2018: Hacks of Macs, Microsoft Cortana are two more reasons why you should install updates, USA Today

I used this column to synthesize my notes from a few different Black Hat talks that intersected to yield the same lesson: You are safer overall if you install security fixes for your apps and devices when they arrive instead of playing IT department and deciding which ones should wait.

8/13/2018: What could T-Mobile uncap for its next Un-carrier news?, Fierce Wireless

I wrote this curtain-raiser for T-Mobile’s Wednesday announcement twice when a late reply from one analyst and my tardy queries to others led me to file a 1.0 version that would make it into Fierce’s mid-day newsletter. The one you can read now includes quotes from those additional experts–none correctly forecasting that T-Mobile would make its next big push better customer service.

8/13/2018: How two car hackers plan to keep GM’s self-driving cars safe, Yahoo Finance

The single most entertaining talk at Black Hat was this presentation from Charlie Miller and Chris Valasek. You may remember them as the guys who hacked a Jeep Cherokee in 2015 to seize control of it with Wired writer Andy Greenberg at the wheel. The two now work for the GM subsidiary Cruise Automation, and at Black Hat they explained how they plan to stop the likes of them from remotely exploiting Cruise’s fleet of self-driving vehicles–in part by removing such attack surfaces as Bluetooth wireless and the FM radio.

8/14/2018: There’s more to election integrity than secure voting machines, The Parallax

Another Black Hat talk gave me one more chance to take a whack at the WinVote voting machines that infested polling places across Virginia–mine included–for a decade. This time around, I checked back with a couple of the experts I’d consulted for earlier coverage of electronic voting machines and learned that both wished they’d paid more attention before to such separate election-integrity issues as voter registration systems.

8/15/2018: Robot workers or human employees, Al Jazeera

I got a request from my usual guy in AJ’s D.C. bureau asking if I could talk about the prospect of robots taking human jobs–both in the private and defense sectors. I was in Boston at the time visiting family, but that proved to be no problem. Instead of them sending a car to my house to take me to their D.C. studios, they ran me over to a studio in downtown Boston, where I did my talking-head duty (overdubbed live into Arabic) wearing one of my brother’s jackets. Since I knew I’d only appear on camera from the torso up, I didn’t bother changing out of the shorts and sandals I’d put on that morning.


Weekly output: mobile payments, Black Hat security, travel tech

I left Black Hat feeling a little overwhelmed–not because of how little time I had to take in things between my arrival in Vegas Tuesday afternoon and my departure Thursday night, but because of how many fascinating briefings I had to miss because I was attending others. And then there’s everything I missed by flying home before DEF CON.

8/6/2018: Hang on, Apple: Phone payments still need work, USA Today

Seeing all the hype over Apple announcing that CVS will finally succumb to reality and accept Apple Pay (meaning you can also pay with any non-Apple phone that does NFC payments) got me feeling cranky enough to write this reality-check post. I’ve since received an e-mail from a reader saying he’s had no problem paying for stuff with his iPhone in Mexico, contrary to a statement in the column based on an incorrect reading of Apple and Google support documents. I’ve asked my editors to correct that part.

8/9/2018: Black Hat attendees are surprisingly lax about encryption, The Parallax

As I was putting together my Black Hat schedule, I got an invitation to tour the network operations center supervising the conference’s WiFi. I thought that visit would allow me a chance to look at a lot of blinking lights, but instead it provided up-close evidence of some horrifyingly slack security practices among a minority of Black Hat attendees.

8/11/2018: Welcome and Keynote with Rob Pegoraro, Frequent Traveler University Washington, DC

After years of profiting from tips shared in various frequent-flyer forums, I had a chance to give back when FTU host Stefan Krasowski asked if I’d like to talk about my travel experiences to open this two-day program of seminars about airline and hotel loyalty programs and other sorts of travel hacking. We had a great conversation about freelance business-trip economics, the gadget accessories I take on the road, two underrated virtues of United elite status, and my worst airport-transit experience ever. My only regret: Since I couldn’t stick around for the rest of the day, I didn’t have a chance to meet the other FTU speakers, a few of whom I’ve been reading for years.

Black Hat priorities: don’t get pwned, do get work done

LAS VEGAS–I took my own phone and laptop to the Black Hat USA security conference here, which is often held out as a bad idea.

Before I flew out to Vegas Tuesday, I got more than a few “Are you bringing a burner phone?” and “Are you leaving your laptop at home?” questions.

But bringing burner hardware means dealing with a different set of security settings and doesn’t address the risk of compromise of social-media accounts. And writing thousand-word posts on my phone risks compromising my sanity.

So here’s what I did with my devices instead:

  • Put my laptop in airplane mode, then enabled only WiFi to reduce the PC’s attack surface to that minimum.
  • For the same reason, turned off Bluetooth and NFC on my phone.
  • Set the Windows firewall to block all inbound connections.
  • Used a loaner Verizon hot spot for all my data on both my laptop and phone–I even disabled mobile data on the latter gadget, just in case somebody set up a malicious cell site.
  • Connected only through a Virtual Private Network on both devices, each of which was set to go offline if the Private Internet Access app dropped that encrypted connection.
  • Did not plug in a USB flash drive or charge my phone through anything but the chargers I brought from home.
  • Did not download an update, install an app, or type in a password.
  • Did not leave my laptop or phone alone in my hotel room.
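
The laptop items in the list above (block all inbound connections, Wi-Fi as the only active link, traffic only through the VPN) can be applied and checked from an elevated PowerShell prompt. This is an added example, not part of the original post; `Test-ConferencePosture` is a hypothetical helper name, and the check assumes the VPN client creates a virtual (non-physical) network adapter.

```powershell
# Added example (not from the original post). Run in an elevated session.
# Block every inbound connection on all profiles, ignoring existing allow rules.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -AllowInboundRules False

# Hypothetical helper: returns a list of findings; empty means the checks passed.
function Test-ConferencePosture {
    $findings = @()

    # 1. Each firewall profile must be enabled and refusing all inbound traffic.
    foreach ($p in Get-NetFirewallProfile) {
        if ($p.Enabled -ne 'True' -or $p.DefaultInboundAction -ne 'Block' -or
            $p.AllowInboundRules -ne 'False') {
            $findings += "Firewall profile '$($p.Name)' can still accept inbound connections"
        }
    }

    # 2. Wi-Fi should be the only physical link that is up (no Ethernet,
    #    Bluetooth PAN or cellular modem). This checks links, not radio state.
    $physical = @(Get-NetAdapter -Physical | Where-Object Status -eq 'Up')
    foreach ($a in $physical) {
        if ($a.PhysicalMediaType -notin 'Native 802.11', 'Wireless LAN') {
            $findings += "Unexpected active adapter: $($a.Name) ($($a.PhysicalMediaType))"
        }
    }

    # 3. Internet-bound traffic should leave through the VPN tunnel.
    #    Assumption: the VPN client's adapter is virtual, so it is absent from
    #    Get-NetAdapter -Physical. 192.0.2.1 is a documentation address; this
    #    is only a routing-table lookup and sends no packets.
    $route = Find-NetRoute -RemoteIPAddress '192.0.2.1' -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if ($route -and $route.InterfaceIndex -in $physical.ifIndex) {
        $findings += 'Traffic would bypass the VPN and use a physical adapter directly'
    }
    return $findings
}

$result = Test-ConferencePosture
if ($result) { $result | ForEach-Object { Write-Warning $_ } } else {
    Write-Output 'Firewall, adapter and VPN routing checks passed.'
}
```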

Combined, this probably rates as overkill–unless the National Security Agency or a comparable nation-state actor has developed an intense interest in me, in which case I’m probably doomed. Using a VPN alone on the conference WiFi should keep my data secure from eavesdropping attempts, on top of the fact that all the sites I use for work already encrypt their connections.

But for my first trip here, I figured I’d rather err on the side of paranoia. (You’re welcome to make your case otherwise in the comments.)

Then I showed up and saw that everybody else had brought the usual array of devices. And a disturbing number of them weren’t even bothering to use encryption for things as basic as e-mail.