Weekly output: Facebook customer dissatisfaction, Facebook meddling in the Middle East (x3)

Tuesday has me departing for Las Vegas for the Black Hat and DEF CON information-security conferences, aka Hacker Summer Camp. In addition to the usual risk of getting pwned, this year I and other attendees will also have to deal with a plague of grasshoppers.

7/30/2019: Study shows Facebook’s customer-satisfaction scores plunging, Yahoo Finance

A new survey from the American Customer Satisfaction Index showed people’s contentment with Facebook plummeting to depths you could call Comcastic–except the cable company still rated lower in ACSI research earlier this year. If this post seems somewhat familiar, you may remember me writing up a similar set of ACSI findings in 2010. The issue of what we’ve learned about Facebook in the intervening years is left as an exercise for the reader.

8/1/2019: Facebook catches meddling from Saudi Arabia, United Arab Emirates, Egypt, Al Jazeera

The Arabic-language news channel had me on air live–twice in this day–to talk about Facebook’s announcement that it had booted hundreds of accounts and pages run out of Saudi Arabia, the United Arab Emirates and Egypt for “coordinated inauthentic behavior,” its phrase for disinformation campaigns.

8/2/2019: Facebook catches meddling from Saudi Arabia, United Arab Emirates, Egypt, Al Jazeera

Saudi Arabia misbehaving on social media put the Qatari network into flood-the-zone mode–not difficult to understand, given the enmity between the kingdom and Qatar–and so AJ had me on for a second day in a row to talk about this story. If you don’t care about Gulf politics, please consider that the Facebook-meddling move here of impersonating local news sources could work in the many U.S. cities and towns now starved for local news coverage.

Weekly output: #DIV/0!

For the first time since two Augusts ago, I have no new bylines in a week. I did file one story, not yet posted, and get much of the reporting done for two others–after losing much of the first two days from having our schools closed after last weekend’s snowstorm–but it’s still annoying to have this post equate to a divide-by-zero error.

And that happened even though I worked for a good chunk of this weekend: I spent most of Saturday at the Shmoocon cybersecurity conference in D.C. I connected with people much better-informed than me, picked up some useful insights that I hope to turn into a post, caught up with an old friend, and enjoyed spotting the hilarious National Security Agency recruitment ad pictured at right. (No, I did not plug in my phone.)

Having this con take place at the Washington Hilton provided a bonus level of amusement. I’ve been at the venue Washingtonians call the Hinckley Hilton for many other events, but none had involved so many people with hair dyed interesting colors and on-message t-shirts (e.g., “Crypto means cryptography”). That was an excellent change-up from this hotel’s usual overdressed look.

Black Hat priorities: don’t get pwned, do get work done

LAS VEGAS–I took my own phone and laptop to the Black Hat USA security conference here, which is often held out as a bad idea.

Before I flew out to Vegas Tuesday, I got more than a few “Are you bringing a burner phone?” and “Are you leaving your laptop at home?” questions.

But bringing burner hardware means dealing with a different set of security settings and doesn’t address the risk of compromise of social-media accounts. And writing thousand-word posts on my phone risks compromising my sanity.

So here’s what I did with my devices instead:

  • Put my laptop in airplane mode, then enabled only WiFi to reduce the PC’s attack surface to that minimum.
  • For the same reason, turned off Bluetooth and NFC on my phone.
  • Set the Windows firewall to block all inbound connections.
  • Used a loaner Verizon hot spot for all my data on both my laptop and phone–I even disabled mobile data on the latter gadget, just in case somebody set up a malicious cell site.
  • Connected only through a Virtual Private Network on both devices, each of which was set to go offline if the Private Internet Access app dropped that encrypted connection.
  • Did not plug in a USB flash drive or charge my phone through anything but the chargers I brought from home.
  • Did not download an update, install an app, or type in a password.
  • Did not leave my laptop or phone alone in my hotel room.

Combined, this probably rates as overkill–unless the National Security Agency or a comparable nation-state actor has developed an intense interest in me, in which case I’m probably doomed. Using a VPN alone on the conference WiFi should keep my data secure from eavesdropping attempts, on top of the fact that all the sites I use for work already encrypt their connections.

But for my first trip here, I figured I’d rather err on the side of paranoia. (You’re welcome to make your case otherwise in the comments.)

Then I showed up and saw that everybody else had brought the usual array of devices. And a disturbing number of them weren’t even bothering to use encryption for things as basic as e-mail.

Weekly output: 5G possibilities, Comcast-NBC revisited, switching to Windows, big-media serfdom, Face ID hack, online abuse

Good luck with your Thanksgiving family tech support, everybody!

11/13/2017: 5G’s Economic Prospects: Flexibility and Fuzziness, FierceWireless

Researching this piece about possible business models for 5G wireless helped inform me about story angles I’ll want to look into over the next few years. As with my past work for Fierce’s e-book bundles, you’ll have to cough up an e-mail address to read this one.

11/13/2017: Comcast + NBCUniversal Produces Mixed Bag, FierceCable

Disclosure: Comcast’s purchase of NBCUniversal has benefited me directly, in the form of Comcast PR inviting me to NBCUniversal movie screenings in D.C.

11/13/2017: How Apple sold me on buying a Windows laptop, Yahoo Finance

An angle I didn’t have room to address in this post: Windows 10’s “tablet mode” represents a long-delayed fulfillment of the promise of Windows XP’s watching-not-creating Media Center interface.

11/14/2017: Barry Diller says big media will be ‘serfs on the land’ of tech giants, Yahoo Finance

The media mogul’s pessimistic assessment of traditional media’s future was an easy sell from the Internet Association’s Virtuous Circle conference in San Francisco.

11/17/2017: You should still use the iPhone X’s Face ID even though hackers say they beat it, Yahoo Finance

I’ve written a few posts over the past year or two on the theme of “security nihilism”–the unhelpful belief of many infosec types that if a defensive measure can’t protect you from the most experienced and motivated attackers, then it’s worthless. Maybe this was more persuasive than the others?

11/16/2017: Technical and Human Solutions to Problematic Behaviors, Family Online Safety Institute

I moderated this panel at FOSI’s conference about ways to deal with people being jerks online. My thanks to TeenSafe’s Tracy Bennett, Verizon’s Ginelle Brown, Twitter’s Patricia Cartes and the Born This Way Foundation’s Rachel Martin for making me sound smarter on the subject on a day when I had to function on about four hours of sleep after a fuel leak forced my flight back from SFO to divert to Denver, after which I didn’t land at Dulles until after 1 a.m.

Weekly output: net neutrality, cybersecurity advice, Photobucket

In an alternate universe, I’d be heading to New York Tuesday for CE Week, but I had a panel invitation here and none there. I also recalled how low-key last year’s conference was, so I decided to stick around here after I’d already put in for a press pass. To everybody who’s pitched me about their CE Week exhibits or events (which seem to be more numerous than last year’s): Sorry!

7/3/2017: How open-internet rules are actually helping consumers, Yahoo Finance

Yet another net-neutrality post? Yes. This one covered two angles I had not addressed adequately before. One is how Internet providers’ own deployment figures show they’ve kept on expanding their networks after the advent of open-Internet rules. The other is the poor odds of a small ISP getting the time of day from a major streaming-media service, much less inking a paid-prioritization deal that would yield enough money to finance broadband buildout.

7/3/2017: ICD Brief 47, International Cybersecurity Dialogue

This group’s newsletter quoted my critique of the cybersecurity lessons offered in a French TV report. I didn’t find it much more helpful than much of the infosec advice you’ll see in mainstream coverage.

7/7/2017: The big lesson from Photobucket’s ‘ransom images’ debacle, Yahoo Finance

It’s been years since I last uploaded any pictures to Photobucket, but only a decade ago it led the market for online image sharing. Its subsequent descent into a) becoming an ad-choked hell and b) demanding that free users who had accepted its invitation to embed their photos elsewhere switch to paying $400 a year is sad on a lot of levels.

Weekly output: CES recap, United fleet site, cybersecurity coverage, wireless phone plans, inauguration wireless coverage, T-Mobile One alternatives

I got a little extra publicity this week from the Columbia Journalism Review when its editors illustrated their open letter to President Trump from the White House press corps with a photo I took of the White House press briefing room. It’s been flattering to see that people actually read photo credits! I would have liked to see CJR link to the original–I believe that’s a condition of the Creative Commons non-commercial-use-allowed license under which I shared it on Flickr–but the reply I got was that their CMS doesn’t support links in photo credits.

That photo, incidentally, comes from 2014’s White House Maker Faire–exactly the sort of event I don’t expect to get invited to over the next four years.

1/17/2017: Techdirt Podcast Episode 105: The CES 2017 Post-Mortem, Techdirt

I talked with Techdirt founder Mike Masnick about my experience at this year’s show. I did the interview using a podcasting Web app I hadn’t tried before, Cast. My verdict: great UX, but that name is horrible SEO.

1/18/2017: Get to Know Your Airliner, Air & Space Magazine

I finally wrote a story for a magazine I’ve been reading on and off since high school, which is pretty great. The subject: the United Airlines Fleet Website, a remarkably useful volunteer-run database of United planes that I’ve gotten in the habit of checking before every UA flight. The story should also be in the February issue, available at newsstands in the next few days.

1/18/2017: What you should really know about every major hacking story, Yahoo Finance

I put on my media-critic hat to write this post about what too many cybersecurity pieces–and too many mass-media conversations on the subject, up to and including those started by Donald Trump–get wrong.

1/19/2017: The Best Cell Phone Plans, The Wirecutter

We decided last summer that having separate guides for the four major wireless carriers and for prepaid and resold phone plans didn’t help readers who should be considering all of their options. That also imposed extra work on me. The result: a single guide that’s much shorter and will be easier to update the next time, say, Sprint rolls out some new price plans.

1/19/2017: How carriers will keep D.C. online during Trump’s inauguration, Yahoo Finance

The real test of the big four networks came not during President Trump’s under-attended inauguration but the Women’s March on Washington the next day. To judge from the experience of my wife and others, the carriers did not acquit themselves too well: Her Verizon iPhone lost data service for part of the day, and I saw friends posting on Facebook that they couldn’t get photos to upload.

1/22/2017: Am I stuck with T-Mobile’s flagship plan?, USA Today

T-Mobile’s decision to limit its postpaid offerings to the unmetered-but-not-unlimited T-Mobile One gave me an opportunity to provide a quick tutorial on the differences between postpaid, prepaid and resold services.

Weekly output: Game of Thrones, security, augmented reality, T-Mobile, phone insurance

Happy Easter!

3/27/2013: Ethicists Make Lousy Economists, And Other Lessons From the Endless “Game of Thrones” Debate, Disruptive Competition Project

This started life as a draft here a year ago, when I’d gotten fed up by seeing the same old arguments thrown around on Twitter and in blog posts about the HBO series. Then I set it aside, which turned out to be a good thing when I had a paying client interested in the topic.

3/29/2013: Social-Media Trend To Watch: Security That Doesn’t Have To Suck, Disruptive Competition Project

With Dropbox, Apple and, soon, Evernote and Twitter following Google’s lead in offering two-step verification as a login option, I’m cautiously optimistic that this competition will yield more usable security than what the efforts of corporate IT have yielded so far. The skeptical comments this post has since gotten have me wondering if I was too optimistic.

3/29/2013: Augmented Reality Doesn’t Need Google Glasses, Discovery News

I revisited a topic I last covered in depth in a 2009 column for the Post. Part of this post recaps how I still use some of the apps I mentioned back then, part suggests some other possible applications, and then I note how Windows Phone 8’s “Lenses” feature could foster “AR” on that platform. I’m not sure all of those parts hold together.

3/31/2013: Q&A: Is T-Mobile’s new math a good deal?, USA Today

The wireless carrier’s no-contract plans may not save you much money if you buy a new smartphone exactly every two years, but if you upgrade less often–or buy an unlocked phone from a third party–they can work well for you. (And if they foster the growth of a carrier-independent market for phones, they would work well for the rest of us.) The post also includes a reminder to watch out for phone-insurance charges on your bill.

Sulia highlights: calculating how much you’d spend on an iPhone 5 and two years of service at the four major wireless carriers; noting the belated arrival of threaded comments on Facebook pages; explaining why Google Maps doesn’t offer real-time arrival estimates for Metro and other transit systems; critiquing the woeful setup experience on a Linksys router.

A fix for strange search results

Something looked broken with Web search on my computer yesterday, and it took me only about 18 hours of detours to figure out the problem. To spare you all the trouble of repeating my troubleshooting, here’s how things worked out.

Everything started when I was doing a routine search for a post I’d written last winter on CEA’s blog. I clicked on Google’s link, saw a random address appear and then another, and found myself looking at a sketchy page with ads for some casino instead of my analysis of exemptions to the Digital Millennium Copyright Act’s anti-circumvention provisions.

My first thought–both frightened and angry–was that I’d finally gotten hit with a virus like DNSChanger on my own computer. But the same hijacked search happened in another Mac and on the Chromebook I’d just reviewed.

Maybe my wireless router had gotten compromised somehow? I had covered one reader’s experience with that two years ago, and my fellow tech journalist Glenn Fleishman (I’d say he’s forgotten more about WiFi than I’ll ever know, but he forgets nothing) thought that was likely too.

But the router had nothing amiss with its domain-name-server settings. Meanwhile, doing the same search in the browser on an AT&T Android phone (another recent review) didn’t yield any spurious results. Two replies on Twitter also suggested this issue might be specific to Internet providers.

My last move before getting distracted by our daughter was to try the same search on other sites. At Bing, the result also got hijacked; at DuckDuckGo, it did not.

This morning, as I was using Safari’s Web Inspector to see if I could get any more insight on the mechanics of the hijack (and take the screengrab you see above), another Twitter reply suggested that it could be an issue with CEA’s installation of WordPress. There is a history of exploits for that popular blogging platform that target incoming referrers from popular sites to send those clicks elsewhere; see, for instance, this Q&A thread.

(WordPress.com, this blog’s host, is a commercial service that runs WordPress; one of its selling points is having professionals stay on top of patches and security so I don’t have to.)

Sucuri LLC’s malware-checking site didn’t find any malware at CEA’s blog. But when I e-mailed somebody at the Arlington, Va., trade association, they did find a malicious script on the site that’s since been removed. And now, my original search takes me to the right page.
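One way to check a site for the referrer-dependent redirect described above, as an added example that is not part of the original post: it requests the same page with and without a search-engine Referer header and reports any engine whose clicks alone get sent to another host. The function names, sample Referer strings and example hosts are assumptions made for illustration.

```python
"""Added example: flag referrer-conditional redirects on a page."""
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Constructed sample Referer values, one per search engine tried in the post.
REFERERS = {
    "google": "https://www.google.com/search?q=example",
    "bing": "https://www.bing.com/search?q=example",
    "duckduckgo": "https://duckduckgo.com/?q=example",
}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # do not follow; we want to inspect the Location header


def http_probe(url, referer=None, timeout=10):
    """Fetch url once and return (status, Location header or None)."""
    request = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    if referer:
        request.add_header("Referer", referer)
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(request, timeout=timeout) as response:
            return response.status, response.headers.get("Location")
    except urllib.error.HTTPError as err:  # unfollowed 3xx responses land here
        return err.code, err.headers.get("Location")


def off_site(url, location):
    """True when a Location header names a different host than url."""
    host = urlsplit(location or "").hostname
    return host is not None and host != urlsplit(url).hostname


def find_referer_hijack(url, probe=http_probe):
    """Return {engine: location} where that Referer alone triggers an off-site redirect."""
    baseline = probe(url, None)  # what a direct visitor gets
    flagged = {}
    for engine, referer in REFERERS.items():
        status, location = probe(url, referer)
        if (status, location) != baseline and off_site(url, location):
            flagged[engine] = location
    return flagged


def simulated_probe(url, referer=None):
    """Constructed stand-in for a site that redirects Google and Bing clicks only."""
    if referer and ("google.com" in referer or "bing.com" in referer):
        return 302, "http://ads.example.net/landing"
    return 200, None


if __name__ == "__main__":
    print(find_referer_hijack("http://blog.example.org/post", simulated_probe))
```

This comparison only sees redirects issued by the server. A malicious script that reads the referrer inside the browser would need the same comparison run in a real or headless browser.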

So I guess reporting this counts as this week’s good deed for the Internet… and maybe a start on next weekend’s USA Today column. But before I do that: Have you run into anything like this? Were you able to get it resolved? What else would you like to know about search hijacking?

Weekly output: Mat Honan, Mike Daisey, pausing telecom service, “Free Public WiFi”

Two of this week’s posts involved other people’s stories–either adding context to them or critiquing the storytelling itself. (I also filed one post and a podcast for CEA, but they haven’t gone up yet. I’m blaming the fact that it’s August in D.C.)

8/8/2012: Hacking Nightmare Comes True: Mat Honan’s Story, Discovery News

After reading Wired writer Mat Honan’s Tumblr post about how hackers had hijacked his iCloud and Twitter accounts, deleted his Google account and remote-wiped his iPad, iPhone and MacBook Air, I wanted to know how such a thing could be possible. After reading his explanation of the hack on Wired.com, I wanted to write about it myself–both to yell at Amazon and Apple for their (now fixed) security flaws that enabled the hack, and to remind readers of what they can do to prevent the same thing from happening to them. It helped to talk to Honan over the phone on Tuesday morning and hear the stress and anger in his voice. (I enjoy Honan’s work, and he and I were on a radio show once, but I don’t think we’ve met face to face.)

8/8/2012: How Mike Daisey retooled The Agony and the Ecstasy of Steve Jobs, Ars Technica

Some 17 months after I first saw Daisey’s monologue about Apple, I returned to the Woolly Mammoth Theatre Company in downtown D.C. to catch the 2.0 version, stripped of the material he fabricated earlier about Apple’s outsourced manufacturing in China. This was the first time in years that I’d taken notes on a paper notepad (the prior item in this one was a set of questions I jotted down for a video interview with Steve Wozniak I did for the Post in late 2009).

It was also the first time in a while that the subject of a review wrote back to me. Maybe an hour after this post went up, Daisey e-mailed to contest my interpretation. He said I made him sound too trusting in the New York Times’ reporting and didn’t give him enough credit for addressing some of the related issues I mentioned in this piece in the program handed out to attendees. I replied that those were my reactions, as jotted down in real time in the dark; they may not be a correct interpretation, but the review is supposed to reflect what I thought at the time.

Meanwhile, the vast majority of the comments from Ars readers were far less sympathetic to Daisey’s case.

8/12/2012: How to pause cable, phone services, USA Today

I thought a reader’s question about whether he could suspend his Internet, TV and phone services while away from home would make for a nice, easy, “it’s August in D.C. and nobody wants to work too hard” item. Wrong. Some telecom firms have multiple policies that vary by region. The piece also reminds readers that the “Free Public WiFi” hot spot you might see is an artifact of a patched Windows XP bug. (Yes, you’ve read that from me before: I covered it in a 2009 article for the Post.)