This is the most interesting conference badge I’ve worn

LAS VEGAS–I’ve spent the last two days wearing a circular circuit board topped with a slab of quartz, which is not just normal but required behavior to attend the DEF CON security conference here.

(Photo: DEF CON 27 badge)

I had heard upfront that DEF CON badges–available only for $300 in cash, no comped press admission available–were not like other conference badges. But I didn’t realize how much they differed until I popped the provided watch battery into my badge (of course, I put it in wrong side up on the first try), threaded the lanyard through the badge, and soon had other attendees asking if they could tap their badges against mine.

These badges designed by veteran hacker Joe Grand include their own wireless circuitry and embedded software that causes them to light up when held next to or close to other badges. As you do this with other attendees of various classes–from what I gathered, regular attendees have badges with white quartz, press with green, vendors with purple, and speakers with red–you will unlock other functions of the badge.

What other functions, I don’t know and won’t find out, as I’m now headed back from the event. That’s one way in which I’m a DEF CON n00b, the other being that I didn’t wear any other badges soldered together from circuit boards, LEDs and other electronic innards.

(Update: Saturday evening, Grand, aka “Kingpin,” posted detailed specifics about his creation, including source code and slides from a talk I’d missed.)

You might expect me to critique the unlabeled DEF CON badge for flunking at the core task of announcing your name to others, but forced disclosure is not what this event is about–hence the restriction to cash-only registration. And since I have mini business cards, this badge met another key conference-credential task quite well: The gap between the circuit board and the lanyard was just the right size to hold a stash of my own cards.


Weekly output: Facebook customer dissatisfaction, Facebook meddling in the Middle East (x3)

Tuesday has me departing for Las Vegas for the Black Hat and DEF CON information-security conferences, aka Hacker Summer Camp. In addition to the usual risk of getting pwned, this year I and other attendees will also have to deal with a plague of grasshoppers.

(Image: Yahoo Facebook ACSI post)

7/30/2019: Study shows Facebook’s customer-satisfaction scores plunging, Yahoo Finance

A new survey from the American Customer Satisfaction Index showed people’s contentment with Facebook plummeting to depths you could call Comcastic–except the cable company still rated lower in ACSI research earlier this year. If this post seems somewhat familiar, you may remember me writing up a similar set of ACSI findings in 2010. The issue of what we’ve learned about Facebook in the intervening years is left as an exercise for the reader.

8/1/2019: Facebook catches meddling from Saudi Arabia, United Arab Emirates, Egypt, Al Jazeera

The Arabic-language news channel had me on air live–twice in this day–to talk about Facebook’s announcement that it had booted hundreds of accounts and pages run out of Saudi Arabia, the United Arab Emirates and Egypt for “coordinated inauthentic behavior,” its phrase for disinformation campaigns.

8/2/2019: Facebook catches meddling from Saudi Arabia, United Arab Emirates, Egypt, Al Jazeera

Saudi Arabia misbehaving on social media put the Qatari network into flood-the-zone mode–not difficult to understand, given the enmity between the kingdom and Qatar–and so AJ had me on for a second day in a row to talk about this story. If you don’t care about Gulf politics, please consider that the Facebook-meddling move here of impersonating local news sources could work in the many U.S. cities and towns now starved for local news coverage.

Weekly output: cybersecurity, pay-TV satisfaction, U.S. vs. Huawei, personal air transport, open-source SaaS, Collision conference

I don’t have to fly anywhere Monday, which seems a cause for joy after the last six weeks of travel.

5/21/2019: Cybersecurity: In search of the Holy Grail?, Collision

This somewhat broad description yielded a talk on what we’re doing wrong in infosec with defy.vc managing director Trae Vassallo, Veracode co-founder Chris Wysopal, 4iQ CEO Monica Pal, and Emerson Collective managing director (and former Democratic National Committee CTO) Raffi Krikorian. I will add a link to video of this (and the other panels I moderated in Toronto) whenever the organizers post it; in the meantime, enjoy the picture by my friend John Ulaszek.

5/21/2019: Comcast, DirecTV and others suffer another round of low customer satisfaction scores, FierceVideo

I wrote up the latest findings of the American Customer Satisfaction Index survey for my occasional trade-publication client FierceVideo.

5/21/2019: U.S. vs. Huawei, Al Jazeera

I talked to AJ’s Arabic-language news channel about the growing isolation of the Chinese telecom firm via Skype from the Collision speaker-prep lounge; if you watched this hit live, that setting should explain the dull backdrop.

5/22/2019: The race to rule the skies, Collision

My second Collision panel featured Gwen Lighter, founder and CEO of the GoFly competition, and Ben Marcus, co-founder of the drone-cartography firm AirMap, talking about efforts to enable personal air transportation.

5/23/2019: Open source in the SaaS era, Collision

Panel number three of this week called for me to interview MongoDB CTO Eliot Horowitz, and that proved harder than I’d expected: The stage acoustics made it difficult for me to hear complete sentences from him.

5/24/2019: At Collision conference, Facebook and the rest of tech gets taken to task once again, USA Today

I wrote a recap of the conference for USAT that noted the general distaste for Facebook’s reach and conduct as well as the lack of certainty over what, exactly, we should do about that company.

Updated 6/29/2019 to add links to videos of my Collision panels.

Weekly output: #DIV/0!

For the first time since two Augusts ago, I have no new bylines in a week. I did file one story, not yet posted, and get much of the reporting done for two others–after losing much of the first two days from having our schools closed after last weekend’s snowstorm–but it’s still annoying to have this post equate to a divide-by-zero error.

And that happened even though I worked for a good chunk of this weekend: I spent most of Saturday at the Shmoocon cybersecurity conference in D.C. I connected with people much better-informed than me, picked up some useful insights that I hope to turn into a post, caught up with an old friend, and enjoyed spotting the hilarious National Security Agency recruitment ad pictured at right. (No, I did not plug in my phone.)

Having this con take place at the Washington Hilton provided a bonus level of amusement. I’ve been at the venue Washingtonians call the Hinckley Hilton for many other events, but none had involved so many people with hair dyed interesting colors and on-message t-shirts (e.g., “Crypto means cryptography”). That was an excellent change-up from this hotel’s usual overdressed look.

2018 in review: security-minded

I spent more time writing about information-security issues in 2018 than in any prior year, which is only fair when I think about the security angles I and many other people missed in prior years.

Exploring these issues made me realize how fascinating infosec is as a field of study–interface design, business models, human psychology and human villainy all intersect in this area. Plus, there’s real market demand for writing on this topic.

(Image: 2018 calendar)

I did much of this writing for Yahoo, but I also picked up a new client that let me get into the weeds on security issues. Well after two friends had separately suggested I start writing for The Parallax–and after an e-mail or two to founder Seth Rosenblatt had gone unanswered–I spotted Seth at the Google I/O press lounge, introduced myself, and came home with a couple of story assignments.

(Lesson re-learned: Sometimes, the biggest ROI from going to a conference consists of the business-development conversations you have there.)

Having this extra outlet helped diversify my income, especially during a few months when too many story pitches elsewhere suffered from poor product-market fit. My top priority for 2019 is further diversification: The Parallax is funded by a single sponsor, the Avast security-software firm, which on one hand frees it from the frailty of conventional online advertising but on the other leaves it somewhat brittle.

I’d also like to speak more often at conferences. Despite being half-terrified of public speaking in high school, I’ve become pretty good at what I think of as the performance art of journalism. This took me some fun places in 2018, including my overdue introduction to Toronto. (See after the jump for a map of my business travel.)

My focus on online security and privacy extended to my own affairs. In 2018, I made Firefox my default browser and set its default search to DuckDuckGo, cut back on Facebook’s access to my data, and disabled SMS two-step verification on my most important accounts in favor of app or U2F security-key authentication.

At Yahoo, it’s now been more than five years since my first byline there–and with David Pogue’s November departure to return to the New York Times, I’m the last original Yahoo Tech columnist still writing for Yahoo. My streak is even longer at USA Today, where I just hit my seventh anniversary of writing for the site (and sometimes the paper). Permanence of any sort is not a given in freelance journalism, and I appreciate that these two places have not gotten bored with me.

I also appreciate or at least hope that you reading this haven’t gotten bored with me. I’d like to think this short list of my favorite work of 2018 had something to do with that.

Thanks for reading; please keep doing so in 2019.


Black Hat priorities: don’t get pwned, do get work done

LAS VEGAS–I took my own phone and laptop to the Black Hat USA security conference here, which is often held out as a bad idea.

Before I flew out to Vegas Tuesday, I got more than a few “Are you bringing a burner phone?” and “Are you leaving your laptop at home?” questions.

(Photo: Black Hat backdrop)

But bringing burner hardware means dealing with a different set of security settings and doesn’t address the risk of compromise of social-media accounts. And writing thousand-word posts on my phone risks compromising my sanity.

So here’s what I did with my devices instead:

  • Put my laptop in airplane mode, then enabled only WiFi to reduce the PC’s attack surface to that minimum.
  • For the same reason, turned off Bluetooth and NFC on my phone.
  • Set the Windows firewall to block all inbound connections.
  • Used a loaner Verizon hot spot for all my data on both my laptop and phone–I even disabled mobile data on the latter gadget, just in case somebody set up a malicious cell site.
  • Connected only through a Virtual Private Network on both devices, each of which was set to go offline if the Private Internet Access app dropped that encrypted connection.
  • Did not plug in a USB flash drive or charge my phone through anything but the chargers I brought from home.
  • Did not download an update, install an app, or type in a password.
  • Did not leave my laptop or phone alone in my hotel room.
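As an added example (my own script, not something from the original post or from Private Internet Access), here is a PowerShell audit that checks a Windows laptop against the firewall, Bluetooth and single-network-path items in that list and can optionally apply them. It assumes an elevated PowerShell session, and it assumes the VPN client exposes a virtual network adapter whose description matches the `-VpnAdapterPattern` placeholder (a guess; adjust it for your client). The `-Enforce` switch is a name I chose here, not a real flag of any product.

```powershell
# Added example: audit a Windows laptop's "conference posture" before
# joining hostile WiFi. Run from an elevated PowerShell 5.1+ prompt.
# Assumption: the VPN client's virtual adapter matches $VpnAdapterPattern.
[CmdletBinding()]
param(
    [string]$VpnAdapterPattern = '*VPN*',   # placeholder pattern, adjust per client
    [switch]$Enforce                        # apply fixes instead of only reporting
)

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Firewall: every profile on, and inbound connections blocked by default.
foreach ($p in Get-NetFirewallProfile) {
    if (-not $p.Enabled -or $p.DefaultInboundAction -ne 'Block') {
        $findings.Add("Firewall profile '$($p.Name)': Enabled=$($p.Enabled), " +
                      "DefaultInboundAction=$($p.DefaultInboundAction)")
        if ($Enforce) {
            Set-NetFirewallProfile -Name $p.Name -Enabled True -DefaultInboundAction Block
        }
    }
}

# 2. Bluetooth: any Bluetooth-class device that is still active is a radio
#    or a pairing you do not need on the show floor.
$bt = Get-PnpDevice -Class Bluetooth -Status OK -ErrorAction SilentlyContinue
foreach ($d in $bt) {
    $findings.Add("Bluetooth device still enabled: $($d.FriendlyName)")
    if ($Enforce) { Disable-PnpDevice -InstanceId $d.InstanceId -Confirm:$false }
}

# 3. Network adapters: only the Wi-Fi NIC and the VPN tunnel should be up,
#    which is what "airplane mode, then WiFi only" leaves you with.
foreach ($a in Get-NetAdapter | Where-Object { $_.Status -eq 'Up' }) {
    $isWifi = $a.PhysicalMediaType -eq 'Native 802.11'
    $isVpn  = $a.InterfaceDescription -like $VpnAdapterPattern
    if (-not ($isWifi -or $isVpn)) {
        $findings.Add("Unexpected active adapter: $($a.Name) ($($a.InterfaceDescription))")
        if ($Enforce) { Disable-NetAdapter -Name $a.Name -Confirm:$false }
    }
}

# 4. VPN tunnel actually up; the client's kill switch protects nothing if the
#    tunnel was never established in the first place.
$vpn = Get-NetAdapter | Where-Object {
    $_.InterfaceDescription -like $VpnAdapterPattern -and $_.Status -eq 'Up'
}
if (-not $vpn) {
    $findings.Add("No active VPN adapter matching '$VpnAdapterPattern'")
}

# Report. A clean run means: inbound blocked, Bluetooth off, only Wi-Fi + VPN up.
if ($findings.Count -eq 0) {
    Write-Output 'Travel posture OK: inbound blocked, Bluetooth off, only Wi-Fi and VPN up.'
} else {
    Write-Output 'Findings:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Run it once without `-Enforce` to see what it would change, then with `-Enforce` to apply. Two things it deliberately cannot check: the VPN app's own "disconnect if the tunnel drops" setting lives inside the client, not in Windows, and nothing here touches the phone, whose mobile-data and NFC toggles are a separate manual step.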

Combined, this probably rates as overkill–unless the National Security Agency or a comparable nation-state actor has developed an intense interest in me, in which case I’m probably doomed. Using a VPN alone on the conference WiFi should keep my data secure from eavesdropping attempts, on top of the fact that all the sites I use for work already encrypt their connections.

But for my first trip here, I figured I’d rather err on the side of paranoia. (You’re welcome to make your case otherwise in the comments.)

Then I showed up and saw that everybody else had brought the usual array of devices. And a disturbing number of them weren’t even bothering to use encryption for things as basic as e-mail.

Weekly output: net neutrality, cybersecurity advice, Photobucket

In an alternate universe, I’d be heading to New York Tuesday for CE Week, but I had a panel invitation here and none there. I also recalled how low-key last year’s conference was, so I decided to stick around here after I’d already put in for a press pass. To everybody who’s pitched me about their CE Week exhibits or events (which seem to be more numerous than last year’s): Sorry!

7/3/2017: How open-internet rules are actually helping consumers, Yahoo Finance

Yet another net-neutrality post? Yes. This one covered two angles I had not addressed adequately before. One is how Internet providers’ own deployment figures show they’ve kept on expanding their networks after the advent of open-Internet rules. The other is the poor odds of a small ISP getting the time of day from a major streaming-media service, much less inking a paid-prioritization deal that would yield enough money to finance broadband buildout.

7/3/2017: ICD Brief 47, International Cybersecurity Dialogue

This group’s newsletter quoted my critique of the cybersecurity lessons offered in a French TV report. I didn’t find it much more helpful than much of the infosec advice you’ll see in mainstream coverage.

7/7/2017: The big lesson from Photobucket’s ‘ransom images’ debacle, Yahoo Finance

It’s been years since I last uploaded any pictures to Photobucket, but only a decade ago it led the market for online image sharing. Its subsequent descent into a) becoming an ad-choked hell and b) demanding that free users who had accepted its invitation to embed their photos elsewhere switch to paying $400 a year is sad on a lot of levels.