Weekly output: shipboard IoT, ransomware versus cruise lines, CNN blocks Australia from its Facebook pages

Hello, fourth quarter of 2021; goodbye, Washington Nationals 2021 baseball season.

Photo of a monitor showing the participants of the first panel I moderated at the Seatrade Cruise Global convention in Miami Beach.

9/29/2021: IoT: The Future of Operational Efficiency, Seatrade Cruise Global

This hybrid panel–I’m pretty sure it’s the first one I’ve ever done–had Stanislaw Schmal, director of data analytics and AI at Lufthansa Industry Solutions, sitting alongside me on the stage in a room at the Miami Beach Convention Center. Two other cruise-industry executives participated via streaming video: Matthew Denesuk, senior vice president for data analytics & artificial intelligence at Royal Caribbean Group, and Francesco Pugliese, corporate business innovation director for MSC Cruises. We covered many different topics, but as a repeat data-breach victim I most appreciated Schmal’s plea for more companies to practice data minimization.

9/29/2021: Ransomware and Maritime Cyber Security in the Post-Pandemic World, Seatrade Cruise Global

For my second panel at this cruise-industry convention, Mandiant director Pat McCoy spoke in person while Georgios Mortakis, vice president for enterprise technology operations and chief information security officer at NCLH, joined via video. Jairo Orea, global chief information security officer at Royal Caribbean Group, was a last-minute scratch; having enjoyed a prep call with him beforehand, I’m sorry he couldn’t make it.

9/29/2021: CNN Blocks Aussies From Its Facebook Pages, Citing New Liability Ruling, PCMag

I wrote most of this from the speaker room at Seatrade before my two panels, then finished and filed it afterwards before getting lunch. Once again, telling myself “no eating until filing” motivated me to get copy from my screen to an editor’s.

My next in-person tech conference will have to wait a little longer

Next week was going to feature a conference badge and triple-digit temperatures, and now the only way I’ll get any of those things is if the forecast for D.C. turns out to be completely off.

Barely a month after I’d booked flights and a (refundable) hotel room for the Black Hat security conference, convinced that this security gathering in Las Vegas would represent my first in-person conference since February of 2020, I cancelled those bookings this week. Instead of flying to Nevada to take notes in the middle of a physical audience and then network in person at a series of receptions, I’ll follow the briefings online and then connect with nobody new as I have dinner at home.

It wasn’t any one thing about this conference happening in the middle of a not-yet-over pandemic that led me to bag this trip, even though I’ve been fully vaccinated since late May; it was all the things.

First, while I would expect most information-security professionals to evaluate their risks intelligently and therefore have gotten vaccinated long ago, there are always going to be exceptions.

Second, Black Hat is like everything else in Vegas in August in that it must exist in a series of air-conditioned bubbles. And while I wouldn’t have a problem wearing a mask while watching briefings, staying masked-up is a lot harder at a conference reception.

Third, Vegas has a giant tourist demographic that self-selects for poor risk management, raising the odds of me sharing an elevator or check-in line with some hard-partying idiot who has made pandemic denial part of his personal political brand.

Fourth, the city itself has a depressingly low vaccination rate, with only 41% of Clark County residents fully vaccinated. Seeing that many people spend that many months declining to use the best tool we have against the pandemic does not make me want to go to their city and spend my money.

The odds remain pretty low, as I understand them, that I would pick up the Delta variant of the novel coronavirus over those two days and change in Vegas. But when one of the people I’d see afterwards would be my not-yet-vaccine-eligible 11-year-old daughter, I can’t justify the risk posed by what strikes me as an especially bad scenario compared to any of the events I’m contemplating for later this year.

So even while I have resumed some business travel, it’s going to be a little while longer before I come home with a new conference badge to add to the collection that’s now been collecting dust for a year and a half.

Weekly output: small telecom firms dropping pay TV, remote-working security, Facebook bias allegations

This week brought bad news on the client front: Glimmer, the tech-culture publication where I’ve enjoyed writing long features about such wonky topics as Google’s complex relationship with news publishers, did not survive a round of layoffs at its corporate parent Glitch. As crummy as this was for me, it was worse for my editor there who now finds herself unemployed.

5/18/2020: Small TV providers need to hold customers’ hands to exit TV, FierceVideo

This story took much longer to report than I expected, mainly because I had a hard time getting enough of the small number of tiny Internet providers to have dropped pay TV outright to return my calls or e-mails.

5/19/2020: Session 3 Security Panel, Futureproof IT

In my first virtual-conference panel, I talked about security issues with remote-work software (via Zoom, naturally) with Secureframe CEO Shrav Mehta, Splunk senior technology advocate Amélie Erin Koran, and freelance tech journalist Yael Grauer.

5/22/2020: Facebook bias allegations, Al Jazeera

The Arabic-language news network had me on to discuss complaints that Facebook is blocking pro-Palestinian speech. That’s not an allegation I’ve seen confirmed independently–it’s not hard to find pages advocating for Palestine and against Israel’s occupation–but I spent most of my time on air emphasizing the general difficulty of content moderation at scale. I hope my effort at nuance was as persuasive in the interpreter’s rendition.

Updated 6/30/2020 with the screengrab from the Futureproof IT site that I forgot to add the first time.

This is the most interesting conference badge I’ve worn

LAS VEGAS–I’ve spent the last two days wearing a circular circuit board topped with a slab of quartz, which is not just normal but required behavior to attend the DEF CON security conference here.

DEF CON 27 badge

I had heard upfront that DEF CON badges–available only for $300 in cash, no comped press admission available–were not like other conference badges. But I didn’t realize how much they differed until I popped the provided watch battery into my badge (of course, I put it in wrong side up on the first try), threaded the lanyard through the badge, and soon had other attendees asking if they could tap their badges against mine.

These badges designed by veteran hacker Joe Grand include their own wireless circuitry and embedded software that causes them to light up when held next to or close to other badges. As you do this with other attendees of various classes–from what I gathered, regular attendees have badges with white quartz, press with green, vendors with purple, and speakers with red–you will unlock other functions of the badge.

What other functions, I don’t know and won’t find out, as I’m now headed back from the event. That’s one way in which I’m a DEF CON n00b, the other being that I didn’t wear any other badges soldered together from circuit boards, LEDs and other electronic innards.

(Update: Saturday evening, Grand, aka “Kingpin,” posted detailed specifics about his creation, including source code and slides from a talk I’d missed.)

You might expect me to critique the unlabeled DEF CON badge for flunking at the core task of announcing your name to others, but forced disclosure is not what this event is about–hence the restriction to cash-only registration. And since I have mini business cards, this badge met another key conference-credential task quite well: The gap between the circuit board and the lanyard was just the right size to hold a stash of my own cards.

Weekly output: Facebook customer dissatisfaction, Facebook meddling in the Middle East (x3)

Tuesday has me departing for Las Vegas for the Black Hat and DEF CON information-security conferences, aka Hacker Summer Camp. In addition to the usual risk of getting pwned, this year I and other attendees will also have to deal with a plague of grasshoppers.

Yahoo Facebook ACSI post

7/30/2019: Study shows Facebook’s customer-satisfaction scores plunging, Yahoo Finance

A new survey from the American Customer Satisfaction Index showed people’s contentment with Facebook plummeting to depths you could call Comcastic–except the cable company still rated lower in ACSI research earlier this year. If this post seems somewhat familiar, you may remember me writing up a similar set of ACSI findings in 2010. The issue of what we’ve learned about Facebook in the intervening years is left as an exercise for the reader.

8/1/2019: Facebook catches meddling from Saudi Arabia, United Arab Emirates, Egypt, Al Jazeera

The Arabic-language news channel had me on air live–twice in this day–to talk about Facebook’s announcement that it had booted hundreds of accounts and pages run out of Saudi Arabia, the United Arab Emirates and Egypt for “coordinated inauthentic behavior,” its phrase for disinformation campaigns.

8/2/2019: Facebook catches meddling from Saudi Arabia, United Arab Emirates, Egypt, Al Jazeera

Saudi Arabia misbehaving on social media put the Qatari network into flood-the-zone mode–not difficult to understand, given the enmity between the kingdom and Qatar–and so AJ had me on for a second day in a row to talk about this story. If you don’t care about Gulf politics, please consider that the Facebook-meddling move here of impersonating local news sources could work in the many U.S. cities and towns now starved for local news coverage.

Weekly output: cybersecurity, pay-TV satisfaction, U.S. vs. Huawei, personal air transport, open-source SaaS, Collision conference

I don’t have to fly anywhere Monday, which seems a cause for joy after the last six weeks of travel.

5/21/2019: Cybersecurity: In search of the Holy Grail?, Collision

This somewhat broad description yielded a talk on what we’re doing wrong in infosec with defy.vc managing director Trae Vassallo, Veracode co-founder Chris Wysopal, 4iQ CEO Monica Pal, and Emerson Collective managing director (and former Democratic National Committee CTO) Raffi Krikorian. I will add a link to video of this (and the other panels I moderated in Toronto) whenever the organizers post it; in the meantime, enjoy the picture by my friend John Ulaszek.

5/21/2019: Comcast, DirecTV and others suffer another round of low customer satisfaction scores, FierceVideo

I wrote up the latest findings of the American Customer Satisfaction Index survey for my occasional trade-publication client FierceVideo.

5/21/2019: U.S. vs. Huawei, Al Jazeera

I talked to AJ’s Arabic-language news channel about the growing isolation of the Chinese telecom firm via Skype from the Collision speaker-prep lounge; if you watched this hit live, that setting should explain the dull backdrop.

5/22/2019: The race to rule the skies, Collision

My second Collision panel featured Gwen Lighter, founder and CEO of the GoFly competition, and Ben Marcus, co-founder of the drone-cartography firm AirMap, talking about efforts to enable personal air transportation.

5/23/2019: Open source in the SaaS era, Collision

Panel number three of this week called for me to interview MongoDB CTO Eliot Horowitz, and that proved harder than I’d expected: The stage acoustics made it difficult for me to hear complete sentences from him.

5/24/2019: At Collision conference, Facebook and the rest of tech gets taken to task once again, USA Today

I wrote a recap of the conference for USAT that noted the general distaste for Facebook’s reach and conduct as well as the lack of certainty over what, exactly, we should do about that company.

Updated 6/29/2019 to add links to videos of my Collision panels.

Weekly output: #DIV/0!

For the first time since two Augusts ago, I have no new bylines in a week. I did file one story, not yet posted, and get much of the reporting done for two others–after losing much of the first two days from having our schools closed after last weekend’s snowstorm–but it’s still annoying to have this post equate to a divide-by-zero error.

And that happened even though I worked for a good chunk of this weekend: I spent most of Saturday at the Shmoocon cybersecurity conference in D.C. I connected with people much better-informed than me, picked up some useful insights that I hope to turn into a post, caught up with an old friend, and enjoyed spotting the hilarious National Security Agency recruitment ad pictured at right. (No, I did not plug in my phone.)

Having this con take place at the Washington Hilton provided a bonus level of amusement. I’ve been at the venue Washingtonians call the Hinckley Hilton for many other events, but none had involved so many people with hair dyed interesting colors and on-message t-shirts (e.g., “Crypto means cryptography”). That was an excellent change-up from this hotel’s usual overdressed look.

2018 in review: security-minded

I spent more time writing about information-security issues in 2018 than in any prior year, which is only fair when I think about the security angles I and many other people missed in prior years.

Exploring these issues made me realize how fascinating infosec is as a field of study–interface design, business models, human psychology and human villainy all intersect in this area. Plus, there’s real market demand for writing on this topic.

2018 calendar

I did much of this writing for Yahoo, but I also picked up a new client that let me get into the weeds on security issues. Well after two friends had separately suggested I start writing for The Parallax–and after an e-mail or two to founder Seth Rosenblatt had gone unanswered–I spotted Seth at the Google I/O press lounge, introduced myself, and came home with a couple of story assignments.

(Lesson re-learned: Sometimes, the biggest ROI from going to a conference consists of the business-development conversations you have there.)

Having this extra outlet helped diversify my income, especially during a few months when too many story pitches elsewhere suffered from poor product-market fit. My top priority for 2019 is further diversification: The Parallax is funded by a single sponsor, the Avast security-software firm, which on one hand frees it from the frailty of conventional online advertising but on the other leaves it somewhat brittle.

I’d also like to speak more often at conferences. Despite being half-terrified of public speaking in high school, I’ve become pretty good at what I think of as the performance art of journalism. This took me some fun places in 2018, including my overdue introduction to Toronto. (See after the jump for a map of my business travel.)

My focus on online security and privacy extended to my own affairs. In 2018, I made Firefox my default browser and set its default search to DuckDuckGo, cut back on Facebook’s access to my data, and disabled SMS two-step verification on my most important accounts in favor of app or U2F security-key authentication.

At Yahoo, it’s now been more than five years since my first byline there–and with David Pogue’s November departure to return to the New York Times, I’m the last original Yahoo Tech columnist still writing for Yahoo. My streak is even longer at USA Today, where I just hit my seventh anniversary of writing for the site (and sometimes the paper). Permanence of any sort is not a given in freelance journalism, and I appreciate that these two places have not gotten bored with me.

I also appreciate or at least hope that you reading this haven’t gotten bored with me. I’d like to think this short list of my favorite work of 2018 had something to do with that.

Thanks for reading; please keep doing so in 2019.


Black Hat priorities: don’t get pwned, do get work done

LAS VEGAS–I took my own phone and laptop to the Black Hat USA security conference here, which is often held out as a bad idea.

Before I flew out to Vegas Tuesday, I got more than a few “Are you bringing a burner phone?” and “Are you leaving your laptop at home?” questions.

Black Hat backdrop

But bringing burner hardware means dealing with a different set of security settings and doesn’t address the risk of compromise of social-media accounts. And writing thousand-word posts on my phone risks compromising my sanity.

So here’s what I did with my devices instead:

  • Put my laptop in airplane mode, then enabled only WiFi to reduce the PC’s attack surface to that minimum.
  • For the same reason, turned off Bluetooth and NFC on my phone.
  • Set the Windows firewall to block all inbound connections.
  • Used a loaner Verizon hot spot for all my data on both my laptop and phone–I even disabled mobile data on the latter gadget, just in case somebody set up a malicious cell site.
  • Connected only through a Virtual Private Network on both devices, each of which was set to go offline if the Private Internet Access app dropped that encrypted connection.
  • Did not plug in a USB flash drive or charge my phone through anything but the chargers I brought from home.
  • Did not download an update, install an app, or type in a password.
  • Did not leave my laptop or phone alone in my hotel room.
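The Windows half of that checklist can be scripted rather than clicked through. The PowerShell below is an added example, not code from the original post or from any VPN vendor: it turns off Bluetooth, sets the firewall to block inbound connections by default, and implements the “go offline if the VPN drops” behaviour at the firewall level by blocking all outbound traffic except the VPN handshake to one endpoint and whatever leaves through the tunnel adapter. The endpoint address, UDP port, and adapter aliases are placeholders I made up; check Get-NetAdapter and your VPN client’s settings for the real values. Run it from an elevated PowerShell session.

```powershell
# Added example: harden a Windows laptop for a hostile conference network.
# Run as Administrator. Every value marked ASSUMPTION is a placeholder,
# not a setting taken from the original post or from any particular VPN client.

$VpnEndpoint = '203.0.113.10'            # ASSUMPTION: VPN server IP (an IP, not a hostname, so nothing needs DNS before the tunnel is up)
$VpnPort     = 1198                      # ASSUMPTION: UDP port the VPN client connects to
$VpnAdapter  = 'TAP-Windows Adapter V9'  # ASSUMPTION: alias of the VPN client's virtual adapter (see Get-NetAdapter)
$Uplink      = 'Wi-Fi'                   # ASSUMPTION: alias of the physical adapter that talks to the hot spot
$RulePrefix  = 'ConHarden'               # tag on every rule this script creates, so they can be found and removed

# 1. Radios: turn Bluetooth off entirely. Wi-Fi stays on because the hot spot needs it.
Get-PnpDevice -Class Bluetooth -Status OK -ErrorAction SilentlyContinue |
    Disable-PnpDevice -Confirm:$false

# 2. Drop rules left over from an earlier run so the script can be re-applied safely.
Get-NetFirewallRule -DisplayName "$RulePrefix*" -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# 3. Block inbound AND outbound by default on every profile. Blocking outbound
#    is what makes this a kill switch: nothing leaves the machine except through
#    the explicit allow rules below.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# 4. On the physical uplink, allow only what the tunnel needs to come up:
#    DHCP to get an address from the hot spot, and the VPN handshake itself.
New-NetFirewallRule -DisplayName "$RulePrefix DHCP out" -Direction Outbound -Action Allow `
    -InterfaceAlias $Uplink -Protocol UDP -LocalPort 68 -RemotePort 67 | Out-Null
New-NetFirewallRule -DisplayName "$RulePrefix VPN handshake" -Direction Outbound -Action Allow `
    -InterfaceAlias $Uplink -Protocol UDP -RemoteAddress $VpnEndpoint -RemotePort $VpnPort | Out-Null

# 5. Allow all outbound traffic on the tunnel adapter only. When the VPN
#    disconnects that adapter goes down, no allow rule matches, and the
#    machine is offline rather than silently back on the bare hot spot.
New-NetFirewallRule -DisplayName "$RulePrefix tunnel out" -Direction Outbound -Action Allow `
    -InterfaceAlias $VpnAdapter | Out-Null

# 6. Print the resulting state so it can be checked before trusting it.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
Get-NetFirewallRule -DisplayName "$RulePrefix*" | Select-Object DisplayName, Direction, Action, Enabled
```

To verify the kill switch, disconnect the VPN client and confirm that a `Test-NetConnection` to any outside host fails; to undo the whole thing afterwards, remove the rules whose names start with the prefix and set `-DefaultOutboundAction Allow` on each profile. Most VPN clients, Private Internet Access included, ship their own kill-switch option that installs vendor-specific rules; this script is the firewall-level equivalent that does not depend on the client staying running.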

Combined, this probably rates as overkill–unless the National Security Agency or a comparable nation-state actor has developed an intense interest in me, in which case I’m probably doomed. Using a VPN alone on the conference WiFi should keep my data secure from eavesdropping attempts, on top of the fact that all the sites I use for work already encrypt their connections.

But for my first trip here, I figured I’d rather err on the side of paranoia. (You’re welcome to make your case otherwise in the comments.)

Then I showed up and saw that everybody else had brought the usual array of devices. And a disturbing number of them weren’t even bothering to use encryption for things as basic as e-mail.

Weekly output: net neutrality, cybersecurity advice, Photobucket

In an alternate universe, I’d be heading to New York Tuesday for CE Week, but I had a panel invitation here and none there. I also recalled how low-key last year’s conference was, so I decided to stick around here after I’d already put in for a press pass. To everybody who’s pitched me about their CE Week exhibits or events (which seem to be more numerous than last year’s): Sorry!

7/3/2017: How open-internet rules are actually helping consumers, Yahoo Finance

Yet another net-neutrality post? Yes. This one covered two angles I had not addressed adequately before. One is how Internet providers’ own deployment figures show they’ve kept on expanding their networks after the advent of open-Internet rules. The other is the poor odds of a small ISP getting the time of day from a major streaming-media service, much less inking a paid-prioritization deal that would yield enough money to finance broadband buildout.

7/3/2017: ICD Brief 47, International Cybersecurity Dialogue

This group’s newsletter quoted my critique of the cybersecurity lessons offered in a French TV report. I didn’t find it much more helpful than much of the infosec advice you’ll see in mainstream coverage.

7/7/2017: The big lesson from Photobucket’s ‘ransom images’ debacle, Yahoo Finance

It’s been years since I last uploaded any pictures to Photobucket, but only a decade ago it led the market for online image sharing. Its subsequent descent into a) becoming an ad-choked hell and b) demanding that free users who had accepted its invitation to embed their photos elsewhere switch to paying $400 a year is sad on a lot of levels.