Weekly output: security attitudes at Black Hat, American Airlines bullish on Boom, Visible changes plans, business cybersecurity worries, Mark Vena podcast

With our kid going back to school a week from Monday, this is my last week of day-camp-commute driving for the year.

8/16/2022: As Black Hat security conference turns 25, a lesson: security doesn’t have an end point, USA Today

I didn’t finish writing this recap until leaving Vegas and using that conference’s video-on-demand option to watch the panel I’d most regretted missing.

8/16/2022: American Airlines Puts Down Deposit on 20 Boom Supersonic Overture Jets, PCMag

Once again, Boom Supersonic had news of an airline order for its Overture jet land unaccompanied by news of an engine design, so this time I reminded readers of how long two recent jet engines took to enter revenue service.

8/17/2022: Visible Reshuffles Plans: No More Party Pay, But Solo Service Is Now $10 Cheaper, PCMag

Visible is taking a page out of its parent firm Verizon’s book by having more than one plan with “unlimited” data.

8/18/2022: What Do Business Execs Worry About Most? Getting Hacked, PCMag

A PricewaterhouseCoopers survey finding that business executives worry most about information security shouldn’t be news… except that none of PwC’s previous surveys of suits had found infosec to be their top anxiety.

8/19/2022: S02 E34 – SmartTechCheck Podcast, Mark Vena

Recording this week’s episode of the podcast hit a few technical glitches, and for once they weren’t on my end.


Weekly output: LinkNYC, Google renews RCS plea, Chris Krebs at Black Hat, 5G explainer, Cyber Safety Review Board, Web3 security

After a week on the West Coast, including four days in Las Vegas for the Black Hat security conference, I now have two weeks of not going anywhere. Which is good!

8/8/2022: LinkNYC begins deploying 5G kiosks – but not yet with 5G inside, Light Reading

After too many months of not writing for this telecom trade-pub client, I filed this update on New York rebooting its LinkNYC effort to bring free WiFi and digital city services to individual blocks.

8/9/2022: Google Posts Yet Another Plea for Apple to Support RCS Messaging in iMessage, PCMag

Google makes fair points when it calls out Apple for hindering the quality and privacy of cross-platform text messaging by not supporting the RCS messaging standard in iMessage. But Google hurts its cause by not supporting RCS in Google Voice–or even explaining that hangup. Also unhelpful: Google has yet to ship an API that would let the developers of Signal and other third-party messaging apps support RCS.

8/10/2022: Ex-CISA Chief’s Advice at Black Hat: Make Security Valuable and Attacks Costly, PCMag

I covered the keynote by former Cybersecurity and Infrastructure Security Agency head Chris Krebs that opened Black Hat. His talk ended on a self-help note, as he advised his audience: “Life’s too short to work for assholes. So don’t.” And yet Krebs worked for President Trump from 2018 through 2020, when Trump fired him for correctly confirming that the 2020 election was run fairly and securely; that could not have been easy for him.

8/11/2022: What Is 5G, and Does It Actually Make a Difference?, Wirecutter

I wrote yet another 5G explainer, this time for the New York Times’ Wirecutter site.

8/11/2022: How a US Govt Board Helped the Open-Source Community Leap to Patch Log4j, PCMag

As the token Washingtonian among PCMag’s crew of writers, I had to write up this very Washington panel about the first test of the Cyber Safety Review Board–an organization set up as an infosec version of the National Transportation Safety Board.

8/12/2022: Why Is Web3 Security Such a Garbage Fire? Let Us Count the Ways, PCMag

This talk about a series of security meltdowns at blockchain-based sites and services had more than a few unintentional-comedy moments.

8/12/2022: The 14 Scariest Things We Saw at Black Hat 2022, PCMag

My contribution to this recap was the “Startups Shirk Security” section.

Updated 8/21/2022 to add the PCMag Black Hat recap.

Conference VOD: one half-decent thing we’ve gotten out of the pandemic

LAS VEGAS

The Black Hat security conference that wrapped up here once again left me wishing I could clone myself for a few days. Its info-dense schedule put as many as nine briefings in the same timeslot, requiring me to make some tough choices and hope that I’d picked a presentation that would yield enough news and insights to turn into an article.

(Spoiler alert: I did not always choose wisely.)

In the Before Times, the panels that I had to skip would have been lost to me until the event organizers uploaded video of them to Black Hat’s YouTube channel, often months later. But this year’s conference, run like last year’s as a hybrid in-person/online event, came with both streaming access to panels as they happened and video-on-demand playback 48 hours later for attendees.

This conference, unlike too many I’ve attended, also continues to post the presentations of speakers, so attendees don’t need to take pictures of every statistic-filled slide for posterity.

So I can treat my conference FOMO and see what I missed much sooner than I could have before. That’s one small side benefit of conferences having to make themselves open to remote attendees, a welcome democratization of events that in a better world would have happened without the pressure of a worldwide pandemic. It’s also personally convenient today because I’m already getting asked on Twitter about Black Hat briefings that I did not get to.

I do, however, still need to remember to catch up on these briefings before the 30-day window to watch them expires–the mistake I made last summer, when I had a much less busy schedule.

8/14/2022: I updated this to add a compliment to the Black Hat organizers for posting speakers’ presentations.

Weekly output: Starlink, spectrum coordination, flight delays (x2), T-Mobile and Verizon 5G home broadband, Mark Vena podcast

About one year later than I’d planned, I’m flying to Las Vegas Tuesday to cover the Black Hat information-security conference. Two big factors in my deciding to go ahead with that trip this year: My kid is now vaccinated and boosted, while I had Covid barely seven weeks ago.

8/2/2022: SpaceX’s Starlink has soared, but a course correction may be on the horizon, Fast Company

More weeks ago than I’d like to admit, one of my editors asked if I could do a more in-depth look at the progress of SpaceX’s Starlink low-Earth-orbit broadband constellation. A day after this piece ran, Reddit’s ever-informative r/starlink served up new evidence of capacity issues at this service: a new rate plan in France that cuts the monthly rate in half but imposes a 250 GB threshold for possible speed deprioritization.

8/2/2022: 2 Key Federal Telecom Agencies Promise to Play Nice With Wireless Spectrum, PCMag

Two federal offices about two miles apart in D.C. pledged to work better together in spectrum planning. That might seem like an obvious thing to do, but the Federal Communications Commission and the National Telecommunications and Information Administration last updated this memorandum of understanding in 2003.

8/3/2022: Don’t Get Stranded: How to Watch for Flight Delays and Get Around Them, PCMag

A discussion on PCMag’s Slack workspace about coping with travel hiccups led to me asking if I could write this story, and not just because I’d like to recoup my added travel costs from my unplanned extra night in Toronto in June.

8/3/2022: How Verizon ‘fixed wireless’ and T-Mobile home broadband is converting cable customers, USA Today

After a reality-check interview with an analyst who reminded me that fiber scales so much better to meet demand than fixed wireless can, this column on the progress of T-Mobile and Verizon’s 5G-based home broadband got a bit less enthusiastic about its potential.

8/4/2022: S02 E32 – SmartTechCheck Podcast, Mark Vena

My main contribution to this discussion was talking about my Starlink story, but if you watch the video of the podcast you can also see me scowl at a Lightning cable.

8/5/2022: DOT Moves to Strengthen Rules on Refunds for Flight Changes, Cancellations, PCMag

Speaking of travel delays, I returned to the subject to cover a set of proposed Department of Transportation rules that would clarify what counts as a significant schedule change and a cancelled flight–and require either non-expiring trip credits or straight-up refunds for travel canceled because of a future pandemic.

Black Hat pitches increasingly resemble CES pitches

When I’m spending a sunny Saturday in front of my computer, the usual reason is that it’s beastly hot outside. But today I have an additional, also seasonally-specific reason: I’m overdue to look over and make some decisions about all of the Black Hat meeting requests that have been piling up in my inbox.

A view of the Las Vegas Strip from the Foundation Room atop the Mandalay Bay hotel--a common event venue for both CES and Black Hat receptions.

Unlike last summer, I actually am going to this information-security conference in Las Vegas. And many more infosec companies seem to have made the same decision, leading to a flood of e-mails from their publicists asking if I’d like to set up a meeting while I’m in Vegas. How many? Over the last month, I’ve received 134 messages mentioning Black Hat, a number that makes me think of the annual deluge of CES PR pitches.

(Sorry, the total is now 135.)

Just like at CES, accepting even half of these invitations would leave me almost no time to do anything else at the conference. But where at CES I need to save time to gawk at gadgets on and off the show floor–and to get from venue to venue at that sprawling event–at Black Hat I want to save time to watch this conference’s briefings.

In the two prior years I’ve gone to Black Hat, I’ve found that the talks there have an exceptionally high signal-to-noise ratio. And since a coherent and entertaining explanation of a vulnerability in a widely used app, service or device is something that’s relatively easy to sell as a story, I also have an economic incentive to hold off on taking any meeting requests until the organizers post the briefings schedule–which this year only happened barely two weeks ago.

In other words, now I’m out of excuses to deal with these pitches. Which I could have done this afternoon had I not waited until this afternoon to write this post…

8/24/2022: Fixed the typo in the headline that nobody seems to have noticed until my wife asked about it today.

Weekly output: shipboard IoT, ransomware versus cruise lines, CNN blocks Australia from its Facebook pages

Hello, fourth quarter of 2021; goodbye, Washington Nationals 2021 baseball season.

9/29/2021: IoT: The Future of Operational Efficiency, Seatrade Cruise Global

This hybrid panel–I’m pretty sure it’s the first one I’ve ever done–had Stanislaw Schmal, director of data analytics and AI at Lufthansa Industry Solutions, sitting alongside me on the stage in a room at the Miami Beach Convention Center. Two other cruise-industry executives participated via streaming video: Matthew Denesuk, senior vice president for data analytics & artificial intelligence at Royal Caribbean Group, and Francesco Pugliese, corporate business innovation director for MSC Cruises. We covered many different topics, but as a repeat data-breach victim I most appreciated Schmal’s plea for more companies to practice data minimization.

9/29/2021: Ransomware and Maritime Cyber Security in the Post-Pandemic World, Seatrade Cruise Global

For my second panel at this cruise-industry convention, Mandiant director Pat McCoy spoke in person while Georgios Mortakis, vice president for enterprise technology operations and chief information security officer at NCLH, joined via video. Jairo Orea, global chief information security officer at Royal Caribbean Group, was a last-minute scratch; having enjoyed a prep call with him beforehand, I’m sorry he couldn’t make it.

9/29/2021: CNN Blocks Aussies From Its Facebook Pages, Citing New Liability Ruling, PCMag

I wrote most of this from the speaker room at Seatrade before my two panels, then finished and filed it afterwards before getting lunch. Once again, telling myself “no eating until filing” motivated me to get copy from my screen to an editor’s.

My next in-person tech conference will have to wait a little longer

Next week was going to feature a conference badge and triple-digit temperatures, and now the only way I’ll get any of those things is if the forecast for D.C. turns out to be completely off.

Barely a month after I’d booked flights and a (refundable) hotel room for the Black Hat security conference, convinced that this security gathering in Las Vegas would represent my first in-person conference since February of 2020, I cancelled those bookings this week. Instead of flying to Nevada to take notes in the middle of a physical audience and then network in person at a series of receptions, I’ll follow the briefings online and then connect with nobody new as I have dinner at home.

It wasn’t any one thing about this conference happening in the middle of a not-yet-over pandemic that led me to bag this trip, even though I’ve been fully vaccinated since late May; it was all the things.

First, while I would expect most information-security professionals to evaluate their risks intelligently and therefore have gotten vaccinated long ago, there’s always going to be the exceptions.

Second, Black Hat is like everything else in Vegas in August in that it must exist in a series of air-conditioned bubbles. And while I wouldn’t have a problem wearing a mask while watching briefings, staying masked-up is a lot harder at a conference reception.

Third, Vegas has a giant tourist demographic that self-selects for poor risk management, raising the odds of me sharing an elevator or check-in line with some hard-partying idiot who has made pandemic denial part of his personal political brand.

Fourth, the city itself has a depressingly low vaccination rate, with only 41% of Clark County residents fully vaccinated. Seeing that many people spend that many months declining to use the best tool we have against the pandemic does not make me want to go to their city and spend my money.

The odds remain pretty low, as I understand them, that I would pick up the Delta variant of the novel coronavirus over those two days and change in Vegas. But when one of the people I’d see afterwards would be my not-yet-vaccine-eligible 11-year-old daughter, I can’t justify the risk posed by what strikes me as an especially bad scenario compared to any of the events I’m contemplating for later this year.

So even while I have resumed some business travel, it’s going to be a little while longer before I come home with a new conference badge to add to the collection that’s now been collecting dust for a year and a half.

Weekly output: small telecom firms dropping pay TV, remote-working security, Facebook bias allegations

This week brought bad news on the client front: Glimmer, the tech-culture publication where I’ve enjoyed writing long features about such wonky topics as Google’s complex relationship with news publishers, did not survive a round of layoffs at its corporate parent Glitch. As crummy as this was for me, it was worse for my editor there who now finds herself unemployed.

5/18/2020: Small TV providers need to hold customers’ hands to exit TV, FierceVideo

This story took much longer to report than I expected, mainly because I had a hard time getting enough of the small number of tiny Internet providers to have dropped pay TV outright to return my calls or e-mails.

5/19/2020: Session 3 Security Panel, Futureproof IT

In my first virtual-conference panel, I talked about security issues with remote-work software (via Zoom, naturally) with Secureframe CEO Shrav Mehta, Splunk senior technology advocate Amélie Erin Koran, and freelance tech journalist Yael Grauer.

5/22/2020: Facebook bias allegations, Al Jazeera

The Arabic-language news network had me to discuss complaints that Facebook is blocking pro-Palestinian speech. That’s not an allegation I’ve seen confirmed independently–it’s not hard to find pages advocating for Palestine and against Israel’s occupation–but I spent most of my time on air emphasizing the general difficulty of content moderation at scale. I hope my effort at nuance was as persuasive in the interpreter’s rendition.

Updated 6/30/2020 with the screengrab from the Futureproof IT site that I forgot to add the first time.

This is the most interesting conference badge I’ve worn

LAS VEGAS–I’ve spent the last two days wearing a circular circuit board topped with a slab of quartz, which is not just normal but required behavior to attend the DEF CON security conference here.

I had heard upfront that DEF CON badges–available only for $300 in cash, no comped press admission available–were not like other conference badges. But I didn’t realize how much they differed until I popped the provided watch battery into my badge (of course, I put it in wrong side up on the first try), threaded the lanyard through the badge, and soon had other attendees asking if they could tap their badges against mine.

These badges designed by veteran hacker Joe Grand include their own wireless circuitry and embedded software that causes them to light up when held next to or close to other badges. As you do this with other attendees of various classes–from what I gathered, regular attendees have badges with white quartz, press with green, vendors with purple, and speakers with red–you will unlock other functions of the badge.

What other functions, I don’t know and won’t find out, as I’m now headed back from the event. That’s one way in which I’m a DEF CON n00b, the other being that I didn’t wear any other badges soldered together from circuit boards, LEDs and other electronic innards.

(Update: Saturday evening, Grand, aka “Kingpin,” posted detailed specifics about his creation, including source code and slides from a talk I’d missed.)

You might expect me to critique the unlabeled DEF CON badge for flunking at the core task of announcing your name to others, but forced disclosure is not what this event is about–hence the restriction to cash-only registration. And since I have mini business cards, this badge met another key conference-credential task quite well: The gap between the circuit board and the lanyard was just the right size to hold a stash of my own cards.

Weekly output: Facebook customer dissatisfaction, Facebook meddling in the Middle East (x3)

Tuesday has me departing for Las Vegas for the Black Hat and DEF CON information-security conferences, aka Hacker Summer Camp. In addition to the usual risk of getting pwned, this year I and other attendees will also have to deal with a plague of grasshoppers.

7/30/2019: Study shows Facebook’s customer-satisfaction scores plunging, Yahoo Finance

A new survey from the American Customer Satisfaction Index showed people’s contentment with Facebook plummeting to depths you could call Comcastic–except the cable company still rated lower in ACSI research earlier this year. If this post seems somewhat familiar, you may remember me writing up a similar set of ACSI findings in 2010. The issue of what we’ve learned about Facebook in the intervening years is left as an exercise for the reader.

8/1/2019: Facebook catches meddling from Saudi Arabia, United Arab Emirates, Egypt, Al Jazeera

The Arabic-language news channel had me on air live–twice in this day–to talk about Facebook’s announcement that it had booted hundreds of accounts and pages run out of Saudi Arabia, the United Arab Emirates and Egypt for “coordinated inauthentic behavior,” its phrase for disinformation campaigns.

8/2/2019: Facebook catches meddling from Saudi Arabia, United Arab Emirates, Egypt, Al Jazeera

Saudi Arabia misbehaving on social media put the Qatari network into flood-the-zone mode–not difficult to understand, given the enmity between the kingdom and Qatar–and so AJ had me on for a second day in a row to talk about this story. If you don’t care about Gulf politics, please consider that the Facebook-meddling move here of impersonating local news sources could work in the many U.S. cities and towns now starved for local news coverage.