Weekly output: wireless service, Gmail phishing, social-media disinformation, DNA tests

I spent most of this week in Las Vegas for the Black Hat and first DEF CON security conferences. I knew Black Hat from last year, but covering its sponsor-free, community-run counterpart for the first time left me feeling overwhelmed at how much of it I’d missed after just the first day. The Flickr album I posted earlier today may give you a sense of that fascinating chaos.

8/7/2019: The Best Cell Phone Plans, Wirecutter

This update took longer than I thought it would, but it now benefits from a simpler set of usage estimates that better align with how much data most people use. This guide also features new recommendations for value-priced service and shared-usage plans.

8/8/2019: We keep falling for phishing emails, and Google just revealed why, Fast Company

I wrote up a Black Hat talk that revealed new insights about why people fall for phishing e-mails and reinforced old advice about the importance of securing essential accounts with the right kind of two-step verification.

8/9/2019: Fake calculations… an electronic weapon in the hands of autocratic government, Al Jazeera

I took part in an episode of AJ’s “From Washington” show with Ryan Grim of the Intercept and my former congressman Jim Moran (D.-Va.), discussing disinformation campaigns on social media. At one point, Moran paused to say “Ryan and Rob are extremely intelligent and informative,” which I trust was equally effusive overdubbed into Arabic. The conversation later pivoted to the political scenario in Sudan, a topic I am maybe as prepared to discuss as any regular reader of the Washington Post’s A section.

8/10/2019: DNA Test Kits: Everything You Need to Know, Tom’s Guide

In this first post for a new client, I went about 2,000 words into the weeds on the privacy, legal and mental-health risks of taking DNA tests that may create facts you’d wish you could uncreate. That’s not my last post on DNA testing for Tom’s Guide, so if you have questions I didn’t get to in this feature, please ask away.

This is the most interesting conference badge I’ve worn

LAS VEGAS–I’ve spent the last two days wearing a circular circuit board topped with a slab of quartz, which is not just normal but required behavior to attend the DEF CON security conference here.

I had heard upfront that DEF CON badges–available only for $300 in cash, no comped press admission available–were not like other conference badges. But I didn’t realize how much they differed until I popped the provided watch battery into my badge (of course, I put it in wrong side up on the first try), threaded the lanyard through the badge, and soon had other attendees asking if they could tap their badges against mine.

These badges designed by veteran hacker Joe Grand include their own wireless circuitry and embedded software that causes them to light up when held next to or close to other badges. As you do this with other attendees of various classes–from what I gathered, regular attendees have badges with white quartz, press with green, vendors with purple, and speakers with red–you will unlock other functions of the badge.

What other functions, I don’t know and won’t find out, as I’m now headed back from the event. That’s one way in which I’m a DEF CON n00b, the other being that I didn’t wear any other badges soldered together from circuit boards, LEDs and other electronic innards.

(Update: Saturday evening, Grand, aka “Kingpin,” posted detailed specifics about his creation, including source code and slides from a talk I’d missed.)

You might expect me to critique the unlabeled DEF CON badge for flunking at the core task of announcing your name to others, but forced disclosure is not what this event is about–hence the restriction to cash-only registration. And since I have mini business cards, this badge met another key conference-credential task quite well: The gap between the circuit board and the lanyard was just the right size to hold a stash of my own cards.

Weekly output: Facebook customer dissatisfaction, Facebook meddling in the Middle East (x3)

Tuesday has me departing for Las Vegas for the Black Hat and DEF CON information-security conferences, aka Hacker Summer Camp. In addition to the usual risk of getting pwned, this year I and other attendees will also have to deal with a plague of grasshoppers.

7/30/2019: Study shows Facebook’s customer-satisfaction scores plunging, Yahoo Finance

A new survey from the American Customer Satisfaction Index showed people’s contentment with Facebook plummeting to depths you could call Comcastic–except the cable company still rated lower in ACSI research earlier this year. If this post seems somewhat familiar, you may remember me writing up a similar set of ACSI findings in 2010. The issue of what we’ve learned about Facebook in the intervening years is left as an exercise for the reader.

8/1/2019: Facebook catches meddling from Saudi Arabia, United Arab Emirates, Egypt, Al Jazeera

The Arabic-language news channel had me on air live–twice in this day–to talk about Facebook’s announcement that it had booted hundreds of accounts and pages run out of Saudi Arabia, the United Arab Emirates and Egypt for “coordinated inauthentic behavior,” its phrase for disinformation campaigns.

8/2/2019: Facebook catches meddling from Saudi Arabia, United Arab Emirates, Egypt, Al Jazeera

Saudi Arabia misbehaving on social media put the Qatari network into flood-the-zone mode–not difficult to understand, given the enmity between the kingdom and Qatar–and so AJ had me on for a second day in a row to talk about this story. If you don’t care about Gulf politics, please consider that the Facebook-meddling move here of impersonating local news sources could work in the many U.S. cities and towns now starved for local news coverage.

Weekly output: cryptocurrency hack, TV technology (x2), Last Gadget Standing, 2018 cybersecurity forecasts revisited, connected appliances at CES, drones at CES, CES oddities

I never work harder in a week than during CES, so I immensely appreciated the gift of a snowstorm this weekend that let me get in some cross-country skiing, go sledding with my daughter on the nearest suitable hill and think about work very little.

If you’ve already read all of the posts below, please check out my Flickr album from the show.

1/8/2019: True Confessions: ICOs, Crypto, Tokens and VCs, Digital Money

My spot on this panel track was an onstage interview of cryptocurrency investor Michael Terpin about how a SIM-swap hack led to him being robbed of startup tokens worth almost $24 million at the time.

1/9/2019: Your TV could soon have these features that are better than 8K, Yahoo Finance

Just about every one of the 22 consecutive CESes that I’ve covered has led to me writing a report on the state of the TV. This year’s version involves an unusual company: Apple.

1/10/2019: Last Gadget Standing, Living in Digital Times

Once again, I helped judge this gadget competition and introduced one of the contestants–Origami Labs, developer of the Orii smart ring. This year’s contest, however, featured a new emcee. Instead of my former Yahoo colleague David Pogue, my USA Today colleague Jennifer Jolly did the honors.

1/10/2019: How cybersecurity forecasts got 2018 wrong, The Parallax

Having botched enough tech forecasts of my own, I appreciated having a chance to revisit other people’s predictions for the year we just escaped.

1/11/2019: From a smart toilet to ‘Shazam for Food’: CES unveils new connected appliances, Yahoo Finance

Once Samsung explained how this year’s version of their Family Hub fridge automatically identified food inside visible to its three interior cameras, Silicon Valley’s “Shazam for food” plot line immediately jumped into my head. That also led me to think of the role of hacked smart fridges in the HBO comedy–which made the unwillingness of so many CES smart-home exhibitors to talk specifics about security fixes all the more annoying.

1/11/2019: The drones of CES 2019 aren’t all in the air, Yahoo Finance

I wasn’t sure how I’d end this story until finding myself staring at an enormous John Deere combine–brought to the show floor to exhibit how GPS guidance lets it drive itself to an extraordinary degree of accuracy. That makes it a very large drone that happens to help bring corn and corn-based products to supermarkets, and there I had my ending.

1/12/2019: 8K TVs show the tech industry indulging in a bad habit, USA Today

This take on TV technology revisited some CES flops of a decade and two decades ago: 3-D TV and the would-be CD-upgrade formats DVD-Audio and Super Audio CD.

1/13/2019: The weirdest tech we saw at CES, Yahoo Finance

I wrote this, along with the two prior stories, after landing at Dulles early Friday morning. It turns out that you can be productive after a red-eye flight home if you pass out for almost the entire flight, nap a couple of times during the day and apply caffeine as needed.

Updated 1/24/2019 with video of my interview of Michael Terpin.

CES 2019 travel-tech report: overcoming oversights

I’ve survived another CES, this time after committing two of the dumber unforced errors possible at an enormous tech trade show.

One was not arranging an update to the Wirecutter LTE-hotspots guide to coincide with CES, such that I’d have to bring a couple of new hotspots to the show. Instead, I was left to cope with intermittently available press-room and press-conference WiFi.

It confounds me that in 2019, anybody would think it okay to host a press event and not provide bandwidth to the press. But that’s CES for you, when either PR professionals or their clients seem to shove common sense into the shredder.

Fortunately, the show press rooms offered wired Internet, so I could fish out my USB-to-Ethernet adapter and get online as I would have 20 years ago. A couple of other times, I tethered off my phone.

On its second CES, my HP Spectre x360 laptop worked fine except for the one morning it blue-screened, then rebooted without a working touchpad. I had to open Device Manager and delete that driver to get it working once again. I also couldn’t help thinking that this doesn’t charge as fast as my old MacBook Air, but I’m still happier with a touchscreen laptop that I can fold up to use as a tablet–and which didn’t gouge me on storage.

My other big CES error was leaving the laptop’s charger in the press room at the Sands. I looked up and realized I had only 30 minutes to get to an appointment at the Las Vegas Convention Center, hurriedly unplugged what I thought was everything, and only realized my oversight an hour later. Fortunately, a call to the Sands press room led to the people there spotting the charger and safeguarding it until I retrieved it the next morning.

Meanwhile, my first-gen Google Pixel declined to act its age. It never froze up or crashed on me, took good pictures and recharged quickly over both its own power adapter and the laptop’s. I am never again buying a phone and laptop that don’t share a charging-cable standard.

I also carried around a brick of an external charger, an 8,000 milliamp-hour battery included in the swag at a security conference in D.C. I covered in October. This helped when I was walking around but didn’t charge the Pixel as quickly, and leaving the charger and phone in my bag usually led to the cable getting jostled out of the Pixel.

The other new tech accessory I brought on this trip made no difference on the show floor but greatly improved my travel to Vegas: a pair of Bose QC25 noise-cancelling headphones that I bought at a steep discount during Amazon’s Prime Day promotion. These things are great, and now I totally get why so many frequent flyers swear by them.

Weekly output: privacy-law prospects, switching wireless carriers, cable and broadband fee inflation, Android messages on your computer

Once again, a Sunday in January finds me in Las Vegas for CES. It’s like I’ve been doing this since 1998 or something…

12/31/2018: Why 2019 might finally bring a national privacy law for the US, Yahoo Finance

Writing a story optimistic about the prospects for a national privacy bill makes me feel like Charlie Brown lining up to kick the football, so if the year ends with Congress having yanked the ball away I’ll be disappointed but not enormously surprised.

12/31/2018: How to Switch Cell Phone Carriers, Wirecutter

This how-to post started with some banter on Wirecutter’s Slack about the mechanics of switching carriers.

1/1/2019: How your TV or broadband bill might creep up in the new year, Yahoo Finance

Just as I predicted a year ago, cable and broadband companies marked the new year with a round of rate hikes. This time around, I focused on increases to the add-on fees that are usually confined to the fine print of ads.

1/4/2019: You can read your Android phone’s texts on your Mac or PC. Here’s how, USA Today

A couple of readers complained that this column didn’t address third-party solutions for reading your texts on your Mac or PC–for example, MightyText, Pushbullet, Pulse SMS. That, I have to admit, is a fair point.

Updated 1/15/2019 to add a link to the Wirecutter how-to post that I’d missed at the time. 

Black Hat priorities: don’t get pwned, do get work done

LAS VEGAS–I took my own phone and laptop to the Black Hat USA security conference here, which is often held out as a bad idea.

Before I flew out to Vegas Tuesday, I got more than a few “Are you bringing a burner phone?” and “Are you leaving your laptop at home?” questions.

But bringing burner hardware means dealing with a different set of security settings and doesn’t address the risk of compromise of social-media accounts. And writing thousand-word posts on my phone risks compromising my sanity.

So here’s what I did with my devices instead:

  • Put my laptop in airplane mode, then enabled only WiFi to reduce the PC’s attack surface to that minimum.
  • For the same reason, turned off Bluetooth and NFC on my phone.
  • Set the Windows firewall to block all inbound connections.
  • Used a loaner Verizon hot spot for all my data on both my laptop and phone–I even disabled mobile data on the latter gadget, just in case somebody set up a malicious cell site.
  • Connected only through a Virtual Private Network on both devices, each of which was set to go offline if the Private Internet Access app dropped that encrypted connection.
  • Did not plug in a USB flash drive or charge my phone through anything but the chargers I brought from home.
  • Did not download an update, install an app, or type in a password.
  • Did not leave my laptop or phone alone in my hotel room.

Combined, this probably rates as overkill–unless the National Security Agency or a comparable nation-state actor has developed an intense interest in me, in which case I’m probably doomed. Using a VPN alone on the conference WiFi should keep my data secure from eavesdropping attempts, on top of the fact that all the sites I use for work already encrypt their connections.

But for my first trip here, I figured I’d rather err on the side of paranoia. (You’re welcome to make your case otherwise in the comments.)

Then I showed up and saw that everybody else had brought the usual array of devices. And a disturbing number of them weren’t even bothering to use encryption for things as basic as e-mail.
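
The firewall and Wi-Fi-only items in the checklist above can be checked before joining a conference network. This read-only PowerShell audit is an added example, not something from the original post; the function name `Test-ConferenceHardening` is hypothetical, and it assumes a Windows laptop with the built-in NetSecurity and NetAdapter modules.

```powershell
# Added example (not from the original post): read-only audit of the
# firewall and Wi-Fi-only checklist items. It changes nothing.
function Test-ConferenceHardening {
    $findings = @()

    # Firewall: every profile enabled, inbound blocked by default, and
    # inbound allow rules ignored. Assumption: this combination is what
    # "block all inbound connections" means on the laptop being checked.
    foreach ($p in Get-NetFirewallProfile -PolicyStore ActiveStore) {
        if ("$($p.Enabled)" -ne 'True') {
            $findings += "Firewall profile '$($p.Name)' is not enabled"
        }
        if ("$($p.DefaultInboundAction)" -ne 'Block') {
            $findings += "Profile '$($p.Name)': default inbound action is $($p.DefaultInboundAction)"
        }
        if ("$($p.AllowInboundRules)" -ne 'False') {
            $findings += "Profile '$($p.Name)': inbound allow rules are still honored"
        }
    }

    # Radios and ports: among physical adapters, only Wi-Fi should be up.
    # -Physical skips virtual adapters such as a VPN client's tunnel.
    $up = Get-NetAdapter -Physical | Where-Object Status -eq 'Up'
    foreach ($a in $up) {
        if ($a.PhysicalMediaType -ne 'Native 802.11') {
            $findings += "Non-Wi-Fi adapter is up: $($a.Name) ($($a.PhysicalMediaType))"
        }
    }
    if (-not ($up | Where-Object PhysicalMediaType -eq 'Native 802.11')) {
        $findings += 'No Wi-Fi adapter is up; the hot spot link is not established'
    }

    # The leading comma keeps an empty result as an array for the caller.
    return ,$findings
}

$result = Test-ConferenceHardening
if ($result.Count -eq 0) {
    'PASS: firewall and adapter state match the checklist'
} else {
    $result | ForEach-Object { "FAIL: $_" }
}
```

The adapter check is a heuristic based on the media type Windows reports; it does not cover the phone-side items or the VPN kill switch, which have to be confirmed in their own apps.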