Weekly output: supply-chain attacks, Mark Vena podcast, password managers, 5G vs. IMSI catchers, fake vaccination cards

TALLINN, Estonia–I’m writing a post from the other side of the Atlantic for the first time since November of 2019 because of a press trip set up for this week by Estonia’s business-development types to show off the country’s tech sector. That sort of thing would be a non-starter were I on anybody’s staff, but I’m not and I’ve gotten a lot out of a few previous trips along these lines. It does help that Estonia is no Las Vegas in its approach to the pandemic. 

Screenshot of the story as seen in Safari on an iPad8/10/2021: More SolarWinds-style attacks are coming. Here’s how to stop them, Fast Company

I wrote up the keynote that opened Black Hat, in which security researcher (and excellent Twitter individual) Matt Tait outlined how getting hostile code into a software supply chain can yield rewards so outsized that attackers have to work extra to focus their attack.

8/11/2021: SmartTechCheck Podcast by Parks Associates, Mark Vena

This week’s edition of my tech-analyst pal’s podcast featured an unusually contentious debate over Apple’s announced plans to do on-device scanning of photos ready to be uploaded to iCloud for matches of known child sexual-abuse material.

8/12/2021: Best Password Managers of 2021, U.S. News & World Report

I contributed an update to the guide I helped write at the start of this year. My work this time includes profiles of 1Password, Bitwarden, Dashlane, Enpass, and LastPass, plus comparisons of 1Password and LastPass, Dashlane and LastPass, and 1Password and Dashlane.

8/13/2021: 5G defends against IMSI catchers – but implementation is critical, Light Reading

My Black Hat coverage-from-afar continued with this writeup of a briefing about 5G’s vulnerability to IMSI catchers, the fake base stations sometimes used by law-enforcement and national-security investigators as well as criminal enterprises to intercept people’s communications.

8/13/2021: Fake vaccination cards, Al Jazeera

I thought the Arabic-language news network would want me to talk about the technical difficulties involved in making counterfeit-proof vaccination cards, but instead they stuck to such big-picture queries as why people would even want to spend $100 or so on fake vax cards sold by random con artists on Telegram.

Weekly output: password managers, streaming-TV forecast, Limelight earnings, EU vs. Apple

The most important item on my calendar this week: getting my second dose of the Moderna coronavirus vaccine.

Screengrab of story as shown in USAT's iPad app4/28/2021: A cheaper deal from Dashlane invites a new look at password managers, USA Today

Dashlane’s PR firm offered me an advance on their addition of a new, cheaper price plan, which I used as a news peg for an overview of the password-manager market.

4/29/2021: Expect To Spend More On Streaming Video Than On Traditional Pay TV By 2024: New Report, Forbes

I wrote up a Strategy Analytics report predicting a slow demise for pay TV as we’ve known it. Sports fans, take note of the streaming deal for Italy’s Liga Serie A that one SA analyst described for me.

4/30/2021: Limelight revenues drop and losses widen, FierceVideo

I filled in at this client to cover this content-delivery network firm’s disappointing earnings.

4/30/2021: EU’s Answer To Spotify’s Complaint: Apple’s Rules Have Consumers Losing Out, Forbes

Writing this post about the European Commission’s preliminary finding that Apple abused its App Store authority to suppress competition from Spotify took me back to 2011–when it already seemed obvious that Apple demanding a 30% share of in-app subscriptions while forbidding app developers from pointing iPhone and iPad users to their own payment systems represented an abuse of power.

Weekly output: streaming-video viewers, Facebook vs. Australia, ShowStoppers TV, password managers, Vint Cerf on 6G

In addition to the stories below, my tweet about the Metropolitan Washington Airports Authority’s board-meeting news of an American Express Centurion Lounge coming to National Airport in 2022 got picked up at Gary Leff’s View From The Wing travel blog. As a longtime reader of Gary’s, I had to smile about that.

2/16/2021: OTT providers acknowledge the challenge of holding onto viewers, FierceVideo

I wrote up this online panel about the issues involved in retaining viewers as we emerge from this pandemic. The panel itself suffered its own retention problems, in the form of the moderator dropping offline multiple times.

2/17/2021: Facebook Will Give You Less Koala Content, Among Other Problems With Its Australian News Ban, Forbes

The koala-content angle came to me early on as I wrote this post, so I had to find some file art of a koala to go with the piece.

2/18/2021: ShowStoppers TV, ShowStoppers

I emceed this round of gadget demos, introducing and quizzing the presenters:  Godonut’s smartphone/tablet mount, HoverCam’s eGlass remote-teaching system, and Wacom’s Chromebook-connected drawing tablet.

Screenshot of USA Today column as seen in the paper's iPad app2/18/2021: LastPass to limit its free password manager. Here are other options, including Apple, Google, USA Today

All the research I did about password-manager services at the end of last year for the U.S. News guide that ran in January made this an easier column to write. That work also helped me write a longer post about the relative merits of LastPass, 1Password, Bitwarden and Dashlane for Patreon readers.

2/19/2021: 6G internet? Internet pioneer Vint Cerf isn’t buying the hype, Fast Company

I wrote up an online event hosted by Mitre Corp. on Feb. 11 that featured this interview of Internet pioneer Vint Cerf (whom I previously wrote about for Fast Company when he spoke at a conference in Alexandria in late 2019). Much as Cerf had voiced some sensible skepticism about 5G broadband one winter ago, he declined to get too excited over 6G and instead pointed to the connectivity potential of low-Earth-orbit satellites and ever-cheaper undersea fiber-optic cables.

Weekly output: ATSC 3.0, password managers, AT&T TV, ShowStoppers TV, CDA 230, CES recap, 8K TV, TV tech at CES (x2)

Although my Google Maps timeline shows no evidence of CES having happened over the past few days, my calendar and published work (in addition to the posts below, I wrote an extra recap Saturday for Patreon subscribers) leave no doubt that I spent this week “at” this year’s digital-only edition of this trade show.

1/12/2021: ATSC 3.0 backers tout brighter prospects for NEXTGEN TV, FierceVideo

I revisited a subject I covered at CES 2020 for my fave trade-pub client: an upgrade to broadcast TV that might reach more viewers’ homes, especially if TV manufacturers would stop ignoring it.

1/12/2021: Password Managers, U.S. News & World Report

My second project for U.S. News followed the outline of the guides to local Internet providers I helped write a few months ago; after editors analyzed third-party reviews to rank the companies involved, I provided my own context in a profile of each. I thought I knew this category before, but after researching Bitwarden, Keeper, LastPass, Dashlane, 1Password, LogMeOnce, NordPass, KeePassXC, RoboForm, Sticky Password, McAfee True Key, and Zoho Vault (plus head-to-head comparisons of 1Password vs LastPass, Dashlane vs LastPass, and Dashlane vs 1Password), I think I have a much deeper grounding. In the bargain, this work reminded me that I’d been neglecting some useful features in my own password manager, 1Password.

1/12/2021: AT&T TV NotNow: Telco Giant Reshuffles Streaming Services, Forbes

AT&T closing its AT&T TV Now streaming-TV service to new subscribers and making AT&T TV its core video service looked like a welcome stab at simplicity, but then I checked out the fine print in AT&T TV’s two-year-contract option.

1/13/2021: ShowStoppers TV, ShowStoppers

As I did last summer, I emceed the product presentations of three tech companies at an event hosted by the PR firm that, in the Before Times, helped organize my trips to IFA and a few other tech events. Unlike last summer, one of these firms wound up not presenting because they could not get their audio working.

1/13/2021: Special Broadband Breakfast Live Online Town Hall on Section 230, Broadband Breakfast

Twitter’s overdue decision to boot Donald Trump off the service led to this online panel about Section 230 of the Communications Decency Act, the law that lets online forums remove content that’s legal but “otherwise objectionable.” My fellow panelists: Ranking Digital Rights’ Jessica Dheere, the Cato Institute’s Will Duffield, the Computer & Communications Industry Association’s Ali Sternburg, and tech lawyer Cathy Gellis, with Broadband Breakfast editor and publisher Drew Clark moderating our conversation. The next day, Broadband Breakfast’s Samuel Triginelli wrote up the conversation that you can also watch in the embed below.

1/14/2021: Afternoon Learners SIG, Washington Apple Pi

I joined this meeting of one of WAP’s special interest groups via Zoom to share my thoughts on CES. We lost a good 10 minutes to audio glitches that I couldn’t hear but my audience could, so I stuck around for an extra 10 minutes.

1/14/2021: If You Want To Watch 8K Video On Your 8K TV, You May Have To Record It Yourself, Forbes

Yes, I remain deeply skeptical of 8K TV, even if Samsung’s newest line of smartphones can record in the format.

1/15/2021: Yes, you can have — and deserve — a bigger TV. That’s the theme on display at CES trade show, USA Today

No CES is complete for me without a state-of-the-TV piece. My industry-analyst friend Carolina Milanesi provided an opening quote that was more colorful than usual for this type of story.

1/15/2021: TVs at CES, WLW

This Cincinnati radio station had me on their afternoon drive-time show to talk about TVs. I flubbed a question from the hosts about the price for a 70-inch 4K TV: Because I hadn’t thought to leave a browser tab open to any retailer’s TV listings, I had to try to remember the prices I’d seen at Costco three weeks prior and then overshot the going rate by about 50 percent.

Updated 1/18/2021 to add links to my Patreon post, three other posts in the U.S. News password-manager guide, and Broadband Breakfast’s video and recap. 

Weekly output: password managers, exposure-notification apps, talking tech with Mark Vena

Six months ago, I expected to be busy tonight packing for the IFA tech trade show. But although that conference in Berlin is proceeding on a drastically-scaled-down basis, I’m not flying to Germany tomorrow because of the European Union’s ban on Americans traveling to the EU. Given how thoroughly we’ve botched this pandemic, I can’t blame them for imposing that restriction.

8/24/2020: Extra security or extra risk? Pros and cons of password managers, TechRepublic

I shared my experience with password managers–mainly LastPass and 1Password–with TechRepublic’s Veronica Combs for this overview of the advantages and disadvantages of these services.

8/25/2020: COVID-19 tracking apps, supported by Apple and Google, begin showing up in app stores, USA Today

Writing a lengthy report for O’Reilly about contact-tracing apps did not mean I could write this much shorter piece from memory and my existing notes. In addition to getting useful adoption data from Virginia’s Department of Public Health about its COVIDWISE app, I also reported that VDH plans to support a national key-server project from the Association of Public Health Laboratories that will let these state-developed apps relay and receive warnings of potential COVID-19 exposure across state lines.

8/28/2020: SmartTechCheck Podcast (8-28-20), Mark Vena

I talked about exposure-notification apps, the future of tech events like IFA, 5G wireless and Apple silicon with my analyst pal at Moor Insights & Strategy–another tech type who would have been packing for Berlin tonight but is instead grounded. You may notice a break in the recording about halfway through, when I had to get a glass of water so I could resume speaking normally. Note to self: Before sitting down to record a 45-minute podcast, make sure a glass of water is on the desk.

Weekly output: password peril, mobile-hotspot help, Facebook’s Oversight Board

I had been holding out hope that I could return to business travel, even if just once before fall or winter, to cover America’s return to launching astronauts to space–SpaceX’s Demo-2 test flight of its Crew Dragon capsule, scheduled for May 27. I’d put in for a press pass and had a confirmed assignment from a name-brand client, and I was willing to figure out how I’d not lose money on the trip later on. But on Monday, I got the e-mail that many other journalists received, saying that NASA could not accommodate me at the Kennedy Space Center because social-distancing dictates required drastically limiting the number of press on site.

I’m not surprised and I’m not that upset. I’ve already seen three launches from the press site at KSC–the penultimate and final Space Shuttle launches and the February 2018 debut of the Falcon Heavy rocket–and that’s three more than I had any reasonable expectation of seeing 10 years ago.

5/5/2020: We still stink at passwords, and there’s really no excuse, Fast Company

I got an advance look at a study published by LastPass, the password-manager service that I used to use. The study confirmed earlier reports that people reuse way too many passwords but reported curiously high adoption of two-step verification–but did not gauge how many of us now employ password managers.

5/8/2020: All of the COVID-19 Data Upgrades That Cell Phone Carriers Are Offering, Wirecutter

I inventoried the ways that the big four wireless carriers as well as their prepaid brands and their major resellers have made it easier to share your smartphone’s bandwidth with nearby devices via its mobile-hotspot function. As you can see in the comments, it looks like I got one service’s information wrong; Google Fi has raised the limit at which it will slow down your connection, but not in a way that will lower most customers’ bills.

5/9/2020: Facebook’s Oversight Board, Al Araby

As one third of a panel discussion on this Arabic-language news network, I talked about Facebook’s new Oversight Board and its odds of changing things at the social network. My main point: While this equivalent of a Supreme Court is empowered to reverse Facebook decisions to take down or keep up content, Facebook’s automated rankings of the priority of content appear to be outside its orbit.

First impressions of 1Password

After several years using the same password-manager service–and then paying for its premium version–I’ve spent the last few weeks trying an alternative.

I can credit a sales pitch that included the italicized phrase “completely free” for this departure: 1Password’s offer of a free membership to journalists, in celebration of World Press Freedom Day this May 3. But I was also overdue to spend some time in a password manager besides LastPass.

So far, I’m impressed by the elegance of the interface but a little put off by how persnickety 1Password can be to set up. You don’t just create a username and password, you also have to type in a complex and random secret key to get going.

Having read this Toronto-based firm’s documentation of how this extra step helps ensure that a successful guess of your password still won’t compromise your account, I get where they’re coming from. But I’m not sure I’d recommend it to just anybody, especially not when LastPass’s free version suffices for many casual users.

Further time with 1Password’s Mac, Windows and Android apps has revealed other things I like:

This time has also surfaced one thing I don’t like: an incomplete approach to two-step verification that seems to require choosing between running an authenticator app on your smartphone or employing a weird Yubikey implementation that requires running a separate app instead of just plugging a standard USB security key. That’s no better than LastPass’s inflexible notion of two-step verification.

I’d like to see 1Password improve that and support the WebAuthn standard for security-key confirmation. But I’m prepared to give them some time, based on everything else I’ve seen so far.

Here’s my Web-services budget

The annual exercise of adding up my business expenses so I can plug those totals into my taxes gave me an excuse to do an extra and overdue round of math: calculating how much I spend a year on various Web services to do my job.

The result turned out to be higher than I thought–even though I left out such non-interactive services as this domain-name registration ($25 for two years) and having it mapped to this blog ($13 a year). But in looking over these costs, I’m also not sure I could do much about them.

Google One

Yes, I pay Google for my e-mail–the work account hosted there overran its 15 gigabytes of free storage a few years ago. I now pay $19.99 a year for 100 GB. That’s a reasonable price, especially compared to the $1.99 monthly rate I was first offered, and that I took too long to drop in favor of the newer, cheaper yearly plan.

Microsoft Office 365

Getting a Windows laptop let me to opting for Microsoft’s cloud-storage service, mainly as a cheap backup and synchronization option. The $69.99 annual cost also lets me put Microsoft Office on one computer, but I’ve been using the free, open-source LibreOffice suite for so long, I have yet to install Office on my HP. Oops.

Evernote Premium

This is my second-longest-running subscription–I’ve been paying for the premium version of my note-taking app since 2015. Over that time, the cost has increased from $45 to $69.99. That’s made me think about dropping this and switching to Microsoft’s OneNote. But even though Microsoft owns LinkedIn, it’s Evernote that not only scans business cards but checks LinkedIn to fill in contact info for each person.

Flickr Pro

I’ve been paying for extra storage at this photo-sharing site since late 2011–back when the free version of Flickr offered a punitively-limited storage quota. This cost, too, has increased from $44.95 for two years to $49.99 a year. But now that Yahoo has sold the site to the photography hub SmugMug, the free tier once again requires serious compromises. And $50 a year doesn’t seem that bad, not when I’m supporting an indie-Web property instead of giving still more time to Facebook or Google.

Private Internet Access

I signed up for this virtual-private-network service two years ago at a discounted rate of $59.95 for two years, courtesy of a deal offered at Techdirt. Absent that discount, I’d pay $69.95, so I will reassess my options when this runs out in a few months. Not paying for a VPN service, however, is not an option; how else am I supposed to keep up on American news when I’m in Europe?

LastPass Premium

I decided to pay for the full-feature version of this password manager last year, and I’m already reconsidering that. Three reasons why: The free version of LastPass remains great, the premium version implements U2F two-step verification in a particularly inflexible way, and the company announced last month that the cost of Premium will increase from $24 a year to $36.

Combined and with multi-year costs annualized, all of these services added up to $258.96 last year. I suspect this total compares favorably to what we spend on news and entertainment subscriptions–but that’s not math I care to do right now.

LastPass shows how to do two-step verification wrong

I finally signed up for LastPass Premium after years of using the free version of that password-management service. And I’m starting to regret that expense even though $2 a month should amount to a rounding error.

Instead of that minimal outlay, I’m irked by LastPass’s implementation of the feature I had in mind when typing in credit-card digits: support for Yubikey U2F security keys as a form of two-step verification.

Two-step verification, if any reminder is needed, secures your accounts by confirming any unusual login with a one-time code. The easy but brittle way to get a two-step code is to have a service text one to you, which works great unless somebody hijacks your phone number with a SIM swap. Using an app like Google Authenticator takes your wireless carrier’s security out of the equation but requires regenerating these codes each time you reset or switch phones.

Using a security key–Yubikey being one brand, “U2F” an older standard, “WebAuthn” a newer and broader standard–allows two-step verification independent of both your wireless carrier and your current phone.

Paying for LastPass Premium allowed me to use that. But what I didn’t realize upfront is that LastPass treats this as an A-or-B choice: If you don’t have your Yubikey handy, you can’t click or type a button to enter a Google Authenticator code instead as you can with a Google account.

A LastPass tech-support notice doesn’t quite capture the broken state of this user experience:

If multiple Authentication methods are used, only one will activate per login attempt. If you disable one, then another will activate on the next log in attempt. Because only one activates at a time, you cannot have multiple prompts during the same log in.

The reality you see if you happened to leave your Yubikey at home or just have your phone closer at hand: an “I’ve lost my YubiKey device” link you’re supposed to click to remove that security option from your account.

This absolutist approach to two-step verification is not helpful. But it’s also something I should have looked up myself before throwing $24 at this service.

Weekly output: LTE hotspots, Techdirt, SOTU, password managers, Washington Apple Pi, Tech Night Owl, old IE versions

I had a relaxing week after CES… no, that’s not right.

Wirecutter LTE hotspot guide1/11/2016: Best Wi-Fi Hotspot, The Wirecutter

My overdue update to this guide to LTE hotspots endorsed a Verizon model and gave a secondary endorsement to an AT&T hotspot with lesser battery life. We then revised the update after it posted to note that the Sprint reseller Karma had downgraded an initially-promising unlimited-data option.

1/12/2016: Techdirt Podcast Episode 56: The CES Post-Mortem, Techdirt

I ran into Techdirt’s Mike Masnick at CES, and on our respective ways out of town he suggested I appear on his podcast. I said that would be a great idea.

1/13/2016: State of the Union’s Technology? What Obama Didn’t Say, Yahoo Tech

The tech-policy story about this SOTU address is how little attention tech policy got. I’d still like to know what led Reuters to think that self-driving cars would get a mention in the speech.

1/14/2016: Tip: How to Make Sure Someone Can Access Your Passwords in an Emergency, Yahoo Tech

The 4.0 update LastPass rolled out right before CES added an emergency-access feature, so I used this tip to tell readers about that and Dashlane’s comparable emergency-contacts option.

1/14/2016: Afternoon Learners SIG, Washington Apple Pi

I stopped by a meeting of this Apple users’ group to share my thoughts about CES–and to hand out some PR swag and USB flash drives.

1/16/2016: January 16 2016 — John Martellaro and Rob Pegoraro, Tech Night Owl

I talked to Gene Steinberg about what I saw at CES, from UHD TVs to the Internet of Insecure Things.

1/17/2016: What to do after Microsoft ends support for older browsers, USA Today

The easy answer to Microsoft’s end of support for older Internet Explorer versions is “install IE 11.” But that browser isn’t the same app in Windows 7 as it is in Win 8 and 10, and updating your browser doesn’t end your Web-security chores.