Weekly output: 5G leaders, Mr. Antenna, streaming study, Desi Bundle, Disney’s Star+, Seinfeld coming to Netflix, two-factor authentication, HBO Max on Vizio, Locast logs off, Apple loosens App Store rules for “reader” apps, Nielsen nixed, checking wireless coverage, WhatsApp privacy fine

Posted on September 5, 2021 by robpegoraro

I worked a volunteer shift at a COVID-19 vaccination clinic Friday, the fourth time I’ve done so. On this occasion, we had far fewer customers than before, most coming for their second round of Pfizer or Moderna. But a few had yet to get any dose, which meant that they got to choose between those two vaccines or Johnson & Johnson’s; the latter needing a single jab made the difference for one man who said he was only getting vaccinated because his job required it. We also had a few under-18 kids who were limited to Pfizer–and one whom had been brought by her mom on her 12th birthday, so we had to take a minute to sing “Happy Birthday” to her.

8/30/2021: The 5G 50 to Watch Top Ten List, Light Reading

I helped write the bios for this list of top telecom industry executives put together by my trade-pub client. Yes, my last name is spelled wrong at the end of the piece.

8/31/2021: OTA antenna service alleges Vegas station refused to air its ads, FierceVideo

I spent most of this week filling in at my other big trade-pub client. I started by covering an allegation by a broadcast-antenna vendor named Mr. Antenna that a Las Vegas station had quit airing its ads because increased broadcast viewing would undercut its cable-TV income.

8/31/2021: New study finds more Americans splitting their streaming budget, FierceVideo

I wrote up a Leichtman Research Group study finding more Americans signing up for at least three streaming services.

8/31/2021: DistroScale streaming bundle serves up free South Asian channels, FierceVideo

If you didn’t know that “desi” is a term for people of South Asian descent before reading this post, you did after.

9/1/2021: Disney debuts Star+ in Latin America, FierceVideo

Writing this led me to dust off my VPN service for the first time in months to see what pricing this new Disney streaming service would show to a viewer in its target Latin American markets–the press releases I saw didn’t list any.

9/1/2021: Seinfeld coming to Netflix Oct. 1—and in 4K, FierceVideo

I only referenced one Seinfeld catch phrase in this piece, which I thought showed remarkable restraint.

9/1/2021: Why you shouldn’t rely on texts when using two-factor authentication to sign into accounts, USA Today

I could have written this column at any time in the previous two years, but T-Mobile’s latest data breach made it newly relevant.

9/2/2021: HBO Max app comes to Vizio connected TVs, FierceVideo

This post reminded me how much of HBO Max’s early struggles with getting its apps on streaming platforms.

9/2/2021: After hostile court ruling, Locast logs off, FierceVideo

As I tweeted after this story ran, the broadcasters who succeeded in suing Locast offline might not want to gloat too much. Viewers aren’t getting any less weary of endless pay-TV rate hikes, and telling people without good over-the-air reception to stick with cable will only get less persuasive every year.

9/2/2021: Apple to let video apps point users away from its payment system, FierceVideo

Apple deigning to allow “reader” apps to include one link to their own site shouldn’t be a big deal, but it is in the context of that company’s history of App Store control-freakery.

9/3/2021: Media Rating Council suspends Nielsen accreditations, FierceVideo

My last post for Fierce this week covered an industry group snubbing Nielsen’s audience-tracking work.

9/3/2021: Which wireless carrier has the best coverage where you’re going? Here’s how to find out, USA Today

A friend’s query about ways to see if T-Mobile or Verizon would offer better service than AT&T at his home was followed by my realizing that USAT had yet to cover the FCC’s release of a new and surprisingly helpful map of predicted LTE coverage from the major carriers.

9/3/2021: WhatsApp fined under GDPR, Al Jazeera

The Arabic-language channel had me on to discuss WhatsApp getting hit with a €225 million fine for violations of the EU’s General Data Protection Regulation. The European Data Protection Board’s ruling in this case calls those failures of transparency, but I see the underlying problem as WhatsApp insisting on access to your phone’s contacts list to place a call or send a message to anybody who hasn’t already contacted you in the app.

Weekly output: password peril, mobile-hotspot help, Facebook’s Oversight Board

Posted on May 10, 2020 by robpegoraro

I had been holding out hope that I could return to business travel, even if just once before fall or winter, to cover America’s return to launching astronauts to space–SpaceX’s Demo-2 test flight of its Crew Dragon capsule, scheduled for May 27. I’d put in for a press pass and had a confirmed assignment from a name-brand client, and I was willing to figure out how I’d not lose money on the trip later on. But on Monday, I got the e-mail that many other journalists received, saying that NASA could not accommodate me at the Kennedy Space Center because social-distancing dictates required drastically limiting the number of press on site.

I’m not surprised and I’m not that upset. I’ve already seen three launches from the press site at KSC–the penultimate and final Space Shuttle launches and the February 2018 debut of the Falcon Heavy rocket–and that’s three more than I had any reasonable expectation of seeing 10 years ago.

5/5/2020: We still stink at passwords, and there’s really no excuse, Fast Company

I got an advance look at a study published by LastPass, the password-manager service that I used to use. The study confirmed earlier reports that people reuse way too many passwords but reported curiously high adoption of two-step verification–but did not gauge how many of us now employ password managers.

5/8/2020: All of the COVID-19 Data Upgrades That Cell Phone Carriers Are Offering, Wirecutter

I inventoried the ways that the big four wireless carriers as well as their prepaid brands and their major resellers have made it easier to share your smartphone’s bandwidth with nearby devices via its mobile-hotspot function. As you can see in the comments, it looks like I got one service’s information wrong; Google Fi has raised the limit at which it will slow down your connection, but not in a way that will lower most customers’ bills.

5/9/2020: Facebook’s Oversight Board, Al Araby

As one third of a panel discussion on this Arabic-language news network, I talked about Facebook’s new Oversight Board and its odds of changing things at the social network. My main point: While this equivalent of a Supreme Court is empowered to reverse Facebook decisions to take down or keep up content, Facebook’s automated rankings of the priority of content appear to be outside its orbit.

First impressions of 1Password

Posted on May 31, 2019 by robpegoraro

After several years using the same password-manager service–and then paying for its premium version–I’ve spent the last few weeks trying an alternative.

I can credit a sales pitch that included the italicized phrase “completely free” for this departure: 1Password’s offer of a free membership to journalists, in celebration of World Press Freedom Day this May 3. But I was also overdue to spend some time in a password manager besides LastPass.

So far, I’m impressed by the elegance of the interface but a little put off by how persnickety 1Password can be to set up. You don’t just create a username and password, you also have to type in a complex and random secret key to get going.

Having read this Toronto-based firm’s documentation of how this extra step helps ensure that a successful guess of your password still won’t compromise your account, I get where they’re coming from. But I’m not sure I’d recommend it to just anybody, especially not when LastPass’s free version suffices for many casual users.

Further time with 1Password’s Mac, Windows and Android apps has revealed other things I like:

Importing my saved passwords from LastPass was as simple as advertised (and 1Password having a documented export format should ease any possible future switch away from 1Password);
Its Watchtower feature taps into the Have I Been Pwned data-breach index to warn you if you’re using passwords that have already leaked from other sites;
You can unlock the Windows app using Microsoft’s Windows Hello biometric authentication (but not after a restart of the app or the PC).

This time has also surfaced one thing I don’t like: an incomplete approach to two-step verification that seems to require choosing between running an authenticator app on your smartphone or employing a weird Yubikey implementation that requires running a separate app instead of just plugging a standard USB security key. That’s no better than LastPass’s inflexible notion of two-step verification.

I’d like to see 1Password improve that and support the WebAuthn standard for security-key confirmation. But I’m prepared to give them some time, based on everything else I’ve seen so far.

LastPass shows how to do two-step verification wrong

Posted on December 7, 2018 by robpegoraro

I finally signed up for LastPass Premium after years of using the free version of that password-management service. And I’m starting to regret that expense even though $2 a month should amount to a rounding error.

Instead of that minimal outlay, I’m irked by LastPass’s implementation of the feature I had in mind when typing in credit-card digits: support for Yubikey U2F security keys as a form of two-step verification.

Two-step verification, if any reminder is needed, secures your accounts by confirming any unusual login with a one-time code. The easy but brittle way to get a two-step code is to have a service text one to you, which works great unless somebody hijacks your phone number with a SIM swap. Using an app like Google Authenticator takes your wireless carrier’s security out of the equation but requires regenerating these codes each time you reset or switch phones.

Using a security key–Yubikey being one brand, “U2F” an older standard, “WebAuthn” a newer and broader standard–allows two-step verification independent of both your wireless carrier and your current phone.

Paying for LastPass Premium allowed me to use that. But what I didn’t realize upfront is that LastPass treats this as an A-or-B choice: If you don’t have your Yubikey handy, you can’t click or type a button to enter a Google Authenticator code instead as you can with a Google account.

A LastPass tech-support notice doesn’t quite capture the broken state of this user experience:

If multiple Authentication methods are used, only one will activate per login attempt. If you disable one, then another will activate on the next log in attempt. Because only one activates at a time, you cannot have multiple prompts during the same log in.

The reality you see if you happened to leave your Yubikey at home or just have your phone closer at hand: an “I’ve lost my YubiKey device” link you’re supposed to click to remove that security option from your account.

This absolutist approach to two-step verification is not helpful. But it’s also something I should have looked up myself before throwing $24 at this service.

Weekly output: facial recognition, Washington Apple Pi

Posted on July 29, 2018 by robpegoraro

This was a challenging week, since our daughter’s camp schedule had her at home during most of the day. If I had a dollar for every time I was asked to help find a Lego piece… I’d buy our kid more Legos, because they are awesome.

7/27/2018: Microsoft argues facial-recognition tech could violate your rights, Yahoo Finance

My inspiration for writing this was Microsoft president Brad Smith calling for government regulation of this technology; having the ACLU report that Amazon’s Rekognition facial-recognition service falsely identified 28 members of Congress as criminal suspects motivated me to finish and file the post.

7/28/2018: Rob Pegoraro, ronin technology columnist, Washington Apple Pi

I spoke at the monthly meeting of this Mac/iOS user group about changing notions of security–or, to phrase things less politely, how foolish and gullible we’ve been in prior years. (Seriously, the defaults most people operated on in 1995 and 2000 look horrifyingly stupid now.) I also called out such lingering obstacles in infosec as Apple’s unwillingness to support “U2F” two-step verification via encrypted USB keys and Microsoft’s bizarre stance that full-disk encryption is something only business users need. In the bargain, I donated my now-deceased MacBook Air to the Pi’s MacRecycleClinic and gave away a bag of trade-show swag, including a couple of U2F keys.

Update, 7/31/2018: I had an embed of the Pi’s YouTube clip of my talk, but I didn’t know that stream had playback disabled on other sites until a reader called that out in a comment. (Thanks, jeffgroves!) So I’ve replaced that with a link to the clip.

Weekly output: Chris Vickery, post-phishing advice, hyperloop competition

Posted on August 20, 2017 by robpegoraro

It was a back-to-work week after the previous week’s time off. In addition to what you see here, I filed a USA Today column that should go up tomorrow morning and a thousand-word feature that won’t run for a few more weeks.

8/15/2017: How companies leave your data online without your knowledge, Yahoo Finance

This post was the product of my one work appointment while on vacation in the Bay Area, a conversation with data-breach detective Chris Vickery.

8/17/2017: These college students are vying to build Elon Musk’s hyperloop, Yahoo Finance

I drove up to College Park Tuesday morning to see the test hyperloop pod that this UMD team is taking to a SpaceX-hosted hyperloop competition at the end of this month, then used part of my resulting writeup to discuss the overall feasibility of the hyperloop concept for transporting people. In the process, I got to employ a quote that I’ve had sitting in Evernote since last November.

8/18/2017: You got phished. Now what?, USA Today

This ran about a week after I filed it, thanks to my original e-mail not being addressed to the right editor and the right editor a) missing my re-send of that e-mail and b) being really busy. Fortunately, phishing and e-mail security in general are both evergreen topics, so this summary of the advice I gave to a friend’s dad was at no real risk of getting scooped.

Weekly output: Virgin Mobile USA Inner Circle, Microsoft on security, D.C. tech media, Sprint Flex, SMS two-step verification

Posted on July 16, 2017 by robpegoraro

This week involved a large tech conference, but I didn’t have to go any farther than D.C. for it: Microsoft Inspire ran from Monday to Wednesday at the convention center, with the morning keynotes held at the Verizon Center. The event yielded one post, an idea for another and a sweaty evening at Nationals Park Wednesday, the location of the Carrie Underwood concert that closed out the gathering.

7/10/2017: Virgin Mobile’s iPhone-only plan: What’s the catch?, USA Today

This snakebit column required not one but two corrections. The first remedied my mistake in reading “$1” as this Sprint prepaid brand’s promotional monthly rate when it was the cost for the entire first year of service; minutes later, I saw a reader comment calling out my dumb error in writing “megabits per second” instead of “kilobits per second” when describing a streaming speed limit.

7/12/2017: Microsoft reveals two big ways to stop ransomware attacks, Yahoo Finance

Microsoft president and chief legal officer Brad Smith’s keynote Wednesday called for collective action to stop ransomware and other malware outbreaks. But getting companies and organizations to end their long-running abusive relationship with Windows XP won’t be easy; neither will persuading governments to stop hoarding vulnerabilities in favor of promptly disclosing all of them so they can be fixed.

7/12/2017: Working with Tech Media in the Washington D.C. Region, Washington Network Group

I spoke on this panel with the Washington Business Journal’s Andy Medici and FedScoop’s Tajha Chappellet-Lanier (a fellow Washingtonian Tech Titan honoree) about coverage priorities, tech trends and PR pet peeves. Once again, I implored publicists not to follow up by re-sending the original e-mail topped by nothing more than “Any interest?”

7/14/2017: Sprint doesn’t want you to buy your next phone, Yahoo Finance

Sprint gave me an advance on this, but its PR pitch for its new Flex leasing deal didn’t spell out that this move would also end Sprint’s installment-payment pricing on phones. Because I’m slow, I needed a couple of rounds of Q&A to grasp that difference. Sprint, in turn, didn’t clarify the international-unlocking policy under Flex until Friday morning, after its embargo on the news had passed but before it had posted its own press release.

7/14/2017: How a system meant to keep your money safe could put it in danger, Yahoo Finance

I expected to see everybody else jump on this story of a PayPal customer losing money after an AT&T rep let an unknown attacker move his number–the last line of defense on his PayPal account–to a new SIM, since I learned about it on Twitter a week earlier. Instead, I had time to quiz PayPal, AT&T and others; verify that a no-longer-advertised phone-free form of two-factor authentication still worked at PayPal; and have an enlightening chat with Google security product manager Stephan Somogyi about the tradeoffs of different “2FA” methods.

Weekly output: Trump tech policy, cyber attacks, watching Oscar nominees online, security attitudes, Android messaging apps

Posted on January 29, 2017 by robpegoraro

Like most Americans, I’m a descendant of immigrants. My dad’s grandparents came over from Italy and Croatia and my mom’s father arrived from Gibraltar before WWI, while her mother landed in New York from Ireland in 1923–only months after the end of the Irish Civil War. It is easy to imagine a rule like President Trump’s executive order keeping her out.

1/24/2017: President Trump’s tech policy is a mystery, Yahoo Finance

I’ve been going to the State of the Net conference on and off since 2007, and this was the first time I saw so much confusion over what a new administration would do in so many areas of tech policy.

1/24/2017: Cyber attacks, Al Jazeera

The Arabic news network had me on for a segment about cyber attacks like the Shamoon virus that recently crippled government and business PCs in Saudia Arabia.

1/26/2017: Why you can’t stream this year’s Oscar nominees on Netflix, Yahoo Finance

One of the first posts I wrote for Yahoo Tech looked at the crummy online availability of the year’s critically-acclaimed movies. I enjoyed a chance to revisit the topic and shed some light on how the industry works.

1/26/2017: Study finds most people are scared they’ll be hacked, but don’t do much about it, Yahoo Finance

The Pew Research Center’s study on Americans’ attitudes on cybersecurity painted a depressing picture–aside from a figure on use of two-step verification that I found more reassuring but also suspiciously high.

1/29/2017: The best Android messaging apps in a crowded field, USA Today

Google’s blog post announcing the revival of its Google Voice apps couldn’t explain the differences between them and the Hangouts apps most GV users had switched to a couple of years ago. That gave me an opportunity to do so and remind readers of other noteworthy Android messaging apps.

Weekly output: CISA, e-mail “sub-addressing”

Posted on November 1, 2015 by robpegoraro

Greetings, frustrated owners of Timex sport watches. I’m glad that essay I wrote in a fit of nerd rage continues to draw such interest at each time change, and I hope that at least some of the people who come here looking for help taking their timepiece in and out of Daylight Saving Time stick around and keep reading.

I spent much of this week wrapping up work on a long and long-delayed story. This coming week will see me in Dublin, where I’m covering Web Summit and catching up with some cousins I haven’t seen in over a dozen years. That’ll be my last air travel for work this year, and I am quite okay with that fact.

10/27/2015: CISA: Why Tech Leaders Hate the Latest Cyber-Security Bill, Yahoo Tech

I had meant to write about this cybersecurity bill earlier, but instead this post went up on the day that the Senate approved it by a 74-21 vote. I guess the folks there did not find this piece terribly persuasive. FYI: If you don’t like rants about Obama’s creeping dictatorship, you might want to avoid the comments.

11/1/2015: When a site rejects email “sub-addressing”, USA Today

Want to protect your privacy by giving a site a custom e-mail address that still lands in your inbox? Some won’t let you do that, and their explanations don’t square with the basic specifications of e-mail.

Weekly output: startups and privacy, iPhoto passwords

Posted on November 30, 2014 by robpegoraro

I’m thankful for readers who look for my work, and for clients who pay well and on time. You?

11/25/2014: Is the Uber Problem Changing How Startups Treat Privacy? Not Much., Yahoo Tech

Halfway through the Demo conference two weeks ago, I worried that I wouldn’t have anything to write about. Then I remembered that the founders of most new startups actually say what they think, unlike their more seasoned, better-media-trained counterparts at older tech companies.

11/30/2014: Warning: iPhoto won’t know if you change a password in OS X, USA Today

I feel a tiny bit dumb for writing this more than two years after getting religion about two-step verification. In my defense, I almost never use iPhoto’s shortcut to e-mail photos from that app, so it fell to my wife to run into and ask me about a password-management glitch in that soon-to-be-retired app that Apple probably won’t fix.

Rob Pegoraro

Occasional shop talk about journalism, technology and a few other things

Tag Archives: two-step verification