Black Hat priorities: don’t get pwned, do get work done

LAS VEGAS–I took my own phone and laptop to the Black Hat USA security conference here, which is often held out as a bad idea.

Before I flew out to Vegas Tuesday, I got more than a few “Are you bringing a burner phone?” and “Are you leaving your laptop at home?” questions.

But bringing burner hardware means dealing with a different set of security settings and doesn’t address the risk of compromise of social-media accounts. And writing thousand-word posts on my phone risks compromising my sanity.

So here’s what I did with my devices instead:

  • Put my laptop in airplane mode, then enabled only WiFi to reduce the PC’s attack surface to that minimum.
  • For the same reason, turned off Bluetooth and NFC on my phone.
  • Set the Windows firewall to block all inbound connections.
  • Used a loaner Verizon hot spot for all my data on both my laptop and phone–I even disabled mobile data on the latter gadget, just in case somebody set up a malicious cell site.
  • Connected only through a Virtual Private Network on both devices, each of which was set to go offline if the Private Internet Access app dropped that encrypted connection.
  • Did not plug in a USB flash drive or charge my phone through anything but the chargers I brought from home.
  • Did not download an update, install an app, or type in a password.
  • Did not leave my laptop or phone alone in my hotel room.

Combined, this probably rates as overkill–unless the National Security Agency or a comparable nation-state actor has developed an intense interest in me, in which case I’m probably doomed. Using a VPN alone on the conference WiFi should keep my data secure from eavesdropping attempts, on top of the fact that all the sites I use for work already encrypt their connections.

But for my first trip here, I figured I’d rather err on the side of paranoia. (You’re welcome to make your case otherwise in the comments.)

Then I showed up and saw that everybody else had brought the usual array of devices. And a disturbing number of them weren’t even bothering to use encryption for things as basic as e-mail.

Another part of the world where I need to use a VPN

I spent last week in London with my family–yes, actual vacation-esque time! It was great, except for when I was trying to keep up with news from back home.

My first stay across the Atlantic since the European Union’s General Data Protection Regulation went into force May 25 brought home the unpleasant reality of some U.S. sites’ continued struggles with this privacy law. And instead of experiencing this only briefly in a Virtual Private Network session on my iPad, I got a full-time dose of it.

The biggest problem is sites such as the Chicago Tribune and the Los Angeles Times that have blocked all European access instead of providing the privacy controls required by the GDPR.

That’s not the fault of the GDPR–its provisions were set two years ago–but is the fault of Tronc, the long-mismanaged news firm formerly known as Tribune Publishing. Tronc could afford to pay $15 million to former chairman Michael Ferro after he quit facing charges of sexual abuse but apparently couldn’t afford to hire any GDPR-qualified developers. I hope the LAT can fix that now that Tronc has sold the paper, but it may be a while before I can link to any Tribune stories without annoying European readers.

With my client USA Today, the issue isn’t as bad: It provides EU readers with a stripped-down, ad- and tracking-free version of the site, which you can see at right in the screenshot above. What’s not to like about such a fast, simple version? Well, I can’t see comments on my own columns, and simply searching for stories requires switching to Google… by which I mean, Bing, since right-clicking a Google search result doesn’t let you copy the target address, and clicking through to a Google result will yield an EU-specific USAT address.

The simplest fix for these and other GDPR-compliance glitches was to fire up Private Internet Access on my laptop and connect to one of that VPN service’s U.S. locations–yes, as if I were in China. It seems a violation of the Web’s founding principles to have to teleport my browser to another continent for a task as simple as reading the news, but here we are.

Bandwidth battles in China

SHANGHAI–Crowded gadget trade shows like CES and Mobile World Congress usually entail connectivity complaints. But when you put the gadget show in China, you level up the complexity, thanks to the need to run a Virtual Private Network app to preserve access to U.S. sites blocked by China’s Internet filters.

In theory–and in every PR pitch from a VPN service advertising itself as the surefire way to stop your ISP from tracking your online activity–that should add no difficulty to getting online. You connect, the VPN app automatically sets up an encrypted link to the VPN firm’s servers, and then you browse as usual.

The reality that I’ve seen at CES Asia this week while using the Private Internet Access Windows and Android apps has been a good deal less elegant.

  • Often, the PIA app will connect automatically to the best available server (don’t be like me by wasting time selecting a particular U.S. server when the app usually gets this right) to provide a usable link to the outside world. But it’s never clear how long that link will stay up; you don’t want to start a long VoIP call or Skype conference in this situation.
  • On other occasions, the app has gotten stuck negotiating the VPN connection–and occasionally then falls into a loop in which it waits increasingly longer to retry the setup. Telling it to restart that process works sometimes; in others, I’ve had to quit the app. For whatever reason, this has been more of a problem on my laptop than on my phone.
  • The WiFi itself has been exceedingly spotty whether I’ve used my hotel WiFi, the Skyroam Solis international-roaming hotspot I took (a review loaner that I really, really need to send back), the press-room WiFi or, worst of all, the show-floor WiFi. Each time one of those connections drops, the VPN app has to negotiate a new connection.

If you were going to say “you’re using the wrong VPN app”: Maybe I am! I signed up for PIA last year when the excellent digital-policy-news site Techdirt offered a discounted two-year subscription; since then, my client Wirecutter has endorsed a competing service, IVPN (although I can’t reach that site at the moment). Since I don’t have any other trips to China coming up, I will wait to reassess things when my current subscription runs out next April.

Also, it’s not just me; my friend and former Yahoo Tech colleague Dan Tynan has been running into the same wonkiness.

To compound the weirdness, I’ve also found that some connectivity here seems to route around the Great Firewall without VPN help. That was true of the press-room WiFi Thursday, for instance, and I’ve also had other journalists attending CES Asia report that having a U.S. phone roam here–free on Sprint and T-Mobile, a surcharge on AT&T or Verizon–yielded an unfettered connection.

At the same time, using a VPN connection occasionally left the CES Asia site unreachable. I have no idea why that is so.

What I do know is that I’ll very much appreciate being able to break out my laptop somewhere over the Pacific in a few hours and pay for an unblocked connection–then land in a country where that’s the default condition.

Weekly output: Internet-provider privacy (x2), net neutrality, online privacy advice

I spent the first two days of the week commuting to Reston (by Metro and then Bikeshare) for a fascinating conference on drone policy issues. That hasn’t yielded a story yet, but it should soon.

3/28/2017: Congress votes to roll back internet privacy protection, Yahoo Finance

The speed with which Congress moved to dispatch pending FCC regulations that would have stopped Internet providers from selling your browsing history to advertisers without your upfront permission is remarkable, considering how our legislators can’t be bothered to fix actual tech-policy problems that have persisted for decades. It’s also remarkable how blind many people in Washington are to the immense unpopularity of this move.

I’m told this post got a spot on the Yahoo home page, which may explain the 2,796 comments it’s drawn. Would anybody like to summarize them for me?

3/29/2017: Internet providers and privacy, WTOP

The news station interviewed me about this issue. I was supposed to do the interview live, but after I got bumped for breaking news, they recorded me for later airing. How did I sound?

3/31/2017: Trump is going after the open internet next, Yahoo Finance

I have to admit that I missed White House press secretary Sean Spicer using part of his Thursday briefing to denounce the idea of the FCC classifying Internet providers as “common carriers,” which he compared to them being treated “much like a hotel.” That would be because I’ve never made a habit of watching White House press briefings live; it’s a little concerning to see alerts about them splashed atop the Post’s home page.

4/2/2017: Take these 5 steps to help protect your privacy online, USA Today

This story benefited from some fortuitous timing. When I wrote it, USAT’s site had not yet switched on encryption, and so the copy I filed had to note its absence. I asked my editor if she’d heard anything about a move to secure the connection between the site and a reader’s browser. She made some inquiries and learned that this upgrade would go into effect Sunday, my column’s usual publication day.

Weekly output: MLB regional blackouts, Sprint and T-Mobile “unlimited” plans (x2), Tech Night Owl

This week brought the unusual experience of a story getting taken down a few hours after its appearance. The post in question covered the regional blackouts that prevent MLB.tv subscribers from watching their home team online and my use of an alternative domain-name service called Unlocator.com to work around them. I’ve expressed my annoyance at the fan-hostile nature of regional blackouts before, but this story was my first to document how to defeat them… and Yahoo Finance’s editor-in-chief thought it went too far in telling people just how to break the rules, so he decided to take it down.

Before you ask, I don’t know what Major League Baseball thinks of the story, as I haven’t heard anything from anybody there since the background conversation I had with a publicist Monday afternoon in which I recounted my Unlocator use. I do know that I’m nowhere near the first person to write a how-to about beating blackouts–see, for example, this April piece from the Los Angeles Times’ Chris Erskine. I’m going to chalk this up to my not reading my client correctly.

8/19/2016: T-Mobile and Sprint’s new unlimited plans aren’t exactly unlimited, Yahoo Finance

As part of August’s stubborn refusal to act like the slow news month it’s supposed to be, Sprint and T-Mobile each introduced new, cheaper “unlimited” data plans that each contain significant limits (like an absence of usable tethering at T-Mo). Most subscribers should avoid these offers, but many may find them tempting because their own phones make it difficult to track how much data they use.

8/20/2016: August 20, 2016 — Rob Pegoraro and Jeff Gamet, Tech Night Owl

I talked with host Gene Steinberg about those new price plans, the state of municipal broadband, and Windows 10’s first anniversary. I would have sounded less positive about Win 10 had I known before the recording of this podcast that the Windows 10 Anniversary Update broke many third-party webcams.

8/21/2016: Unlimited plans at Sprint, T-Mobile have limited appeal, USA Today

My editors at USAT wanted me to compare these two new offerings to the unlimited-data deals they replaced and to the other plans available at each carrier. Sprint’s all-you-can-browse deal came out of this exercise looking a good deal better than T-Mobile’s.

Weekly output: drones (x2), White House Maker Faire, proxy servers and online video

I went to the White House this week for the first time since visiting it as a tourist sometime in high school–this time around, with a press pass. That was kind of neat.

6/17/2014: Regulations Could Ground Drones Before Takeoff, Yahoo Tech

I wrote about the completely inconsistent regulatory climate around drones–recreational use is essentially wide open below 400 feet altitude, but commercial use is banned outright. The fearful if not paranoid nature of many readers’ comments bugged me, as you may tell from the tone of my replies. Thought I had afterwards: “I’ve been around drones enough, and all of the drone users I know play by the rules. Is this what it’s like to be a responsible gun owner and have strangers see you as a loon like Wayne LaPierre?”

6/17/2014: 4 Ways to Use Drones for Good (None of Which Is Amazon Delivery), Yahoo Tech

I talked to a few people–including my long-ago Washington Post colleague Dan Pacheco, now a journalism professor at Syracuse–about peaceful, profitable uses for drones that tend to get overlooked as people throw around the specter of snooping in people’s backyards.

6/18/2014: White House Hosts Its First Maker Faire, with Robotic Giraffe in Attendance, Yahoo Tech

I covered the White House’s debut Maker Faire–somehow, also the first story I’ve written around a presidential speech–with this photo gallery. There’s more in my Flickr album.

6/22/2014: Geo-fakeout: Use a proxy for online video, USA Today

A neighbor wanted to know how he could have watched Netflix during a recent trip to Morocco; answering that also allowed me to give a tutorial in using proxy servers to watch World Cup coverage online. There’s also a tip about checking for “TLS” encryption at your mail service (something I covered at greater length at Yahoo Tech the other week), making this one of the more technically involved columns I’ve written for USAT.

How a hidden OS X process made my old employer think my Mac had been hacked

A slow Monday that I’d hoped would ease my way back into a semi-normal workweek was interrupted by a note from an old Post colleague–specifically, somebody in the IT department–with the never-good subject line of “virus?”

The security guys are reporting that someone is attempting to logon to VPN with your old credentials.

I replied saying that it was probably something spurious unless it was coming from the IP address my home currently had assigned from Verizon. He wrote back to say “turns out that IP is what is pinging the VPN server.”

Well, crap.

I updated my Mac’s ClamXav malware-scanner for the first time in months and got it started on a tedious inspection of my Mac, then downloaded the trial version of a network monitor called Little Snitch.

The virus scan found nothing, and Little Snitch didn’t report any oddball apps trying to send out data either. I also checked the settings of apps that I’d once configured to log into the newsroom remotely, but found nothing there.

Then I thought to try searching for the Post VPN address in Little Snitch’s network monitor. That revealed that Safari–to be exact, its WebProcess component–had pinged it only a few hours ago. A search for that address in Safari’s bookmarks and history located an old bookmark for the site that I’d misplaced in an unrelated, rarely-opened folder. Since deleting that, Little Snitch hasn’t recorded any more access attempts, and I haven’t gotten any other reports of those from the Post’s IT people.

WebProcess itself seems remarkably undocumented on Apple’s customer and developer sites, aside from references to it by users in the company’s tech-support forums. A further inquiry confirmed my initial hunch that this process updates Safari’s “Top Sites” view of pages you’ve visited recently–how else will the browser know to provide current previews of them?

What I still don’t get is why WebProcess would have kept on checking a site I hadn’t visited in close to two years–and which I don’t remember seeing in Top Sites anytime since. But I’ve witnessed enough weird behavior lately from individual Apple apps that I can’t put this past Safari… which is to say, I hope that’s all this is and that I haven’t missed something else.
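
The bookmark hunt described above can be scripted. This is an added example, not part of the original post: it walks a Safari-style bookmarks property list and reports every bookmark that points at a given host, along with the folder it is buried in. The key names (WebBookmarkType, URLString, URIDictionary, Children) follow the commonly observed layout of Safari's Bookmarks.plist and are assumptions here, as are the sample data and the placeholder host vpn.example.com.

```python
import plistlib
from urllib.parse import urlsplit


def find_bookmarks(node, host, path=()):
    """Yield (folder_path, title, url) for bookmarks on host or one of its subdomains."""
    kind = node.get("WebBookmarkType")
    if kind == "WebBookmarkTypeLeaf":
        url = node.get("URLString", "")
        name = (urlsplit(url).hostname or "").lower()
        # Compare parsed hostnames so "vpn.example.com.evil.test" does not match.
        if name == host or name.endswith("." + host):
            title = node.get("URIDictionary", {}).get("title", "")
            yield "/".join(path), title, url
    elif kind == "WebBookmarkTypeList":
        # Folders nest arbitrarily deep; carry the folder trail down the tree.
        sub = path + (node["Title"],) if node.get("Title") else path
        for child in node.get("Children", []):
            yield from find_bookmarks(child, host, sub)


def search_plist_bytes(data, host):
    """Parse XML or binary plist bytes and return all matching bookmarks."""
    return list(find_bookmarks(plistlib.loads(data), host.lower()))


def _leaf(title, url):
    return {"WebBookmarkType": "WebBookmarkTypeLeaf",
            "URLString": url, "URIDictionary": {"title": title}}


def _folder(title, children):
    return {"WebBookmarkType": "WebBookmarkTypeList",
            "Title": title, "Children": children}


# Constructed sample: one stale remote-access bookmark filed in an unrelated folder.
SAMPLE = plistlib.dumps(_folder("", [
    _folder("BookmarksBar", [_leaf("News", "https://news.example.org/")]),
    _folder("BookmarksMenu", [
        _folder("Old recipes",
                [_leaf("Remote access", "https://vpn.example.com/login")]),
    ]),
]), fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    for folder, title, url in search_plist_bytes(SAMPLE, "vpn.example.com"):
        print(f"{folder}: {title} -> {url}")
```

To check a real profile, pass the bytes of a copy of the bookmarks file to search_plist_bytes instead of SAMPLE.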