Weekly output: supply-chain attacks, Mark Vena podcast, password managers, 5G vs. IMSI catchers, fake vaccination cards

TALLINN, Estonia–I’m writing a post from the other side of the Atlantic for the first time since November of 2019 because of a press trip set up for this week by Estonia’s business-development types to show off the country’s tech sector. That sort of thing would be a non-starter were I on anybody’s staff, but I’m not and I’ve gotten a lot out of a few previous trips along these lines. It does help that Estonia is no Las Vegas in its approach to the pandemic. 

[Image: screenshot of the story as seen in Safari on an iPad]

8/10/2021: More SolarWinds-style attacks are coming. Here’s how to stop them, Fast Company

I wrote up the keynote that opened Black Hat, in which security researcher (and excellent Twitter individual) Matt Tait outlined how getting hostile code into a software supply chain can yield rewards so outsized that attackers have to work extra to focus their attack.

8/11/2021: SmartTechCheck Podcast by Parks Associates, Mark Vena

This week’s edition of my tech-analyst pal’s podcast featured an unusually contentious debate over Apple’s announced plans to do on-device scanning of photos ready to be uploaded to iCloud for matches of known child sexual-abuse material.

8/12/2021: Best Password Managers of 2021, U.S. News & World Report

I contributed an update to the guide I helped write at the start of this year. My work this time includes profiles of 1Password, Bitwarden, Dashlane, Enpass, and LastPass, plus comparisons of 1Password and LastPass, Dashlane and LastPass, and 1Password and Dashlane.

8/13/2021: 5G defends against IMSI catchers – but implementation is critical, Light Reading

My Black Hat coverage-from-afar continued with this writeup of a briefing about 5G’s vulnerability to IMSI catchers, the fake base stations sometimes used by law-enforcement and national-security investigators as well as criminal enterprises to intercept people’s communications.

8/13/2021: Fake vaccination cards, Al Jazeera

I thought the Arabic-language news network would want me to talk about the technical difficulties involved in making counterfeit-proof vaccination cards, but instead they stuck to such big-picture queries as why people would even want to spend $100 or so on fake vax cards sold by random con artists on Telegram.

My next in-person tech conference will have to wait a little longer

Next week was going to feature a conference badge and triple-digit temperatures, and now the only way I’ll get any of those things is if the forecast for D.C. turns out to be completely off.

Barely a month after I’d booked flights and a (refundable) hotel room for the Black Hat security conference, convinced that this security gathering in Las Vegas would represent my first in-person conference since February of 2020, I cancelled those bookings this week. Instead of flying to Nevada to take notes in the middle of a physical audience and then network in person at a series of receptions, I’ll follow the briefings online and then connect with nobody new as I have dinner at home.

It wasn’t any one thing about this conference happening in the middle of a not-yet-over pandemic that led me to bag this trip, even though I’ve been fully vaccinated since late May; it was all the things.

First, while I would expect most information-security professionals to evaluate their risks intelligently and therefore have gotten vaccinated long ago, there are always going to be exceptions.

Second, Black Hat is like everything else in Vegas in August in that it must exist in a series of air-conditioned bubbles. And while I wouldn’t have a problem wearing a mask while watching briefings, staying masked-up is a lot harder at a conference reception.

Third, Vegas has a giant tourist demographic that self-selects for poor risk management, raising the odds of me sharing an elevator or check-in line with some hard-partying idiot who has made pandemic denial part of his personal political brand.

Fourth, the city itself has a depressingly low vaccination rate, with only 41% of Clark County residents fully vaccinated. Seeing that many people spend that many months declining to use the best tool we have against the pandemic does not make me want to go to their city and spend my money.

The odds remain pretty low, as I understand them, that I would pick up the Delta variant of the novel coronavirus over those two days and change in Vegas. But when one of the people I’d see afterwards would be my not-yet-vaccine-eligible 11-year-old daughter, I can’t justify the risk posed by what strikes me as an especially bad scenario compared to any of the events I’m contemplating for later this year.

So even while I have resumed some business travel, it’s going to be a little while longer before I come home with a new conference badge to add to the collection that’s now been collecting dust for a year and a half.

All vaxxed up and nowhere to go (especially for work)

Thursday was my V-day: two weeks elapsed since my second dose of the Moderna coronavirus vaccine, and therefore cleared for takeoff into a normal life. But I still feel like I’m on the runway, if not still on the taxiway waiting for my clearance.

I’m blaming work. I had thought it would be nice to celebrate this milestone Friday by having a drink at an actual bar indoors, but I had deadlines to meet that kept me at the keyboard until almost dinnertime. One reason why I still had fingers at the keyboard that late: I spent part of Friday afternoon volunteering at a vaccination clinic, which was arguably a better way to mark the occasion anyway. I did at least wear only one cloth mask instead of doubling up as I had before.

Photo shows my COVID-19 vaccination card atop my new passport and a route map from United Airlines' Hemispheres magazine.

(Another difference between now and my first volunteer shift in early April: Positive test rates have plummeted to well under 2% in Arlington and D.C.)

Work also factors into this in-between feeling, because it’s become so obvious that business gatherings will be a trailing indicator of America’s victory over this disease. As I type this, my also-fully-vaccinated neighbors are having people over on their back deck and that seems completely normal, but I have no idea when the first (non-pandemic-denying) think tank, trade association, PR firm or other corporate outpost around here will dare to host an in-person briefing, luncheon or reception.

The forecast is also fuzzy for in-person conferences. Wednesday, the management of the IFA trade show announced that they had to cancel this year’s edition of that electronics event in Berlin. I had thought they had good odds of pulling it off, considering how fast Germany is getting vaccine doses into arms. But IFA is a global show, and many of the countries that would be sending companies there remain far behind in vaccinations.

(MWC Barcelona, the first tech event to succumb to the pandemic, is somehow still set to happen next month, albeit on a grossly exhibitor-deprived scale. I don’t know what the thinking is there.)

Conferences that take place in the U.S. and draw a mostly-American audience look more likely to happen as planned, which on my calendar would probably make the first such IRL event the Black Hat information-security conference. Subjecting oneself to the blast-furnace heat of Las Vegas in August is not most people’s idea of fun–but after a year and change of only experiencing events through a screen, I legit would enjoy it. Besides, it really is a dry heat there.

DVR debt, but for virtual-conference panels

For the past two months, I’ve been looking at the same five tabs left open in my Mac’s copy of Chrome. They’re all from Black Hat–as in, the security conference that happened online in early August, but which remains incomplete in my own viewing.

If this event had taken place in Las Vegas as usual, I would have watched almost all the talks I’d picked out from the schedule. That’s a core feature of traveling to spend a few days at a conference: All of the usual at-home distractions are gone, leaving you free to focus on the proceedings at hand.

Online-only events zero out my travel costs and offer the added benefit of vastly reducing the odds of my catching the novel coronavirus from a crowd of hundreds of strangers. But because they leave me in my everyday surroundings, they’re also hard to follow.

If I have a story to write off a panel–meaning a direct financial incentive–I can and will tune in for that. But for everything else at an online conference, it’s just too easy to switch my attention to whatever work or home task has to be done today and save the panel viewing for later, as if it were yet another recording on my TiVo. (Or to let my attention wander once again to Election Twitter.) It’s not as if other conference attendees will be able to note my absence!

So I still haven’t caught up with the talks at Black Hat. Or at the online-only DEF CON hacker conference that followed it. I haven’t even tried to follow the panels at this year’s online-only version of the Online News Association’s conference… mainly because I couldn’t justify spending $225 on a ticket when this conference’s usual networking benefits would be so attenuated. I feel a little bad about that, but on the other hand I also feel a little cranky about submitting a panel proposal for ONA 20 and never getting a response.

I would love to be able to return to physical-world events with schedules crowded by overlapping panel tracks that force me to choose between rooms. But there seems to be zero chance of them resuming in the next six months, even if a vaccine arrives before the end of the year in mass quantities. Web Summit, CES, SXSW: They’ll all be digital-only, happenings experienced only through a screen.

I should try harder to cultivate the habit of experiencing these virtual events in the moment, not weeks or months afterwards. Or at least I should try to catch up on the backlog of panels I’ve already accumulated. This last hour would have been great for that… except I spent it writing this post instead.

Update, 10/10/2020: It turns out none of those Black Hat panels were available for viewing anymore. Whoops! At least the tab bar in Chrome looks cleaner now, I guess.

Weekly output: network security (x2), election security, Google finding Apple’s bugs

Now it can be told: I spent all of the last two weeks on the West Coast, with my stay in Las Vegas for Black Hat and DEF CON sandwiched inside time with my in-laws in California. That let me have a much shorter trip to and from Vegas and then segue from WiFi security to a little wine tasting and, more important, a lot of napping.

8/12/2019: WiFi can be a free-for-all for hackers. Here’s how to stop them from taking your data, USA Today

I e-mailed this to my editor with the following note: “I’m sending this over the DEF CON conference WiFi, so if you only see pirate-flag emoji I trust you’ll call or text to warn me.” If you don’t want to read all 600-ish words in this piece, the top three are “encryption is your friend.”

8/12/2019: This tech could secure voting machines, but not before 2020, Yahoo Finance

One of the big reasons I decided to stick around Vegas for DEF CON–even though it meant I’d have to pay $300 in cash for that conference badge–was the chance to see the exhibits and presentations at its Voting Village. The proceedings did not disappoint, even if a DARPA demo from a project with the delightful acronym of SSITH is far from yielding shipping voting hardware.

8/12/2019: Google got Apple to fix 10 security flaws in the iPhone, Yahoo Finance

Black Hat offered a two-course serving of Apple-security news. Its first day featured a briefing from Google Project Zero researcher Natalie Silvanovich about how her team uncovered 10 serious iOS vulnerabilities, and then its second day brought a talk from Apple security-engineering head Ivan Krstić that ended with news of a much more open bug-bounty program.

8/14/2019: This Morning with Gordon Deal August 13, 2019, This Morning with Gordon Deal

I talked about my USAT column on this business-news radio program; my spot starts just after the 13th minute.

Weekly output: wireless service, Gmail phishing, social-media disinformation, DNA tests

I spent most of this week in Las Vegas for the Black Hat and DEF CON security conferences, my first DEF CON. I knew Black Hat from last year, but covering its sponsor-free, community-run counterpart for the first time left me feeling overwhelmed at how much of it I’d missed after just the first day. The Flickr album I posted earlier today may give you a sense of that fascinating chaos.

8/7/2019: The Best Cell Phone Plans, Wirecutter

This update took longer than I thought it would, but it now benefits from a simpler set of usage estimates that better align with how much data most people use. This guide also features new recommendations for value-priced service and shared-usage plans.

[Image: Fast Company Gmail-phishing post]

8/8/2019: We keep falling for phishing emails, and Google just revealed why, Fast Company

I wrote up a Black Hat talk that revealed new insights about why people fall for phishing e-mails and reinforced old advice about the importance of securing essential accounts with the right kind of two-step verification.

8/9/2019: Fake calculations… an electronic weapon in the hands of autocratic government, Al Jazeera

I took part in an episode of AJ’s “From Washington” show with Ryan Grim of the Intercept and my former congressman Jim Moran (D.-Va.), discussing disinformation campaigns on social media. At one point, Moran paused to say “Ryan and Rob are extremely intelligent and informative,” which I trust was equally effusive overdubbed into Arabic. The conversation later pivoted to the political scenario in Sudan, a topic I am maybe as prepared to discuss as any regular reader of the Washington Post’s A section.

8/10/2019: DNA Test Kits: Everything You Need to Know, Tom’s Guide

In this first post for a new client, I went about 2,000 words into the weeds on the privacy, legal and mental-health risks of taking DNA tests that may create facts you’d wish you could uncreate. That’s not my last post on DNA testing for Tom’s Guide, so if you have questions I didn’t get to in this feature, please ask away.

Weekly output: Facebook customer dissatisfaction, Facebook meddling in the Middle East (x3)

Tuesday has me departing for Las Vegas for the Black Hat and DEF CON information-security conferences, aka Hacker Summer Camp. In addition to the usual risk of getting pwned, this year I and other attendees will also have to deal with a plague of grasshoppers.

[Image: Yahoo Facebook ACSI post]

7/30/2019: Study shows Facebook’s customer-satisfaction scores plunging, Yahoo Finance

A new survey from the American Customer Satisfaction Index showed people’s contentment with Facebook plummeting to depths you could call Comcastic–except the cable company still rated lower in ACSI research earlier this year. If this post seems somewhat familiar, you may remember me writing up a similar set of ACSI findings in 2010. The issue of what we’ve learned about Facebook in the intervening years is left as an exercise for the reader.

8/1/2019: Facebook catches meddling from Saudi Arabia, United Arab Emirates, Egypt, Al Jazeera

The Arabic-language news channel had me on air live–twice in this day–to talk about Facebook’s announcement that it had booted hundreds of accounts and pages run out of Saudi Arabia, the United Arab Emirates and Egypt for “coordinated inauthentic behavior,” its phrase for disinformation campaigns.

8/2/2019: Facebook catches meddling from Saudi Arabia, United Arab Emirates, Egypt, Al Jazeera

Saudi Arabia misbehaving on social media put the Qatari network into flood-the-zone mode–not difficult to understand, given the enmity between the kingdom and Qatar–and so AJ had me on for a second day in a row to talk about this story. If you don’t care about Gulf politics, please consider that the Facebook-meddling move here of impersonating local news sources could work in the many U.S. cities and towns now starved for local news coverage.

Weekly output: Black Hat hacks and security fixes, T-Mobile news, self-driving-car security, voting-machine security, fear of robots

Most of this week’s copy was reported and written the previous week at the Black Hat security conference in Vegas. Considering my own frequently-elastic interpretations of deadlines, I can’t complain about editors with their own crowded calendars taking a day or two to give their full attention to my own work.

8/13/2018: Hacks of Macs, Microsoft Cortana are two more reasons why you should install updates, USA Today

I used this column to synthesize my notes from a few different Black Hat talks that intersected to yield the same lesson: You are safer overall if you install security fixes for your apps and devices when they arrive instead of playing IT department and deciding which ones should wait.

8/13/2018: What could T-Mobile uncap for its next Un-carrier news?, Fierce Wireless

I wrote this curtain-raiser for T-Mobile’s Wednesday announcement twice when a late reply from one analyst and my tardy queries to others led me to file a 1.0 version that would make it into Fierce’s mid-day newsletter. The one you can read now includes quotes from those additional experts–none correctly forecasting that T-Mobile would make better customer service its next big push.

8/13/2018: How two car hackers plan to keep GM’s self-driving cars safe, Yahoo Finance

The single most entertaining talk at Black Hat was this presentation from Charlie Miller and Chris Valasek. You may remember them as the guys who hacked a Jeep Cherokee in 2015 to seize control of it with Wired writer Andy Greenberg at the wheel. The two now work for the GM subsidiary Cruise Automation, and at Black Hat they explained how they plan to stop the likes of them from remotely exploiting Cruise’s fleet of self-driving vehicles–in part by removing such attack surfaces as Bluetooth wireless and the FM radio.

8/14/2018: There’s more to election integrity than secure voting machines, The Parallax

Another Black Hat talk gave me one more chance to take a whack at the WinVote voting machines that infested polling places across Virginia–mine included–for a decade. This time around, I checked back with a couple of the experts I’d consulted for earlier coverage of electronic voting machines and learned that both wished they’d paid more attention before to such separate election-integrity issues as voter registration systems.

8/15/2018: Robot workers or human employees, Al Jazeera

I got a request from my usual guy in AJ’s D.C. bureau asking if I could talk about the prospect of robots taking human jobs–both in the private and defense sectors. I was in Boston at the time visiting family, but that proved to be no problem. Instead of them sending a car to my house to take me to their D.C. studios, they ran me over to a studio in downtown Boston, where I did my talking-head duty (overdubbed live into Arabic) wearing one of my brother’s jackets. Since I knew I’d only appear on camera from the torso up, I didn’t bother changing out of the shorts and sandals I’d put on that morning.

Weekly output: mobile payments, Black Hat security, travel tech

I left Black Hat feeling a little overwhelmed–not because of how little time I had to take in things between my arrival in Vegas Tuesday afternoon and my departure Thursday night, but because of how many fascinating briefings I had to miss because I was attending others. And then there’s everything I missed by flying home before DEF CON.

8/6/2018: Hang on, Apple: Phone payments still need work, USA Today

Seeing all the hype over Apple announcing that CVS will finally succumb to reality and accept Apple Pay (meaning you can also pay with any non-Apple phone that does NFC payments) got me feeling cranky enough to write this reality-check post. I’ve since received an e-mail from a reader saying he’s had no problem paying for stuff with his iPhone in Mexico, contrary to a statement in the column based on an incorrect reading of Apple and Google support documents. I’ve asked my editors to correct that part.

8/9/2018: Black Hat attendees are surprisingly lax about encryption, The Parallax

As I was putting together my Black Hat schedule, I got an invitation to tour the network operations center supervising the conference’s WiFi. I thought that visit would allow me a chance to look at a lot of blinking lights, but instead it provided up-close evidence of some horrifyingly slack security practices among a minority of Black Hat attendees.

[Image: FTU DC badge]

8/11/2018: Welcome and Keynote with Rob Pegoraro, Frequent Traveler University Washington, DC

After years of profiting from tips shared in various frequent-flyer forums, I had a chance to give back when FTU host Stefan Krasowski asked if I’d like to talk about my travel experiences to open this two-day program of seminars about airline and hotel loyalty programs and other sorts of travel hacking. We had a great conversation about freelance business-trip economics, the gadget accessories I take on the road, two underrated virtues of United elite status, and my worst airport-transit experience ever. My only regret: Since I couldn’t stick around for the rest of the day, I didn’t have a chance to meet the other FTU speakers, a few of whom I’ve been reading for years.

Black Hat priorities: don’t get pwned, do get work done

LAS VEGAS–I took my own phone and laptop to the Black Hat USA security conference here, which is often held out as a bad idea.

Before I flew out to Vegas Tuesday, I got more than a few “Are you bringing a burner phone?” and “Are you leaving your laptop at home?” questions.

[Image: Black Hat backdrop]

But bringing burner hardware means dealing with a different set of security settings and doesn’t address the risk of compromise of social-media accounts. And writing thousand-word posts on my phone risks compromising my sanity.

So here’s what I did with my devices instead:

  • Put my laptop in airplane mode, then enabled only WiFi to reduce the PC’s attack surface to that minimum.
  • For the same reason, turned off Bluetooth and NFC on my phone.
  • Set the Windows firewall to block all inbound connections.
  • Used a loaner Verizon hot spot for all my data on both my laptop and phone–I even disabled mobile data on the latter gadget, just in case somebody set up a malicious cell site.
  • Connected only through a Virtual Private Network on both devices, each of which was set to go offline if the Private Internet Access app dropped that encrypted connection.
  • Did not plug in a USB flash drive or charge my phone through anything but the chargers I brought from home.
  • Did not download an update, install an app, or type in a password.
  • Did not leave my laptop or phone alone in my hotel room.
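Added here as an illustration, not something from the original post: a PowerShell script that checks a Windows laptop against the first three items on that list (WiFi only, Bluetooth off, firewall blocking all inbound connections) and, with -Fix, applies the firewall and Bluetooth settings. It assumes Windows 10/11 with the built-in NetSecurity and PnpDevice modules, an elevated prompt, and an adapter-name pattern that you may need to adjust.

```powershell
# Added example, not part of the original post: audit a Windows laptop against the
# pre-conference checklist above (WiFi only, Bluetooth off, inbound firewall block).
# Assumes Windows 10/11 with the built-in NetSecurity and PnpDevice modules, run from
# an elevated PowerShell prompt. Pass -Fix to apply the firewall and Bluetooth changes.
param([switch]$Fix)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Windows firewall: every profile enabled and defaulting to Block for inbound traffic.
foreach ($profile in Get-NetFirewallProfile) {
    if (-not $profile.Enabled) {
        $findings.Add("Firewall is disabled for the $($profile.Name) profile")
    }
    if ($profile.DefaultInboundAction -ne 'Block') {
        $findings.Add("$($profile.Name) profile allows inbound by default ($($profile.DefaultInboundAction))")
    }
}
if ($Fix) {
    # One call covers the Domain, Private and Public profiles.
    Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block
}

# 2. Bluetooth: any device still reporting Status 'OK' is active and should be disabled.
$btActive = Get-PnpDevice -Class Bluetooth -ErrorAction SilentlyContinue |
    Where-Object { $_.Status -eq 'OK' }
foreach ($dev in $btActive) {
    $findings.Add("Bluetooth device still enabled: $($dev.FriendlyName)")
    if ($Fix) { Disable-PnpDevice -InstanceId $dev.InstanceId -Confirm:$false }
}

# 3. Physical network adapters: only the WiFi interface should be up. The VPN's virtual
#    adapter is expected to be up, so only physical adapters are checked. The name
#    pattern is an assumption; adjust it to match your adapter's InterfaceDescription.
$wifiPattern = 'Wi-?Fi|Wireless|802\.11'
$extraUp = Get-NetAdapter -Physical | Where-Object {
    $_.Status -eq 'Up' -and
    $_.InterfaceDescription -notmatch $wifiPattern -and
    $_.Name -notmatch $wifiPattern
}
foreach ($nic in $extraUp) {
    # Reported only: disabling a NIC blindly could cut off the link the VPN depends on.
    $findings.Add("Non-WiFi adapter is up: $($nic.Name) [$($nic.InterfaceDescription)]")
}

if ($findings.Count -eq 0) {
    Write-Output 'Checklist passed: WiFi only, Bluetooth off, inbound blocked.'
} else {
    $findings | ForEach-Object { Write-Output "FAIL: $_" }
    exit 1
}
```

The findings are collected before any fix is applied, so run it once with -Fix and again without to confirm that the firewall and Bluetooth items clear; extra network adapters are only reported, never disabled.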

Combined, this probably rates as overkill–unless the National Security Agency or a comparable nation-state actor has developed an intense interest in me, in which case I’m probably doomed. Using a VPN alone on the conference WiFi should keep my data secure from eavesdropping attempts, on top of the fact that all the sites I use for work already encrypt their connections.

But for my first trip here, I figured I’d rather err on the side of paranoia. (You’re welcome to make your case otherwise in the comments.)

Then I showed up and saw that everybody else had brought the usual array of devices. And a disturbing number of them weren’t even bothering to use encryption for things as basic as e-mail.