How do New York Times journalists use technology in their jobs and in their personal lives? Nicole Perlroth, a cybersecurity reporter based in Boulder, Colo., discussed the tech she is using.
As a cybersecurity reporter, what do you do to secure your technology setup?
I went through a period about three years ago of trying to have perfect “op sec” for everything. I used a password manager. I had a spare computer for web browsing beyond email, banking and social media. I used Pretty Good Privacy, or PGP, encryption for any emails with sources. And I refused to buy any “Internet of Things” devices, like a Nest thermostat, fearing that all those devices did was give hackers entry into my home.
But over the past year or so, I have to admit, I’ve backtracked. I’ve covered a few too many breaches of password managers and of security companies, and sophisticated nation-state attacks, to believe that there is such thing as “op sec.”
So now my goal is to try to make the lives of cybercriminals and spies harder online, and take my most sensitive communications completely offline — which in practice means meeting my most coveted sources at a set date, time and place once a quarter.
Online, I do make sure to use two-factor authentication whenever it is available. I use Gmail and Chrome’s web browser because those have proved to be the most secure email and web platforms over time. I use encryption apps like Signal, Wickr and Telegram for any sensitive online communications and text messages. I never allow any apps access to any information — like my whereabouts — that they do not need. And I try to exercise good password hygiene, by which I mean I change my passwords regularly, often to long phrases I can remember, and use different, stronger passwords for more sensitive data, like my email, banking and medical records. And as a last resort, I watch what I say in my emails and keep my web camera covered.
What tech tools or web services do you avoid to prevent sensitive information from being exposed?
Alexa, Google Home, Dropcam and anything that has real-time access to my home scare me to death. Likewise, I steer clear of any free music, games or entertainment services for fear of catching a virus. And I never, ever click on links in emails.
Also, I stay far from any app that has not been vetted by Google Play or Apple. It’s disturbingly easy for cybercriminals to design apps that mimic a benign, mainstream product, then plant it in third-party app stores. Once downloaded, those apps potentially have access to every critical piece of information you store on your phone, by which I mean everything.
There was a case this year of a seemingly benign flashlight app in the Google Play store that was stealing users’ banking information. And another flashlight app the year before that was recording audio from users’ phones and sending it to Beijing. That is pretty much my worst-case scenario.
Well, actually the worst-case scenario is someone taking control of my self-driving car. It will be a while before I feel safe buying one of those.
Equifax, the credit bureau, was hacked recently. What did you do?
You mean after I slammed my head on my desk several times? The Equifax hack continues to infuriate. Here’s a company that proved to have minimal security in place, despite the fact it houses our most sensitive information — involuntarily for many of us, I’m afraid — and was hacked after two major, recent security incidents.
As for what I did, I signed up for the credit monitoring, froze my credit and then banged my head against my desk a few more times. This is actually the second time my information has been stolen. I used Anthem for insurance, which was nearly as bad. At this point, all I can do is freeze my credit, change my passwords, set stricter security settings on my life and pray.
Beyond your job, what tech product are you currently obsessed with using in your daily life?
For a tech reporter, I’m actually fairly agnostic about tech in general. I’m not one of those people constantly experimenting with the latest, greatest apps and services. I do not understand Snapchat. Do emojis count? I am bullish on emojis.
As far as my daily tech use, the first thing I do when I wake up in the morning is turn on a podcast, usually The New York Times’s “The Daily” podcast. Then I’ll check Twitter and the Times app. I use The Times’s Cooking app to plan my groceries for the week.
I do use Instacart, though I wish I wasn’t that lazy. And I am one of Spotify’s biggest users. I probably make a new playlist once a week, then I blast it through the house via Sonos. I use Google Docs and Dropbox for work. I try my best to stay off Facebook, but I do use Instagram, mostly to entertain my dog’s followers. He has his own account: “Homerthebestdog,” though we just had to change the name to accommodate our new puppy, so now it’s “HomerandHanzo.” (Sorry, Homes!)
What could be better about the tech?
My biggest beef with the tech I use is robots. As we’ve seen in recent weeks, Facebook, Google and Twitter — especially Twitter — have a huge troll and bot problem. And these aren’t your benign Twitter egg bots. These are now Russian state-backed bots. It’s amazing to see how successful some of their propaganda campaigns have been, and I don’t go a day on Twitter without coming across an obvious bot these days.
I believe in free speech. But I do not believe in free speech for robots.
Smartphones have been equipped with fingerprint sensors for years. Now Apple is moving into face recognition for unlocking a phone. Like or dislike, and why?
That’s a tough question. I am in favor of anything that replaces passwords. Passwords are useless, annoying and security’s weakest link. So initially I applauded Apple’s move to fingerprint sensors.
The problem, of course, is that nothing is completely secure. Over the past few years, a number of security researchers have demonstrated just how successfully fingerprint sensors can be tricked. Now we are moving to facial recognition technology, which has proved to be more secure, but comes with additional privacy concerns. A number of privacy activists have said they worry Apple’s move into facial recognition will “normalize” the practice and prompt everyone from data brokers and advertisers to governments to use facial recognition technology for dodgier use cases, or surveillance.
I think they raise legitimate concerns. But I’m also of the mind-set that the people I worry most about having access to my face template — namely spies or cybercriminals I’ve angered with my reporting — will be able to access anything they want about me with enough time and resources, anyway.
(The New York Times)