August was the month that I finished coursework for my Masters degree in Mass Communication, the month I spent a week at DEF CON playing Open CTF and connecting with friends, new and old, and the month my husband and I escaped to Minnesota to see family and go on a bit of a vacation. August also saw the culmination of two projects I’d put a considerable amount of time into, as well as a very important post I put together quite quickly. It’s also the month I’ve been building up business again after a year of working overtime—so if you are in need of an investigative tech reporter, please get in touch.

The Best VPN Service (Wirecutter)

I spent months researching and testing VPNs, and these are the results. I was hesitant to take on this project after penning a post on how you couldn’t meaningfully rank VPNs back in 2016, but couldn’t pass the opportunity to write for one of my favorite sites. Luckily, I had a handful of technical experts who answered countless questions as I worked through what data I could find in an incredibly opaque industry. In particular, Dan Guido, cofounder and CEO of Trail of Bits, spent two hours talking me through the ins and outs of security audits and their limitations, security challenges I was unaware of, and other considerations that hadn’t crossed my mind. And, of course, my editors and the entire team at Wirecutter were also amazing. Sarah Jeong linked to this piece in The New York Times’ Privacy Project newsletter, which was pretty cool.

FEMA Still Struggles With Post-Disaster Planning (News21)

This piece, written in collaboration with Harrison Mantas and Kailey Broussard, is the culmination of 10 weeks of reporting on how FEMA still struggles with coordination and communication during disasters, even after years of reforms and reorganizations. It was done for News21, as part of a larger project on disaster recovery called State of Emergency. This piece was picked up by NonDoc in Oklahoma, which was neat since my fellowship (and Harrison’s!) was funded by the Oklahoma-based Ethics and Excellence in Journalism Foundation.

Facebook Insists No Security ‘Backdoor’ Is Planned for WhatsApp (OneZero)

The company is fighting back against rumors that it would scan messages on users’ phones prior to encryption… and I delved into some of the ways we could tell if this wasn’t the case. For this piece, I interviewed a WhatsApp spokesperson and Steve Weis, a fellow at the Aspen Tech Policy Hub and former software engineer at Facebook.

Coming Up

It’s been a weird month since I was on vacation for half of it and business is just revving up again now that I’m done with school, and I’m still working on some long-term projects that may or may not be up in September. At the very least, you can look forward to a profile of a marine toxicologist this month. And in October, Mr. Robot is returning…

Self-promotion doesn’t come easy for most journalists. We know that our work doesn’t have impact without an audience, and that editors look at a variety of metrics including page views. We’re used to cutting and pasting URLs and tags into a growing litany of fora. At the same time, we’ve also been trained to not be a part of the story.

And for good reason. It takes a village to write an article. Security researchers and academics sharing their findings and patiently answering basic questions. Whistleblowers and activists, anonymous or otherwise, putting themselves at great risk to speak truth to power. Non-profit organizations, doctors, experts in every capacity…without great sources, our work is nothing.

And that’s not even mentioning the team behind each publication, comprised of editors, copyeditors, fact-checkers, developers, designers, social media experts, the list goes on and on.

So when I say that I wrote 51 articles or blog posts this year for 25 different sites or publications, or that I co-hosted 12 podcasts, or that my content marketing textbook was published…well, I should really be giving that credit to everyone else.  For 2018’s Top 12, presented in chronological order, I’ll share a little bit of backstory and highlight some of the people who helped me bring the stories to fruition.

A Practical Guide to Microchip Implants (Ars Technica) An estimated 50 to 100k folks have implants; how do the benefits compare to the risks?

I thought of this story when I was at DEF CON and I saw people line up to get microchip implants injected into the subdermal fascia  between their thumbs and forefingers. This was after a Wisconsin-based tech company was getting skewered for offering to pay for its employees to be voluntarily microchipped. It was difficult to reconcile the two, and I set out to figure out what the real security risks were. I did a lot of interviews and uncovered a lot of FUD, like a game of whack-a-mole, and ended up pivoting a bit from what this piece was originally meant to be….something Ars editor Nathan Mattise is great at rolling with. Special thanks to security whizzes Tarah Wheeler and Drew Porter and to Amal Graafstra, the ever-patient Dangerous Things CEO.

Hackers Are So Fed Up With Twitter Bots, They’re Hunting them Down Themselves (The Intercept)

I learned about this story from Sean O’Brien at Yale Privacy Lab—the idea that pornbots were so ubiquitous and Twitter was so behind the curve in stopping their spread that French security researcher Baptiste Robert had come up with his own solution. Then I learned that a group of five archivists, data journalists, and academic researchers in Sweden were doing something similar. Last but not least, I finally had an excuse to interview the amazing Erin Gallagher, who creates these gorgeous data visualizations of Twitter bot networks showing clusters of retweet networks, hub accounts, and other information, using the visualization software tool Gephi. This piece was edited by the amazing Ryan Tate. (I was even interviewed for a podcast about this article, but I didn’t realize they didn’t want me to mention pornbots. Oops.)

Here’s a Long List of Data Broker Sites and How to Get Off of Them (Motherboard) (Also: What Are ‘Data Brokers’ And Why Are They Scooping up Information About You?)

These sites you haven’t heard of are sharing boatloads of info about you, which is annoying, and scary, and I’m grateful to Motherboard for letting me share what I call “the big-ass data broker opt out list” that I started compiling for local cryptoparties, and then for Trollbusters, and now for Vice. For this piece, I got great information from Amul Kalia (then at EFF), Paul Stephens at Privacy Rights Clearinghouse, Tiffany George at the FTC, Joe Sutton at DeleteMe, Harvard’s Berkman Klein Center for Internet & Society sysadmin Griffin Boyce and web engineer Tony Webster. These articles were edited by Emanuel Maiberg, who’s a pleasure to work with.

Why Is It Okay For Cellphone Companies to Sell Your Data to Third Parties? (Slate/Future Tense) We shouldn’t be complacent about this.

When I was reading about how Robert Xiao discovered the vulnerability in a platform that revealed the real-time location of basically everyone with a cellphone in the United States, I already recognized his name. I’d interviewed him for a fun post about computer security ‘Capture the Flag’ games…and now look at him. For this piece I also spoke with Chris Calabrese, vice president for policy at the Center for Democracy & Technology. This piece was edited by Torie Bosch, who is a pro.

Medical Device Security: Hacking Prevention Measures (Enterprise.nxt) With so many lives at stake, computer scientists and healthcare IT pros are motivated to develop strategies that keep patients safe from medical device hackers. They’re making progress.

This post is top of mind because I just attended the second annual CyberMed conference, where physicians, security researchers, manufacturers and regulations teamed up to address healthcare cybersecurity challenges. I continue to be inspired by the hackers and physicians and hacker physicians who work hard to harden systems, create device resiliency, and build awareness of the dangers of internet connectivity meeting pacemakers and infusion pumps, through not just talks but also harrowing simulations.

Quoted in this piece are Josh Corman, who co-founded I Am The Cavalry, Roman Lysecky, professor of electrical and computer engineering at the University of Arizona, and Dr. Jeff Tully, a security researcher and physician. Change in this space is slow, so I’m glad we have people like them chiseling away at it and hopefully helping keep us all safe.

This piece was edited by Esther Schindler, who I’m lucky to know IRL.

German Police Raid Homes of Tor-Linked Group’s Board Members (ZDNet) One board member described the police’s justification for the raids as a “tenuous” link between the privacy group, a blog, and its email address.

This post was a hand-me-down from one of my favorite security reporters, who is on staff at a publication that couldn’t run this piece. There was an incredibly tight deadline over a holiday to find somewhere to place this, and I simultaneously pitched it to every good editor I could think of. (Some even got back to me after I’d already sold it to someone else.) For this piece, I quoted the very brave Moritz Bartl. A friend who speaks the language helped me try reach out to German police for a statement, for which I am grateful. My editor was the inimitable Zack Whittaker, who is now at TechCrunch.

British and Canadian Governments Accidentally Exposed Passwords and Security Plans to the Entire Internet (The Intercept)

This article is just one of many “private” Trello boards that security researcher Kushagra Pathak (who is looking for work, by the way!) found exposed to the entire internet. Check it out, check out his Medium posts, and check out Micah Lee’s article on Pathak’s U.N. research.

A Critical Look at Sovereign Identity Startups (Breaker) A new wave of startups is offering a fundamentally different approach to data collection and use.

This article idea was given to me by my editor, Julie. Blockchain stories ain’t easy, and this one in particular was a lot to wrap my head around. In addition to several Breaker editors shepherding this piece, multiple security researchers literally spent hours on the phone and on chat with me making sure I got all the details right. I also quoted infosec pro Cem Paya and software engineer Andrew Trainor in the piece.

Full Engagement (Museum)

Museums globally are expanding their social role—and value—by engaging underserved communities.

This is another piece that came to me thanks to editors Gayle Bennett and Dean Phelus and the fact that this year’s American Alliance of Museums conference happened to take place in Phoenix. I was thrilled to interview Museum of Egyptian Antiquities curator Wesam Mansour, Milena Micić, senior curator of art collection at the Homeland Museum of Knjaževac, Serbia, Tatiana Quevedo, education department coordinator at Museo de Arte Contemporáneo de Bogotá in Colombia, Marcela Giorla, Head of Education at the Museum of Contemporary Art of Buenos Aires in Argentina, German Paley, community outreach coordinator at the Museum of Modern Art of Buenos Aires in Argentina, Ignacio Vazquez, curator at Museo Memoria y Tolerancia in Mexico City, and Susana Mejia, coordinator of programming and communications at Museo Pedro Nel Gómez in Medellín, Colombia.

Circle the City “Inspired Soles” Exhibit at Found:RE Puts Homeless Artists on Display (Phoenix New Times)

This piece started out as a class assignment for my Digital Print course at Cronkite. It was edited by Doug Markowitz. I spoke with Circle the City art teacher and former patient Michael Reilly, Found:RE cultural curator Michael Oleskow, and Circle the City Director of Development Kimberly Hall. I got to attend the exhibit with some classmates at Cronkite, which was really rewarding.

IRL Ads are Taking Scary Inspiration from Social Media (Medium/The New New)

The billboards are watching you

This post was assigned to me by talented editor Damon Beres. I spoke with software engineer Elleen Pan, author Bob Hoffman, associate professor of media design David Carroll and, Yale Privacy Lab researcher Sean O’Brien

How I Tracked Down the Delicious Israeli Pudding of My Childhood (Munchies)

Milky is iconic for those who grew up in Israel in the 80s, but proved to be a feat to find stateside.

I haven’t written about food in years, but visiting my parents in Israel brought back a flood of memories and I was grateful for the opportunity.This post didn’t really use sources other than a company spokesperson, but I had several friends and family members in Israel and Germany helping me track down prices. This piece was edited by Hilary Pollack.

BONUS

Facebook Is Not Equipped to Stop the Spread of Authoritarianism (TechCrunch)

Whether by accident or design, Facebook makes it easy for even low-tech governments to silence dissent.

This post was one that I spent months on for a publication where it ultimately didn’t get published due primarily to my concerns over source protection. I was thrilled to have it posted in a site with such a wide reach and an editor as solid as Zack Whittaker. The article includes quotes from Access Now policy director Raman Jit Singh Chima, Access Now Asia policy associate Naman M. Aggarwal, Yale Privacy Lab researcher Sean O’Brien, Human Rights Watch South Asia director Meenakshi Ganguly, and a brave source we granted anonymity due to fear for their personal safety.