[conspire] Why to be skeptical about IT reporting

Rick Moen rick at linuxmafia.com
Thu Aug 9 16:35:31 PDT 2018


There's an old joke that the 'Information Technology' beat reporter at
any magazine was whichever one could touch-type.  There are any number
of honourable exceptions, but I'm frequently reminded of that gag in
daily reading.  Today's example:  Derek Hawkins, 'Cybersecurity' (whoa,
badassery, I'm impressed) reporter at WashPo, in the July 24th PowerPost
analysis piece.
https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2018/07/24/the-cybersecurity-202-justice-department-to-mount-another-encryption-push-despite-setbacks/5b55fd431b326b1e646954d8/

It's a security news-roundup piece, and in general is fine, but includes
one amusing howler:


  PATCHED: Google says its decision to have employees use USB devices
  called Security Keys instead of two-factor authentication has helped
                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  curb phishing, the computer security blog KrebsonSecurity.com reported
  Monday. 

Um, hey?  What does two-factor authentication mean, again?


Google's Security Key appears to be a Feitian FIDO device (e.g.,
https://www.ftsafe.com/products/FIDO/Multi) except with custom firmware.
These implement U2F protocol (Universal Second Factor), sponsored by the
FIDO alliance of which Feitian, a security firm, is a leading member.
The FIDO dongle provides a prearranged second keypair authentication
for registered uses, alongside a PIN.

And is thus by definition two-factor authentication.


Author Hawkins's problem, I would guess, was over-reliance on
Brian Krebs' cited primary-source article,
https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/
which has misleading wording.


If you think about it, if there were _not_ a requirement for some sort
of second factor (a password/PIN or biometrics, for example), then
anyone who steals a security dongle like the Google Security Key 
would steal the ability to break into anything it can do.  Google, Inc.
would thus have eliminated one security problem (employees' reliance on
just passwords) and replaced it with a bigger one (employees' reliance
on not losing or being pilfered of a hardware dongle).

So, Hawkins's wording as stated didn't make much sense.  But you have to
_either_ know some basics of security _or_ be willing to look up terms 
like 'two-factor authentication' before using them.  On the evidence,
Hawkins did not.

And this sort of thing happens all the time in IT journalism, the
product of short deadlines, overwork, and reporters' reliance on primary
sources without really understanding those.
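As an added illustration of the point made in the post above (it is not the poster's code, nor Google's or the FIDO Alliance's), here is a simplified model of a U2F-style login in Go: the hardware key is a possession factor that signs a server challenge bound to the origin it was registered at, and a password or PIN is the knowledge factor checked by the server. The real protocol's wire format (application-ID hash, signature counter, user-presence flag, attestation) is left out; origin names and the password are constructed sample values, and the SHA-256 password hash stands in for a proper password-hashing function. The three scenarios show why both factors matter: a stolen key without the password fails, and a password phished together with a signature produced for the phishing origin also fails, because the signature does not verify against the real origin.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Authenticator stands in for the hardware key: private keys never leave it,
// and each registered origin gets its own keypair (as in U2F).
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
}

// Register creates a keypair for origin and hands the public half to the server.
func (a *Authenticator) Register(origin string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[origin] = priv
	return &priv.PublicKey, nil
}

// Sign answers a challenge for the origin the browser reports. The origin is
// part of the signed data, so a signature made on a look-alike site is useless
// at the genuine one.
func (a *Authenticator) Sign(origin string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[origin]
	if !ok {
		return nil, errors.New("no key registered for origin " + origin)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedData(origin, challenge))
}

// signedData binds the challenge to the origin (simplified; real U2F signs
// appId hash || flags || counter || client-data hash).
func signedData(origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0})
	h.Write(challenge)
	return h.Sum(nil)
}

// Server holds the knowledge factor (password hash) and the possession factor
// (the key's registered public key) for one user.
type Server struct {
	Origin   string
	passHash [32]byte // stand-in for a real password hash such as bcrypt/argon2
	pub      *ecdsa.PublicKey
}

func NewServer(origin, password string, pub *ecdsa.PublicKey) *Server {
	return &Server{Origin: origin, passHash: sha256.Sum256([]byte(password)), pub: pub}
}

// NewChallenge issues a fresh random challenge; reuse would allow replay.
func (s *Server) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Login succeeds only when BOTH factors check out: that is what makes it 2FA.
func (s *Server) Login(password string, challenge, sig []byte) error {
	h := sha256.Sum256([]byte(password))
	if subtle.ConstantTimeCompare(h[:], s.passHash[:]) != 1 {
		return errors.New("knowledge factor failed: wrong password")
	}
	if !ecdsa.VerifyASN1(s.pub, signedData(s.Origin, challenge), sig) {
		return errors.New("possession factor failed: signature does not verify for this origin")
	}
	return nil
}

// Scenarios runs three logins and returns the outcome of each (nil = success).
func Scenarios() (map[string]error, error) {
	const realOrigin = "https://accounts.example.test" // constructed sample
	const phishOrigin = "https://accounts-example.test" // constructed look-alike
	const password = "correct horse battery staple"    // constructed sample
	auth := NewAuthenticator()
	pub, err := auth.Register(realOrigin)
	if err != nil {
		return nil, err
	}
	srv := NewServer(realOrigin, password, pub)
	res := map[string]error{}

	// 1. Legitimate user: right password, key signs for the real origin.
	ch, _ := srv.NewChallenge()
	sig, _ := auth.Sign(realOrigin, ch)
	res["legitimate"] = srv.Login(password, ch, sig)

	// 2. Stolen dongle: the key signs correctly, but the password is unknown.
	ch, _ = srv.NewChallenge()
	sig, _ = auth.Sign(realOrigin, ch)
	res["stolen key"] = srv.Login("not the password", ch, sig)

	// 3. Phishing: password captured, but the key answered the challenge for the
	// look-alike origin the browser reported, so the signature fails at the real site.
	if _, err := auth.Register(phishOrigin); err != nil {
		return nil, err
	}
	ch, _ = srv.NewChallenge()
	sig, _ = auth.Sign(phishOrigin, ch)
	res["phished password"] = srv.Login(password, ch, sig)
	return res, nil
}

func main() {
	res, err := Scenarios()
	if err != nil {
		panic(err)
	}
	for name, outcome := range res {
		fmt.Printf("%-18s -> %v\n", name, outcome)
	}
}
```

Only the first scenario succeeds. The other two are exactly the cases the post argues about: a key on its own is one factor, and the origin binding is the property that stops a phished password from being enough.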