Perlroth, How the World Ends, and Errata

This will be my fourth and very likely final blog on Nicole Perlroth’s book, “This Is How They Tell Me The World Ends”, as far as the subject matter goes. I may write a couple more that are centered around vulnerability history, based on something included in the book, but more along the lines of “setting the record straight” with a broader misconception in the industry that certainly isn’t exclusive to this book. I say ‘may’ because it will depend on my research into a couple of topics.


As I have mentioned in prior blogs, I enjoyed this book. I feel it was very well researched and it offered information about the world of vulnerabilities that was new to me, which I appreciated. I recommend this book if you are interested in the topic of zero-day vulnerabilities and the markets around them as it is comprehensive. Finally, I really appreciate that Perlroth included extensive notes at the end that offer a variety of formal and informal citations for further reading and justification for many comments made.

I offer this opinion once again because this blog will be a bit more negative, focusing on parts of the book that I took exception with. If I am correct about any of the following criticisms, it is just as much a reflection on her editors as it is on Perlroth, so this is not leveled at her specifically. I understand errors are made, we all make them; that said, the process of writing a book should have such content go through at least three sets of eyes (if not more) so I think it is fair to level this criticism to everyone involved. While I may use Perlroth’s name below, consider it to mean “Perlroth et al” in the context above.


Errata

p6: “After three years of covering nonstop Chinese espionage, a big part of me was reassured to see that our own hacking capabilities far exceeded the misspelled phishing emails Chinese hackers were using to break into American networks.” This line so early in the book made me groan and double-take as it seems to unfairly equate an incredible variety of Chinese threat actors into a single category. While I have no doubt this characterization is true for some, I think it is not true in the bigger picture. Further, it implies that the U.S. doesn’t misspell anything in phishing mails our hackers send out to foreign targets.

p7: “The [NSA] appeared to have acquired a vast library of invisible backdoors into almost every major app, social media platform, server, router, firewall, antivirus software, iPhone, Android phone, BlackBerry phone, laptop, desktop, and operating system.” Just a page after the prior quote, this line also raised my skepticism. Perlroth seems to conflate zero-day exploit with backdoor, despite them being very different things. This may be a bit nitpicky, especially since the Wikipedia definition blurs the lines, but given that the topic of the book is all about vulnerabilities and exploits I think it is important to point out. Coming up in InfoSec, a vulnerability could get you access to a resource and a backdoor could as well. The difference was that one was accidental and the other intentional, but both came from the vendor. Even if the NSA pressured a vendor to include a backdoor, which they have, it is still a vendor-shipped flaw in the code with intent to subvert the security of the system. Perhaps this is terminology that is all but lost like the classic hacker vs cracker vs … debate.

p7: “Zero-days are the most critical tool in a hacker’s arsenal. Discovering one is like discovering the secret password to the world’s data.” There’s a lot to unpack here. First, zero-days are not the most critical tool in the vast majority of hackers’ arsenals. As Perlroth covers, phishing attacks that do not rely on a vulnerability, or that use known but unpatched ones, are quite effective. Second, the “secret password to the world’s data” is hyperbole since any one zero-day will get you access to a fraction of a single percent of the world’s data. This description makes it sound like just one, any one, has a level of access and power they simply do not.

p8: “A series of seven zero-day exploits in Microsoft Windows and Siemens’ industrial software allowed American and Israeli spies to sabotage Iran’s nuclear program.” For a book on zero-day exploits to start out incorrectly stating how many zero-day exploits were used in Stuxnet is discouraging. More so that Perlroth later cites Kim Zetter’s definitive book on the topic with glowing praise, yet still gets this bit wrong. As previously reported and referenced on Wikipedia, Stuxnet used four zero-day exploits. [1] [2] [3]

p8: “Depending where the vulnerability is discovered, a zero-day exploit can grant the ability to invisibly spy on iPhone users the world over, dismantle the safety controls at a chemical plant, or send a spacecraft hurtling to earth [sic]. In one of the more glaring examples, a programming mistake, a single missing hyphen, sent the Mariner 1 – the first American spacecraft to attempt an exploration of Venus – off-course, forcing NASA to destroy its $150 million spacecraft 294 seconds after launch, or risk it crashing into a North Atlantic shipping lane or worse, a heavily populated city.” While there have been rumors and urban legends around hacking satellites, a vast majority of which have been debunked, using the Mariner 1 as an example of what can go wrong due to a vulnerability, without caveat, is unfair. That spacecraft had a bug in it that has never been said to be exploitable. This is essentially the same as the countless “vulnerability reports” of applications that do nothing more than demonstrate a stability issue leading to a crash, not something that can realistically be exploited by a bad actor. This example is frustrating because later in the book, Perlroth provides many examples that are just as compelling and actually happened as a result of vulnerabilities.

p63: “In the hacking community, Charlie’s paper was alternately celebrated and condemned. Some cast him as an unethical researcher who, by selling his zero-day to the government and waiting so long to come forward with it, had put millions of Linux users at risk. Some pushed to have his cybersecurity license stripped.” I can’t imagine what this is supposed to mean since there is no such thing as a “cybersecurity license.” Even if this was to mean some certification, that is very different than a license.

p123: “Once the worm was on that first Natanz computer, a second Microsoft Windows zero-exploit kicked in – though technically, this second exploit wasn’t a zero-day at all.” This isn’t ideal for explaining this topic to non-technical readers. Introducing a new term, presumably by mistake, then immediately contradicting it in the same sentence is confusing.

p222: “Jobert would send discs flying out of Michiel’s hard drive from two hundred yards away.” I debated if this belonged in the hyperbole blog or this one and settled for here. There is simply no analogy to be had and even as an exaggeration this makes no sense.

p257: “Ekoparty was still dwarfed by Def Con, Black Hat, and RSA, but what it lacked in numbers and glitz, it made up for in raw creative talent. Absent were the booth babes and snake-oil salesmen that had overrun the big hacking conferences in the States.” Perhaps a bit nitpicky here, but of the three conferences listed, only one is a “hacking conference”. That conference does not have booth babes and essentially only merchandise vendors, so no more snake-oil salesmen than any other conference, including Ekoparty I would wager. Further, note that Black Hat has been held on three continents for many years now.

p263: “When I got to my room, the door was ajar .. Everything was just how I had left it, except the safe that had held my laptop. It was wide open. My computer was still inside, but in a different position .. I wondered if this was some kind of warning shot. I took a sober look at the laptop. It was a loaner. I’d left my real computer at home and stuck to pen and paper at the conference. There’d been nothing on the laptop when I’d left; I wondered what was on it now. I wrapped it in an empty garbage bag, took the elevator back down to the lobby, and threw it in the trash.” Personally, I find this brief part of Perlroth’s visit to Ekoparty in Buenos Aires mind-boggling. She describes the conference as having the “best exploits on the market”, representatives from large companies looking to recruit, and countless attendees looking to sell exploits, all in a chapter titled “Cyber Gauchos”. With all of that, and the topic of the book she was researching, why would you ever throw away that laptop? Keep it, take it to someone capable of determining if it was backdoored and how. If lucky, figure out where it was accessed from in the subsequent weeks to perhaps get an idea who was behind it. That would have been a fascinating story by itself and a great addition to this chapter. Instead? A laptop with what might have been high-end unique malware was just thrown in the trash.

p332: “The only trace that it had been used was a second, complementary NSA exploit, code-named DoublePulsar, that was often used to implant EternalBlue into machines.” I think this is backwards as DoublePulsar is the implant (backdoor) and EternalBlue the remote vulnerability (CVE-2017-0144) that can be exploited to implant it.


It’s Complicated

There is one more piece of Errata that is complicated to unpack. This is due to just two lines containing quite a few bits of information, but the associated citations in the Notes section being missing or problematic. From pages 6-7 in Chapter 1, pardon the image as WordPress.com doesn’t apparently let you highlight sentences, only blocks:

The notes for chapter 1 provide citations for some of the content including in this order: a Mariner 1 incident, Menn’s article on “the NSA’s interception of Yahoo data”, Fehri’s article on the Times delaying a NSA wire-tapping story, Snowden / Vargas-Cooper bit about the same delay, and a Perlroth story leak covered by Smith. Compare the cited references to the book paragraph quoted above and it breaks down as:

  • First line is not cited but covered by many easy-to-find articles including this one by Reuters in 2013.
  • Second line is problematic as Perlroth writes that the CIA infiltrated factory floors at “leading encryption chip makers” to backdoor them, but does not offer a citation. Given that it follows a voluntary backdoor in RSA, it is a separate series of events. The wording also does not match the well-known Crypto AG saga. Given the severity of such incidents, it seems like this would come with a reference.
  • Third line is cited as coming from Joe Menn’s article “Exclusive: Yahoo Secretly Scanned Customer Emails for U.S. Intelligence”. The first issue is that the cited article about Yahoo & Google only mentions Google twice, both to say the company denied doing any searches. The second, and more serious issue, is that the article title itself specifically counters the narrative that Perlroth offers. Yahoo scanning customer emails on behalf of the U.S. Intelligence agencies is very different than them “hacking their way into the internal servers before the data was encrypted”.
  • Fourth line is cited in the notes.

If four lines in a book are that problematic, especially in chapter one, it can be difficult to digest the rest of the material. It may cause the reader to constantly question if what they are reading is accurate and well-founded.


Parting Gift

The following quote is in the book, but one where Perlroth quoted someone she spoke with. I offer this up as a parting gift because of just how absurd it is. I wish I could say it is out of context, and it might be, but any lost context seems not to have made it in the book if so.

“That’s why the Europeans are so good at writing exploits, after babies, European parents get like a year to hack.” — Charlie Miller

Studies, articles, and social media activism are just a start.

I would imagine everyone reading this, who partakes of social media to any degree, is getting worn down with the social media activists. Like everything, there are some that are effecting change and doing great work. They use the media to spread the message while helping to enact change in other ways. Basically, doing more than just ‘awareness’. You can Tweet and Facebook and Tumblr all day long about “help our vets”, and the sentiment is great. But until you turn that effort toward people who can effect change (e.g. politicians), it’s not likely to actually help a veteran. Oh, and you do occasionally promote charities that help the veterans and donate yourself… right?

Yesterday, “Spouse-gate” happened at the ASIS / ISC2 Congress event. In a nutshell, a female InfoSec professional is a speaker at the conference, and her InfoSec professional husband joined her as a regular attendee, but via the “plus one” that the conference provides for. Each “plus one” in the eyes of ISC2 is the spouse, which by definition is the husband or wife. So imagine his surprise when he goes to the registration desk and finds the staff “utterly confused how [he] could be a spouse and asks [him] four times how [he’s] a spouse”. Did the meaning of spouse change sufficiently in the past years, that it is only applied to females? He explains several times that his wife is speaking, and he is her “plus one”, and they finally understand. Next, they give him a con swag bag and information regarding ‘spouse events’ which include shopping trips. The bag included two bottles of hand lotion, an empty photo album, shopping coupons, a magazine, and the business card for Jay Claxton, the Director of Loss Prevention at Marriott Vacation Club International.

I think it safe to say that the conference bag for spouses is a clear case of misogyny. Now, why am I posting about this? Peruse the bag contents and scroll down…

isc2-bag

I have been an outspoken critic of ISC2 for many years. In the last couple of years, I have toned down that criticism considerably, for various reasons. The biggest reason is that one of the board members, Wim Remes, reached out to me and prompted many discussions over a year. He made an effort to get my feedback on how ISC2 could improve in their process and public perception, and get back on track (my words) with their intended purpose of making the security industry better. When someone in a position to effect change reaches out and demonstrates they want to make things better, it is time to help them rather than continue to criticize the organization. In that time, Wim has done an incredible job working to change the organization from the inside. Sorry for the diversion, but I feel it is important to give credit to those working very hard toward bettering our industry.

At some point in the last year or two, ISC2 has taken on a very public “pro-woman” stance (scroll through their Twitter feed). They have collectively called for more equality in the workforce in our industry. In fact, within one hour of ‘Spouse-gate’ starting, ISC2 was Tweeting about women remaining underrepresented in InfoSec. It’s hard to understand how an organization can promote a great cause while also devolving to the base levels of misogyny that are a root cause of the inequality.

isc2-tweet

Social media activism can do great things. But many of the great things that can be done get lost in the noise of people blindly re-posting feel-good messages that ultimately do very little to do actual good, and concretely support the cause. If organizations like ISC2 want to help effect real change, they need to “be the change that [they] wish to see in the world.” In short, more doing and less grandstanding.

Anatomy of a NYT Piece on the Sony Hack and Attribution

There is a lot of back-and-forth over who hacked Sony Pictures Entertainment. For a not-so-brief summary, here is an extensive timeline to catch you up. I am going to drill down on a single point as it is both fascinating and disgusting. Using a single article that is heavily influencing people around the world, and helping to polarize the InfoSec community on who hacked Sony, I want to show you exactly what you are quoting and reading. Why? Because people don’t seem to be reading past the headline or first couple of paragraphs. What seems like a strong, definitive piece falls apart and begins to contradict itself entirely halfway through the article. The New York Times piece in question is titled “U.S. Said to Find North Korea Ordered Cyberattack on Sony”.

Consider what the headline says. First, it says that North Korea ordered the attack on Sony. Second, it says the U.S. has found out, meaning there is some body of evidence that led to that conclusion. Seems simple enough. But where does this come from?

American officials have concluded that North Korea was “centrally involved” …
Senior administration officials, who would not speak on the record …
Officials said it was not clear how the White House would respond.
Other administration officials said a direct confrontation with the North would provide North Korea with the kind of dispute it covets.

So how many officials are we talking about here? American officials? Senior administration officials? “Other” administration officials? Not a single one on record, which is very curious given named sources are the backbone of solid reporting. Are these officials part of the military? Law enforcement agency? Or just policy wonks that may or may not be getting briefed by someone with a clue?

The administration’s sudden urgency came after a new threat was delivered this week to desktop computers at Sony’s offices, warning that if “The Interview” was released on Dec. 25, “the world will be full of fear.”

Wait, so the Sony network is still entirely compromised weeks after it was publicly disclosed? That is an interesting angle, why haven’t we seen articles covering that? The company brought in to do forensics, are they losing this battle? Or did they mean the message was emailed to Sony employees, and the wording is confusing since the initial attack included actually replacing the desktop background on thousands of Sony desktops? Or was this a reference to the attackers posting that message on a public website (Pastebin)?

“Remember the 11th of September 2001,” it said. “We recommend you to keep yourself distant from the places at that time.”

This comes from the latest Pastebin post, since removed. I think that is the simple, logical explanation.

While intelligence officials have concluded that the cyberattack was both state-sponsored and far more destructive than any seen before on American soil, there are still differences of opinion over whether North Korea was aided by Sony insiders with knowledge of the company’s computer systems, senior administration officials said.

Wait a minute, the title is definitive, the U.S. says North Korea did it. Now even more unnamed officials say Sony insiders may have helped them? If you follow the whole “this is an act of war” nonsense, then any American Sony employee just committed treason, right? If it was a Japanese Sony employee, then Japan is in league with North Korea? I mean, we have to be careful on our rhetoric of war and blame, as these little comments can mean big things.

North Korea’s computer network has been notoriously difficult to infiltrate. But the National Security Agency began a major effort four years ago to penetrate the country’s computer operations, including its elite cyberteam, and to establish “implants” in the country’s networks that, like a radar system, would monitor the development of malware transmitted from the country.

So Newt Gingrich, Dave Aitel, and others are saying a North Korean attack on Japanese company Sony is an “act of war” against the U.S., but we openly admit that the U.S. government has been trying to penetrate North Korean computers for at least four years, and that isn’t an act of war? That doesn’t make sense. Either such intrusions are an act of war, or they aren’t. We can’t have this both ways.

It is hardly a foolproof system. Much of North Korea’s hacking is done from China. And while the attack on Sony used some commonly available cybertools, one intelligence official said, “this was of a sophistication that a year ago we would have said was beyond the North’s capabilities.”

So the definitive headline is now clouded by statements like these. We don’t know where the attacks originated, the tools were commonly available and had been seen in attacks years ago, but then the official says it is sophisticated? Not sure this ‘intelligence official’ has the same standards for the word ‘sophisticated’ as many in InfoSec.

But there is a long forensic trail involving the Sony hacking, several security researchers said. The attackers used readily available commercial tools to wipe data off Sony’s machines. They also borrowed tools and techniques that had been used in at least two previous attacks, one in Saudi Arabia two years ago — widely attributed to Iran — and another last year in South Korea aimed at banks and media companies.

Do we all know what a forensic trail is? This is a shaky list of circumstantial evidence at best. Given the use and history of the tools, making an assumption on who used it seems absurd.

But one of those servers, in Bolivia, had been used in limited cyberattacks on South Korean targets two years ago. That suggested that the same group or individuals might have been behind the Sony attack.

Again, do we not see how circumstantial this is? On one hand you claim the attackers are sophisticated, on the other you say they use a compromised computer for two years that would implicate them because of past attacks.

The Sony malware shares remarkable similarities with that used in attacks on South Korean banks and broadcasters last year. Those intrusions, which also destroyed data belonging to their victims, are believed to have been the work of a cybercriminal gang known as Dark Seoul. Some experts say they cannot rule out the possibility that the Sony attack was the work of a Dark Seoul copycat, the security researchers said.

Definitive headline, yet more doubt on who attacked Sony.

The Sony attack also borrowed a wiping tool from an attack two years ago at Saudi Aramco, the national oil company, where hackers wiped off data on 30,000 of the company’s computers, replacing it with an image of a burning American flag.

A public tool from two years ago, and this is influencing attribution? Investigators should be logical and skeptical. Actual evidence should be the guiding factor in their investigation and determining attribution.

Security experts were never able to track down those hackers, though United States officials have long said they believed the attacks emanated from Iran, using tools that are now on the black market.

So we couldn’t positively attribute the attack two years ago that used those tools, and now we want to use that tenuous link claiming it is some kind of ‘proof’ North Korea was involved? This makes no sense.

“It’s clear that they already had access to Sony’s network before the attack,” said Jaime Blasco, a researcher at AlienVault, a cybersecurity consulting firm.

I have given many a buzz-quote to the media, and I understand how they can be taken out of context. This is a great example. Blasco sounds like a total idiot, but I have a strong feeling he isn’t. What does this quote mean exactly? Getting access to Sony’s network requires an attack. Subsequent actions are part of that attack, or the fallout. Or does he mean “had access” in the context of a legitimate trusted employee? InfoSec people: be careful when giving buzz-quotes to journalists.

The cost of the assault was small: The attackers used readily available tools to steal data and then wipe it off Sony’s machines.

Once again, “readily available tools”, yet we are attributing this to a nation-state attack? Read between the lines and we have no real attribution at this point, at least not demonstrated by anyone. I doubt Mandiant is sharing their results with anyone publicly, leaving the rest of this to guess-work.

Representative Mike Rogers, the Michigan Republican who leads the House Intelligence Committee, said the hackers had “created a backdoor to Sony’s systems” that they repeatedly re-entered to send threatening messages to Sony employees.

Ya think? That is hacker 101 shit right there, Mr. Rogers. Sophisticated malware to allow such access has been around for more than 30 years, and is trivial to get from thousands of web sites.

The North Koreans have half-denied involvement, but have left open the possibility that the attacks were the “righteous deed of supporters and sympathizers.”

Well played North Korea.

All in all, we have an article with a definitive title, “citing” between one and dozens of unnamed officials, who may be guessing like most of the world, giving as much “evidence” that it wasn’t necessarily North Korea, and it is whipping up a frenzy that has politicians and InfoSec professionals calling this war. I’ve said it for a week, and I must say it again. How about we wait for actual evidence? A public report outlining all of the forensics available, that can be peer-reviewed to some capacity, before we go rattling our saber at a country that may not be involved. Sure, North Korea is wonky on their statements implying it was them, then “half-denying” it, whatever that means (curious no one ever links to these statements, or are these more “unnamed officials” from their government?).

Remember, North Korea is the same country that threatened the U.S. with a nuclear missile earlier this year. They like to rattle their saber at everyone, but it doesn’t mean they actually did anything. Taking their implications or half-denials as fact isn’t prudent. I am not saying North Korea wasn’t involved. I am simply saying that this speculative circle-jerk is not helping anyone, and only serves to cause headache and grief. Level-heads must prevail. If you feel the need to comment on the matter, make sure you are educated about what has happened the last 30 days, and then try to be a voice of reason in this ugly mess.

On the origins of the term ‘Hacktivism’…

This blog is not about debating the definition of Hacktivism; I will leave that to the academics and self-described hacktivists. This article is to clear up confusion on the origin of the term, and point out that Wikipedia’s handling of factual information is sketchy. Further, it will point out that the Cult of the Dead Cow (cDc) happily went along with the notion that they coined the term, when they did not. Even when it was clear that their own dates and stories didn’t line up, that didn’t dissuade them from keeping up appearances.

The Wikipedia entry on Hacktivism currently states that the term was coined by cDc:

The term was coined in 1996 by a Cult of the Dead Cow member known as “Omega”.[2] However, similar to its root word hack, hacktivism is an ambiguous term (computer hacking is tied to several meanings).

There is no other reference to the source of this term today. If you look back at the page on prior dates, that isn’t the case. On May 17, 2013 we see:

The term itself was coined by techno-culture writer Jason Sack in a piece about media artist Shu Lea Cheang published in InfoNation in 1995.

This line was added by ‘Orb Weaver’ on July 23, 2009 with this edit. It was deleted by ‘Pkinnaird’ on May 20, 2013 with this edit. The notes for the edit say:

(Removed references to destructive activities since they are well described in cyberterrorism article. Clarified that the word ‘hacktivism’ is contentious and removed most discussion of hacktivists as cyberterrorists since that is a separate notion.)

This looks like an innocent edit, removing a long list of ‘hacktivism’ incidents and changing it to a few short examples. However, in doing so, this effectively killed any reference to a prior source of the word. In short, this edit is very irresponsible. I would cite the purpose of Wikipedia and something along the lines of “factual”, but curiously enough that is not part of the mission statement. While you may quickly associate “develop educational content” with being factual, that is simply not the case. Look at the battle in the US over schools teaching evolution versus creationism. No matter which you believe in, the other safely becomes “developing educational content” as a valid argument.

The line about Omega of Cult of the Dead Cow was added on November 22, 2011 with this edit and a change message of “Term coined in 1994 by “Omega” of the Cult of the Dead Cow Hacker collective.” At the bottom of the page, the first reference is “Hacktivism and How It Got Here”, a Wired piece by Michelle Delio from July 14, 2004. Note that Delio is not known for quality journalism and was let go from Wired due to serious issues surrounding her sketchy sources and fabrications. From Delio’s article:

But no one called technology-enabled political activism “hacktivism” until 1998, when cDc members Omega, Reid Fleming and Ruffin were chatting online and were, Ruffin said, “bouncing some wacky ideas around about hacking and political liberation, mostly in the context of working with Chinese hackers post-Tiananmen Square.”
“The next morning Omega sent an e-mail to the cDc listserv and included for the first time the word hacktivism in the post,” Ruffin said. “Like most cDc inventions, it was used seriously and ironically at the same time — and when I saw it my head almost exploded.”

Interesting that Delio says it was coined by cDc in 1998, citing cDc member Oxblood Ruffin in her 2004 article, yet Wikipedia said 1994. In a different interview with Elinor Mills from 2012, Ruffin was quoted as saying it originated in 1996. The Wikipedia page has cited this source for most of the page’s history, but has changed years to mention 1994, 1996, and 1998. In most cases, Ruffin’s story is the same about the term originating in an email between cDc members, but he apparently has never provided a copy of this email to journalists or made it public. It is clear that Ruffin is not a reliable source on this and is likely doing it to subvert the media, a stated objective of cDc.

An Earlier Origin

As mentioned above, Wikipedia once attributed the term differently:

The term itself was coined by techno-culture writer Jason Sack in a piece about media artist Shu Lea Cheang published in InfoNation in 1995.

A couple of years ago I tried to reach out to Jason Sack to confirm this. My early attempts at reaching him did not work because the one email address I found was one he no longer used. Last year, Space Rogue reached out via a different email address and got a response. We both asked Sack if he could dig up the original article and send a copy. Since he only had a copy in print, it took a while to find it, scan it in, and send it to us. But he did. As suspected, and as the original sourcing in Wikipedia says, he uses the term ‘hacktivist’ in 1995 under the pen name ‘Jason Logan’. A year or three before cDc supposedly did. Courtesy of Jason, the cover of the InfoNation magazine along with scans of the article are available as a more definitive reference (click thumbnails below for full size). As the author of this blog, I cannot update Wikipedia to correct the errors in it due to a conflict of interest. Someone else out there will have to do it.

infonation-nov-1995-00  infonation-nov-1995-01  infonation-nov-1995-02  infonation-nov-1995-03  infonation-nov-1995-04

From the article:

Fresh Kill is described by Cheang herself as a work of eco-cybernoia. An environment in which the inability to access the media of change causes the uprising of low-fi activism and hacker mentality, or “hacktivism” if you will.

Quit volunteering my time.

Every week someone, or several people, think their 140 characters are worth me spending an hour+ writing an article for them. They noticed some plagiarized text or think someone is a fraud, and they turn around and expect me to research and document it. For years now, I get mail to Errata with a single link or a couple lines of commentary, along with the expectation that this is all that is needed. Voila! An article will magically appear. These days, I don’t even get an email, just a Tweet or two.

I’ve said it before, many times. I’ve given an entire presentation on the project twice. I’ve told people in person, in email, and on Twitter. For the last time:

Errata was designed to be a community project. That’s “crowd-sourced” for you new people. A couple people serve as a clearinghouse for well-written, well-documented articles. No names on the articles because if they are properly referenced then attribution is not an issue. Then the clearinghouse stands up to defend the work as needed. Simple concept.

If you are in the security industry and cannot write an Errata article, get the fuck out now. You are simply too stupid and too dangerous to be advising anyone on something as important as security. Sure, the articles take a little time because they have to be solid on making logical points, being organized, and citing public information that justifies any accusations or conclusions. But anyone who does penetration testing or auditing or system maintenance should be familiar with documentation along these lines. They are not difficult to write; they are time consuming.

If it bothers you that someone plagiarized or is selling snake oil, and it should, then take the time to write your own blog. Enough of us have stood up and defended our work. We’ve shown that you can do it, quite safely, if you are responsible in your work. If you still feel it is risky, write the article and send it over. Do the leg work, and we’ll provide the safety net.

Until you send such articles, don’t volunteer me to write them.

Your Favorite ‘News’ Site is Likely Just A Shitty Blog

Ten years ago, your favorite tech-centric site was an online news portal. Meaning, it was run by, edited by, and written by news professionals. Old school journalists and editors, brought up through the system we all know and expect. At some point, that changed for the (much) worse, and very few realize it.

If you relied on sites like C|Net or ZDNet for news, you used to get it. A story would break, a journalist would investigate. They would send emails, make phone calls, talk to sources, consult experts, and write it up. It would then be edited by one or more people with experience editing, a demanding and precise skill. That process would ensure that articles you read were reasonably researched, accurate, and generally contained no error the journalist was directly responsible for.

Just as print newspapers fell victim to technology, so did the digital news outlets that replaced them. Instead of a new technology, they fell victim to new uses of existing technology, including the dreaded social media. Why wait 24 hours for your favorite site to publish a 500-word article, when you can get 5,000 words written by 1,000 people in a matter of hours? Some of those words come from people you know and trust!

This caused the same cycle: do it cheaper and faster while calling it better. Online news outlets have not been able to monetize much beyond ad revenue. Subscription models never came around, so after all these years we still don’t pay for our news. That means fewer journalists, fewer editors, and cutting back the entire process that produced quality news. Investigative journalists are a dying breed. Most chase the low-hanging fruit: stories that write themselves and do not take research or follow-up. Quantity has become far more relevant than quality.

In keeping with that, the traditional editing process has been replaced. Journalists can update their site via their own blogs, which fit seamlessly into the ‘news’ site. A post-now, edit-later mentality dominates current sites, where “edit later” is a rare occurrence. Despite this tragic decline in journalistic standards, many of us would be fine with it if the journalists actually updated an article when required. However, that does not happen as it should.

Several months ago, all of the above was perfectly demonstrated by Charlie Osborne and Zack Whittaker at ZDNet. In an article titled “Hacker, Verizon duel over customer record claims”, the authors detail a data breach where Verizon allegedly had some 300,000 records of customers stolen by a hacker. The article was updated later the same evening, and again the next day to provide more information, but mostly speculation and he-said / she-said. The two updates, in conjunction with the original article, should make it clear to any journalist that something was suspect. The story and details changed enough in a 24 hour time period to make any skeptical person question the original source.

After the article was published, and before the final update, Space Rogue did his own research into the incident. He is known for being skeptical and cautious, something journalists were once known for. His research led him to write a blog titled “Anatomy of Hype” in which he debunked the ZDNet piece. During this time, he also tried to contact both the authors and the editors, providing them with information and perspective. Despite that, no further updates were posted, and the article remains as-is to this day.

This transition from legitimate news to glorified blogger has been slow but steady. It has been mostly transparent to readers, both casual and devoted. With this, it is absolutely critical that their readership be aware of the journalistic standards in place, or the lack thereof. Remember, these news sites are fundamentally no different than a shitty blog, except they enjoy a much bigger audience.

Errata Hits Puberty: 13 Years of Chagrin

I presented on the 13-year history of the Errata project at RVAsec, giving a behind-the-scenes look at the nightmares and headaches involved, both from the project and from the security industry. This presentation was updated slightly and given a month later at the Black Hat Briefings 2012 in Las Vegas.

The attrition.org Errata project has documented the shortcomings, hypocrisy, and disgraces of the information technology and security industries. For 13 years, we have acted as a watchdog and a reminder that industries that sell integrity should have it as well. The public face of Errata is very different from the process that leads to it. This presentation will give a unique insight into the history, process, and blowback that are cornerstones of the project. This will include statistics, how Errata has fallen short, how it can be improved, and where the project is going. Most importantly, it will cover how the industry can better help the project, both by staying off the pages of attrition.org and by contributing to it.

Videos of both are online and PPT / PDF available: