Password Leak Analysis
The media is more interested in information security than ever. Professionals in the field see themselves confronted with the public spotlight. It’s time to have a critical look at the machinery that is the media and develop guidelines on how to use that system for mutual benefit as well as preventing damage to reputation. To achieve a cooperation between the media and professionals in information security, we can apply knowledge we gained during projects relying on social engineering to ensure that both the media and information security will have a good day and a great story in the end.
Information security becomes steadily more important in our society. This means that it becomes more important for the media, as the media mirrors society’s focuses. Therefore, people working in information security become more important because they’re the ones to dispense expert knowledge to society via media.
This situation is new, at least to the extent that things like Heartbleed become headlines for days. Both media and IT security professionals are confronted with a new reality.
Of course, being sought after means free publicity for an information security company. It’s also rather nice because you get public recognition for the work you do. Who doesn’t like that? The problem is this: The media won’t coddle information security professionals or any kind of professional, really. They’re unforgiving, hopefully not because of malevolence but because of ignorance. Remember that part about not having expert knowledge but a broad understanding?
Therefore, appearance in media is a rather risky business. In this article, we seek to prevent damage to your reputation by media before it can happen.
In this article, we’re going to deal with daily media, such as online outlets and newspapers. Most of these guidelines can be applied to monthlies or annuals as well, but it’s the daily media that is the most risky because interviewers and interviewees have very little time to prepare and work on an article.
It’s a well-known fact that daily news are not necessarily equal to daily news. Even though all media will claim to be unbiased at one time or another, there are plenty of very obvious biases not just in the minds of reporters but also on an editorial level. As such, nobody will be able to present a solid and fairly treated left-wing opinion in a right-wing publication without either being misinterpreted or ripped to pieces by readers. Or: It’s impossible to adequately represent a whitehat hacker in a publication that sees all hackers as a threat. The only person to stand his ground and come out on top in recent times is professor and theologist Reza Aslan on right-wing conservative TV channel Fox News in what will probably go down as one of the worst interviews in TV history.
It is incredibly rare that this can and will happen. Journalists work with words. They’re brilliant at that. Add a bias to that ability and an interviewee is suddenly faced with an incredibly powerful and malevolent opponent. Somewhat infamous for this is the aforementioned news outlet Fox News, one of the most opinionated channels out there that does not shy away from lying to its own audience about its own reporting as well as the facts in order to maintain its bias. Fox News will be serving as an example for reporting with bias in this article due to the fact that Fox News’ bias is blatantly obvious.
It is absolutely vital to understand these biases, even if they mirror your own worldview. Every news outlet has them. If they claim to not have them, assume that they lie. Watch a day of any news channel and you will be aware of the biases. Never forget those.
Press releases used to be a very powerful, quick and convenient way to get information out to news outlets. At some point, public relations professionals discovered the medium for themselves. Thus, every new product got its own press release, praising it to the high heavens as the next best thing. Media caught on after a while and so most press releases land in the bin, unread.
PR professionals caught on to that as well. So press releases became more sensationalistic, where a simple light bulb was the first, the best, the most high-tech as well as all kinds of superlatives. This is where we are currently at as a society. The press release is a glorified advertisement full of often-unwarranted hyperbole. They are also sent out every time a CEO has lunch with someone or a product is 2.4 percent more efficient. So they’re incredibly frequent, clogging inboxes of journalists everywhere.
As such, when someone in information security writes a press release, it either needs to be hyperbolic or the risk that it won’t be read is incredibly high.
A recent example of what was presumably a press release plus journalistic hyperbole would be the case of Chris Roberts of OneWorldLabs and his claim to be able to take airplanes out of the sky by hacking into the plane’s entertainment system, causing Val Smith of Attack Research to write a scathing article about Stunt Hacking that was widely discussed in the information security community. By this, Roberts’ reputation was called into question.
Looking at the article that sparked all the controversy, we discover, looking past the main quote that says that planes can be taken out of the sky, that Roberts says the following:
Quite simply put, we can theorize on how to turn the engines off at 35,000 feet and not have any of those damn flashing lights go off in the cockpit.
He can theorize. Not that he’s done it or that he’s able to. He can theorize. It’s that one word that prevents Fox News from outright lying to its audience, while the rest of the article paints a picture of people with laptops making planes drop like flies. And of course, there are terrorists involved as Fox News’ right-conservative bias screams for the comparison.
The Fox News story was picked up by other media outlets. It’s an open secret that media copies media. If an outlet writes about something and it gains even a modicum of traction as well as mainstream appeal, other news outlets will copy that story.
It’s down to the first story that sets the tone and level of sensationalism of the story that will go around the world.
In information security, stories are often relying heavily on details and nuances. Just because the in-flight entertainment systems are vulnerable to attacks that would escalate privileges does not necessarily mean that planes will start raining from the sky. Or that terrorists will use the attack tomorrow. This is where IT security research and journalistic hyperbole clash.
As researchers, the question we must ask ourselves here is: Do we want an outlet like Fox News to handle our story first?
A press release would most definitely go to Fox News as well. They might pick it up first and set an unfortunate precedent without your input. This, in and of itself, is a theoretical risk that can easily be mitigated.
Sometimes, off-the-record statements in interviews are necessary, be it to explain something you or your company will do in the future or how some complicated internal structure is made up. Either way, it is vital for the journalist so that he or she understands your current statements or actions, but they’re not for public ears. When that happens, do mention that this statement is off the record before speaking it and mention why. It is even better, though, to not mention it at all.
When a journalist calls or comes by, most of the time, you know the topic of discussion and why you’re being interviewed. So prepare.
Write all this down, answering the following questions regarding the topic as quickly as possible:
Put it on letterhead paper and you have something to hand to the journalists of your choice.
It is vital to control the story for as long as possible. Once it’s been published, that’s it. It is, however, impossible to dictate what a journalist has to write, which is why a cooperation between journalist and researcher should be achieved. In order to do that, a researcher needs a confidante at a newspaper: someone whom he can trust to publish the story with journalistic hyperbole while retaining the core truths. This can be more than one person, because the word exclusive doesn’t carry as much weight anymore as it used to.
In order to find said journalists, read technology blogs and newspaper segments. Do this for a while and note the names of the authors who have written articles that you personally liked.
Then contact the outlet or the journalist. Do not speak to intermediaries. If a story is good enough, a journalist will take some time to listen to you, your story and your idea where this should go.
Journalists know a lot. They’re among the most versatile and flexible people when it comes to knowledge and connecting these bits of knowledge. However, they sometimes lack a deep and detailed knowledge. This is why they consult experts to begin with.
In order to not be misquoted or have false information that got lost in translation slip into the article, ask to proofread the article and that it’s not to be published without your consent. This is accepted practice in journalism. In fact, in technical matters, it’s also in the best interest of the journalist to have the article proofed. But you will have to ask for it specifically.
It is extremely rare that a journalist will offer to let you proofread the article you’re in. You have a right to at least read your quotes, but insist on wanting the context as well, promising to not meddle with the overall tone of the article unless it is based on falsehoods.
Once you get to proof the article, do not change the tone or the core message of it unless it is based on false information. That is not for you to do. You can try, but you’ll rarely, if ever, succeed, and this leads to a very frustrated journalist who will probably never call you again for anything.
This will take time. So make sure that you have the time to proofread the article you’re being sent by the journalist pretty much immediately. Schedule your day so that you can just drop what you are currently doing to proofread. Journalists are busy people, probably more busy than most would imagine. They also operate on a strict deadline that cannot be moved, no matter how hard you might want to try.
When a journalist interviews you, it’s a reasonable assumption that there will be a picture taken of you. You might love your Ninja Pirate Riding a Zombie Unicorn shirt dearly, but it is not media appropriate.
In late 2014, the European Space Agency (ESA) successfully landed a probe on comet 67P/Churyumov–Gerasimenko and collected data from there. This was a huge day. But it will probably be best remembered for Dr. Matt Taylor and his unfortunate choice in wardrobe.
Matt Taylor’s shirt depicted scantily clad women with firearms. This caused media uproar.
These are just some of the headlines that could have been avoided by a simple white shirt. Matt Taylor went on the air because he wanted to tell the world about how he and his team are the first people in human history to collect data from a comet, not to apologise for his taste in fashion. The problem is that no journalist will ever tell you to put on something different.
Here’s a standard outfit for media appearances that makes you look neither stuffy and old nor like you just crawled out of a dank basement. This is supposed to be a general purpose outfit baseline that is designed to make you look as unassuming and unspectacular as possible. Of course, when faced with a prestigious newspaper, dress above the suggestions and if a hacker mag calls, underdress.
Wear that outfit until you feel comfortable in it. After you’ve washed it, keep that outfit at the office or wear a variant thereof daily. When media appears, hop into the outfit and you can rest assured that you won’t take away from the story you want to tell. This outfit is designed to be an understatement. The most interesting thing about the story you tell to a journalist should always be the story. Not your company and not your outfit. Of course, you will be judged based on your outfit, which is why the outfit above is aimed at giving potential attackers as little as possible.
This, by the way, should reflect also in your answers. You as a person or as a company are not the star of the story unless explicitly stated. You’re a source of information about a story. Respect that.
Sidenote: Resist the urge to wear t-shirts with phrases like “I read your e-mail” on them. They make you look not like a hacker, but like a complete dork.
Journalists are not inherently evil beings wanting to destroy you and your company. They simply lack the knowledge. So be kind. Be nice and understanding. Laugh. Smile. Offer coffee. Because if there’s one thing that journalism and IT have in common, then it’s the addiction to coffee that is bordering on the unhealthy.
To summarize, here’s a printable guideline for your successful and as risk-free as possible media appearance.