The phrase "Never send a boy to do a man's job" often comes to mind when a computer story hits the mainstream news. The idiom refers to neither age nor gender; it simply means: don't send someone unqualified to do a job they will inevitably fail at.
This came to mind, specifically, with regard to the recent WikiLeaks data dump.
Steven M. Bellovin, a computer science professor at Columbia University, blogged about his annoyance with the press coverage. Specifically, he cited The New York Times and The Wall Street Journal for merely repeating the WikiLeaks claim that the leaked software lets the CIA "bypass the encryption" employed by many secure communication apps. He wrote:
Both uncritically accepted the premise: that there's something wrong with these encryption apps. Nothing could be farther from the truth. Rather, the existence of these hacking tools is a testimonial to the strength of the encryption.
Interestingly, after Bellovin wrote his blog, the paragraph that he cited in the New York Times story was rewritten. A more recent article in the Times walked this back as far as possible, saying:
Some technical experts pointed out ... there was no evidence that the agency could break the encryption that many phone and messaging apps use.
Update: As I was writing this, Ryan Gallagher of The Intercept tweeted this:
Talked w/ source in Asia today reluctant to use Signal after reading ill-informed #Vault7 coverage. Sloppy reporting putting people at risk.
and this:
Source cited initial inept NYT reporting, widely circulated, which wrongly implied Signal somehow compromised. That piece did damage.
The CIA leaks showed what techies would have expected. Since the encryption used for communication is strong, the obvious attack for any spy organization is against the underlying operating system.
There are millions of stories in the press about software for encrypted communications. How many of them point out that unless the operating system is secure, all bets are off? Not many; you would have to actually understand computers to write that.
CPU MMU HACKING
Recently the design of modern CPUs was abused using JavaScript to bypass Address Space Layout Randomization (ASLR). The details on this involve the Memory Management Unit of the processor and are extremely technical in nature.
Since so very few people could actually understand the issue, it makes an interesting test case. Personally, I could only follow part of the issue; while I am familiar with page tables, I have never dealt with the inner workings of CPU caching.
On the February 21st edition of his Security Now podcast, Steve Gibson called out four articles in the tech press (this was way beyond the mainstream media) for inaccurate reporting:
... one's headline was "A Chip Flaw Strips Away a Key Hacking Safeguard for Millions of Devices." Uh, no. It has nothing to do with a chip flaw. These guys have figured out how to very cleverly leverage a fundamental operational characteristic of all modern processor architectures ... Another one wrote "New ASLR-Busting JavaScript Is About to Make Drive-by Exploits Much Nastier." Uh, no. It doesn't make them nastier, it makes them significantly more possible and likely. Someone else ... was "JavaScript Breaks ASLR on 22 CPU Architectures." Uh, no. It breaks it on all contemporary CPU architectures. In one of the papers they did, they applied some of their research to 22 different CPU architectures, but that's all the ones they had around ... And, finally, "A Simple JavaScript Exploit Bypasses ASLR Protections on 22 CPU Architectures." ... There's nothing whatsoever simple about this.
The articles were from Wired, Ars Technica, Bleeping Computer and the Hacker News.
This was no one-time thing; Gibson has often chided the media for misrepresenting technical issues.
A January article in The Guardian, "WhatsApp backdoor allows snooping on encrypted messages," was perhaps the highest-profile instance of misreporting. Experts came out of the woodwork proclaiming that there was no backdoor.
Eventually, The Guardian changed the title, referring to the issue as a "vulnerability" rather than a "backdoor," but they never retracted the article, despite its being debunked many times over.
Zeynep Tufekci, an assistant professor at the University of North Carolina, wrote that "the level of irresponsibility and ignorance ... was breathtaking." Perhaps most importantly, Tufekci argued that the false reporting caused people to switch to less secure apps, something that could have serious consequences.
Her critique, signed by 71 security experts, includes this:
The behavior described in your article is not a backdoor in WhatsApp. .... [it] is a measured tradeoff that poses a remote threat in return for real benefits that help keep users secure .... If you had contacted independent security researchers, many of whom, including the EFF, have written pieces calling your story irresponsible, they could have explained the issue to you and suggested how to report it responsibly. Your story notably lacks quotes, responses, or explanations by security experts ... I recommend retracting the story, issuing an apology, and publicizing the fact that the attack is very hard, [and] the threat is tiny ...
Taking a step back, all the apps in question run on Android, yet no one points out that Android hardly ever gets bug fixes, making it a poor, if not the worst, operating system for truly secure communication.
WHAT'S A ROUTER?
Back in November, Bloomberg reported that Apple was no longer in the router business. I read the story with little interest, until I ran across this sentence:
Routers are access points that connect laptops, iPhones and other devices to the web without a cable.
That one sentence contains three mistakes. More importantly, it shows that the reporter does not actually know what a router is.
Later that day, in a follow-up video, a different Bloomberg reporter said "Amazon built routers into some of its echo type devices," which isn't even close to being true.
Two Bloomberg reporters, both reporting on routers, and neither knows what they are.
Finally, a personal note.
I have subscribed to Consumer Reports magazine for more than 20 years. Their November 2016 issue focused on protecting your privacy. One of the articles in that issue, "66 Ways to Protect Your Privacy Right Now," had a section on router security, a favorite topic of mine.
The instructions for updating a router start off with "Find an Ethernet cable," which is, indeed, a good idea. But that was followed with this:
Then use it to temporarily connect the router to your computer. You’ll be updating your router’s firmware. And losing your connection during that process could turn your router into a doorstop.
There is no way that losing the connection between a router and a computer is going to turn a router into a doorstop. The danger comes into play only when a router loses power while a firmware update is in-flight. It has nothing to do with any connected computers.
As with The Guardian, this article was clearly not reviewed by actual experts. This upset me so that I decided then and there to let my subscription lapse.
Interestingly, this is one of the few articles the magazine makes freely available on their website. I checked it today, and the last update date is February 21, 2017. The paragraph above still hasn't changed, so no regrets on the subscription.
Too often, the media sends a boy to do a man's job.
UPDATE. March 13, 2017.
A good article on this subject was published today by Nicholas Weaver, "How Wikileaks Hacked the Media." Focused specifically on the recent Wikileaks release of CIA documents, it concludes that "... the press needs to understand the real story: they were the ones hacked." Quoting Mr. Weaver:
By dumping a massive amount of data at once, Wikileaks simply overwhelmed the press and ensured that reporters couldn’t process the data. ... everybody suddenly had a copy of the data and an immediate pressing urge to report something. A few reporters, notably Ellen Nakashima at the Washington Post, did it right ... But most other reporting on the leak proved abominably bad ... in the hurry to get articles out, they simply trusted Wikileaks' "analysis" of the documents, which was deliberately deceptive and required expertise to uncover.
- - - - - - - - -
FEEDBACK
Now that Computerworld, and all of parent company IDG's websites, have eliminated user comments, you can get in touch with me privately by email at my full name at Gmail. Public comments can be directed to me on Twitter at @defensivecomput