18.05.17, by Sohaib Ahmed
Reporting on cyber security issues is difficult. It’s technical, it’s fast moving, there’s very little verified information, and there are hundreds of opinions all offering the same angle.
So I have some sympathy with the mainstream press when a big issue hits, like WannaCry.
Having worked with security clients for a number of years, over a wide range of sectors, we’re used to the industry, people, and processes involved. But it’s fair to say that the mainstream press is not.
One of the most alarming angles from WannaCry was the doxxing of the security researcher who found a way to stop the rampant ransomware.
I can understand it from the media’s point of view – an anonymous security researcher discovers a way to render a multinational ransomware campaign harmless. Naturally you’d want to know who they are. But it’s not that simple.
Some security researchers have to be careful with how much information they put out – they’re at the front line of stopping scams, some of which can be incredibly lucrative for the fraudsters running them. WannaCry raised around £30k in bitcoin from people paying the ransom. If you stopped someone from being able to earn that amount of money, you can imagine they’d be unhappy. Though it is worth noting that WannaCry didn’t actually generate as much revenue as you’d expect a scam of this size to.
Now factor in that these fraudsters clearly don’t care about the law or harming/intimindating people and you can see why security researchers need to take precautions.
There was no way to identify the researcher from their blog, from Twitter, from the information on the web – this is clearly a person who wants their privacy. Which is why it’s disappointing to see the extremes to which the press went to find out the researcher’s identity. This included doorstepping friends and neighbours, people who even feature in the same photo as the researcher.
And this is especially galling when you see the resulting articles. The Next Web makes a number of good points about the coverage – belittling the researcher’s setup and very profession. Needless details were given, such as the researcher’s age, photos of them with their friends, and their location.
I’m left with the feeling that it’s irresponsible journalism, with nothing more in mind than a desperate race for clicks. There was no need to reveal that information about the researcher, and certainly not in that way.
And irony abounds. One of the journalists who wrote a piece unmasking the researcher has now locked their Twitter account.
Security issues will continue to be big news – that’s the reality of the world we live in today. So the media needs to learn how to cover these stories properly, or else alienate the security industry it relies upon to inform stories.