
18.05.17, by Sohaib Ahmed

Reporting on cybersecurity issues is difficult. It’s technical, it’s fast-moving, there’s very little verified information, and there are hundreds of opinions all offering the same angle.

So I have some sympathy with the mainstream press when a big issue hits, like WannaCry.

Having worked with security clients for several years, we’re used to the industry, people and processes involved. But it’s fair to say that the mainstream press is not.

One of the most alarming angles from WannaCry is the doxxing of the security researcher who found a way to stop it.

I can understand it from the media’s point of view – an anonymous security researcher discovers a way to render a multinational ransomware campaign harmless. Naturally, you’d want to know who they are. But it’s not that simple.

Some security researchers have to be careful with how much information they put out. They are at the front line of stopping scams, some of which can be incredibly lucrative for the fraudsters running them. WannaCry raised around £30k in bitcoin from people paying the ransom. If you stopped someone from being able to earn that amount of money, you can imagine they’d be unhappy. Though it is worth noting that WannaCry didn’t generate as much revenue as you’d expect a scam of this size to.

Now factor in that these fraudsters don’t care about the law or harming/intimidating people and you can see why security researchers need to take precautions.

There was no way to identify the researcher from their blog, from Twitter, from the information on the web – this is a person who wants their privacy. Which is why it’s disappointing to see the extremes to which the press went to find out the researcher’s identity. This included doorstepping friends and neighbours, people who even feature in the same photo as the researcher.

And this is especially galling when you see the resulting articles. The Next Web makes several good points about the coverage – belittling the researcher’s setup and very profession. Needless details were provided, such as the researcher’s age, photos of them with their friends and their location.

I’m left with the feeling that it’s irresponsible journalism, with nothing more in mind than a desperate race for clicks. There was no need to reveal that information about the researcher, and certainly not in that way.

And irony abounds. One of the journalists who wrote a piece unmasking the researcher has now locked their Twitter account.

Security issues will continue to be big news – that’s the reality of the world we live in today. So the media needs to learn how to cover these stories properly, or else alienate the security industry it relies upon to inform stories.