Re: [ISN] Newsbytes hack tries to embarrass The Register

From: InfoSec News (isnat_private)
Date: Wed Aug 22 2001 - 03:12:58 PDT

  • Next message: InfoSec News: "[ISN] Protocol used for 802.11b standard is not strong enough for information at official use only security status, expert says"

    Forwarded from: Brian McWilliams <bmcwat_private>
    
    http://www.pc-radio.com/response.htm
    
    [Refer to the version on the Web since it contains numerous 
    hyperlinked pages.  - WK]
    
    
    Statement in response to an article
    about me by Thomas C. Greene
    
    In an on-line story dated August 17, 2001, Thomas C. Greene, a
    reporter for The Register, published a vicious attack against me and
    Newsbytes, an on-line news service for which I am a regular freelance
    contributor.
    
    The title of Greene's article was Newsbytes hack tries to embarrass
    The Register.
    
    Greene gave me no opportunity to respond to his critique as part of
    his article and instead ambushed me, as he apparently does with many
    of his subjects. Thus I am posting my own response here at my personal
    Web site.
    
    Greene's article apparently was triggered by a story I did August 14
    entitled CyberCops Accused of Sloppy Police Work.
    
    Here is the lead paragraph of my article, to give you an idea what it
    was about:
    
    "A company that aims to protect on-line merchants against credit card
    thieves is doing more harm than good, according to three firms
    recently pilloried by CardCops.com."
    
    If you read my story after seeing Greene's attack, you may be
    surprised to learn that the Register isn't mentioned until the seventh
    paragraph, and Greene's name doesn't come up at all. While my story
    does quote the three merchants who refute CardCops' claims that they
    were hacked, the piece contains no direct criticism whatsoever of the
    Register, except for this sentence:
    
    "Representatives of the three companies contend that the article, and
    CardCops' report, are factually incorrect."
    
    For some reason this statement, attributed to the companies, prompted
    Greene into a tirade against me. In his August 17 story, he labels me
    a "twinkie" and "Newsbytes copy drone," and calls Newsbytes a
    "tech-news repeater."
    
    According to Greene, my story was a "would-be exposé challenging our
    accuracy."
    
    I have been trying to understand why Greene, who claims his
    journalistic trademark is skepticism, would go so ballistic when a
    veteran reporter (my brief bio is here) takes a different approach to
    covering the same story.
    
    I am no psychologist, but there appear to be several possible
    background details that might explain Greene's seemingly unprovoked
    and malevolent attack on Newsbytes and on me.
    
    1. Greene is feeling insecure. While he has earned a loyal following
    among Reg readers and is respected by many in the IT business, Greene
    has publicly stumbled in some recent articles. In June, Greene was
    forced to retract an article about on-line eavesdropping after readers
    pointed out that one of his main sources lied to him. Earlier this
    month, the editor of an influential mailing list said that an article
    by Greene incorrectly concluded that the new FBI director lied to
    Congress. So maybe Greene's unnecessarily mean-spirited attack on
    Newsbytes and me was motivated by his desire to prevent his reputation
    from eroding further.
    
    2. Greene is vindictive. In July, after one of Greene's colleagues at
    the Reg repeatedly and egregiously plagiarized my articles, I e-mailed
    the Reg's editors to complain. (I did not notify my editors or
    publishers at the time about these infractions but was instead hoping
    that the plagiarist and his editors would gracefully accede to my
    request that they desist.)  The Reg editor replied, "We don't deny
    [name deleted] had read your stories, you certainly filed before him
    ... It was just the case that the odd expression stuck in his head as
    he hurried to file."
    
    I don't know if Greene was aware of my plagiarism charge against the
    Reg, but his editors certainly knew about it when they were deciding
    whether to run his rant about me on August 17. So maybe his vicious
    attack was a way of retaliating on behalf of El Reg, as the editors
    like to call the site.  Either way, makes you wonder who really is the
    "tech-news repeater" in this business.
    
    3. Greene can dish it but he can't take it. As I noted above, Greene
    prides himself on his hard-nosed, take-no-prisoners reporting style.
    But he appears to bristle mightily when others are skeptical about his
    observations or conclusions.
    
    Last month, he was challenged by several people on InfoSec News (ISN),
    a security e-mail list to which we both subscribe. He had just
    published an article criticizing eEye Digital Security for publishing
    details on the vulnerability in IIS that led to the Code Red Worm.
    
    When I pointed out on the list that he was being hypocritical, since
    he published a link in another story to a program that exploits the
    IIS hole (unlike eEye, which never published an exploit), Greene
    replied:
    
    "i don't think it's at all hypocritical ... the most important issue
    here is the fact that i have no conflict of interest when i link to an
    exploit.  i'm not selling solutions to it."
    
    Soon thereafter, another list participant took issue with Greene's
    explanation by writing:
    
    "Imagination and `literary license' are not excuses for shoddy
    reporting, finger pointing, and utterly overlooking the large
    implications of the concepts supported by journos."
    
    After this, Greene went silent on the issue. Although we haven't met
    personally and he appears unaware of my work, maybe his attack on
    Newsbytes and me was provoked in part by this recent, if brief,
    history between us.
    
    4. Greene can't resist ad hominen attacks. In the ISN discussion over
    his story about eEye's role in the Code Red Worm, Greene said he
    detests "twinkies." When I asked him on the list to define what he
    meant, Greene wrote this:
    
    "They're gullibile, and ambitious, and well-groomed, and they don't
    expect people to lie to them. they went to schools like my alma mater
    (Williams), but they imagined their professors were all wonderful
    people, and cherish their diplomas.  they can read and digest
    difficult text, and re-cap it on command; they've learned to follow
    complex instructions, meet deadlines with pluck, and go about things
    in a 'professional' manner -- that is, without reluctance, personal
    flair or (Heaven forbid) independent moral reasoning. They lack
    imagination, talent, and most of all, courage. And they make me sick."
    
    It's unfortunate that an unhappy college experience apparently still
    colors Greene's outlook on life and other people. But I am not a
    "twinkie," even by his definition (aside perhaps from the grooming
    part, which doesn't seem real significant). After I broke stories
    about events that made them look bad, plenty of big players in the
    industry -- including Microsoft, America Online, Real Networks, and
    Dell Computer -- have turned their wrath on me.  Greene has no
    monopoly on "courage."
    
    Later, in the same ISN thread, Greene dismissed eEye's Marc Maiffret,
    an important figure in the security scene, this way: "He seems to do
    an awful lot of writing in haste, and sounds progressively more
    defensive and paranoid as time goes by. i just wonder -- assuming he's
    half the genius he thinks he is -- why he can't mount a simple,
    effective argument in defence of his actions."
    
    If I were half the genius Thomas C. Greene thinks he is, I would have
    written those two sentences to describe Greene. Or at least
    plagiarized them.
    
    Despite Greene's elevated perception of his work, there are numerous
    other journalists on the computer security beat who carry as much if
    not more of the water than he does. They write for publications and
    services such as AP, Computerworld, InternetNews.com. MSNBC.com,
    Newsbytes, News.com, Reuters, the Wall Street Journal, and Wired News.
    And although their writing may not have as much swagger or
    self-congratulatory bravado as Greene's, they break news all the time
    as fairly and shrewdly as they can.
    
    Brian S. McWilliams -- August 21, 2001
    
    
    
    At 08:23 AM 8/17/01, you wrote:
    >http://www.theregister.co.uk/content/6/21094.html
    >
    >By Thomas C Greene in Washington
    >Posted: 17/08/2001 at 11:20 GMT
    >
    >The Washington Post's tech-news repeater Newsbytes has implied that we
    >were talking bollocks when we revealed several credit card hacks in a
    >recent story entitled Hacking IIS -- how sweet it is"
    >http://www.theregister.co.uk/content/4/20960.html
    >
    >In that piece we claimed -- on the basis of something called evidence
    >-- that StrawberryNet.com http://secure.strawberrynet.com; mWave.com
    >http://direct.mwave.com; and Stic.net http://www.stic.net had been
    >hacked by means of the IIS folder traversal vulnerability
    >http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/
    >bulletin/MS00-078.asp.
    >
    >In hopes of catching us with our trousers down, Newsbytes copy drone
    >Brian McWilliams hastily ran up a little would-be exposé
    >http://www.newsbytes.com/news/01/169018.html challenging our accuracy
    >on the strength of his conversations with the victim companies, all of
    >whom predictably denied being hacked.
    >
    >Of course we've seen the victims of CC hacks deny it endlessly in the
    >face of withering evidence, as Egghead did
    >http://www.theregister.co.uk/content/archive/18547.html, and as Amazon
    >did http://www.theregister.co.uk/content/archive/17387.html. We
    >consider it an occupational hazard.
    >
    >In this case Newsbytes dutifully rang the managers of the victimized
    >companies and allowed them to claim that they have no knowledge of a
    >hack. This, of course, is less than conducive to solid newsgathering;
    >there's often a sort of 'selective ignorance' at play in such
    >circumstances, we've found.
    >
    >And get this: Newsbytes performed a "scan" of some sort which
    >indicated, to McWilliams' satisfaction, that none of the sites in
    >question was vulnerable.
    >
    >"A scan performed by Newsbytes today revealed that none of the three
    >firms are (sic) currently vulnerable to the exploit which enabled
    >variants of the Code Red Worm to infect thousands of Web sites,"
    >McWilliams writes.
    >
    >Perhaps McWilliams doesn't understand that Code Red exploits the .ida
    >buffer overflow vulnerability, not the IIS folder traversal
    >vulnerability, which we claimed had been used against the sites in
    >question. A minor detail, perhaps, depending on the power of that
    >"scan" he claims to have performed.
    >
    >We, on the other hand, ran the standard folder traversal exploit on
    >all the sites, and found, at press time, that two had since patched
    >against it, while one remained wide open, though it did manage to get
    >itself patched within four hours of our story's appearance.
    >
    >We didn't mention it at the time because we knew the system was open
    >and didn't want that tiny minority of our beloved readers whom we
    >don't fully trust to screw them. But since it's now fixed, we'll tell
    >you that it was mWave, and that we had a nice look at the contents of
    >their C drive, and managed to call cmd.exe to boot.
    >
    >As for Strawberrynet, we reckon they'd prefer that we don't ring their
    >customers, whose names, addresses, phone numbers, credit card numbers
    >and expiration dates we've seen, to confirm that they've made
    >purchases there. But if Brian McWilliams insists, we'll just have to,
    >we suppose, in spite of the alarm it might cause them. Of course that
    >would be a terrible embarrassment for the company, so prudence demands
    >that we only go as far as McWilliams pushes us.
    >
    >And as for Stic.net, we've seen their customer accounts, and we know
    >how much their staff earn. We'd hate like hell to have to publish that
    >data, so we hope for their sake that Brian McWilliams won't force our
    >hand. Of course we'll do whatever we must to demonstrate our veracity.
    >
    >"For them (The Reg?) to blaspheme us and put our customers at risk
    >like that, well, this old boy and I can go out behind the barn real
    >easy," said David Robertson, president of Stic.net," to Newsbytes'
    >McWilliams.
    >
    >Yeah, we spoke with Robertson too, and he was falling all over himself
    >denying the hack, ringing us every hour on the hour for a time. We've
    >since learned that he's owned the hack, and even apologized to
    >CardCops, the organization which first brought his troubles to our
    >attention.
    >
    >He's become immensely harder for us to contact since then. For a guy
    >who seemed to have our phone number memorized, he's gone suspiciously
    >quiet of late. He's since neglected to answer our e-mail and our phone
    >calls.
    >
    >But he'll talk to twinkie journos who have absolutely no evidence with
    >which to refute him -- or us, for that matter.
    
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.
    



    This archive was generated by hypermail 2b30 : Wed Aug 22 2001 - 05:31:03 PDT