A guide to journalists interviewing infosec specialists and hackers

Over the last few weeks a lot of drama has appeared with the whole WannaCry situation.

Luckily for us, a killswitch was found and used.

The killswitch was found by a security professional that is known by the handle “@MalwareTechLab” on twitter.

Unfortunately, what followed for him as a reward for helping the entire world with this was the following:

Dear journalists, this is NOT OK or even acceptable.

Having personally been interviewed before on infosec topics, seeing what happened in this situation and having been misquoted multiple times by newspapers (vs. them priting what I actually said during interviews), I though about writing a small set of rules that I believe would be nice if journalists followed when interviewing people in our industry.

1 — Ask us how we like to be addressed publicly.

Nicknames might seem silly, but we use them for multiple reasons. Maybe all of my research was published under my handle instead of my real life name, and therefore I prefer being addressed by that handle so that when people “google” for me find my research easier.

Or maybe, the person you’re interviewing just stopped one of the biggest ransomwares ever known in the last 5 years, which took a lot of time for some criminal institution to build and therefore he doesn’t want to expose real life information as to not endanger himself or others around him.

If the person says they want to be identified by their handle, don’t try to be sneaky and go around finding real life information to publish.

2 — Have a secure way to comunicate with the person/group you’re interviewing.

Infosec is hard, we get it, we do it everyday. Unfortunately, regulation/legislation about some of the things we do are sometimes in gray area. Have a way to communicate with your interviewee. Learn about Signal, Tor, OTR. It’s not super hard stuff and will make some of us a lot more confortable talking sometimes.

3 — Have a way to receive anonymous information securely.

Go to https://securedrop.org/ and learn about it, then setup one for you/your organization. They have an excellent guide for journalists — https://docs.securedrop.org/en/stable/journalist.html

4 — Vet the people you’re interviewing.

We get it, you want to publish as soon as possible and put that article out there to get it to the eyes of people before everyone else, but infosec is an industry with so, so, so, so many branches. There isn’t a single person that is an expert in all the topics. So make sure you’re talking to the person who is an expert on the topic you’re writing about. If you don’t know, ask. We’re a pretty cool community in terms of re-directing people to the right experts.

5 — Don’t misquote.

When we say things a certain ways, if we’re talking about technical work, words matter. If say exploit in one sentence and implant in another, it’s because there is a difference. Example:

@balgan: “Hacker groups started by using the doublepulsar implant, and that led to us noticing on our scans that there was a lot of machines with port 445 open and with services that were possible vulnerable to the exploit ETERNALBLUE”

What the journalist wrote: “Hacker groups used the exploits doublepulsar and eternalblue to attack machines massively”

Again, this is not ok.

6 — Allow us to review.

We want you to write the best article you possibly can. We have a lot to gain from it and so do you. So please, before publishing allow us to give a quick read and review. If you don’t want to show the entire article, please at least allow us to review our quotes within context.

I think these are the basic rules that, if followed, could make being interviewed a lot more pleasing for both sides.

Hope it helps the interactions between journalists and infosec.