The #Skyfall Hoax — Has The Infosec Space Lost Its Sense Of Humor?
The cybersecurity space has always been able to laugh at itself. In the early days of the space, trolling was pretty much part of the culture, and it still is. This is the part of the infosec space that people love to hate, but it's also where the hacking talent in our space lives and plays.
Take your work and sec seriously, but not yourself.
Hacker culture never did take itself seriously, still doesn't, and it delights in poking fun at those people who do. The community also likes to mock those who rush out a tweet thread and a blog post every time there is a cybersecurity trend or story worth giving a take on.
Part of our community loves poking fun at almost anything, and so when the cybersecurity space began to fall in love with the idea of custom logos, websites and brand names for vulnerability alerts, the trend was naturally mocked as 'marketing', a dirty word in some parts.
The custom logo and website trend for vulnerability disclosures was started by the Graz University of Technology and their Meltdown attack website. But I love Graz as a place and the people there are awesome, so I am not about to mock them for their clearly valuable contributions.
The Skyfall & Solace Hoax
It wasn't really much of a hoax. Level-headed commentators pointed out that a random website was the only source, and the more connected ones pointed out that the chipmakers they know (who were allegedly embargoing the vulnerabilities) knew nothing about these new vulnerabilities.
But that doesn’t mean nobody was fooled, or that the infosec space did not immediately whip itself into a froth about the new vulnerabilities.
Infosec Twitter burst into action and furiously began tweeting #Skyfall and #Solace commentary, spreading the website link far and wide.
Clearly a fair-sized chunk of the infosec space was taken in by this hoax: some far enough to begin drafting blog posts covering the new vulnerabilities, others by tweeting and sharing the link to it on social media.
For a while it looked and felt like a real vulnerability disclosure, long enough to fool some before others started questioning it. Almost as quickly as it had started, Twitter commentators began deleting their #Skyfall hashtag tweets as it became more and more apparent that the whole thing was a hoax.
As more and more commentators tweeted about how they were not fooled by the hoax, many more of them silently deleted their #Skyfall tweets and kicked themselves for being so easily taken in by such an obvious troll.
What Was The Hoax All About?
I think it was just a good old-fashioned troll. It was somebody with a cynical sense of humor out there having a laugh at the expense of those who take themselves seriously. It was a mocking attempt to fool those who really should know better into spreading disinformation that came from a single source.
The creator of the site later claimed that the hoax was a social experiment to highlight the point that infosec commentators would whip themselves up into a froth about any vulnerability if it had a cool name, domain and logo.
I don't believe it; I still think it was a troll doing what a troll does best. He was just a little more motivated than your everyday Twitter troll, enough to register a domain, SSL it and create a mini site around the hoax.
For sure, brand names and logos give the media and social commentators something to write and tweet furiously about, a name that the public can engage with (as opposed to, say, CVE-2017-5753). But those brand names aren't really for the people who actually deal with these vulnerabilities in the real world, people used to dealing with things like CVE-2017-5715.
The brand names, websites and the logos are there to feed the cybersecurity hype train, to give the media something to write about and to give everyone who loves tweeting about such things a proper hashtag to tweet it with.
The whole hoax was poking fun at the sort of people who take vulnerability brand names seriously, whilst ignoring the fact that those who actually do know about these vulnerabilities do not care one bit what they are called.
The Sniffy Infosec Reaction
Most people chuckled to themselves and went on with their day. No blue team actually spent any time dealing with these new vulnerabilities, because there was nothing to deal with and no real information to go on to begin with.
But that didn't stop some well-known internet commentators from responding with attacks on the hoax, dismissing it as childish attention seeking. I personally thought Rob's article was a bit whiny; the person behind the hoax clearly gets it enough to be satirical about it.
Others dismissed it as 'lies and more lies', which is amusing because that is the whole point of the hoax: it was supposed to be a lie that would eventually be exposed for what it was. I can't help but think that Rob, and Richard in his blog post, were at least a little bit taken in by it at first.
Ultimately I think Gossi had the most insightful comment. He made the point that a hoax getting hundreds of thousands of hits, press coverage and analyst briefings indicated a severe lack of calm analysis. He is right too: most infosec pundits fall over themselves to rush out tweets and blog posts on new vulnerabilities, and only a handful are usually worth reading.
The hoax hit a nerve for sure, and it generated a lot of coverage and chatter in the process. Not bad for ten minutes' worth of work setting it up.
But the whole affair raises the question.
Has the infosec space lost its sense of humor?