Information Security News mailing list archives

Re: Newsbytes hack tries to embarrass The Register


From: InfoSec News <isn () c4i org>
Date: Wed, 22 Aug 2001 05:12:58 -0500 (CDT)

Forwarded from: Brian McWilliams <bmcw () mediaone net>

http://www.pc-radio.com/response.htm

[Refer to the version on the Web since it contains numerous 
hyperlinked pages.  - WK]


Statement in response to an article
about me by Thomas C. Greene

In an on-line story dated August 17, 2001, Thomas C. Greene, a
reporter for The Register, published a vicious attack against me and
Newsbytes, an on-line news service for which I am a regular freelance
contributor.

The title of Greene's article was Newsbytes hack tries to embarrass
The Register.

Greene gave me no opportunity to respond to his critique as part of
his article and instead ambushed me, as he apparently does with many
of his subjects. Thus I am posting my own response here at my personal
Web site.

Greene's article apparently was triggered by a story I did August 14
entitled CyberCops Accused of Sloppy Police Work.

Here is the lead paragraph of my article, to give you an idea what it
was about:

"A company that aims to protect on-line merchants against credit card
thieves is doing more harm than good, according to three firms
recently pilloried by CardCops.com."

If you read my story after seeing Greene's attack, you may be
surprised to learn that the Register isn't mentioned until the seventh
paragraph, and Greene's name doesn't come up at all. While my story
does quote the three merchants who refute CardCops' claims that they
were hacked, the piece contains no direct criticism whatsoever of the
Register, except for this sentence:

"Representatives of the three companies contend that the article, and
CardCops' report, are factually incorrect."

For some reason this statement, attributed to the companies, prompted
Greene into a tirade against me. In his August 17 story, he labels me
a "twinkie" and "Newsbytes copy drone," and calls Newsbytes a
"tech-news repeater."

According to Greene, my story was a "would-be exposé challenging our
accuracy."

I have been trying to understand why Greene, who claims his
journalistic trademark is skepticism, would go so ballistic when a
veteran reporter (my brief bio is here) takes a different approach to
covering the same story.

I am no psychologist, but there appear to be several possible
background details that might explain Greene's seemingly unprovoked
and malevolent attack on Newsbytes and on me.

1. Greene is feeling insecure. While he has earned a loyal following
among Reg readers and is respected by many in the IT business, Greene
has publicly stumbled in some recent articles. In June, Greene was
forced to retract an article about on-line eavesdropping after readers
pointed out that one of his main sources lied to him. Earlier this
month, the editor of an influential mailing list said that an article
by Greene incorrectly concluded that the new FBI director lied to
Congress. So maybe Greene's unnecessarily mean-spirited attack on
Newsbytes and me was motivated by his desire to prevent his reputation
from eroding further.

2. Greene is vindictive. In July, after one of Greene's colleagues at
the Reg repeatedly and egregiously plagiarized my articles, I e-mailed
the Reg's editors to complain. (I did not notify my editors or
publishers at the time about these infractions but was instead hoping
that the plagiarist and his editors would gracefully accede to my
request that they desist.)  The Reg editor replied, "We don't deny
[name deleted] had read your stories, you certainly filed before him
... It was just the case that the odd expression stuck in his head as
he hurried to file."

I don't know if Greene was aware of my plagiarism charge against the
Reg, but his editors certainly knew about it when they were deciding
whether to run his rant about me on August 17. So maybe his vicious
attack was a way of retaliating on behalf of El Reg, as the editors
like to call the site.  Either way, makes you wonder who really is the
"tech-news repeater" in this business.

3. Greene can dish it but he can't take it. As I noted above, Greene
prides himself on his hard-nosed, take-no-prisoners reporting style.
But he appears to bristle mightily when others are skeptical about his
observations or conclusions.

Last month, he was challenged by several people on InfoSec News (ISN),
a security e-mail list to which we both subscribe. He had just
published an article criticizing eEye Digital Security for publishing
details on the vulnerability in IIS that led to the Code Red Worm.

When I pointed out on the list that he was being hypocritical, since
he published a link in another story to a program that exploits the
IIS hole (unlike eEye, which never published an exploit), Greene
replied:

"i don't think it's at all hypocritical ... the most important issue
here is the fact that i have no conflict of interest when i link to an
exploit.  i'm not selling solutions to it."

Soon thereafter, another list participant took issue with Greene's
explanation by writing:

"Imagination and `literary license' are not excuses for shoddy
reporting, finger pointing, and utterly overlooking the large
implications of the concepts supported by journos."

After this, Greene went silent on the issue. Although we haven't met
personally and he appears unaware of my work, maybe his attack on
Newsbytes and me was provoked in part by this recent, if brief,
history between us.

4. Greene can't resist ad hominem attacks. In the ISN discussion over
his story about eEye's role in the Code Red Worm, Greene said he
detests "twinkies." When I asked him on the list to define what he
meant, Greene wrote this:

"They're gullible, and ambitious, and well-groomed, and they don't
expect people to lie to them. they went to schools like my alma mater
(Williams), but they imagined their professors were all wonderful
people, and cherish their diplomas.  they can read and digest
difficult text, and re-cap it on command; they've learned to follow
complex instructions, meet deadlines with pluck, and go about things
in a 'professional' manner -- that is, without reluctance, personal
flair or (Heaven forbid) independent moral reasoning. They lack
imagination, talent, and most of all, courage. And they make me sick."

It's unfortunate that an unhappy college experience apparently still
colors Greene's outlook on life and other people. But I am not a
"twinkie," even by his definition (aside perhaps from the grooming
part, which doesn't seem real significant). After I broke stories
about events that made them look bad, plenty of big players in the
industry -- including Microsoft, America Online, Real Networks, and
Dell Computer -- have turned their wrath on me.  Greene has no
monopoly on "courage."

Later, in the same ISN thread, Greene dismissed eEye's Marc Maiffret,
an important figure in the security scene, this way: "He seems to do
an awful lot of writing in haste, and sounds progressively more
defensive and paranoid as time goes by. i just wonder -- assuming he's
half the genius he thinks he is -- why he can't mount a simple,
effective argument in defence of his actions."

If I were half the genius Thomas C. Greene thinks he is, I would have
written those two sentences to describe Greene. Or at least
plagiarized them.

Despite Greene's elevated perception of his work, there are numerous
other journalists on the computer security beat who carry as much if
not more of the water than he does. They write for publications and
services such as AP, Computerworld, InternetNews.com, MSNBC.com,
Newsbytes, News.com, Reuters, the Wall Street Journal, and Wired News.
And although their writing may not have as much swagger or
self-congratulatory bravado as Greene's, they break news all the time
as fairly and shrewdly as they can.

Brian S. McWilliams -- August 21, 2001



At 08:23 AM 8/17/01, you wrote:
http://www.theregister.co.uk/content/6/21094.html

By Thomas C Greene in Washington
Posted: 17/08/2001 at 11:20 GMT

The Washington Post's tech-news repeater Newsbytes has implied that we
were talking bollocks when we revealed several credit card hacks in a
recent story entitled "Hacking IIS -- how sweet it is"
http://www.theregister.co.uk/content/4/20960.html

In that piece we claimed -- on the basis of something called evidence
-- that StrawberryNet.com http://secure.strawberrynet.com; mWave.com
http://direct.mwave.com; and Stic.net http://www.stic.net had been
hacked by means of the IIS folder traversal vulnerability
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS00-078.asp.

In hopes of catching us with our trousers down, Newsbytes copy drone
Brian McWilliams hastily ran up a little would-be exposé
http://www.newsbytes.com/news/01/169018.html challenging our accuracy
on the strength of his conversations with the victim companies, all of
whom predictably denied being hacked.

Of course we've seen the victims of CC hacks deny it endlessly in the
face of withering evidence, as Egghead did
http://www.theregister.co.uk/content/archive/18547.html, and as Amazon
did http://www.theregister.co.uk/content/archive/17387.html. We
consider it an occupational hazard.

In this case Newsbytes dutifully rang the managers of the victimized
companies and allowed them to claim that they have no knowledge of a
hack. This, of course, is less than conducive to solid newsgathering;
there's often a sort of 'selective ignorance' at play in such
circumstances, we've found.

And get this: Newsbytes performed a "scan" of some sort which
indicated, to McWilliams' satisfaction, that none of the sites in
question was vulnerable.

"A scan performed by Newsbytes today revealed that none of the three
firms are (sic) currently vulnerable to the exploit which enabled
variants of the Code Red Worm to infect thousands of Web sites,"
McWilliams writes.

Perhaps McWilliams doesn't understand that Code Red exploits the .ida
buffer overflow vulnerability, not the IIS folder traversal
vulnerability, which we claimed had been used against the sites in
question. A minor detail, perhaps, depending on the power of that
"scan" he claims to have performed.

We, on the other hand, ran the standard folder traversal exploit on
all the sites, and found, at press time, that two had since patched
against it, while one remained wide open, though it did manage to get
itself patched within four hours of our story's appearance.

We didn't mention it at the time because we knew the system was open
and didn't want that tiny minority of our beloved readers whom we
don't fully trust to screw them. But since it's now fixed, we'll tell
you that it was mWave, and that we had a nice look at the contents of
their C drive, and managed to call cmd.exe to boot.

As for Strawberrynet, we reckon they'd prefer that we don't ring their
customers, whose names, addresses, phone numbers, credit card numbers
and expiration dates we've seen, to confirm that they've made
purchases there. But if Brian McWilliams insists, we'll just have to,
we suppose, in spite of the alarm it might cause them. Of course that
would be a terrible embarrassment for the company, so prudence demands
that we only go as far as McWilliams pushes us.

And as for Stic.net, we've seen their customer accounts, and we know
how much their staff earn. We'd hate like hell to have to publish that
data, so we hope for their sake that Brian McWilliams won't force our
hand. Of course we'll do whatever we must to demonstrate our veracity.

"For them (The Reg?) to blaspheme us and put our customers at risk
like that, well, this old boy and I can go out behind the barn real
easy," said David Robertson, president of Stic.net, to Newsbytes'
McWilliams.

Yeah, we spoke with Robertson too, and he was falling all over himself
denying the hack, ringing us every hour on the hour for a time. We've
since learned that he's owned the hack, and even apologized to
CardCops, the organization which first brought his troubles to our
attention.

He's become immensely harder for us to contact since then. For a guy
who seemed to have our phone number memorized, he's gone suspiciously
quiet of late. He's since neglected to answer our e-mail and our phone
calls.

But he'll talk to twinkie journos who have absolutely no evidence with
which to refute him -- or us, for that matter.




-
ISN is currently hosted by Attrition.org
