One of the people who attacked the NYT was former NSA hacker Dave Aitel, who runs a security company known as Immunity that was acquired by Cyxtera Technologies in January. Aitel said that the ransomware involved in the Baltimore attack was a strain known as RobinHood that had nothing to do with EternalBlue.
He had several other criticisms, too, all of which can be read here, including a very personal attack on the two journalists who wrote the story.
Are we going to talk about the elephant in the room?@daveaitel, if you’re going to blast a journalist for hype, then you should disclose your own conflicts of interest up front.— Chad Loder ✿ (@chadloder) May 29, 2019
You own a company in the exploit market that @nicoleperlroth has been asking hard questions about.
"Recently a misleading and terribly researched article by Nicole Perlroth and Shane Scott came out in the NYT which essentially blamed the NSA and EternalBlue for various ransomware attacks on American city governments, including Baltimore. This then ballooned to PBS and the BBC and a bunch of other places, all of which parroted its nonsense," Aitel wrote.
In a tweet, Loder told Aitel that if he was going to criticise a journalist for hype, then he should first disclose his own conflicts of interest.
"You own a company in the exploit market that @nicoleperlroth has been asking hard questions about," Loder added.
I’m not suggesting that private exploits are bad, nor that their markets or market participants are bad.— Chad Loder ✿ (@chadloder) May 29, 2019
Only this: clear conflicts of interest should be disclosed up front, especially if you are claiming hype.
Otherwise, folks read what we write and take it at face value.
Aitel's firm, Immunity, has a business model of discovering or buying exploits and then using that knowledge to protect his own customers. The exploits are never revealed to the companies whose software is affected, something that mirrors the practice of the NSA.
Loder added in another tweet: "I’m not suggesting that private exploits are bad, nor that their markets or market participants are bad. Only this: clear conflicts of interest should be disclosed up front, especially if you are claiming hype. Otherwise, folks read what we write and take it at face value."
To which well-known British security researcher Kevin Beaumont replied: "I mean if Dave is doing line by line analysis of inaccurate reporting on his blog, he might like to look at his blog post about MalwareTech creating WannaCry."
I mean if Dave is doing line by line by analysis of inaccurate reporting on his blog, he might like to look at his blog post about MalwareTech creating WannaCry ??— Kevin Beaumont (@GossiTheDog) May 29, 2019
What Beaumont referred to was covered by iTWire: Aitel had alleged that British security researcher Marcus Hutchins has a role in creating the WannaCry ransomware and then later indirectly recanted his claim after the US Government stated that North Korea was behind the malware.
iTWire contacted Aitel for comment, but he did not respond. However, this morning he put out a tweet that appeared to be relevant, stating: "The reason I respond to the issues around export control and exploits is because they speak to our fundamental rights, not because I have skin in the game, which I do not."
Most of the infosec dudes criticizing @nicoleperlroth's coverage have:— Chad Loder ✿ (@chadloder) May 29, 2019
1) Failed to disclose that they work in the private exploit market that she's raised critical questions about.
2) Ignored her male co-author, @ScottShaneNYT.
3) Been totally unbalanced in their critique. https://t.co/IjciiTDHuB
Meanwhile, Perlroth, who wrote a long Twitter thread defending the article she had authored along with Shane Scott, did not do her own reputation much good by lifting three paragraphs from an iTWire article and tweeting them (shown below) without any attribution.
These were quotes from ex-NSA hacker Jake Williams, a frequent commentator in these columns, and appeared to buttress the claims that Perlroth had made in the NYT article.
iTWire contacted Perlroth asking why she had lifted material and not attributed it to the source, but she did not respond.
After this was pointed out, Perlroth later finally linked to the source.