Security Market Segment LS
Friday, 31 May 2019 09:31

Immunity's Aitel accused of conflict of interest by security expert

Immunity's Aitel accused of conflict of interest by security expert Image by Gerd Altmann from Pixabay

The row between information security professionals and The New York Times, over an article it ran recently, claiming that a ransomware attack on local government offices in Baltimore, Maryland, was carried out through the use of a leaked NSA exploit known as EternalBlue, has moved in a different direction, with some of the infosec people themselves coming under attack – from their peers.

One of the people who attacked the NYT was former NSA hacker Dave Aitel, who runs a security company known as Immunity that was acquired by Cyxtera Technologies in January. Aitel said that the ransomware involved in the Baltimore attack was a strain known as RobinHood that had nothing to do with EternalBlue.

He had several other criticisms, too, all of which can be read here, including a very personal attack on the two journalists who wrote the story.

"Recently a misleading and terribly researched article by Nicole Perlroth and Shane Scott came out in the NYT which essentially blamed the NSA and EternalBlue for various ransomware attacks on American city governments, including Baltimore. This then ballooned to PBS and the BBC and a bunch of other places, all of which parroted its nonsense," Aitel wrote.

Aitel has now come under attack from security industry pioneer Chad Loder, the founder and chief executive of Haibut8, a security awareness training firm.

In a tweet, Loder told Aitel that if he was going to criticise a journalist for hype, then he should first disclose his own conflicts of interest.

"You own a company in the exploit market that @nicoleperlroth has been asking hard questions about," Loder added.

Aitel's firm, Immunity, has a business model of discovering or buying exploits and then using that knowledge to protect his own customers. The exploits are never revealed to the companies whose software is affected, something that mirrors the practice of the NSA.

Loder added in another tweet: "I’m not suggesting that private exploits are bad, nor that their markets or market participants are bad. Only this: clear conflicts of interest should be disclosed up front, especially if you are claiming hype. Otherwise, folks read what we write and take it at face value."

To which well-known British security researcher Kevin Beaumont replied: "I mean if Dave is doing line by line analysis of inaccurate reporting on his blog, he might like to look at his blog post about MalwareTech creating WannaCry."

What Beaumont referred to was covered by iTWire: Aitel had alleged that British security researcher Marcus Hutchins has a role in creating the WannaCry ransomware and then later indirectly recanted his claim after the US Government stated that North Korea was behind the malware.

iTWire contacted Aitel for comment, but he did not respond. However, this morning he put out a tweet that appeared to be relevant, stating: "The reason I respond to the issues around export control and exploits is because they speak to our fundamental rights, not because I have skin in the game, which I do not."

Meanwhile, Perlroth, who wrote a long Twitter thread defending the article she had authored along with Shane Scott, did not do her own reputation much good by lifting three paragraphs from an iTWire article and tweeting them (shown below) without any attribution.

These were quotes from ex-NSA hacker Jake Williams, a frequent commentator in these columns, and appeared to buttress the claims that Perlroth had made in the NYT article.

iTWire contacted Perlroth asking why she had lifted material and not attributed it to the source, but she did not respond.

Update, 2 June: Perlroth contacted the writer on Twitter and put out a tweet on 1 June, attributing the material to this writer, but neglected to mention the source – this article.

After this was pointed out, Perlroth later finally linked to the source.


26-27 February 2020 | Hilton Brisbane

Connecting the region’s leading data analytics professionals to drive and inspire your future strategy

Leading the data analytics division has never been easy, but now the challenge is on to remain ahead of the competition and reap the massive rewards as a strategic executive.

Do you want to leverage data governance as an enabler?Are you working at driving AI/ML implementation?

Want to stay abreast of data privacy and AI ethics requirements? Are you working hard to push predictive analytics to the limits?

With so much to keep on top of in such a rapidly changing technology space, collaboration is key to success. You don't need to struggle alone, network and share your struggles as well as your tips for success at CDAO Brisbane.

Discover how your peers have tackled the very same issues you face daily. Network with over 140 of your peers and hear from the leading professionals in your industry. Leverage this community of data and analytics enthusiasts to advance your strategy to the next level.

Download the Agenda to find out more


Sam Varghese

website statistics

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.



Recent Comments