Bad Journalism – Fear Mongering for hits

October 19, 2014 at 1:23 pm Leave a comment

Recently there have been a number of high profile security issues.  Heartbleed, ShellShock, and POODLE have all hit in 2014.

I must say that I like the fact that these significant security vulnerabilities are getting these hip nick-names in the media.  That means that more and more people who are less technical are going to hear about the issues.

It also means there is going to be bad journalism.  Get everyone up in arms about the latest threat, real or imagined.

Today, I ran across this really bad article:

Here’s the sub-title:

We took a hacker to a café and, in 20 minutes, he knew where everyone else was born, what schools they attended, and the last five things they googled.

Exaggerate much?  This is complete hyperbole.

How can I be sure?  Because just about every major site has gone to SSL by default.  Don’t believe me?  Go to in another tab.  You’ll see that you’re redirected to an SSL page, and you’ll have the familiar lock icon visible somewhere in your browser bar.  Even social sites like facebook have gone to SSL by default.

What does that prove?

Well, if this hacker really did have a way to get by SSL encryption so easily, without giving the victims any warning at all, then any reporter worth their salt would publish the details, as that would be a HUGE story.  On-line shopping wouldn’t be secure.  Stock trading, or any other financial transactions would be completely open to prying eyes.  And it would matter if it were at a cafe, or from the comfort of your home, you could still be victimized.

But, conveniently, this author included almost no details at all.
How is this hacker able to overcome SSL encryption?  I’d guess the answer is via a man-in-the-middle attack, whereby it presents it’s own SSL certificate and proxies the requests to the real website.  If that is the case, the end-user’s browser would warn the user that security may be compromised.  If the journalist clicked through that warning it was not mentioned in the article.  That’s a detail that should not have been glossed over, as it makes things seem far worse than reality.

I can see the possibility that random people would click through an SSL warning without thought, but the fact that there was a warning is not something that should have been skipped.  If there was no warning, that would be a story.

I suspect that the journalist who wrote this is not terribly technical.  I’ll not assume that he understands exactly what is happening and has chosen to leave out key details to get more page clicks.  For that matter, perhaps the original author had those details included, but some editor cut them out to “add more sizzle”.

Publications who wish to have any authority on matters of Internet security should get someone who is technically competent to do their reporting.  That doesn’t mean that they need to be a programmer or networking expert, but someone who understands cryptography and is aware of how security works.  Chances are good that the typical journalist is no more equipped to report on security than the people who blindly click through those SSL warning messages.

This article makes it sound like the hacker had to do nothing more than sit in the path of the traffic and he could get everything, encrypted or not.  If SSL is so easy to bypass, we should all be very worried about the people who work at ISPs, as they could easily do the same thing, but not with the 10–20 people at a cafe, but to tens of thousands of people.  ISPs generally have several large circuits that connect to their provider.  All it would take is a laptop running wireshark plugged into a mirrored port, and all that data could be captured, to be later decrypted with the magic “decryption software” the author mentions at the end of paragraph 1 under the Session 3 heading.


Entry filed under: Networking. Tags: .

TDBank – The best daily-use credit card offer I’ve seen! The Key to Budgeting

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

Trackback this post  |  Subscribe to the comments via RSS Feed


October 2014
« Sep   Nov »

Most Recent Posts

%d bloggers like this: