Next month, thousands of hackers will travel to Las Vegas, and hundreds of journalists are going to follow them. The adversarial relationship between hackers and the press has existed for years, but there are ways to navigate the playing field and strike a balance.
The idea for this post came from two places: Twitter and a blog post by Violet Blue over at Rapid7. The Rapid7 post has a lot of great advice for Black Hat and dealing with the media on a corporate level. It's a smart post, and it's something you should read either before or after reading this article. I'd also like to point out two additional sources from Uli Ries and The Grugq.
For the hackers:
Not everyone in the media is your enemy, but – and be real clear about this – they're not your friends either.
They're working stiffs, and like you they have a job with demands, unique pressures, and stress. For you, hacking is a way of life – it's who you are. That mindset is the same for journalists.
Granted, there's nothing wrong with having friends in the media; in fact, it's helpful at times. But there needs to be a level of trust in that relationship, and trust is earned – even among friends.
With that said, you should know the difference between a few different media types.
Most of the bad press given to hackers or hacking-related events can be blamed on a lack of understanding. Journalists are generalists for the most part, and cover a bit of everything.
So a technology journalist has to cover the latest iPhone release and follow that with a story on the latest Sony hack. Yet the most they'll know about the topic is that Sony was hacked, they created the PlayStation, and hacking Sony is bad. Generalists will generally do a good job covering the basics of a given story or topic. But that's it.
Some journalists have assigned coverage areas, such as security. But that means they have to be generalists in security. So they'll cover a new appliance release, the Sony hack, and the latest Ponemon survey all in the same day.
Does that make them an expert at all things InfoSec? No, and it would be impossible for that to happen anyway. Journalists operate on deadlines, so they rarely have the luxury of becoming masters of a given InfoSec topic.
There are exceptions to these rules, and there are journalists out there who have experience in the fields they cover, but you'll know them when you see them – trust me, they'll stand out.
Bloggers are media too. Some don't agree with that statement, so there is debate around this subject. All the same, for the sake of dealing with the media you should treat bloggers wearing a press badge the same way you would a journalist at a major network or newspaper. When it comes to classifying them, some bloggers will have focus areas and others will be technology generalists.
So now that the types of media are defined, here are a few notes on dealing with the media.
Research:
When approached at a conference by a journalist, if you're the least bit unsure, politely decline the on-the-spot interview and ask that they follow up with you. If you don't want to share your contact details, ask for their business card.
But – even if it is to decline the interview – make sure you follow up with the journalist.
The reason you decline on-the-spot interviews is so you can learn more about the journalist, the publication they write for, and more about their style of writing. Do they have a technical background? If not, can they grasp basic technical concepts, or will you have to explain everything? Are they someone you'd feel comfortable interviewing with?
If the interview request comes via email and you're comfortable talking with the journalist, have the entire conversation via email so that you have a record of the questions and answers.
Interview settings:
On-the-Record: Everything you say can and will be used against you... or rather it will be used in the story. Everything. Imagine all that you say printed with quotes next to your picture. This is on-the-record.
Off-the-Record: Nothing you say will be attributed to you or used in a story. It's off limits.
However, you cannot say something to a journalist and then immediately claim it was off the record. It doesn't work that way. At the start of the interview, the rules of the conversation need to be defined.
It's been said repeatedly, so I'll say it too:
There is no such thing as off the record. It doesn't exist. Assume all things are on the record, at all times.
I deal with this topic among friends by operating under Chatham House Rule (the information can be used, but no identifying information is allowed). This is similar to on background.
On Background: I can print what you say, but I cannot attribute it to you. Odds are a journalist will not use background quotes or details unless they can verify it with a source on the record, but that isn't always the case. Again, define the terms of the interview before it starts.
No attribution: Sometimes people will ask a journalist for this. It's likely you've seen it used before.
If a story states that "sources in the administration / close to the investigation / familiar with the matter" have said something - those sources all requested that their statements not be attributed in most cases. You can request this too, but don't expect it to happen.
There are rules in journalism, and each news organization has their own rules and ethics considerations. It's important that you understand the basics. While the list above is a solid start, read the NYU Journalism Handbook for more information.
Interview traps:
Silence: You're asked an open-ended question, and the journalist sits silent after your answer.
Most people will keep talking, and that can lead to problems. If silence is used and you've given a full and complete answer – stop speaking. If the silence continues, feel free to ask the journalist to ask their next question, or you can end the interview.
Paraphrasing: This is where misquotes come from. The journalist will paraphrase what you've said and ask "is that correct?"
If you agree, that's now your quote.
So make sure they are clear on your answers and have quoted you correctly. If the interview is via email, you can prevent many of the problems associated with paraphrasing.
Crime associations: If the question is related to something a criminal does and the journalist uses the term hacker as a generic description – remember to clarify.
A hacker didn't breach the OPM, JPMorgan, Home Depot, or Anthem – a criminal or a group of criminals did.
For Journalists:
Hackers are not criminals:
If someone compromised a network and took credit card data – generalizing them as a hacker often happens due to style and editorial calls.
However, when dealing with the hacker community, make sure you realize that (a) most hackers you'll meet are law-abiding individuals who like to learn, share what they've learned, and help others; and (b) someone claiming to be a hacker who then commits a crime is a criminal – nothing more, nothing less.
Learn about the person being interviewed and what drives them:
Try to understand what makes a hacker tick, and what drives them to tinker with code or develop new processes and technology. Once you have a basic understanding of the hacker mindset, you'll find it easier to interact with them and avoid passive scorn or outright hostility.
Learn to leave the past in the past when it comes to dealing with a hacker:
What they did ten years ago isn't related to what they're doing now. Would you like to be constantly reminded of your mistakes?
Hackers who have moved on from their past deserve to be judged by their present actions and work alone; give them that courtesy. However, if they are doing something questionable, you're obligated to call them out for it, provided you understand what's going on and there is something questionable happening.
Badges:
Always, when working a con, make sure that your press credentials are visible. Attempting to hide the fact you're press from hackers is a bad idea and will guarantee that your access is revoked.
Somewhat related, never take video or pictures of hackers (alone or in groups) unless you've obtained permission. This is a privacy concern, and not something related to a criminal conspiracy.
Names and Handles:
Hackers have handles; this is how they are known to the world and rarely will they use the name given to them at birth.
When it comes to interviewing a hacker, be prepared to identify them by their handle alone. One of the main reasons hackers use handles over regular names is for privacy. Moreover, some hackers only go by their handle; so for all intents and purposes the handle is their regular name.
Attempting to pressure them for a birth name will rarely result in a positive outcome, and threatening to withhold coverage of a story because of a name only hurts you – not the hacker.
If your organization has a policy on names, and the story is significant, it might be worth asking for an exception to the rule. Finally, citing the hacker by their handle in your story will convey a level of respect that most hackers have never experienced outside of the hacking community, and for that respect to come from the media means the gesture holds additional meaning.
[Hackers: Understand that some news organizations have a policy that pseudonyms are not allowed, so handles can't be put into print. The journalist isn't at fault when it comes to such policies, and rarely will they have the power to change existing editorial rules. Also, if your handle is in any way NSFW, it cannot be printed in most cases. Lying to the media is a bad idea, but if you're so inclined, you're not the first person to give the press a made-up first and last name – you're not going to be the last either.]
Sometimes, there's nothing you can do:
Remember, some hackers are just going to despise you because you're part of the media and nothing is going to change their minds.
The following page contains a series of questions taken from Twitter. Salted Hash would like to thank the following for their help: @jessysaurusrex @oscaron @Viss @ClipperChip @pukingmonkey