Next month, thousands of hackers will travel to Las Vegas, and hundreds of journalists are going to follow them. The adversarial relationship between hackers and the press has existed for years, but there are ways to navigate the playing field and strike a balance.
The idea for this post came from two places: Twitter and a blog post by Violet Blue over at Rapid7. The Rapid7 post has a lot of great advice for Black Hat and dealing with the media on a corporate level. It's a smart post, and it's something you should read either before or after reading this article. I'd also like to point out two additional sources from Uli Ries and The Grugq.
For the hackers:
Not everyone in the media is your enemy, but – and be real clear about this – they're not your friends either.
They're working stiffs, and like you they have a job with demands, unique pressures, and stress. For you, hacking is a way of life – it's who you are. That mindset is the same for journalists.
Granted, there's nothing wrong with having friends in the media, in fact it's helpful at times, but there needs to be a level of trust that exists in that relationship and trust is earned – even among friends.
With that said, you should know the difference between a few different media types.
Most of the bad press given to hackers or hacking related events can be blamed on a lack of understanding. Journalists are generalists for the most part, and cover a bit of everything.
So for a technology journalist, they have to cover the latest iPhone release and follow that with a story on the latest Sony hack. Yet, the most they'll know about the topic is that Sony was hacked, they created the PlayStation, and hacking Sony is bad. Generalists will generally do a good job covering the basics of a given story or topic. But that's it.
Some journalists have assigned coverage areas, such as security. But that means they have to be generalists in security. So they'll cover a new appliance release, the Sony hack, and the latest Ponemon survey all in the same day.
Does that make them an expert at all things InfoSec? No, and it would be impossible for that to happen anyway. Journalists operate on deadlines, so they rarely have the luxury of becoming masters of a given InfoSec topic.
There are exceptions to these rules, and there are journalists out there that have experience in the fields they cover, but you'll know them when you see them - trust me, they'll stand out.
Bloggers are media too. Some don't agree with that statement, so there is debate around this subject. All the same, for the sake of dealing with the media you should treat bloggers wearing a press badge the same way you would a journalist at a major network or newspaper. When it comes to classifying them, some bloggers will have focus areas and others will be technology generalists.
So now that the types of media are defined, here are a few notes on dealing with the media.
When approached at a conference by a journalist, if you're the least bit unsure, politely decline the on-the-spot interview and ask that they follow up with you. If you don't want to share your contact details, ask for their business card.
But - even if it is to decline the interview – make sure you follow up with the journalist.
The reason you decline on-the-spot interviews is so you can learn more about the journalist, the publication they write for, and more about their style of writing. Do they have a technical background? If not, can they grasp basic technical concepts, or will you have to explain everything? Are they someone you'd feel comfortable interviewing with?
If the interview request comes via email and you're comfortable talking with the journalist, have the entire conversation via email so that you have a record of the questions and answers.
On-the-Record: Everything you say can and will be used against you... or rather it will be used in the story. Everything. Imagine all that you say printed with quotes next to your picture. This is on-the-record.
Off-the-Record: Nothing you say will be attributed to you or used in a story. It's off limits.
However, you cannot say something to a journalist and then immediately claim it was off the record. It doesn't work that way. At the start of the interview, the rules of the conversation need to be defined.
It's been said repeatedly, so I'll say it too:
There is no such thing as off the record. It doesn't exist. Assume all things are on the record, at all times.
I deal with this topic among friends by operating under Chatham House Rule (the information can be used, but no identifying information is allowed). This is similar to on background.
On Background: I can print what you say, but I cannot attribute it to you. Odds are a journalist will not use background quotes or details unless they can verify it with a source on the record, but that isn't always the case. Again, define the terms of the interview before it starts.
No attribution: Sometimes people will ask a journalist for this. It's likely you've seen it used before.
If a story states that "sources in the administration / close to the investigation / familiar with the matter" have said something - those sources all requested that their statements not be attributed in most cases. You can request this too, but don't expect it to happen.
There are rules in journalism, and each news organization has their own rules and ethics considerations. It's important that you understand the basics. While the list above is a solid start, read the NYU Journalism Handbook for more information.
Silence: You're asked an open-ended question, and the journalist sits silent after your answer.
Most people will keep talking, and that can lead to problems. If silence is used and you've given a full and complete answer – stop speaking. If the silence continues, feel free to ask the journalist to ask their next question, or you can end the interview.
Paraphrasing: This is where misquotes come from. The journalist will paraphrase what you've said and ask "is that correct?"
If you agree, that's now your quote.
So make sure they are clear on your answers and have quoted you correctly. If the interview is via email, you can prevent many of the problems associated with paraphrasing.
Crime associations: If the question is related to something a criminal does and the journalist uses the term hacker as a generic description – remember to clarify.
A hacker didn't breach the OPM, JPMorgan, Home Depot, or Anthem – a criminal or a group of criminals did.
Hackers are not criminals:
If someone compromised a network and took credit card data – generalizing them as a hacker often happens due to style and editorial calls.
However, when dealing with the hacker community, make sure you realize that (a) most hackers you'll meet are law-abiding individuals who like to learn, share what they've learned, and help others; and (b) someone claiming to be a hacker who then commits a crime is a criminal – nothing more, nothing less.
Learn about the person being interviewed and what drives them:
Try to understand what makes a hacker tick, and what drives them to tinker with code or develop new processes and technology. Once you have a basic understanding of the hacker mindset, you'll find it easier to interact with them and avoid passive scorn or outright hostility.
Learn to leave the past in the past when it comes to dealing with a hacker:
What they did ten years ago isn't related to what they're doing now. Would you like to be constantly reminded of your mistakes?
Hackers who have moved on from their past deserve to be judged by their present actions and work alone; give them that courtesy. However, if they are doing something questionable, you're obligated to call them out for it, provided you understand what's going on and there is something questionable happening.
Always, when working a con, make sure that your press credentials are visible. Attempting to hide the fact you're press from hackers is a bad idea and will guarantee that your access is revoked.
Somewhat related, never take video or pictures of hackers (alone or in groups) unless you've obtained permission. This is a privacy concern, and not something related to a criminal conspiracy.
Names and Handles:
Hackers have handles; this is how they are known to the world and rarely will they use the name given to them at birth.
When it comes to interviewing a hacker, be prepared to identify them by their handle alone. One of the main reasons hackers use handles over regular names is for privacy. Moreover, some hackers only go by their handle; so for all intents and purposes the handle is their regular name.
Attempting to pressure them for a birth name will rarely result in a positive outcome, and threatening to withhold coverage of a story because of a name only hurts you – not the hacker.
If your organization has a policy on names, and the story is significant, it might be worth asking for an exception to the rule. Finally, citing the hacker by their handle in your story will convey a level of respect that most hackers have never experienced outside of the hacking community, and for that respect to come from the media means the gesture holds additional meaning.
[Hackers: Understand that some news organizations have a policy that pseudonyms are not allowed, so handles can't be put into print. The journalist isn't at fault when it comes to such policies, and rarely will they have the power to change existing editorial rules. Also, if your handle is in any way NSFW, it cannot be printed in most cases. Lying to the media is a bad idea, but if you're so inclined, you're not the first person to give the press a made-up first and last name – you're not going to be the last either.]
Sometimes, there's nothing you can do:
Remember, some hackers are just going to despise you because you're part of the media and nothing is going to change their minds.
The following questions were taken from Twitter, and the answers are based on my personal opinion or experience. No two journalists are alike, which is why it's important for you to know as much as you can about the person interviewing you and your own comfort levels.
"What can I do to avoid being horribly misquoted?"
This is why email interviews are useful. You have less of a chance of being misquoted, and a way to prove the quote was wrong if needed. In the event that the interview was recorded (via phone or tape during an on-the-spot interview) the correction process is the same.
Talk to the journalist first. Explain the situation, offer the corrected quote, and wait for the changes to appear. Honestly, journalists don't like to be wrong. Plus, factual errors and misquotes can hurt a story.
If you don't hear anything from the journalist within 24 hours, try them again. If that fails, you'll need to contact their editor or the managing editor at the publication.
It's rare, but misquotes happen. Journalists are humans, prone to the same mistakes as anyone else.
No matter what though, do not get angry or start attacking the journalist for their mistakes. If you do, you're going to create a follow-up story about a hacker harassing a journalist in an angry fit of rage over a simple mistake.
"What should I do if the journalist who wants a story doesn't have the technical knowledge enough for me to explain it?"
This is tricky. If you want to do the interview and it's a story you want told, you're going to have to help the journalist along.
However, even generalists have basic knowledge for the most part. But if the journalist isn't a tech writer, you may end up explaining little things like what webcams are.
If explaining the basics is too much, politely decline the interview, because you don't have enough time to explain everything. Perhaps you can do the interview later over email...
[Journalists: Do your homework and know the basics about the topic you want to cover. Just because someone is hacking webcams and the editor demands a story on it, doesn't mean you can expect a hacker to explain everything to you. Hackers appreciate it when someone can demonstrate that they've done their homework. They realize you're not going to be an expert – but a little effort goes a long way.]
"What should a hacker do when pressured for a response from press, but they're either not allowed to reply or uncomfortable about it?"
If at a conference, decline the interview politely and walk away. "I'm sorry. I don't have time to talk right now." or "I'm sorry, I'm not able to speak at the moment."
Do not say "no comment" or anything related to it.
This accepts the premise of the question being asked and suggests that you have information of value or something to hide. Likewise, saying "I can't comment" or "I can't" followed by any reason is equally as bad.
Again, if at a conference, and the journalist keeps pressuring you, if you are uncomfortable go to the event staff or security team. Journalists have rules at these shows and harassing speakers or participants is a quick way to see our credentials revoked.
So what if the harassment or pressure comes via email or the phone? If it's email, ignore it and don't reply. Don't say anything. If it's a phone call, send them to voicemail, and again remain silent.
If you work for a company with a PR team, tell them what's happening and let them deal with it. If you're on your own, and the harassment continues, talk to the journalist's direct manager.
Journalists will chase a story to the bitter end, and sometimes we can be a bit committed to getting a person on the record, but there is no excuse for harassment and you shouldn't accept it.
"What should I do when the press makes a mistake in the story and I need to have a correction made?"
You would deal with this situation the same way you would being misquoted. First, start by contacting the journalist and explain the situation. If that doesn't help, then you can go to their editor or the publication's managing editor for assistance.
Again, if no corrections are made, do not get angry with the journalist, and do not attack them for the error. It won't help your situation. However, if obvious mistakes are left uncorrected, use that as proof as to why you will no longer deal with the journalist or their publication.
Update: @4Dgifts offered an additional tip here.
When reaching out to a journalist to get a correction made, remember to avoid doing it in public. Contacting a journalist in public could create personal or professional embarrassment, adding to the embarrassment already established by the mistake in the first place.
[Journalists: We're not experts; we will make mistakes and get it wrong. While we'll catch heat for errors, it's better to get them reported and fixed as soon as possible. Hackers talk to other hackers, so accuracy and a willingness to correct mistakes is something that helps your personal reputation. They realize you're going to screw up, but it's how you deal with it that matters.]
"What should a hacker do when a story has been written about them or their material and/or research and it's either off or horribly wrong?"
Again, contact the journalist first. Try to resolve the issue through them before going to the editors.
"How does a hacker go about reaching out to the press if they feel they've got something that needs to be public knowledge?"
This is why you do your research on the press. Most journalists are easily contacted via email or social media. Try and select the journalist you feel will best represent the story you're wanting told – and be ready to work with them to make it happen – including explaining every little detail multiple times.
"How does a hacker talk to the press if the company they work for doesn't have a PR team?"
Carefully, and that isn't a joke.
Everything you say is on the record, and there is no second chance. When answering the questions asked – assuming you don't decline the interview – weigh your answers carefully, and imagine how they will look as a headline or in a court transcript.
If you're solo, you need to understand what the story is and how you fit into it. Make sure you're clear on the questions being asked, who is asking them, why they're being asked, and if there are any other aspects to the story that could come back to haunt you down the line.
You should really have some sort of PR help at the company, even if it is on a month-to-month basis with a local firm. Also, many PR firms do media training, which is a useful skill to have under your hat.
Want to see other questions here? Email them to me, ping me on Twitter, or leave a comment below.