FoxNews leads today with a dramatic story entitled “Washington confirms Chinese hack attack on White House computer.”
In other important news, experts confirmed that there was a “high probability” that tomorrow, 03 October 2012, due to the rotation of the earth on its axis, the sun would once again give the impression of rising in the East. They also claimed that dinosaurs would “in all likelihood” continue in their state of alleged extinction.
(You read it here first, folks!)
Do we really need major headlines of this sort? What information do their stories convey?
Fox dedicated over 660 words to the Chinese hacking story, but after careful reading it seems pretty clear that the incident, and the story, can be simplified quite significantly.
Here it is in 40 words, for a compression ratio of over 94%:
* A malicious spam from a computer in China reached a single unclassified computer in the White House Communications Agency.
* The computer may or may not have become infected as a result.
* Protection against malware and hackers is a good idea.
You may stand down from any coloured, or even lightly tinted, type of alert.
Please be careful of reading too much into tales like this. They may very well be true, but they may also merely distract you from other clear and present dangers in the computer security field.
To help you out, here are some of the tell-tale signs that a story of this sort has undergone what I will politely refer to as “reverse compression”.
1. The article has as its primary source another article which, on careful reading, is merely the same uncertainty in different clothing.
(The Fox News story relies exclusively on a Free Beacon article that, itself “reverse compressed” to over 1700 words, offers no actionable evidence.)
2. The article, and its primary source, use emotive and dramatic language even when noting assumptions and speculations.
(Examples here include words like “alarming,” “grave strategic damage”, “revolutionary military capabilities” and “most brazen cyberattack”.)
3. The article contains numerous words of caution that don’t distract from the drama but quietly confirm the uncertainty of the conclusions.
(Examples here include “sources partly confirmed”, “Free Beacon claimed” and “attempted hacking.”)
4. The article introduces a second story or issue in a way that invites you to infer a cause-and-effect relationship without actually claiming one.
(Examples here include “China recently moved maritime patrol boats into waters near the [islands disputed with Japan]” and “reportedly including systems used by the military for nuclear commands”.)
5. A convenient security expert pops up who’s willing to go on record as saying that we’re losing the battle and we need to change our game.
(Here, we have an outside expert in whose mouth the article can stash claims like “the cybersecurity industry is woefully behind the curve,” “training simply does not work,” and “we must rapidly adopt new technologies.”)
The training doesn’t work meme is commonly heard these days – we’ve covered it in a Naked Security piece that helps you decide whether it’s true, or even likely – and has become a handy watch-cry for sales guys touting a new technology that they claim can obviate the need for training at all.
I’ll leave it to you to decide whether that’s what’s happened here, and I’ll leave it to you to decide just how credulous you ought to be when you see a single malware-laden spam from a Chinese PC extrapolated into a story about a “cyberbreach [that] was one of Beijing’s most brazen cyberattacks against the United States.”
Be careful out there. Whether you’re an FDR admirer or not, he might have been speaking about cyberthreats and our twenty-first century response to them when he said, “the only thing we have to fear is fear itself.”
FDR’s first inaugural address, 04 March 1933. The ‘Fear itself’ part starts at 1’12”.
And that’s 651 words of reverse compression all of my very own.
29 comments on “How a single spam from China ended up as an attack on the White House”
I stopped reading after you mentioned Fox News…
Heck! I could have had 651-to-1 compression 🙂
(1 because FoxNews seems to be a single word.)
This article could have been compressed to "I don't like Fox news." since it is not actually about computer security.
I'd argue that the article is not actually about *Fox*. I would say that it *is* about security.
So I reckon you've made your case the wrong way around.
If you'd said, "This article could have been compressed to 'I don't like security/hacking headlines which offend my sense of science'," I'd have been more inclined to listen.
Of course, having gone to the trouble of writing the 651 words I might still disagree about just how compressible/redundant my article really is…
Don't mind the troll Paul… I, at least, understood your article.
Exactly what I was thinking.
I wonder what Rush Limbo has to say about this..!
Finally, a news outlet that isn't totally overblowing the hell out of the fact that the White House got some spam. It's exactly this sort of emotional borderline-yellow journalism that gets used as bullshit rationale for things like the Patriot Act.
I'm glad you finally found the opportunity to use 651 words to fully describe why you don't like Fox news and how you are a fan of FDR. God knows CNN or more likely your favorite MSNBC never do anything like this. You are just as guilty as FOX news of wasting our time and managed to make this political
Quoting what are probably FDR's best remembered words – and we're talking about the most influential democratically elected leader of the 20th century here – may be many things (most notably a cliche, a critique I'd have no choice but to accept), but to accuse me of fanbuoy US political intrigue…
…Sir! Have a heart! I live in a constitutional monarchy on the other side of the world!
As I mentioned above, this story isn't about Fox. It's about fear and extrapolation in the reporting of computer security.
And as for blaming me for "making this political", I think the original headline did that. The political angle came with the story, did it not? (White House, FDR, geddit?)
As for MSNBC – never seen it. Doesn't broadcast where I live.
October is "cybersecurity month," (the first one) and the US president is about to sign an executive order that threatens to destroy the openness of the internet.
This "attack" is perfectly timed bogus hype, another in a long line of false flag/bogus "attacks" to justify the draconian measures the government desires.
It's not about terrorism, it's about having "total information awareness," including the who, what, when why and how (and what was actually said) of literally every access to the web. One big objective is universal, and utterly unavoidable taxation.
Just for the record, it's not the first "cybersecurity month" this year.
IIRC, the first one was in 2003, making this the tenth time it's been held.
Gee, maybe news agencies should have devoted more time to Sophos’ recent misteps. Might that meet your threshold for news worthiness?
Gee, maybe they should. (Actually, they did 🙂
As for the newsworthiness – it must have met our threshold because we wrote about it here, if you recall.
Reports on what you so graciously call our "recent missteps" – provided that those reports are accurate, offer usable and useful advice, and aren't just complaining for the sake of it – do indeed, in my opinion, rate as more newsworthy than the sort of thing I am talking about here.
You forgot to mention the same/similar stories on CNN, Huffington post, MSNBC, UPI and the BBC.
Egad, they're all doing it!
Dark Reading says everything and nothing: "White House Confirms Spear-Phishing Attack."
BBC takes the middle ground: "White House confirms cyber-attack on 'unclassified' system."
El Reg chooses a cunning preposition to add a tinge of scepticism: "Hackers break onto White House military network."
Daily Mail relies on some quote marks to keep its options open: "Chinese government 'hacks into White House office in charge of the nuclear launch codes'."
Gather goes for: "White House Falls Victim to Cyber Security Breach."
My local rag, the Sydney Morning Herald, repudiates Gather's claim: "White House says it thwarted cyberattack."
MSNBC gets the cynical quotation marks out: "White House 'Cyberattack' Nothing to Panic About."
And Yahoo! sounds the most promising: "How Chinese hackers broke into the White House."
How? We all want to know that! Turns out there's no how in there. In fact, the article quickly admits that "it's not clear whether White House personnel were actually fooled by the email."
Plenty to choose from…take your pick. And your shovel, your trowel, your rake and loads more besides 🙂
For more analysis see:
"Protection against malware and hackers is a good idea."
… not using Windows is a good idea, Linux ftw
Linux is open source mostly that gives hacker more opportunities to attack. Turn off the features and services on windows you do not need, and install some antivirus and anti-malware, internet security software that has intrusion detection 2 way firewall, and setup your ipsec and firewall rules on your home or business router. Windows can only be secured if you know what you are doing. Don't forget to set up the group policies …etc….
Fox news is well…a joke they dont report the news they make the news and then report on their news they made
This whole issue of sensationalism in the mainstream media brings up an obvious-yet-unsettling thought.
When the media makes a story out of something I happen to be knowledgeable about I find it laughable and easy to see through. But by the same token, do I fail to recognize when things I not an expert in are blown out of proportion? I'd hope not, but I fear that that hope is misplaced.
And if it's a given that I can't always tell when a news story is accurate vs. when it is insubstantial alarmist claptrap, who and what do I believe at all?
But that had nothing whatsoever to do with information security. 🙂
I feel the same way. But the mystique surrounding IT and computer security, the genuine global nature of cybercrime, and the apparent popularity of any story about "hacking", seem to make this field especially prone to fear and extrapolation.
(The sad success of fake anti-virus and the extent of those fake support call scams are perhaps a proof of how fearful we can be.)
The media aren't in the journalism business any more, they're in the advertising business.
Page hits and click-through rates are king, the news is secondary.
You want safer computers in the White House ?
Install Mitt Romney, your best and only protection against malwares of mass destruction.
I don't see you offering any solid facts as to how it was just generic spam that may not have actually infected anything.
Do you spell hypocrite with an "i" or a "y" ?
Also, I am appalled that you seem to be downplaying Chinese cyber espionage capabilities and intentions by trying to refute the report.
Maybe the original source at the free beacon didn't have any "facts" because they weren't told details because the anonymous source from the US intelligence community is not at liberty to elaborate.
I'm not trying to refute the report, merely to cast it in a reasonable light that can stand scientific scrutiny.
And I'm not downplaying anyone's espionage capabilities. I'm just wondering if this particular incident really deserves to be written up as a "cyberbreach [that] was one of Beijing's most brazen cyberattacks against the United States".
After all, if this really is the best that they can do, we don't have an awful lot to worry about, do we?
Maybe – since we're on maybes – this particular one is a storm in a teacup, and we're crying wolf? That would be pretty bad, don't you think?
You are a moron of the first order. Let me know how your bashing of Red America works out for you on the bottom line or on the front line of the sales war. I am un-sub'ing from all your lists and whitewashing your brand from my memory. There is no circumstance where I ever consider your garbage for my enterprise.
I think you may have the wrong end of the stick..but sorry to see you go.
Wow. The hate is kind of bizarre and amazing yet funny.