In the world of email and tweets, you sometimes can get some interesting information from some unusual places. I recently lost my iPad and a friend my knew that. A couple weeks ago I got an email about an article I should read because he knew I had lost my iPad. The post was from Brian Krebs(@briankrebs), a security blogger, but not someone I thought my friend would normally read. The blog post was about how a group of scammers were tricking people who had lost an iOS device into clicking a malicious link - If Your iPhone is Stolen, These Guys May Try to iPhish You.
The post was already in my RSS feed1 and so I was ready to ready through Brian's post. As I read through the post I was more alarmed about some of the misleading statements than the actual phishing scam. Brian led the post with a clarification statement
That security professional source — referred to as “John” for simplicity’s sake — declined to be named or credited in this story because some of the actions he took to gain the knowledge presented here may run afoul of U.S. computer fraud and abuse laws.
Cool. For the non-IT security professional that means "John" hacked the scammers back to figure out what they were doing. And by hacked, I mean "John" did things that could get him arrested. The post continues with a summary of how "John" back traced the steps and methods the scammers were taking. Part of this process required "John" to access servers or accounts held by the scammers. From Brian's post:
John said he was able to guess the passwords for at least six other accounts on the iCloud phishing service, including one particularly...
Not cool. When my friend followed up on his email about reading the post, his first question was, 'How did he guess those guy's passwords?' "John" didn't sit at his computer and magically guess the password like we see on TV, he used very specific tools and techniques to extract the passwords from the scammer's accounts. The article completely glossed over how "John" got into the scammer's accounts and would lead an average person to think "John" had magical powers.
Then this morning it happened again - different friend, same panic note. My friend was alarmed about how scammers were locking people out of their iPhones. I looked at the link he forwarded me and again I knew the post in question because it was a security blogger Graham Culey (@gcluley), who was also in my RSS feed. I also knew Apple had fixed this in a the recent 10.3 iOS update.
Sadly my RSS feed showed this:
And when I opened the actual article, it looked like this:
Wow. There's a by-line that states this is fixed, but if you read the head line and the first part of the article it reads like this is something that can happen today and there is nothing you can do about it. At the point in the article the general reader would be freaking out, the article mentions the steps to fix the problem and then mentions Apple actually fixed it.
I don't mean to pick on Brian or Graham and the great work they do, but I'm using these posts as an example of what I've been seeing more and more from technical journalists 2 - the glossing over of details or misleading those not informed about a topic. I'm frustrated that we're seeing more "click bait" type headlines or articles from people we have trusted to explain technical and complex topics to the general public.
We get upset about news outlets that spin information we can get from multiple sources, we should be infuriated when it happens to our much narrower information channels.