Over the last week, the infosec community has had a hard lesson thrown at it. Are we going to actually learn from it though?
We are self-righteous, our community, the world of infosec. We preach, make fun of, pick on, slam, and do just about anything else negative about how things get handled. We forget that we are human also, with the same tendencies. We refuse to see it, we feel we are above it, but we are not. It is a huge security hole in our world, and one that can be exploited. This reared its head in a large way with the whole Marcus Hutchins (aka @MalwareTechBlog) situation.
Think about it: when a new breach is announced and immediately attributed to X group or Y country, what is our reaction? We laugh about it, make fun of it, joke about it. How many times on Twitter have we played the Russian/Chinese/North Korean hacker line? How often have we bitched about how fast the government lays blame on a certain group/country for hacking? How often do we say we must wait until we have more information and a better analysis? How well did we do all this with Marcus’s situation? We failed.
We failed, and failed in a big way. I am not saying he is guilty or innocent, that will come out later, but our reaction to events was very telling. First we got wrapped up in not knowing why he was picked up and being held by the FBI. Wanting to know is fine, we wanted the information, but we started (and some continue) on a breach-of-trust issue with the Feds because of this. We started yelling for his freedom; he did not do anything wrong, we claimed, and he has only helped us with things like the kill switch for WannaCry. Then, when the indictment came out, we started splintering: some jumping on “he didn’t do this, he could not have done this”, all the way to “how could he have done this”. Still we had those that were just out-and-out blaming the FBI for bungling it and breaking trust. Yet the FBI did nothing wrong; in fact they even respected the supposed “safe zone” of Defcon 25 (if it actually is treated as such). They waited until he was in the airport, a much easier place to make an arrest with less fuss. They held and arraigned him in the normal legal time frame (24 hours from what I have been told). Yet we went off the rails because he is one of our own. We lost focus, we showed that our paranoia can be used against us.
Think about it. Let us say someone wanted to manipulate us, so we were looking in the wrong direction. They cook up not just one thing, like an arrest, but an arrest, a fake malware situation, and maybe a couple of other things. Our emotions start running high because of the arrest; we are so caught up in those emotions that we make mistakes on the malware and send out a huge warning because we are not thinking straight. Now, while everyone, media, corps, us, are focused on these things, a slower, stealthier attack happens. One that, say, brings down a power grid, messes up the 911 system, or the like. Something we could have noticed, or better yet that the Feds noticed and tried to get our help about. Where were we, the defenders? Where were we, the experts?
It really comes down to a case of practicing what we preach. It is fine to speculate and question, but to go off half-cocked without all the information, in the first few minutes (à la NotPetya) or hours, is bad form. We are hacker/infosec. We are great at digging into things and understanding/breaking them to make them better. Something like Marcus’s situation needs to be looked at the same way we would approach a breach or worm outbreak. Put the emotions on the shelf, analyze, then reassess as more information comes in. In other words, practice what we preach.