
IATC - Why journalists and hackers need each other (a panel discussion with infosec reporters) - Sean Lyngaas, Kim Zetter, Joseph Cox & Lily Hay Newman

BSides Las Vegas · 1:00:36 · 57 views · Published 2019-10
About this talk
IATC - Why journalists and hackers need each other (a panel discussion with infosec reporters) - Sean Lyngaas, Kim Zetter, Joseph Cox & Lily Hay Newman I Am The Cavalry BSidesLV 2019 - Tuscany Hotel - Aug 07, 2019
Transcript [en]

Welcome, everyone, to BSides' I Am The Cavalry track. This talk is entitled "Why journalists and hackers need each other: a panel discussion with InfoSec reporters." We're gonna make a couple of quick announcements. One: please silence your cellphones; we really do need those to be silent in order for you to be able to hear the presenters. We are live-streaming as well, so we really appreciate that too. If you do have any questions, just go ahead and raise your hand and I'll bring the microphone to you. If I somehow don't get there in time, the panelists will try and repeat your question, but I'll try and get there as soon as possible. I would like to go ahead and thank our Inner Circle

sponsors who make this conference possible. That includes Critical Stack and Valley Mail, as well as many other sponsors, including the seller sponsors Amazon, Silence and Robin Hood. So thank you all for that, and thank you to all the volunteers that help make this happen every year. Without further ado, I'm gonna go ahead and hand it off to our presenters. Thank you. Thanks very much. Thanks, everyone, for coming out. My name is Sean Lyngaas; I am a reporter for a publication called CyberScoop. I'm gonna introduce the other panelists in short order. Before I do that, I want to just take a quick poll of the room: how many of you, on a regular basis, for your

work, interact on a somewhat regular basis with journalists? How many of you wish you interacted more with journalists? What about less? That's good. All right, so the genesis of this panel is very simple: the fact that we need to have an open dialogue with security researchers to do our job well. And for those of us who are committed to learning the tools of the trade and really investing ourselves in reporting on InfoSec, you know, as long as we act in good faith, we feel like there should be open interaction. And, you know, the more we talk to you, the better our stories get, and hopefully the better informed the community gets. So that was

sort of the impetus behind the panel. I'm gonna introduce everyone real quick and ask them to briefly explain why they're here, why they wanted to participate, and then give an example of how, in their reporting, the expectations of the non-journalists differed from reality and how they went about their reporting. So from my right, all the way across the stage, we have Lily Hay Newman from Wired; Kim Zetter, who's a freelance journalist and who wrote the book on Stuxnet; and Joe Cox, who is with Motherboard and does a lot of reporting on privacy as well. So, Lily, why don't you start us off? Yeah, hey everyone, I'm Lily. I wanted to

participate in this panel because I noticed that there's a lot I want to know from the community and from sources all the time; that's my whole job. But there's also a lot that people seem to want to know from me, which has kind of been surprising to me. People say, "Oh, do you know someone at that company? That would be really helpful," or, "Maybe we could, you know, go through the PR team to try to find out more about this thing that I'm trying to disclose to the company," or, "I would never be able to do that," or, "Oh, do you know the researchers at this research team at

this university? Because I felt kind of weird; we're kind of competitors. I didn't want to approach them, but maybe you could ask them what they think about my paper." You know, or I'll just do that and they're like, "Wow, that's so awesome, I always wanted to know what this person thought about our work." All these connections and interactions that I never would have thought of. So I thought it was a really cool idea to do this panel and talk more about what you guys are experiencing and what the community feels about it. So I guess where a journalist can help you is sometimes someone will come to me and they've

discovered something, or they think they've discovered something, but they don't really know. And so I, as a journalist, can actually help them determine whether or not that's true: I can vet it against the company, I can vet it against other researchers. I know that there are researchers who have told me that they come to me before they do interviews with other reporters because they don't know what they have. Sounds good? They don't know what they have to include when they talk to reporters. And so they'll start to give me stuff that doesn't matter at all, and I'll say, "Come on, guys, let's get to the important stuff, cut out all the technical stuff," or,

"Okay, now give me the technical details," or something like that. And they said that, I mean, these are also PR people who are with the researchers, who tell me that they sit there and they take notes and then they figure out how they're going to present it formally, either in a press release or in a bug or in a blog post, and then open it up for general interviews. I didn't know that for a long time, that that's what they were doing, and at first I was kind of annoyed, but actually I'm glad that they want to communicate better. And so, I mean, journalists don't have the time necessarily to help you with your

research and your stories, but they can be a sounding board, to tell you, for example, "Oh, that's really old, we've seen that a decade ago," especially for new people who are just now, you know, doing research and they don't understand, they don't have the context of all the back history. So that's one of the services that you can do. Hey, yeah, so over the past couple of years I've probably been doing panels similar to this, at RSA, or BSides Dublin was another one, and the main motivation behind them is that hackers and journalists can do stuff together for the greater good. I mean, for the majority of my sources, they're criminals or independent researchers who aren't

people who have the backing of a PR team. So if a teenage hacker comes to me, they're probably not going to be very experienced with talking to a journalist. And as for the first question, you know, expectations: one will be, "Hey, I put this data up on AlphaBay or some other talking service, can you please link to the listing so people will come and look at it?" Because clearly sources have motivations, and I have mine as well, which is publishing something that hasn't been done before. And you have to explain that there's a balance between, yes, I still want to cover this data breach, because, you know, the company should be aware, users should be aware, and it's just a

more general public interest story, but I can't help you sell your data dump. So it's sort of explaining that dynamic, and obviously not just that specific example but, more generally, this balance between how we can work together to do something that is actually beneficial is one of the reasons I'm talking at these sorts of things. It's great, and there's sort of a natural tension between journalists, who want to publish information based on our reporting, and people sometimes in the security community who want to keep the name of the victim organization that was breached private or not disclosed, or who want to walk up to that line of disclosure that we're willing to cross. So how do each of you navigate that

tension in your day-to-day work? Well, you had a good... we argued about this, I think. So I understand if you have an NDA and you don't want to, or you can't, disclose the client, or if you're a researcher and you found a vulnerability in someone else's system and your PR people don't want to expose who they are. I understand those kinds of relationships. But what I try to explain to people is that, first of all, readers' eyes glaze over at stories that don't include details. They want those dig-down-deep details that actually help them put it into context. And if you're, let's say, the security person at a chemical

plant, and all of these hacks are happening in critical infrastructure but they haven't happened to one of your competitors yet, then what you're gonna hear from your boss when you try and go to him to increase the budget is, "Why? Show me why this is important," or they'll think, "None of our competitors are being hacked, none of our competitors are spending this money on it, why should I?" And so actually publicizing the name of a victim puts that on the map for all of those executives who don't think that they in particular have a... So I think the naming is important. I think the naming is important also because then people can ask that company

what happened and get more details when you go to conferences. If you don't know who it is, then you're not going to get more information. We all have this information-sharing thing, right, with the government, and we all know that it's not perfect, and there's still a lot of people who don't know what's going on in attacks. What you get are the IOCs and nothing beyond that. And so I think that if we want to, as a community, have more of that information sharing, then less shaming, maybe, and then that won't make people hesitant to name themselves. But, I mean, everyone is in the same boat in terms of being vulnerable,

and I think it helps. I think there's one person's shame, another's transparency. Like, in naming the victim, I mean, how are we going to change behavior and improve security without naming who was hacked? It's a delicate dance, but I think it's one where we're obviously going to be biased towards more disclosure of that, and then coming to the table with researchers who may not feel exactly that way, to understand where we're coming from, is helpful for everyone. So we addressed, like, the elephant in the room. So, I mean, there was a story, obviously, the one in Saudi Arabia, and when a journalist published the name of that

company, he received a lot of criticism for that, or a lot of flak. I would have published the name as well if I had gotten it, and I think in that case it was particularly important to name it, because when the hack was first publicized there was a media outlet that published the wrong name without vetting it. And so I thought that it was important that this researcher, or the journalists who discovered it, set the record straight. And by the way, you know, those stories that have the errors stay online, so when someone does a Google search of what happened they alight on that story and they still see the wrong company's name in it.

So at the very least, to be able to have something else on a Google search that actually says what the name is, is helpful. And I think it's useful to just set out what everyone's incentives or motivations are, like Joe was saying before. And in the case of trying to find out who a victim is, because it's in the public interest or, you know, it provides context and details that help readers understand more about the situation: it's like the journalist's job is to find out as much information as possible and publish it. If your job is to try to keep that information from getting out, okay, that's your job, but it doesn't change what the journalist's job is. So the

journalist is going to try to find a way, you know, a different source or a way around you, and so, you know, that may be frustrating, but it's not surprising; it's the nature of the situation. So sometimes I think it's helpful to just, like, have a refresher on where everyone stands, because it's not personal, it's not about one person's company, it's just the whole point of the journalist's job. And again, if your job is to try to keep something from getting out because you think that's important in a certain way, then that's your prerogative. You know, I mean, I guess, just very generally, and this is more of a hypothetical, but the only time,

really, very generally speaking, that a journalist is not going to, you know, name a victim or organization or something like that is when naming them would disproportionately cause harm. So, for example, I've done a lot of work on spouseware, which is physical-access malware used against people in abusive relationships. We don't go around doxing people who have been, you know, sexually assaulted and had malware put on their devices. Naming a company can be somewhat different. Of course, if there was a genuine risk to life, the journalist would consider that, but I can't immediately think of a case where naming the company is going to cause some real harm. It may cause share damage and, you know, financial issues,

which of course you would bear in mind, but it's not gonna necessarily stop you from publishing something if it's true and if it's in the public interest. What about bearing in mind how an adversary, the hacking group or what have you, would change its tactics if you publish information? Sometimes we get grief from researchers who say, "Oh, well, you may think this is newsworthy, but if you put this out there then you're gonna make it harder for us to protect potential victims." I mean, how much of that has to factor into what you do? I don't have an exact example for that, but one just recently was that, you know, the anonymous message board

8chan has lost its Cloudflare support, its main registrar, that sort of thing. There's a mirror currently online, and an official one set up on a sort of, quote-unquote, dark web service, you know, one of these various decentralized services. We decided not to name that specific one, even though, yeah, sure, you could go google it, you could go figure it out, but we don't want to provide a step-by-step guide for people to find this version of the website. And I imagine you can make the same argument for, well, we're not gonna do a how-to of how you can go break into this specific system, or something like that. When you do get to a certain granular level of

detail, you may need to be more careful with the sort of information you're putting out there. With the Edward Snowden documents, I would personally have a lot of issue publishing individual selectors for some of the things, because you may then be identifying targets or something like that. So the more granular you get, I think you have to be even more careful about what you're actually going to publish. Yeah, speaking of doxing, you mentioned doxing, Joe, and I'm wondering if there should be a voluntary InfoSec journalist code of conduct where we all... it's not complicated, it's basic things that we all say we're not doing. I mean, maybe we don't have to say it, but where this is

coming from is I get a little bit upset when someone, you know, I'm not gonna name names, but someone, a journalist out there, does dox a researcher, and then there's an uproar: "Oh, see, this is how it is with journalists." And I think that sort of behavior obviously needs to be [unintelligible] and put out, and there's other basic things that we don't do, and you don't have to be, you know, really righteous not to do them; it's just common sense. So we do our job, you're not a horrible person, you don't do certain things. But should there be, like, a document out there where people who

are less familiar with what we do say, "Okay, well, these people are part of the, you know, accepted community of InfoSec reporters who will not do these things, or will do these things"? Is that worth pursuing? I don't like the idea of some sort of repository, a document listing the good and the bad journalists. [unintelligible] Yes, yes, I see. I mean, sure, generally, very generally speaking, there can be some agreed-upon rules, such as you're not going to, you know, dox a victim of abuse or something like that. But there is so much variety in our occupation, which is why it's so important that when you do have information, it's preferable you go to a

journalist, you know, whose work you follow, you've seen what they've done before, and maybe you've seen how they've treated a similar subject before, so then you have some sort of expectation of how they're going to handle it. I know people, of course, who could have been my sources, but maybe I'm friends with them, so it's not appropriate for them to come to me; they'll go to a journalist and then they may get screwed over. But to actually answer the question: it so varies that I think it would be difficult, even beyond the logistics of actually making a document like that. All right, true, true. And I was gonna say, in what ways do you guys feel like

standard journalistic best practices are not enough for the special situations of InfoSec? I'm just curious what you guys think, because I tend to try, in my own reporting and in making my own decisions, to just go back to, like, very basic tenets: what have you agreed upon with the source, what have they said are the parameters of their willingness to work with you or not, or, as Joe is saying, what is the potential for danger or harm to either a source or another party that is brought into the story. So I'm curious. I'm not saying there aren't, you know, specific things, but that's what I tend

to try to use: just the very sort of most basic, foundational ways of doing all journalism. That's kind of what I try to think about. There is sort of a different approach that you take to someone who is a professional spokesperson, right, who is trained to work with journalists, and there's a different approach that you take to people who actually, you know, don't have any experience talking to reporters. If I'm talking to a PR person, I'm not gonna lay down the ground rules to them. I try to do that when I talk with someone who's not used to working with journalists. When they start to say something's off the record, I stop them,

and I say, or they say something's on background. I know that the general public has a different view of what "on background" means than what journalists understand it to mean, and that, I think, creates a lot of pain when it turns out that you've told a journalist something and you think "on background" actually means that you're not going to get quoted, and that's not true. So I try to lay out the rules. As soon as someone uses one of those buzzwords, I stop them and ask them, "What do you mean by that?" Because I just want to make sure that we both understand what that means. And then it turns out

that they don't actually know, and so we go through them, and I'll explain all three of them: on the record, off the record, on background, or on deep background. And sometimes even with PR people; PR people love to say, "We're just gonna tell you this on background." On background means you can use it, but what they actually mean by that is just, you know, "We're gonna tell you something so you understand what it means, but we don't want you actually using it." So even with PR people you have to stop them and say, "Okay, this is..." So I consider that part of the ethics of journalism, and if someone comes back to

me afterwards, if I've done it... I did an interview recently with a guy who was surprised when I called him, or he was surprised that it was me calling him, and that sort of put him off guard, and he started talking to me. And then we get off the phone and he texts me and he says, "Can we make that all off the record?" And I said no, but I did do a fact check with him, so he was comfortable afterwards with what I was using, and I got the facts right. Yeah, we have questions? We'll take questions again, but I will make an exception for Josh, who was kind of the moderator,

so I don't want to, like, talk too much, but I had just a comment on what Lily said about how you approach it slightly differently with InfoSec. I mean, simply put, if it's a security researcher whose trust you're trying to gain and who maybe doesn't have a lot of experience, you know, be a little bit gentler with the person. Whereas if we're going into a press conference with a DOJ or DHS official, it's, you know, it's a knife fight, we're throwing questions out, I mean, there's no holds barred. I mean, I think you're there to grill them, right? I'm not really necessarily all the

time here to grill people who have come to me with the discovery of a vulnerability or whatever, you know, something, as they are, or something. So it's a little bit of a different treatment. I mean, you want to vet, you want to ask questions, you want to ask hard questions, but you're not, like, you know, this isn't taxpayers' dollars that you're asking about how they're being spent. But I do, you know, I do not want to ruin your flow. It's just, I saw some people gasp at your definitions of "on background." Could someone give me a quick definition for each of those categories? Because most people in here... I'm not afraid to join them, because some

other journalist will say, "Well, no, that's not the definition we use." Well, yeah, so this is what I kind of meant about everything being a little bit wonky, a little bit different. So really, really generally speaking: on the record is your name will be used, you can be quoted. Background: typically Silicon Valley companies and tech companies like to do it all on background, where you can paraphrase what they've said and you can attribute it to, say, Microsoft, but you don't name the person who said it. Deep background: not just paraphrasing, you could have put it in quotes, you can quote the source, you can quote what they said, but you just can't attribute it to

them. And they don't usually mean that when they say, yeah, when they say "on background"; that's usually the administration official, you don't even have to identify the organization, often. Sometimes you do. So, and this is why you lay out the terms. Especially when I brought up the teenage hacker example earlier: I don't report on background with teenage hackers, either on the record or off, typically, but using their handle. But these terms are garbage and they mean pretty much nothing a lot of the time, right? So I sometimes just don't say "background," right? I would just say, "This means I can quote you, but I'm only gonna use your hacker handle," or

something like that. I'll just get super explicit. Anyway, back to the list. Yes, please. Okay, so background, and this is my use of background; again, it's going to vary, so that's why you want to set the terms. Background means that you can quote someone, the full words of what they said, but you wouldn't name them, and you would figure out how to attribute them: do you want to be attributed as an FBI official, or, you know, a government official, whatever. Deep background: you can quote them, all that, but you're gonna move the attribution further away. So instead of saying "an FBI official" you're going to say "someone with knowledge of the situation." You want

to move them out of the agency so that the pool of people that could possibly be the source is much broader and wider. Sometimes it's about protecting the source, but I do say to people sometimes, when they don't want to be identified at all and they want that deep background, I say to them, "But a reader reading this story is going to want to know why you are in a position to know this information." So it's helpful for me, and it's helpful for the reader, if I can actually say you're an FBI official, because that shows them how close you are to the information and that you're not abusing the anonymous

source designation. I would just say that touches on... I know the off-the-record is just, you know, whatever, but no, actually, there is another thing. I'd love... do you want to say that, and then ask him? Okay. I mean, I just think it touches on two things, which is that there are two main priorities or obligations when it comes to a journalist. There's protecting the anonymity of the source, if that's what the story involves, and there's also an obligation to the readers to be as transparent as possible with where this information came from. Like Kim touched upon, we can just say "a source familiar with," and that may not be someone inside an exploit company; that may be someone who spoke to

someone who then spoke to someone else from a rival exploit company, or something like that, which muddies the water, doesn't make the story as good, and the reader has no idea about the veracity of the information. As long as it is not infringing on the anonymity or the protection of the source, the reader comes first. And I say that very carefully, because obviously, when you say that, people may go, "Oh, you don't care about your sources." No, no: if the anonymity is guaranteed and it's solid, the main obligation is to the reader and the transparency in the story itself, and making it clear and fair to everyone. Wait, wait, I agree, I agree. We are here to

serve the reader, and that's primary. The sources as well, because we can't do our job without sources, and so there's a balance there where you explain to sources what you need for the reader to trust the article and to trust what the information is that you're giving. The off-the-record thing: so this gets a little touchy, because there are journalists that do this and some people consider them unethical. If you tell a journalist something is off the record, they're not supposed to be able to use that information, but you can use off-the-record information to then go obtain that information on the record somewhere else. So if a government official tells me something and they

said, "Look, this is classified, I can't tell you this, but I'm going to tell you this off the record," and you need to use it, it's important, good information, but you can't use it because that person has told you off the record. But now you know where to start your search for information, and armed with that knowledge now you can start asking around and saying, "I heard about this situation," or, "I heard something about this," to someone else, and say, "Can you tell me anything about it?" And that's perfectly fine to do. There are journalists who operate on the edge of that in a kind of an ethical way, but I'll leave it there. I only know... I don't... only all

circumstances where journalists have done something unethical [unintelligible]. I also just want to note that, again, I just think it's about everyone understanding what everyone's job is and what their motivations are. The true off-the-record thing is: don't tell a journalist, right? Like, if you really want to be sure it's off the record. So, the reason I bring it up is just because, you know, I think people get into all these confusions because they're forgetting, like, what we're talking about here. And, yeah, please tell us everything you know; we don't want it to be off the record, we don't want you to stay away. But, yeah, I mean, I think if everyone

could just keep in mind the parameters of the project here and the sort of collaboration, it would help there to be fewer surprises, because nobody is trying to... no one wants surprises, right? Exactly. And genuinely, because it is a collaborative effort, and I think, you know, journalists feel that positive building of something together when you work on a story with someone where everybody feels like a tough issue is well represented or well explained, and that the readers really benefited. So that's why I just bring that up, even though it's... it's because, you know, everyone has power and control in these situations and can make the choices that

are right for them. So we're doing pretty well on time; there's gonna be time for more questions, which are fun. I did want to ask Lily and Kim one thing, and here's my little intro anecdote to that. Preparing for Black Hat and DEF CON, I did not give my email to be distributed to the PR professionals, so nobody knows how to find me, but I got a deluge of pitches asking to meet with executives, and about, I don't know, 80, 90 percent of them were offers to talk with male executives, and they were often actually coming from female PR professionals. I don't know what to make of that, but the bottom line is that it got me

thinking more about representing diverse voices in the community, and who we quote, who we talk to, and of course that means we absolutely should have, you know, as many female InfoSec reporters as we can. So that's a long-winded way of introducing: can you describe to the audience and to us what it's like to be a woman InfoSec reporter? How is it different than being a woman InfoSec security researcher, even though you're not? I mean, that's hard to answer, but how do you approach your job that way? How do you overcome bias and discrimination that you experience as a result of your gender? Take it away. I was hoping Kim would start, because you

said something when we were preparing for this that I thought was really interesting, about whether things have gotten better or worse. So I've been at this for a while, and when I... my first DEF CON, I had started at PC World and one of my colleagues had just come back from DEF CON, and he's describing this hacker conference, and I just thought this was brilliant, you know, a conference for hackers who actually go and have sessions, panel sessions, talking about this. So I asked him to take me with him the following year, and I didn't know what to expect. And I walk into the Alexis Park hotel, and I walk into the room (I know, for Alexis Park, we all miss

it), and there were like a thousand people in the room, and I would say 95% of them were men. And I didn't know how I was going to be treated or how people would react to me, and I was amazed at the amount of respect that I was given. And during those years of covering this, people were immensely respectful and helpful in helping me get up to speed on this topic. I'm not a tech person by nature; I'm an English literature major. And I think that people didn't see that difference; what they saw was I was really interested in the topic and eager to learn. That has changed over time. The more people that have gotten into

InfoSec, the larger this has become, the more of a hot topic it's become, there are a lot of different people now in this community, and there is bias, there is dismissiveness, there is condescension. What can I say? People don't expect that I know anything. I'll relate this: I was at an event in DC a couple of months ago. I'm a speaker at the conference, we have a speakers' dinner, I'm sitting there at a table, a couple of men sit down, I'm talking to the one next to me, and the guy across from me, who comes from a security company, says to the guy next to me, "Oh, is this your wife?" And it's a speakers' dinner, so I think his

assumption, regardless of the context of the situation, was always going to be that I'm not there for knowledge that I have or any expertise that I have. And I was telling Lily I was bothered by how much I was bothered by that. I felt like I shouldn't have been bothered by it, and I was trying to brush it off, but as the dinner went on I was getting more and more angry about it. But anyways, so I don't think that we've improved. I think, as the community has gotten larger, it's gotten worse. Yeah, I wonder if maybe that is because there are more women in the community and there is progress, and that

therefore there's more of a pushback, and it's sort of an active thing, and so there's more attention and it's more on everyone's minds. But, yeah, I definitely feel it also, and I feel that when a lot of your sources are men, I find that there's some difficulty with just navigating semi-social situations where you get some of your, you know, best information, and you're really just kind of hanging out with someone, learning about what they're interested in or what they're working on. There's some difficulty navigating those situations with ease. An example I always give is just that there's a real societal stigma against women buying men drinks, but journalists aren't really allowed to accept lots of free

stuff from people, so generally what male journalists do is they just post up somewhere and they say I'm buying, everybody come hang out, or, you know, they ask a couple of sources to come and they buy all the drinks. But I find that sometimes there's a little bit of awkwardness about that when I'm trying to host that type of casual hangout with, you know, a few people, and it's really small stuff like that that you wouldn't necessarily think about. And I'm pretty, you know, willing to just kind of confidently try to do something and get everyone to go along with it, and I'll really try to put myself out there, but you feel you push

up against these societal rules or limitations or standards where suddenly you're like, wow, it's really hard to push back on this and it's actually not fostering the situation that I wanted in order to be talking to people. So that's a big thing that I notice and think about a lot, and I think there's just a lot of background thought going into negotiating interactions that should be really, you know, casual and straightforward, and I think many of my male colleagues in the field do not need to put in that thought. There's another element of that, and that is, especially since we're in Black Hat week, Black Hat and BSides and DEF CON

at Vegas of course, and that is when... it happens, I don't actually, I can't remember the last time it's happened, but a lot of companies used to host their events at the Shadow Bar, and I don't know if you're all familiar with the Shadow Bar, but there are naked women dancing behind screens. And so you're at a bar and you're in a professional setting and you're trying to do your job and it is a very sexualized environment, and so that's difficult to do. And I was also at a conference where I really wanted to engage with the people who were there after the conference, and we're all gathering after the conference and they're talking about

where to go and they're going to go to a strip club, so they didn't invite me, and I didn't know initially what was going on, but they were sort of moving away from me to organize where they were going, and then I found out later that that's what had happened. So that kind of thing, I mean we're trying to do our job, we're in professional settings, and I suppose a male reporter would have gone with them or they would have invited him, but those are the kinds of things that we run up against in trying to do our job. Yeah, and you see how the choices there are really poor because

even if they do invite you to the strip club then you're at the strip club, this has actually happened to me, and you're just like, okay, I kind of wanted to know what you're working on, and they're like, what's new with you, so sometimes you're just between a rock and a hard place. And I think there's that push back in the community also, like, well, you wanted to be invited, you know, there's that vibe. So it's pretty difficult to navigate, and basically to summarize I think that is the biggest thing that characterizes the experience for me, is just needing to do a lot of extra work

in the background to make it seem like everything's just chill. Great, thanks for sharing your perspectives on that. We're gonna go to the audience if you have questions, you look wired and ready to pepper us with questions. Feel free if you want to identify yourself, otherwise no worries. Hey, um, really interesting, thanks for saying those. Where's the voice coming from? I see, I'm back, sorry, speaking Blackfoot intro, okay, you go ahead sir. All right, yeah, hi, yeah, so I'm gonna completely derail your super... what I was thinking about before, which is for me there's a real dichotomy when it comes to reporting things to reporters, which is

that for me if I want to get something out there it's because I want people to be... I really think there's something busted with this microphone, am I just being cut off every now and then? I'm pointing at my mouth. If you give me a different cheese gadget, and shout if you want, but I don't know whether that is allowed. Just talk? Okay, sorry. So there's a dichotomy of when I give things to reporters, because when I give things out I want the public to be informed, especially since there's so much confusion about what people should care about when it comes to security, and I find that there's two possible routes that end up happening. One,

the article ends up being really, really technical and the result is that a reader who reads that doesn't really know how they should interpret the information. The other outcome is that the article ends up being really sensationalist and then the person ends up just really worried existentially about something that may potentially be a very technical vulnerability that only affects, say, enterprise systems, for example. Is there anything that I can do to, I don't know, make it so that the things that are produced as a result of my work, or just in general, end up having people come away with the kind of information about here's how much I should worry about this thing and here's the effect

that's gonna have on my life or something else in my life, instead of just the headless chicken effect that we see so much in security. I can tell you that yes, it's how I mentioned earlier about choosing a journalist who you maybe follow either on Twitter or some other way and you're familiar with their work, who's going to present the information in a way that you think is going to be the best way to inform the public. The journalist may disagree and they may do another thing, but for one example, we have recently just, it's a very bread and butter story, very normal one, about how a Russian-developed cryptographic standard had some potential flaws in it and other members

of a regulatory body took issue with that, and for us the story was the geopolitical context around that and around this tension within the body between nation-states. For the story we weren't actually particularly invested in the super technical details of this cryptographic flaw, so we didn't go into detail on that. Some readers, on Twitter especially, were like, well, where's the technical details? We linked to the white paper so people can go read that if they want. For us, for a more general audience, we're emphasizing that geopolitical angle. So it really... and if they had gone to, I don't know, a journalist at The Register or something, or maybe Kim, who's a lot more technical than me, maybe the article

would have been more technical in nature, but it really does depend upon the journalist and the outlet. So I would just think about who you're gonna give it to rather than the first journalist you think of in five seconds, or you can give it to a couple of journalists. I mean, you give it to the person who you know is going to do the technical story and then also give it to someone who's going to do maybe the broader stuff. I mean, you see a story in CNN, right, and then you also see it done by an InfoSec reporter, and so the readers who want both, or who want one or the other, can

get them. Yeah, I think that's a good thing, like, you know, it's positive that there are choices about what gets focused on, because there's a lot of parts to everything, you know. Next question. All right, so my name is Klaus Holman, of that same Twitter handle, because I'm not afraid of being doxxed myself at talks, but when you're talking about, and I'm going to dox him, Brian Krebs, before you said he should be ostracized and thereafter you left out mentioning him by name, which just does not ostracize. I was wondering why you did that. Fair point, I was ostracizing the behavior in general, I don't need to point fingers at a specific person, I

just want to make it clear from how I and the people on the stage approach their profession, and not doing that. I mean look, he's faced plenty of criticism for what you're referring to, I think, so I don't feel the need to personally, you know, call out anyone in particular. I'm just talking about standards of professional behavior. So I've been actually thinking, if you get too much into the back-and-forth, especially on Twitter, it's not a good use of your time, so that's my... Hi, I'm Stacy, and this is part comment, part question. So I'm sorry, I've already forgotten all of your names, okay, the woman on my right mentioned having to do a lot of work in

the background to make sure everything seems chill. That's called emotional labor, and it's a huge burden that women bear both in the workplace and in the home, and it's the invisible work of managing other people's feelings. Google it, you go down a rabbit hole. Um, but I just thought I'd throw this back out there: how big of a burden is that in your jobs? Is that something you see on a regular basis or is that something that happens now and then? Just kind of curious how pervasive it is. Oh yeah, yeah, it's a huge burden. I also think of it as something called the third shift. The first shift is your job, second shift is tasks like, you know,

laundry or, you know, cleaning up trash at work, or, you know, can be in any context, and the third shift is thinking to do that, or thinking to approach someone, you know, to plan for something in advance, or yeah. And women generally are socialized to be more focused on the third shift, so I see that coming up, or the emotional labor, and I see that coming up in my job all the time, with colleagues, with sources. I mean, I definitely notice that sources will tell me a lot of stuff about their personal lives, send me photos of their kids, and I welcome that and I'm, you know, really down for it, but I notice that I receive it

disproportionately, and I think it just has to do with expectations, and it can be good, you know, for journalism, you know, people feel more comfortable, you can remember things about their personal lives that they've told you and bring them back up as a way, you know, to make people feel more comfortable and that you sort of remember them and you see them. So, you know, I try to make the best of it and, you know, use it in positive ways, which is genuine, but yeah, it's also a crapton of work. I also want to say that, you know, a lot of people in PR or the spokespeople

of organizations that we deal with, and companies and things like that, a lot of them are women, but there are also, particularly in government, at government agencies, where the spokespeople are men, and there's this entire relationship that they develop with male reporters, this very buddy relationship, and it's something that female journalists have to deal with constantly, that you're left out of that. And so you are constantly calculating in terms of how you approach someone, how you get the information that you need, how you're going to be perceived, what you're going to be left out of, what you're going to be included in. It is a big part of the job, more than I

think a lot of us ever really acknowledged for a long time, but it's there. Yeah, it's a great point, I mean the buddy... but that we can turn on the charm and, you know, be brownie with a male spokesperson in a way that it's not really... just preparing a parody, like they call it a parody, like the joke. Okay, experience as a male reporter? Well, I think what Lily said really hit home about the drink buying situation, where you could, oh yeah, I'm buying, you know, let's talk, let's chat, and people don't give it a second thought, or it's a different dynamic there. Yeah, what

Kim just said really resonated too, about the ability of male reporters to just kind of get chummy and, you know, I don't know what the right analogy is, but talk sports and, you know, just be, you know, about trying to relate from a guy perspective. And then, is there anything else in particular you're looking for? No, it's okay. I mean, I'm not sure how helpful this comment is, but some sources... because, I mean, when we're doing a piece we will work in a team, of course, there are editors, there are journalists as well, multiple people are behind every story. I can't say exactly the story right now, but

there is a female protagonist who is a victim of some sort of abuse and things like that, and it was better that we hired a female photographer for that very particular context, and that's just something that is more appropriate for the story, easier to handle, and it just would feel very strange if I turned up. So as bad as this is, delegating that work to someone more capable enables... I would say also that we're trying to write more about these kinds of issues, and as a male reporter you want to be very thoughtful about it, so I ask female friends, reporters, researchers for advice on how to start, you know, talking about those

things and not come off as a woke dude or an insensitive dude or whatever the vibe you don't want to give off is. And for the same reason, like, when I spent a little time freelancing in West Africa, I did a story on the LGBT community in Côte d'Ivoire, where I was living, and I'm not gay, not from Côte d'Ivoire, so those are two things I had to take a long time to try to understand and think in a different way about before I asked a question or opened my mouth. So I guess that's why I don't have a lot of... like, I'm trying to think more about it, and I think you

know what my co-panelists said today is actually helpful for my thought process. I just also want to add, sorry, before we move on, I can't speak to it myself, but I just want to say that, you know, trans and non-binary folks in the community and reporters all face a lot of challenges as well, and I think do a lot of important work trying to open up all of this and, you know, change the paradigm. So we have just about four minutes left. Okay, thanks for presenting. The recent news on VLC and the follow-on fixes to the media player and the follow-on reporting and some exposure, I think, of some assumptions around what type of vetting

maybe MITRE and the CVE program is actually doing before they release CVEs. Are there any lessons learned on y'all's end as far as, like, do you fact check these reporting systems, are you assuming that the CVEs are vetted by MITRE, which I guess it wasn't, perhaps, as much as we think? Thank you. So I'm not familiar with that particular case, I don't know if you are, but I will say of course we've met things of that nature, the CVE scoring is an ongoing debate in the community, but I tend to come to those pages last, like I kind of only look at it when I'm going to pull the link or if I want to check against

other materials that I've gathered or something. I don't know, maybe I shouldn't admit that, or maybe that's just me or something, but I don't find that I really heavily rely on that stuff, because it's always coming from checking with sourcing or, you know, cross-referencing or something. So when you're talking about the CVSS score, the severity of the vulnerability, I don't, I mean the scale is very hit or miss. Yeah, so what I do is just ask people who would know, how serious is this, I mean is that score indicative of it, so it's more of a... it's not a mathematical thing. And in terms of describing the severity of a

vulnerability in a story, just super briefly, yeah, it highlights the importance of fact-checking, no journalist likes to screw up. One I had was just in the wake of WannaCry, some two independent researchers spoke to me, they're not affiliated with each other at all, and they both said a version of WannaCry without the kill switch. So I heard from one very reputable cyber security company, Kaspersky, and then go to another researcher who's independently discovered it, that looks like a story. Turns out it was wrong and we had to retract the story, and that is unfortunate. Ultimately it falls down to the journalist, who has to bear responsibility for them. Yeah, you've got two different people saying the same

thing. I thought very drunk off because it sucks, right, the journalist really has to be sure. We should probably just, I mean I know we didn't have time, and you've got a question, but the Bloomberg thing, you know, when you're all leaving. But yeah, I mean they say that they have 18 sources, we don't know who those sources are, so it's hard for us on the outside to weigh those and say, are they 18 bad sources or are, you know, many of them actually good? And so the journalists aren't really responsible for that, I don't know, we don't have enough information to go on that. But if you solidly have 18 sources

saying a thing, I mean you had only two, but there's a point you reach where you say, okay, I vetted this enough and I've got to publish, and even then you can be wrong. So I'm not saying Bloomberg did that, but yes. All right, there's a lot of pictures to the room to keep going, so since we can go a little bit long, because we don't have somebody immediately after you, but um, since this is the I Am The Cavalry track and we are focused on public safety, human life, I want to shift back maybe somewhere in that vicinity. We like to say we want to raise the alarm without being alarmist, because we don't want to scare

people away from life-saving medical devices; we also don't want blind faith and trust in things that are indefensible and insecure. But there's that old paradigm that we've all been told, if it bleeds it leads, right, one of the axioms of coverage, even if it's not you it might be your editor, it's fair, right, if it bleeds it leads. So what's the right tension for us to carry around as we pitch stories or approach you, so that we can have one of those things that catalyzes investigation and corrective action without being hyperbolic? It's kind of building on the question in the back, but also there's a different trend where, you know, so it's gonna sound like a departure but I'm

gonna triangulate. I probably know about a hundred forever days that people tell me as their confessional during DEF CON. These are old school hackers, they'll grab me at DEF CON, they'll say, I found this thing, I can't tell anyone, it'll never get fixed and a lot of people will get hurt. But now I'm seeing it's kind of like a business strategy to come up with a forever day and drop them to get coverage because sensationalist. So how do we navigate your motivational structure and your editors with the Cavalry mission to raise the alarm without being an alarmist, when there seems to be a trend maybe towards more people dropping very serious, or easy-to, critical, unpatchable forever days and

getting a lot of reward for that. So how do we do our job and our mission in this room in light of the other motives? Excellent question. I think during the prep call you were talking, and good, about that, and you want to start, like, disclosure basically, and the process, did you have something that... I guess I'm drawing a complete blank. Just to clarify those, to me, to thank you guys: forever days, like, whether it's an older school, uh, oh, they'll take those to their grave, right, it's not about full disclosure, they just have decided those things are too risky, it only advantages adversaries. But now that that's softening, like, it's an excellent question. I think the challenge

for us as journalists and media is maybe if one of us passes on it and says, oh well... first of all, none of us want to be in the business of trafficking in FUD, and the ultimate allegation against, you know, a journalist, but not the ultimate one, but at the same time, if somebody comes to me with a vulnerability in life-dependent medical equipment and I think, well, that's scary but that seems overblown and scary to try to get clicks, and then I don't write about it and somebody else from a reputable publication writes about it, and then somebody else, there's a cascade, like, well, why didn't I write about that, and

you know, maybe we were satisfied with our ethical decision, we feel good about ourselves, but there is a bit of a herd mentality in the way people approach that. The only other thing I would say about sort of balancing between motivating and scaring is the headlines are really hard, and we often don't write those, and how do you get people... Kim was talking about this in the prep, there's so many boring headlines that you throw away because they're like, well, why would anyone read them, they're the same. So yeah, there's so much tension wrapped up into that, and I think you're right, there is a bigger tendency these days of

people to want to get that information out there for whatever their motivation is, people that won't take the forever days to their grave, and so we need that's more than ever... it's going to be more challenging to cover medical security things, pacemakers, so people are like, oh crap, you know, look at this big recall. That's why I like calling folks like you who, when we do see that information, how do we put it in context? Help me, first of all, help lend credibility to what I'm writing about by including a quote from a credible med-sec expert, but also, like, ground it, you know, the headline is gonna scream something, but ground it a little, something high up in the story

where you're like, okay, well, you know, here's how to fix it or whatever. That's one of the things we were talking about in the prep call, that impression that people are just publishing stories to get clicks, and, you know, you see that all the time on Twitter when people say that, and yes, there are publications that do that, that are in the business of getting clicks, but when you're writing a story and you're going over the headline, I mean the editors that I work with, we collaborate on the headline, they will put some samples, some suggestions, and then I yay or nay and we tweak them until we come up with a headline that I feel is

representative of the story. That isn't always the case, I've worked with editors that really don't care, I've worked in places where you have someone who's not a journalist putting the headline on stories, and so you really have to weigh that, at every outlet it's all different. But in terms of what we were talking about in the call about the clicks and stuff, you want people to read the story, you don't want a boring headline or a headline that doesn't quite get the gist of it, and so you are balancing that between not making it sensational but also, exactly, wanting readers to actually get the information. So, and in terms of forever

days, I think it is to Josh's point that journalists are just trying to manage whatever's going on. So if people are taking those to their grave, that's probably not the type of thing that a journalist would actively dig into and try to get the story on and try to reveal, but if it's going to come out anyway, if someone has decided that they're going to release it, then it becomes the thing that's more like what Sean was saying, of, well, do I want to do it myself and try to make sure it's done right in a controlled way, or do I want to, you know, leave it to others because, you know, I don't want

to participate in it. So you need to make that decision, and at the point where something's going to come out, that's the point where then we as a society are going to be forced to reckon with the truth of this thing or the reality of this vulnerability or this situation whether we want to or not, so then journalists are kind of needed again to give people as much information as we can about that so that we can try to figure out something to do about that situation. And the last thing I'll say quickly is just that because there is so much news all the time and there is so much fatigue, I've written a few stories

about what I felt were essentially forever days, where as I was hearing about it I was like, oh crap, this is never gonna get fixed, and, like, people didn't really read the story and didn't really care. And that doesn't mean, I mean people who want to know, know, and, you know, are on it, but it's like there's... I'm dealing with a lot of weird trends or sort of audience reactions to stuff that's really tough to manage, where you're like, well, I don't want to overhype it, but, like, this is a really big deal guys, and no one's reading this story, so, like, do you not care, you know, it's just really hard to manage

everybody's interests and where their attention is. I think we're just gonna go to the final words here, if you have any final parting words. My only final words: thanks for coming out, keep talking to us, keep opening up the dialogue. Of course we make mistakes, we're not up here trying to preach too much, you know, it's just about transparency and learning from each other.

[Applause]