“We Should All Step Back from Security Journalism” after Barrett Brown. “I’ll Go First.”


#1



#2

Americans are perfectly comfortable talking about political prisoners and their various causes, up until we get to our own shores. At that point you’ll see all kinds of semantic tap dancing, because as long as there are elections, we must call it a democracy. (And why would any democracy need to imprison journalists?)


#3

The Internet is not the USA and the USA is not the world (understandably a thing often forgotten by many Americans), and the US laws aren’t world laws regardless of how much they would wish to be.

Can the jurisdiction difference be leveraged here? Possibly including taking advantage of geopolitical tensions? Regardless of how much it makes a Texas prosecutor hopping-mad, he is rather unlikely to get a Russian journalist/fact-checker/consultant extradited.


#4

i am torn about this. on the one hand i handle sensitive, hacked intel every single day so this ruling is relevant to my livelihood. on the other, you don’t. post. links. to. CC’s. you do one to four things–contact the webhost, contact the issuer, contact the customer, contact the FBI. in that order.

financial and PII data is not the same as exposing bugs or zero days. and it is trivial to mask PII if you feel the need to release it to prove a point. however the sentence here is reeee-diculous–all Barrett really needed was perhaps outpatient rehab and community service.


#5

So only Russian journalists can effectively criticize the American government’s security apparatus and vice-versa? I tend to think that’s a problem in itself, more than a solution. If we’re really at that point, the solution involves burning something to the ground.


#6

Yup. We gots us plenty of jailed dissidents now.


#7

that is where i disagree with quinn–journalists should expose more security failures, not less. this is really just about ethics in… oh crap :smiley:


#8

It is not a solution. It is a workaround, and a poor one, but it is on the table as an option.

Attacking the root of the problem is preferable but more long-term. Deployment of long-term strategy together with immediate workarounds is the must-do here.

I agree. Flamethrowers set to BURN!


#9


#10

The issue of reporting on something that you’re too close to is a problem that is a hard one to manage. I don’t have a good technique for addressing this issue. When I’ve been in that situation I’m burdened with guilt for not letting the public know about the evil that is being done, but on the other hand I feel like I’m stabbing my co-workers and friends in the back. Part of the problem is that when I sign-on to do a duty for an agency I go in 100%, but I retain my humanity and sense of justice no matter what. These two things do create a cognitive dissonance that is quite uncomfortable. I have no easy answer.


#11

I will admit I have not followed Barrett Brown closely but scanning a few linked articles from the piece above, it reads a little bit like death by cop to me. This guy said he was going after an FBI agent’s family on YouTube? Proclaimed himself the Voice of Anonymous? Posted public links to credit card info?

I dunno.


#12

We ran out of The Perfect Heroes.
We have to make do with the imperfect ones now.


#13

of course barrett brown didn’t post a link to CC’s, he posted a link to a large cache of information stolen from a defense contractor in order to solicit help in analyzing its contents - meaning he didn’t know everything that was in it.

he also wasn’t the one who posted the actual cache. in order for him to have masked out the PII as you suggest he would have had to post his own copy of the cache (which frankly sounds even more legally tenuous than posting a link to something someone else put online) but only after doing a preliminary analysis of its contents himself in order to determine if there was PII in it and mask any that was found.

and frankly, who expects credit card numbers in a cache of data from a defense contractor? does the government pay by mastercard? i wouldn’t have expected their products/services would be something you could put on your credit card.


#14

Seriously, if you can’t take the literal minute to do a regex search for cc/SSN in stolen data, don’t link to it in public! This is basic, basic due diligence. And failing this kind of diligence means more people have the pleasure of credit monitoring, new cards, and calling their bank when they are in a different country.

The sentence is way out of line, and the linking shouldn’t be criminal. But when in doubt, actually read your stolen data.


#15

you make it sound like it was a simple text file one could easily perform a search on. i have a feeling that if that were the case, brown wouldn’t have needed to solicit help analyzing the data.


#16

Le sigh. If you want to be treated professionally, act professional. The file format doesn’t enter into it. Decode the PDFs. OCR the images. Read the data with your eyes. And if a person doesn’t know how to do those things then there are people in the community that do.

And this is not an academic debate. As a researcher or security journalist this is part of your job description.


#17

it really seems like people want to conflate posting the information itself with simply copying a link to it into an IRC chatroom. the damage had already been done by someone else before barrett brown came along. someone other than barrett brown put the cache of documents online. he simply pointed to it and asked for help analyzing its contents.

in order to point at a scrubbed copy of the cache he would have had to first produce a scrubbed copy (which takes time and resources that, as an independent journalist, he may not have had) and then put that copy of the cache online (which as previously mentioned is even MORE legally dubious than sharing a link).

and it’s not like he published the link in a story or anywhere else on the web that made it easier for people to find the cache - he shared the link in an IRC chatroom. only the people who were in the chatroom would have seen it.

edited to add: in fact, boingboing themselves have publicly linked to the docs, and they’ve done so on the web. i don’t see you bemoaning their actions.


#18

Do you expect them to pay in cash? There are only a few options and checks are on their way out.


#19

Bitcoins?
[ducks and covers]

(Really, BTC have no issues with leaked user databases, unlike credit cards.)


#20

not physical cash, but certainly actual money rather than credit. maybe transfer the funds into the contractor’s account.