This is a bit of a break from my usual writing style.
I typically like to stay oriented upon descriptions of hardware and software subjects, or a real-world security issue. But this is a very real problem, and one that I feel strongly about. I wouldn’t go so far as to call myself a proper journalist, I have far too much respect for the title. I do however read many articles by a multitude of other publications every day, and the trends I have observed, I find disturbing.
There is an old concept in U.S. journalism, known as “yellow Journalism”. This is to refer to writing that is exaggerated, unprofessional, or at its worst, directly dishonest. It comes from the days of print newspapers, and would often refer to print publication that used bold headlines, flashy color and garish layouts to sell copies off of print stands. The business of selling newspapers could be a tenuous one, and keeping your readers engaged was of utmost importance.
I have to draw a few parallels to our modern internet version of journalism. Revenue sources on the internet post 2000 mostly rely on ad revenue. Subscription models are not terribly common compared to this, and can have varying levels of success. Traffic is the keyword to discuss when talking about making a business out of the internet. If you can draw more people to your site, you make money.
If you can keep them there, you make even more money.
The things that grab the most attention are Fear, Uncertainty, Doubt, and if you can swing it, Anger.
It has been a few years since I was introduced to the concept of using F.U.D. as a sales strategy. This was something a sales person had instructed me about using when trying to close sales of technical products. I cannot say I personally find that mantra to be ethical, morally sound, or the proper way to conduct business.
These core concepts become especially pronounced when discussing technical security in writing. It becomes a show to see who can report on the most frightening and mysterious “dark web hackers”. Every breach becomes a catastrophe, every leak a parade of media sensationalist writing.
I can appreciate the outline @Professor_Plum gave in his Defcon 25 talk, entitled “Digital Vengeance” when he pointed out the issue with calling every cyber attack “sophisticated”. It seems to be laced into every journalistic offering on a cyber-security related topic. It’s one of many buzz-words writers like to toss in to gain a grip on their readers. Because fear, uncertainty, and doubt sell.
Link to Professor_Plum’s talk about remote access tools(RATS)
All this alarmist style of reporting does is whip people into a frenzy, without giving them a solid course of action to follow. It isn’t based in logic, common sense, or anything related to how computing works in the real world. Modern journalism seems to be incredibly bad at covering anything remotely technical. Whether it is yet another article about the dangers of wireless devices, nonsense about the latest consumer widget or gadget, or a poorly written “hacker expose” featuring a high schooler in a hoodie, journalists and reporters seem to routinely miss the point.
Technology isn’t inherently good, or inherently bad. It is only a more advanced tool. Now that it is a commonly used tool, we have a responsibility as engineers, ethical hackers, security researchers, and journalists, to make sure that what we tell people is factually accurate, responsible, and in a format people can understand.
There are far more common, more sensible things we can tell people to start doing to be more secure. It won’t attract as much traffic as publicizing the latest widespread security mistake, or spreading fear about state-run attack campaigns. But it is more important.