«

»

Mar
10

2011

Vanity Fair reporter freak-out

Vanity Fair had an article about Stuxnet. Here’s some background information on this creative piece of embarrassment.

Vanity Fair’s writer Michael Joseph Gross visited us last year. I agreed to spend two days with him as I thought it could be helpful to spread the message about the threat posed by Stuxnet-inspired malware well behind technical publications. On his request, I explained Gross in detail what control systems are, how they are different from IT, and how Stuxnet works. He got a hands-on introduction to Siemens controllers, demonstrating the Siemens software’s behavior before and after infection on a real system, and explaining the meaning of the diagnostic output he saw. We explained sections of actual attack code and how we reverse engineer such code. I explained the difference between basic production control systems and digital safety systems, extending into instrumentation and control details. In addition to the technicalities I thoroughly briefed Gross on background topics that are essential for understanding Stuxnet, such as politics, timeline of events (starting in 2006), and insights on major stakeholders such as ICS-CERT and the vendor. On his request, I provided extensive interview prep material for his upcoming interviews, and provided contacts at INL and DoE. Also on his request, I arranged an interview for Gross with one of our clients (a global player in the steel industry) who had been infected with Stuxnet.

It seems like so much hardcore information was a little bit over Gross’ head, so he decided to focus more on me as a person. Why not. I don’t know, however, why he needed to portray me as a complete jerk, and did not hesitate to provide “evidence” that is totally absurd (who is really interested in my shoe wear?) and misleading by purpose. For example, Gross, who may be unfamiliar with the dress code for German consultants, began to show a bizarre interest for selected fashion items. He wants to hold my wrist watch, inspects it thoroughly and asks if it is a famous brand or particularly expensive. It is not. Then he grabs my tie (literally) and turns it around to see the brand label. It’s a no-name product, again. Next he inquires about my shirt. Again, a no-name product. (I’m happy that he didn’t want me to take it off to inspect the brand label.) I tell Gross that I don’t buy fashion by designer name. However next he draws the grand price. It happens that my shoes are from a well-known Italian designer. He follows his hot trace and asks which shoes I wore the day before, the ones with that particular structure, and asks about the material. I say, let me think… I believe it were the ostrich shoes. I see Gross’ face taking on a weird look as if I had said something obscene or if he had just experienced sudden intestinal problems, but don’t give it any significance. In his article, this bizarre episode reads: “My preference is for Dolce & Gabbana shoes,” he says. “Did you notice, yesterday I wore ostrich?”, turning reality completely around.

Gross writes that I had sleeping problems and that I couldn’t tell if I was a genius or crazy. Gross knows in which context these remarks were made, but he deliberately doesn’t tell. I did have severe sleeping problems during the first weeks of Stuxnet analysis because I was horrified about what I saw and just couldn’t find rest. The malicious controller code and the question what it was trying to do didn’t let me sleep. (If anybody is interested in it, I don’t have sleeping problems any longer.) The genius/paranoid thing goes back to the early days of Stuxnet research, when nobody saw what we were seeing. Those were the days when we published a step-to-step guide for fellow researchers to understand Stuxnet, along with a video capture of Wireshark traffic. Those were also the days when I had discovered the potential meaning of the project name Myrtus but did not publish it “because you would think I’m nuts”. We never even mentioned the Myrtus/Esther stuff in our blog because we don’t give it much significance. Gross knows all this, but decided not to tell in a story he wants the reader to believe is a character study of me. Gross also knows that attribution is something that concerns me least about Stuxnet, but suggests otherwise. His reporting that I googled “Iran” and “nuclear” is complete nonsense, and he knows it. He even has the Iranian target focus in writing from me, but it wouldn’t have matched with the picture he is trying to paint of me.

On the second evening of his visit we are sitting in a bar. It is clear that the interview is over, Gross had just talked me into ordering another drink, and we talk about personal stuff, mine and his; relationships, future plans etc. I mention that I think about moving to California someday. Gross goes then to great length in describing how beneficial his story will be for my career, asks if I would be willing to sign an exclusivity agreement etc. pp. I point out for the fifth or second time that the ONLY thing I’m interested in is to get out the message of the threat posed by Stuxnet-inspired malware and that I wouldn’t benefit from all the wonderful things he is going to write about me anyway because his paper isn’t even for sale on German news stands. I tell him again that I have no particular desire to be mentioned more than briefly in his story. He then switches to the topic of a portrait photo of me for the article. I confess that I’m a great admirer of Ann Leibowitz and for long had wanted her to portray me. So I say jokingly that the only benefit I could see for myself is to have Leibowitz take a crispy shot of me for the cover page, which could eventually one day even help in attracting American women (I’m single). Not even Gross can view me as so stupid to think I would actually believe to go on VF’s cover. Nevertheless, Gross writes: “Langner loves the attention that his theories have gotten. He is waiting, he says, for “an American chick,” preferably a blonde, and preferably from California, to notice his blog and ask him out.“ He says this about the person who researched the most technical facts on Stuxnet’s payload, in weeks of hard labor, who had told him verbatim more than once that he is NOT interested in getting attention. It is simply disgusting.

Now Vanity Fair does have some approach to quality control which they call “fact checking”. A “fact checker” contacts the sources to verify that all information is correct. Funny enough, the “fact checker” is not interested in checking the most blatant nonsense, but in fine-tuning information that supports the writer’s bias. Certainly their “fact checker” did not ask: Ralph, is it true that you write your blog to attract blonde Californian chicks? He will have known that my answer would have been “are you out of your mind?” Instead, the “fact checker” explores some background on a commercial computer program I had written as an undergraduate. Gross was very interested in this program. The “fact checker” asks if it is true that this program didn’t sell. No, it’s not, actually it was the all-time best selling software application in its niche. Reading this, Gross is no longer interested in this stuff and drops the subject. The “fact checker” also asks if I’m a centrifuge expert. Certainly I’m not, which is hardly surprising for anyone. However, Gross experienced how meticulously I researched the I&C and physics of potential Stuxnet targets when I talked him through the design documentation of a turbine protection system (at that time we were working on the Bushehr target theory) down to the details of 2oo3 wiring and logic. He knew that I discussed attack vectors with power plant engineers with on-site experience in Russian nuke plants. He knew I was working on the NPP target theory with one of the very few European engineers who actually designs turbine protection systems for power plants (I even invited Gross to visit him, but the expert wasn’t available that day). He also knows that for the centrifuges, I discuss technical issues with the best contacts one can wish for in this matter, ranging from centrifuge development and test engineers to the best nuclear scientists in the world, some with on-site experience in Natanz. So after going through “fact-checking”, here is what you read: “Langner admits that he is not a centrifuge expert, but says that he regularly speaks with such experts.” I believe it’s a safe bet to assume that the “fact checker” would have loved to get me on the record writing that I’m not a centrifuge expert, period.

Only an idiot does not learn from experience. So I will revise our media policy and will no longer accept interview requests in our office or interviews that focus on me as a person rather than on our work.

Ralph Langner