llimllib/gist:989727

## gistfile1.txt
Mar, 10 2011

Vanity Fair reporter freak-out
Vanity Fair had an article about Stuxnet. Here’s some background information on
this creative piece of embarrassment.

Vanity Fair’s writer Michael Joseph Gross visited us last year. I agreed to
spend two days with him as I thought it could be helpful to spread the message
about the threat posed by Stuxnet-inspired malware well behind technical
publications. On his request, I explained Gross in detail what control systems
are, how they are different from IT, and how Stuxnet works. He got a hands-on
introduction to Siemens controllers, demonstrating the Siemens software’s
behavior before and after infection on a real system, and explaining the
meaning of the diagnostic output he saw. We explained sections of actual attack
code and how we reverse engineer such code. I explained the difference between
basic production control systems and digital safety systems, extending into
instrumentation and control details. In addition to the technicalities I
thoroughly briefed Gross on background topics that are essential for
understanding Stuxnet, such as politics, timeline of events (starting in 2006),
and insights on major stakeholders such as ICS-CERT and the vendor. On his
request, I provided extensive interview prep material for his upcoming
interviews, and provided contacts at INL and DoE. Also on his request, I
arranged an interview for Gross with one of our clients (a global player in the
steel industry) who had been infected with Stuxnet.

It seems like so much hardcore information was a little bit over Gross’ head,
so he decided to focus more on me as a person. Why not. I don’t know, however,
why he needed to portray me as a complete jerk, and did not hesitate to provide
“evidence” that is totally absurd (who is really interested in my shoe wear?)
and misleading by purpose. For example, Gross, who may be unfamiliar with the
dress code for German consultants, began to show a bizarre interest for
selected fashion items. He wants to hold my wrist watch, inspects it thoroughly
and asks if it is a famous brand or particularly expensive. It is not. Then he
grabs my tie (literally) and turns it around to see the brand label. It’s a
no-name product, again. Next he inquires about my shirt. Again, a no-name
product. (I’m happy that he didn’t want me to take it off to inspect the brand
label.) I tell Gross that I don’t buy fashion by designer name. However next he
draws the grand price. It happens that my shoes are from a well-known Italian
designer. He follows his hot trace and asks which shoes I wore the day before,
the ones with that particular structure, and asks about the material. I say,
let me think… I believe it were the ostrich shoes. I see Gross’ face taking on
a weird look as if I had said something obscene or if he had just experienced
sudden intestinal problems, but don’t give it any significance. In his article,
this bizarre episode reads: “My preference is for Dolce & Gabbana shoes,” he
says. “Did you notice, yesterday I wore ostrich?”, turning reality completely
around.

Gross writes that I had sleeping problems and that I couldn’t tell if I was a
genius or crazy. Gross knows in which context these remarks were made, but he
deliberately doesn’t tell. I did have severe sleeping problems during the first
weeks of Stuxnet analysis because I was horrified about what I saw and just
couldn’t find rest. The malicious controller code and the question what it was
trying to do didn’t let me sleep. (If anybody is interested in it, I don’t have
sleeping problems any longer.) The genius/paranoid thing goes back to the early
days of Stuxnet research, when nobody saw what we were seeing. Those were the
days when we published a step-to-step guide for fellow researchers to
understand Stuxnet, along with a video capture of Wireshark traffic. Those were
also the days when I had discovered the potential meaning of the project name
Myrtus but did not publish it “because you would think I’m nuts”. We never even
mentioned the Myrtus/Esther stuff in our blog because we don’t give it much
significance. Gross knows all this, but decided not to tell in a story he wants
the reader to believe is a character study of me. Gross also knows that
attribution is something that concerns me least about Stuxnet, but suggests
otherwise. His reporting that I googled “Iran” and “nuclear” is complete
nonsense, and he knows it. He even has the Iranian target focus in writing from
me, but it wouldn’t have matched with the picture he is trying to paint of me.

On the second evening of his visit we are sitting in a bar. It is clear that
the interview is over, Gross had just talked me into ordering another drink,
and we talk about personal stuff, mine and his; relationships, future plans
etc. I mention that I think about moving to California someday. Gross goes then
to great length in describing how beneficial his story will be for my career,
asks if I would be willing to sign an exclusivity agreement etc. pp. I point
out for the fifth or second time that the ONLY thing I’m interested in is to
get out the message of the threat posed by Stuxnet-inspired malware and that I
wouldn’t benefit from all the wonderful things he is going to write about me
anyway because his paper isn’t even for sale on German news stands. I tell him
again that I have no particular desire to be mentioned more than briefly in his
story. He then switches to the topic of a portrait photo of me for the article.
I confess that I’m a great admirer of Ann Leibowitz and for long had wanted her
to portray me. So I say jokingly that the only benefit I could see for myself
is to have Leibowitz take a crispy shot of me for the cover page, which could
eventually one day even help in attracting American women (I’m single). Not
even Gross can view me as so stupid to think I would actually believe to go on
VF’s cover. Nevertheless, Gross writes: “Langner loves the attention that his
theories have gotten. He is waiting, he says, for “an American chick,”
preferably a blonde, and preferably from California, to notice his blog and ask
him out.“ He says this about the person who researched the most technical facts
on Stuxnet’s payload, in weeks of hard labor, who had told him verbatim more
than once that he is NOT interested in getting attention. It is simply
disgusting.

Now Vanity Fair does have some approach to quality control which they call
“fact checking”. A “fact checker” contacts the sources to verify that all
information is correct. Funny enough, the “fact checker” is not interested in
checking the most blatant nonsense, but in fine-tuning information that
supports the writer’s bias. Certainly their “fact checker” did not ask: Ralph,
is it true that you write your blog to attract blonde Californian chicks? He
will have known that my answer would have been “are you out of your mind?”
Instead, the “fact checker” explores some background on a commercial computer
program I had written as an undergraduate. Gross was very interested in this
program. The “fact checker” asks if it is true that this program didn’t sell.
No, it’s not, actually it was the all-time best selling software application in
its niche. Reading this, Gross is no longer interested in this stuff and drops
the subject. The “fact checker” also asks if I’m a centrifuge expert. Certainly
I’m not, which is hardly surprising for anyone. However, Gross experienced how
meticulously I researched the I&C and physics of potential Stuxnet targets when
I talked him through the design documentation of a turbine protection system
(at that time we were working on the Bushehr target theory) down to the details
of 2oo3 wiring and logic. He knew that I discussed attack vectors with power
plant engineers with on-site experience in Russian nuke plants. He knew I was
working on the NPP target theory with one of the very few European engineers
who actually designs turbine protection systems for power plants (I even
invited Gross to visit him, but the expert wasn’t available that day). He also
knows that for the centrifuges, I discuss technical issues with the best
contacts one can wish for in this matter, ranging from centrifuge development
and test engineers to the best nuclear scientists in the world, some with
on-site experience in Natanz. So after going through “fact-checking”, here is
what you read: “Langner admits that he is not a centrifuge expert, but says
that he regularly speaks with such experts.” I believe it’s a safe bet to
assume that the “fact checker” would have loved to get me on the record writing
that I’m not a centrifuge expert, period.

Only an idiot does not learn from experience. So I will revise our media policy
and will no longer accept interview requests in our office or interviews that
focus on me as a person rather than on our work.

Ralph Langner
	Mar, 10 2011

	Vanity Fair reporter freak-out
	Vanity Fair had an article about Stuxnet. Here’s some background information on
	this creative piece of embarrassment.

	Vanity Fair’s writer Michael Joseph Gross visited us last year. I agreed to
	spend two days with him as I thought it could be helpful to spread the message
	about the threat posed by Stuxnet-inspired malware well behind technical
	publications. On his request, I explained Gross in detail what control systems
	are, how they are different from IT, and how Stuxnet works. He got a hands-on
	introduction to Siemens controllers, demonstrating the Siemens software’s
	behavior before and after infection on a real system, and explaining the
	meaning of the diagnostic output he saw. We explained sections of actual attack
	code and how we reverse engineer such code. I explained the difference between
	basic production control systems and digital safety systems, extending into
	instrumentation and control details. In addition to the technicalities I
	thoroughly briefed Gross on background topics that are essential for
	understanding Stuxnet, such as politics, timeline of events (starting in 2006),
	and insights on major stakeholders such as ICS-CERT and the vendor. On his
	request, I provided extensive interview prep material for his upcoming
	interviews, and provided contacts at INL and DoE. Also on his request, I
	arranged an interview for Gross with one of our clients (a global player in the
	steel industry) who had been infected with Stuxnet.

	It seems like so much hardcore information was a little bit over Gross’ head,
	so he decided to focus more on me as a person. Why not. I don’t know, however,
	why he needed to portray me as a complete jerk, and did not hesitate to provide
	“evidence” that is totally absurd (who is really interested in my shoe wear?)
	and misleading by purpose. For example, Gross, who may be unfamiliar with the
	dress code for German consultants, began to show a bizarre interest for
	selected fashion items. He wants to hold my wrist watch, inspects it thoroughly
	and asks if it is a famous brand or particularly expensive. It is not. Then he
	grabs my tie (literally) and turns it around to see the brand label. It’s a
	no-name product, again. Next he inquires about my shirt. Again, a no-name
	product. (I’m happy that he didn’t want me to take it off to inspect the brand
	label.) I tell Gross that I don’t buy fashion by designer name. However next he
	draws the grand price. It happens that my shoes are from a well-known Italian
	designer. He follows his hot trace and asks which shoes I wore the day before,
	the ones with that particular structure, and asks about the material. I say,
	let me think… I believe it were the ostrich shoes. I see Gross’ face taking on
	a weird look as if I had said something obscene or if he had just experienced
	sudden intestinal problems, but don’t give it any significance. In his article,
	this bizarre episode reads: “My preference is for Dolce & Gabbana shoes,” he
	says. “Did you notice, yesterday I wore ostrich?”, turning reality completely
	around.

	Gross writes that I had sleeping problems and that I couldn’t tell if I was a
	genius or crazy. Gross knows in which context these remarks were made, but he
	deliberately doesn’t tell. I did have severe sleeping problems during the first
	weeks of Stuxnet analysis because I was horrified about what I saw and just
	couldn’t find rest. The malicious controller code and the question what it was
	trying to do didn’t let me sleep. (If anybody is interested in it, I don’t have
	sleeping problems any longer.) The genius/paranoid thing goes back to the early
	days of Stuxnet research, when nobody saw what we were seeing. Those were the
	days when we published a step-to-step guide for fellow researchers to
	understand Stuxnet, along with a video capture of Wireshark traffic. Those were
	also the days when I had discovered the potential meaning of the project name
	Myrtus but did not publish it “because you would think I’m nuts”. We never even
	mentioned the Myrtus/Esther stuff in our blog because we don’t give it much
	significance. Gross knows all this, but decided not to tell in a story he wants
	the reader to believe is a character study of me. Gross also knows that
	attribution is something that concerns me least about Stuxnet, but suggests
	otherwise. His reporting that I googled “Iran” and “nuclear” is complete
	nonsense, and he knows it. He even has the Iranian target focus in writing from
	me, but it wouldn’t have matched with the picture he is trying to paint of me.

	On the second evening of his visit we are sitting in a bar. It is clear that
	the interview is over, Gross had just talked me into ordering another drink,
	and we talk about personal stuff, mine and his; relationships, future plans
	etc. I mention that I think about moving to California someday. Gross goes then
	to great length in describing how beneficial his story will be for my career,
	asks if I would be willing to sign an exclusivity agreement etc. pp. I point
	out for the fifth or second time that the ONLY thing I’m interested in is to
	get out the message of the threat posed by Stuxnet-inspired malware and that I
	wouldn’t benefit from all the wonderful things he is going to write about me
	anyway because his paper isn’t even for sale on German news stands. I tell him
	again that I have no particular desire to be mentioned more than briefly in his
	story. He then switches to the topic of a portrait photo of me for the article.
	I confess that I’m a great admirer of Ann Leibowitz and for long had wanted her
	to portray me. So I say jokingly that the only benefit I could see for myself
	is to have Leibowitz take a crispy shot of me for the cover page, which could
	eventually one day even help in attracting American women (I’m single). Not
	even Gross can view me as so stupid to think I would actually believe to go on
	VF’s cover. Nevertheless, Gross writes: “Langner loves the attention that his
	theories have gotten. He is waiting, he says, for “an American chick,”
	preferably a blonde, and preferably from California, to notice his blog and ask
	him out.“ He says this about the person who researched the most technical facts
	on Stuxnet’s payload, in weeks of hard labor, who had told him verbatim more
	than once that he is NOT interested in getting attention. It is simply
	disgusting.

	Now Vanity Fair does have some approach to quality control which they call
	“fact checking”. A “fact checker” contacts the sources to verify that all
	information is correct. Funny enough, the “fact checker” is not interested in
	checking the most blatant nonsense, but in fine-tuning information that
	supports the writer’s bias. Certainly their “fact checker” did not ask: Ralph,
	is it true that you write your blog to attract blonde Californian chicks? He
	will have known that my answer would have been “are you out of your mind?”
	Instead, the “fact checker” explores some background on a commercial computer
	program I had written as an undergraduate. Gross was very interested in this
	program. The “fact checker” asks if it is true that this program didn’t sell.
	No, it’s not, actually it was the all-time best selling software application in
	its niche. Reading this, Gross is no longer interested in this stuff and drops
	the subject. The “fact checker” also asks if I’m a centrifuge expert. Certainly
	I’m not, which is hardly surprising for anyone. However, Gross experienced how
	meticulously I researched the I&C and physics of potential Stuxnet targets when
	I talked him through the design documentation of a turbine protection system
	(at that time we were working on the Bushehr target theory) down to the details
	of 2oo3 wiring and logic. He knew that I discussed attack vectors with power
	plant engineers with on-site experience in Russian nuke plants. He knew I was
	working on the NPP target theory with one of the very few European engineers
	who actually designs turbine protection systems for power plants (I even
	invited Gross to visit him, but the expert wasn’t available that day). He also
	knows that for the centrifuges, I discuss technical issues with the best
	contacts one can wish for in this matter, ranging from centrifuge development
	and test engineers to the best nuclear scientists in the world, some with
	on-site experience in Natanz. So after going through “fact-checking”, here is
	what you read: “Langner admits that he is not a centrifuge expert, but says
	that he regularly speaks with such experts.” I believe it’s a safe bet to
	assume that the “fact checker” would have loved to get me on the record writing
	that I’m not a centrifuge expert, period.

	Only an idiot does not learn from experience. So I will revise our media policy
	and will no longer accept interview requests in our office or interviews that
	focus on me as a person rather than on our work.

	Ralph Langner