public
Last active

  • Download Gist
gistfile1.txt
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128
Mar, 10 2011
 
Vanity Fair reporter freak-out
Vanity Fair had an article about Stuxnet. Here’s some background information on
this creative piece of embarrassment.
 
Vanity Fair’s writer Michael Joseph Gross visited us last year. I agreed to
spend two days with him as I thought it could be helpful to spread the message
about the threat posed by Stuxnet-inspired malware well behind technical
publications. On his request, I explained Gross in detail what control systems
are, how they are different from IT, and how Stuxnet works. He got a hands-on
introduction to Siemens controllers, demonstrating the Siemens software’s
behavior before and after infection on a real system, and explaining the
meaning of the diagnostic output he saw. We explained sections of actual attack
code and how we reverse engineer such code. I explained the difference between
basic production control systems and digital safety systems, extending into
instrumentation and control details. In addition to the technicalities I
thoroughly briefed Gross on background topics that are essential for
understanding Stuxnet, such as politics, timeline of events (starting in 2006),
and insights on major stakeholders such as ICS-CERT and the vendor. On his
request, I provided extensive interview prep material for his upcoming
interviews, and provided contacts at INL and DoE. Also on his request, I
arranged an interview for Gross with one of our clients (a global player in the
steel industry) who had been infected with Stuxnet.
 
It seems like so much hardcore information was a little bit over Gross’ head,
so he decided to focus more on me as a person. Why not. I don’t know, however,
why he needed to portray me as a complete jerk, and did not hesitate to provide
“evidence” that is totally absurd (who is really interested in my shoe wear?)
and misleading by purpose. For example, Gross, who may be unfamiliar with the
dress code for German consultants, began to show a bizarre interest for
selected fashion items. He wants to hold my wrist watch, inspects it thoroughly
and asks if it is a famous brand or particularly expensive. It is not. Then he
grabs my tie (literally) and turns it around to see the brand label. It’s a
no-name product, again. Next he inquires about my shirt. Again, a no-name
product. (I’m happy that he didn’t want me to take it off to inspect the brand
label.) I tell Gross that I don’t buy fashion by designer name. However next he
draws the grand price. It happens that my shoes are from a well-known Italian
designer. He follows his hot trace and asks which shoes I wore the day before,
the ones with that particular structure, and asks about the material. I say,
let me think… I believe it were the ostrich shoes. I see Gross’ face taking on
a weird look as if I had said something obscene or if he had just experienced
sudden intestinal problems, but don’t give it any significance. In his article,
this bizarre episode reads: “My preference is for Dolce & Gabbana shoes,” he
says. “Did you notice, yesterday I wore ostrich?”, turning reality completely
around.
 
Gross writes that I had sleeping problems and that I couldn’t tell if I was a
genius or crazy. Gross knows in which context these remarks were made, but he
deliberately doesn’t tell. I did have severe sleeping problems during the first
weeks of Stuxnet analysis because I was horrified about what I saw and just
couldn’t find rest. The malicious controller code and the question what it was
trying to do didn’t let me sleep. (If anybody is interested in it, I don’t have
sleeping problems any longer.) The genius/paranoid thing goes back to the early
days of Stuxnet research, when nobody saw what we were seeing. Those were the
days when we published a step-to-step guide for fellow researchers to
understand Stuxnet, along with a video capture of Wireshark traffic. Those were
also the days when I had discovered the potential meaning of the project name
Myrtus but did not publish it “because you would think I’m nuts”. We never even
mentioned the Myrtus/Esther stuff in our blog because we don’t give it much
significance. Gross knows all this, but decided not to tell in a story he wants
the reader to believe is a character study of me. Gross also knows that
attribution is something that concerns me least about Stuxnet, but suggests
otherwise. His reporting that I googled “Iran” and “nuclear” is complete
nonsense, and he knows it. He even has the Iranian target focus in writing from
me, but it wouldn’t have matched with the picture he is trying to paint of me.
 
On the second evening of his visit we are sitting in a bar. It is clear that
the interview is over, Gross had just talked me into ordering another drink,
and we talk about personal stuff, mine and his; relationships, future plans
etc. I mention that I think about moving to California someday. Gross goes then
to great length in describing how beneficial his story will be for my career,
asks if I would be willing to sign an exclusivity agreement etc. pp. I point
out for the fifth or second time that the ONLY thing I’m interested in is to
get out the message of the threat posed by Stuxnet-inspired malware and that I
wouldn’t benefit from all the wonderful things he is going to write about me
anyway because his paper isn’t even for sale on German news stands. I tell him
again that I have no particular desire to be mentioned more than briefly in his
story. He then switches to the topic of a portrait photo of me for the article.
I confess that I’m a great admirer of Ann Leibowitz and for long had wanted her
to portray me. So I say jokingly that the only benefit I could see for myself
is to have Leibowitz take a crispy shot of me for the cover page, which could
eventually one day even help in attracting American women (I’m single). Not
even Gross can view me as so stupid to think I would actually believe to go on
VF’s cover. Nevertheless, Gross writes: “Langner loves the attention that his
theories have gotten. He is waiting, he says, for “an American chick,”
preferably a blonde, and preferably from California, to notice his blog and ask
him out.“ He says this about the person who researched the most technical facts
on Stuxnet’s payload, in weeks of hard labor, who had told him verbatim more
than once that he is NOT interested in getting attention. It is simply
disgusting.
 
Now Vanity Fair does have some approach to quality control which they call
“fact checking”. A “fact checker” contacts the sources to verify that all
information is correct. Funny enough, the “fact checker” is not interested in
checking the most blatant nonsense, but in fine-tuning information that
supports the writer’s bias. Certainly their “fact checker” did not ask: Ralph,
is it true that you write your blog to attract blonde Californian chicks? He
will have known that my answer would have been “are you out of your mind?”
Instead, the “fact checker” explores some background on a commercial computer
program I had written as an undergraduate. Gross was very interested in this
program. The “fact checker” asks if it is true that this program didn’t sell.
No, it’s not, actually it was the all-time best selling software application in
its niche. Reading this, Gross is no longer interested in this stuff and drops
the subject. The “fact checker” also asks if I’m a centrifuge expert. Certainly
I’m not, which is hardly surprising for anyone. However, Gross experienced how
meticulously I researched the I&C and physics of potential Stuxnet targets when
I talked him through the design documentation of a turbine protection system
(at that time we were working on the Bushehr target theory) down to the details
of 2oo3 wiring and logic. He knew that I discussed attack vectors with power
plant engineers with on-site experience in Russian nuke plants. He knew I was
working on the NPP target theory with one of the very few European engineers
who actually designs turbine protection systems for power plants (I even
invited Gross to visit him, but the expert wasn’t available that day). He also
knows that for the centrifuges, I discuss technical issues with the best
contacts one can wish for in this matter, ranging from centrifuge development
and test engineers to the best nuclear scientists in the world, some with
on-site experience in Natanz. So after going through “fact-checking”, here is
what you read: “Langner admits that he is not a centrifuge expert, but says
that he regularly speaks with such experts.” I believe it’s a safe bet to
assume that the “fact checker” would have loved to get me on the record writing
that I’m not a centrifuge expert, period.
 
Only an idiot does not learn from experience. So I will revise our media policy
and will no longer accept interview requests in our office or interviews that
focus on me as a person rather than on our work.
 
Ralph Langner

Please sign in to comment on this gist.

Something went wrong with that request. Please try again.