The story of a possible prank

In 2011 a security researcher pulled – what I believe was – a prank on a well-known org. He made them publish a paper with an appendix containing nonsensical data. I reported this to the org in 2012 as soon as I discovered it. I was actually flabbergasted at that time that someone could be bold enough to pull the org’s leg this way (risking both the author’s and the org’s credibility), but it was still 2 months before the infamous Nmap Guide made it to the news and trolling security orgs became the norm.

I forgot about it for a long time, but recently it came back to me & I checked the web site of the org to see if they pulled the paper – the paper is still there – 3+ years after I reported it – the goofy appendix is of course there as well.

I must emphasize that I do not have proof that it is a prank, but the nonsensical information included in the paper cannot be a result of a typo, or an accident; it looks like someone deliberately made stuff up. Of course, if it is just a result of the author’s ignorance or it was the intern who wrote that, it would make for even more lulz.

I don’t want to mention the gory details for many reasons. Thanks for understanding.

I do want to mention though 2 interesting side-effects of this paper being published:

  • The information was copied to other blogs (not too many, but always).
  • Based on the information in this paper someone created IDS signatures – talk about quality & tests

You may be wondering why I am posting such vague info at all.

It’s simple: question everything you read.

I personally make tons of mistakes. I sometimes read some of my older posts and I find bugs. Not only typos, but actual logical bugs that make me really ashamed. I don’t like to be wrong, I really don’t, but if I am the only one finding out then what about the poor guys who believed it then and believe it now?

There is a certain responsibility of a writer, a researcher to ensure the quality of the writing is at the appropriate level. But it is impossible if there is no feedback. Especially the critical one.

To a certain extent I can understand the frustration of HC when he insists on receiving feedback from readers. Seeing people retweeting, but not reading can be certainly disheartening. In my opinion expectations of a blog writer should be very low here, and it keeps me sane writing & babbling anytime I feel like – at a certain level I don’t even care – these are more my notes that I feel may be interesting to share, less my interest or a will to change the world (we all die; I am great at parties 🙂 ).

BUT

But if there is one thing that I care about, it is accuracy. If I make a mistake and no one tells me, it really sucks. And the fact is that most people don’t even bother to read in-depth anymore. Everything is ‘just in time’ – you only read stuff when you need it. I do it all the time. Skimming is a necessity. And this is fine, as long as the stuff you read is correct.

But it rarely is 100%.

So if you read this – please read whatever you read with an assumption that what you read may not be 100% right. It is especially important with materials endorsed by orgs. Like everyone who got their hands dirty & sinned by publishing – they sometimes publish bad quality stuff. Only those who don’t do anything make no mistakes at all.

Keep your eyes open.