Thursday, February 06, 2014

That NBC story 100% fraudulent

Yesterday (Feb 5 2014) On February 4th, NBC News ran a story claiming that if you bring your mobile phone or laptop to the Sochi Olympics, it'll immediately be hacked the moment you turn it on. The story was fabricated. The technical details relate to going to the Olympics in cyberspace (visiting websites), not going there in person and using their local WiFi.

The story shows Richard Engel "getting hacked" while in a cafe in Russia. It is wrong in every salient detail.
  1. They aren't in Sochi, but in Moscow, 1007 miles away.
  2. The "hack" happens because of the websites they visit (Olympic themed websites), not their physical location. The results would've been the same in America.
  3. The phone didn't "get" hacked; Richard Engel initiated the download of a hostile Android app onto his phone. [update here] and he had to disable the security on the phone to do it.

I had expected the story to be about the situation with WiFi in Sochi, such as man-in-the-middle attacks inserting the Blackhole toolkit into web pages exploiting the latest Flash 0day. But the story was nothing of the sort.

Instead, the hacking in the story was due to the hostility of Olympic-themed websites. The only increased danger from being in Russia is geolocation. Google uses your IP address to increase the rank of local sites, so you'll see more dodgy Russian sites in the results. You can disable this feature in your Google account settings.

Absolutely 0% of the story was about turning on a computer and connecting to a Sochi network. 100% of the story was about visiting websites remotely. Thus, the claim of the story that you'll get hacked immediately upon turning on your computers is fraudulent. The only thing that can be confirmed by the story is "don't let Richard Engel borrow your phone".

That leaves us with the same advice that we always give people:
  1. don't click on stuff
  2. patch your stuff (browser, Flash, PDF)
  3. get rid of the really bad stuff (Oracle's Java)
  4. don't click on stuff
  5. oh, and if you really are in Sochi, use VPN over the public WiFi

I gleaned these details from Kyle Wilhoit, the expert quoted in the story, and his Twitter feed. He's working on a blog with the full technical details. I'm sure it'll be great, with lots of details about what hackers can find with Maltego, the dangers of hostile websites, and so on -- the sort of great information totally lost in the nonsense that is the NBC story.

By the way, the easy way to figure out where journalists commit fraud is by watching for "passive voice". Journalists normally avoid passive voice, preferring stronger language. But when they need to hide things, they use passive voice to cover up details. Saying "was hacked" covers up the fact that Richard Engel hacked himself by knowingly downloading a hostile Android app. In other words, active voice wouldn't have worked, because it would have required identifying who put the virus on the phone. He couldn't report that a "hacker put the virus on the phone" because the hacker didn't; Richard Engel did. He couldn't very well have reported, in the active voice, "I downloaded the virus". Thus the passive voice, "the phone was hacked", which avoids this inconvenient detail of who did what.

Some forums with lots of comments on this story:


  1. Anonymous 7:39 PM

    Can we PLEASE talk about the way he opens the MacBook Air box? What the hell is going on there?

  2. The only reason I watched the video was to see how he opened the MacBook Air. WTF? "BOX COMPLICATED. COMPUTER NOW."

  3. I was almost screaming at my PC when he was tearing at the box like a dog. Not cool at all.

  4. The box opening was hilariously NOT a reverential "unboxing" people who buy Apple products normally engage in. I immediately noticed it was a little aghast.

  5. In this case, you give Mr. Engel way too much credit. He doesn't use 'my phone was hacked' because he is trying to be deceptive. He says it because he doesn't know any better. The box opening didn't bother me, but it just underscores the point.

    The general press tends to get a fair bit wrong when reporting on technical matters.

    And I say all that as someone who likes the news and most of Mr. Engel's reporting.

    Cheers, Bill.

  6. >not going to their in person


  7. Thank you. The story as aired was so empty and useless. I kept looking in vain for the sense.

  8. These details interested me:

    He wanted the headline, all computers and phones will be hacked and quickly. BUT

    1) he took a PeeCee and a Mac, featured the Mac unboxing, and showed both computers, but he said that his computer (singular) was hacked in minutes, showing a PeeCee screen but never the Mac screen. The Expert said that "this computer in particular" (emphatic singular) was sending data to Russian servers. Then he said that both computers were hacked within 24 hours. The PeeCee in minutes, and both within 24 hours. Why wasn't the headline all about how much more quickly one type "got hacked" than the other?

    2) Did he forget to test the most popular and most talked-about electronic gadget on the planet? Or did the result of that test not fit his message? If he took a PeeCee and a Mac, surely he would have taken an Android and an iPhone. But we never saw or heard of an iPhone. Or, obvs, an iPhone getting hacked. Just the Samsung. And the headline idea was no device was safe.

  9. Kudos on actually knowing what passive voice is. However, you are still wrong on the motivation for it. Distribution of passive voice is governed by many factors, not just attribution of agency. One of these factors is how relevant the identification of the agent is and "was hacked" is one of those examples where the action (or rather its consequences) is much more relevant than the actor or the process. Other examples include "was found" and, most typically, "was fired". It is utterly irrelevant who did the firing, whether it was your manager or someone in HR, the only important thing is that you are now without a job. Same with "was hacked", perhaps doubly so, since most speakers of English have very little clue about the process of hacking.

  10. Regarding Engel's technique for opening the MBA box ... take a close look at Kyle Wilhoit's face as Engel is tearing the box apart. Wilhoit had amazing composure in not bursting out laughing.

    Also, if Wilhoit had already opened the MBA box (to set it up back in the USA), shouldn't the box have been relatively easy to open?

    I'd like to see how Engel opens a pizza box.

  11. Watched the "report". So he does a story on hacking, downloads some malware (even our children are warned not to do that)-- then OMG i been hacked... so many backdoor holes in this story ....

  12. Clearly the Russians had already hacked the MBA box making it difficult for Engel to open in an elegant fashion. This left only one option, Engel employed a brute-force technique to liberate the MBA.

  13. In Sochi Russia, Box Hacks You

  14. ↓↓↓↓↓↓↓↓↓

  15. NBC needs to post a retraction publicly on-air.

    I remember when journalists used to do research on their news reporting, this was a joke and a lie.

    Brian Williams and his team need to go back to busting pedophiles on his old show if he is going to do sensationalism news reports.

  16. Shorter NBC:
    In Soviet Russia, new technology unbox you!!

  17. the box wuz hacked!

  18. This comment has been removed by a blog administrator.

  19. Can someone explain to me why I need to remove Oracle's Java? Is it a joke? Is it due to a security hole found in Java 7?

    1. Anonymous 7:30 PM

      This comment has been removed by the author.

    2. Author suggests removing Oracle, someone tries to explain why, author removes explanation. But seriously, why should I remove Java? I hope someone can clarify.

  20. This comment has been removed by the author.

  21. This comment has been removed by the author.

  22. Mike, you don't necessarily need to remove java, but the java web start part of it. It has proven to be massively vulnerable to attack.

  23. That is why people with no IT knowledge should not write such posts/news. It scares normal people. Clicking every button on every page loading in the browser will always lead to a bad situation... you do not have to be an IT expert to know this.

  24. This comment has been removed by a blog administrator.

