There’s been a lot of back and forth in the blogosphere this past week about the outing of a Dateline NBC reporter at Defcon, and some of the more interesting reaction has been among various journalists who covered the spectacle.
Some think the reporter deserved to be booted the way she was, while others think the affair was mishandled by Defcon organizers.
I fall into the latter camp, but before I explain why a little background is in order:
Michelle Madigan, a producer for Dateline NBC, decided to go undercover at the hacker gathering with a hidden video-camera to see if she could out an undercover federal agent at Defcon and make a story out of the perceived shady deeds that transpire there. Defcon organizers were tipped off to what she was up to and repeatedly asked her to get a press pass. She declined and was outed when Defcon organizer Jeff Moss decided to initiate a “spot the undercover reporter” game in the ballroom. Madigan fled the ballroom and walked briskly to her car with a gang of camera-toting journalists and other attendees in tow. A YouTube video of the Defcon-Madigan affair has gotten plenty of hits since then.
While all this was going on, I was at the Las Vegas airport waiting for the flight home from Black Hat. But I’ve since read a variety of perspectives from other journalists who were there.
CNET Senior Editor Robert Vamosi sympathized with Defcon’s organizers in his blog post:
“Defcon requires members of the press to sign a lengthy document barring the use of photography except when all parties within the shot agree,” he noted. “But Defcon, unlike Black Hat, uses anonymous badges, and even when, as a member of the press, I wanted to talk to someone, I would often learn only their alias, not their real names.”
That NBC’s Dateline showed up hoping to reward its audience with an image of a real hacker doing something illegal on camera is downright sleazy, Vamosi wrote, adding, “There are rules for the attending press, and they chose to flaunt them.”
He concluded: “NBC should realize that the real criminals are not at Black Hat or Defcon; they’re out making money in St. Petersburg, Russia; or in Guangdong province, China; or in Kansas. Maybe Dateline’s Madigan should take her pinhole cameras there instead.”
ZDNet blogger George Ou agreed, pointing out that Madigan was given every opportunity to get a press pass and get access to any of the speakers and attendees above board.”Even after the secret videotaping she was offered a chance cover the rest of the conference with an official press badge,” Ou wrote. “This is my second year covering Defcon and I’ve never had any problems getting photos or video from willing attendees and speakers but that’s not what Madigan was going after. She wanted to paint a picture that would shock ‘people in Kansas’ about Defcon and that’s not what Defcon is about. The Feds, press, and hacker community have built up a level of mutual trust at Defcon so that we have a place to talk openly and honestly. After taking an unofficial poll in the press room here, not one person appreciated Madigan’s antics.”
But fellow ZDNet blogger Ryan Naraine took the opposite view, saying he thought the whole affair was childish, over the top and just plain unnecessary.
“There’s the irony of underground hackers preaching about rules and trust. Please. What’s so criminal about going undercover to get a news story?” he asked. “Hackers at this conference take great pride in doing man-in-the-middle password hijacks for Wall of Sheep giggles. Defcon folks routinely commandeer Las Vegas television displays, ATM screens and hotel TV networks. Suddenly, OMG, a female TV reporter with a camera rigged into her handbag is a terrorist on wheels.”
Naraine noted that Defcon represents an entire subculture built on breaking rules, just as Madigan was trying to do. “This is an industry that celebrates the ignoring of EULAs, encourages social-engineering (pretexting) and basks in the glory of sticking it to the man,” he wrote. “Yes, law-breaking in the hacking world is romanticized.”
With that, he wondered if it was truly necessary for Moss to trigger a mob frenzy to get Madigan tossed from his conference. His conclusion is that it wasn’t.
Vamosi and Ou are right to take Madigan to task for trying to flaunt the rules they so diligently follow. The Defcon organizers had every right to kick her out for refusing a press badge.
But I’m with Naraine on the larger point that this was handled in a way that reeked of hypocrisy. It was silly for the Defcon folks to make the big public display, and I particularly disliked the way they set Madigan up for a media feeding frenzy.
It’s been well documented that reporters were, as Ou put it, “well briefed” on what was about to happen so they could cover it. All staffers had to do was take her aside and escort her out without a crowd of taunters in tow.
The reason the whole situation was wrong is that Black Hat and Defcon, in my opinion, are supposed to be about exposing security threats and giving IT security pros some defensive measures they can take back to their offices and use for the greater good.
True, a lot of the anonymity that goes with the territory, especially at Defcon, is designed to make researchers and government agents more comfortable and protected so a frank exchange of information can take place. But if the goal is to enlighten security pros about the dangers they face, spectacles like the Madigan affair are a distraction that keeps a lot of people from paying attention to some of the threats they are there to learn about.
About Security Blog Log: Senior News Writer Bill Brenner peruses security blogs each day to see what’s got the information security community buzzing. In this column he lists the weekly highlights. If you’d like to comment on the column or bring new security blogs to his attention, contact him at email@example.com.