The NY Times fumbles Bluesnarfing at the Oscars
Has the New York Times fallen prey to the hysteria over
Bluesnarfing? John Markoff and Laura M. Holson have an article today about how one of the guys from Flexilis spent
the Academy Awards hanging out front trying to Bluesnarf celebs' phones. Purely for research purposes, of course, and
the piece makes it clear that they didn't actually "tap into" anyone's phones and grab any sensitive data.
Yes, using Bluetooth to grab sensitive data from a cellphone is possible, but the article is misleading from the very
first paragraph, saying that as many as "100 people who walked the red carpet had cellphones vulnerable to the kind of
privacy invasion that recently gained Ms. Hilton a new round of unwanted notoriety." This is incorrect.
Paris Hilton's cellphone, the T-Mobile Sidekick, doesn't
have Bluetooth, and isn't vulnerable to the "same kind of privacy invasion." You can split hairs and say that they're
talking about the taking of data itself, regardless of how it's accessed, as the privacy invasion, but then you might as
well talk about how Gmail or Hotmail is vulnerable to the same kind of privacy invasion if someone manages to hack into
your account.
They make it worse a little later in the piece when they write that 50 to 100 of the attendees had smart cellphones
whose contents - like those of Ms. Hilton's T-Mobile phone - could be electronically siphoned from their service
providers' central computers. Again, this is incorrect. The Sidekick stores its data on a central server, but very,
very few cellphones do this. Bluesnarfing a cellphone to grab its directory or whatever would not give you access to a
service provider's central computer.
Then, even more confusingly, they don't specify what percentage of these 50 to 100 handsets with Bluetooth that
Flexilis detected were in discoverable mode or not. This actually does make a big difference in how easy it is to grab
data off of a Bluetooth-enabled cellphone, and most handsets have discoverable mode disabled by default. Yes, it's
messy and the particulars can be difficult to explain, but you can't do a story about Bluetooth security without
talking about how Bluesnarfing is generally only possible under specific circumstances; discoverable mode, for starters,
is one of them. And yes, while it's possible to Bluesnarf without a phone being in discoverable mode, it's far, far
more difficult.
So rather than address any of the actual subtleties of what's going on or make a realistic assessment of the threat
(which exists, but by all accounts is actually pretty minimal), the Times decided to just accept at face value the
claims of a publicity-hungry security firm (remember, these companies literally have to scare up business) in order to
deliver a story about celebs and cellphone security that would somehow tie into what happened to Paris Hilton, and make
it sound like what happened to her could happen to anyone. Bluesnarfing is real, but eliding the differences between
Bluesnarfing and the hacking of Paris Hilton's Sidekick is not just irresponsible, it's ultimately counterproductive to
the entire discussion about cellphones, privacy, and security.

The inaccuracies in the NY Times are inexcusable to anyone that understands the technology, but unfortunately seem to be an inevitable side-effect of dumbing-down the detail for Joe Public (or over-hyping a story for effect).
You have, however, managed to contradict yourself:
"Bluesnarfing is only possible under specific circumstances...discoverable mode"
"it's possible to Bluesnarf without a phone being in discoverable mode"
Amen to that. People should be up in arms over what passes for science and technology journalism in the New York Times.
I edited to make that a little more clear, but you selectively quoted what I said.
The New York Times gets it wrong? Who would have thunk it!
What a dope. Then again, it's the NY Times.
Well critiqued, Peter! I agree completely!
Anyone remember John Markoff as the journalist who led the hype machine that helped place Kevin Mitnick in prison?
Amen!
I'm tired of journalists who don't do the research necessary before publishing incorrect information, particularly when it comes to Bluetooth Security.
It is a bit annoying when science and technology gets dumbed down in the media. However I do think you are right to be heavy on this particular article as it does go over the top a bit. hype hype hype
Haha, I read this article yesterday, and was VERY frustrated with how much stupidity and bullshitting and lack of research went in to (or didn't go in to) the article. I was thinking in my head most of the things you wrote down, but I don't have a blog, so good of somebody to actually respond to that article.
The NYTimes technology reporting is a joke. It's always behind the times, always gets important technical details wrong, and (worse yet) is read by thousands upon thousands of unsuspecting "intellectuals." Sigh. Thanks for taking them to task, Peter.
Has someone called them on it in a letter to the Editor?
Unless people keep the press honest, they'll just publish whatever it takes to sell papers.
Not to defend the Times or anything, because their tech coverage has always been pretty bad, but you know, a newspaper's first responsibility is to accurately report the news. It may seem like they did not do that in this case, but the news here is that a security firm "discovered" that a significant number of cellphones are vulnerable to hacks. Now, the security firm may be wrong, but it is not really solely the Times' responsibility to verify that. They are accurately reporting the news: that a security firm believes a lot of bluetooth phones owned by celebrities are insecure. Whether the security firm is wrong is not up to the Times to figure out, any more than it's up to the Times to figure out if Iran really is developing nukes, or if China really wants to invade Taiwan. Their job is to report, that's all.
I just get a little sick of the traditional news bashing that goes on all over the net sometimes. I mean it was right here on this site that I first saw suggestions that T-Mobile's servers themselves had been hacked when the Paris Hilton thing happened... only later was that corrected, when we learned it was just her password that had been compromised. Net journalism is not beholden to any higher standard of accuracy than traditional news media, that's for sure (just read half the stories Drudge comes up with for proof of that).
Not every article is a "research" piece, nor does every article have to be. All the Times is doing is reporting what this security firm told them - that's the news. They are completely up front about it too - it says right in the first paragraph: "According to a Los Angeles security consulting firm that went skulking outside the Academy Awards ceremony in Hollywood on Sunday..."
I'm sure the Times did enough research on this company to know that they're not a completely bogus company; that they are, in fact, a security firm. That makes the source good enough to quote. And they were apparently the only security firm standing outside the Oscars, so they are really the *only* quotable source.
Not to mention, how many outright press releases do you see parroted as "news" all over the net (including here)?
Jeff, the Times bungled basic facts in their story--I'm not disputing that they accurately reported the actions of Flexilis--and I think they have an obligation to get the technical facts of their articles correct, just like I do. They're doing a story about technology that makes basic factual errors about the technology they're discussing. This isn't about merely "reporting" what some company claims they did.
PS - I don't have any sort of grudge against the NY Times. I've actually written for them a few times, and it's the only newspaper I'll bother to read in its physical form. This isn't about bashing traditional media, I'd have written the same response no matter who had published this.
Jeff - Ask Dan Rather how important it is to verify the information you are reporting :)
re: 12 -
"They are accurately reporting the news: that a security firm believes a lot of bluetooth phones owned by celebrities are insecure. Whether the security firm is wrong is not up to the Times to figure out, any more than it's up to the Times to figure out if Iran really is developing nukes, or if China really wants to invade Taiwan."
that's b.s., and it's a wrong analogy. The Times isn't simply reporting what the security firm is saying or doing, it implicitly is putting its weight behind it. I as a lawyer have something to say about a lot of things. The Times won't cover my thoughts, unless it believes there really is an underlying concern or problem that underscores what I'm saying.
Secondly, it IS the Times' responsibility to check the basic facts. If the Times reports that some state official claims Iran has nukes b/c it's importing a lot of "platinum" for nuke manufacturing, or that China is planning to invade Taiwan by going through the "Bering" Strait, it has the responsibility to find out that this just ain't possible.
It's exactly the same kind of shoddy journalism and lack of fact-checking re: Iraq's WMD that the Times was forced to apologize for (e.g. Iraq importing "tubes"), etc. And I'm a Times subscriber, BTW.
It is unfair to say that this is a piece of shoddy journalism or that The New York Times didn't fact check. In Markoff's article a comparison was made between two mobile security situations that didn't clearly describe the differences between the two types of vulnerabilities. While it may be hard to determine what the author means by the same kind of privacy invasion, it's not hard to understand that no matter how a phone book is stolen from a mobile device, it is a pretty serious issue.
This is not hype. With increasing reports of vulnerabilities in mobile devices and service provider architectures, it's pretty clear that mobile service providers and cell phone manufacturers need to place a greater focus on security. Markoff makes note of this key issue in his article and it would be a shame to overlook this talking point because of an unclear and non-technical description of two different types of hacks.
Huh? You say that "in Markoff's article a comparison was made between two mobile security situations." There's no comparison whatsoever - read the article again. The author simply takes at face value the idea that Bluesnarfing leads to data being lifted off central computers, a la Paris Hilton's case.
And regarding fact-checking, as Peter mentioned (and suggest you read again), a bit of fact-checking would've shown 'em that Hilton's case could NOT have been done through Bluesnarfing. To not mention this is misleading and speaks of laziness - shoddy journalism is what I'd call it.
I think this is more a case of sloppy writing and editing as opposed to out-and-out bad tech journalism. Compared to most newspapers of its class and heritage, the NYT does an admirable job of keeping on top of the industry. David Pogue is a respected author and columnist, and his reviews are fair and well-researched.
In this case, the writing was not precise. Will this matter to the paper's mostly non-techie audience? Likely not: the issue will scare them, and digging deeper into the technical differences likely won't change that fact.
I think we need to understand who the audience is here, and what the paper is delivering to that audience. It's a decidedly different focus than, say, PC Magazine would take.
I'm not defending, opposing, or supporting any one perspective. Merely trying to show that there are many ways to look at this, and all are equally worthy of consideration.
Carmi
http://writteninc.blogspot.com
It is the basic facts that need to be known by any reader of the Times for them to actually know that the Paris Hilton incident is not possible by just having a guy standing there holding a phone.
Articles need not be dumbed down, leaving out the technical jargon. That's what the journalists do, they write up articles that inform the readers, not parroting off what someone is saying.
If the IQ situation is that serious over there, there's always diagrams or cute faced cartoons so as not to scare the readers. I don't know, but just a suggestion...
NY Times Correction: March 5, 2005, Saturday:
Because of an editing error, an article in The Arts on Wednesday about a security company's test of the vulnerability of cellphones to privacy invasion at the Oscar ceremony on Sunday made an erroneous comparison to the recent hacking of Paris Hilton's phone. Data from that phone was obtained by someone who tapped her service provider's central computers. At the Oscars, the test conducted by the security company determined that data stored on as many as 100 phones carried by people who walked the red carpet could have been intercepted directly.