The Cascade Effect
Today’s goal: deconstructing an example of the cascade effect (where a mistake by one outlet reverberates throughout the media ecosystem).
Note that total length today is well under half of Monday’s. I’m listening!
[EDIT: 08-06-21 - This was my third post from the summer of 2020 about the Twitter hack. Part 1, part 2. I’m coming back almost a year later to add a few footnotes, and to link this larger update / retrospective, which is hopefully the end of the series.]
About This Newsletter
The NYT doesn’t look great here. But this isn’t some big exception. I can do a daily-ish newsletter with multiple such examples purely from outlets that most professional-class folks consider credible — which, incidentally, I’m going to do.
What’s my motive here? I’m a long-time paid subscriber to the NYT and several others. I adore good journalism. A society thrives in some rough proportion to the quality of its information flow, which is precisely why I think it’s crucial to point out failures and blind spots. To the degree that I pick on the NYT the most, it’s because of their cultural prominence. If I can get them to acknowledge the scope of the problem, others may follow suit.
I’ve given up 85-90% of my income to focus on this project. Some find this weird. The point of the social internet, I’m told, is to perform ironic detachment. Well, I suck at that. I have exactly zero fucking chill about the damage that misinformation has caused in recent years. And I think others will join me once they get a sense of how deep/pervasive these problems are. This isn’t about some Trumpian #fakenews argument. It’s about broken models and profound costs.
No one should take my word for anything. I have copious receipts. And if anything I’ve said proves to be untrue or unfair, I’ll pay meaningful penalties out of pocket in penance. The truth should be that important.
And, yes, I’m absolutely going to continue to use the NYT’s own marketing to make my point. I’ll stop when they issue their first correction/retraction in response.
(That said, please be nice to the journalists involved. It’s not that they don’t bear some responsibility. They do. But this is ultimately about systems, not individuals.)
A Narrative Emerges
I pushed out a longform sequel about the Twitter hack on Monday that was, well, quite long. (If you read it, bless you, you can safely skip to the next section. For everyone else we’ll do a quick summary here.)
My piece centered on a NYT piece from last Friday, the gist of which was:
They interviewed three (possibly four) young members of a Discord group that was into stealing/swapping “OG” social media handles (rare names that you could only get if you signed up super early for a given platform)
On July 7th, a stranger (“Kirk”) joined said Discord
On July 14th/15th, Kirk reached out to two well-known members with an offer to the effect of “I’m a Twitter employee and can get you any OG handles you want; if you line up buyers I’ll give you a kickback”
Kirk demonstrated his access to a Twitter admin panel that allowed him to effectively change account ownership with a few clicks/keystrokes (by changing the password recovery email address and disabling 2FA)
The morning of July 15th, said individuals (one of whom bought a handle themselves) lined up buyers as requested
As Kirk was delivering the handles, he kicked off a separate gambit (taking over high-profile accounts and using them to run a crypto scam) that the OG youths stressed they weren’t involved in
Said youths specifically asked the Times to clarify their limited involvement
That all in mind, consider the headline that the NYT went with:
Hackers Tell the Story of the Twitter Attack From the Inside
And this central claim (emphasis mine):
The interviews indicate that the attack was not the work of a single country like Russia or a sophisticated group of hackers. Instead, it was done by a group of young people — one of whom says he lives at home with his mother…
The problems here:
While the three may be hackers in some general sense, we have no reason to believe that any of them were among the hackers who carried out the attacks.
Their involvement, per testimony/evidence provided to the NYT, was limited to being buyers/fences. A stranger approached saying “hey would you like me to steal some stuff for you?” and they said “yes please”. That’s still criminal, sure. But it obviously doesn’t make them the people who planned/executed the thefts.
What the NYT failed to note was that Kirk, by continuing on to the more public scams, actually called attention to the stolen handles, thus making it almost certain that they’d get seized/suspended/returned (which has already happened to two-thirds of the handles listed in the story). Put more bluntly, Kirk took their money and then screwed them.[1]
Now, sure, it’s possible that Kirk is just another OG forum member. Perhaps one who created a new identity so as to take advantage of the others / exact some vendetta.
Even if true though:
That has nothing to do with what the other three did / didn’t do.
No one seems to know anything certain about Kirk’s identity or motives, making any speculation there just that. Ruling out more nefarious parties being responsible on the back of this reporting seems remarkably premature.
To emphasize that last point:
The user known as Kirk did not have much of a reputation in hacker circles before Wednesday. His profile on Discord had been created only on July 7.
and
But the identity of Kirk, his motivation and whether he shared his access to Twitter with anyone else remain a mystery even to the people who worked with him.
and
Kirk, whoever he was, had stopped responding to his middlemen and had disappeared.
Taking this all together:
The NYT said the hack “was done by a group of young people”.
The three young people quoted had told/shown the NYT that they didn’t do it (and stressed their desire for the NYT to make this clear)!
I trust we see the problem here.
As a sanity check, here is how security journalist Brian Krebs framed it:
The New York Times last week ran an interview with several young men who claimed to have had direct contact with those involved in last week’s epic hack against Twitter. These individuals said they were only customers of the person who had access to Twitter’s internal employee tools, and were not responsible for the actual intrusion or bitcoin scams that took place that day. But new information suggests that at least two of them operated a service that resold access to Twitter employees for the purposes of modifying or seizing control of prized Twitter profiles.
While the final sentence there is interesting, the point here (and this isn’t a shot at Brian) isn’t whether they were guilty of involvement with other incidents in days past, as that’s neither here nor there to the fact that the NYT presented no evidence that any of them were involved with pulling off this particular hack (which went far beyond heisting handles into serious criminal territory). Those three OG youths, whatever their prior misdeeds, were pretty clearly customers here.
Anyway, this narrative didn’t end with the NYT.
The Clickshare Machine
As one would imagine, lots of outlets are happy to draft behind majors like the NYT without much in the way of additive reporting or independent due diligence — which is exactly the outcome you’d expect from the incentives involved. There’s a trending story? Let’s quickly mash up our own rundown so that we get some clicks too before the attention window closes!
This is, uh, a problem. While I’m vaguely empathetic as to how journalism has had to adapt to social media platforms that were founded some 15 years ago now, I struggle to imagine on what grounds one could argue that blind reinforcement isn’t dangerous.
Anyway, see follow-on takes from Morning Brew, Business Insider, Yahoo, The Telegraph, and I presume several others (I didn’t look very hard).
Note: I don’t fault Morning Brew quite as much, in that their business is just aggregating the news. Most professional-class people uncritically trust the NYT, and have never encountered an argument as to why they shouldn’t (hence this newsletter). But I’ll stand my ground that any editor who read the NYT coverage closely should have noticed the inconsistencies, which were not subtle.
As an example of seeing-but-not-seeing the problem, The Verge starts with:
Reporters [from the NYT] tell the stories of four individuals involved in the hack and how exactly it spiraled out of control and resulted in the takeovers of some of the platform’s most high-profile and sensitive accounts.
and then gets around to:
The OGusers hackers spoke with The Times to clear their names and play down their involvement in the attack; they say Kirk was the mastermind…
Right. Three young people (the NYT never says anything about the fourth) say “please make it clear to your readers that we were just customers; Kirk did all of this on his own”. The Verge, seeing some tension here, avoids making quite the same mistake as the above outlets. Even so, their headline was “Go read The New York Times’ incredible account of how the Twitter attack may have happened”.
Not great.
Et Tu, AP?
The Associated Press (in a piece that was syndicated by the NYT, WaPo, ABC, and many others, as is standard):
Allison Nixon, chief research officer at cybersecurity firm 221B said in an email Sunday that the people behind the attack appear to have come from the “OG” community…
“Based upon what we have seen,the [sic] motivation for the most recent Twitter attack is similar to previous incidents we have observed in the OG community — a combination of financial incentive, technical bragging rights, challenge, and disruption,” Nixon wrote. “The OG community is not known to be tied to any nation state. Rather they are a disorganized crime community with a basic skillset and are a loosely organized group of serial fraudsters.”
It’s something of a standard line to say that the AP is highly credible on account of their “just the facts” bulletin style. And most days I agree.
Even so:
They got the date of the hack wrong and left in a pretty obvious typo (implying that any editorial input was limited/rushed)
They authority-quote someone who attributes the attack to the OG community on the basis of motives that are generically true of most hacking collectives
They give no room to the idea that it could have been anyone else (or that some larger power could have been using such a community as a proxy)
(One big counter-narrative that hasn’t been widely discussed: while the stolen handles bit certainly looks/sounds like typical OG activity, the larger crypto scam is something quite different. Stealing a handle is criminal-y. Accessing a Dutch politician’s DMs and leveraging Joe Biden’s Twitter to commit wire fraud is risking serious prison time. Also, per the NYT, one of Kirk’s Bitcoin addresses was used in a similar email scam the next day. While there are people in the orbit of the OG community who do cross into aggressive criminal behavior, we need to be cautious about speculation here.)
Anyway, we again have zero hard evidence advanced that might help us understand:
Who/what is Kirk?
What did he/they want?
What did he/they take?
To what end(s)?
It’s a little weird to me that we aren’t seeing much sustained curiosity in those directions. And it’s disheartening to see the AP pushing speculation like this without making it clear what it is. Maybe Nixon’s confidence was reinforced by the NYT reporting? And maybe the AP leaned on that too in their decision to run this? Only they could say. But this is exactly what we need the AP to not be doing.
(In fairness to Nixon, she gave a separate statement to Brian Krebs about the OG youths being culpable even if they told the truth about their limited involvement, just in context of their demand inducing supply. This is a fair point so far as it goes[2], but is also an aside here, as we don’t know that Kirk’s decision to run the Bitcoin scam was predicated on the lesser incentive of also stealing handles. Plus it elides the consequence of Kirk’s decision in how it impacted the value of the stolen handles.)
The Contributor Conundrum
Ok, one last quick one.
Forbes relies on a contributor model that more or less intentionally abstracts editorial responsibility. While we won’t get into that more today, I want to highlight this from a Senior Contributor (starting with the lede; italics mine):
Bottom Line: Shattering the false sense of security in tech, the recent Twitter hack blended altruism, fame, greed, social engineering via SIM swapping and insider threats to steal $120,000 from victims when the economic and political damage could have been far worse.
And the opening of the third paragraph (again, italics mine):
Using SIM swapping, in which threat actors trick, coerce or bribe employees of their victims to gain access to privileged account credentials and administrative tools, hackers were able first to change the email address of each targeted account.
So, here’s the thing: there is zero public evidence to date that SIM-swapping was used.
Zero.
Now, it’s possible (perhaps even quite likely!) that Kirk used SIM-swapping at some stage of acquiring the employee credentials.[3] And it’s possible that the author has some private knowledge of this being the case. But the point of journalism is to show your work so that others can replicate it. Because the main alternative to replication is uncritical repetition. And I trust we can see why the latter is a dangerous thing indeed.
[1] He/they actually screwed the kids more directly too. The NYT later confirmed that Kirk was actually going in and manually overriding some of the email changes.
[2] I’m not sure anymore this is actually that fair/meaningful of a point, as it turns out that most of the stolen usernames were inactive, else held by other members of the OG community. So the impact of the theft was super low. That some/many members of this community were also involved in more aggressive / criminal “games” is an aside. Buying/fencing these specific goods on this specific day from someone who presented themselves as a crooked Twitter employee was an exceptionally low-level crime in itself.
[3] A year later and I’ve seen zero indication that SIM-swapping was used for this particular attack.