Saturday, November 21, 2015

The Thread and Xindi...

http://xindibot.pixalate.com/
If you've not watched it yet, you need to take one hour and one minute and watch the Netflix documentary "The Thread". It's a documentary on the Boston Marathon bombing and how amateur internet crowdsourcing played a role ...and how they got it wrong. It's worth the watch.

As I watched the video, it reminded me of days past. I followed bugtraq, alt.hack and about another dozen usenet groups until the pace of keeping up became overwhelming. Now, I read closed communities like Red Sky Alliance (of course), and I follow several semi-closed and a few open Google groups. And again, I'm getting to the point where the amount of traffic (some good, some bad) is becoming wild. If you're looking for heavy loads of raw data as cyber events unfold, there are a dozen places one can look. The open source groups, like Reddit during the Boston Bombing (documented in The Thread), are becoming as much of a bitch session as they are about fact. So be prepared. Open source intelligence isn't always an easy ride, which is what I watched as Xindi unfolded this week.

Nearly two weeks after watching The Thread I remember the power of open source crowdsourcing. It's truly amazing, but one quote has stayed with me since --"Mob rule"-- it was a phrase used by one woman to describe how Reddit and other open source crowdsourced news sources got it wrong. I won't spoil the ending, but a theory was offered on circumstantial evidence, emotions ran high, and within hours, internet users from all over the world hogpiled on, singling out one person as the mastermind.

This week, Pixalate, another intelligence company, issued a report on a botnet called Xindi. My team was asked to comment on the botnet and whether or not we thought it had any real substance. My malware guy thought it might be a hoax. The intel folks thought otherwise. We watched the open source threads, each with their own opinions. One in particular reminded me of the virtual hogpile I talked about a moment ago on Reddit.

The report was posted. It detailed impression fraud, supported by a vulnerability in a process, and the authors extrapolated out potential damages if left unchecked. From an intel perspective, I actually liked the product! It was a bit heavy on the marketing for my taste, but it laid out the fact that there was a bug, the fact that it was used for impression fraud, and, if left unchecked, offered some examples of how bad it could be (which, by the way, reminded me very much of the speculation that ensued during the early hours of Heartbleed).

The malware guys in the group immediately dumped on the report --no indicators; they outed victims; heavy marketing; an F500 was outed. Even inside my little company, we had two very different thoughts, both at opposite ends of the swing of the pendulum.

So why is it that a simple intelligence report, with obvious gaps, but also obvious positives, drew such attention? How could it be that this one report generated so much (negative) discussion? Not sure, but here's what I do know... I love analytic differences. It makes for better decision making. Crowdsourcing isn't always right, but it gives every participant the ability to come to their own conclusions. Should one use crowdsourced data blindly? Of course not. Think for yourself --but don't be afraid to take on the thoughts of others in coming to your own conclusions.

Interestingly enough, in one group, pounding the Xindi report got more air time than the ISIS attack in Paris. In another, there were no mentions of either. In another, a very busy industry list, Paris got four mentions, Xindi none.

And now? First reported in one of the more active groups at 9:06AM on the 17th, by 10PM on the 19th the conversation is nearly dead.... on to the next topic. Starwood Hotels is now under the spotlight.

Have a great weekend and a fattening Thanksgiving!
Jeff