The recent uproar over fake news in the U.S. Presidential campaign was depressingly familiar to me. I’ve been dealing with the issue on topics related to my specialized field for more than a decade, and there’s no sign that the problem is getting better.
As with its political counterparts, tech-related fake news comes in all flavors. Some is deliberate disinformation, but most is the outgrowth of a one-two punch: ignorant reporting, fueled by a click-driven echo chamber.
The latest example is a story published last week by IDG’s ARN, an Australian website aimed at the reseller market.
The headline above that story is accurate enough, but the subhead is complete fantasy. And the opening two paragraphs of the story compound the error.
FireEye has recently struck a deal Microsoft [sic], designed to place the security vendor’s iSIGHT Intelligence into Windows Defender, an inbuilt Windows security offering.
Terms of the deal will see FireEye gain access to telemetry from every device running Windows 10, serving up access to almost 22 per cent of the total desktop market, alongside laptops and Windows mobile phones. [emphasis added]
What’s strange about this story is that it’s based on a press release from three weeks earlier, which managed to escape into the world with little notice, probably because the “news” was mostly a yawner.
Crucially, though, that release doesn’t contain the word telemetry, nor does it say anything even remotely resembling the inflammatory statement in that subhead and second graf from ARN.
In fact, it’s pretty clear that the author of the story has literally no clue what WDATP (Windows Defender Advanced Threat Protection) is. (I’ll get to that in a minute.)
But the fact that this story was factually challenged didn’t stop the echo chamber from repeating it over and over again. Here’s a snippet from Google News, collected just minutes ago, four days after the story first appeared:
Even my old friend Woody Leonhard got in the act, posting a story with the provocative headline Is Fireeye getting access to all Win10 telemetry data?
In it, he noted that Fireeye has “deep ties in the corporate and cybersecurity worlds.” The story ends oddly: “I can’t imagine that it’s true,” Woody writes, “but the report’s scary.”
Tell that to anyone who just skimmed the headlines and read the first few paragraphs without scrolling down.
Eventually, someone at Microsoft got wind of the story and released a statement forcefully denying it:
The nature of the deal between Microsoft and FireEye is to license threat intelligence content from FireEye iSIGHT Intelligence. This additional layer of intelligence includes indicators and reports of past attacks collected and edited by FireEye and enhances detection capabilities of Windows Defender Advanced Threat Protection (WDATP). The deal does not include the sharing of Microsoft telemetry.
Unfortunately, that statement ended up appended to the end of a story at BetaNews, which still carries the original headline, with a single word tacked onto the end: Microsoft shares Windows 10 telemetry data with third parties [Updated]. [Nope, that story doesn’t deserve a link.]
Meanwhile, the ARN story is still sitting there, uncorrected.
Over at Bing News, the situation is even worse. Google News at least filters out low-quality websites, whereas Bing’s algorithm spews out copycat stories from sketchy sites like nextpowerup.com, latesthackingnews.com, and winbuzzer.com.
Those sites appear to be following the same business model as the Russian and Macedonian sites that fed a steady stream of garbage into online services during the recent Presidential election.
The sad part about this whole mess is that it could have been avoided with even minimal fact-checking by anyone involved. In fact, all they had to do was read the FireEye press release and ask how the author of the original story came up with that conclusion.
Oh, wait, the Google News snippet from Softpedia News notes that they did exactly that:
“[T]he official press release that Fireeye posted today [it was actually three weeks earlier] says nothing about Microsoft providing them with access to information collected from Windows 10 systems, but…”
In other words, the author of that story spotted the enormous problem with it and chose to run with it anyway, adding a bogus click-baiting headline that ignored their own suspicions.
Please kill me.
So, what’s the real story here?
Windows Defender Advanced Threat Protection has nothing to do with Windows 10 telemetry collection. As the name suggests, it’s an advanced feature, available by subscription only, aimed at large organizations running Windows 10 Pro and Enterprise editions.
The privacy statement for WDATP contains this language:
[Y]our data is isolated through access authentication and logical segregation based on customer identifier. Each customer can only access data collected from its own organization and generic data that Microsoft provides.
Customer data is isolated from other customers and is not shared. However, insights on the data resulting from Microsoft processing, and which don’t contain any customer specific data, might be shared with other customers. Each customer can only access data collected from its own organization and generic data that Microsoft provides.
My colleague Mary Jo Foley wrote about it back in March, when the service was announced. As a September white paper notes, the purpose of WDATP is to let enterprise security professionals find evidence of attacks that have “made it past all other defenses (post breach detection),” providing “actionable, correlated alerts for known and unknown adversaries trying to hide their activities on endpoints.”
Microsoft even noted that the service provides a “built in unique threat intelligence knowledge base … [with] actor details and intent context for every threat intel-based detection – combining first and third-party intelligence sources.”
That “third-party” portion is where FireEye’s threat intelligence comes in.
The WDATP infrastructure is intensely private. When an organization signs up for the service, it gets a dedicated, secure portal for analyzing information collected from within its own environment. If a security professional finds a suspicious file that might have been used to compromise a device or a network, they can choose to submit it for further analysis, using that threat database to locate clues about the origin of the attack and what it might have done.
And no, FireEye neither wants nor needs general-purpose telemetry information from Windows 10 devices. That information wouldn’t be even remotely relevant to its mission.
Like the proven garbage that polluted Facebook and the web in the run-up to the Presidential election, this sort of story thrives on confirmation bias. If you believe that Evil Microsoft is secretly harvesting all your secrets, you have no incentive to analyze “evidence” of this sort. It’s much easier just to copy, paste, and publish.
And that same confirmation bias works to reinforce fake news like this, garnering clicks and other evidence of interest that drives stories to the top of search results, regardless of their inherent accuracy.
In politics and tech, the problem is one of algorithms. Google has made some baby steps in the direction of improving its results by banning many content mills from its news page, but there’s no such filter for verifiable truth. And until there is, this is a problem that will get worse, not better.
Source: SANS ISC SecNewsFeed @ November 27, 2016 at 06:57PM