llimllib · May 24, 2011 21:24
diff --git a/gistfile1.txt b/gistfile1.txt
 Mar, 10 2011

 Vanity Fair reporter freak-out
 Vanity Fair had an article about Stuxnet. Here’s some background information on
 this creative piece of embarrassment.

 Vanity Fair’s writer Michael Joseph Gross visited us last year. I agreed to
 spend two days with him as I thought it could be helpful to spread the message
 about the threat posed by Stuxnet-inspired malware well behind technical
 publications. On his request, I explained Gross in detail what control systems
 are, how they are different from IT, and how Stuxnet works. He got a hands-on
 introduction to Siemens controllers, demonstrating the Siemens software’s
 behavior before and after infection on a real system, and explaining the
 meaning of the diagnostic output he saw. We explained sections of actual attack
 code and how we reverse engineer such code. I explained the difference between
 basic production control systems and digital safety systems, extending into
 instrumentation and control details. In addition to the technicalities I
 thoroughly briefed Gross on background topics that are essential for
 understanding Stuxnet, such as politics, timeline of events (starting in 2006),
 and insights on major stakeholders such as ICS-CERT and the vendor. On his
 request, I provided extensive interview prep material for his upcoming
 interviews, and provided contacts at INL and DoE. Also on his request, I
 arranged an interview for Gross with one of our clients (a global player in the
 steel industry) who had been infected with Stuxnet.

 It seems like so much hardcore information was a little bit over Gross’ head,
 so he decided to focus more on me as a person. Why not. I don’t know, however,
 why he needed to portray me as a complete jerk, and did not hesitate to provide
 “evidence” that is totally absurd (who is really interested in my shoe wear?)
 and misleading by purpose. For example, Gross, who may be unfamiliar with the
 dress code for German consultants, began to show a bizarre interest for
 selected fashion items. He wants to hold my wrist watch, inspects it thoroughly
 and asks if it is a famous brand or particularly expensive. It is not. Then he
 grabs my tie (literally) and turns it around to see the brand label. It’s a
 no-name product, again. Next he inquires about my shirt. Again, a no-name
 product. (I’m happy that he didn’t want me to take it off to inspect the brand
 label.) I tell Gross that I don’t buy fashion by designer name. However next he
 draws the grand price. It happens that my shoes are from a well-known Italian
 designer. He follows his hot trace and asks which shoes I wore the day before,
 the ones with that particular structure, and asks about the material. I say,
 let me think… I believe it were the ostrich shoes. I see Gross’ face taking on
 a weird look as if I had said something obscene or if he had just experienced
 sudden intestinal problems, but don’t give it any significance. In his article,
 this bizarre episode reads: “My preference is for Dolce & Gabbana shoes,” he
 says. “Did you notice, yesterday I wore ostrich?”, turning reality completely
 around.

 Gross writes that I had sleeping problems and that I couldn’t tell if I was a
 genius or crazy. Gross knows in which context these remarks were made, but he
 deliberately doesn’t tell. I did have severe sleeping problems during the first
 weeks of Stuxnet analysis because I was horrified about what I saw and just
 couldn’t find rest. The malicious controller code and the question what it was
 trying to do didn’t let me sleep. (If anybody is interested in it, I don’t have
 sleeping problems any longer.) The genius/paranoid thing goes back to the early
 days of Stuxnet research, when nobody saw what we were seeing. Those were the
 days when we published a step-to-step guide for fellow researchers to
 understand Stuxnet, along with a video capture of Wireshark traffic. Those were
 also the days when I had discovered the potential meaning of the project name
 Myrtus but did not publish it “because you would think I’m nuts”. We never even
 mentioned the Myrtus/Esther stuff in our blog because we don’t give it much
 significance. Gross knows all this, but decided not to tell in a story he wants
 the reader to believe is a character study of me. Gross also knows that
 attribution is something that concerns me least about Stuxnet, but suggests
 otherwise. His reporting that I googled “Iran” and “nuclear” is complete
 nonsense, and he knows it. He even has the Iranian target focus in writing from
 me, but it wouldn’t have matched with the picture he is trying to paint of me.

 On the second evening of his visit we are sitting in a bar. It is clear that
 the interview is over, Gross had just talked me into ordering another drink,
 and we talk about personal stuff, mine and his; relationships, future plans
 etc. I mention that I think about moving to California someday. Gross goes then
 to great length in describing how beneficial his story will be for my career,
 asks if I would be willing to sign an exclusivity agreement etc. pp. I point
 out for the fifth or second time that the ONLY thing I’m interested in is to
 get out the message of the threat posed by Stuxnet-inspired malware and that I
 wouldn’t benefit from all the wonderful things he is going to write about me
 anyway because his paper isn’t even for sale on German news stands. I tell him
 again that I have no particular desire to be mentioned more than briefly in his
 story. He then switches to the topic of a portrait photo of me for the article.
 I confess that I’m a great admirer of Ann Leibowitz and for long had wanted her
 to portray me. So I say jokingly that the only benefit I could see for myself
 is to have Leibowitz take a crispy shot of me for the cover page, which could
 eventually one day even help in attracting American women (I’m single). Not
 even Gross can view me as so stupid to think I would actually believe to go on
 VF’s cover. Nevertheless, Gross writes: “Langner loves the attention that his
 theories have gotten. He is waiting, he says, for “an American chick,”
 preferably a blonde, and preferably from California, to notice his blog and ask
 him out.“ He says this about the person who researched the most technical facts
 on Stuxnet’s payload, in weeks of hard labor, who had told him verbatim more
 than once that he is NOT interested in getting attention. It is simply
 disgusting.

 Now Vanity Fair does have some approach to quality control which they call
 “fact checking”. A “fact checker” contacts the sources to verify that all
 information is correct. Funny enough, the “fact checker” is not interested in
 checking the most blatant nonsense, but in fine-tuning information that
 supports the writer’s bias. Certainly their “fact checker” did not ask: Ralph,
 is it true that you write your blog to attract blonde Californian chicks? He
 will have known that my answer would have been “are you out of your mind?”
 Instead, the “fact checker” explores some background on a commercial computer
 program I had written as an undergraduate. Gross was very interested in this
 program. The “fact checker” asks if it is true that this program didn’t sell.
 No, it’s not, actually it was the all-time best selling software application in
 its niche. Reading this, Gross is no longer interested in this stuff and drops
 the subject. The “fact checker” also asks if I’m a centrifuge expert. Certainly
 I’m not, which is hardly surprising for anyone. However, Gross experienced how
 meticulously I researched the I&C and physics of potential Stuxnet targets when
 I talked him through the design documentation of a turbine protection system
 (at that time we were working on the Bushehr target theory) down to the details
 of 2oo3 wiring and logic. He knew that I discussed attack vectors with power
 plant engineers with on-site experience in Russian nuke plants. He knew I was
 working on the NPP target theory with one of the very few European engineers
 who actually designs turbine protection systems for power plants (I even
 invited Gross to visit him, but the expert wasn’t available that day). He also
 knows that for the centrifuges, I discuss technical issues with the best
 contacts one can wish for in this matter, ranging from centrifuge development
 and test engineers to the best nuclear scientists in the world, some with
 on-site experience in Natanz. So after going through “fact-checking”, here is
 what you read: “Langner admits that he is not a centrifuge expert, but says
 that he regularly speaks with such experts.” I believe it’s a safe bet to
 assume that the “fact checker” would have loved to get me on the record writing
 that I’m not a centrifuge expert, period.

 Only an idiot does not learn from experience. So I will revise our media policy
 and will no longer accept interview requests in our office or interviews that
 focus on me as a person rather than on our work.

 Ralph Langner
	Mar, 10 2011

	Vanity Fair reporter freak-out
	Vanity Fair had an article about Stuxnet. Here’s some background information on
	this creative piece of embarrassment.

	Vanity Fair’s writer Michael Joseph Gross visited us last year. I agreed to
	spend two days with him as I thought it could be helpful to spread the message
	about the threat posed by Stuxnet-inspired malware well behind technical
	publications. On his request, I explained Gross in detail what control systems
	are, how they are different from IT, and how Stuxnet works. He got a hands-on
	introduction to Siemens controllers, demonstrating the Siemens software’s
	behavior before and after infection on a real system, and explaining the
	meaning of the diagnostic output he saw. We explained sections of actual attack
	code and how we reverse engineer such code. I explained the difference between
	basic production control systems and digital safety systems, extending into
	instrumentation and control details. In addition to the technicalities I
	thoroughly briefed Gross on background topics that are essential for
	understanding Stuxnet, such as politics, timeline of events (starting in 2006),
	and insights on major stakeholders such as ICS-CERT and the vendor. On his
	request, I provided extensive interview prep material for his upcoming
	interviews, and provided contacts at INL and DoE. Also on his request, I
	arranged an interview for Gross with one of our clients (a global player in the
	steel industry) who had been infected with Stuxnet.

	It seems like so much hardcore information was a little bit over Gross’ head,
	so he decided to focus more on me as a person. Why not. I don’t know, however,
	why he needed to portray me as a complete jerk, and did not hesitate to provide
	“evidence” that is totally absurd (who is really interested in my shoe wear?)
	and misleading by purpose. For example, Gross, who may be unfamiliar with the
	dress code for German consultants, began to show a bizarre interest for
	selected fashion items. He wants to hold my wrist watch, inspects it thoroughly
	and asks if it is a famous brand or particularly expensive. It is not. Then he
	grabs my tie (literally) and turns it around to see the brand label. It’s a
	no-name product, again. Next he inquires about my shirt. Again, a no-name
	product. (I’m happy that he didn’t want me to take it off to inspect the brand
	label.) I tell Gross that I don’t buy fashion by designer name. However next he
	draws the grand price. It happens that my shoes are from a well-known Italian
	designer. He follows his hot trace and asks which shoes I wore the day before,
	the ones with that particular structure, and asks about the material. I say,
	let me think… I believe it were the ostrich shoes. I see Gross’ face taking on
	a weird look as if I had said something obscene or if he had just experienced
	sudden intestinal problems, but don’t give it any significance. In his article,
	this bizarre episode reads: “My preference is for Dolce & Gabbana shoes,” he
	says. “Did you notice, yesterday I wore ostrich?”, turning reality completely
	around.

	Gross writes that I had sleeping problems and that I couldn’t tell if I was a
	genius or crazy. Gross knows in which context these remarks were made, but he
	deliberately doesn’t tell. I did have severe sleeping problems during the first
	weeks of Stuxnet analysis because I was horrified about what I saw and just
	couldn’t find rest. The malicious controller code and the question what it was
	trying to do didn’t let me sleep. (If anybody is interested in it, I don’t have
	sleeping problems any longer.) The genius/paranoid thing goes back to the early
	days of Stuxnet research, when nobody saw what we were seeing. Those were the
	days when we published a step-to-step guide for fellow researchers to
	understand Stuxnet, along with a video capture of Wireshark traffic. Those were
	also the days when I had discovered the potential meaning of the project name
	Myrtus but did not publish it “because you would think I’m nuts”. We never even
	mentioned the Myrtus/Esther stuff in our blog because we don’t give it much
	significance. Gross knows all this, but decided not to tell in a story he wants
	the reader to believe is a character study of me. Gross also knows that
	attribution is something that concerns me least about Stuxnet, but suggests
	otherwise. His reporting that I googled “Iran” and “nuclear” is complete
	nonsense, and he knows it. He even has the Iranian target focus in writing from
	me, but it wouldn’t have matched with the picture he is trying to paint of me.

	On the second evening of his visit we are sitting in a bar. It is clear that
	the interview is over, Gross had just talked me into ordering another drink,
	and we talk about personal stuff, mine and his; relationships, future plans
	etc. I mention that I think about moving to California someday. Gross goes then
	to great length in describing how beneficial his story will be for my career,
	asks if I would be willing to sign an exclusivity agreement etc. pp. I point
	out for the fifth or second time that the ONLY thing I’m interested in is to
	get out the message of the threat posed by Stuxnet-inspired malware and that I
	wouldn’t benefit from all the wonderful things he is going to write about me
	anyway because his paper isn’t even for sale on German news stands. I tell him
	again that I have no particular desire to be mentioned more than briefly in his
	story. He then switches to the topic of a portrait photo of me for the article.
	I confess that I’m a great admirer of Ann Leibowitz and for long had wanted her
	to portray me. So I say jokingly that the only benefit I could see for myself
	is to have Leibowitz take a crispy shot of me for the cover page, which could
	eventually one day even help in attracting American women (I’m single). Not
	even Gross can view me as so stupid to think I would actually believe to go on
	VF’s cover. Nevertheless, Gross writes: “Langner loves the attention that his
	theories have gotten. He is waiting, he says, for “an American chick,”
	preferably a blonde, and preferably from California, to notice his blog and ask
	him out.“ He says this about the person who researched the most technical facts
	on Stuxnet’s payload, in weeks of hard labor, who had told him verbatim more
	than once that he is NOT interested in getting attention. It is simply
	disgusting.

	Now Vanity Fair does have some approach to quality control which they call
	“fact checking”. A “fact checker” contacts the sources to verify that all
	information is correct. Funny enough, the “fact checker” is not interested in
	checking the most blatant nonsense, but in fine-tuning information that
	supports the writer’s bias. Certainly their “fact checker” did not ask: Ralph,
	is it true that you write your blog to attract blonde Californian chicks? He
	will have known that my answer would have been “are you out of your mind?”
	Instead, the “fact checker” explores some background on a commercial computer
	program I had written as an undergraduate. Gross was very interested in this
	program. The “fact checker” asks if it is true that this program didn’t sell.
	No, it’s not, actually it was the all-time best selling software application in
	its niche. Reading this, Gross is no longer interested in this stuff and drops
	the subject. The “fact checker” also asks if I’m a centrifuge expert. Certainly
	I’m not, which is hardly surprising for anyone. However, Gross experienced how
	meticulously I researched the I&C and physics of potential Stuxnet targets when
	I talked him through the design documentation of a turbine protection system
	(at that time we were working on the Bushehr target theory) down to the details
	of 2oo3 wiring and logic. He knew that I discussed attack vectors with power
	plant engineers with on-site experience in Russian nuke plants. He knew I was
	working on the NPP target theory with one of the very few European engineers
	who actually designs turbine protection systems for power plants (I even
	invited Gross to visit him, but the expert wasn’t available that day). He also
	knows that for the centrifuges, I discuss technical issues with the best
	contacts one can wish for in this matter, ranging from centrifuge development
	and test engineers to the best nuclear scientists in the world, some with
	on-site experience in Natanz. So after going through “fact-checking”, here is
	what you read: “Langner admits that he is not a centrifuge expert, but says
	that he regularly speaks with such experts.” I believe it’s a safe bet to
	assume that the “fact checker” would have loved to get me on the record writing
	that I’m not a centrifuge expert, period.

	Only an idiot does not learn from experience. So I will revise our media policy
	and will no longer accept interview requests in our office or interviews that
	focus on me as a person rather than on our work.

	Ralph Langner