The head of American security firm Immunity, Dave Aitel, appears to be backtracking on his claims, made in August, that British security researcher Marcus Hutchins had "something to do" with the WannaCry ransomware which hit Windows computers globally in May.
Hutchins was hailed as a hero by many after he accidentally stopped the spread of WannaCry by registering a domain that was present in the malware's code. He was later arrested in Las Vegas over alleged charges of having created a banking trojan named Kronos, along with an unnamed co-conspirator.
Aitel made the claim about Hutchins' alleged connection to WannaCry on his blog. But on 23 December, he took a step backwards, writing, "In fact, I had bet @riotnymia some INFILTRATE tickets that this would go the other way. Looks like she should book a trip! :)" @riotnymia is the Twitter handle for Emma McCall, a cyber security analyst at Riot Games.
INFILTRATE is a security conference which Aitel's company organises annually.
{loadposition sam08}Aitel did not explain exactly how the rest of the world should know about his private wagers and rank them above his public pronouncements.
His comments came a few days after US homeland official Tom Bossert publicly laid the blame for WannaCry on North Korea. iTWire ran a story that pointed out this, in effect, left egg on Aitel's face given his earlier public claim about Hutchins.
I contacted Aitel on Twitter, asking, "I asked you for your take on the WannaCry announcement. You chose not to reply. You publicly claimed Marcus Hutchins was behind WannaCry. Are you now denying that?" Unsurprisingly, he has not replied.
In his 23 December post, Aitel praised Bossert, but criticised journalists at his (Bossert's) media conference for asking about the NSA link to WannaCry — one NSA exploit, ETERNALBLUE, which was leaked on the Web by the Shadow Brokers last year was used by the attackers — and also hitting out at those who asked about the US Government's Vulnerability Exposure Policy. "There was the usual blame-the-NSA VEP nonsense which he (Bossert) pushed back on strongly and (imho) correctly," Aitel wrote.
The VEP appears to be a sensitive topic with Aitel; his company follows a policy of buying exploit information from others and then using it to protect his own customers against those exploits. The companies whose products are vulnerable are never told about the flaws.
The NSA has been criticised for crafting exploits for flaws that it has never disclosed to companies. Aitel, it must be mentioned here, is a former NSA employee.
Aitel also implicitly criticised iTWire for saying he had egg on his face, pointing out, "A more balanced approach was taken by TechBeacon taking into account Brian Kreb's article." This is the same Krebs who quietly pulled an article in which he had claimed a Russian link to the Shadow Brokers leak, publishing a note about it at the end of another article and disabling comments on that piece. Well-known blogger Marcy Wheeler has questioned whether Krebs had some kind of agenda in writing this article.
When Krebs was asked about it in the comments on his next article, personal slurs suddenly started appearing under fake names.
The comment below appeared after Krebs had been contacted by email — his contact email is not on the home page of his site, but buried in a long, laudatory spiel about himself — and provided the correct address for my personal blog. To call it childish and puerile would be dignifying it.
Aitel also took up cudgels for Kaspersky Lab, a Russian security firm whose products have been banned from use in the US public service. "We resolutely torture people and companies accused of hacking based on essentially tea-leaf reading from law enforcement (on one hand) or our intelligence organisations (in the case of nation state attribution). Kaspersky, of course, is one of those," he wrote.
But a few months back, Aitel was on a different track (listen from 34:00 onwards): "Kaspersky is an intelligence asset of the Russian Government and I'm amazed that we haven't seen action yet from the Australians, and the Germans and the Brits to do exactly what the US did – which is basically ban it. I mean at the point when Best Buy pulls your product off the shelves, I mean someone at Best Buy got a message and a briefing from an US Government official that said, 'this has to go'.
"Listening to Kaspersky, he understands clearly what the Americans are saying about his product and he's pretending that he doesn't. On the other hand, he has 300 million reasons a year not to deal with the behaviour that they are accusing him of. He probably thought he'd never get caught.
"It's hard to believe what he saying on Twitter and his interviews... I don't see any possibility that Kaspersky A-V is not a signals intelligence tool."
Ironically, these comments were made on a podcast put out by Patrick Gray, an Australian who once used the methods of Fox News — "some people are saying" — to accuse Aitel of unethical practices.
Gray's podcast lists the week's security stories (all compiled from other sources), rubs businesses the right way and when people criticise him, he blocks them from his Twitter feed.
If anything, this whole merry-go-round illustrates one thing: in infosec, as in life, all is not as it seems.