It seems some people still miss the point about my previous post — the focus is on the misleading PR approach, not the contents of the talk or speaker’s ability. So in that vein, let’s compare the two articles, both post-talk and pre-talk (same author, same publication, two weeks apart.)
|First Article||Second Article|
|Title||“New class of attack targets embedded devices”||“New attack puts routers, cell phones at risk”|
|Major tech focus||JTAG (no NULL pointers)||NULL pointers (no JTAG)|
|Impact||“criminals could … steal sensitive information from mobile phones or redirect Internet traffic on routers”||“Jack plans to show how his attack could be used to make changes to the firmware of a router so that it injects a malicious code into any executable files downloaded from the Internet” (i.e. this talk)|
The second article gets it right. It has enough details to know the general type of attack being discussed, downplays the hype, and lacks the misleading focus on JTAG. If the first article had never been written, I wouldn’t be discussing any of this.
The important thing to note is that the same author wrote both, so the only difference had to be the information that was provided to him. It was easy for me to recognize the PR influence since previous companies I’ve worked at have done the same thing. Security researchers, please make the effort to provide accurate details when announcing your talk, despite pressure from your PR department to overhype it or withhold information necessary to even know the topic.