Over the weekend a startling bit of news came into my inbox. According to a press release emailed to me on Saturday, an obscure security firm known as Rustle Research had identified a cross-site scripting vulnerability in the NSA's website that could allow for drive-by malware installs. Rustle's "ethical R&D whitehat red team" notified the spooks and allowed them to fix the hole before going public.
I thought, Wow, this is kind of a big deal. Why haven't I heard more about it? I stopped reading after the second paragraph and searched Google -- nothing on any exploits targeting NSA.gov.
[ For a humorous take on the tech industry's shenanigans, subscribe to Robert X. Cringely's Notes from the Underground newsletter andfollow Cringely on Twitter. | Get the latest insight on the tech news that matters from InfoWorld's Tech Watch blog. ]
But reading through the rest of the release led me to a different conclusion: Someone was trying to troll me and other members of the media. Here's the money part of the release:
Field researchers curiously perusing nsa.gov stumbled upon XSS vulnerabilities on the main NSA front facing webserver. Both vulnerabilities were found in shoddily outsourced third-party software written in ColdFusion -- which we all know is the worlds greatest mark-up language.
"Anyone with an internet connection can use the XSS vulnerability to impersonate NSA personnel and web traffic," says Horace Grant, a researcher with Rustle Research. "Why are unreliable third parties creating the software that guards our national secrets?"
No mainstream sites bit on the fake release, which also contained a link to one of the more disgusting types of image available on the Net. (I'll leave that to your imagination -- once seen, it cannot be unseen). It then proceeded to trash Adobe ColdFusion, deceased journalist Michael Hastings, and WikiLeaks volunteer turned FBI informant Sigurdur Thordarson.
There's also a link that allegedly shows how the exploit worked, but really redirects to a site that plays an audio file (very loudly) repeating, "Hey everybody, I'm looking at gay porno!"
A handful of obscure sites ran the release verbatim, though it's unclear whether those sites are also under control of the Rustlers.
Who's researching Rustle Research?
I Googled the sender of the email, Jaime Cochran. Co-chair of the five-person Rustle League, the transgender Cochran has boasted about wanting to become the Andy Kaufman of trolling (language NSFW). Per a profile of Cochran in Vice mag:
"Trolling is a form of social commentary or satirical performance art for people who take themselves too seriously on the internet," said Jaime Cochran, co-chair of Rustle League. Cochran (she goes by the handle [censored] on Twitter) is a 20-something online security professional and "aspiring porn actress" who, when we met for coffee in her home city of Chicago, described her style as "cerebral trolling" or even "an interactive comedy routine", before comparing herself to Andy Kaufman....