I was a library geek throughout my childhood. The library in our town was too far to get to on my own and we didn’t have buses. I loved the Bookmobile, until I read every book on it. One of the main reasons I loved school was because I could go to the library! I volunteered at the library, I helped people find information using the green Guide to Periodic Literature books. Heck, my undergraduate major was Information Studies, hosted in the School of Library Science at FSU (now it’s in the School of Information), where we learned how to build systems for people not only to store data, but more importantly find and retrieve data through critical thinking.
One thing that my addiction to libraries and archival systems has taught me is the importance of checking your source. Is the information you are using from a credible and valid source? Are you sure that nothing about the source will invalidate or discredit the information that you are consuming?
You’d think given the proliferation of information these days, it would be easy to validate the sources of online content. But it’s actually the mass quantity of data that makes it hard to validate source material. And because source information is hard to validate, it is even more important that we are critical of the content we read and reuse. This is especially important when it comes to technologists and what seems to be technical data.
There have been a few examples of technically vague (at best, incorrect at worst) articles over the last week or so. Let’s examine one example and apply library science techniques to critically examine technical articles you read.
Example 1: Microsoft Office 365 hit with massive Cerber ransomware attack
Step 1: Read the post and the title thoroughly. Does anything in the post sound out of place? As a technical person, is there something about the post that just seems off? Go back and re-read the article.
This particular post has actually been edited since the first time I read it to correct the things that seemed impossible for the Office 365 platform. The first thing that jumped to my mind was this question. If this is so widespread why haven’t we seen it on our tenant? Secondly I thought , why isn’t the platform grinding to a halt? I’ve been through a widespread virus as a sysadmin, and that’s what I’d expect to see.
Go with your instincts. If your techie Spidey senses are tingling then don’t be afraid to critically examine the article in question.
Step 2: Is the article from a credible source? Things I look for in credibility are whether or not other people who are in the same segment of the industry read the magazine, and what are their ads for.
This article is from SC Magazine, which says it is a magazine “for IT security professionals”. SC magazine ads I get served up are for their security conferences and newsletters, which have articles that are most likely funded by security vendors. This isn’t good or bad, it just is. How do I know this may be the case? I work in marketing now y’all. 😉
Step 3: Is the author credible? If you don’t already know about the author, then the internet can help you figure this out. Things to look at are how long has this person be writing about this particular space? Does the person hold any certifications in the topic (LinkedIn is great for this)? Do other people promote their work or point of view (searching twitter for the person’s name + topic or name + publication can help bring visibility to that). This doesn’t mean the author isn’t credible, but it may mean you need to double-check that the important technical nuances haven’t been glossed over by an author without the technical depth to properly position the topic.
The author of this article is Doug Olenick, Online editor. According to his SC Magazine article, he has been an editor for 20 years, mostly in the consumer space. He’s been at SC Magazine for almost a year. The fact that he’s not a security expert, and that he comes from the consumer space makes me a bit cautious on Olenick’s expertise on this particular topic.
Step 4: Is this article the original source? What you’re looking for here is if this article is explaining or editorializing another article. In this case, this article is not the original source. It is bringing attention to a post on the cloud security firm Avanan’s blog.
Once you’ve made the determination that the article you’re not examining isn’t the original source, you must critically examine the potential new original source:
Step 1: Right away, the title sets me on edge a little bit with a “Widespread Attack on Office 365 Corporate Users with Zero-day Ransomware Virus”. Pretty sensational. Also the ransomware is described as a zero-day ransomware virus, which confuses two security terms and doesn’t make a lot of sense to me. I immediately know to read this article very critically. Some of the security terminology sounds off to me (I’m not a security expert though). Additionally how they described how their software did better than Microsoft with regards to detecting the virus seemed very self-serving.
Step 2: The article is from Avanan, a security vendor. They offer a cloud security platform for most of the major SaaS applications.
Vendors are always suspect because they want to sell you something. I work at a vendor, and I expect people to challenge what we write on our blog. We have the comments open for a reason people!
Step 3: The author is Steven Toole, Avanan’s CMO for about a month now. While he’s worked as a marketer (even CMO) at other tech startups, he’s never been at a security vendor. He has worked at a content analysis company, and has used content to build and fuel their funnels, AKA he builds content specifically designed to draw eyeballs to a startup. The sensational headline worked to build up a frenzy and get people talking about his security company, but he’s not a credible author, because he’s a CMO at a vendor and he’s not qualified to speak technically on this topic.
Step 4: This article is the primary source for the SC Magazine article, as well as many other media outlets. I get 351K results when I google “Cerber 365”, and most of them quote this blog post.
Concluding Thoughts
The bottom line is that it’s up to each of us to be sure the articles that we read, and then share are credible sources of information. Don’t be afraid to question authors, and raise your hand in protest when half-truths are being peddled around as truth. We owe it to our industry to hold each other – and those who are authoring technical content – to a higher standard.