Aitel made the comments on Twitter, also saying he had been mischaracterised as a former NSA analyst by Perlroth. Strangely, the NYT reporter did not name Aitel, though she claimed that Immunity at one stage trained the Turkish army in cyber techniques. "One contractor, Immunity Inc., founded by a former N.S.A. analyst, embarked on a slippier slope. First, employees say, Immunity trained consultants like Booz Allen, then defense contractor Raytheon, then the Dutch and the Norwegian governments. But soon the Turkish army came knocking," the article claims.
The article in question, published on 6 February, argues that the US has lost control of the global battle with state-controlled malicious attackers due to its hubris.
Guess who wasn't an NSA analyst? Me! ;) pic.twitter.com/78bcRuUsdi — daveaitel (@daveaitel) February 6, 2021
Its premise is probably best summed up by this paragraph: "Three decades ago, the United States spawned, then cornered, the market for hackers, their tradecraft, and their tools. But over the past decade, its lead has been slipping, and those same hacks have come boomeranging back on us."
Uh, can anyone name the seven 0day in stuxnet? pic.twitter.com/9gqBIoJIVn — daveaitel (@daveaitel) February 6, 2021
One Twitter user, who responded to Aitel's tweet about Stuxnet, said that seven zero-days had not been used, "but 7 vulnerabilities patched in the immediate remediation following Stuxnet analysis matched codepaths exploited by Stuxnet".
In response to Aitel's criticism, Perlroth fired back: "Guess who was given ample opportunity to clarify his title in our fact checking conversations, or that he wasn’t training Turkish military? Dave Aitel.
"Instead, when asked, his answer was: 'I would never comment on my customers'. There’s a reason he is nitpicking now after years."
She added later: "And why he has tried to pre-empt and criticise my reporting. It’s because I fact-checked every single thing, down to his bumper stickers, with him. He knew exactly what was going to come out."
In a later tweet, Aitel said: "I critique this kind of reporting when I don't think it accurately represents the space. I'll have more after I read the book."
Aitel told this writer many years ago in his only detailed interview available online that he worked as a computer scientist with the NSA.
Asked for his impressions of the article, former NSA hacker Jake Williams said he had nothing to add to what he had already tweeted; his earlier tweets were a series of cyber offence vs cyber defence polls.
Neat idea in theory, not remotely practical. Let's look at why. — Jake Williams (@MalwareJake) February 6, 2021
Are we including defensive ops here too? If not (and I can't imagine we would, that's HUGELY problematic), where is the line between offense and defense? Please read through and opine 1/ https://t.co/ULBKyGsEf6 pic.twitter.com/ZCNOK1EbZJ
Another well-known security researcher, who posts as Thaddeus E. Grugq, also took issue with details in the article, pointing out that Aitel was an operator at the NSA, not an analyst.
He also contested Perlroth's claim that tools from the NSA were exfiltrated in 2017. Her reference was to the group known as the Shadow Brokers; the group released an initial list of what it claimed were NSA exploits in August 2016, seeking likely buyers. It then dumped the whole lot online in April 2017. One of these exploits, known as EternalBlue, was used to craft the ransomware known as WannaCry which wreaked havoc in many countries in May 2017.
The identity of the Shadow Brokers still remains unknown, with the NSA telling iTWire in September 2020 that it had no information to offer as to who was behind the group, despite a probe that was reported to have been going on for 15 months in November 2017.
Grugq wrote: "You say 'tools were hacked in 2017'. There is no evidence to indicate when they were acquired, so even saying 2016 is dubious. Analyst vs operator are very different roles. Symantec analysis is not of the same calibre as @codelancer (who’s credited on one of the CVEs)."
He also questioned a claim made by Perlroth that the NSA had control over the market for hacking tools. The article claims: "As the market expanded outside the N.S.A.’s direct control, the agency’s focus stayed on offense. The N.S.A. knew the same vulnerabilities it was finding and exploiting elsewhere would, one day, blow back on Americans. Its answer to this dilemma was to boil American exceptionalism down to an acronym — NOBUS — which stands for “Nobody But Us.” If the agency found a vulnerability it believed only it could exploit, it hoarded it."
Grugq wrote: "This claim is that there was a single market and that it was controlled by NSA? That is not true. Even just the hacker underground trade in 0days, which is well documented, shows that there was no “the market” and NSA didn’t have direct control or even a monopsony."
Perlroth shot back: "You can keep screenshotting out of context, but really, I recommend fresh air."
This is not the first time that ex-NSA hackers have attacked Perlroth's reporting. In May 2019, she and two others, Scott Shane and David Sanger, came under fire after they wrote a yarn based on a leak from security firm Symantec, claiming that Chinese spies had gained access to a number of NSA exploits and used them for attacks, well before they were leaked by the Shadow Brokers.
On that occasion, Aitel was joined by another NSA alumnus, Robert M. Lee, and Williams in defending his former employer, the premier US spook agency.
But some of Aitel's peers took aim at him, pointing out that he had a conflict of interest. One, named Chad Loder, wrote: "You own a company in the exploit market that @nicoleperlroth has been asking hard questions about."
More recently, Williams took issue with a piece that Perlroth and Sanger wrote along with a third reporter, Julian Barnes, claiming that the wares of a software company known as JetBrains could have a connection to the supply chain incident involving SolarWinds' network management software known as Orion.
One defender I know called it "the NYT denial of service." I'm sorry if that hurts the author's feelings, but perspective and all... — Jake Williams (@MalwareJake) January 8, 2021
"Officials are investigating" is hardly enough with something this big. The impact of speculation like this is HUGE for network defenders. 2/4
He blasted the authors for wasting the time of infosec practitioners who had to divert their attention from other tasks to check for compromises in JetBrains' software.
In September last year, Perlroth and Sanger were criticised in these columns over an article in which they tried to hype up the so-called Russian threat to the US ahead of the 2020 presidential poll.
Update, 8 February: Perlroth sent the graphic below which details the seven zero-days that she claims were used in crafting the Stuxnet malware. The information was credited to American security firm Symantec.