How I Moved from Journalism to Cyber Threat Intelligence

People often ask about my background in journalism. I give the same general response to everyone: Working in journalism is similar to cyber threat intelligence. It’s a lot of researching, reporting, writing, and talking to people. You develop sources, collection processes, and reporting methods, with the goal of communicating important information to readers. 

At first this response was my way of saying “I belong here.” Now, it is my way of saying “The community needs more people like me.”

When I first transitioned from journalism to threat intelligence, people seemed curious about the move. I figured the novelty would wear off eventually — being defined by my previous career in a new one I was attempting to develop became frustrating. I wanted to build my skill set, dive head first into a technical role and shed my journalism identity like a snakeskin. Having a unique background seemed like a detriment. Everyone I knew and worked with seemed to come from similar worlds: computer science, network security, the military and intelligence services. I felt like I didn’t belong. 

The transition was not easy. But the most difficult part for me was realizing my value. I thought I wanted to “fit in” to a community defined by the (mostly male) people who work in it. The loudest and most well-known voices are people with backgrounds that starkly contrast my own. I read the recommended handbooks, watched countless hours of YouTube, filled notebooks with lessons learned from my contemporaries. I began attending and speaking at conferences. I started to develop my own voice and engage with “customers,” that is, the people working tirelessly to protect their businesses from cyber threats. The people I wanted to help. The people reading what I wrote, and listening to what I had to say. 

Eventually I realized a background in journalism is invaluable in cyber threat intelligence. Effectively communicating threats to all audiences — from defenders to operations engineers to CISOs — is a skill most people do not have. And effective communication that tells a reader what they need to know and what to do about it is a key piece of making threat intelligence useful. (I recently spoke at the SANS CTI Conference on this topic, and how journalism concepts and skills can be translated to produce clear, concise threat intelligence.)

I do not think all journalists should become threat intelligence analysts. Journalism is vital for an educated, thriving world, one where people in power are held accountable. And one where cybersecurity is better understood. However, I think the industry needs to change the way we think about effective threat intelligence reporting and analysis, and bring in more people like me who think differently, who have different backgrounds, and who bring unique voices to cybersecurity.

CJ, my director at Dragos, said I was the most creative analyst he’d ever worked with. I think this was due, in part, to taking a critical look at information, sources, and processes, and rigorously questioning them. Sometimes I would find information that had been overlooked. Sometimes I found patterns in data that no one else had. And sometimes I confirmed the hypotheses of my peers, but approached the conclusion differently. CJ helped me realize that creative thinking and different ways of approaching problems were important, and that “fitting in” was not necessary.

Dragos took a chance on me and helped me develop into a really great cyber threat intelligence analyst (if I do say so myself). And I’m so beyond stoked to continue my work at Proofpoint. 

As I am on break between jobs, I thought it would be a good time to jot down some advice to journalists and other people with core skills beyond computer science or traditional intelligence. We need you in this field. And if I can help build a path for you, I’d like to be able to do it. 

My friend Katie Nickels, the director of intelligence at Red Canary, has already done a lot of this work, and I highly recommend reading the following: 

FAQs on Getting Started in Cyber Threat Intelligence

A Cyber Threat Intelligence Self-Study Plan: Part 1

Her work focuses on the practical elements, so I would like to provide the following things to consider to complement her existing work, specifically focusing on the transition from journalism to CTI. 

  1. Think about the reasons why you are a journalist. I cared about informing people of threats, playing a small part in making the world a bit more informed. Journalism to me meant constantly learning and helping others do the same. This dovetailed with the work I did at Dragos (and soon at Proofpoint!). What are your reasons? Will you find the same fulfillment in a role outside of journalism?

  2. Remember you will not see your byline as often, if ever. You will not get the adrenaline rush of hitting publish on a scoop. You will be part of a team that works together, and the content you create will usually not have your name on it. Personally, this was a bit hard to get used to. Everyone has an ego and I think journalists sometimes have a larger one than others — we publish things with our name on it and like to get the credit. On a team of analysts, researchers, hunters, etc., CTI is a team sport. At least, it should be. 

  3. If you are lucky you will work with some of the smartest, nicest, friendliest people who know that CTI is a team sport. They will help you learn and grow as an analyst and as a person.  

  4. Working in the private sector means you are beholden to business interests, not the public who read your work. CTI is marketing. There are layers of interests your public work must go through before it sees the light of day, not just editors and fact-checkers with the occasional lawyer review. 

  5. You will learn that CTI is not magic; it is staring at a screen for hours and hours hoping you find something interesting and then digging until you do. Sometimes you won’t.

  6. You will have to approach every customer differently. You will have to do sales work. You will have to massage the way you speak depending on the audience. But you probably know how to do this based on years of developing sources and knowing what people want to hear to get them to tell you things. 

  7. The cybersecurity and CTI communities in general still value “technical skills” over “soft skills.” I hate that term. Katie Nickels suggests calling it “core skills.” That is so much better. 

  8. The industry can be sexist. This will come as no surprise to female journalists who have to deal with it in the media industry, too. Women will need to fight harder to prove their value. Just something to think about. 

  9. Knowing you helped make an organization — and its people — more secure is very, very rewarding. 

  10. CTI pays better.

I love working in cyber threat intelligence. I love being an analyst. I am so blessed that life’s path took me in this direction. One day I might go back to journalism. And one day I would like to write a book. Until then, I will keep telling stories to help people protect themselves. 

Cyberattacks need consequences

This week, the U.S. Department of Justice unsealed charges against six Russian intelligence officers for malicious cyber activities against the U.S. The indictment revealed a laundry list of crimes tied to the defendants who allegedly work for Russia’s Main Intelligence Directorate of the General Staff of the Armed Forces (GRU) Unit 74455. The DOJ blames them for:

· Causing mass blackouts in Ukraine

· Distributing malware that disrupted global supply chains and cost businesses billions

· Messing with companies and government entities in Georgia

· Disrupting and sowing discord during the French elections

· Preventing Russia from being held accountable for its use of “weapons-grade nerve agent” in a foreign country

· Attempting to sabotage the 2018 Winter Olympics

The GRU entity behind the attacks is colloquially known as Sandworm, ELECTRUM, BlackEnergy, Telebots, Voodoo Bear, and Iron Viking, among others. (Note: Naming conventions vary among threat intelligence providers and government entities. For the purposes of this blog, I’ll call them Sandworm. ELECTRUM is what my company Dragos calls the initial access group associated with CRASHOVERRIDE.)

Sandworm is a notorious group – as documented in Andy Greenberg’s terrific book – and has singlehandedly caused billions of dollars in damages, plunged cities into darkness, and proved to be a poisonous thorn in the side of businesses, politicians, human beings, countries and their respective intelligence agencies for years. Sandworm has become the chief villain in the theater of cyberwar, one that, despite unmasking, has yet to face any consequences.

The DOJ indictment contains 50 pages describing a lot of disruptive and destructive activity attributed to this group. Some of it, including the 2015 and 2016 cyberattacks on Ukraine’s electric infrastructure, could have had very real human consequences. And yet, the defendants are only charged with conspiracy to conduct computer fraud and abuse, conspiracy to commit wire fraud, wire fraud, damaging protected computers, and aggravated identity theft.

To be fair, that’s really all the lawyers can do, considering some of this group’s most egregious activities were executed well away from U.S. soil. However, it is another line on a growing list of cyberattacks conducted by foreign actors that have yet to see any real consequences.

The U.S. Department of the Treasury has issued sanctions on entities in response to hacks, including NotPetya and 2016 election interference. Additionally, this summer, the European Union issued its first cyber-related sanctions on North Korean, Russian, and Chinese individuals and entities responsible for cyberattacks known as WannaCry, NotPetya, and Operation Cloud Hopper. They followed that up recently with additional sanctions on the head of the GRU this month for an attack that – as my cyber husband and reporter Patrick Howell O’Neill points out – happened way back in 2015. But sanctions and indictments generally do little to dissuade state-backed operators. They essentially put restrictions on finances and travel. Generally, organizations and people residing within the country or union implementing the sanctions cannot conduct business with the sanctioned entities, nor can those who are sanctioned travel within those regions. But cyberattackers carry on with little regard to consequences. The 2018 U.S. sanctions on Russia’s GRU, for instance, have not stopped Russian adversaries from continuing activities – including targeting the 2020 Olympic and Paralympic Games, U.S. businesses and government entities, and even entities working on coronavirus vaccine research.

Frustratingly, there has been no accountability or consequences for destructive attacks on critical infrastructure that took down electricity in Ukraine. The BlackEnergy event in 2015 and CRASHOVERRIDE, the 2016 attack that caused blackouts in the country, were major cyber events that impacted innocent citizens, and yet there was no global outrage or response.  

There is an ongoing conversation in various circles from policy to security to law enforcement over the concept of “cyberwar.” What do we do about it? How do we prevent it? What, actually, is cyberwar? People put on their suit jackets and thinking caps and debate the merits of sanctions, offensive cyber operations, and (ugh) “hacking back.” Effectively, global scholars and hackers and lawyers are attempting to come up with the “rules of cyberwar” in a time when cyberattacks can impact human life.

As Dragos’ vice president of intelligence Sergio Caltagirone and I write in the book “Cyber War & Cyber Peace in the Middle East: Digital Conflict in the Cradle of Civilization,” despite cyber warfare capabilities existing and being deployed for over a decade, cyber warfare norms and civilian protections are nonexistent. 

Until norms are established and enforced, cyberspace will effectively be a lawless landscape, with adversaries targeting any entity that furthers economic and national interests regardless of humanitarian cost. Espionage, disruptive malware, and destructive attacks can ultimately endanger societal structures and individual welfare. The ultimate and early costs of international inaction will land squarely on the shoulders of civilians, given the current cyber threat environment. 

Having no real consequences for disruptive or destructive cyberattacks is not good for cyber “norms” and boundary setting. The ongoing and frequent conversation around “rules of cyberwar” has no foundation to build on.

Until such time as operators receive more than a slap on the wrist for disruptive and destructive cyberattacks, hackers will be empowered to continue their behavior. So, what does that look like? Well, society is working on it. As Caltagirone and I write in our chapter:

At a minimum, countries should prohibit cyberattacks impacting or harming civilians, which would include any disruption to critical infrastructure. Building on the work of civil society organizations, governments, and technology firms, Microsoft in 2017 released a whitepaper suggesting ten rules a digital Geneva Convention should contain. The first rule is, “Refrain from attacking systems whose destruction would adversely impact the safety and security of private citizens (i.e., critical infrastructures, such as hospitals, electric companies).”

The threat of disruption to critical infrastructure is real, as we have observed in Ukraine and Saudi Arabia. The potential impact on human life, the environment, and the necessary infrastructure for survival is very real, too. As a cyber threat intelligence analyst, I enjoy the indictments, the sanctions, the official attribution of cyber operations to threat actors. But the human in me wonders: where are the consequences? Where is the accountability?

Ransomware shows us the supply chains we rely on are fundamentally flawed

 

Ransomware is exhausting. The criminals behind cyberattacks that encrypt computers, and now steal and leak data, while completely disrupting business as usual are predatory, callous jerks. Ransomware is often described as a 21st century hostage attempt, run by cartels of various shapes and sizes, offering “ransomware-as-a-service” opportunities and messing with everything from schools to hospitals to small businesses. I dislike comparing types of crime and reducing the complex nature of ransomware cybercrime to a simple encryption scheme. Because if we have learned anything since 2017 it’s that ransomware and the operators behind it are becoming increasingly adept at disrupting the underpinnings of society – whether they mean to or not. 

Let me be clear: This is not cyberwar. It is activity revealing an intricate web of flawed systems that rely on insecure computing, invasive vendor operations, and interconnected services that drive our daily lives. Ransomware, especially in the last three years, has shown how fundamentally connected the world is and how we are supported by various supply chains, from agriculture to manufacturing to healthcare to elections. We rely on computers working correctly in order to live. And I would argue no other cyber threat comes as close to holding a mirror up against our enmeshed reality and exposing its flaws.

The discourse that bubbles up whenever ransomware is discussed is fascinating, if not flawed. Ransomware is definitely targeting elections! Ransomware is definitely not targeting elections! Can both statements be correct? (Well, no, but the answer is a bit more complicated.) 

Ransomware is a major threat to every industry. But perhaps not a direct threat. The indirect impacts of ransomware can have as much, if not more, impact than the encryption activities.

Take, for example, sheep. Earlier this year, auction buying software platform Talman suffered a ransomware attack. Talman is the largest supplier of in-house wool IT systems globally, and more than 75% of the industry in Australia and New Zealand uses the company’s products. Australia alone is one of the world’s largest wool producers and 2017 data suggests its wool exports were around $3.615 billion. So, it’s a booming business.

In February, Talman’s ransomware attack brought wool buying and trading to a halt across Australia. According to local reports, auctions were cancelled for a week, “preventing 44,000 bales of wool worth up to $70 million entering the marketplace.” The incident put added pressure on an industry already beset by the coronavirus pandemic and bushfires that blazed across the country. Wool farmers and brokers were immediately impacted both financially and logistically. But the disruption would have domino effects on buyers and their customers like textile mills, manufacturers, and others in the business who rely on timely shipments for production and distribution.

Australia’s wooly woes are a great example of how companies around the world are interconnected through what people refer to as the “supply chain.” This is formally defined as “the sequence of processes involved in the production and distribution of a commodity,” but can be everything from software that supports auctioneering to the manufacturers that make your phone to the vendors that have remote access to industrial operations. You as a consumer are, in fact, part of the supply chain, albeit a link somewhat toward the end.

Ransomware has revealed that these links are fragile. In 2017, we saw WannaCry and NotPetya (not a ransomware, I know) bring companies to their knees, disrupting logistics, manufacturing, and healthcare. In 2020, we see Ryuk, Maze, Sodinokibi, and multiple other ransomwares and their operators targeting and disrupting steel production, state and local governments, and software providers that happen to work with organizations supporting U.S. elections.

Various government agencies and the tech behemoth Microsoft have warned ransomware is one of the largest threats to the upcoming elections. But it’s not the ballots or voting machines that concern experts. As Microsoft said in its blog announcing a disruption of the infamous Trickbot malware, “adversaries can use ransomware to infect a computer system used to maintain voter rolls or report on election-night results, seizing those systems at a prescribed hour optimized to sow chaos and distrust.” Effectively messing with the tools we use to function in a democracy. This, my friends, is the supply chain.

(I would like to point out here, however, that there has been no public evidence of adversaries actually doing this, and if you are aware of ransomware adversaries specifically targeting software and services supporting election systems in an effort to disrupt the U.S. elections, please message me on Keybase, as I would love to know.)

In my role as senior cyber threat analyst at the industrial cybersecurity firm Dragos, I scour the web (clear and “deep,” thank you) looking for evidence of ransomware attacks and the consequences they have on businesses. Often the public looks at ransomware in a vacuum: this attack locked up computers at this company and they either had to pay a million dollars or work with the FBI to get their stuff back. (I’m simplifying it, I know.) Sometimes the monetary cost of ransomware is revealed in the millions of dollars either because a company paid for the decryption key, or it cost them dearly to rebuild impacted systems. Note to analysts and reporters: Federal financial filings are treasure troves of ransomware data and what attacks cost businesses.

However, it is impossible to know the true cost of ransomware. Not just in monetary expenditures, but in the loss of business, reputational damage, physical harm done to people, or the emotional and psychological toll on people who have been victimized by a ghost. It is also difficult to learn how much of an impact the ransomware had on customers and partners. Companies will frequently say the attack did not impact their customers or operations, but sometimes we eventually learn that it did.

Ransomware is a scourge on our interconnected world, but I believe companies, industries, and society as a whole can come out stronger and more resilient after facing down these adversaries. Ransomware – at least the initial access and encryption – can generally be prevented by practicing proper security measures. “Security Hygiene” it is called, but I hate that term. We also must realize that no matter the link along a chain of supply and demand, it is strong, and it is valuable, and a tiny disruption can make the whole thing fall apart.

Fortnite is risking user security in bypassing Google Play Store

Fortnite is a massively popular third-person shooter game, and its highly anticipated Android version is coming soon. However, the launch has a caveat: Fortnite won't be available on the Google Play Store. Instead, users will have to download it directly from the game's website.

Fortnite maker Epic Games CEO Tim Sweeney told The Verge the company wants to have a "direct relationship" with customers by cutting out the middleman, Google, and in this case also cutting out Google's 30% cut on in-app purchases. But the move could also mean users will have a more direct relationship with malware developers, too.

Bypassing the Play Store also means bypassing its built-in security protections while conditioning people to feel comfortable with downloading apps and services directly from the web. The Google Play Store isn't totally malware-free of course, but its protections like Google Play Protect and regular application security audits mean users who get apps from trusted developers directly from Google's marketplace are better protected than those who install third-party apps outside Google's official store. 

To install a third-party app from a website outside of Google Play (a method called "sideloading"), users must allow apps from unknown sources by modifying the device's security settings. This will let you download Fortnite; but it would also make it easier for illegitimate developers to get you to download malicious content. We've already seen how bad actors will take advantage of Fortnite's move to Android—when the company announced its Android app would be available this summer, Fortnite scams and malicious downloads began popping up on YouTube and around the web to make money off unsuspecting users looking for the game's mobile version. 

It's somewhat understandable from a business perspective. Fortnite hit $1 billion in revenue from in-app purchases last month, and the company doesn't want to split the check with Google. (Apple also takes a chunk of apps' revenue; however, the company makes it virtually impossible for iOS users to legitimately download apps from anything but the iOS App Store.)

But from a customer perspective, it sucks. Security experts, tech companies, and app developers all agree it's best practice to only download apps from trusted developers, and only from legitimate app stores. By shirking these practices, Epic Games is normalizing behavior that can lead to kids' phones getting hacked. 

For instance, hackers could masquerade as legit Fortnite representatives or gamers and trick people into downloading malware. This method of phishing Android users to install bad apps and spyware has been used by state-backed adversaries and average bad actors alike. 

Sweeney appears to have a lot of faith in Fortnite users fully understanding proper Android security hygiene. That includes remembering to disable allowing downloads from unknown sources once they've got the game (unless they're running Android Oreo, which asks for permissions individually), and being able to identify malicious applications from the legitimate Fortnite app in the first place. 

By avoiding the Google Play Store, it appears Epic Games is putting profit over the risk of privacy and security issues for its users. In doing so, its players lose. 

Update: A previous version of this post misstated Fortnite's revenue. My bad, thanks Jordan! 

Tech Bytes: The Struggle of Healthy Eating at Conferences

It's that time of year again. Time for the annual pilgrimage to the desert for two major security conferences, Black Hat and DEF CON. That means it's also time for me to have at least one breakdown over too many or too few calories from foods I consider "bad" or "safe." 

I do not have a normal relationship with food. But with all the diets and paleo recipes and celebrity poop teas of our age, what is really normal anyway? Well, it's probably not being afraid of anything with dairy, sugar, or too many carbs, and it's definitely not restricting yourself because if you eat a slice of pizza you will hate yourself for a week. 

Traveling is really difficult for me. I am in recovery from anorexia and purge disorder, and although I went through extensive therapy to try and tame my demons and learn that it's okay to eat more than oatmeal, whenever I break from my normal eating patterns, some of my bad habits return. I think about how many calories are in whatever I put in my body, and tell myself if I eat something I consider "bad," it will ruin everything I have worked so hard to maintain. 

In my life there are four main food groups: vegetables, grains, protein, and fear. I am afraid of pizza. Of fried chicken. Of mayonnaise and thick cuts of meat. And don't get me started on cheese. Cheese is the boogeyman, the scariest food of all. Sometimes I eat my fear foods, and then I feel terrible for days, regretting every bite.

This is not normal, and it is not healthy. I know this, and I am working on it. Part of maintaining a healthy relationship with food is maintaining healthy habits. At home, my fiancé and I cook vegan recipes regularly, and stick to the foods I consider "safe." That means nothing fried, nothing with heavy meat or dairy, and bowls bursting with fresh fruits and vegetables. It's a comfortable rhythm, and thanks to therapy and mindful habits I feel like I can get through my life without the specter of an eating disorder suffocating me. 

That all falls apart when I travel, especially for work. I joke about this a lot on the internet, about where to find avocados in Las Vegas or that grocery stores are too far from the Strip. I hide behind self-deprecating humor because it's easier than being honest. I also joke about the time I started bawling in the middle of a casino during another tech conference (CES) because I hadn't eaten vegetables (or really anything) all day. Gamblers thought I was drunk; I was actually on the verge of collapse and self-harm. My friend AJ knew, and walked up and down the Strip with me for a while until we found something I considered "safe" to eat. I will never forget the way he smiled -- because I can see why it's humorous when your friend is crying about broccoli -- but didn't judge me, and instead helped me get through the darkness.

Meals on business trips are largely predicated on the food at the venues, at the scheduled dinners, and at whatever line is the shortest. They are also booze-filled, which, for me, exacerbates the feelings of disgust and likelihood of harmful behaviors when my habits are broken. I try hard to stick with what I am comfortable with, but I also don't want people to wonder why I'm not eating what everyone else is.

I am extremely good at hiding things; I just want people to think I'm normal.

I might be embarrassed about my behaviors, but I shouldn't be. At least 30 million people in the US have an eating disorder, and almost 1% of American women will have anorexia at some point in their lives, according to the National Association of Anorexia Nervosa and Associated Disorders. There are millions of people like me -- and chances are some of them go to technology conferences. 

If you are one of those people and you experience the struggle of trying to maintain healthy habits and not self-harm while at events like Black Hat or DEF CON, I want you to know you are not alone. I don't have a solution for surviving Las Vegas or the best ways to plan to eat healthy on business trips because I have not figured it out myself. It is still extremely hard for me. But hopefully by talking about it I can help alleviate the shame and stigma that surrounds eating disorders and encourage people to discuss this with their friends or colleagues who will be sharing the environment if they feel comfortable enough to do so. 

I am not ashamed to have an eating disorder. But it took me quite a while to come to that conclusion. Self-hatred and shame are invisible, but they are absolutely devastating to your body. Some people looked at me with complete disgust when I told them about my behaviors, and those are the looks, the voices, and the feelings I used to focus on. Now I think about the compassion and kindness friends and strangers have shown me when I admit "Hey, this shit is really hard!" A kind and empathetic response to these feelings is so powerful, and helps the shame lift.

I'm excited to spend time in the desert with my friends and coworkers, and hopefully learn a thing or two. And I also hope that this time is easier than the last. If it isn't, that's okay, too. 

The Backbone of the Internet and the Blueprint for Blocking Jerks

Dyn, a performance management company, published a blog post this week highlighting successful collaboration between transit service providers, IXPs, and the anti-spam community to effectively kick an abusive company off the internet.

Bitcanal is the company behind a years-long border gateway protocol (BGP) hijacking campaign. The group took over large groups of IP addresses that didn’t belong to them and allegedly sold some to spammers while participating in a campaign of abusing the fundamental systems that make the internet work and distribute content to your eyeballs. Some IPs belonged to non-existent businesses, but, as security journalist Brian Krebs points out, other addresses managed by legitimate organizations including the Texas State Attorney General’s office and the US Department of Defense were roped up in the scheme. Krebs reports researchers have tied Bitcanal to the suspected theft of millions of IPv4 addresses.

Researcher Ronald Guilmette kickstarted the recent plot to take down Bitcanal, working with transit providers including GTT and Cogent, and internet exchange points (IXPs) to play whack-a-mole when Bitcanal tried to reconnect through other companies. This week internet service provider Hurricane Electric and transit provider IPTelecom disconnected Bitcanal, rendering them “cutoff from the global internet,” Dyn’s Director of Internet Analysis Doug Madory wrote.

What struck me about his post was the definitive declaration tucked in at the end: “IXPs are not just a neutral transport bus anymore. They facilitate a unique service that malicious actors can leverage. Like it or not, this makes IXPs responsible too.”

IXPs are in charge of the infrastructure for traffic exchanges between ISPs and content delivery networks (CDNs). If IXPs are seen as complicit in enabling malicious activity and responsible for helping to police it when it becomes unwieldy, then perhaps that ethos could also extend to other internet services enabling bad actors: social networks.

There is a groundswell of criticism directed at Twitter, Facebook, YouTube, and others for the roles they play in allowing malicious content, bullying, disinformation, and other bad content to proliferate on their platforms. Elected officials in both the US and UK have called on executives for Facebook and Twitter to explain how it’s possible for bot-armies and fraudulent (and often dangerous) information to proliferate on their platforms to influence public opinion. The criticism came to a head when a whistleblower for Cambridge Analytica described how his company collected 50 million people’s Facebook data to build psychographic profiles of users in order to sell advertising. The UK fined the social network £500,000 for failing to protect users’ data (which is virtually nothing to Facebook, a company that made $11.97 billion in mostly advertising revenue last quarter).

There are of course differences between IXPs and social networks, fundamental building blocks versus social networks we opt-in to use. One could argue people know what they’re getting into — potential harassment, disinformation, and human monetization — when signing up for these platforms. However, social networks have become almost as fundamental to the way people use the internet as the pipes responsible for it.

Facebook used its Internet.org initiative to provide connectivity to developing countries as an on-ramp to Facebook itself. Its “Free Basics” program includes Facebook and Messenger as part of the free apps available to users where data is cost-prohibitive. (The Outline reported in May that Facebook is pulling its Free Basics plan from some countries following criticism.) About 45% of US adults rely on Facebook for their news. And at the same time it promises to combat disinformation, it still allows popular and harmful conspiracy theorist content to thrive. At an event with reporters this week, Facebook said it’s committed to fighting false news in the same breath as it defended permitting one of the biggest arbiters of that content on its platform.

Despite years of promises, Twitter, too, has failed to properly handle abuse as it simultaneously promotes its value to humanity while being the US President’s favorite platform. Its executives continuously promise to purge suspicious accounts — including this week’s tweet from CEO Jack Dorsey and a report from the Washington Post that the company suspended 70 million accounts in the last couple months — but often consider death threats and other harassment as insufficient evidence of violating its standards. People engage with the world’s biggest events — political, sporting, television — on the same platform used by propagandists to spread disinformation to millions of people during the 2016 US presidential election.

Facebook and Twitter could perma-ban accounts that continuously tweet harmful harassment and hate speech. Twitter has kicked off individual high-profile users for inciting hate speech and mobs of trolls, but that number is tiny. Social networks are loath to remove speech or humans from their platforms; for both companies, the right to speech and to post virtually whatever you want is ingrained deeply in their ethos, and booting publishers or people off their platforms would force them too much into an editorial role. (Facebook’s CEO Mark Zuckerberg recently told Congress it is a “technology company” not a media company, an argument that prevents it from being regulated like broadcasters.) Banning accounts can have a financial impact, too. Twitter stock fell 9% on Monday following the news it suspended millions of accounts.

There are complexities around free speech—it's certainly not as cut and dried as shutting down IP hijackers—but its harmful effects are often extremely obvious. For example, the death threat cited earlier that Twitter ignored until the verified user put them on blast, and one popular conspiracy theory propagated online that resulted in a man bringing an assault rifle to a pizza parlor; he ended up sentenced to four years in jail.

Content distribution services have stepped up before to make editorial decisions about the information flowing on their services. In 2017, Cloudflare dropped neo-Nazi website The Daily Stormer from its network, and web-hosting providers GoDaddy and Google both also dumped the site. The move sparked a debate over power on the internet and whether CDNs and other service providers should decide what can be viewed online.

As billions of people become increasingly reliant on these companies as part of our daily communication and knowledge consumption, it’s time for them to more definitively address their role as responsible stewards of news and information, and the impact bad actors can have on the world beyond the web.

[Social networks] are not just a neutral transport bus anymore. They facilitate a unique service that malicious actors can leverage. Like it or not, this makes [social networks] responsible too.

Parisian suggestions

A friend recently asked for suggestions of what to do in Paris. Here, I give some.

I was there for four days and pointedly avoided most of the tourist destinations because I’ve been to them already. The Champs-Élysées was only worth visiting because of the popup art exhibit Art-Élysées, with 75 galleries showcasing work through three pavilions that took up much of my afternoon. The Louvre was teeming with visitors taking selfies, and the Eiffel Tower, though nice to look at, only required about ten minutes of an evening.

So, without further ado, I present to you my Suggestions Of Things To Do in Paris.

What to do

Street Art Tour. This was the best thing I did on my trip. Our guide took us on a tour of Belleville and surrounding neighborhoods. It was a little over three hours, so it’s quite a commitment, but totally worth it.

Canal Saint-Martin, where you might stumble across a flea market bursting with vendors selling trinkets and junk, and the occasional diamond in the rough. I purchased a handful of postcards from 1919-1956. They belonged to someone who died.

Marché des Enfants Rouges, the oldest covered market in Paris, selling everything from crepes to cheese to fruits and vegetables, along with some of the best Moroccan food I’ve eaten. It’s right next to a ton of lovely little boutiques and antique shops, though I suggest going any other day but Sunday, as most of them are closed.

Aligre Market, a colorful outdoor market where locals do their shopping.

Classical music at La Sainte-Chapelle, the holy chapel on the Île de la Cité. It’s a beautiful setting to hear a chamber music concert, and if you’re lucky and the lighting is right, the stained glass is truly something to behold.

Jardin des Plantes and the National History Museum are overflowing with visitors, but wandering through the gardens that are home to plants with medicinal purposes, and the corridors of humanity’s history, will make you forget about bumping into random strangers with selfie sticks.

You can get lost in the poetry on the second floor of Shakespeare & Company, the floor dedicated to Sylvia Beach that contains volumes unable to be purchased. In reading nooks, visitors leave little notes, and the worn wood and homey decor makes you feel right at home among the books.

The shops and art galleries along Rue des Francs-Bourgeois and Rue Rambuteau are where I found presents for my family. Street musicians including full jazz bands and an opera singer are set up along the sidewalks, and there are a handful of quaint antique stores and jewelers among the galleries and clothing stores. (The GILDA vintage shop is absolutely worth visiting if you’re into that sort of thing.)

Artazart Design Bookstore is a paradise for designers, photographers, DIYers, chefs, artists, makers, and everyone in between.

Where to eat and drink

Shakespeare & Company Cafe, the cafe next door to the bookstore, has a variety of delicious vegan and gluten-free options, including a peach cobbler to die for. It’s a bit pricey, but that comes with the tourists.

Le Comptoir Général is difficult to explain. It’s a tiki bar, wine bar, coffee bar, and snack bar, all rolled into one. Its plush interior invites you to sit for hours with friends, or wander its large, open floor plan decorated with pop culture and historical artifacts. The patio is quite welcoming, especially in nice weather, although it can get a little smoky, because, well, it’s Paris.

Liberté Patisserie Boulangerie is near Canal Saint-Martin, and it was here I had the most exquisite and delicate pistachio tart I’ve ever eaten in my life.

I was sick of bread and cheese when I stumbled upon Siseng, a fabulous Asian fusion restaurant that’s relatively inexpensive and incredibly delicious. I waited about 15 minutes to get a table for one, but it was worth the wait.

Rue Montorgueil is a lovely pedestrian street lined with cheese shops, wine shops, boulangeries, rotisseries, fish markets, flower markets, and the occasional boutique.

Eat With lets you attend a dinner party with a total stranger. My Argentinian-inspired meal was phenomenal, a five-course meal cooked by Belén Gowland, a Le Cordon Bleu-trained chef and all around amazing human.

My notebook in Paris

This is the first in a series of posts I wrote in my notebook while on vacation in 2015. Republishing it here.

A smell can tell you a lot about a place. Does the putrid smell of garbage mask the smell of window box gardens and falafel stands like it does in New York on trash day in the summer? This smell tells you New York needs to work on its infrastructure.

Paris in the fall smells like a symphony of a city fully lived in, overflowing with people who are only there for a moment, and those who have lived there for decades. It smells like cigarettes and fresh-baked bread. It smells like fog and tour buses. It smells like the damp, dead leaves that crunch or slide under your feet when you walk to the subway, which, while being efficient and easy to navigate, smells like the blood and sweat of a city that’s held humanity and commerce in its arms for centuries.

I like riding the trains in Paris. You see all kinds of people in transit—tourists folding and unfolding their maps, making sure they’re headed in the right direction and inevitably getting off a stop too early or too late. Old ladies dressed in colorful wool with black patent leather shoes, reading pages of yellowed French novels. Moms lecturing their bored-looking children about homework that wasn’t turned in on time. Drunk people.

The best part about traveling by train is that it’s impossible not to fit in. You are one of hundreds of people traveling in the same general direction, none with anything in common except that your bodies are simultaneously gliding the same way, which means you all have more in common than you might have considered in the first place.

Along with luggage and groceries or maps and books, each person carries with them a story that is not immediately obvious. When you ask one about it, you’ll discover their stories are just like yours, but with different characters, emotions, belonging, and scents. Your stories are the same because you’re each carrying it with you; it clings to you like a shadow. Different because no one is the same.

I get off the train in the 12th arrondissement. It smells like spices from the rotisserie and coffee from a nearby cafe. I walk a few blocks through the rows upon rows of fruits and vegetables in Aligre Market, stopping for a banana and a slice of fresh bread bursting with nuts and dried fruit, so hot that the first bite singes my tongue and I have to wait impatiently to finish it. I keep walking. It smells like vegetables transported in crates that mushed up a tomato or two en route.

My boots slip on the cobblestones as I wander into Oberkampf. Here, no tourists clutter the streets, and shopkeepers stand outside smoking with neighbors, all of whom seem to have their hands full of baguettes. Saturday mornings must be the time to refill the pantry.

A child no older than six walks by with his own grocery bags full of fresh-baked carbohydrates. A man in a window three floors up whistles and waves at him between drags of his cigarette. The boy smiles and nods, careful not to drop his packages.

I wait outside a cafe for the street art tour to start. On a large blue wall, “Mother Teresa is Kate Moss,” is spray-painted haphazardly as if the person didn’t really believe in their graffiti. By the time the group begins its tour, the black graffiti is painted over, and Mademoiselle Kat is preparing to put up her own masterpiece on Le Mur. It’s a commissioned wall that changes each fortnight, our guide, Virginie, explains.

Things are changing throughout these neighborhoods, which include Oberkampf and Belleville. Artists like Késa and Diamant take to the streets with art meant to provoke and inspire you to look up, away from your feet and your phone. At the same time, the city is slowly chipping away at the culture that makes these neighborhoods so diverse and vital. Here is the “real Paris,” Virginie says. Different cultures giving the neighborhood its diversity in food, clothing, and art. And smells.

It is here that street art is as much a part of Parisian culture as croissants. Along Rue Dénoyez, professional artists’ work is intertwined with the public’s, adorning walls gifted to the street artists by the city. But soon one of these walls will disappear; a projects building will be erected to house the people who are getting displaced, or cannot afford to live in their apartments anymore. Gentrification, Virginie says, means that soon many of these ethnic restaurants will be replaced with hip joints attracting a new kind of crowd to the neighborhood. The “real Paris” is disappearing. And so is the street art.

Take pictures to put on Facebook, she says. This way the art can live on.

By the time we’re back in front of the blue wall, it is covered with zombie brides.

My ankle burns as I follow the streets to Canal Saint-Martin. No one I walk by looks up, and I find that now I have a hard time looking anywhere else.

I pass by multiple vegan restaurants and fusion cuisines on my way to a place that could only be described as a hipster haven. Le Comptoir Général has a tiki bar, coffee bar, wine bar, and snack bar, decorated with pop culture and history I know little about. No one is speaking English.

Across the canal is a design and bookstore, and I find myself wishing I knew more people who appreciate the same things I do. Those who keep coming to mind are exes. They would love it here.

I fall in love with the boutiques and cafes, and the cacophony of noise that seeps out through the streets of the canal neighborhood. It reminds me of Brooklyn. Or Valencia Street. It is then that I realize that this is what Virginie meant by Paris losing itself. I think for a second that I am part of the problem.

I buy black and white shoes from the Bensimon popup store. I drink organic coffee.

At night by the Eiffel Tower, you can feel an electric human energy. It’s fueled by selfie sticks and city maps, tired children and grumbling locals who, by accident, find themselves in the middle of it. I buy a baguette and eat it in a silent park, watching the light fade from lavender to navy to a deep, dark black, and the tower change from an orangeish yellow to a bold, sparkly gold.

I yell at a man selling trinkets who won’t leave me alone. My foot hurts. I’m tired. I walked 18 miles today.

Perhaps it is because I romanticized it so much in my head that Paris feels like a bit of a letdown. Or perhaps it’s because I’m on the tail end of my solo trip, not hearing a voice I recognize for days, seeing couple after couple cuddled up in cafes, or strolling through markets feeding each other bits of crepe. I’m happy for them and a little envious. For they surely planned their trip better than I did.

But I end up at a warehouse party with a bunch of design students on drugs, so there’s always an unexpected adventure when traveling serendipitously.

Some places smell like love. Paris is not one of those places. You may sense it briefly on the wind as it rustles the changing trees along the Champs-Élysées, or in a quiet moment when you’re sitting alone on a park bench. But then someone wanders by with a cigarette, and it disappears in a puff of smoke.

The serenity I found in Bruges was not matched in Paris. It’s too busy, too big, too transitory, while being rooted in history. It’s familiar and unrecognizable. It can overwhelm you, or force you to stumble upon something entirely unexpected.

I’m not sure I found what I was looking for in Paris, though I’m not entirely sure what that would be. I half-expected to know it when I saw it.

Someone recently told me I had too many expectations. Perhaps he is right, and true inspiration or romance comes when you’re not looking for much of anything at all.

On my final evening in Europe, I wander through the third arrondissement, and the Île de la Cité. Lit up at night, cathedrals like Notre Dame look even more imposing. Sainte-Chapelle is completely dark on the outside, inside illuminated only by a soft glow of yellow lights. The stained glass towers over the room, lifeless, its beauty snuffed out with the sunset. A man with a violin begins to play to a small audience in the freezing chapel.

The notes cascade like raindrops echoing on the stone walls of the church. Slow, fast, impossible chords filling my heart with joy, melancholy, curiosity, and frequently, heartbreak. With each piece he exposes something of himself, and with it, a part of me, too. I sit so still my legs go numb, my brain thinking of things I tried to forget, and remembering moments long-forgotten.

Sixty minutes feels like sixty seconds by the time he is done.

I am the only other solo patron at the program. Sitting in front of me, an old man who shuffles when he walks becomes a statue, his expression not changing from the moment he sits down to the time his feet shuffle slowly out of the theater.

I feel lighter when I leave the chapel, as if the heaviness I felt inside is carried off by notes composed long ago.

The train is quiet and smells like old, worn clothes. When I get to the quiet street on which my temporary apartment sits, filled with photos of best friends, postcards, and post-it notes, scribbles reminding the bed’s occupant that life is beautiful and love is real, I say goodnight to Paris.

My breath glistens in the moonlight.