[yorwba]

Who was the target audience for the long-form article? It has some technical details, but they appear to be used more for decorative effect. E.g. the string daa0 c7cb f4f0 fbcf d6d1 from the hexdump is eventually revealed to correspond to C:\Windows, but isn't actually explained. I was able to come up with the following Python for the obfuscation: [hex((i + 153) ^ ord(c)) for i, c in enumerate(r'C:\Windows')] but most of your readers probably just see a jumble of letters and numbers they're told has some significance, but which appears incomprehensible to them.

Did you do testing with focus groups to determine whether the longer article helped people "understand how these intrusions are actually working" or whether it just made readers aware that they don't understand?

[hakantan]

This is a very good question. By now, there is a git repo (https://github.com/br-data/2019-winnti-analyse) for the more technical folks (includes yara, some scripts etc.)

We don't have focus groups, but we want to convey to our readers are certain understanding how these operations work. What threat hunting is, why it is important and all that.

At some point you have to make some certain decisions. One was not to explain what a rolling xor is. So yeah, we had to simplify a lot. The truth is, though, this stuff is hard for most people, myself included.

Hope that helps.

[yorwba]

I didn't expect you to deliver a crash course that would allow even non-technical readers to understand all details, so I realize that you had to leave out a lot. That puts you in an awkward spot where your explanation probably creates more new questions than it answers.

Some news websites hesitate to put external links in their articles because they lead readers off the site, but I think they can be helpful to provide jumping-off points for the interested reader. For example, the git repository could be linked somewhere in the article, or as part of the "about the project" section at the end.

PS: The top-level comment of this thread was flagged and hidden, so most users won't see your replies here. You might want to post another top-level comment with the additional information you provided here, or maybe ask the mods via hn@ycombinator.com to make your replies visible.

[akuji1993]

> Some news websites hesitate to put external links in their articles because they lead readers off the site

For me, this is almost always a sign, that they don't think that high about their own content. If your content is great and you write engaging articles that are interesting to the reader, he will return. Trying to stop the reader from leaving, in a browser tab he can close at any time, is kind of ridiculous to me..