36 comments

[ 2.5 ms ] story [ 86.6 ms ] thread
Wow, this entire article seems to be more a "let's repost every tweet that hates Krebs". Most of it assumes he is a "a 50-year-old dude in a suit" doing cyberstalking, but I don't think that is an accurate description. Keep in mind, much of the criminal hackers do not like Krebs because he exposes them. People Swat his house and attempt to entrap him. So reposting a bunch of hate-Tweets is stupid.

Yes, Krebs' does his own research, but he also has hundreds of security researchers and contacts that provide him info, many of those are insiders. In his book Spam Nation, he even goes to Russia to visit a crime boss to ask tough questions. This isn't some cyberstalker.

Krebs is a better researcher than most, so I tend to trust his doxx. Most of the info he publishes is already public (poor opsec) and he is more thorogh than Reddit. Can he be wrong? Sure..... should he doxx? I don't know, that's an ethics question.. but if he's wrong on this, I'm sure Brian will reconsider that in the future

> but if he's wrong on this, I'm sure Brian will reconsider that in the future

If I remember right its not the first time he has gotten such things wrong, and mostly responded by blocking people criticizing him for it on Twitter.

> If I remember right its not the first time he has gotten such things wrong,

I must have missed that. Could you find that article for me?

It’s linked in the original article here. :)

> In March 2018, he came under fire from users of a German image board pr0gramm.com after he revealed details about several admins and moderators in an article which claimed to identify who was behind the cryptocurrency mining service Coinhive.

https://itwire.com/security/image-board-admins,-mods-doxxed-...

> In April last year, Krebs was again slammed by security researchers after he doxxed two of them on Twitter, apparently because he disagreed with them about the operations of Spamhaus.

https://itwire.com/security/infosec-researchers-slam-ex-wapo...

There are two issues to consider here: whether he is correctly identifying the people he doxxes and the ethical implications of his decision to do so. He received a fair bit of backfire for doxxing security researchers a few years ago (including @notdan) https://itwire.com/security/infosec-researchers-slam-ex-wapo...

For me (and I'd imagine most folks coming to a board called "Hacker News"), doxxing independent security researchers for the crime of port scanning is highly unethical behavior, and this vigilante crusade to doxx hackers is appearing to generate yet more collateral damage in the reckless pursuit of clout.

I agreed with everything you said until the last four words. What would make you think that Krebs is motivated by a "reckless pursuit of clout?"
I suppose we can never truly know what motivates anyone to do anything. I'm not committed to that stance, but even if he had the most pure of motivations it wouldn't materially change the consequences (both ethical and practical) of his actions.
He might be good at his work but he's not a god, he can't be right 100% of the times. We still have to evaluate him based on evidence everytime he utters anything.
No, it doesn't work that way. If he wrongly doxxed someone once, it is definitely fair to harshly judge him for doing so again.

When people make a bad mistake, you don't just press a reset button after and judge their next, related bad mistake in isolation.

It’s time to stop listening to this guy. He’s got a history of doxxing people he doesn’t like, for trivial things like bad reviews even.

Please don’t promote or link Krebs.

Ok this is entirely off topic, but I'll ask because Krebs is being discussed. Does anyone else find the comments on his blog posts incredibly toxic relative to other tech blogs?

I've seen his site linked on HN several times and in many of those cases, the content was fine, but the comments seemed to turn into strange, angry rants.

Yup, and given his proclivity to dox it is concerning that some call for violence.
Concerning, but not surprising. Doxxing is violence; or at least a precursor.
My brief take on his comment section was that they were more superficially corny. Things like "Listen up bad guys, crime doesn't pay!!1"

I enjoy his blog posts, but I usually binge read them every few months.

It's on topic. If you have a platform, you have some responsibility for how your audience behaves. If you don't discourage bad behavior among your fans, you're encouraging it.
>He’s got a history of doxxing people he doesn’t like, for trivial things like bad reviews even.

source?

The article contains some examples - the relevant section is in the first half of the page. I'm not sure how trivial they are though
So one article from a source I’ve never seen before today?

Sure I’ll take that as gospel truth.

> I'm not sure how trivial though

He doxxed a guy for, in his words, leaving a "really bad review of my book." https://twitter.com/briankrebs/status/543992830256238593?s=2...

It's in the article.
Anecdotal, but a few years ago I had an acquaintance doxxed and written about by Krebs for no particular reason. He contacted Krebs over IM to supply some details about an upcoming article, if I recall something about a DDoS ring. At some point, their conversation deteriorated and, to my recollection, he started trolling Krebs a bit.

Come a few days later, Krebs dropped a new blog on his site about a DDoS ring. The article starts fine, but in the middle of it, it brings up my acquaintance. For no reason. It has his full dox, and even has a picture of him along with some screenshots of their IM session.

Now, it wasn’t explicitly stated that he was connected to the DDoS ring, but Krebs placed him in the article anyway, leading readers to understand that he was implicated — falsely of course.

Was trolling Krebs in bad taste? Probably. Worthy of being lumped in with a bunch of DDoS skids, doxxed, and more? Doubtful.

so why didn't your "acquaintance" sue him for libel then?

I'm sorry, but i'm calling BS on this. if someone wrote something damaging about me (especially a well known figure like Krebs), i would sue the living crap out of them. this isn't some dude on twitter that no one listens to making a false statement, this is a credible and world renown journalist making a false statement. that right there would be enough for any lawyer to sue based on libel and seek damages.

Not only would litigation cost tens of thousands of dollars (out of reach for this person) and risky, nothing Krebs said was technically false. Krebs made no specific claims about his involvement, just included him in the article without explicitly stating why.
“Only the mastermind is guilty. Everyone else are just inconsequential actors. No one lied, they just made mistakes. Yes I’m involved in Internet crime antics but I’m innocent.”
The New York Times is getting into the attribution game now?
i find it very hard to believe that Krebs would just randomly blame some person without credible evidence. just as i stated in my response to @invokestatic:

"this isn't some dude on twitter that no one listens to making a false statement, this is a credible and world renown journalist making a false statement."

Krebs would have a lot to lose if he didn't do his research and made stuff up for the sake of a story. i'm sorry but i personally think this is just a poor attempt at discrediting him.

> i find it very hard to believe that Krebs would just randomly blame some person without credible evidence

I do not find this hard to believe. He could have simply made a mistake. He could have evidently credible evidence which ends up being flawed. This defense of Krebs is baffling to me, because it doesn't even defend his actions on their merits and his claims on the evidence he provided. The argument in Krebs's favor is that you trust Krebs, which is a fine enough point but unlikely to convince people who don't trust Krebs.

Even if he is right about this person, publicly revealing them instead of just contacting the police seems like a highly questionable decision to me.

Does anyone else find itwire.com articles incoherent to read?
Trying to dunk on Krebs in his area of expertise just makes you look like an idiot.

He’s a brand at this point, and a well respected one.

Ha, hah! The NYT has the gall to accuse someone else of doing the same thing they do!

Yes I think Krebs went over the line for no good reason other than maybe thinking he was scooping all the other people in cybersecurity, but they NYT is also not blameless and will do whatever advances their own agenda. Maybe they’ll be introspective about this, but I doubt it.

> Maybe they’ll be introspective about this

Strange request of an entire organization. I imagine this ebbs and flows with the individual employees that join/leave.