New York Times says Krebs wrongly implicated Briton in Twitter hack(itwire.com)
itwire.com
New York Times says Krebs wrongly implicated Briton in Twitter hack
https://itwire.com/security/new-york-times-says-krebs-wrongly-implicated-briton-in-twitter-hack.html
36 comments
There are two issues to consider here: whether he is correctly identifying the people he doxxes and the ethical implications of his decision to do so. He received a fair bit of backfire for doxxing security researchers a few years ago (including @notdan) https://itwire.com/security/infosec-researchers-slam-ex-wapo...
For me (and I'd imagine most folks coming to a board called "Hacker News"), doxxing independent security researchers for the crime of port scanning is highly unethical behavior, and this vigilante crusade to doxx hackers is appearing to generate yet more collateral damage in the reckless pursuit of clout.
For me (and I'd imagine most folks coming to a board called "Hacker News"), doxxing independent security researchers for the crime of port scanning is highly unethical behavior, and this vigilante crusade to doxx hackers is appearing to generate yet more collateral damage in the reckless pursuit of clout.
I agreed with everything you said until the last four words. What would make you think that Krebs is motivated by a "reckless pursuit of clout?"
I suppose we can never truly know what motivates anyone to do anything. I'm not committed to that stance, but even if he had the most pure of motivations it wouldn't materially change the consequences (both ethical and practical) of his actions.
> but if he's wrong on this, I'm sure Brian will reconsider that in the future
If I remember right its not the first time he has gotten such things wrong, and mostly responded by blocking people criticizing him for it on Twitter.
If I remember right its not the first time he has gotten such things wrong, and mostly responded by blocking people criticizing him for it on Twitter.
> If I remember right its not the first time he has gotten such things wrong,
I must have missed that. Could you find that article for me?
I must have missed that. Could you find that article for me?
It’s linked in the original article here. :)
> In March 2018, he came under fire from users of a German image board pr0gramm.com after he revealed details about several admins and moderators in an article which claimed to identify who was behind the cryptocurrency mining service Coinhive.
https://itwire.com/security/image-board-admins,-mods-doxxed-...
> In April last year, Krebs was again slammed by security researchers after he doxxed two of them on Twitter, apparently because he disagreed with them about the operations of Spamhaus.
https://itwire.com/security/infosec-researchers-slam-ex-wapo...
> In March 2018, he came under fire from users of a German image board pr0gramm.com after he revealed details about several admins and moderators in an article which claimed to identify who was behind the cryptocurrency mining service Coinhive.
https://itwire.com/security/image-board-admins,-mods-doxxed-...
> In April last year, Krebs was again slammed by security researchers after he doxxed two of them on Twitter, apparently because he disagreed with them about the operations of Spamhaus.
https://itwire.com/security/infosec-researchers-slam-ex-wapo...
Thanks!
There was the Shadow Brokers story, where he claimed to have identified the NSA leaker: https://www.emptywheel.net/2017/11/28/the-russian-metadata-i...
Then there was the thing where he doxxed two other researchers apparently just because, not even for assuming some crime: https://itwire.com/security/infosec-researchers-slam-ex-wapo...
Then there was the thing where he doxxed two other researchers apparently just because, not even for assuming some crime: https://itwire.com/security/infosec-researchers-slam-ex-wapo...
there was also his Thaddeus Zu/Ashley Madison story, which was pure conjecture
He might be good at his work but he's not a god, he can't be right 100% of the times. We still have to evaluate him based on evidence everytime he utters anything.
No, it doesn't work that way. If he wrongly doxxed someone once, it is definitely fair to harshly judge him for doing so again.
When people make a bad mistake, you don't just press a reset button after and judge their next, related bad mistake in isolation.
When people make a bad mistake, you don't just press a reset button after and judge their next, related bad mistake in isolation.
Anecdotal, but a few years ago I had an acquaintance doxxed and written about by Krebs for no particular reason. He contacted Krebs over IM to supply some details about an upcoming article, if I recall something about a DDoS ring. At some point, their conversation deteriorated and, to my recollection, he started trolling Krebs a bit.
Come a few days later, Krebs dropped a new blog on his site about a DDoS ring. The article starts fine, but in the middle of it, it brings up my acquaintance. For no reason. It has his full dox, and even has a picture of him along with some screenshots of their IM session.
Now, it wasn’t explicitly stated that he was connected to the DDoS ring, but Krebs placed him in the article anyway, leading readers to understand that he was implicated — falsely of course.
Was trolling Krebs in bad taste? Probably. Worthy of being lumped in with a bunch of DDoS skids, doxxed, and more? Doubtful.
Come a few days later, Krebs dropped a new blog on his site about a DDoS ring. The article starts fine, but in the middle of it, it brings up my acquaintance. For no reason. It has his full dox, and even has a picture of him along with some screenshots of their IM session.
Now, it wasn’t explicitly stated that he was connected to the DDoS ring, but Krebs placed him in the article anyway, leading readers to understand that he was implicated — falsely of course.
Was trolling Krebs in bad taste? Probably. Worthy of being lumped in with a bunch of DDoS skids, doxxed, and more? Doubtful.
so why didn't your "acquaintance" sue him for libel then?
I'm sorry, but i'm calling BS on this. if someone wrote something damaging about me (especially a well known figure like Krebs), i would sue the living crap out of them. this isn't some dude on twitter that no one listens to making a false statement, this is a credible and world renown journalist making a false statement. that right there would be enough for any lawyer to sue based on libel and seek damages.
I'm sorry, but i'm calling BS on this. if someone wrote something damaging about me (especially a well known figure like Krebs), i would sue the living crap out of them. this isn't some dude on twitter that no one listens to making a false statement, this is a credible and world renown journalist making a false statement. that right there would be enough for any lawyer to sue based on libel and seek damages.
Not only would litigation cost tens of thousands of dollars (out of reach for this person) and risky, nothing Krebs said was technically false. Krebs made no specific claims about his involvement, just included him in the article without explicitly stating why.
It’s time to stop listening to this guy. He’s got a history of doxxing people he doesn’t like, for trivial things like bad reviews even.
Please don’t promote or link Krebs.
Please don’t promote or link Krebs.
Ok this is entirely off topic, but I'll ask because Krebs is being discussed. Does anyone else find the comments on his blog posts incredibly toxic relative to other tech blogs?
I've seen his site linked on HN several times and in many of those cases, the content was fine, but the comments seemed to turn into strange, angry rants.
I've seen his site linked on HN several times and in many of those cases, the content was fine, but the comments seemed to turn into strange, angry rants.
Yup, and given his proclivity to dox it is concerning that some call for violence.
Concerning, but not surprising. Doxxing is violence; or at least a precursor.
My brief take on his comment section was that they were more superficially corny. Things like "Listen up bad guys, crime doesn't pay!!1"
I enjoy his blog posts, but I usually binge read them every few months.
I enjoy his blog posts, but I usually binge read them every few months.
It's on topic. If you have a platform, you have some responsibility for how your audience behaves. If you don't discourage bad behavior among your fans, you're encouraging it.
>He’s got a history of doxxing people he doesn’t like, for trivial things like bad reviews even.
source?
source?
The article contains some examples - the relevant section is in the first half of the page. I'm not sure how trivial they are though
> I'm not sure how trivial though
He doxxed a guy for, in his words, leaving a "really bad review of my book." https://twitter.com/briankrebs/status/543992830256238593?s=2...
He doxxed a guy for, in his words, leaving a "really bad review of my book." https://twitter.com/briankrebs/status/543992830256238593?s=2...
Not entirely sure I'd call that post 'doxxing' - it read as more of a "Oh look - this guy who left a bad review of my book has just been sent to prison for 18 years for cybercrime."
(Does it count as doxxing if the DOJ does it? [https://www.justice.gov/opa/pr/ukrainian-national-who-co-fou...] )
(Does it count as doxxing if the DOJ does it? [https://www.justice.gov/opa/pr/ukrainian-national-who-co-fou...] )
the link to the article was posted on this page.
I'll post it again: https://itwire.com/security/infosec-researchers-slam-ex-wapo...
It's in the article.
Ha, hah! The NYT has the gall to accuse someone else of doing the same thing they do!
Yes I think Krebs went over the line for no good reason other than maybe thinking he was scooping all the other people in cybersecurity, but they NYT is also not blameless and will do whatever advances their own agenda. Maybe they’ll be introspective about this, but I doubt it.
Yes I think Krebs went over the line for no good reason other than maybe thinking he was scooping all the other people in cybersecurity, but they NYT is also not blameless and will do whatever advances their own agenda. Maybe they’ll be introspective about this, but I doubt it.
> Maybe they’ll be introspective about this
Strange request of an entire organization. I imagine this ebbs and flows with the individual employees that join/leave.
Strange request of an entire organization. I imagine this ebbs and flows with the individual employees that join/leave.
Does anyone else find itwire.com articles incoherent to read?
“Only the mastermind is guilty. Everyone else are just inconsequential actors. No one lied, they just made mistakes. Yes I’m involved in Internet crime antics but I’m innocent.”
The New York Times is getting into the attribution game now?
i find it very hard to believe that Krebs would just randomly blame some person without credible evidence. just as i stated in my response to @invokestatic:
"this isn't some dude on twitter that no one listens to making a false statement, this is a credible and world renown journalist making a false statement."
Krebs would have a lot to lose if he didn't do his research and made stuff up for the sake of a story. i'm sorry but i personally think this is just a poor attempt at discrediting him.
"this isn't some dude on twitter that no one listens to making a false statement, this is a credible and world renown journalist making a false statement."
Krebs would have a lot to lose if he didn't do his research and made stuff up for the sake of a story. i'm sorry but i personally think this is just a poor attempt at discrediting him.
> i find it very hard to believe that Krebs would just randomly blame some person without credible evidence
I do not find this hard to believe. He could have simply made a mistake. He could have evidently credible evidence which ends up being flawed. This defense of Krebs is baffling to me, because it doesn't even defend his actions on their merits and his claims on the evidence he provided. The argument in Krebs's favor is that you trust Krebs, which is a fine enough point but unlikely to convince people who don't trust Krebs.
Even if he is right about this person, publicly revealing them instead of just contacting the police seems like a highly questionable decision to me.
I do not find this hard to believe. He could have simply made a mistake. He could have evidently credible evidence which ends up being flawed. This defense of Krebs is baffling to me, because it doesn't even defend his actions on their merits and his claims on the evidence he provided. The argument in Krebs's favor is that you trust Krebs, which is a fine enough point but unlikely to convince people who don't trust Krebs.
Even if he is right about this person, publicly revealing them instead of just contacting the police seems like a highly questionable decision to me.
Yes, Krebs' does his own research, but he also has hundreds of security researchers and contacts that provide him info, many of those are insiders. In his book Spam Nation, he even goes to Russia to visit a crime boss to ask tough questions. This isn't some cyberstalker.
Krebs is a better researcher than most, so I tend to trust his doxx. Most of the info he publishes is already public (poor opsec) and he is more thorogh than Reddit. Can he be wrong? Sure..... should he doxx? I don't know, that's an ethics question.. but if he's wrong on this, I'm sure Brian will reconsider that in the future