November 8, 2015

I recently participated in an “Ask Me Anything” interview on Reddit.com about investigative reporting. I spent the better part of a day responding to readers about the challenges and rewards of independent journalism and a focus on data breaches, cybercrime and cybercriminals. It occurred to me today that I hadn’t mentioned the interview yet on this site, so here it is. The discussion is now locked, but feel free to follow up with your own questions here in the comments, and I’ll answer the better ones as time permits.


26 thoughts on “Pointer to Reddit ‘Ask Me Anything’ Interview”

  1. Darragh

    Hi Brian, I missed the Reddit ask anything; I do have a question; the recent attack in ProtonMail the encrypted mail service; how likely do you believe it might be state sponsored and if it was / is what do you believe are the implications; these are trying to make PGP accessible to the ordinary user and possibly now have states attacking this principle.

    1. BrianKrebs Post author

      I don’t believe that it was state-related. There are a few groups out there — more each week, though — that are trying to ride the coattails of some people with some very heavy weaponry (or at least a mastery of ways to vastly expand the use of available firepower).

      There is a ton of junk hardware being shipped worldwide by networking companies and ISPs, and each is just as culpable for cleaning up the mess.

      Imagine the $#1+storm that’s coming with the Internet of Things that are semi-secure, let alone the huge tidal wave of things that really weren’t developed with security in mind. We’re not equipped as a nation to fight the fight that’s coming. That much is certain, unless we change the dynamic. And soon.

  2. Arc

    Hi Brian,

    I’m struggling to decide on where to host my domain’s email. It’s basically come down to trying to decide whether I’d like to sacrifice some privacy by allowing Google to host my email, or (potentially) sacrificing security in order to have privacy.

    Any suggestions on how to handle this?

    (For everyone who’s going to suggest Fastmail – I’m using them now, but there’s no way to have true 2 factor protecting your email, there’s always a master password without 2 factor protection)

    1. A

      I was with neomailbox for a year, but then switched to runbox, as their plan is cheaper and had 5x the email storage. neomailbox and runbox were both affected in the DDoS that hit most small providers, for runbox I was unable to send/receive for about 5 hours. It’s completely worth it in my opinion to pay for email (and domain – $10 yearly), for the runbox micro plan it’s $34.95 yearly. I prefer to pay money than pay with privacy and my identity.

    2. IA Eng

      Look at all the hosting sites like Go Daddy, Network Solutions, Register.com or the like. They usually offer a service bundle of some sorts. On one of these – I forget which one, I saw a deal where they’d provide one domain, and like a few hundred email boxes all configurable by you as long as you own the domain name. The cost was like 300 bucks for 3 years or 5 years.

      I have a handful of email addresses throughout the world. It’s basically like the ring of trust; several outer email boxes are to be used for registration and initial contact emails. As the email gets better, the work and play emails are separated. I think it’s best to have 3-5 emails of which 3 can pretty much go checked once a week or so. If anything is worth a darn on the 3 cannon fodder emails, they can be forwarded to the trusted email addresses.

  3. E.G.

    Great work, Brian. The same is true in medicine–prevention isn’t attractive because doing a thing so that something doesn’t happen–it’s unclear how that saves money to the higher-ups. But ultimately it does.

  4. Dylan

    Brian I missed the AMA. But one comment to one of your responses. Someone asked about Linux POS, and in jest you said “Are there any” which seems so true it’s crazy these setups people come up with. Most of the time to keep it cheap. But don’t forget about Toshiba 4690, it’s non windows (and not an iPad).
    Side note this is the wildest use of anything apple I have seen for a POS system https://i.imgur.com/drHLU2k.jpg

    1. instig8r

      OMG, tell that restaurant, cafeteria, fast-food place where you took that the health department is about to shut them down! So many violations, where do I start?

    2. A

      I know a hotel / restaurant whose new POS system works on java, the touch screen terminals are OpenSUSE with the java POS program, and then there’s the handhelds which are iPads that communicate with the server’s java program.
      The server runs on Windows Server 2012 R2, running the java server and client.
      I’d love for them to ditch the windows platform entirely and make the server a GNU/Linux distro too.

  5. B_Brodie

    I commend your bravery. Reddit is the grease trap of the internet. It’s maybe one step removed from 4Chan. Hope you had fun!

  6. Yo

    Really interesting to see that AMA. Lots of questions I had were answered. It’s quite clear to see you’re a decent person with morals. I still haven’t purchased your book Brian, but I will be doing so in the near future. Hopefully one day I will have a website like this. Keep doing what you do man, always a pleasure to read.

  7. alanjstr

    I was wondering if you were aware of the Integrated Adaptive Cyber Defense (IACD) project. It seeks to reduce the amount of time to detect, amount of time to react, and increase information. It is not prescriptive, but establishes a framework. At the October community day, they demonstrated a system automatically detecting and blocking an attack in real-time.

    https://secwww.jhuapl.edu/IACDCommunityDay/

  8. Jonathan Jaffe

    Glad to see this posted.

    As for the transitive-verb question with “Krebsing” as the answer, please consider the horror of executives when they hear the words “60 Minutes is in the lobby.” Add now “Brian Krebs is on the phone.” and they get a lightning bolt of (generally well deserved) fear. Imagine the CEO of TalkTalk trying to explain why, after 3 breaches, customer data wasn’t encrypted.

    Hebrew for “lightning” is “baraq” and “Baraq Krebs” conjures up a modern day warrior with historical powers to smite the cyber evil, opponents of truth, justice and … oops … segued to Superman.

    Keep up the good work.

    Jonathan @NC3mob

    1. JCitizen

      And the American way! There – I finished it for you. Three things I definitely believe in, even though many of us mess it up!

      +1 to you Jonathan!

    2. Zonathan Zaffe

      “Hebrew for “lightning” is “baraq””

      Cocaine is a hellava drug.

  9. John L Pavon

    Great session, but I feel that people need to know what to do when confronted with scammers trying to get personal information? I wrote a piece called report scammers, it was up for years until one editor decided to take it down? I liked it because it was advocating a central agency to direct and manage reports and try to get them off the web once and for ever!

  10. IA Eng

    I guess Ignorance is Bliss. Go visit Toys R Us. They have nice shiny objects of many types to keep your ADHD in check. = )

  11. IA Eng

    QUESTION: (hand raised)

    What is your logic of thought or process when you pick a story to analyze and report on? As of late there are so many events in the cyber security arena that it will have most common folks’ heads spinning in circles.

    1. BrianKrebs Post author

      I think I answered this somewhat in the AMA. I generally stay away from the story that everyone else is covering. I try to produce content you can’t find anywhere else.

      On top of that, I try to tell stories with stories from actual victims and people dealing with these massive challenges.

      You’re right, of course; these days the bigger question is what *not* to write about 🙂

  12. Jeff B.

    We hear so much about defective software as an entry point for invasion of our systems. But what about hardware which has been designed to be used to break into our systems? We know that the NSA jiggered hardware random number generators to produce not-so-random numbers so that they could break codes. We also know that Intel has a “feature” on some of its chips which allow those machines to be controlled from elsewhere even if powered off, all supposedly for remote maintenance. But we buy a whole lot of hardware from China, a country whose government is demonstrably hostile to us. Is ANYONE looking at the chips and boards we buy from China (or anywhere else) to see if there are hidden entrances in that hardware enabling clandestine access to our systems?

  13. Daniel

    First, thanks for the informative world view, as always.

    I was intrigued by the fact that you used a D&D term to describe one person as “Chaotic Neutral”. You’ve spent a lot of time with hackers and more specifically criminals. (1) In your experience, what drives most of these individuals? Greed? A chance to display their skills? An effort to move up in the world? (2) Has your view of the criminal underworld changed in this regard since you first started this beat?

    In short, I’d love to hear your perspective on the psychology of the criminals you cover.

  14. meh

    The biggest problem I see is the USA and most of the world are trending towards police states. Along with new military grade weapons to use on civilians, no doubt billions are also being spent on the digital equivalent. Do you think we (the people) stand a chance against the rich/powerful and their global mission to subjugate the poor all over the world by any means necessary?

  15. A. Schiro

    Question: This deals with journalism as a whole. There seems to be a lack of editorial oversight in many print media outlets, almost no oversight online. Your site seems different in this aspect. Have you noticed this trend or am I overly critical?

  16. Rob

    Mr. Krebs, your comment about sanity and due process going out the window in a child porn case couldn’t be more true. I had a possession case back in 2006 in Traverse City regarding 2 videos, found on disc in a cyberstalking investigation and following search n seizure. One video originated from what was later shown to be legal adult website MET. The other video I pled guilty to ’cause burning a video onto disc at the time in Michigan was a 20 yr. charge and I couldn’t satisfy the Affirmative Defense-proof female in video was at least 18 – required evidence under Michigan law to offer the defense she was an adult. I did 44 months in prison and register as a sex offender. Two years after getting out of prison I found the amateur female and evidence lacking in 2006 – she confirmed she was 18 when the video was produced.

Comments are closed.