Tech reporter Brian Krebs hacks it on his own, one scoop at a time

Independent tech reporter Brian Krebs poses with the source of a recent scoop — a credit card reader at a local Target. (Photo by Mark Stencel)

Few news stories in the past month landed on homepages and front pages with a louder thud than the theft of credit and debit card information from millions of Target customers.

The Target break-in was the latest scoop for Brian Krebs, an independent technology reporter who writes at KrebsOnSecurity.com. Brian, 41, has made the Internet’s seedy side his beat and his livelihood since The Washington Post cut him loose four years ago.

Now he does his gumshoeing from a home office in the D.C. suburbs. There he spends hours a day working a network of sources among the world’s digital criminals and crime-fighters.

“I want to write stories you can’t find anywhere else,” he says.

Like a pulp detective, squeezing snitches for clues in a gloomy bar, Brian is as much a target as he is a hunter. In the past year, police appeared at his doorstep, guns drawn, after someone spoofed a local phone number to report a hostage situation at his home. Another “fan” (as Brian calls them) organized a Bitcoin fundraiser to send a package of heroin to his doorstep.

Brian and I overlapped at the Post, where we both worked our way up from entry-level jobs just out of college in the early- and mid-1990s. For Brian that meant answering phones in the circulation department, followed by stints working as a copy aide, a dictationist and an editorial assistant before he got a full-time reporting job with a tech news service owned by the Post. That assignment landed him a gig as a reporter at washingtonpost.com, where he eventually hosted the Security Fix blog — building on a self-taught expertise in the digital underworld developed after a worm infected his home network.

Brian’s bylines appeared both in print and online. But after the Post eliminated his job in 2009 during the convergence of the digital and print newsrooms, he used his severance to strike out on his own, launching his own blog. Now Brian says he’s making more than he did as a full-time blogger for the newspaper company.

“I decided to go solo because I was still smarting from the layoff,” he says, adding that he “didn’t want to put myself in another position where someone else could decide whether I should have a job and what I should write about. Probably a small part of me just wanted to see if I could make it on my own.”

Brian and I caught up recently by email and in-person (at the Starbucks in a mutually convenient Target, of course) to talk about the challenges and upsides of working independently.

Full disclosure: As a former coworker and regular reader, I made a modest $25 contribution to Brian’s site last year. But Brian says the donation button is just a small, albeit much appreciated, part of his income. About half of the revenue comes from advertising. The rest comes primarily from paid speaking appearances around the world and occasional freelance writing and research. He also signed a deal with Sourcebooks last year to tell the story of two Russian cybercrime oligarchs his site helped expose. (Brian says the book, Spam Nation, should be ready for publication in 2014.)

The Business

Without revealing exactly how much he makes, Brian says his work brings in enough money to cover his share of the bills. He gets health coverage through his wife’s work, which helps financially. They don’t have kids.

Working alone means Brian has to be his own publisher — an area in which he says he sometimes gets “pushback from fellow journalists.” Brian manages sales and relationships with advertisers, almost all of which are involved in the topics he covers. The publisher side of the job means he sometimes has to explain to disappointed sponsors why their buys never guarantee coverage. He also says he discloses relationships when he needs to refer to an advertiser — as was the case in a story this week that quoted the co-founder of a threat intelligence firm. (“Full disclosure: Malcovery is an advertiser on this blog,” Brian noted parenthetically with the quote.)

As his own publisher, Brian sometimes turns down money, too. A couple of experiences appearing in corporate webinars convinced him those gigs were too “skeevy.” “I do draw the line,” he says. But he does make paid in-person speaking appearances for corporate and governmental audiences — something editorial guidelines at media organizations like the Post would prohibit.

Brian monitors traffic and impressions for his advertisers. He also maintains advertising standards and handles ad hosting himself — especially after someone tried using a third-party advertising service to post malware on his site.

The site typically generates about half a million page views per month. Big stories produce huge spikes in Brian’s readership, including a record 1.2 million page views last month that came with the Target revelation and follow-up posts. Most of his audience comes via Google, but he also scans the metrics to see how his stories play in social media, where links from Twitter, Facebook and Reddit are the primary drivers. Nearly 10,000 people have signed up for his email newsletter.

‘A lot of communicating’

The demanding responsibilities of the business and site still take less time than the reporting. Brian devotes a couple hours a day to “raw research” and another few hours to “source maintenance.” That involves a lot of phone time, plus IM, Twitter, Facebook chat, texting, encrypted email — Brian has even been teaching himself Russian, since much of the news on his beat originates in what was once the Soviet Union and its former satellites.

“There’s a lot of communicating in whatever way people want to communicate,” he says. “It may not be my preferred method of communicating.”

All of this reporting pays off with loyal readers, even at companies who fear finding themselves covered on his site. “As someone who does payment card security for a brick and mortar retailer, ‘Brian Krebs’ is a name I never ever want to see flash across my Caller ID,” one admirer wrote in a recent reader comment.

Brian consistently posts new items a few times a week. Some items are newsy. Some are explanatory. Others take his readers deep into the pursuit — first-person computational narratives illustrated with log files, bits of code and screen shots. Brian has handy Pandora channels to provide soundtracks while he’s working: Bach for number-crunching and analysis; movie scores when he’s chasing “bread crumbs”; noise-canceling headphones for deadline stories.

“I don’t think of my work in terms of writing. I think of it in terms of stories,” he says. “Some stories write themselves. Others take more explication.”

Tradeoffs

He misses having an editor to help him develop ideas — and to rescue him from typos and misspellings. When he can, he steps away from work for a bit so he can reread his copy with fresh eyes before hitting the “publish” button. “Fortunately I have that luxury. Most of what I do is not time-sensitive.”

At the Post, lawyers scoured much of Brian’s work before it was published, especially given the sensitivity of the subject matter. As an independent journalist, Brian does not have that level of air cover — or scrutiny. But he does have occasional — and anonymous — help from “one of D.C.’s most talented media attorneys,” who has privately volunteered his services. “I couldn’t afford him even if I owned a media company,” Brian says.

With Brian’s own expertise, he, too, could lead a more lucrative life, perhaps as a security analyst or consultant. He is not especially interested in making “oodles of money.”

“That’s not really what’s most important to me,” he says. “Plus, I’d almost certainly give up a lot of access to certain coveted sources in the process, and with that would come fewer big stories. As you can probably tell by my answer, I really can’t imagine doing anything but journalism, and I’m still hooked on the rush of chasing an exclusive story that I know is going to become international news and/or affect positive change.”

Brian also says he is not eager to return to a big newsroom. “It would have to be a pretty incredible and flexible offer,” he says, adding that he’s “respectfully declined” several opportunities from major publications. “It’s fair to say my independence has pretty well spoiled me, and that’s probably the part of my work that is most important to me now.”

Brian thinks others can be just as spoiled — if they have the right angle. “I’ve done everything in my power to encourage other journalists to go out on their own,” he says. “Pick a niche or a focus and go for it.”

* * * * *

Going Solo

Tech reporter Brian Krebs says he often urges “miserable” former colleagues to consider operating independently, as he has since his blogging job at The Washington Post was eliminated in 2009. But Krebs also will say there are advantages and disadvantages to his way of doing business. Here’s his list of potential pros and cons based on his first four years as a solo act:

Pros

• Total editorial freedom
• Not having to constantly follow the work of other reporters
• Ability to earn income from a variety of creative tasks that aren’t directly related to writing
• Getting paid to travel to exotic places for public speaking
• Scooping the big dailies :)
• Working most days from home in my pajamas or just taking random days off

Cons

• Lacking a staff of incredibly talented, smart and witty editors
• Working your ass off for an uncertain outcome
• The ever-looming prospect of being ignored or disregarded by sources or would-be interview subjects (e.g., saying you’re calling from the Post opens a lot more doors than telling people you’re an independent reporter)
• Less face-to-face interaction with colleagues and sources
• No one is standing over you asking about the idea for your next big story

Mark Stencel (@markstencel) is NPR’s former managing editor for digital news. He previously worked in both print and digital journalism, holding senior newsroom and business positions at The Washington Post, Congressional Quarterly and CQ’s Governing magazine. He also covered science and technology for the News & Observer in Raleigh-Durham, N.C. Stencel began his career at the Post as an assistant to political columnist David S. Broder.

We have made it easy to comment on posts, however we require civility and encourage full names to that end (first initial, last name is OK). Please read our guidelines here before commenting.

  • http://twitter.com/qka qka

    Failure to talk to Brian will earn you a comment like this: Target has yet to honor a single request for comment from this publication, and the company has said nothing publicly about how this breach occurred. (from http://krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/ )

    As i learned in my media training classes, “No comment” is never a good response.

  • feekoningin

    Or maybe those phone calls won’t be returned because folks don’t want their companies to end up on the national news.

  • feekoningin

    This is the best part of this story: “Now Brian says he’s making more than he did as a full-time blogger for the newspaper company.

    “I decided to go solo because I was still smarting from the layoff,”
    he says, adding that he “didn’t want to put myself in another position
    where someone else could decide whether I should have a job and what I
    should write about. Probably a small part of me just wanted to see if I
    could make it on my own.”

    The same thing happened to me four years ago when I lost my job as managing editor of a women’s magazine. And I made the same decision Brian Krebs did, largely for the same reasons. I will go through Hell and high water before I go back to working for someone else full time. My livelihood will never again depend on someone else inept business practices. I also am always in a position to reject assignments, fire clients and take vacations without permission. I highly recommend striking out on your own.

  • SFMH57

    At this point, I’d wager that the name “Brian Krebs” WILL open doors and get phone calls returned. GO GET EM, BRIAN!

  • http://www.onlinesecurity123.com/ Scott Lewis

    Brian is a fantastic writer! Thanks for sharing this. All of us in the IT security space are grateful to have Brian around through his up to date and relevant stories!