What Bleeping Computer’s Catalin Cimpanu looks for in a cybersecurity story
Cybersecurity reporters have one of the toughest jobs in journalism.
Attack trends can change by the day as reporters’ inboxes fill with claims of the next big hack or discovery, leaving them sifting through and confirming the technical details, all while translating complex topics into easily understandable and interesting stories for their readers.
As the security news editor for Bleeping Computer, Catalin Cimpanu takes on this challenge, writing on the latest in the security world for its millions of readers. If you’re following the cybersecurity space, you’ve most likely seen his reporting on Twitter or read his work on Bleeping Computer, where he covers malware outbreaks, movements on the Dark Web, hacking news, and more.
I had the opportunity to hear from him on what he looks for in a story, who makes a good source, and what he’s following in the industry. Here’s what he said.
What makes for a good security story?
A backstory. Reporting facts is fine and dandy but providing background information is usually the way to go if you want people to remember your articles. In online media, there’s also the side of journalism where good stories are the ones that get all the reads. For those, sadly, you need blood and gore. The more people affected by an incident, the more the reads, hence the “better” the story.
What is the most helpful thing a source can provide? Least?
Independently verifiable information is the best thing a source can provide. Least? I can’t say I have received unusable information. Even bad tips can teach you something. Researching bad tips teaches you how to research and how to recognize bad tips.
What do you see as some of the major trends in cybersecurity moving the industry forward?
I never bother myself with where and how the cybersecurity industry goes and evolves. My job is to report on it. As a reporter, you have nothing to gain by knowing where the industry evolves.
Profits for cybersecurity companies and public interest in infosec reporting are two very different things. For example, there’s quite the big business behind enterprise firewall solutions, but most people couldn’t care less about stories on one.
But if you insist on a trend, it’s probably adware. Adware is a gray legal zone. Recently there’s been a surge in adware, especially the kind delivered via Chrome extensions, but with little reporting on it because 1) people are already used to it because there’s so much of it, and 2) adware firms have good lawyers.
How important is Twitter for your job? How do you use it?
I get more people to talk to me via Twitter than via email and phone combined. So, for me, it’s quite useful. I spend a lot of time on it because of this reason.
How do you communicate securely with sources? How should other journalists be doing this?
When I first understood my employer wanted me to cover infosec topics, I did it all by the book. Wiped my PC clean at regular intervals, enabled full disk encryption, got a PGP key, enabled OTR on XMPP, installed all the encrypted IM clients I could find, etc.
After two years, I have yet to receive an encrypted email and only two sources specifically asked for OTR in XMPP chats. This is most likely because I cover the technical topics in IT security, such as malware reports, scientific research, post-mortems, and others. The type of Snowden-like paranoid sources with incredibly sensitive information don’t usually come with that data to Bleeping Computer, a site specialized in “computer”-related topics.
Even if it’s pretty obvious for some journalists out there that they will most likely never get to use a secure channel with their source, it’s better to have them at hand. You never know what’s going to happen. They should be ready.
Thanks, Catalin.