FYI, bbaskin here. The article ran with my initial tweet but did nothing to ask me for more, or read additional tweets where I gave more details. I've made comments there, and other places (even here), with more details but all were downvoted. The account was protected to try and slow its spread, but that didn't work, so it's public again. And people can read the additional details, but none will.
The account was made private, temporarily, to try and reduce the spread of the tweet due to that article. It didn't work as the text was still visible on news articles, and because people couldn't then see the actual updates. So, the account was made public again.
Really a philosophical wrongdoing :)
There is more to the story than the initial tweet and, unfortunately, as the tweet's author, I wasn't aware that article was written or published or else I could have elaborated some more in it.
It needs to be clear that Forbes was not compromised and there is no technical wrongdoing on their part in this matter. This is an advertisement network issue. Forbes has been very responsive to communications and has worked continuously to follow up on this. This incident does, indeed, reflect negatively on them, and they were very quick to try and locate the incident to pass on to advertising networks.
Their major issue was in requiring users to disable ad blockers. That's where the focus should be, as it opens a possible attack vector into your system.
The Java Update page was configured to download a "setup.exe", which raised every red flag there is. However, at the time of this ad appearing, setup.exe soft-failed to a download page for Java 8u25. Soft fail meaning that "setup.exe" returned an HTML page instead of the executable. This likely means that the ad page wasn't "activated" at the time. Additional JavaScript I uploaded to the link below shows that it did have code to rotate between multiple executables, as well:
http://pastebin.com/raw/KwKxek...
I also posted a URL trace of the events around that time, if anyone likes to dig into those things. It's basically a reverse chronological list of every URL Chrome made:
http://pastebin.com/raw/wsiD1v...
So, unfortunately (or fortunately), there was no zero-day drive by attacking my system. But, the capability was there.
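The "soft fail" described in the comment above (a link named setup.exe that hands back an HTML page rather than a Windows executable) is easy to triage mechanically. The following is an added example, not code from the commenter or from the pastebin links; it classifies a response body by its magic bytes rather than by its declared Content-Type, and flags the two cases worth noting: an HTML page where a binary was requested (the soft fail) and a body that actually is a PE file (a live payload). The three sample responses are constructed for the example and are not captures from the ad network.

```python
"""Classify what a 'setup.exe' link actually returned: a PE executable,
an HTML page (the "soft fail"), or something else.

Added example. The SAMPLES below are constructed stand-ins, not the
responses observed in the original incident.
"""

import struct

# Content-Types a server uses when it claims to be serving a Windows binary.
BINARY_TYPES = {
    "application/octet-stream",
    "application/x-msdownload",
    "application/x-msdos-program",
    "application/vnd.microsoft.portable-executable",
}


def looks_like_pe(body: bytes) -> bool:
    """True if body has a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", body, 0x3C)
    return body[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def looks_like_html(body: bytes) -> bool:
    """Sniff the first 512 bytes (after BOM/whitespace) for common HTML openers."""
    head = body.lstrip(b"\xef\xbb\xbf \t\r\n")[:512].lower()
    openers = (b"<!doctype html", b"<html", b"<head", b"<body",
               b"<script", b"<meta", b"<title")
    return head.startswith(openers) or b"<html" in head


def classify_download(requested_name: str, content_type: str, body: bytes) -> dict:
    """Return a small verdict dict for one fetched URL."""
    if looks_like_pe(body):
        kind = "pe"
    elif looks_like_html(body):
        kind = "html"
    else:
        kind = "other"

    declared = content_type.split(";")[0].strip().lower()
    expects_binary = requested_name.lower().endswith((".exe", ".msi", ".scr"))
    declared_binary = declared in BINARY_TYPES

    return {
        "kind": kind,
        "declared_type": declared,
        # Server lied about the type in either direction.
        "type_mismatch": (declared_binary and kind != "pe")
                         or (declared == "text/html" and kind == "pe"),
        # Asked for an executable, got a web page: the "soft fail" case.
        "soft_fail": expects_binary and kind == "html",
        # Asked for an executable and a real PE came back: live payload.
        "live_payload": expects_binary and kind == "pe",
    }


def _fake_pe() -> bytes:
    """Constructed minimal PE-shaped blob: DOS header with e_lfanew=0x40, then 'PE\\0\\0'."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


# Constructed sample responses (name requested, Content-Type header, body).
SAMPLES = {
    "soft_fail": ("setup.exe", "text/html; charset=utf-8",
                  b"<!DOCTYPE html><html><head><title>Java Download</title></head>"
                  b"<body>Download Java 8 Update 25</body></html>"),
    "disguised_html": ("setup.exe", "application/octet-stream",
                       b"\r\n\r\n<html><body>rotating...</body></html>"),
    "live_pe": ("setup.exe", "application/octet-stream", _fake_pe()),
}


def triage_samples() -> dict:
    """Run the classifier over every constructed sample."""
    return {name: classify_download(*args) for name, args in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in triage_samples().items():
        print(f"{name:15s} {verdict}")
```

The point of sniffing bytes instead of trusting headers is the middle sample: an ad server can send `application/octet-stream` for a body that is still just an HTML redirect, and the browser's download prompt will happily name it setup.exe either way. When doing this against a real URL trace, run the classifier over every response that the browser downloaded, not only the one named in the tweet, since the rotation code mentioned above implies several candidate executables.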
NASA Agency Bureaucracy Lets Historic Antique Slip From Their Fingers
If it didn't take them six months to reach out... Even a quick call "Hey, this is NASA. We heard you have one of our rovers. Could we just send someone over to verify?"
Ego branding for the sake of hiring egotistical developers and analysts. Therein lies the rub.
A "rock star" can be a real thing. It could be someone who continually, and repeatedly, produces great work that impacts the entire community. These people exist, but most don't want the branding. And companies can't hire them; they're too expensive.
So the "rock star" became the one-hit wonder person. Someone who released a nifty script on github and gave a con talk on it. Two years ago.
Slowly, over time, that rock star status has turned into "most influential". That is, those with the most twitter followers, regardless of how good they are at their craft. Don't know anything beyond basic Ruby coding and lack knowledge of security programming... but have 50K followers? Rock Star! HIRED!
Considering oneself a rock star in order to apply for such a job breaks the whole "No Asshole Rule" for hiring.
Agreed, especially in the case of one Reddit troller (who was fired from his job... good riddance):
http://gawker.com/5950981/unma...
Trolling against her proves many of her points. Many take trolling as a sport to revel in their anonymity, but the threatening comments are extreme.
(https://twitter.com/femfreq/status/504718160902492160/photo/1)
In my opinion, her videos are, in places, poorly researched with many leaps of logic mixed with heavy opinions. But, they still contain very valid points and can be civilly debated.
Evolve, people. At least keep the trolling to a respectable severity.
The publishers were already experiencing this issue when they forced 30+ day delays before Redbox and Netflix could carry their movies, hoping to get in as many sales as possible. Now, I won't be surprised to see that exclusivity period creep up to 45 days or even 60 days.
We need a story now, quick. We need something to put on airtime because our marketing is calling around our advertising clients to see who wants to bid on the next hour of airtime. The big need to get something up quick, even if it's very low quality, such as a poorly recorded video interview without a transcript... oh, wait...
What is this, a Japanese RPG? Can you possibly squeeze any more ellipses into that summary?
An article that automatically plays two videos, one with full audio, upon being loaded? Such actions should preclude such articles from being posted.
Won't somebody please think of the bandwidth?!
I was confused in reading the write-up. If the interview was scheduled three months in advance, why did he say that he only had one day to prepare for the "CS" style interview? Where did this "December Interview Preparation Tips" come from? Only partial bits of data are given, none of which support the poster's side of the story.
And what phone were you using that didn't have speaker phone capabilities? Nearly all land line phones do that, as well as all mobile phones. Skype crap happens all the time, even on perfect connections. You roll with it. And, if you can't, then you'll likely have problems in a technology company.
In summary, this reads as: "HR department had too many applicants and I slipped between the cracks for scheduling, then I bombed my interview but it really wasn't my fault. Really!"
LeakID (and/or their client) just claimed copyright over malware. Not just any malware, but targeted malware against a corporation for the intent of theft of intellectual property and unauthorized access of computer systems.
IANAL, but LeakID should then be held liable and responsible for their "copyrighted works".
It cannot "be exploited remotely to execute arbitrary code". It can only crash the service. There is no RCE developed for this vulnerability, yet. The article itself even says this (even though its author submitted it here):
"""
Creating a working exploit for the CVE-2012-0002 vulnerability is not trivial, Microsoft security engineers Suha Can and Jonathan Ness said in a blog post on Tuesday. "We would be surprised to see one developed in the next few days. However, we expect to see working exploit code developed within the next 30 days."
The PoC is pretty basic, but an experienced exploit writer can modify it to achieve remote code execution, the researcher said.
"""
Yes, MS12-020 is a big deal. But, not THAT big of a deal, yet. Stop flinging FUD around about things that haven't yet happened.
But 2008 wants its stories back.
So an anti-nuclear story posted by a user named 'mdsolar' with a blog running very anti-nuclear posts. He is also involved in a business that rents solar systems to homes (http://www.blogger.com/profile/14124764472206647347).
Christ, Slashdot. Can you be a bit more opaque in posting biased stories?
If they're securing the rights to do so, then they have plans to do so.
That was the news THIS MORNING. Then it was found that Pirate Bay couldn't be accessed by anyone. Web server died. It sounds like they segment traffic to certain web servers based on IP ranges for load-balancing, and the one for the Comcast group died. No big conspiracy here.
And why link to PCWorld? Who are they? TorrentFreak broke the news and continually updated it through the day. They should be cited:
http://torrentfreak.com/comcast-blocked-the-pirate-bay-110512/
You save money on time and logistics, but you also have to create a work area in your home. Certain organizations have square-footage requirements. You also need to establish locked areas to hold files and documents. And, ultimately, you're no longer allowed to check out. With a standard job you are expected to be responsive during your normal work hours (say 9 to 5:30). With telecommuting the work hours shift and you will easily find yourself on call 12 hours a day. Additionally, you lose camaraderie with your coworkers, a chance to hunker down and drive through projects faster, and you face possibly extensive delays in communications.
Then factor in the possibility of children banging down the door to play, and the guilt you feel by having to shuffle them out to finish a project. Then a spouse who takes advantage of you "being there" for babysitting, phone calls, and emotional chats. I'd rather be at work during the day.
Where does the debate continue? There was no link in the summary pointing to any ongoing debate. Just the previous Slashdot story and the main wikipedia article. There have been no edits to the OMM talk page for a week.
Shoddy, shoddy, shoddy submission.
Maybe they're referring to the SignPost article that has a handful of comments from a few days ago?
http://en.wikipedia.org/wiki/Wikipedia:Wikipedia_Signpost/2011-03-07/Deletion_controversy
GPS is just the latest iteration of navigational assistance. Before it was Google Map printouts. And before that was AAA trip books. And then hand-written maps and directions given over the phone. And it goes on. Think of "Go down about two sees and look for a red barn, then turn left." How are any of these different from a GPS? What happens if the barn fell down, or was painted, or was too dark to see?
Each has the same issue of the driver not intelligently understanding when things go different from what the directions in front of them say. Overall, GPS does help because it means no longer stopping to ask for directions.
I can't see it being a bad thing to become reliant on a technology to help you from getting lost.
I meant to comment earlier, but my iPhone alarm didn't go off.
Great idea, and I can't wait for it to surface. But, don't get your hopes up. Brian Krebs reported on this back in February (http://krebsonsecurity.com/2010/02/blade-hacking-away-at-drive-by-downloads/) and it's been vaporware the entire time. Demo videos look great, but there has been absolutely no public movement on the project since this spring.
When it gets released, THEN post something to /.