FYI, bbaskin here. The article ran with my initial tweet but did nothing to ask me for more, or read additional tweets where I gave more details. I've made comments there, and other places (even here), with more details but all were downvoted. The account was protected to try and slow its spread, but that didn't work, so it's public again. And people can read the additional details, but none will.
The account was made private, temporarily, to try and reduce the spread of the tweet due to that article. It didn't work as the text was still visible on news articles, and because people couldn't then see the actual updates. So, the account was made public again.
Really a philosophical wrongdoing
There is more to the story than the initial tweet and, unfortunately, as the tweet's author, I wasn't aware that article was written or published or else I could have elaborated some more in it.
It needs to be clear that Forbes was not compromised and there is no technical wrongdoing on their part in this matter. This is an advertisement network issue. Forbes has been very responsive to communications and have worked continuously to follow up on this. This incident does, indeed, show negatively on them and they were very quick to try and locate the incident to pass on to advertising networks.
Their major issue was in the requiring of users to disable ad blockers. That's where the focus should be as it opens a possible attack vector into your system.
The Java Update page was configured to download a "setup.exe", which raised every red flag there is. However, at the time of this ad appearing, setup.exe soft-failed to a download page for Java 8u25. Soft fail meaning that "setup.exe" returned an HTML page instead of the executable. This likely means that the ad page wasn't "activated" at the time. Additional Javascript I uploaded to the link below shows that it did have code to rotate between multiple executables, as well:
http://pastebin.com/raw/KwKxek...
I also posted a URL trace of the events around that time, if anyone likes to dig into those things. It's basically a reverse chronological list of every URL Chrome made:
http://pastebin.com/raw/wsiD1v...
So, unfortunately (or fortunately), there was no zero-day drive by attacking my system. But, the capability was there.
NASA Agency Bureaucracy Lets Historic Antique Slip From Their Fingers
If it didn't take them six months to reach out... Even a quick call "Hey, this is NASA. We heard you have one of our rovers. Could we just send someone over to verify?"
Ego branding for the sake of hiring egotistical developers and analysts. Therein lies the rub.
A "rock star" can be a real thing. It could be someone who continually, and repeatedly, produces great work that impacts the entire community. These people exist most don't want the branding. But companies can't hire them; they're too expensive.
So the "rock star" became the one-hit wonder person. Someone who released a nifty script on github and gave a con talk on it. Two years ago.
Slowly, over time, that rock star status has turned into "most influential". That is, those with the most twitter followers, regardless of how good they are at their craft. Don't know anything beyond basic Ruby coding and lack knowledge of security programming... but have 50K followers? Rock Star! HIRED!
Considering oneself a rock star in order to apply for such a job breaks the whole "No Asshole Rule" for hiring.
Agreed, especially in the case of one Reddit troller (who was fired from his job... good riddance):
http://gawker.com/5950981/unma...
Trolling against her proves many of her points. Many take trolling as a sport to revel in their anonymity, but the threatening comments are extreme.
(https://ancillary-proxy.atarimworker.io?url=https%3A%2F%2Ftwitter.com%2Ffemfreq%2Fstatus%2F504718160902492160%2Fphoto%2F1)
In my opinion, her videos are, in places, poorly researched with many leaps of logic mixed with heavy opinions. But, they still contain very valid points and can be civilly debated.
Evolve, people. At least keep the trolling to a respectable severity.
The publishers were already experiencing this issue when they forced 30+ day delays before Redbox and Netflix could carry their movies, hoping to get in as many sales as possible. Now, I won't be surprised to see that exclusivity period creep up to 45 days or even 60 days.
We need a story now, quick. We need something to put on airtime because our marketing is calling around our advertising clients to see who wants to bid on the next hour of airtime. The big need to get something up quick, even if it's very low quality, such as a poorly recorded video interview without a transcript... oh, wait...
What is this, a Japanese RPG? Can you possibly squeeze any more ellipses into that summary?
An article that automatically plays two videos, one with full audio, upon being loaded? Such actions should preclude such articles from being posted.
Won't somebody please think of the bandwidth?!
I was confused in reading the write-up. If the interview was scheduled three months in advance, why did he say that he only had one day to prepare for the "CS" style interview? Where did this "December Interview Preparation Tips" come from? Only partial bits of data are given, none of which support the poster's side of the story.
And what phone were you using that didn't have speaker phone capabilities? Nearly all land line phones do that, as well as all mobile phones. Skype crap happens all the time, even on perfect connections. You roll with it. And, if you can't, then you'll likely have problems in a technology company.
In summary, this reads as: "HR department had too many applicants and I slipped between the cracks for scheduling, then I bombed my interview but it really wasn't my fault. Really!"
LeakID (and/or their client) just claimed copyright over malware. Not just any malware, but targeted malware against a corporation for the intent of theft of intellectual property and unauthorized access of computer systems.
IANAL, but LeakID should then be held liable and responsible for their "copyrighted works".
It cannot "be exploited remotely to execute arbitrary code". It can only crash the service. There is no RCE developed for this vulnerability, yet. The article itself even says this (even though it's author submitted it here):
"""
Creating a working exploit for the CVE-2012-0002 vulnerability is not trivial, Microsoft security engineers Suha Can and Jonathan Ness said in a blog post on Tuesday. "We would be surprised to see one developed in the next few days. However, we expect to see working exploit code developed within the next 30 days."
The PoC is pretty basic, but an experienced exploit writer can modify it to achieve remote code execution, the researcher said.
"""
Yes, MS12-020 is a big deal. But, not THAT big of a deal, yet. Stop flinging FUD around about things that haven't yet happened.
Hokey religions and ancient weapons are no substitute for a good blaster at your side. - Han Solo
