Comment Re:Primed? Likely? (Score 1) 406

FYI, bbaskin here. The article ran with my initial tweet but did nothing to ask me for more, or read additional tweets where I gave more details. I've made comments there, and other places (even here), with more details but all were downvoted. The account was protected to try and slow its spread, but that didn't work, so it's public again. And people can read the additional details, but none will.

Comment Some things exaggerated (Score 0) 406

There is more to the story than the initial tweet and, unfortunately, as the tweet's author, I wasn't aware that article was written or published or else I could have elaborated some more in it.

It needs to be clear that Forbes was not compromised and there is no technical wrongdoing on their part in this matter. This is an advertisement network issue. Forbes has been very responsive to communications and has worked continuously to follow up on this. This incident does, indeed, show negatively on them, and they were very quick to try and locate the incident to pass on to advertising networks.

Their major issue was in requiring users to disable ad blockers. That's where the focus should be, as it opens a possible attack vector into your system.

The Java Update page was configured to download a "setup.exe", which raised every red flag there is. However, at the time of this ad appearing, setup.exe soft-failed to a download page for Java 8u25. Soft fail meaning that "setup.exe" returned an HTML page instead of the executable. This likely means that the ad page wasn't "activated" at the time. Additional JavaScript I uploaded to the link below shows that it did have code to rotate between multiple executables, as well:


I also posted a URL trace of the events around that time, if anyone would like to dig into those things. It's basically a reverse chronological list of every URL Chrome requested:


So, unfortunately (or fortunately), there was no zero-day drive by attacking my system. But, the capability was there.
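
The "soft fail" described in the comment above (a URL named setup.exe that hands back an HTML page instead of a PE) and the rotation between several executables are the two checks an analyst would want to automate when triaging a malvertising capture. The block below is an added example of that triage, not bbaskin's code and not anything from Forbes or the ad network: it classifies a fetched body by magic bytes rather than by filename or Content-Type, flags the soft-fail and masquerade cases, and pulls candidate .exe URLs out of the ad's JavaScript. The PE stub, HTML page, JavaScript and hostnames are all constructed here for the example.

```python
import re
import struct

# Content types a server would legitimately use for a Windows executable.
EXE_CONTENT_TYPES = {
    "application/x-msdownload",
    "application/x-msdos-program",
    "application/vnd.microsoft.portable-executable",
}


def _minimal_pe() -> bytes:
    """Constructed 88-byte PE stub: DOS header whose e_lfanew points at 'PE\\0\\0'."""
    dos = bytearray(b"MZ" + b"\x00" * 62)           # 64-byte IMAGE_DOS_HEADER
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> offset 0x40
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20  # IMAGE_NT_HEADERS signature + stub


# Constructed sample bodies, not captured traffic.
SAMPLE_PE = _minimal_pe()
SAMPLE_HTML = (b"<!DOCTYPE html><html><head><title>Java 8u25 download</title></head>"
               b"<body>Download Java 8 Update 25</body></html>")
SAMPLE_ELF = b"\x7fELF" + b"\x00" * 60
# Constructed ad script showing the "rotate between executables" pattern.
SAMPLE_JS = b"""
var payloads = ["http://ad-cdn.example/dl/setup.exe",
                "http://ad-cdn.example/dl/JavaUpdate.exe",
                "http://ad-cdn.example/dl/setup.exe",
                "https://cdn2.example/p/flash_player.exe"];
var pick = payloads[Math.floor(Math.random() * payloads.length)];
window.location = pick;
"""


def classify_body(data: bytes) -> str:
    """Classify a response body by content only: 'pe', 'html' or 'other'."""
    if len(data) >= 0x40 and data[:2] == b"MZ":
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
        return "other"  # MZ without an NT header: DOS-only or truncated
    head = data[:1024].lstrip().lower()
    if head.startswith(b"<!doctype html") or b"<html" in head:
        return "html"
    return "other"


def check_download(filename: str, content_type: str, body: bytes) -> dict:
    """Compare what the URL/headers claim against what the bytes actually are."""
    actual = classify_body(body)
    mime = content_type.split(";")[0].strip().lower()
    claims_exe = filename.lower().endswith(".exe") or mime in EXE_CONTENT_TYPES
    if actual == "pe" and claims_exe:
        verdict = "executable"              # armed: a real PE was served
    elif actual == "pe":
        verdict = "masqueraded-executable"  # PE hidden behind a benign name/type
    elif actual == "html" and claims_exe:
        verdict = "soft-fail"               # the case in the comment: setup.exe -> HTML page
    else:
        verdict = "inert"
    return {"filename": filename, "content_type": content_type,
            "actual": actual, "claims_exe": claims_exe, "verdict": verdict}


def extract_exe_urls(js: bytes) -> list:
    """Unique http(s) URLs ending in .exe, in order of first appearance."""
    seen, out = set(), []
    for m in re.findall(rb"https?://[^\s\"'<>]+\.exe", js):
        url = m.decode("ascii", "replace")
        if url not in seen:
            seen.add(url)
            out.append(url)
    return out


if __name__ == "__main__":
    print(check_download("setup.exe", "text/html", SAMPLE_HTML))
    print(check_download("setup.exe", "application/x-msdownload", SAMPLE_PE))
    print(check_download("update.js", "application/javascript", SAMPLE_PE))
    print(extract_exe_urls(SAMPLE_JS))
```

The classification deliberately ignores the filename and Content-Type when deciding what the bytes are; those are the attacker's claims, and the verdict is the comparison between claim and content. A soft-fail verdict on a URL named setup.exe is exactly the "not yet activated" state described above, and the URL list tells you which other payloads to re-fetch later.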

Comment But loses its meaning quickly (Score 4, Interesting) 80

Ego branding for the sake of hiring egotistical developers and analysts. Therein lies the rub.

A "rock star" can be a real thing. It could be someone who continually, and repeatedly, produces great work that impacts the entire community. These people exist, but most don't want the branding. But companies can't hire them; they're too expensive.

So the "rock star" became the one-hit wonder person. Someone who released a nifty script on GitHub and gave a con talk on it. Two years ago.

Slowly, over time, that rock star status has turned into "most influential". That is, those with the most Twitter followers, regardless of how good they are at their craft. Don't know anything beyond basic Ruby coding and lack knowledge of security programming... but have 50K followers? Rock Star! HIRED!

Considering oneself a rock star in order to apply for such a job breaks the whole "No Asshole Rule" for hiring.

Comment Just proves the point (Score 5, Insightful) 1262

Trolling against her proves many of her points. Many take trolling as a sport to revel in their anonymity, but the threatening comments are extreme.

In my opinion, her videos are, in places, poorly researched with many leaps of logic mixed with heavy opinions. But, they still contain very valid points and can be civilly debated.

Evolve, people. At least keep the trolling to a respectable severity.

Comment The big rush (Score 4, Insightful) 175

We need a story now, quick. We need something to put on airtime because our marketing is calling around our advertising clients to see who wants to bid on the next hour of airtime. The big need to get something up quick, even if it's very low quality, such as a poorly recorded video interview without a transcript... oh, wait...

Comment Yawn (Score 4, Insightful) 241

I was confused in reading the write-up. If the interview was scheduled three months in advance, why did he say that he only had one day to prepare for the "CS" style interview? Where did this "December Interview Preparation Tips" come from? Only partial bits of data are given, none of which support the poster's side of the story.

And what phone were you using that didn't have speakerphone capabilities? Nearly all landline phones do that, as well as all mobile phones. Skype crap happens all the time, even on perfect connections. You roll with it. And, if you can't, then you'll likely have problems in a technology company.

In summary, this reads as: "HR department had too many applicants and I slipped between the cracks for scheduling, then I bombed my interview but it really wasn't my fault. Really!"

Comment Hold them to the fire (Score 5, Interesting) 125

LeakID (and/or their client) just claimed copyright over malware. Not just any malware, but targeted malware against a corporation with the intent of theft of intellectual property and unauthorized access to computer systems.

IANAL, but LeakID should then be held liable and responsible for their "copyrighted works".

Comment Not entirely true (Score 4, Informative) 94

It cannot "be exploited remotely to execute arbitrary code". It can only crash the service. There is no RCE developed for this vulnerability, yet. The article itself even says this (even though its author submitted it here):

Creating a working exploit for the CVE-2012-0002 vulnerability is not trivial, Microsoft security engineers Suha Can and Jonathan Ness said in a blog post on Tuesday. "We would be surprised to see one developed in the next few days. However, we expect to see working exploit code developed within the next 30 days."

The PoC is pretty basic, but an experienced exploit writer can modify it to achieve remote code execution, the researcher said.

Yes, MS12-020 is a big deal. But, not THAT big of a deal, yet. Stop flinging FUD around about things that haven't yet happened.