At televised sporting events, a prankster, usually drunk, will sometimes run onto the field to make a spectacle. Yet, the broadcast always cuts away, so as not to encourage the behavior even more in the future.
Perhaps we could consider a similar policy on submissions and upvotes about site-defacements? The hack will already get plenty of attention from the normal visitors of the affected site, and coverage in other 'gotcha' outlets. Maybe we should dampen, rather than multiply, the coverage.
(A post-incident report with details of the vulnerability and valid countermeasures would be interesting. And if the normally-trusted site was at any point subverting visitors with malware, that too would warrant a warning submission. But racing to report and upvote each graffiti incident almost seems to be cheering it on.)
Sporting events have just one broadcaster. One person who controls what you see. Online, everyone is a broadcaster. That changes the game. Not everyone will agree to such a policy. And you just need one player to disagree to make it impractical.
Case in point: 9/11 attacks were shown on TV repeatedly - because there was more than 1 player who could do the broadcasting.
I don't think incidents could (or should) be completely hidden, as in the sporting example. But they could be less promoted.
We don't all have to magnify the events. Each news site (and voter) can decide where they want to play on the information continuum. Should News.YC be more gotcha-tabloid-if-it-bleeds-it-leads, or less?
I think there could be some cheering going on given the love-hate relationship between TechCrunch and the HN crowd, but I don't think anyone wishes them ill.
That's weird. I could have sworn there was a green 'share this' icon/link right below the hacker's text. I was going to say maybe that's the source of the vulnerability.. it's not in your screen cap though.
You do have to hand it to Arrington to run an interstitial welcome.html ad on there today based on the volume of traffic coming in to check out the hacking story . . .
Which hasn't been updated with details as promised. The lack of details here and the fact that you got hacked again makes it look either like you don't know how he got in, or that there were multiple vulnerabilities.
I gotta tell you, that interstitial is pretty poorly implemented anyways (was?).
Any time I try to visit a link to TC now, the interstitial comes up and then sends me to the front page. I'm not going to dig through to figure out where the actual content lives. Although, I've already dealt with the ads, so maybe it doesn't really matter.
An interstitial ad is an advertisement put in between content - the welcome.html that was on TechCrunch today was an ad greeting ALL users of techcrunch with a little "click here to see the website" at the top.
I absolutely dislike techcrunch, but the idea that they somehow took advantage of this situation and put up that ad is ludicrous. I can tell you from experience that interstitial ads are not done on the spot out of nowhere. They are high paying ad campaigns that are negotiated well in advance with (usually) only a single type of product/services.
I don't visit techcrunch often (it's actually hard-coded banned in my hosts file), but I can bet it was planned a couple of days in advance for this week's Apple announcement, or if it is the unlikely scenario that it happened the same day that they were hacked; it was merely a coincidence.
You just don't wake up one day and put up an interstitial ad on a high traffic site.
I have to disagree that this is out of the realm of possibility - TechCrunch's ad team is very creative and moves fast, and their inventory is IN DEMAND!
They sold ads written on a WHITEBOARD shown on their streaming office cam for goodness sake.
Nearly every modern ad serving platform allows for interstitials, so this is within the realm of imagination.
But he didn't, so my crackpot theory is out the window.
Interstitial ads are not the same thing as whiteboard ads. Like I said, you just don't wake up one day and put them up within 24-48 hours.
Your theory is still a crackpot theory even if someone from TC didn't point it out. I doubt you have any IRL experience in selling online ad inventory.
Yes, almost _all_ popular adservers allow interstitials, doesn't mean you see them all the time. Why? Because high paying inventory is only available at certain times of the year. Including high-profile product launches and holiday shopping season.
Since there still seems to be a debate about exactly what weakness was exploited, that conclusion is unwarranted.
For that matter, a truly thorough cracker (with more time than constructiveness) might go to the trouble to identify more than one weak point, hold some in reserve, and exploit them sequentially over time - either to offer a more depressing experience to the site owner or to discredit the site's technical team [taking advantage of people willing to jump to your conclusion :) ]
If there is more than one weak point, do they even need "conclusion-jumpers" to discredit their technical team? Assuming of course that it's not more than one 0day.
Getting hacked twice in a short time doesn't automatically mean incompetence. There could be literally dozens of ways of entry - including all the third party javascript services they run. Also we don't even know if the attack was done using a 0day exploit.
A sign of incompetence would be if they had their whole database wiped out and they didn't have any backup (à la codinghorror.com) or they got hacked exactly the same way 1 month from now.
Getting hacked 2 days in a row only means they couldn't find the weakness yet. 48 hours is not a long time. Twitter gets hacked more often than this.
They very well could be incompetent, but you are judging too soon.
> Getting hacked 2 days in a row only means they couldn't find the weakness yet.
Because, you know, restoring from a backup is the same as securing a site, right? And there's no way that a hacker could do worse things? Because infecting some visitors or something similar wouldn't hurt their reputation?
Sorry for the outburst, but this happens way too often.
GARY COLEMAN: I didn't say it was nice! But everybody does it! And ain't it fun to watch figure skaters falling on their asses?
NICKY: Sure!
GARY COLEMAN: And don'tcha feel all warm and cozy, Watching people out in the rain!
NICKY: You bet!
GARY COLEMAN: That's...
GARY AND NICKY: Schadenfreude!
Eventually, the hacker got 'hacked' by the media. Amusing. Should he be remembered, he'll be 'the guy who wanted to promote his porn site'.
Side effects, the new ad campaign benefits from the traffic peak and Techcrunch gains visibility.
I suspect the kid behind the hack is actually working FOR techcrunch ;)
My two cents: I guess they were using xmlrpc to post to the blog. The incutio xmlrpc library (or rather the metaweblog api which wordpress uses) requires that you send the username and password in the clear, so a man in the middle could easily gain access to their wordpress install.
I think a bigger problem is that they didn't separate the posting accounts from the admin accounts. Otherwise, the only damage that could have been incurred is to mess with posts.
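The two points in the comment above, as an added example that is not part of the original thread: it serializes a `metaWeblog.newPost` call with Python's standard `xmlrpc.client` to show that the username and password travel as plain parameters in every request body, then audits a posting setup for a non-HTTPS endpoint and for an administrator account used for posting. The endpoint URLs, account names and password are constructed sample values, and the role names assume WordPress's standard roles.

```python
import xmlrpc.client
from urllib.parse import urlparse

# WordPress roles that can publish posts without full site administration.
POSTING_ROLES = {"author", "editor"}


def build_new_post(blog_id, username, password, title, body):
    """Serialize metaWeblog.newPost(blogid, username, password, struct, publish)."""
    content = {"title": title, "description": body}
    return xmlrpc.client.dumps(
        (blog_id, username, password, content, True),
        methodname="metaWeblog.newPost",
    )


def credentials_on_wire(request_body):
    """Return what anyone who can read the request body recovers from it."""
    params, method = xmlrpc.client.loads(request_body)
    return method, params[1], params[2]


def audit_posting_setup(endpoint, account_role):
    """Flag the two weaknesses the comment describes for one posting account."""
    findings = []
    if urlparse(endpoint).scheme != "https":
        # The API has no challenge/response step; only TLS hides the password.
        findings.append("cleartext-credentials")
    if account_role.lower() not in POSTING_ROLES:
        # A captured administrator password exposes the whole install.
        findings.append("posting-account-overprivileged")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not taken from the incident discussed here.
    body = build_new_post("1", "newsdesk", "constructed-password", "Hello", "Text")
    print(credentials_on_wire(body))
    print(audit_posting_setup("http://blog.example/xmlrpc.php", "administrator"))
    print(audit_posting_setup("https://blog.example/xmlrpc.php", "author"))
```
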
I don't think it's back up yet.
All the links are showing this -
Sorry, we couldn't find the page you were looking for. Please return to the homepage.
but the home page is up looks like and so are all the ads :) (funnily enough even on broken pages the ads are not broken)