“Boy CEO” Mark Zuckerberg’s Two Smartest Projects Were Growing Facebook And Growing Up | Fast Company
From studying leaders he admired to taking elocution lessons, Zuckerberg made his evolution into a world-class CEO a personal project. Photo by Martin Schoeller/August
It was a minor meta moment, the perfect inside joke to kick off a September day that was otherwise all business. The occasion was f8 2011, the erratically scheduled, mostly annual conference for Facebook developers and social-media innovators, a gathering that now has a pilgrimage-like quality for the Facebook faithful. It is one of the few opportunities for legions of Mark Zuckerberg fans viewing the event live online to observe their spotlight-averse hero perform a rite native to the CEO species: the keynote address. Ladies and gentlemen, Mark Zuckerberg. The whoops turned to laughter almost immediately; it took only a few seconds for the assembled engineers, designers, brand stewards, marketing mavens, nonprofiteers, pundits, bloggers, and investors to realize that they were being punked.
On stage was the comedian Andy Samberg, fully in character as “Zuck Dawg” in a hoodie, jeans, and Adidas sandals. “I want to start by focusing on some key issues,” he said. “The first is the importance of authentic identity. I …” he paused, hand over heart, “… am Mark Zuckerberg.” It was a delicious moment for the Facebook staff, now 3,200 strong. For them, it’s always been about identity. Since Facebook’s February 2004 launch, the company has succeeded because hundreds of millions of people—slowly at first and then in crashing herds—became comfortable sharing their true selves on the site. It is precisely that authenticity that makes Facebook matter to its 845 million users. If Marshall McLuhan had lived long enough to have a Facebook profile, his status might read thus: The medium isn’t just the message; the medium has become us.Zuckerberg’s bet was that Facebook’s guiding essence, the Hacker Way, could be baked into a new style of management for a new type of company.
But the moment belonged first and foremost to Zuckerberg, who for years has had his own identity problem: “boy CEO.” Young, arrogant, and awkward—no one believed that Zuckerberg could survive the adult swim of real business, and thanks to his depiction in The Social Network, some folks will forever see him as the fatally flawed psychopathic robot nerd looking to steal your code, your personal data, your girlfriend. “I don’t think about it … much,” he once told me when I asked him how he handles all the noise, measuring his words as he always does. “I understand why people need to have these dialogues, to ask these questions. We have so much to do here, we don’t think about it if we don’t have to.”
I first met Zuckerberg and his colleagues five years ago, when Facebook had just 19 million users and was on the verge of opening up its platform to outside developers. Looking back on more than 400 hours of reporting with Facebook staffers, investors, and people in the site’s ecosystem, including a visit in late December, plus more than seven hours of one-on-one interviews with Zuckerberg, one fact is clear: The only thing that could have derailed Facebook’s climb to Internet domination was the inexperience of a young CEO. He had never held a proper job before and, by virtue of his own ballsy negotiations, could not be ousted from his position. (Facebook, citing IPO-quiet-period restrictions, declined to make Zuckerberg available for this story.) But what was largely interpreted as control freakery in service of a bigger exit strategy turned out to be a real vision. “So many businesses get worried about looking like they might make a mistake, they become afraid to take any risk,” he told me after the company moved into its first grown-up tech campus, on Palo Alto’s California Avenue, in 2009. “Companies are set up so that people judge each other on failure. I’m not going to get fired if we have a bad year. Or a bad five years. I don’t have to worry about making things look good if they’re not. I can actually set up the company to create value.”
You Know What’s Cool? A Billion DollarsNine of the big winners when Facebook goes public.
Founder, chairman, and CEO
The venture capitalist led an early $12.7 million funding round.
Cofounder and first CTO
The entrepreneur was Facebook’s founding president.
The PayPal cofounder was Facebook’s first angel investor.
The artist received stock options for murals painted at Facebook HQ in 2005.
(Plus an additional 39 million in restricted stock units worth more than $1.1 billion)
Cofounder and first unofficial spokesperson
The Washington Post Co. CEO has sat on Facebook’s board since 2008.
$45 million*Based on a $100 billion valuation
This February, as part of his effort to ensure that this remain true, Zuckerberg asked investors to back a company in which he will retain 57% of the voting stock. He outlined the company’s guiding principle, which he calls the Hacker Way, in a personal letter to potential shareholders that accompanied the IPO filing. This is the idea that gives Facebook its identity—as a company that questions assumptions, moves fast, takes risks, shares information, and learns from other smart people. Nowhere does this manifest itself more clearly than in the company’s regular hackathons, extended coding sessions where employees race to invent new products. “What you’ll hear over and over and over again is ‘why?’ ” says HR chief Lori Goler of a culture filled with millennials (average age: 28) who question the purpose of every feature and expect a logical answer.
Turning that “we’re all coding together in one big room, and we get great ideas and move fast because anyone can walk up to anyone else” ethos into a business required the young CEO to turn his hacker sights on himself. An experiential learner, Zuckerberg transformed himself with astonishing discipline into a CEO worthy of the company he was building. “Look, we were so young,” Zuckerberg told me back in 2007. “When we first got here [to Silicon Valley], we knew that there was so much we just didn’t know.” He was 22 years old when he made that poignant observation. He had arrived in Palo Alto when he was 20.
Zuckerberg is one of the few CEOs in history to come to significant power without his personality fully formed, and he was smart enough to take himself on as a project. His maturity as a CEO and Facebook’s open culture are the result of what can be considered the longest hackathon in history.
My first visit to Facebook, in February 2007, started as a typical one. I was to begin and end the day with a one-on-one with Zuckerberg, with a series of get-to-know-the-company meetings in between. He arrived 20 minutes late for our first meeting, holding a paper bowl of Cheerios and looking more like an overworked paperboy than a new-media mogul. (Later that day, then-COO Owen Van Natta, a Valley veteran and early Facebook “adult,” would roll his eyes and tell me, “The kids eat way too much cereal around here.”) Zuckerberg confessed that he’d been up early to “work on something” and had fallen back asleep. He appeared to be telling the truth: Sleep creases surrounded his red eyes, and he was wearing the same thing he’d worn at the Fast Company photo shoot the day before. He was an odd mix of friendly, quirky post-teenager and philosopher king in training. He would talk about his love of Guitar Hero and Chicken McNuggets, yet he’d always return to the ideas that openness and connecting people were all that really mattered to him, and that he thought Facebook could change the world. Zuckerberg had already faced numerous tests as the site grew, from opening it up to any person over the age of 13 to jumping into the crowded digital photo-sharing market with a simply designed product (tag your friends!) that blew the others away.
Zuckerberg’s most important lesson as a “boy CEO” came from Facebook’s first flush of popularity in corporate America. He spent a lot of time in 2006 talking to the likes of Viacom and Yahoo, both of whom were kicking the tires on acquiring Facebook for up to $1 billion. The mogulizing had taken him away from the company, which was burning through cash; his absence sent waves of discontent through a staff that didn’t know what its leader was thinking. Are we selling? Not selling? Raising money? “What were we going to do, not take the meetings?” recalls Facebook cofounder Dustin Moskovitz, defending his friend. “We were learning about the world by talking to these people.”
But Zuckerberg got the message. “I needed to be more open,” he told me. Encouraged by legendary Silicon Valley recruiter Robin Reed, he hired an executive coach to help him identify and hone the essential skills of running a fast-growing company. He began to study and evaluate the successful people and companies around him, tapping them for insider lessons in leadership. “He is a sponge for process—in a way I’ve rarely seen,” Accel partner and early Facebook investor Jim Breyer told me. Zuckerberg instituted regular all-hands meetings so people could hear directly from him what was happening, and he began to tackle the tough issues of organizational design and personal accountability. (One of Sheryl Sandberg’s first great acts as COO was to hold a public forum exploring women’s issues, including their scant numbers in the engineering ranks, with Zuckerberg’s support.)
As public interest in Facebook grew, Zuckerberg had to master grace under the judgmental glare of the public spotlight—amplified in large measure by Facebook’s own success as a platform to share information. He sometimes seemed like a boy trying on the role of a CEO. He overrelied on jargon and talking points during public presentations, and he exhibited anxiety, even in front of audiences of his peers, making him seem shifty, fragile, and untested. His first appearance on the Today show took so much out of him that he pushed back that day’s meetings to walk the New York City streets and decompress. “I’m trying to get Dustin to do more media so I don’t have to do it as much,” he told me, recounting the story later. “It’s not the most fun thing.” Though the protective cocoon that formed around Zuckerberg and his young cohorts (Moskovitz and fellow cofounder Adam D’Angelo had little interest in speaking to the public) had the unfortunate effect of obscuring his more heartfelt motives, it provided much-needed room for him to work on the product and gave him time to prepare for the crucibles to come.
Back at headquarters, the young Zuckerberg could be his true self and could help his company define its own true self as it grew. In 2007, MySpace was the dominant social network, with Facebook but one of many upstart competitors. Zuckerberg needed the smartest people; to hire them, he had to make the case that Facebook was their best bet. When Zuckerberg and I circled back that first day we met, I sat in while a fairly sophisticated HR team updated its CEO on hiring. Zuckerberg ran the meeting with a good-natured crispness. Facebook’s early-recruiting efforts focused on employee referrals, which were a good way to create a pre-vetted band of brothers. “Oh, that guy?” Zuckerberg said as they ran through the list of names. “He taught me and D’Angelo at Exeter!” The hiring strategy netted essential employees such as Andrew Bosworth, who had taught Zuckerberg at Harvard and is now the company’s director of engineering. (He’s also the one who later invented the company’s all-important BootCamp program, where new hires learn the history of Facebook’s code.)
They knew they were going to run out of former teaching assistants to hire. The company set up a recruiting program that deeply involved even rank-and-file engineers in the process of finding their future peers. All had interviewing duties. The normally reticent and overworked programmers did campus visits, attended tech meetups, and even traveled to a little event in Austin called South by Southwest (which was explained in detail to Zuckerberg). Knowing that their efforts were important and appreciated, they took on the recruiting effort with unalloyed enthusiasm.
Two things made all this effort remarkable and essential to Facebook’s success. For starters, the team built the first of many tools designed to help everyone work together efficiently. They cobbled together a wiki that let everyone share feedback, recommendations about candidates, and ideas of how to persuade the undecided to fall their way. The wiki made the lives of the recruiting team infinitely easier. To this day, regular employees are critical to finding and wooing potential hires. More important, perhaps, the team approached every hire with an eye on the future. “The people we hired were capable of solving the problems we knew were coming,” Bosworth explains, launching into a high-level riff on cognition theory and communication biases before boiling it back down. “You have to be prepared to jump in, make stuff, and grow.”
When I visited with Zuckerberg in late 2009, almost three years after our first meeting, he was more seasoned and yet very much the same. This was the year he wore a tie every day, to telegraph that it was a serious year for the company. As always, he had a good story to tell, this one about bumping into Intel’s bellicose former CEO Andy Grove, who was visiting an executive at Facebook’s new headquarters. Zuckerberg had been studying the history of Intel’s strategy, and after they were introduced, Grove offered some unsolicited feedback. “I said something about what we were trying to do,” recalled Zuckerberg, “not just trying to build the biggest business, but do things that were really good. Then Andy said …” and Zuckerberg modulated his voice to mimic the septuagenarian Hungarian-American’s, “ ’Oh, that’s the biggest bullshit.’ ” Zuckerberg laughed, at the memory and his own impression. “Andy went on to say, ‘All these companies pretend that they’re trying to do something good and really they just need to be competing and killing each other.’ ” Zuckerberg wiped his eyes. “I totally like him. He yells at me no matter what we’re talking about.”
Though grateful for the feedback, Zuckerberg didn’t change course. He was still exceptionally focused on Facebook’s culture. As the company and service grew—it had 1,200 employees and 400 million users around the time we met in 2009—he and his colleagues worried endlessly about the death-by-meeting blues. Facebook had grown into 135,000 square feet in Palo Alto and many locations around the world. It was a quarter-life crisis in the making, the sinking realization that you can’t stick it to the man if you become The Man. In Facebook’s world, Google had become The Man. Engineers there checked in code, then waited as it disappeared for days, weeks, even months. Tales of the company’s bureaucracy were becoming legend—especially at a company loaded up with Google refugees. “You feel like you have to make a choice at some point,” said Mike Schroepfer, Facebook’s VP of engineering. “Will the system be reliable or will the innovation be fast?”
The Hacker Way was designed to sidestep this Faustian bargain; Zuckerberg’s bet was that the guiding essence of Facebook could be baked into a new type of management system for a new type of company. The philosophy respects efficiency above all else. And that could be applied beyond engineering. “Can we take what used to take 10 clicks for someone to get the information they need and reduce it to three?” Zuckerberg told me, recounting a conversation he had with an engineer running the tools group about a better system for the customer-service team. “It saves time over thousands of operations. What can we do with that time?”Facebook is a company designed by millennials for millennials. “As we like to say, ‘Pixels talk,’ ” says Joey Flynn, one of the designers of Timeline. “You can do anything here if you can prove it.”
Everything about how professionals interact and communicate was up for grabs. “We were born out of a mission,” explains Goler, “so any process we have must serve a clear purpose. Since we started with none, we really thought everything through.” The only thing that mattered: Help people do their work faster. Nothing was too sacred. “Email is poorly designed and useless,” reported Zuckerberg, citing a study the company had conducted. “Most subject lines are ‘hi,’ ‘hey,’ or left blank. What’s that tell you?” Instead, a series of internal tools evolved to let people communicate in a way that was more informal and more natural to the projects they worked on, such as a quick acknowledgment-badge system simply called “thanks.” The company then embraced a comprehensive feedback tool called Rypple, much of which was built and evolved within Facebook, with engineering teams as guinea pigs. (It has since been acquired by Salesforce.com.) Gone are the workflow management systems of a manufacturing age. Instead, says Rypple cofounder Daniel Debow, the software created a social environment where people and projects can keep in touch in an easier way. “We’re just amplifying existing behaviors—like texting, posting on walls, and looking at photos—that help people communicate more efficiently in ways that they already do.”
Inside the New Facebook HeadquartersThe social-networking giant moved into its new Menlo Park, California, digs last December. Here are never-before-seen images from the expansive new campus.
“What should reviews look like?” asked Molly Graham, then the head of culture and engagement at Facebook, citing another standard management practice that was up for, well, review. “We struggled hard. In the end we developed a system that’s meant to fairly reward people for their contributions to the company and is meant to help people grow.” The company encourages employees to form teams around projects of passionate interest, a natural way to craft a nontraditional career path showcasing competence, not brandishing credentials. “As we like to say, ‘Pixels talk,’ ” says Joey Flynn, a product designer on Timeline. “You can do anything here if you can prove it.” The company delivers promotions (and bonuses) twice a year. For millennials, who have grown up with the constant micro-interactions of pokes, badges, texts, tweets, and wall posts, the system fits their need for feedback and validation. As Graham points out, “This is a company designed by millennials for millennials.”
The company does still make traditional calls—the era of riding RipStiks down the hall, for example, came to an end when an intern broke his wrist. But for an idea that has turned into a company, Facebook has done a remarkable job of using its collaborative philosophy to develop the workforce it had into the innovators it needed. Back in 2007, Matt Cohler, Facebook employee No. 5 (and currently a venture capitalist who invested in both D’Angelo’s and Moskovitz’s startups), put a very flat, bare-bones management structure in place. There were few vice presidents, for example, and Zuckerberg had only five direct reports. “We were determined to keep things as flat as possible,” Cohler told me. “The harder we make it for people to invent together, the faster we fall behind.”
When I last visited Facebook in December, employees were packing up “the Bunker,” as they call their old digs, in preparation for a move to a 1-million-square-foot campus in Menlo Park. Sitting amid the packed boxes and lightbulbs with some A-players, including Flynn and engineer Josh Wiseman, it became clear that the foundation that Cohler had put in place had held up under the weight of rapid, enormous growth. One of our group was former Google superstar Lucy Zhang, who decided to come to Facebook in 2011 when it bought her group-messaging startup, Beluga. “I left Google because I couldn’t take enough risks there,” she said unironically. “Here, I can really do things.”
At the end of my first visit, back in 2007, Zuckerberg spent the last hour quizzing me about what I had picked up about the company. He asked me about the themes that we’d talked about in the morning, particularly openness. “Did you find that to be true?” he asked me. “How did you know? What were people saying? How did they talk about the culture? Like, specifically?” It was the first of many times he’s turned the table on me, and one of the best ways a non-Facebook employee can feel what it’s like to have assumptions dissected by one of the sharpest minds in tech. He nodded as I spoke, listened, laughed at my impressions of his friends. But what he wanted to know was simple: Could my experience confirm what he hoped was true of his fledgling company?
And then he gave me a piece of advice, meant for my writing of the Facebook story. But it serves just as well as the underlying force guiding Facebook and Zuckerberg himself: “It’s iterative, right?” he said. “You’ll write it, then next year you’ll write another story, and another, and eventually, the story will be the way you want it.”
A version of this article appears in the April 2012 issue of Fast Company
Hackers wanted $50,000 to keep Symantec source code private | Security - CNET News
As part of a sting operation, Symantec told a hacker group that it would pay $50,000 to keep the source code for some of the its flagship security products off the Internet, the company confirmed to CNET this evening.
An e-mail exchange revealing the extortion attempt posted to Pastebin (see below) today shows a purported Symantec employee named Sam Thomas negotiating payment with an individual named “Yamatough” to prevent the release of PCAnywhere and Norton Antivirus code. Yamatough is the Twitter identity of an individual or group that had previously threatened to release the source code for Norton Antivirus.
“We will pay you $50,000.00 USD total,” Thomas said in an e-mail dated last Thursday. “However, we need assurances that you are not going to release the code after payment. We will pay you $2,500 a month for the first three months. Payments start next week. After the first three months you have to convince us you have destroyed the code before we pay the balance. We are trusting you to keep your end of the bargain.”
A Symantec representative confirmed for CNET the extortion attempt in this statement:
In January an individual claiming to be part of the ‘Anonymous’ group attempted to extort a payment from Symantec in exchange for not publicly posting stolen Symantec source code they claimed to have in their possession. Symantec conducted an internal investigation into this incident and also contacted law enforcement given the attempted extortion and apparent theft of intellectual property. The communications with the person(s) attempting to extort the payment from Symantec were part of the law enforcement investigation. Given that the investigation is still ongoing, we are not going to disclose the law enforcement agencies involved and have no additional information to provide.
However, after weeks of discussions regarding proof of code and how to transfer payment, talks broke down and the deal was never completed. A group called AnonymousIRC tweeted this evening that it would soon release the data. “#Symantec software source codes to be released soon. stay tuned folks!!! #Anonymous #AntiSec #CockCrashed #NortonAV.”
Apparently after weeks of discussions, Yamatough’s patience was wearing thin, leading to an ultimatum:“If we dont hear from you in 30m we make an official announcement and put your code on sale at auction terms. We have many people who are willing to get your code. Dont f*** with us.”
The exchange gets contentious at times, with Yamatough suggesting that Symantec was trying to track the source of the e-mails:“If you are trying to trace with the ftp trick it’s just worthless. If we detect any malevolent tracing action we cancel the deal. Is that clear? You’ve got the doc files and pathes [sic] to the files. what’s the problem? Explain.”
Another e-mail, with the subject line “say hi to FBI,” accuses the company of being in contact with the federal law enforcement agency, a charge Thomas denied. “We are not in contact with the FBI,” he wrote, falsely. “We are using this email account to protect our network from you. Protecting our company and property are our top priorities.”
Yamatough demanded that Symantec transfer the money via Liberty Reserve, a payment processor based in San Jose, Costa Rica. But Thomas appears reluctant, calling it “more complicated than we expected.” Thomas instead suggests using PayPal to transmit a $1,000 test as “a sign of good faith.” Yamatough rejects that offer, saying, “Do not send us any money (we do not use paypal period) do not send us any 1k etc. We can wait till we agree on final amount.”
Liberty Reserve did not immediately respond to a request for comment.
The posted thread ends with an exchange today with the subject line “10 minutes” that threatens to release the code immediately if Symantec doesn’t agree to use the payment processor to transfer the funds:“Since no code yet being released and our email communication wasnt also released we give you 10 minutes to decide which way you go after that two of your codes fly to the moon PCAnywhere and Norton Antivirus totaling 2350MB in size (rar) 10 minutes if no reply from you we consider it a START this time we’ve made mirrors so it will be hard for you to get rid of it.”
Thomas’ response, apparently the last of the discussion, is brief: “We can’t make a decision in ten minutes. We need more time.”
Symantec admitted in mid-January that a 2006 security breach of its networks led to the theft of the source code, backtracking on earlier statements that its network had not been hacked. The security software maker initially said a third party was responsible for allowing the theft of 2006-era source code for Norton Antivirus Corporate Edition, Norton Internet Security, Norton SystemWorks (Norton Utilities and Norton GoBack), and PCAnywhere.
Symantec said that most of it customers were not in any increased danger of cyberattacks as a result of the code’s theft but that users of its remote-access suite PCAnywhere may face a “slightly increased security risk.”
Symantec instructed its PCAnywhere users in late January to disable the product until the company could issue a software update to protect them against attacks that could result from the theft of the product’s source code.
The theft came to light in early January when hackers claimed that they had accessed the source code for certain Symantec products, which Symantec identified as Symantec Endpoint Protection (SEP) 11.0 and Symantec Antivirus 10.2. Evidence at the time suggested that hackers found the code after breaking into servers run by Indian military intelligence.
A hacker group calling itself Yama Tough and employing the mask of hacktivist group Anonymous in its Twitter avatar said in a tweet last month that it would release 1.7GB of source code for Norton Antivirus, but the group said in a later tweet that that it had decided to delay the release.
Here is the e-mail thread posted on Pastebin:
Update at 9:15 p.m.: A 1.2GB file labeled “Symantec’s pcAnywhere Leaked Source Code” has been posted to The Pirate Bay. CNET has asked Symantec whether the code is authentic. The story will be updated when Symantec responds.
Facebook’s URL scanner is vulnerable to cloaking attacks | ITworld
October 07, 2011, 2:39 PM — Members of a hacking think-tank called Blackhat Academy claim that Facebook’s URL scanning systems can be tricked into thinking malicious pages are clean by using simple content cloaking techniques.
Such attacks involve Web pages filtering out requests that come from specific clients and feeding them content that is different from what is displayed to regular users.
Attackers have been using this method to poison search results on Google for years now by serving keyword-filled pages to its indexing robot, but redirecting visitors to malware when they click on the links. However, it turns out that Facebook is also vulnerable to this type of content forging. “Hatter,” one of the Blackhat Academy members, provided a live demonstration, which involved posting the URL to a JPEG file on a wall.
Facebook crawled the URL and added a thumbnail image to the wall post, however, clicking on its corresponding link actually redirected users to YouTube. This happened because the destination page was able to identify Facebook’s original request and served a JPEG file.
“While most major sites that allow link submission are vulnerable to this method, sites including Websense, Google+ and Facebook make the requests easily identifiable,” the Blackhat Academy hackers said.
“These sites send an initial request to the link in order to store a mirror thumbnail of the image, or a snapshot of the website being linked to. In doing so, many use a custom user agent, or have IP addresses that resolve to a consistent domain name,” they explained.
Earlier this week, Facebook signed a partnership with Websense to use the security vendor’s cloud-based, real-time Web scanner for malicious URL detection. Blackhat Academy has now provided proof-of-concept code, which, according to its advisory, can be used to bypass it.
Websense doesn’t believe that to be the case. “This is nothing new. We use numerous methodologies and systems to ensure that our analysis of content (in real time) is not manipulated by malware authors, including using IP addresses not attributable to Websense so that malware authors are unaware that it is Websense analyzing the content,” the company said.
“Also, the Websense ThreatSeeker Network is fed via an opt-in feedback loop from tens of thousands of customers distributed globally. These IPs are also not attributable to Websense.com. It is because of technologies like this that Facebook chose Websense to provide protection for their growing user base of more than 750 million users,” it added.
That could well be true, but it’s worth keeping in mind that Websense primarily sells security solutions to businesses and Facebook is usually blocked on many corporate networks. It would be logical to assume that relying on its customers’ appliances to scan URLs on the social networking website might not have an immediate impact.
Hatter says that as a security research outfit Blackhat Academy follows responsible disclosure and notified Facebook of the content cloaking issue at the end of July. Despite this, the method still works.
“We’re well aware of the content forgery technique described and have built protections into our systems to account for it,” a Facebook spokesman said via email.
“The content returned when we crawl a shared link is only one of many signals we use to combat spam and abuse on Facebook. We know that this content can change between visits, and therefore can’t always be trusted, and our systems account for that,” he added.
Earlier this year, Facebook signed a partnership with Web of Trust (WOT), an organization that maintains a community-driven spam URL block list. However, it’s well-known that blacklisting is not very efficient and there can be a significant window of exposure between the time when a URL starts being spammed and the time when it’s flagged by such a system.
At the very least, content cloaking can be a powerful social engineering technique. A link with a .jpg termination accompanied by a thumbnail can look harmless enough to trick a lot of users into clicking on it.
Facebook and Websense are not the only ones with this problem. Google+ and Digg are also vulnerable to cloaking attacks, but other sites such as Twitter have developed strong protections against them.
Twitter Hacks Infographic
When good Twitter accounts go bad. Whether it’s malicious intent or simple human error, Twitter users are increasingly at risk when it comes to protecting their
privacy and reputation online. This infographic details several of the most recent and now infamous Twitter hacks, and examines common entry points for hackers, including weak passwords and malicious email attachments.
Mysql.com hacked, serving malware
Mysql.com has been hacked and is currently serving malware, Armorize warns.
The company has detected the compromise through its website malware monitoring platform HackAlert, and has analyzed how the compromise of the site’s visitors unfolds.
The mysql.com website is injected with a script that generates an iFrame that redirects the visitors to http://truruhfhqnviaosdpruejeslsuy.cx.cc/main.php, where the BlackHole exploit pack is hosted.
“It exploits the visitor’s browsing platform (the browser, the browser plugins like Adobe Flash, Adobe PDF, etc, Java, …), and upon successful exploitation, permanently installs a piece of malware into the visitor’s machine, without the visitor’s knowledge,” say the researchers. “The visitor doesn’t need to click or agree to anything; simply visiting mysql.com with a vulnerable browsing platform will result in an infection.”
What type of malware is served is still unknown, but the worrying thing is that currently only 9 percent of the AV solutions used by VirusTotal block it.
It is, of course, impossible to say who the attackers are. The domain reached through the iFrame is registered to one Christopher J Klein from Miami and is located in Berlin, Germany. The domain serving the exploit and the malware is located in Stockholm, Sweden.
The administrators of the mysql.com domain are being contacted, but the site is still up and compromised, say the researchers.
Trend Micro researchers add that they have recently discovered a denizen of a Russian underground forum selling root access to some of the cluster servers of mysql.com and its subdomains, asking at least $3,000 for each access, and that they have notified mysql.com administrators of their discovery a week ago.
China says to get tougher in fight against hacking | Reuters
BEIJING | Mon Aug 29, 2011 11:42am EDT(Reuters) - China’s Supreme Court and prosecutors office will step up the fight against computer hacking by toughening penalties for those caught doing it, state media said on Monday.
Under rules coming into effect from September 1, people who “knowingly purchase, sell or cover-up illegally obtained data or network control will be subject to criminal penalties,” the official Xinhua news agency cited a statement as saying.
“Such activities have become increasingly unrestrained, even giving rise to large online transaction platforms. Penalizing these violations helps sever the profit chain of hacking and other related crimes,” it added.
While the United States says many hacking attacks appear to come from China, often targeting human rights groups as well as U.S. companies, China says that it is one of the world’s biggest victims of hacking attacks.
“A crime endangering information network security poses a threat not only to network security but also to national security and public interests,” the news agency said, adding that the new rules were aimed at cracking down on such crimes with greater force.
In 2009, more than 42,000 Chinese websites were “distorted” by hackers, Xinhua said.
Data from the Ministry of Public Security shows that the number of viruses circulating on the internet has surged 80 percent from a year earlier in the past five years, Xinhua said. The ministry also estimates that eight out of 10 internet-connected computers are controlled by hackers, it added.
In its annual report to Congress on China’s military last Wednesday, the Pentagon warned that hacking attacks from China could one day be used for overt military means, rather than just trying to access data.
Last week, footage emerged online of a brief clip on Chinese state television of purported cyber hacking attacks launched by the country’s military, despite long-standing official denials that the government engages in such activity.
Google, the world’s largest search engine, partially pulled out of China last year after concerns of censorship and a serious hacking episode.
Google, who said the attacks originated from China, was one of the dozens of high profile companies targeted in an ultra-sophisticated cyberattack named “Operation Aurora” that took place in the second half of 2009. Yahoo, Adobe and Dow Chemical were also reportedly among the targets.
How did Feross Aboukhadijeh learn to program? - Quora
TL;DR: I learned how to program by building lots of websites.
And now, the full story:
I’ve been asked this question a lot lately, especially after I built.
I learned how to program by working on lots of different website projects starting from a pretty young age. What follows is a full account of all the major websites I’ve built, back to the very first site I made when I was 11 years old. What I hope the reader takes away from this full re-telling is the importance of doing lots of side projects if you want to learn to program well.
The best way to learn a new skill is to practice, practice, practice. All the best programmers that I know sincerely enjoy programming — it’s something that makes them absurdly happy to do. And, so they do it a lot. Often, an unhealthy amount. Learning how to program — and how to do it well — doesn’t take superhuman ability. It just takes a willingness to get your hands dirty and build stuff.
It doesn’t matter what you build, as long as you pick something and start. The good programmers who I know each had a different reason for initially learning how to program. Some learned so they could make video games. Some learned so they could solve their own computer problems, or work more productively. Some learned so they could build products that make people happy. Some (the true hackers) learned programming as part of a larger goal of learning how computers work at a really deep level; they want to understand the machine. Some programmers just do it because they enjoy solving difficult problems.
The single factor that unifies all these types of “good programmers” is that they all got obsessed with programming at some point in their lives, and subsequently spent a long time programming. Lots and lots of side projects.
So, without further ado, here is the story of how I learned to program:
My first website
When I was like 11 or 12 years old, I decided I wanted to make a website for myself. I can’t remember exactly why I wanted a website, I just remember that I did. So, I searched the Internet for free information about how web pages, web browsers, and HTML worked. A lot of the information I found was out-of-date, plain wrong, or advocated bad practices (like making separate websites for Internet Explorer and Netscape), but it was really interesting and I learned a lot of neat stuff.
Despite the shoddy information I found online, I was able to make a simple website, which I called “Feross’s Website”. I built it with Microsoft Frontpage, which had really cool side-by-side WYSIWYG and HTML editors. I could make changes using familiar commands like Bold, Italics, etc. and see how that affected the HTML code in realtime. A great way to learn.
Here are some screenshots of my first site. It’s no longer online.
You can’t see it in the above screenshot, but almost every element on the site blinked, flashed, moved, or made sound. I put a different MIDI song on every page of the site. They all played automatically and there was no way to stop the music, unless you muted your speakers. Ah, good old web design from the early 00’s :D
As I got older, I tried to make my site better by redesigning it. I used free website templates that I found online and modified their images in Microsoft Paint.
Even though I built heavily on existing templates, I think this was a pretty good way to learn how HTML and web browsers worked. “Feross’s Website” didn’t have a purpose other than to collect a few movies I made as a kid, so it got boring after a while.
My first real project
In 9th grade (14 years old), my friends and I were pretty obsessed with watching flash movies and videos on websites like Newgrounds and eBaumsWorld (this was before 2005, so YouTube didn’t exist yet). I spent lots of time on these sites so I knew about all the best videos and games. I thought it would be really cool to make a website that collected all my favorite flash animations, videos, and games from around the Web in one place. That’s where I got the idea for FreeTheFlash.com (http://www.freetheflash.com). Here is what it looked like:
I used all the HTML I learned from working on “Feross’s Website” and also got my hands on a copy of Macromedia (now Adobe) Dreamweaver, which helped me use templates for the repetitive parts of the site.
After a while, I realized that I should make the site dynamic (I remember hearing that buzzword a lot), which basically meant that the site would be powered by a programming language like PHP, instead of just static HTML. So, I bought a book called PHP and MySQL for Dynamic Websites for $20 on Amazon (http://www.amazon.com/gp/product…) and redesigned the site to use PHP and MySQL. I also gave it a fresh coat of paint:
I continued to work on FreeTheFlash for 2 years in high school. It was pretty successful for my first attempt at a “real” website — it had 600,000 visitors and 3 million page views in 2006. FreeTheFlash taught me how awesome it feels to make a product, stick it out there, and watch lots of people using it. It made me want to build a lot more websites.
My second website
In high school, I took pretty good notes for a few of my AP classes. So, in 11th grade, I decided to put my notes online for other students to use, if they didn’t feel like reading the textbook. I made a site called StudyNotes (http://apstudynotes.org) which I built with PHP and a content management system called Joomla. I also experimented around with Drupal, but found it to be too complicated.
That same year, I also made a website for my school’s Key Club chapter. It’s archived here: http://feross.org/orhskeyclub.com/
During this period, I spent a large amount of my free time reading WebmasterWorld (http://www.webmasterworld.com/), a forum for website publishers and SEO experts to speculate about the Google algorithm, discuss AdSense tricks, and debug website design issues.
Lots of studying and reading
After I got to Stanford, I took lots of great computer science classes likeand CS107, and I also started the CS106 classes.
What did I read? Lots of different stuff. But, mostly blogs by first-class designers and programmers who I admire a lot. Real badasses. For a sampling of some of these blogs, take a look at the “Respect Rollcall” in the sidebar of my blog, here: http://www.feross.org/
A viral hit
Then, in the summer of 2010, while interning at Facebook, I built http://ytinstant.com/) to settle a bet with a . It’s a video site that lets you search YouTube in real-time. The site went on to get 1 million visitors within 10 days of launch, and the YouTube CEO also . Read about the media frenzy here: http://www.feross.org/youtube-in…(
I know that YouTube Instant’s success was mostly due to chance good timing and a little luck. Read http://www.feross.org/none-of-us… for some more of my thoughts about that.
The beat goes on
I noticed that lots of people were using YouTube Instant to listen to music videos, and that got me thinking about other cool ways to use the YouTube API. So, my friend Instant.fm, a really easy way to share music playlists with your friends. We both learned a ton of new stuff during this project.and I decided to spend the first 3 months of 2011 building
Some things we mastered during this project:
- (and Modernizr and YepNope for cross-browser issues)
- Last.fm API
- YouTube API
- Working on a team
And some other things we learned how to use, too:
- Supervisor (http://supervisord.org/)
Read more about all the tech we learned here on my blog: http://www.feross.org/instant-fm…
TL;DR - Just start building stuff!
The point of this long expose on everything I’ve built since age 11 is that if you want to learn programming, then you need to start building stuff! Right now. No more excuses.
Doing something is the fastest way to learn it.
Reading a programming language book from front to back is boring and you’ll quit before you finish it. But, if you have a project in mind, you can learn what you need to know as you go along, which is more effective both in terms of speed and mastery of the content.
Computer science classes
Taking CS courses at a university is another great way to learn programming. Most good CS curriculums emphasize learning the important concepts and paradigms in the field of CS, as opposed to teaching a specific programming language. This can be an eye-opening experience for self-taught programmers who’ve never had any formal education.
I remember sitting in my first-ever CS class at Stanford (a class taught in C++) thinking “How on EARTH can they have variables that don’t start with dollar signs?” Up until that point, I’d only ever programmed in PHP! :) It took a while for me to drop the habit of $putting $dollar $signs before every variable name!
Work at a software company
Another way to get much better at programming is to work at a software company like Facebook or Quora, which I did over the last two summers. You’ll learn how to program from people way better than you, how to read and understand other people’s code, and how to work on large projects with a team.
Still — more than anything else — the very best way to learn programming is to do side projects. Have I repeated this enough times, yet? :)
How to learn programming:
- Do side projects.
- Buy and read programming books.
- Do side projects.
- Take computer science classes.
- Do side projects.
- Read programming blogs.
- Do side projects.
That’s the best advice I got.
Hackers Get Their Own Scoreboard and Rankings | SecurityWeek.Com
Sometimes hacking is about money; other times, it’s about competition, and when that happens, it is also about getting a little credit.
Enter RankMyHack.com. The site is described as the world’s “first elite hacker ranking system”, and invites people to submit proof of their Website hacks in exchange for points - the higher the points, the higher the place on the leader board.
“So far more than 1000 sites were hacked in this competition – including very high profile ones,” blogged Rob Rachwald, director of security strategy at Imperva.
“How do hackers get ranked? They need to prove they have indeed hacked a site – by inserting a predetermined text into the hacked site page,” Rachwald continued. “Rankmyhack scans for that text in the page – and gives score based on how popular the website is. Lower points are awarded for XSS attacks.”
There’s also a ‘Duel’ mode where hackers can compete against each other in hacking as many sites as possible in a given time, and there are bonus points for hacking racist or edu, mil, gov sites. Hackers can also check how many points hacking a site is worth by typing in a URL.
Assuming the site is real – and early reports indicate that it is – hackers can now see where their hacks stack up against those of their peers. Will this morph into a playground for hacktivists to hone their skills? Only time will tell.
Malware Secretly Attaches Stolen Data to Photos : Discovery News
Malware often gets delivered via fake emails or links, but now there’s a new way to steal data through your Facebook photos.
Called Stegobot, the malware was developed by researchers at the University of Illinois Champaign-Urbana and the Indraprastha Institute of Information Technology in New Delhi.
Stegobot steals data — passwords for example — and then insert the information into a photo. The technique is called steganography, and it’s not new to covert computer operations. Programs based on this technique work by secretly replacing bits of unused data in computer memory with digital bits of information desired by the theif. About 50 kilobytes of information can be hidden in a photo this way without altering its appearance or alerting the owner of the computer to any suspicious activity. More can be inserted if you don’t mind a stray pixel here and there.
The malware first gets on your computer the way any other malware does: one clicks on a fake link or opens up an email. The clever part of Stegobot is the use of social networks to send the data to the botmaster. When one of your friends looks at your profile, Stegobot takes whatever information it stole and adds it to a photo. Since Facebook downloads files in the background — no clicking on them required — the user won’t see it happening. The stolen data can then be retransmitted via the social network until it eventually reaches the botmaster.
Some computer scientists are skeptical, as something like Stegobot isn’t as efficient a data-stealing method as the usual malware that just sends information directly to a botmaster. But Stegobot’s activity is harder to detect because it isn’t using normal channels. That might make it (or something like it) more attractive to criminals.
Hacker Group Anonymous Vows To Destroy Facebook On November 5
This isn’t the first time Anonymous has spoken out against social networks.
After Google removed Anonymous’ Gmail and + accounts, Anonymous pledged to create its own social network, called AnonPlus.
DATE: November 5, 2011.
Attention citizens of the world,
We wish to get your attention, hoping you heed the warnings as follows:
Your medium of communication you all so dearly adore will be destroyed. If you are a willing hacktivist or a guy who just wants to protect the freedom of information then join the cause and kill facebook for the sake of your own privacy.
Facebook has been selling information to government agencies and giving clandestine access to information security firms so that they can spy on people from all around the world. Some of these so-called whitehat infosec firms are working for authoritarian governments, such as those of Egypt and Syria.
Everything you do on Facebook stays on Facebook regardless of your “privacy” settings, and deleting your account is impossible, even if you “delete” your account, all your personal info stays on Facebook and can be recovered at any time. Changing the privacy settings to make your Facebook account more “private” is also a delusion. Facebook knows more about you than your family. http://www.physorg.com/news170614271.htmlhttp://itgrunts.com/2010/10/07/facebook-steals-numbers-and-data-from-your-iph….
You cannot hide from the reality in which you, the people of the internet, live in. Facebook is the opposite of the Antisec cause. You are not safe from them nor from any government. One day you will look back on this and realise what we have done here is right, you will thank the rulers of the internet, we are not harming you but saving you.
The riots are underway. It is not a battle over the future of privacy and publicity. It is a battle for choice and informed consent. It’s unfolding because people are being raped, tickled, molested, and confused into doing things where they don’t understand the consequences. Facebook keeps saying that it gives users choices, but that is completely false. It gives users the illusion of and hides the details away from them “for their own good” while they then make millions off of you. When a service is “free,” it really means they’re making money off of you and your information.
Think for a while and prepare for a day that will go down in history. November 5 2011, #opfacebook . Engaged.
This is our world now. We exist without nationality, without religious bias. We have the right to not be surveilled, not be stalked, and not be used for profit. We have the right to not live as slaves.
We are anonymous
We are legion
We do not forgive
We do not forget