corigin.com

software news

Spot the Difference

Posted in MySpace (November 26, 2007 at 1:10 am)

You know, this is a difficult and awkward post to make. But then I pretty much built what reputation I have on those two things - being difficult and awkward. So here goes. If you woke up on the 31st of October and checked out the news, you’d have seen this.

The text reads: “The bands’ MySpace pages have a transparent overlay that, when clicked, either links to a Web site that tries to start downloading malware disguised as a media codec or attempts to exploit a browser security flaw, said Chris Boyd, security research manager with FaceTime.

When a cursor passes over part of the overlay, the IP (Internet Protocol) address for a Web server in China is shown in some browsers. However, the fake media codec site is hosted in Russia, Boyd said. He posted screenshots of the problem on his blog Wednesday.”
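The overlay described in that report lends itself to a simple static check. The script below is an added example for this write-up, not code from the original post, from FaceTime or from MySpace: it parses a profile page's HTML and flags any link that sits inside (or is itself) an absolutely positioned, page-sized, invisible element and points off-site, meaning to a raw IP address or to a host outside an allow-list. The sample profile markup, the 198.51.100.7 address and the myspace.com allow-list are constructed for illustration; the injected markup from the incident is not reproduced on this page.

```python
# Added example (not code from the original post, FaceTime or MySpace):
# flag links on a profile page that sit inside an invisible, page-covering
# element and point off-site. Sample markup, the 198.51.100.7 address and
# the allow-list below are constructed assumptions, not taken from the incident.
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_HOSTS = ("myspace.com",)  # assumed: the host the profile lives on
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "param", "source", "track", "wbr"}

# Constructed sample: a band profile fragment with an injected transparent overlay.
SAMPLE_PROFILE_HTML = """
<div class="profile">
  <h1>Some Band</h1>
  <a href="http://www.myspace.com/someband/music">Listen</a><br>
  <div style="position:absolute; top:0; left:0; width:100%; height:100%; z-index:9999; background:transparent">
    <a href="http://198.51.100.7/codec/" style="display:block; width:100%; height:100%; opacity:0"></a>
  </div>
  <a href="http://www.myspace.com/someband/pics">Pics</a>
</div>
"""

def parse_style(style):
    """Turn 'a: b; c: d' into {'a': 'b', 'c': 'd'}, lower-cased."""
    pairs = (d.split(":", 1) for d in style.split(";") if ":" in d)
    return {k.strip().lower(): v.strip().lower() for k, v in pairs}

def _is_full_size(value):
    """Width/height that spans (almost) the page: >= 90% or >= 600px."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)(%|px)", value or "")
    return bool(m) and float(m.group(1)) >= (90 if m.group(2) == "%" else 600)

def covers_page(style):
    """Taken out of the normal flow and sized to cover the page."""
    return (style.get("position") in ("absolute", "fixed")
            and _is_full_size(style.get("width"))
            and _is_full_size(style.get("height")))

def is_invisible(style):
    """opacity 0 (CSS or old-IE filter) or a transparent background."""
    try:
        if float(style.get("opacity", "1")) <= 0.05:
            return True
    except ValueError:
        pass
    return ("opacity=0" in style.get("filter", "").replace(" ", "")
            or "transparent" in style.get("background", "")
            or "transparent" in style.get("background-color", ""))

def is_offsite(href, trusted_hosts=TRUSTED_HOSTS):
    """Link leaves the profile's host: a raw IP, or a host outside the allow-list."""
    host = (urlparse(href).hostname or "").lower()
    if not host:
        return False  # relative link stays on the profile's own host
    try:
        ipaddress.ip_address(host)
        return True   # raw IP address, as in the reported overlay
    except ValueError:
        return not any(host == t or host.endswith("." + t) for t in trusted_hosts)

class OverlayScanner(HTMLParser):
    """Track the inline style of each open element; flag an off-site <a> when it
    or any ancestor covers the page and is invisible. Heuristic only: unclosed
    block tags would desynchronise the ancestor stack."""

    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted_hosts = trusted_hosts
        self.stack = []      # style dict of each open element, outermost first
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        style = parse_style(attrs.get("style") or "")
        if tag == "a" and attrs.get("href"):
            chain = self.stack + [style]  # ancestors plus the link itself
            if (any(covers_page(s) for s in chain)
                    and any(is_invisible(s) for s in chain)
                    and is_offsite(attrs["href"], self.trusted_hosts)):
                self.findings.append({"href": attrs["href"],
                                      "line": self.getpos()[0]})
        if tag not in VOID_TAGS:  # void tags never get a closing tag
            self.stack.append(style)

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()

def scan_profile(html, trusted_hosts=TRUSTED_HOSTS):
    """Return the suspicious links found in one profile page's HTML."""
    scanner = OverlayScanner(trusted_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

if __name__ == "__main__":
    for f in scan_profile(SAMPLE_PROFILE_HTML):
        print("overlay link to %s at line %d" % (f["href"], f["line"]))
```

Run against a saved copy of a profile page; the hover behaviour the report mentions (a Chinese server's IP showing in the status bar) is exactly the `is_offsite` condition, and the transparent full-page `div` is the `covers_page` plus `is_invisible` pair. It is a heuristic: an overlay built from several smaller positioned blocks, or one styled from an external stylesheet, would need the computed style from a real browser rather than this inline-style parse.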

Then, if you woke up this morning and checked out the same site, you’d have seen this:

The text reads:

“The MySpace pages for singer Alicia Keys and other musicians were hacked with a seemingly new type of hack, a security expert said Thursday.

Keys’ MySpace page and that of others, including a Scottish band and a French band, were flagged by users of Exploit Prevention Labs’ LinkScanner software, which blocks pages containing malicious code. The discovery came after users began reporting that Keys’ page was blocked, according to Roger Thompson, chief technology officer of LinkScanner.com.

“When we saw it was MySpace and Alicia Keys, we took a good look at it,” he said in an interview.”

A pity, perhaps, that they didn’t also bother to check any of the mainstream tech websites that already covered this story last week.

Seriously, I find it puzzling that, while researching this, nobody there thought to stop and check Google, the news pages, blogs (or anything else, for that matter) to see whether someone had already written this up. I mean, that’s what you do when you find something you think is new, right? To prevent everything going tits up further down the line when you jump up and down and say look what we have here.

Especially when (in a further blog entry on this), Roger Thompson writes:

(which had been hacked for at least three or four days earlier, because that’s when we first noticed it… and someone just reminded me that PaperGhost over at http://www.vitalsecurity.org/2007/11/myspace-band-hacks-continue_05.html had noticed it for some other bands separately at a similar time or even earlier time)

Or, as someone in my (increasingly angry) comments section noted:

“…wait, someone had to remind him that he forgot that you’d already written about it previously?”

So wait….someone over there knew (or knows) we already covered this after I found it - but the main blog entry (which from experience is the only thing anybody visiting for the hot new thing you found will read) doesn’t carry any sort of update / notice crediting FaceTime for the initial find?

Man, that sucks. Especially when Spywareguide, Vitalsecurity.org and all those news sites above have feeds and syndication galore, so it’s not like I’m just making this up or that information was hard to come by.

What’s particularly galling here is that once I made the initial find (and joined the dots that someone was specifically targeting Myspace band pages) I have spent hours….and hours….of spare time tracking down as many hacked bands as I could, have engaged in lengthy email dialogue with them, helped them to fix up their pages, given advice on what to do next, warned other bands about the problem, assisted them in getting somewhere (hah!) with Myspace.

In addition to that, a handful of FaceTime researchers worked more than they should have on this while I tried to clean up as many hacked profiles as possible - and now, basically, all their hard work - and the work of anyone else involved - is erased, and cancelled out, and replaced by someone making the amazing discovery that Alicia Keys’ page was hacked.

For what it’s worth, finding her profile was hacked would likely have been a case of clicking into each of the top rated artists on the “top rated artists page” and then saying BINGO.

I mean, let’s stop for a second and run that back.

This is now super mainstream news, purely because Alicia Keys had her Myspace page hacked.

Question. How many people out there think Alicia Keys herself has ever logged into her Myspace profile?

Or, do you think it more likely that PR flaks and street team flunkies do that for her? I’m seeing headlines popping up with “Alicia Keys, victim!” all over the place.

Is that supposed to be a joke?

HERE are your victims, for God’s sake. You know, the bands who ACTUALLY USE MYSPACE and have lost all their contacts, music plays, pagecount and all the other random crap that proves they have worth in that social community - because apparently, Myspace will only undelete your page if you happen to be an extremely rich musician who has likely never used Myspace A DAY IN HER LIFE.

So yeah, I’m pretty annoyed. Annoyed at the lack….no, that’s not right….the removal of credit, annoyed because the real victims are now going to be forgotten about in a pile of SAVE ALICIA KEYS, OH GOD NO, and - more importantly - I’m extremely annoyed because Myspace have uttered their (completely useless) declaration that “the problem is now fixed”, when we can clearly see this is total and utter nonsense.

Meanwhile, a whole bunch of people are posting to my site and emailing me to say they’ve left comments on the Exploit Prevention Labs Blog to say “Chris Boyd found this”, or “FaceTime discovered this a week ago” or whatever.

As of yet, I don’t see any of those posts appearing on the site, nor do I see any acknowledgement of where this was first discovered. Why am I so concerned here?

Well, look at it this way.

Sometimes, security companies - or researchers - or random individuals, or whoever - all find something interesting at the same time. Then it turns into a mad dash - who can blog it the quickest, who can put in their database the fastest, who can notify who the speediest. And if you get pipped at the post, then fine. That’s the way it goes, better luck next time.

It’s part of the excitement. That’s cool.

But here we have something that we discovered…..then blogged…..then put in a database…..then watched as it jumped all over mainstream tech websites while I continued to blog about it here, here, here, here, here and here.

And then, NINE DAYS LATER than the original outing of this scam, someone comes along with the exact same information as you, and the only thing that has changed is that a placeholder/substitute page for a real human being has been hacked, and now they’re happily claiming credit for finding this exploit?

No way, man. That’s some sort of revisionism stretched to the point of insanity. Are we to take it that someone can now write about something and then weeks later, someone else can turn up and say everything you said and wipe your part in the proceedings from the tale?

That can’t be right.

/ Addendum - Thanks.


Myspace Band hacks - STILL active!
Spywareguide Roundup…..of doom
My Bloody Valentine to Myspace
TIME to face facts, Myspace
More hacked band / music profiles. Why aren’t Myspace fixing this?
