Learning From Gawker's Failure - Slashdot

Slashdot

Learning From Gawker's Failure 236

Posted by CmdrTaco on Wednesday December 15, 2010 @01:24PM
from the i-see-what-you-did-there dept.

Gunkerty Jeb writes "The Gawker hack has completely disenfranchised their users, not to mention the breach in trust that may well be impossible to regain. Users are demanding that they be allowed to delete their accounts immediately, and beyond implementing such a mechanism, it is likely that Gawker systems will have to be rebuilt from the ground up to avoid future hacks. So, what is to be learned from this perfect storm of bluster and bravado?"

This discussion has been archived. No new comments can be posted.

Learning From Gawker's Failure

Search 236 Comments Log In/Create an Account

Comments Filter:

Re:These lessons have been applied (Score:4, Informative)

by XorNand (517466) writes: on Wednesday December 15, 2010 @01:36PM (#34562990)

Slashdot is open source [slashcode.org]. Gawker's code is not.

Parent Share
twitter facebook linkedin
Salt your hashes (Score:4, Informative)

by iammani (1392285) writes: on Wednesday December 15, 2010 @01:39PM (#34563028)

See title

Share
twitter facebook linkedin
Gawker? Scadenfreude Central Hoist on own Petard! (Score:4, Informative)

by Jeremiah Cornelius (137) writes: on Wednesday December 15, 2010 @01:44PM (#34563108) Homepage Journal

Their MO is "Kick 'em when they're up, kick 'em when they're down". [lyricsfreak.com]
This hack couldn't have happened to a bigger bunch of self-involved, arrogant jerks. If there is a balance of justice in the universe, then it just inched another tiny notch towards equilibrium.
Really, the imperious attitude that is exhibited by the Gawker "editorial" stance is a smug and sarcastic condescension towards the foibles of others.

Parent Share
twitter facebook linkedin
Re:Salt your hashes (Score:4, Informative)

by darkmeridian (119044) writes: <william.chuang@[ ]il.com ['gma' in gap]> on Wednesday December 15, 2010 @01:58PM (#34563278) Homepage

From what I have read, the passwords were hashed but only with DES. Furthermore, there was salting and no password complexity requirement because rainbow tables were able to reveal a medley of Gawker passwords. Gawker's reaction to the first signs of a break in a month ago (complete indifference) was pretty nuts. It's user base is its biggest asset; the disrespect they show their users was ridiculous.

Parent Share
twitter facebook linkedin
Salting is merely a good start (Score:5, Informative)

by QuoteMstr (55051) writes: <dan.colascione@gmail.com> on Wednesday December 15, 2010 @01:58PM (#34563292)

Salting addresses some attacks, but as CPU time becomes cheaper [amazon.com], it becomes increasingly feasible to brute-force even salted hashes. To address this issue, you need key strengthening [wikimedia.org] as well.
Or, better yet, just use the system designed to store passwords: bcrypt [codahale.com].
*sigh* Then again, I'm confident that we'll see incompetent web application developers using unsalted MD5 for decades to come. People don't learn from others' mistakes it seems.

Parent Share
twitter facebook linkedin
Re:Why did they even need passwords? (Score:1, Informative)

by DCFusor (1763438) writes: on Wednesday December 15, 2010 @02:13PM (#34563518) Homepage

I run a small board, using PHPBB. I require real signons, and yes, it helps prevent spam. The user's email is collected, but I can't see it at all unless they also put it in their profile on purpose. It's actually a pain not to have my user's emails, not because I'd ever sell them (most are both cheapskates and too smart to fall for spam anyway) -- but because sometimes you want to ping on someone who hasn't signed on for a long time (also, to make sure they are real), and the private messaging obviously doesn't work if they don't log on. I can't see their passwords either, they are hashed before going into the database I believe. I don't allow anonymous cowards on my board. Anything someone has to say they can either say with their real name, or somewhere else. This also keeps the post quality higher. No astroturfing. I'm not saying it's hack proof, I really doubt it is. But in my case it seems good enough, and I do keep backups. Since it's a science discussion, there's not much to encourage hacking anyway.

Parent Share
twitter facebook linkedin
Re:Description of hack? (Score:4, Informative)

by oracleguy01 (1381327) writes: on Wednesday December 15, 2010 @02:56PM (#34564126)

That is a really good article. If they are using very out of date Linux kernels there are probably a lot of other out of date software on their systems. That combined with the fact that they don't have any internal password strength policy and are using cryptographically broken encryption shows they don't seem to have any competent server admins and web developers.
There is a lesson to learn here and it is a simple one: Don't be stupid.
Given their demonstrated lack of competence in handling this whole situation I don't have a ton of faith that they can competently check their systems for other damage and any modifications made by Gnosis.

Parent Share
twitter facebook linkedin

There may be more comments in this discussion. Without JavaScript enabled, you might want to turn on Classic Discussion System in your preferences instead.

Related Links Top of the: day, week, month.

546 commentsChanging the Ratio of Women In Tech: How Etsy Did It
334 commentsLast Forking Warning For Bitcoin
274 commentsBotched Security Update Cripples Thousands of Computers
234 commentsFedora 19 To Stop Masking Passwords
211 commentsMitigating Password Re-Use From the Other End

QOTD: "When she hauled ass, it took three trips."