
Learning From Gawker's Failure 236

Gunkerty Jeb writes "The Gawker hack has completely disenfranchised their users, not to mention the breach in trust that may well be impossible to regain. Users are demanding that they be allowed to delete their accounts immediately, and beyond implementing such a mechanism, it is likely that Gawker systems will have to be rebuilt from the ground up to avoid future hacks. So, what is to be learned from this perfect storm of bluster and bravado?"
This discussion has been archived. No new comments can be posted.

  • by XorNand ( 517466 ) on Wednesday December 15, 2010 @01:36PM (#34562990)
    Slashdot is open source [slashcode.org]. Gawker's code is not.
  • Salt your hashes (Score:4, Informative)

    by iammani ( 1392285 ) on Wednesday December 15, 2010 @01:39PM (#34563028)

    See title

  • by Jeremiah Cornelius ( 137 ) on Wednesday December 15, 2010 @01:44PM (#34563108) Homepage Journal

    Their MO is "Kick 'em when they're up, kick 'em when they're down". [lyricsfreak.com]

    This hack couldn't have happened to a bigger bunch of self-involved, arrogant jerks. If there is a balance of justice in the universe, then it just inched another tiny notch towards equilibrium.

    Really, the imperious attitude that is exhibited by the Gawker "editorial" stance is a smug and sarcastic condescension towards the foibles of others.

  • Re:Salt your hashes (Score:4, Informative)

    by darkmeridian ( 119044 ) <william.chuangNO@SPAMgmail.com> on Wednesday December 15, 2010 @01:58PM (#34563278) Homepage

    From what I have read, the passwords were hashed but only with DES. Furthermore, there was salting and no password complexity requirement because rainbow tables were able to reveal a medley of Gawker passwords. Gawker's reaction to the first signs of a break-in a month ago (complete indifference) was pretty nuts. Its user base is its biggest asset; the disrespect they show their users was ridiculous.

  • by QuoteMstr ( 55051 ) <dan.colascione@gmail.com> on Wednesday December 15, 2010 @01:58PM (#34563292)

    Salting addresses some attacks, but as CPU time becomes cheaper [amazon.com], it becomes increasingly feasible to brute-force even salted hashes. To address this issue, you need key strengthening [wikimedia.org] as well.

    Or, better yet, just use the system designed to store passwords: bcrypt [codahale.com].

    *sigh* Then again, I'm confident that we'll see incompetent web application developers using unsalted MD5 for decades to come. People don't learn from others' mistakes it seems.
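    The two comments above (darkmeridian on DES-hashed passwords falling to rainbow tables, QuoteMstr on salting plus key strengthening) can be shown side by side in a few lines. The block below is an added example and not code from Slashdot, Gawker or any commenter; it uses PBKDF2-HMAC-SHA256 from Python's standard `hashlib` as a stand-in for bcrypt (same idea: a per-user random salt plus a tunable work factor), and the "precomputed table" is a constructed four-entry dictionary that plays the role of a rainbow table. Names such as `COMMON_PASSWORDS`, `hash_password` and `verify_password` are the example's own.

```python
import hashlib
import hmac
import os

# Constructed sample: a tiny precomputed table standing in for a rainbow table.
# Any fast, unsalted hash (MD5 here; DES crypt or SHA-1 would behave the same)
# maps each password to one fixed digest, so the table can be built once and
# reused against every user in a leaked database.
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty"]


def unsalted_md5(password: str) -> str:
    """The weak scheme: one deterministic digest per password, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


PRECOMPUTED = {unsalted_md5(p): p for p in COMMON_PASSWORDS}


def lookup_in_table(stored_hash: str):
    """Return the password if the stored hash appears in the precomputed table."""
    return PRECOMPUTED.get(stored_hash)


# Work factor for the strengthened scheme; raise it as CPUs get cheaper.
ITERATIONS = 100_000


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """The strengthened scheme: random 16-byte salt + PBKDF2 key stretching.

    The salt is stored alongside the digest in a self-describing string, so
    the verifier never needs a secret to check a password and the iteration
    count can be raised later without breaking old records.
    """
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def needs_rehash(stored: str, minimum: int = ITERATIONS) -> bool:
    """True when a record was made with a lower work factor than current policy."""
    _, iters, _, _ = stored.split("$")
    return int(iters) < minimum


if __name__ == "__main__":
    # Unsalted fast hash: a leaked digest is a direct table lookup.
    print("unsalted md5 lookup:", lookup_in_table(unsalted_md5("password")))
    # Salted + stretched: two users with the same password get different
    # records, neither appears in any precomputed table, and each guess costs
    # ITERATIONS hash computations instead of one.
    a, b = hash_password("password"), hash_password("password")
    print("same password, distinct records:", a != b)
    print("table lookup on stretched hash:", lookup_in_table(a))
    print("verify correct:", verify_password("password", a))
    print("verify wrong:", verify_password("Password", a))
```

The storage format carries the algorithm name and iteration count, so when the work factor is later raised, `needs_rehash` flags old records for re-hashing at the user's next successful login; that is the same migration path bcrypt's cost parameter gives you.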

  • by DCFusor ( 1763438 ) on Wednesday December 15, 2010 @02:13PM (#34563518) Homepage
    I run a small board, using PHPBB. I require real signons, and yes, it helps prevent spam. The user's email is collected, but I can't see it at all unless they also put it in their profile on purpose. It's actually a pain not to have my users' emails, not because I'd ever sell them (most are both cheapskates and too smart to fall for spam anyway) -- but because sometimes you want to ping someone who hasn't signed on for a long time (also, to make sure they are real), and the private messaging obviously doesn't work if they don't log on. I can't see their passwords either; they are hashed before going into the database, I believe. I don't allow anonymous cowards on my board. Anything someone has to say they can either say with their real name, or somewhere else. This also keeps the post quality higher. No astroturfing. I'm not saying it's hack proof, I really doubt it is. But in my case it seems good enough, and I do keep backups. Since it's a science discussion, there's not much to encourage hacking anyway.
  • by oracleguy01 ( 1381327 ) on Wednesday December 15, 2010 @02:56PM (#34564126)

    That is a really good article. If they are using very out-of-date Linux kernels, there is probably a lot of other out-of-date software on their systems. That, combined with the fact that they don't have any internal password strength policy and are using cryptographically broken encryption, shows they don't seem to have any competent server admins and web developers.

    There is a lesson to learn here and it is a simple one: Don't be stupid.

    Given their demonstrated lack of competence in handling this whole situation I don't have a ton of faith that they can competently check their systems for other damage and any modifications made by Gnosis.
