Learning From Gawker's Failure
Gunkerty Jeb writes "The Gawker hack has completely disenfranchised their users, not to mention the breach in trust that may well be impossible to regain. Users are demanding that they be allowed to delete their accounts immediately, and beyond implementing such a mechanism, it is likely that Gawker systems will have to be rebuilt from the ground up to avoid future hacks. So, what is to be learned from this perfect storm of bluster and bravado?"
Salt your hashes (Score:4, Informative)
See title
Gawker? Schadenfreude Central Hoist on own Petard! (Score:4, Informative)
Their MO is "Kick 'em when they're up, kick 'em when they're down". [lyricsfreak.com]
This hack couldn't have happened to a bigger bunch of self-involved, arrogant jerks. If there is a balance of justice in the universe, then it just inched another tiny notch towards equilibrium.
Really, the imperious attitude that is exhibited by the Gawker "editorial" stance is a smug and sarcastic condescension towards the foibles of others.
Re:Salt your hashes (Score:4, Informative)
From what I have read, the passwords were hashed but only with DES. Furthermore, there was salting and no password complexity requirement because rainbow tables were able to reveal a medley of Gawker passwords. Gawker's reaction to the first signs of a break-in a month ago (complete indifference) was pretty nuts. Its user base is its biggest asset; the disrespect they show their users was ridiculous.
Salting is merely a good start (Score:5, Informative)
Salting addresses some attacks, but as CPU time becomes cheaper [amazon.com], it becomes increasingly feasible to brute-force even salted hashes. To address this issue, you need key strengthening [wikimedia.org] as well.
Or, better yet, just use the system designed to store passwords: bcrypt [codahale.com].
*sigh* Then again, I'm confident that we'll see incompetent web application developers using unsalted MD5 for decades to come. People don't learn from others' mistakes it seems.
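The contrast drawn in the comment above (salting alone versus salting plus key stretching, and the unsalted-MD5 failure mode), as an added example that is not part of the original thread or of any Gawker code. It uses PBKDF2-HMAC-SHA256 from the Python standard library rather than the bcrypt library named in the comment so that it runs with no dependencies; the iteration count, storage format, user list and wordlist are all constructed assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Constructed sample accounts: two users who picked the same weak password.
USERS = {"alice": "password1", "bob": "password1"}

# Work factor for PBKDF2-HMAC-SHA256 (assumption; tune so one hash costs
# tens of milliseconds on the server you actually deploy on).
ITERATIONS = 600_000


def md5_unsalted(password: str) -> str:
    """The weak scheme: no salt, no stretching.

    Identical passwords yield identical digests, so a single precomputed
    table (a rainbow table, or here a plain dictionary) cracks every
    account at once.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def crack_unsalted(wordlist: Iterable[str], digests: Dict[str, str]) -> Dict[str, str]:
    """Recover passwords from unsalted digests with one table lookup per user.

    The attacker hashes the wordlist ONCE and reuses the table against
    every stolen digest; cost does not grow with the number of accounts.
    """
    table = {md5_unsalted(word): word for word in wordlist}
    return {user: table[d] for user, d in digests.items() if d in table}


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salted, stretched password hash in a self-describing string.

    Format (assumption): pbkdf2_sha256$<iterations>$<salt hex>$<dk hex>
    A fresh 16-byte random salt defeats precomputed tables; the iteration
    count makes each guess cost the attacker as much as it costs us.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count.

    hmac.compare_digest is used so the comparison does not leak, via
    timing, how many leading bytes of the digest matched.
    """
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters), dklen=32)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    weak = {u: md5_unsalted(p) for u, p in USERS.items()}
    print("unsalted MD5 digests:", weak)
    print("cracked with one table:", crack_unsalted(["letmein", "password1"], weak))

    strong = {u: hash_password(p) for u, p in USERS.items()}
    for u, h in strong.items():
        print(u, h)  # same password, different salt -> different hash
    print("alice login ok:", verify_password("password1", strong["alice"]))
    print("alice wrong pw:", verify_password("password2", strong["alice"]))
```

Two caveats worth keeping in mind: stretching raises the attacker's cost per guess, but a password that is in the first few thousand lines of a wordlist still falls quickly, so a complexity or deny-list policy is still needed; and PBKDF2 is CPU-bound only, so a memory-hard scheme (scrypt, Argon2) or bcrypt is the better choice when a library for it is available.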
Re:Description of hack? (Score:4, Informative)
That is a really good article. If they are using very out-of-date Linux kernels, there is probably a lot of other out-of-date software on their systems. That, combined with the fact that they don't have any internal password strength policy and are using cryptographically broken encryption, shows they don't seem to have any competent server admins or web developers.
There is a lesson to learn here and it is a simple one: Don't be stupid.
Given their demonstrated lack of competence in handling this whole situation I don't have a ton of faith that they can competently check their systems for other damage and any modifications made by Gnosis.