Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Privacy Security The Media IT

Learning From Gawker's Failure 236

Gunkerty Jeb writes "The Gawker hack has completely disenfranchised their users, not to mention the breach in trust that may well be impossible to regain. Users are demanding that they be allowed to delete their accounts immediately, and beyond implementing such a mechanism, it is likely that Gawker systems will have to be rebuilt from the ground up to avoid future hacks. So, what is to be learned from this perfect storm of bluster and bravado?"
This discussion has been archived. No new comments can be posted.

Learning From Gawker's Failure

Comments Filter:
  • One lesson that comes to mind is that you shouldn't refer to your website's participants as "peasants".
  • And from what I hear, there is no way these clueless, juvenile script kiddies could EVER hack Slashdot.

  • by DJ Jones ( 997846 ) on Wednesday December 15, 2010 @12:33PM (#34562950) Homepage
    How about a detailed description of how the hack was performed? What hole was breached? That would be the first place to begin "learning".

    Until that's published there's really nothing to study.
    • by gklinger ( 571901 ) on Wednesday December 15, 2010 @12:39PM (#34563044)
      While it leaves many (mostly technical) questions unanswered, I found the this article [forbes.com] to be an interesting and informative description of what happened.
      • by oracleguy01 ( 1381327 ) on Wednesday December 15, 2010 @01:56PM (#34564126)

        That is a really good article. If they are using very out of date Linux kernels there are probably a lot of other out of date software on their systems. That combined with the fact that they don't have any internal password strength policy and are using cryptographically broken encryption shows they don't seem to have any competent server admins and web developers.

        There is a lesson to learn here and it is a simple one: Don't be stupid.

        Given their demonstrated lack of competence in handling this whole situation I don't have a ton of faith that they can competently check their systems for other damage and any modifications made by Gnosis.

        • they don't seem to have any competent server admins and web developers.

          Always with the blaming the admins and web developers. It's only 95% of them that give the other 5% a bad name, you know.

        • Just because the kernel version is 2.6.18 (in particular, don't know about 2.6.21) doesn't mean its out of date. 2.6.18 is the kernel used by Red Hat Enterprise Linux 5 and its derivatives, and Red Hat's version gets regular patches.

    • coding horror has a good writeup [codinghorror.com]
    • The attacker's release notes, hosted by Jeff Atwood : http://www.codinghorror.com/blog/gawker-hack-release-notes.html [codinghorror.com]

  • by GPLDAN ( 732269 ) on Wednesday December 15, 2010 @12:38PM (#34563006)
    I left Jalopnik over two years ago. It had very poor editorial control, and displayed the vast chasm between reputable automotive journalism in mags like Car & Driver and Road & Track and the interwebz. It had become Ray Wert's bully pulpit, and the commentariat IQ over there dropped down to double digits pretty quickly.


    IO9 and others really were not much better. And the problem really came down to not being able to drown out the idiots. I attribute Slashdot's long term success to the mod system and the whole way it handles contributions. It works. And the Gawker crap blog engine was badly coded, anybody who used it could see that. So it isn't a shock that it got 0wn3d. Amateur blog engine should be a sign of overall poor design and security.
    • by rwa2 ( 4391 ) *

      http://www.thetruthaboutcars.com/ [thetruthaboutcars.com] (AKA TTAC) is my current favourite auto rag, filled with TheRegister-esque satire dripping with sarcasm and some descriptive analogies worthy of PA's Jerry Holkins.

      Here's a decent writing sample that sticks in my memory: http://www.thetruthaboutcars.com/2009/01/comparison-2008-dodge-charger-v6-vs-1993-toyota-camry/ [thetruthaboutcars.com]

      Maybe I didn't notice it as a kid since I had the propensity to simply ignore all things politick, but C&D and some of the other auto mags seem to have very

    • It's nice to know I wasn't alone. Wert canned the real writers and brought in a bunch of talentless interns. From a business standpoint that's AOK, but they tried to use established Jalopnik references that they didn't fully understand and came off looking like clowns. "Look at me, I'm driving a Volvamino and doing double nickels on the dime!"

      And you are dead-on - the decline in the quality of commentariat was directly proportional to the quality of the writing. In this case, the shift in both was nea

  • I learned to always use the password "123456". Herd immunity.

    • by Archangel Michael ( 180766 ) on Wednesday December 15, 2010 @01:02PM (#34563360) Journal

      I have several passwords I use. Sites that require accounts for participation get one that I don't care if it gets out in the wild. No big loss. People posting as me is mildly amusing.

      I have another password for systems I'm in charge of, that function like those I participate in in the first example. It would suck if that got out. Those systems are few, and you'd have to personally know me to know what they were.

      I have secure passwords for each of the highly sensitive accounts (banks and such) that are not shared between accounts. IF one of those gets out, I'm screwed for that one institution, but nowhere else.

    • That's what I'm talking about, I think the fact that a large portion of gawker's users used common passwords that are part of every cracker's dictionary says more about the users than the platform.
  • Salt your hashes (Score:4, Informative)

    by iammani ( 1392285 ) on Wednesday December 15, 2010 @12:39PM (#34563028)

    See title

    • by Qzukk ( 229616 )

      Salting your hashes only protects you from rainbow tables (and then only if your hash isn't already in a rainbow table). The salt is included in the hash, so I can see if your password is a weak password like "password" or "PASSWORD" or... exactly what Gawker warned against.

      • by mlts ( 1038732 ) *

        Salting provides effective protection when combined with a number of rounds. Ideally, the client should do a number of rounds, then hand the 256 bit hash over to the server which will toss in the salt and do a few rounds. The reason for this is that trying to brute force guess a typeable password will become difficult. An additional bonus is that a client trying to guess a user's password is slowed down by an authentication mechanism before the guess goes to the machine.

        What would be ideal is a standard

    • by QuoteMstr ( 55051 ) <dan.colascione@gmail.com> on Wednesday December 15, 2010 @12:58PM (#34563292)

      Salting addresses some attacks, but as CPU time becomes cheaper [amazon.com], it becomes increasingly feasible to brute-force even salted hashes. To address this issue, you need key strengthening [wikimedia.org] as well.

      Or, better yet, just use the system designed to store passwords: bcrypt [codahale.com].

      *sigh* Then again, I'm confident that we'll see incompetent web application developers using unsalted MD5 for decades to come. People don't learn from others' mistakes it seems.

      • Then again, I'm confident that we'll see incompetent web application developers using unsalted MD5 for decades to come. People don't learn from others' mistakes it seems.

        Or even cleartext; yes, I have seen this on production websites, and it is unbelievable.

        • Or even cleartext; yes, I have seen this on production websites, and it is unbelievable.

          As have I, a good way to test this is to try and reset your password on said site. If they show you or email you your existing password and not a random new one, you know their security is crap and shouldn't be trusted.

          • by Chirs ( 87576 )

            Not necessarily. I've been on sites that will show you your existing password, but only after jumping through many hoops to prove your identity. The fact that they have access to your unencrypted password doesn't necessarily mean that they're using it for identification--it could easily be stored in a back-end database somewhere and used only to show to people that forget it.

  • The Gawker hack has completely disenfranchised [reference.com] their users

    That's quite a hack, depriving users of their right to vote...

    • Indeed, I think they were looking for "disenchanted".

  • by RzUpAnmsCwrds ( 262647 ) on Wednesday December 15, 2010 @12:39PM (#34563042)

    The big lesson here is not that you should never get breached, or that you should use some super-secure password, or that you should use a different password on every site (you should).

    No, the real lesson is that passwords themselves are faulty. No one is going to select and memorize a strong password for every website they use. They're going to either re-use passwords, or choose weak passwords, or write their passwords down (or use a password manager).

    None of these are good answers. The expectation is that users are going to choose strong passwords, that they will never re-use passwords, that hashes (even with salt) are an effective way to protect passwords, and that users will never be tricked into revealing their password.

    It's bullshit. It's always been bullshit. Users aren't careful with passwords, and why would we expect them to be - 99.9% of the time they get away with it. Humans are bad at evaluating the risk of things that are low frequency but high impact.

    The other thing that's bullshit is password reset. It doesn't make any sense: how can someone who forgot their password remember "security questions" that are actually secure. No, 99 times out of 100 these systems use some crap like "Where were you born", which is pretty damn trivial to find out for any attacker. My brokerage account has a secure password that I only use there, but resetting the password requires only my username, SSN, ZIP code, and last name. And there are far, far more people who know that stuff than people who know my password.

    It's time to get serious about replacing passwords. That's the lesson here.

    • by bl4nk ( 607569 ) on Wednesday December 15, 2010 @12:54PM (#34563224)
      The "security questions" weakness is exactly how Sarah Palin's email account was broken into.

      If they're not required for logging in I always fill the security question answers with a long string of random characters, effectively making them unusable for password recovery.
      • by ukyoCE ( 106879 )

        Careful - they don't always tell you they're required to login until afterwards.

        Best to keep a copy of the string of gibberish encrypted on a private machine in case you need it. That's the best solution for all passwords anyway, despite OP's claim that using password managers to save strong passwords is a bad idea.

    • by Moraelin ( 679338 ) on Wednesday December 15, 2010 @12:56PM (#34563242) Journal

      Well, some of us were more fortunate there.

      I was born in the quaint town of P5$+19"797q4. It's lovely in the spring. You should visit. My mother's maidens name was B192zve8p6; an ancient and distinguished family, if you must ask. My first pet was a cat named Ö8z~30+r.vd. We all loved her. And I went to ß8s8h,u:82 memorial school.

      Strangely enough, nobody ever guesses those ;)

    • As I see it, the best thing you can get is some fortified password manager. I'm not sure how secure the manager of Firefox is. After all, JS in Firefox can do pretty powerful things, you can do a plugins and whatnot, so I can imagine some JS exploit, either through JS engine failure, or making a plugin that claims to be something else than it actually is (e.g. Flash video downloader, or whatnot; just wait for the password manager to fill in the field and your evil script does an Ajax push in the background)

    • by horza ( 87255 )

      Why is a password manager not a good answer? I use KeePassX and generate a random string for each and every login. It's even easier than trying to remember more than one password. Simply copy and paste the password each time (also defeating any keylogger you may have installed).

      Phillip.

      • by Sigma 7 ( 266129 )

        Why is a password manager not a good answer?

        Allegedly, it's the same reason why you don't put stickys on the monitor. However, by the time someone has enough resources to crack into your encrypted password store, your other passwords would probably be compromised by now.

        A slightly better option is generating a password constructed from a hash, which basically means you need to carry around a mobile device at all times if you use computers at different places.

      • by zn0k ( 1082797 )

        Any application that could log your keystrokes can also monitor your clipboard. And - while we're at it - take screenshots periodically and record the coordinates of mouse clicks, potentially defeating on screen keyboards.

      • by Korin43 ( 881732 )

        The reason I don't use one is that you could lose your password database. I'd rather remember a bunch of passwords than rely on always having that file. Even backing it up I don't feel safe.

        • by Sancho ( 17056 ) *

          I back it up to a printout that I store in a safety deposit box. That way even if my data and all backups fail, I still have a human readable copy somewhere.

      • The issue with password managers are that you then run into the issue of accessing your accounts from different computers which aren't your own.
    • Nothing wrong with that. A piece of paper in my wallet is reasonably secure, and I'll notice fairly quickly if it's missing. Especially if I use an algorithmic password.

    • No, 99 times out of 100 these systems use some crap like "Where were you born", which is pretty damn trivial to find out for any attacker.

      Only if you're stupid enough to use the most obvious answer. In my case I could use the name of the city like pretty much everyone else - but I use something else that is technically correct, easily remembered by me, and non-obvious to the random hacker. (I.E. something that can't be found by searching public records and isn't something like 'a hospital'.)

    • ...resetting the password requires only my username, SSN, ZIP code, and last name. And there are far, far more people who know that stuff than people who know my password.

      Use a unique random string as a username.

    • This is why I like the "make your own security question" option some sites have. Things like, "who was your favorite teacher in High School", "What was the model of the first car you drove?", etc. are a lot harder for the average person to find out and tend to be easy to remember. I never liked the "what is your favorite book?" type question since that answer is mutable over time.
    • by geekoid ( 135745 )

      You can ahve strong passwords, and not nede to memorize one.

      Not what I use, but here is an example:

      Last three intiais of a middle name, the age you lost your virginity and the day of the week you where born and then add the sitenane backords with numbers:

      So John Doe on Slashdot could have a password:
      Doe16Wedt0dh5415

      Obviously, pick you own decision points.

      The site should hash them as an added layer.
      Also alerting a user when unusually activity happens is useful as well. Like when google alerted me someone fro

    • by ukemike ( 956477 )
      There have been more than a few cases where I wanted to participate in some online discussion. (for instance I need to know how to replace a part on a Tamiya RC car for my son) When I signed up for an "account" on that forum I got an email with my username and password in plaintext!

      The lesson I took away from those experiences and the gawker story is this: The negative consequences of someone stealing my ID on some forum about RC cars are basically nil, especially if my profile on that forum doesn't
    • My brokerage account requires me to enter that information and select a image from a list of about a hundred or so that I selected upon creating the account. I also must select this image every time I log in. You can't replace a password today completely, but if you're creative you can find ways to enhance security regardless.
  • by scrotch ( 605605 ) on Wednesday December 15, 2010 @12:49PM (#34563162)
    What I'm left wondering is why someone should need a username and password to comment on a blog post on their sites. Do they have a reputation system? Does it really prevent spam? Or is it just to gather a list of email addresses that they might sell later? There must be a better way to accomplish the little functionality that their login requirement provides. Especially now that they have to deal with the fact that their login system was not secure.
    • What I'm left wondering is why someone should need a username and password to comment on a blog post on their sites. Do they have a reputation system? Does it really prevent spam? Or is it just to gather a list of email addresses that they might sell later? There must be a better way to accomplish the little functionality that their login requirement provides. Especially now that they have to deal with the fact that their login system was not secure.

      There are two primary reasons to require logins:
      1) A registration system with a captcha is highly-effective at preventing spam on your blog comments or forum posts.
      2) To a greater or lesser degree, it prevents people from impersonating you. Sure there are ways to trick this (create a username that's one lookalike character off, etc.) but on the whole it makes it easier to recognize who you're talking to.

    • by mlts ( 1038732 ) *

      The more info they collect, the more they can sell to advertisers. This is why so many blog places demand so much info.

  • Meh, I'd always used Facebook Connect to post comments to their sites. Probably the first mildly useful thing Facebook has done for me.

    So at worst, I probably have my spam email address out there in that torrent. Big deal. It's posted all over the web already (including my personal contact page).

    But really, if anyone was adversely impacted by this, was it Gawker's failure, or their own for trusting some random website with a sensitive password? I don't use my good passwords for any of these "social netw

  • Why, why, WHY would a site think its ok to store users' passwords in the first place?
    • by geekoid ( 135745 )

      how else do you compare the password with what the user types to see if it's legit? or did you mean in cleartext?

    • by 1729 ( 581437 )

      Why, why, WHY would a site think its ok to store users' passwords in the first place?

      From what I've read, they didn't store the passwords, only hashes. The passwords that have been released were weak passwords that were easily brute-forced from the hashes.

      • Why, why, WHY would a site think its ok to store users' passwords in the first place?

        From what I've read, they didn't store the passwords, only hashes. The passwords that have been released were weak passwords that were easily brute-forced from the hashes.

        I should be more specific. They should have stored salted hashes. Regular hashes are susceptible to rainbow table attacks. Especially since they used an obselete DES encryption.

  • by Animats ( 122034 ) on Wednesday December 15, 2010 @01:33PM (#34563768) Homepage

    This is the trouble with "single login" systems. Now there's a single point of failure.

    Single login requires a trusted organization with a good reputation willing to contractually commit to paying for the damages if they screw up. But look who's in the business: Gawker. Facebook. Microsoft. Google. That's no good.

    If anyone were to do this well, it might be Amazon. Amazon is not an advertising-supported business. They take orders, accept payments, and ship real products. As a major credit card merchant selling physical objects for which they pay real money, they constantly have people trying to steal merchandise from them. So their management has to understand the risks of authentication failures. Amazon has a powerful and well-respected distributed computer infrastructure, which tends to stay up despite problems. So they could probably implement a single login system that could be trusted.

  • But they're "working on it." This from a company that has railed against Facebook and other sites for privacy violations. Here's an official Gawker response from a year and a half ago to give you an idea of their real attitude towards user privacy and account deletion:

    Requesting purge of accounts

    What a bunch of asshats.

"jackpot: you may have an unneccessary change record" -- message from "diff"

Working...