Gawker Source Code and Databases Compromised
An anonymous reader writes "Passwords and personal data for 1.3 million Gawker Media readers — this includes readers of sites like Gizmodo, Lifehacker, Kotaku, and io9 — have been released as a BitTorrent by a group of hackers called Gnosis, who also managed to gain access to both the Gawker CMS and Gizmodo's Twitter account. Gawker confirms and urges readers to change their passwords: 'Our user databases do indeed appear to have been compromised. The passwords were encrypted. But simple ones may be vulnerable to a brute-force attack. You should change the password on Gawker (GED/commenting system) and on any other sites on which you've used the same passwords. Out of an abundance of caution, you should also change your company email password and any passwords that may have appeared in your email messages. We're deeply embarrassed by this breach. We should not be in the position of relying on the goodwill of the hackers who identified the weakness in our systems.'"
Perhaps this should give them a lesson about going overkill on the whole "outsourcing" thing.
Pawned!
I appreciate taking this sort of thing with good nature, but that might be a bit generous. Goodwill stopped at the "released a torrent of all the users' passwords and personal data". Now my email address is going to get spammed . . . .
..the future is the "cloud"?
On what planet?
... on their iPhone 4, which for some reason they appear to have left at the bar...
Go Gnosis, Information should be free and open!
...and instead use Facebook to protect my privacy. Wait, why are you laughing?
Not sure why anyone would register with any of the Gawker sites, but why on earth you would ever give your actual email address to half of these websites is beyond me. If they require you to provide an email address to register, use a throwaway address from something like mailinator or the other sites like it. Yes, someone could take over the account if the email address is posted, but for almost all of those sites the account serves no purpose outside of being able to post.
I'm not even sure why they require email addresses. Reddit is one of the few sites I've seen get it right. They don't require an email address to register, but warn you that if you don't include one there is no way to recover the password for the account.
Run, information!!! Run!!
http://thepiratebay.org/torrent/6034669
Can someone please tell me why sites and services like this are saving the passwords of their users, instead of saving some hashed version of them? As far as real life goes, encrypted passwords can be decrypted. Hashed passwords cannot be unhashed.
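What the "hashed version" asked about above looks like in practice, written out as an added example (it is not code from this thread, from Gawker, or from any library): each password gets its own random salt, the salt and password are run through a one-way function, and only `salt$digest` is stored, so a copy of the table cannot be "decrypted" back to passwords and identical passwords on two accounts do not produce identical records. The function names (`StoreWithSalt`, `NewRecord`, `Verify`) and the record layout are my own; iterated SHA-256 stands in for a real password KDF such as bcrypt, scrypt or Argon2, which live outside the Go standard library.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

// iterations is a stand-in for a proper work factor; a real deployment would use
// a memory-hard KDF (bcrypt/scrypt/Argon2) rather than repeated SHA-256.
const iterations = 50000

// hashWithSalt is one-way: it digests salt||password and then re-digests the
// result many times, so the stored value cannot be reversed to the password.
func hashWithSalt(password string, salt []byte) []byte {
	input := append(append([]byte{}, salt...), []byte(password)...)
	h := sha256.Sum256(input)
	for i := 1; i < iterations; i++ {
		h = sha256.Sum256(h[:])
	}
	return h[:]
}

// StoreWithSalt builds the record "hex(salt)$hex(digest)" for a caller-supplied salt
// (used here so the example is deterministic; NewRecord picks a random salt).
func StoreWithSalt(password string, salt []byte) string {
	return hex.EncodeToString(salt) + "$" + hex.EncodeToString(hashWithSalt(password, salt))
}

// NewRecord is what a registration handler would call: fresh random 16-byte salt per user.
func NewRecord(password string) (string, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	return StoreWithSalt(password, salt), nil
}

// Verify recomputes the digest from the stored salt and compares in constant time,
// so a wrong guess does not leak how many leading bytes matched.
func Verify(record, password string) bool {
	parts := strings.SplitN(record, "$", 2)
	if len(parts) != 2 {
		return false // malformed record
	}
	salt, err := hex.DecodeString(parts[0])
	if err != nil {
		return false
	}
	want, err := hex.DecodeString(parts[1])
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare(hashWithSalt(password, salt), want) == 1
}

func main() {
	// Constructed demo: two users with the same password get different records.
	a := StoreWithSalt("hunter2", []byte("constructed-salt"))
	b := StoreWithSalt("hunter2", []byte("different-salt!!"))
	fmt.Println(a)
	fmt.Println(b)
	fmt.Println("correct password accepted:", Verify(a, "hunter2"))
	fmt.Println("wrong password rejected:  ", !Verify(a, "hunter3"))
}
```

The point the example makes against "encrypted" storage: there is no key anywhere on the server that turns the stored digest back into the password, so a stolen table only yields passwords by guessing, and the per-user salt forces that guessing to be repeated for every row instead of once for the whole dump.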
We considered what action we would take, and decided that the Gawkmedia “empire” needs to be brought down a peg or two.
This is the major problem with the internet - we let children on it.
Really kids? Go play somewhere else and let the adults have peace and quiet. You don't need to piss on everything just to prove you're alive. The smell of your unwashed armpits is already ample demonstration.
Leaks of information are good.
I tried to take part in the discussions on those sites, I really did.
The mods are fucking idiots, and I am in no way surprised that they were too stupid to keep people's personal data safe.
I used to have one password for all. Yeah, great idea huh. Then it became, 1 password for the important stuff, and 1 for the throwaways. Later on it was 1 for the really useless crap that I wouldn't care if they got hacked, 1 for the semi-important stuff, 1 for things I want to have secured, and 2 more levels, the last one being for "e-mails and personal profile use" (i.e. Facebook, oh nooo!).
So now I have 5 passwords (well, plus a few single-site ones for e.g. my bank), but I use them inconsistently. Slashdot, for example, is still on the 2nd weakest password. I read that morons were able to hack Twitter, so I used that 2nd weakest password too. And if I want to change them all, what sites am I registered in, and what level should they be in?
Hmm. I've done okay so far with tiered emails, because lots of sites are hooked on the whole "sign in" thing. As for "not sure why they require email addresses", if you put on your techie hat, content they show to a logged in user gets marked with a different profile than a Noel Coward. Hulu is a lead example of this, hiding some "mature" shows behind the login wall. They also tweak the ad spread with it.
I'm dreading having to use a password manager to manage my 3-off visits all over the web.
and by "encrypted" do they mean "we're idiots and stored something other than a salt + hash of the passwords"?
from the article:
4chan people are as much hackers as my pet goldfish. Ignorant script kiddies more like it.
Am I the only one curious about the code in their CMS?
I find that message from Gawker amusing because they don't even secure their login form with SSL. They're concerned about the database getting stolen with unreadable passwords that might be cracked with enough time, but they turn a blind eye to the fact that authentication information is sent in the clear from the form...
Doesn't really change the fact that you should never provide these people with your real email address. Hulu obtaining your email address in no way proves that you're over 18 and anyone under 18 is most likely sophisticated enough to lie about their age if they want to see a nipple or hear some foul language. So if one needs to sign in because there's some type of wall for unauthenticated users, I don't see how that precludes the use of throwaway email accounts.
I can't see a good reason to give out your email address unless you want to receive emails from the site. Otherwise you're just exposing yourself to needless grief. Honestly, I don't even know why you display your email address on Slashdot. Anyone who becomes sufficiently annoyed with you or merely bored could send massive amounts of spam towards it.
If you use throw-away email addresses that are derived from the site's address then you can use the same password at all sites and all you have to remember is the algorithm that converts the site's address into the throw-away email address.
They should provide a fast one-stop CGI that their users can go to that will perform these steps, not 'visit our sites and figure shit out'.
Annoying.
Members are seeing something; you're seeing an ad.
You don't even need to register a throwaway address for Hulu or sites like it. Enter bugmenot, savior of the net.
Why was this tagged with the wikileaks tag? Am I missing something?
I usually do something like username-slashdot@mailinator.com (or one of its mirrors). Easy for someone else to figure out, but I wouldn't care anyway.
It really needs to be heard. God damn if Gawker aren't the largest group of idiots on the web.
The thing is that they make you "audition" to comment and will ban you at a moment's notice with no reason given. But if you actually read the starred comments and the posts they make, the people that are allowed to talk are a giant collection of idiots.
Easiest way to get banned from a Gawker site is to point out a glaring error in an article. Showing that an editor is an idiot is an instaban.
Making retarded comments and trolling, on the other hand, are encouraged.
From http://pastebin.com/9rRmf6W5:
"Gawker uses a really outdated hashing algorithm known as DES (Data Encryption Standard). Because DES has a maximum of 8 chars, using a password like "abcdefgh1234" only the first 8 characters "abcdefgh" are encrypted and stored in the database. If your password is longer than 8 characters you only need to enter the first 8 characters to log in!"
The LM hash generated two hashes using DES from two 7 byte parts of a 14 byte password.
Basically they use each individual 7 byte part as a DES key to encrypt a fixed string.
Repeat this twice for each 7 byte part, and concatenate the results, and you get the LM hash.
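The LM construction described in the comment above, written out as an added example in Go (this is not code from the thread, from Gawker, or from Microsoft): the password is upper-cased, padded or truncated to 14 bytes, split into two 7-byte halves, each half is spread into an 8-byte DES key, and each key encrypts the fixed string `KGS!@#$%`. The function names are my own. Running it shows the two weaknesses a defender cares about: case is discarded, and the two halves are independent, so the second half of a 14-character password can be checked on its own and a password of 7 characters or fewer has a constant, instantly recognisable second half.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// lmMagic is the fixed plaintext that every LM half encrypts.
var lmMagic = []byte("KGS!@#$%")

// expandKey spreads the 56 bits of a 7-byte half across 8 bytes, leaving the low
// bit of each byte for the DES parity bit (which Go's DES ignores).
func expandKey(k7 []byte) []byte {
	key := make([]byte, 8)
	key[0] = k7[0] >> 1
	key[1] = (k7[0]&0x01)<<6 | k7[1]>>2
	key[2] = (k7[1]&0x03)<<5 | k7[2]>>3
	key[3] = (k7[2]&0x07)<<4 | k7[3]>>4
	key[4] = (k7[3]&0x0F)<<3 | k7[4]>>5
	key[5] = (k7[4]&0x1F)<<2 | k7[5]>>6
	key[6] = (k7[5]&0x3F)<<1 | k7[6]>>7
	key[7] = k7[6] & 0x7F
	for i := range key {
		key[i] <<= 1
	}
	return key
}

// lmHalf uses one 7-byte half of the password as a DES key to encrypt lmMagic.
func lmHalf(k7 []byte) []byte {
	block, err := des.NewCipher(expandKey(k7))
	if err != nil {
		panic(err) // the key is always 8 bytes, so NewCipher cannot fail here
	}
	out := make([]byte, 8)
	block.Encrypt(out, lmMagic)
	return out
}

// LMHash returns the 32-hex-digit LM hash: upper-case, pad/truncate to 14 bytes,
// hash each 7-byte half separately, concatenate.
func LMHash(password string) string {
	padded := make([]byte, 14) // zero padding
	copy(padded, []byte(strings.ToUpper(password)))
	both := append(lmHalf(padded[:7]), lmHalf(padded[7:])...)
	return strings.ToUpper(hex.EncodeToString(both))
}

func main() {
	// Constructed inputs showing the properties described above.
	fmt.Println("empty   :", LMHash(""))         // both halves are the constant AAD3B435B51404EE
	fmt.Println("password:", LMHash("password")) // second half covers only "D"
	fmt.Println("PASSWORD:", LMHash("PASSWORD")) // identical: case is discarded
	fmt.Println("passwor :", LMHash("passwor"))  // same first half, constant second half
}
```

The constant second half (`AAD3B435B51404EE`) is why LM hashes in a dump advertise that a password is at most seven characters long, and why the halves can be attacked separately; the same effect, at 8 characters, is what the pastebin quote above describes for Gawker's DES-based scheme.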
Mailinator was made for sites like this.
I use VERP on most of the forced registration systems. Unless the spammers strip VERP stuff out, I'll know exactly which spammers got my address from Gawker's network. Not that it'll do much good except satisfy some curiosity...
The other side effect is that your account is a little harder to break into, in cases where the login ID is an email address. Obviously not the case here (username works fine too.)
What should be awesome: we'll get to see how many Gawker commentators are astroturfing. That should be extra special fun.
After looking through the package released through BitTorrent, not everybody's password has been compromised. Gawker does appear to store passwords in an encrypted form and only particularly weak passwords have been cracked. My username, for instance, does appear in their raw DB dump (with an encrypted form of my password) but not in a separate file which lists the passwords they were able to crack. I have a fairly strong password and I believe that's why. Real examples of passwords weak enough to be cracked include "may1404" and "122190". Nothing like, for instance, "STux_s7a" (an old password of mine) appears in unencrypted form, and that isn't even a very strong "strong" password.
If you want to make good passwords for sites, follow this simple, handy rule:
1) take the URL of the website, shift each letter right once, add that to the field
2) A sentence or word, make sure it isn't a generic dictionary word or popular quote, add to field. (in caps or small)
3) go back to the start of the field
4) think of a number important to you.
5) press right, enter first digit, right, 2nd, right, 3rd, and so on. If you reach the end of the number before you reach the end of the words, wrap and continue on till the end.
Optional
6) go back to the start again. choose another word or phrase and repeat the 5th rule on this word / phrase
Enjoy your stupidly complex password.
For those up to the task, you could convert the letters of the URL in to numbers (hex, ASCII, general, others) and use THAT as the number component. (or a 2nd number!)
The rule can be extended in any way you like, you don't need to go back and type every 2nd letter, you can do every 4th, or none at all and just append it to the end, you can have 3 sets of words, other numbers, it depends on how secure you want it to be.
The real value here is that we'll get to see who has been astroturfing one of the "most popular" blog networks...and dumb enough to use obvious personal or work email addresses. In fact, it wouldn't surprise me if Gawker copywriters were 'turfing their own stories too, given how much emphasis Gawker places on story viewcounts.
Why is it that we see an endless stream of these stories, from web break-ins to some moron losing a laptop with unencrypted data to who knows what, and yet there's virtually never any discussion of the company or organization being held responsible for their lousy security practices?
For example, recently the IT system of a supermarket chain in my city was compromised, which caused the name, SSN, bank account and credit card information, etc. for thousands of people to be stolen. This set off a mad rush of people trying to protect their money before the thieves could take the next step and raid their linked accounts. Yet not one report about it even suggested that the supermarket chain that was very easily cracked (reading between the lines of the news reports) was responsible or should pay the customers for the hassle.
It must be nice to be that sloppy in your business practices and not have to worry about it.
It's nice to see a bit of karmic justice after Gawker falsely accused EasyDNS of cutting off Wikileaks (it was EveryDNS), then acted like jackasses when called on it.
http://blogs.villagevoice.com/runninscared/2010/12/gawker_refuses.php
hdmoore: Gawker hacked, 1.3m passwords stolen, 540k w/email addresses, check this table for yours: http://bit.ly/gYMsr5
Simply moneyed international interests hacking popular technology sites to more directly reinforce the concept of "moral data integrity" as a psyop against future Wikileaks-style activity. Who the hell knows, it's only information.
Anyone have any experience changing all their low priority passwords at once? Thoughts?
LOL
I just use different passwords everywhere, and track 'em in a database here. Most sites let you stay logged in, plus the browser remembers a lot of them, so it's really very little trouble. And the benefit - that a hack on one site doesn't compromise any other... that's worth a lot. Especially if you're doing *any* financial stuff on the net.
As for Gawker, I went and changed my password, but if they're using the same cheezy crypt routine, I dunno how much it's going to help. Any day now, someone might post "as me." Oh, heavens. :)
But yeah, if you're using the same password across the net... you might be about to learn a harsh lesson.
Couldn't have happened to a nicer bunch of guys.
Bugmenot unfortunately lost their courage a few years ago when they changed the way they function. I suspect they were threatened by a lawsuit. Now, any domain or site owner can request that bugmenot exclude their site from participating, and I've found that so many of the popular ones do that it's lost all practical value for me.
I now use mailinator for all my throwaway registrations, then if I care in the least I change the password just in case someone else reads from the same random email name that I did. I usually don't. For more "durable" sites where I'm likely to participate over a longer time, I'll create a unique sneakemail address and keep them around forever. When something like the Gizmodo breach happens I simply flag them as spam, and they plonk all the email from them for me. I've had to do that a couple of times now. I find their service is well worth the $24/year.
John
...except when they receive a takedown notice.
Worst of all, you need to sign in to Youtube now to tweak your resolution settings. Why is this a big deal? Because nowadays, by default, if you switch to full-screen mode Youtube reloads the video in a higher resolution, which is a big fucking problem if you don't have a blazing fast, uncapped connection. In fact I'd say this behavior could only be considered acceptable if you have a true-unlimited fiber connection. If you're unlucky enough to live somewhere with bandwidth even poorer than North America, it's like having to re-download a small movie because you switched to fullscreen. And unless you log in there's nothing you can do about it.
Don't you support transparency? Don't you support wikileaks? Information was made to be free. When will you stop supporting MPAA and RIAA and join the forces of openness and freedom on the internet!
Hyperbole? A bit, but only a bit.
Well.. maybe. Or Maybe not. But Definitely not sort of.
I put common e-mails @mailinator into the "forgot password" field when i need a login.
It works more often than not.
I've recovered my password probably 5 times now. I'd have had to remake the account 5 times.
"Got a Gawker acct that shares a PW w/your Twitter acct? Change your Twitter PW. A current attack appears to be due to the Gawker compromise." http://twitter.com/delbius/status/14235293116792833
Acai Berry Twitter Worm Spreading Like Wildfire [WARNING]
http://mashable.com/2010/12/13/acai-berry-twitter-worm-warning/
Regarding bugmenot, what is worse is that a few years ago there appeared to be an organized movement to make it worthless. People would just type in random logins that didn't work. Some would type comments in the email address/password fields. It was a mess. Someone was trolling it and trolling it hard.
Could have been an organized thing by 4chan. Doubtful, even for the lulz. Bugmenot is anonymity and that would be attacking your allies.
Could have been unorganized by a bunch of childish people. But it seemed to be so prevalent. Why would masses of prepubescents all decide at once to wreck this site? There were kids who would use it just to grab a login and take that account as their own and lock it off from bugmenot. They seemed to not understand what bugmenot was for. They'd either change the fake name to their real name, or keep the fake name and troll their friends. Either way, a login that tons of people could use before was now owned by a single person.
I always lean more towards it being corporate involved. Bugmenot basically fucks up the data of marketing and advertising companies by making it invalid. Tons of people running around that can't be locked down into specific profiles to be marketed to. So they poisoned the well.
I also remember that at the time there seemed to be a meme going around in news cycles to not hide under a username and sign up with crap like myspace and facebook. Finally! an internets you can trust! with real names! and individually targeted advert- err...I mean, internets you can trust! yay!
Bugmenot was a noble idea, but there isn't room on the internet for stuff like that anymore.
Email addresses are not the problem, using the same password on more than one site is. My brain simply can't remember tens of different passwords so I use the same one for throw-away accounts sometimes. The Keepass client for Android is pretty good so there is no problem having complex passwords for accounts I want to use away from my main PC where Firefox remembers them.
follow the above instructions for sjobs@apple.com and you will find a result!
No, seriously. Most major news sites have been covering Wikileaks, Assange and anonymous. But Gawker abandoned all pretense of any kind of impartial reporting. They insulted anonymous, mocked them and basically accused them of being malicious children.
Now, the individuals at Gawker are free to have any opinion they want. But when they are storing my personal information (Yes, I have a Gawker account) they are indirectly putting my material at risk for their own ends. That's like my bank putting out press releases saying "All you bank robbers suck. We think so little of you that we're just going to pile our money outside the vault door. We're not even protecting it, we have such contempt for you." It didn't take a genius to figure out that eventually some of the 4channers were going to investigate, and then we quickly found out that Gawker is so behind on their security software, they use the same simple hash that my first year computer science teacher gave as an example of what not to do to secure anything.
Given the circumstances, I have no sympathy for Gawker.
I was thinking about the same thing earlier today and I remember this from last month: Facebook and Twitter score an F for Fail in online security test. No SSL auth for starters.
I'm wondering how far could a site go in security without automatic SSL for both auth and browsing? Does it make sense to have the browser encrypt username and password before sending them over to the server? Is there a suitably strong method for this that makes it hard enough to brute-force to make it secure enough to use?
If such a way would be viable, this would be good news for websites in terms of minimizing costs. Gawker, Facebook and so on don't have a problem shelling out $500 for an SSL cert, which starting projects can hardly afford. But as the large user base makes the fixed-price cert more affordable, there comes another problem: hardware power. I don't remember what the difference between CPU and memory requirements of HTTP and HTTPS is, but it's huge.
A small startup project isn't maxing its hardware or can easily afford a few dollars a month for better hosting. However for a big company the increase in hardware costs for added security is a lot more per month. The above-mentioned alternative would instead decrease hardware requirements: instead of encrypting the password and comparing it to the encrypted password in the database, the server can skip the encryption as the browser did it already on the client side.
Better than having a few passwords is having a different password for every single site. Totally random, with numbers and upper/lowercase. Stick them all in a text file (protected in some way).
Just sayin
I recommend Spam Gourmet, personally. It's free, it has many domains you can use for forms in case one is blocked, and it is rather robust. I've been using it for years, and have yet to have any serious problems with it (sometimes it has eaten something it shouldn't have, or has had a decent delay in resending, but this is rare, and I doubt you're using it as a primary email address for things that are actually important).
Your message stats: 3,789 forwarded, 224,298 eaten. You have 326 disposable address(es).
that is in there. just sayin.
I never understood the logic of people hacking user accounts of innocent people to enact some sort of revenge on the owners of a web business. Isn't that sort of like Robin Hood killing the poor so the rich won't have anyone to mow their lawns?
I posted some basic password statistics and ranked prevalence graphs here, if anyone is interested in seeing what sorts of passwords people use in the wild.