Gawker Source Code and Databases Compromised
An anonymous reader writes "Passwords and personal data for 1.3 million Gawker Media readers — this includes readers of sites like Gizmodo, Lifehacker, Kotaku, and io9 — have been released as a BitTorrent by a group of hackers called Gnosis, who also managed to gain access to both the Gawker CMS and Gizmodo's Twitter account. Gawker confirms and urges readers to change their passwords: 'Our user databases do indeed appear to have been compromised. The passwords were encrypted. But simple ones may be vulnerable to a brute-force attack. You should change the password on Gawker (GED/commenting system) and on any other sites on which you've used the same passwords. Out of an abundance of caution, you should also change your company email password and any passwords that may have appeared in your email messages. We're deeply embarrassed by this breach. We should not be in the position of relying on the goodwill of the hackers who identified the weakness in our systems.'"
Perhaps this should give them a lesson about going overkill on the whole "outsourcing" thing.
Twitter supports and protects racists - by smearing their critics with the "Hate Speech" label.
Pawned!
I appreciate taking this sort of thing with good nature, but that might be a bit generous. Goodwill stopped at the "released a torrent of all the users passwords and personal data". Now my email address is going to get spammed . . . .
..the future is the "cloud"?
On what planet?
... on their iPhone 4, which for some reason they appear to have left at the bar...
...and instead use Facebook to protect my privacy. Wait, why are you laughing?
Not sure why anyone would register with any of the Gawker sites, but why on earth you would ever give your actual email address to half of these websites is beyond me. If they require you to provide an email address to register, use a throwaway address from something like mailinator or the other sites like it. Yes, someone could take over the account if the email address is posted, but for almost all of those sites the account serves no purpose outside of being able to post.
I'm not even sure why they require email addresses. Reddit is one of the few sites I've seen get it right. They don't require an email address to register, but warn you that if you don't include one there is no way to recover the password for the account.
http://thepiratebay.org/torrent/6034669
They probably did. It's a press release, and a one-way cryptographic hash is close enough to "encrypted" and a helluva lot shorter and more understandable to a non-pedantic audience.
This has all happened before, and it will all happen again.
Hashed passwords provide a degree of protection, so long as you salt the hash, and store a different salt for each password (for maximum protection).
Any programmer that doesn't understand salts, hashing, and encrypting should not bother making software that handles logins, period.
War isn't about who's right. It's about who's left.
They probably did. It's a press release, and a one-way cryptographic hash is close enough to "encrypted" and a helluva lot shorter and more understandable to a non-pedantic audience.
At least they didn't say "scrambled".
It is a miracle that curiosity survives formal education. - Einstein
My first thoughts exactly. I'm always taken aback when the recover password tool of a website sends me my password rather than resetting it to something new.
Yes, If you love something set free
It will return if meant to be
If not, hunt it down and kill it
For justice, we must go to Don Corleone
Leaks of information are good.
I tried to take part in the discussions on those sites, I really did.
The mods are fucking idiots, and I am in no way surprised that they were too stupid to keep people's personal data safe.
I used to have one password for all. Yeah, great idea huh. Then it became, 1 password for the important stuff, and 1 for the throwaways. Later on it was 1 for the really useless crap that I wouldn't care if they got hacked, 1 for the semi-important stuff, 1 for things I want to have secured, and 2 more levels, the last one being for "e-mails and personal profile use" (i.e. Facebook, oh nooo!).
So now I have 5 passwords (well, plus a few single-site ones for e.g. my bank), but I use them inconsistently. Slashdot, for example, is still on the 2nd weakest password. I read that morons were able to hack Twitter, so I used that 2nd weakest password too. And if I want to change them all, what sites am I registered in, and what level should they be in?
What time is it/will be over there? Check with my iPhone app!
Hmm. I've done okay so far with tiered emails, because lots of sites are hooked on the whole "sign in" thing. As for "not sure why they require email addresses", if you put on your techie hat, content they show to a logged in user gets marked with a different profile than a Noel Coward. Hulu is a lead example of this, hiding some "mature" shows behind the login wall. They also tweak the ad spread with it.
I'm dreading having to use a password manager to manage my 3-off visits all over the web.
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
and by "encrypted" do they mean "we're idiots and stored something other than a salt + hash of the passwords"?
"The passwords have been flam-boozled and goofed up so the hackers on steroids can't them..."
Am I the only one curious about the code in their CMS?
We considered what action we would take, and decided that the Gawkmedia “empire” needs to be brought down a peg or two.
This is the major problem with the internet - we let children on it.
Really kids? Go play somewhere else and let the adults have peace and quiet. You don't need to piss on everything just to prove you're alive. The smell of your unwashed armpits is already ample demonstration.
There's no indication that the people who compromised Gawker were minors... but to respond to your larger sentiment...
People who have malicious intentions and do bad things exist. They exist in large numbers. It is simply not possible to identify and stop every last one of them. It's not even feasible to significantly reduce their numbers. Not even the power of law can accomplish that. Indeed, law is a tool for managing this fact of life and has no real power to completely prevent it. There's nothing anyone can do about this reality. It can only be acknowledged, accepted, and worked with. Denial and delusion are your only other options.
There's one thing we can do, however. We can harden the targets. We can secure the systems for which each of us is responsible. We can realize that compromises like this are preventable and then take steps to prevent them. We can learn from the example of those who failed to do so. At the end of the day, we can realize that we're not helpless victims completely at the mercy of random chance or luck, but rather, that there is a great deal we can do to become an extremely difficult target.
Posts like this one are written in the spirit of this understanding. It highlights that the owners of those systems acknowledge that they have failed, have accepted responsibility for that, and therefore have the fewest obstacles to learning from this experience and overcoming it. An attitude of blaming everything on "those evil hackers", though they truly have done wrong, would practically guarantee that nothing is learned and no skills are improved.
I find that message from Gawker amusing because they don't even secure their login form with SSL. They're concerned about the database getting stolen with unreadable passwords that might be cracked with enough time, but they turn a blind eye to the fact that authentication information is sent in the clear from the form...
I didn't say minors. I said "children."
I chose that word carefully.
Your points are all very correct, of course. I am just screaming to an apathetic universe.
Waht? Smcrbalnig is a pfretlecy surece epoitrcyn mhtoed for prdsoaswss!
As others have replied, a hash can be called a one-way encryption; hashed passwords have no 1:1 relationship to inputs, usually a single hash can be the result of infinitely many different inputs to the hash function, of which many can coincide within the password restrictions. So if the process can be reversed by generating input from a hash you might not get your original password, but a password which will work all the same. That's why adding a random salt to the password is important, it just makes it all the more unlikely it could be done (also makes it more unlikely that someone has your hash in a precalculated dictionary).
Why you shouldn't really use md5
Any programmer that doesn't understand salts, hashing, and encrypting should not bother making software that handles logins, period.
Why should they have to? How many times are we going to reinvent this particular wheel anyhow?
Literalism isn't a form of humor, it's you being irritating.
Doesn't really change the fact that you should never provide these people with your real email address. Hulu obtaining your email address in no way proves that you're over 18 and anyone under 18 is most likely sophisticated enough to lie about their age if they want to see a nipple or hear some foul language. So if one needs to sign in because there's some type of wall for unauthenticated users, I don't see how that precludes the use of throwaway email accounts.
I can't see a good reason to give out your email address unless you want to receive emails from the site. Otherwise you're just exposing yourself to needless grief. Honestly, I don't even know why you display your email address on Slashdot. Anyone who becomes sufficiently annoyed with you or merely bored could send massive amounts of spam towards it.
I didn't say minors. I said "children."
I chose that word carefully.
Your points are all very correct, of course. I am just screaming to an apathetic universe.
Point taken. In fact the biggest single reason why I am concerned about the long-term well-being of the USA is that most of its "adults" are petty, indulgent, overgrown children with short memories. In that spirit I can see why you had good reason to choose that word as you did.
I maintain that the more adult thing to do is to overcome such events by learning their lesson, rather than indulging in the "blame game" and making it into a 5-minute hate. Not only is that the constructive solution, it also limits the damage of this intrusion to computer systems only. The anger and hatred merely serves the intruder(s) by extending the damage into the personal realm of your own well-being.
I'm dreading having to use a password manager to manage my 3-off visits all over the web.
If you use throw-away email addresses that are derived from the site's address then you can use the same password at all sites and all you have to remember is the algorithm that converts the site's address into the throw-away email address.
When information is power, privacy is freedom.
As many times as it takes for common sense about basic security to actually win?
Om, nomnomnom...
They should provide a fast one-stop CGI that their users can go to that will perform these steps, not 'visit our sites and figure shit out'.
Annoying.
members are seeing something, you're seeing an ad
From http://pastebin.com/9rRmf6W5:
"Gawker uses a really outdated hashing algorithm known as DES (Data Encryption Standard). Because DES has a maximum of 8 chars, using a password like "abcdefgh1234" only the first 8 characters "abcdefgh" are encrypted and stored in the database. If your password is longer than 8 characters you only need to enter the first 8 characters to log in!"
The LM hash generated two hashes using DES from two 7 byte parts of a 14 byte password.
Basically they use each individual 7 byte part as a DES key to encrypt a fixed string.
Repeat this twice for each 7 byte part, and concatenate the results, and you get the LM hash.
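The LM construction described in the post above, as an added example that is not part of the original thread (Go, using only the standard library's crypto/des). It assumes ASCII passwords (real LM uppercases through the OEM code page) and, because crypto/des ignores DES parity bits, leaves the parity bit of each expanded key byte zero. It does not reproduce the crypt(3) DES variant the pastebin refers to, which perturbs DES with the salt, but it shows the properties the thread is talking about: case is folded, anything past the cut-off is silently dropped, and the two halves are hashed independently, so a hash whose second half equals the all-zero-key constant tells a cracker the password was at most 7 characters.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// lmMagic is the fixed plaintext LM encrypts under each 7-byte key half.
var lmMagic = []byte("KGS!@#$%")

// emptyHalf is DES("KGS!@#$%") under an all-zero key: the value every LM
// hash carries in its second half when the password is 7 chars or shorter.
const emptyHalf = "AAD3B435B51404EE"

// expandKey7to8 spreads 56 key bits over 8 bytes (7 bits per byte) and
// leaves the low bit of each byte zero; crypto/des ignores DES parity bits.
func expandKey7to8(k7 []byte) []byte {
	k8 := make([]byte, 8)
	k8[0] = k7[0] >> 1
	k8[1] = (k7[0]&0x01)<<6 | k7[1]>>2
	k8[2] = (k7[1]&0x03)<<5 | k7[2]>>3
	k8[3] = (k7[2]&0x07)<<4 | k7[3]>>4
	k8[4] = (k7[3]&0x0F)<<3 | k7[4]>>5
	k8[5] = (k7[4]&0x1F)<<2 | k7[5]>>6
	k8[6] = (k7[5]&0x3F)<<1 | k7[6]>>7
	k8[7] = k7[6] & 0x7F
	for i := range k8 {
		k8[i] <<= 1
	}
	return k8
}

// desEncryptBlock encrypts one 8-byte block under a 7-byte LM key half.
func desEncryptBlock(key7, block []byte) []byte {
	c, err := des.NewCipher(expandKey7to8(key7))
	if err != nil {
		panic(err) // only fails on a wrong key length
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// LMHash computes the LAN Manager hash of an ASCII password: uppercase,
// truncate or NUL-pad to 14 bytes, split into two 7-byte halves, and use
// each half as a DES key to encrypt the constant. The hash is the two
// 8-byte ciphertexts concatenated, returned here as upper-case hex.
func LMHash(password string) string {
	p := []byte(strings.ToUpper(password))
	if len(p) > 14 {
		p = p[:14] // characters 15+ never influence the hash
	}
	p = append(p, bytes.Repeat([]byte{0}, 14-len(p))...)
	h := desEncryptBlock(p[:7], lmMagic)
	h = append(h, desEncryptBlock(p[7:], lmMagic)...)
	return strings.ToUpper(hex.EncodeToString(h))
}

// SecondHalfEmpty reports whether the password behind an LM hash was at
// most 7 characters long: its second half is then the constant for a
// NUL key, which is the first thing a cracker checks.
func SecondHalfEmpty(lmHex string) bool {
	return len(lmHex) == 32 && strings.ToUpper(lmHex[16:]) == emptyHalf
}

func main() {
	for _, pw := range []string{"", "passwor", "password", "abcdefghijklmnopqrstuvwxyz"} {
		h := LMHash(pw)
		fmt.Printf("%-30q %s second-half-empty=%v\n", pw, h, SecondHalfEmpty(h))
	}
}
```

Each half is a separate 7-character, case-insensitive search, which is why LM was crackable by brute force long before GPUs; the crypt(3) scheme in the pastebin has the analogous 8-character cut-off, though with a salt.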
Mailinator was made for sites like this.
I use VERP on most of the forced registration systems. Unless the spammers strip VERP stuff out, I'll know exactly which spammers got my address from Gawker's network. Not that it'll do much good except satisfy some curiosity...
The other side effect is that your account is a little harder to break into, in cases where the login ID is an email address. Obviously not the case here (username works fine too.)
What should be awesome: we'll get to see how many Gawker commentators are astroturfing. That should be extra special fun.
According to the readme included in the torrent, they used DES (probably crypt(3)), and it only took into account the first 8 characters of the password.
After looking through the package released through BitTorrent, not everybody's password has been compromised. Gawker does appear to store passwords in an encrypted form and only particularly weak passwords have been cracked. My username, for instance, does appear in their raw DB dump (with an encrypted form of my password) but not in a separate file which lists the passwords they were able to crack. I have a fairly strong password and I believe that's why. Real examples of passwords weak enough to be cracked include "may1404" and "122190". Nothing like, for instance, "STux_s7a" (an old password of mine) appears in unencrypted form, and that isn't even a very strong "strong" password.
If you want to make good passwords for sites, follow this simple, handy rule:
1) take the URL of the website, shift each letter right once, add that to the field
2) A sentence or word, make sure it isn't a generic dictionary word or popular quote, add to field. (in caps or small)
3) go back to the start of the field
4) think of a number important to you.
5) press right, enter first digit, right, 2nd, right, 3rd, and so on. If you reach the end of the number before you reach the end of the words, wrap and continue on till the end.
Optional
6) go back to the start again. choose another word of phrase and repeat the 5th rule on this word / phrase
Enjoy your stupidly complex password.
For those up to the task, you could convert the letters of the URL in to numbers (hex, ASCII, general, others) and use THAT as the number component. (or a 2nd number!)
The rule can be extended in any way you like, you don't need to go back and type every 2nd letter, you can do every 4th, or none at all and just append it to the end, you can have 3 sets of words, other numbers, it depends on how secure you want it to be.
In cases where the pertinent part of the codebase/config was lifted as well, such as in the current example with the Gawker data, this doesn't help. At some point, the password algorithm has to have access to the salt. An attacker who has both the complete code and the database will also have access to the same salt, no matter how "secure" the individual hashes are computed.
At some point, adding complexity does very little to the actual security of software. There is always information supposedly internal to the system that is needed for decoding or verifying security info. Once that info gets out, it's out, and those logins can be reconstructed never mind how convoluted the hashing function behind them may (or may not) be. The only viable option for Gawker would be to set the entire password column to null and send out notifications with a confirmation code to all registered email addresses, prompting them for a new password.
The real value here is that we'll get to see who has been astroturfing one of the "most popular" blog networks...and dumb enough to use obvious personal or work email addresses. In fact, it wouldn't surprise me if Gawker copywriters were 'turfing their own stories too, given how much emphasis Gawker places on story viewcounts.
Having people reinvent it constantly is counterproductive to your goal. What we need are a few people who actually know what they're doing to design it, and for everybody else to use that.
Every CMS doing passwords their own way is a great way to ensure most of them are doing it wrong.
-- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
Actually they used DES, so calling it encryption is technically correct. (They encrypt a constant string with the password as the key, which is basically a poor mans hash).
Also apparently like LANMAN hashes they only use the first 8 characters of the password, which is just fucking mind blowingly stupid.
The salt just complicates the rainbow table lookup method. It's not supposed to be super secret. It makes every password require an expensive brute-force lookup rather than an O(1) operation.
It's nice to see a bit of karmic justice after Gawker falsely accused EasyDNS of cutting off Wikileaks (it was EveryDNS), then acted like jackasses when called on it.
http://blogs.villagevoice.com/runninscared/2010/12/gawker_refuses.php
While that is true, it just delays the inevitable. In fact, even with salt, any large scale leaks such as the Gawker crack will always contain a good number of stupid passwords that are easily brute-forceable even without a rainbow table. It will always be relatively easy to either crack a single account you're really interested in, or alternatively crack a huge number of accounts that are particularly low-hanging fruit, even if every single account was salted differently. Rainbow tables are nice for crackers on a budget of 0, but today everyone can rent dirt-cheap GPU-assisted brute force cracking power.
Anyone have any experience changing all their low priority passwords at once? Thoughts?
Is there anyone else that didn't find their email address(es)/domain(s) on that table?
I searched my inbox for any emails from anything Gawker and found none.
I logged into Kotaku, where I haven't commented since forever, and surprisingly, my email address is not in my profile.
Did I sign up at a time when they weren't asking for email addresses?
Even though I won't be logging into that site ever again, I changed the password to something I will never remember, and no one will likely crack in my lifetime, just to be safe.
I didn't find mine, either.
I just use different passwords everywhere, and track 'em in a database here. Most sites let you stay logged in, plus the browser remembers a lot of them, so it's really very little trouble. And the benefit - that a hack on one site doesn't compromise any other... that's worth a lot. Especially if you're doing *any* financial stuff on the net.
As for Gawker, I went and changed my password, but if they're using the same cheezy crypt routine, I dunno how much it's going to help. Any day now, someone might post "as me." Oh, heavens. :)
But yeah, if you're using the same password across the net... you might be about to learn a harsh lesson.
I've fallen off your lawn, and I can't get up.
Is it bad that I read that just fine, then realized that every word was messed up?
You don't even need to register a throwaway address for Hulu or sites like it. Enter bugmenot, savior of the net.
Bugmenot unfortunately lost their courage a few years ago when they changed the way they function. I suspect they were threatened by a lawsuit. Now, any domain or site owner can request that bugmenot exclude their site from participating, and I've found that so many of the popular ones do that it's lost all practical value for me.
I now use mailinator for all my throwaway registrations, then if I care in the least I change the password just in case someone else reads from the same random email name that I did. I usually don't. For more "durable" sites where I'm likely to participate over a longer time, I'll create a unique sneakemail address and keep them around forever. When something like the Gizmodo breach happens I simply flag them as spam, and they plonk all the email from them for me. I've had to do that a couple of times now. I find their service is well worth the $24/year.
John
...except when they receive a takedown notice.
"When information is power, privacy is freedom" - Jah-Wren Ryel
Worst of all, you need to sign in to Youtube now to tweak your resolution settings. Why is this a big deal? Because nowadays, by default, if you switch to full-screen mode Youtube reloads the video in a higher resolution, which is a big fucking problem if you don't have a blazing fast, uncapped connection. In fact I'd say this behavior could only be considered acceptable if you have a true-unlimited fiber connection. If you're unlucky enough to live somewhere with bandwidth even poorer than North America, it's like having to re-download a small movie because you switched to fullscreen. And unless you log in there's nothing you can do about it.
Having people reinvent it constantly is counterproductive to your goal. What we need are a few people who actually know what they're doing to design it, and for everybody else to use that.
How about Kerberos, versions 1-4? Oh, wait. Bad example.
My point is that MIT has the people who not only know what they're doing, but are the ones who often define the very security practices the rest of us rely on. And even they needed to get to version 5 before they got it right (for current definitions of "right").
I'm certainly not saying that ShmooCMS is going to do a better job than MIT did with kerberos at defining an unhackable protocol. They're not. I am saying to "be mindful of what you rely on", because even the best systems are not likely to remain secure forever.
John
Aren't Kerberos and the authentication of Google Accounts and Facebook's Connect the same thing? They both rely on authenticating an individual and using a provided token for authorization; one is PAM based and the other is for Web properties.
Central authentication is the way to go, you just need to make your central authentication rock solid from both a security and reliability standpoint (i.e. properly implemented Kerberos).
Hashed passwords provide a degree of protection, so long as you salt the hash, and store a different salt for each password (for maximum protection).
True, but as far as websites are concerned, the weakest link is usually the login form where most of the time plaintext passwords get transferred over the net. Releasing a database dump is a big problem, whether passwords are hashed or not, but the gawker intruders might just as well have installed a hidden mechanism that grabs such unencrypted login info over time and for extra fun they could have invalidated all login sessions/cookies/whatever...
"I love my job, but I hate talking to people like you" (Freddie Mercury)
Can someone please tell me why sites and services like this are saving the passwords of their users, instead of saving some hashed version of them?
4 obvious reasons:
Don't you support transparency? Don't you support wikileaks? Information was made to be free. When will you stop supporting MPAA and RIAA and join the forces of openness and freedom on the internet!
Hyperbole? A bit, but only a bit.
Well.. maybe. Or Maybe not. But Definitely not sort of.
Hashed passwords provide a degree of protection, so long as you salt the hash, and store a different salt for each password (for maximum protection).
Any programmer that doesn't understand salts, hashing, and encrypting should not bother making software that handles logins, period.
Unless you were intending to be ironic, salted hashes (even with per-user salts) do not offer maximum protection. Use bcrypt instead: http://codahale.com/how-to-safely-store-a-password/
See this thread for additional discussion behind it: http://news.ycombinator.com/item?id=1091104
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
I now use mailinator for all my throwaway registrations, then if I care in the least I change the password just in case someone else reads from the same random email name that I did.
I put common e-mails @mailinator into the "forgot password" field when I need a login.
It works more often than not.
[Fuck Beta]
o0t!
I've recovered my password probably 5 times now. I'd have had to remake the account 5 times.
Is it bad that I read that just fine, then realized that every word was messed up?
No, you are just a victim of that fake study that claims that you can read scrambled texts as long as the first and last letters don't get changed.
If you never heard of that study, you couldn't have read that text without any problems!
UnNetHack: NetHack Improved!
Only if you have a very simplistic and very homogeneous view about information. Information isn't equal. All of it might want to be free, but not all of it should be. You can easily and coherently argue that certain kinds of government communication should be "liberated" -- particularly if it's an abusive government's information -- and that other kinds of personal information should remain confidential.
Switch back to Slashdot's D1 system.
Big meanie... =(
Someone flopped a steamer in the gene pool.
Email addresses are not the problem, using the same password on more than one site is. My brain simply can't remember tens of different passwords so I use the same one for throw-away accounts sometimes. The Keepass client for Android is pretty good so there is no problem having complex passwords for accounts I want to use away from my main PC where Firefox remembers them.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
No, seriously. Most major news sites have been covering Wikileaks, Assange and anonymous. But Gawker abandoned all pretense of any kind of impartial reporting. They insulted anonymous, mocked them and basically accused them of being malicious children.
Now, the individuals at Gawker are free to have any opinion they want. But when they are storing my personal information (Yes, I have a Gawker account) they are indirectly putting my material at risk for their own ends. That's like my bank putting out press releases saying "All you bank robbers suck. We think so little of you that we're just going to pile our money outside the vault door. We're not even protecting it, we have such contempt for you." It didn't take a genius to figure out that eventually some of the 4channers were going to investigate, and then we quickly found out that Gawker is so behind on their security software, they use the same simple hash that my first year computer science teacher gave as an example of what not to do to secure anything.
Given the circumstances, I have no sympathy for Gawker.
I was thinking about the same thing earlier today and I remember this from last month: Facebook and Twitter score an F for Fail in online security test. No SSL auth for starters.
I'm wondering how far could a site go in security without automatic SSL for both auth and browsing? Does it make sense to have the browser encrypt username and password before sending them over to the server? Is there a suitably strong method for this that makes it hard enough to brute-force to make it secure enough to use?
If such a way would be viable, this would be good news for websites in terms of minimizing costs. Gawker, Facebook and so on don't have a problem for shelling out $500 for an SSL cert, which starting projects can hardly afford. But as the large user base makes the fixed-price cert more affordable, there comes another problem: hardware power. I don't remember what's the difference between CPU and memory requirements of HTTP and HTTPS, but it's huge.
A small startup project isn't maxing its hardware or can easily afford a few dollars a month for a better hosting. However for a big company the increase in hardware costs for added security is a lot more per month. The abovementioned alternative would instead decrease hardware requirements: instead of encrypting the password and comparing it to the encrypted password in the database, the server can skip the encryption as the browser did it already on client-side.
Better than having a few passwords is having a different password for every single site. Totally random, with numbers and upper/lowercase. Stick them all in a text file (protected in some way).
I'm not a lawyer, but I play one on the Internet. Blog
I recommend Spam Gourmet, personally. It's free, it has many domains you can use for forms in case one is blocked, and it is rather robust. I've been using it for years, and have yet to have any serious problems with it (sometimes it has eaten something it shouldn't have, or has had a decent delay in resending, but this is rare, and I doubt you're using it as a primary email address for things that are actually important
Your message stats: 3,789 forwarded, 224,298 eaten. You have 326 disposable address(es).
A patriot must always be ready to defend his country against his government. -edward abbey
It's a myth that hashed passwords cannot be unhashed. Yes, if the password is secure (lots of random alphanumeric characters) it will be difficult to find the password that corresponds to a particular hash. However, if the password is not secure (e.g. password="password"), or if the keyspace is small (e.g. limiting passwords to 8 characters), then it's fairly trivial to build a rainbow table of all possible passwords or all common passwords. Then, when you want to crack the password, you look at the hash, and then look at your rainbow table to figure out which password corresponds to that hash.
We all know what to do, but we don't know how to get re-elected once we have done it
What I'm saying is that "properly implemented Kerberos" (your words) is a strong assurance, but it is NOT a guarantee of "rock solid". The first four versions of Kerberos all had various weaknesses that weren't discovered until after they were in use.
If Kerberos 5 has an as-yet-undiscovered weakness, it no longer meets the definition of rock solid, and whatever secrets it was protecting may now be exposed at every site relying on it. Do I think V5 has such a weakness? Doubtful, but let me put it this way: I had absolute faith in the security of PGP, which was shattered by the discovery that someone could tack an almost invisible escrow decryption agent into unsigned data attached to someone's public key. Now, I maintain what I consider to be a healthy skepticism in the supposed perfection of any system.
And regardless of the strength of the underlying authenticating technology, I believe proper implementation is a myth. Some sites are very, very good at it today, but reality issues always seem to creep in. Someone outsources someone else's task; and the outgoing employees stop caring, or the incoming contractors never care. Spies break into a factory or two and steal their private CA signing root keys. The offline server is accidentally left online. Joe gets drunk and forgets his keycard in the bar. Or a surrogate Mary McDonnell hooks up with the lead security architect via an XSS hack at match.com and pulls some shenanigans.
Central authentication isn't a panacea, it's just better than anything else we are willing to put up with at the moment.
John
I posted some basic password statistics and ranked prevalence graphs here, if anyone is interested in seeing what sorts of passwords people use in the wild.