Learning From Gawker's Failure
Gunkerty Jeb writes "The Gawker hack has completely disenfranchised their users, not to mention the breach in trust that may well be impossible to regain. Users are demanding that they be allowed to delete their accounts immediately, and beyond implementing such a mechanism, it is likely that Gawker systems will have to be rebuilt from the ground up to avoid future hacks. So, what is to be learned from this perfect storm of bluster and bravado?"
Nice use of the apostrophe on a plural form.
One lesson that comes to mind is that you shouldn't refer to your website's participants as "peasants".
And from what I hear, there is no way these clueless, juvenile script kiddies could EVER hack Slashdot.
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
How about a detailed description of how the hack was performed? What hole was breached? That would be the first place to begin "learning".
Until that's published there's really nothing to study.
Thinking any password sacrosanct on this here interwebs is ridiculous. The self-satisfied Gawker-enthusiast is the very type of person who should know better.
I left Jalopnik over two years ago. It had very poor editorial control, and displayed the vast chasm between reputable automotive journalism in mags like Car & Driver and Road & Track and the interwebz. It had become Ray Wert's bully pulpit, and the commentariat IQ over there dropped down to double digits pretty quickly.
IO9 and others really were not much better. And the problem really came down to not being able to drown out the idiots. I attribute Slashdot's long term success to the mod system and the whole way it handles contributions. It works. And the Gawker crap blog engine was badly coded, anybody who used it could see that. So it isn't a shock that it got 0wn3d. An amateur blog engine should be a sign of overall poor design and security.
I learned to always use the password "123456". Herd immunity.
If Slashdot were chemistry it would look like this: Cadaverine
Scum loving snoops don't like being snooped on themselves.
See title
The Gawker hack has completely disenfranchised their users
That's quite a hack, depriving users of their right to vote...
"In a 32-bit world, you're a 2-bit user. You've got your own newsgroup, alt.total.loser." -Weird Al
The big lesson here is not that you should never get breached, or that you should use some super-secure password, or that you should use a different password on every site (you should).
No, the real lesson is that passwords themselves are faulty. No one is going to select and memorize a strong password for every website they use. They're going to either re-use passwords, or choose weak passwords, or write their passwords down (or use a password manager).
None of these are good answers. The expectation is that users are going to choose strong passwords, that they will never re-use passwords, that hashes (even with salt) are an effective way to protect passwords, and that users will never be tricked into revealing their password.
It's bullshit. It's always been bullshit. Users aren't careful with passwords, and why would we expect them to be - 99.9% of the time they get away with it. Humans are bad at evaluating the risk of things that are low frequency but high impact.
The other thing that's bullshit is password reset. It doesn't make any sense: how can someone who forgot their password remember "security questions" that are actually secure. No, 99 times out of 100 these systems use some crap like "Where were you born", which is pretty damn trivial to find out for any attacker. My brokerage account has a secure password that I only use there, but resetting the password requires only my username, SSN, ZIP code, and last name. And there are far, far more people who know that stuff than people who know my password.
It's time to get serious about replacing passwords. That's the lesson here.
If Gawker had any sense, they would hire the hackers to do their security.
Their MO is "Kick 'em when they're up, kick 'em when they're down".
This hack couldn't have happened to a bigger bunch of self-involved, arrogant jerks. If there is a balance of justice in the universe, then it just inched another tiny notch towards equilibrium.
Really, the imperious attitude that is exhibited by the Gawker "editorial" stance is a smug and sarcastic condescension towards the foibles of others.
"Flyin' in just a sweet place,
Never been known to fail..."
Don't fucking store the original unsalted password in your database? Muppets.
Consider user's revised to users and disenfranchised revised to discouraged. I'll try to be less of an animal in the future.
What I'm left wondering is why someone should need a username and password to comment on a blog post on their sites. Do they have a reputation system? Does it really prevent spam? Or is it just to gather a list of email addresses that they might sell later? There must be a better way to accomplish the little functionality that their login requirement provides. Especially now that they have to deal with the fact that their login system was not secure.
Well, some of us were more fortunate there.
I was born in the quaint town of P5$+19"797q4. It's lovely in the spring. You should visit. My mother's maiden name was B192zve8p6; an ancient and distinguished family, if you must ask. My first pet was a cat named Ö8z~30+r.vd. We all loved her. And I went to ß8s8h,u:82 memorial school.
Strangely enough, nobody ever guesses those ;)
A polar bear is a cartesian bear after a coordinate transform.
Meh, I'd always used Facebook Connect to post comments to their sites. Probably the first mildly useful thing Facebook has done for me.
So at worst, I probably have my spam email address out there in that torrent. Big deal. It's posted all over the web already (including my personal contact page).
But really, if anyone was adversely impacted by this, was it Gawker's failure, or their own for trusting some random website with a sensitive password? I don't use my good passwords for any of these "social networking" sites.... I don't care WHAT their reputation or privacy policy says :P
It's not like CmdrTaco isn't free to break into my /. account and start OMG I LIKE TURTLES HAMSTER HAVOC RULEZ!
Salting addresses some attacks, but as CPU time becomes cheaper, it becomes increasingly feasible to brute-force even salted hashes. To address this issue, you need key strengthening as well.
Or, better yet, just use the system designed to store passwords: bcrypt.
*sigh* Then again, I'm confident that we'll see incompetent web application developers using unsalted MD5 for decades to come. People don't learn from others' mistakes it seems.
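The three storage choices argued over in this thread, as an added example that is not part of any comment here and not Gawker's code: unsalted MD5, a salted SHA-256, and a key-stretched hash (PBKDF2-HMAC-SHA256 from the Python standard library stands in for bcrypt, since both make every guess cost a tunable amount of work). The wordlist, the three user records and the round count are constructed for the demo. The attacker-work counts show why salting alone only forces the attacker to redo a cheap dictionary per user, while stretching is what actually raises the price of each guess.

```python
"""Unsalted MD5 vs. salted SHA-256 vs. key-stretched PBKDF2, measured in
attacker work. Constructed demo; not code from the thread or from Gawker."""
import hashlib
import os

# Constructed: a tiny attacker wordlist, tried in this order.
WORDLIST = ["password", "123456", "qwerty", "lifehack", "gizmodo", "monkey"]

# Constructed: what three commenters chose as passwords.
USERS = {"alice": "123456", "bob": "123456", "carol": "lifehack"}

# Illustrative assumption; real deployments raise this as hardware gets faster.
PBKDF2_ROUNDS = 10_000


def md5_unsalted(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def sha256_salted(password: str, salt: bytes) -> str:
    return hashlib.sha256(salt + password.encode()).hexdigest()


def pbkdf2_stretched(password: str, salt: bytes, rounds: int = PBKDF2_ROUNDS) -> str:
    # Stand-in for bcrypt: each verification (and each attacker guess) costs
    # `rounds` HMAC computations instead of one hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()


def store_unsalted(users: dict) -> dict:
    """The Gawker-style mistake: same password, same digest, no per-user salt."""
    return {u: md5_unsalted(p) for u, p in users.items()}


def store_salted(users: dict, stretched: bool = False) -> dict:
    """Per-user random salt; optionally key-stretched. Returns user -> (salt, hash)."""
    db = {}
    for u, p in users.items():
        salt = os.urandom(16)
        digest = pbkdf2_stretched(p, salt) if stretched else sha256_salted(p, salt)
        db[u] = (salt, digest)
    return db


def crack_unsalted(db: dict, wordlist: list) -> tuple:
    """One hash per wordlist entry cracks every user who chose that word.
    A precomputed table (rainbow table) makes even that one pass unnecessary.
    Returns (cracked user -> password, number of hash computations)."""
    lookup = {md5_unsalted(w): w for w in wordlist}
    cracked = {u: lookup[h] for u, h in db.items() if h in lookup}
    return cracked, len(wordlist)


def crack_salted(db: dict, wordlist: list, hash_fn, cost_per_guess: int = 1) -> tuple:
    """Salting forces the wordlist to be redone per user; stretching multiplies
    the cost of each guess by `cost_per_guess`. Returns (cracked, work units)."""
    cracked, work = {}, 0
    for u, (salt, digest) in db.items():
        for w in wordlist:
            work += cost_per_guess
            if hash_fn(w, salt) == digest:
                cracked[u] = w
                break
    return cracked, work


def compare() -> dict:
    """Attacker work needed to recover the same three accounts under each scheme."""
    _, w_unsalted = crack_unsalted(store_unsalted(USERS), WORDLIST)
    _, w_salted = crack_salted(store_salted(USERS), WORDLIST, sha256_salted)
    _, w_stretched = crack_salted(store_salted(USERS, stretched=True), WORDLIST,
                                  pbkdf2_stretched, cost_per_guess=PBKDF2_ROUNDS)
    return {"unsalted_md5": w_unsalted, "salted_sha256": w_salted,
            "pbkdf2": w_stretched}


if __name__ == "__main__":
    for scheme, work in compare().items():
        print(f"{scheme:14s} hash operations to crack all three: {work}")
```

Note that the unsalted store also leaks which users share a password (alice and bob get identical digests), which is exactly what let people compile "most common Gawker passwords" lists from the dump.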
They should toss out their own lousy system and switch to Wordpress with Disqus for commenting. They should switch to OpenID instead of passwords. They should at the very least hash passwords, not encrypt them.
If you want it to be possessive, it's just 'I-T-S.'
But, if it's supposed to be a contraction then it's 'I-T-apostrophe-S'.
Scalawag.
Why, why, WHY would a site think it's ok to store users' passwords in the first place?
Don't poke the bear. You have to be stupid or cocky to taunt hackers.
http://theoatmeal.com/comics/apostrophe
Nothing wrong with that. A piece of paper in my wallet is reasonably secure, and I'll notice fairly quickly if it's missing. Especially if I use an algorithmic password.
Best Slashdot Co
This is the trouble with "single login" systems. Now there's a single point of failure.
Single login requires a trusted organization with a good reputation willing to contractually commit to paying for the damages if they screw up. But look who's in the business: Gawker. Facebook. Microsoft. Google. That's no good.
If anyone were to do this well, it might be Amazon. Amazon is not an advertising-supported business. They take orders, accept payments, and ship real products. As a major credit card merchant selling physical objects for which they pay real money, they constantly have people trying to steal merchandise from them. So their management has to understand the risks of authentication failures. Amazon has a powerful and well-respected distributed computer infrastructure, which tends to stay up despite problems. So they could probably implement a single login system that could be trusted.
Foolish and arrogant to badmouth 4chan, or any other potentially damaging organization, especially if you have an online commodity you wish to protect. Gawker shows itself to be no more mature than 4chan when it does.
Gwaker was hacked by another punk genius billionaire, who inadvertently invented something or rather and then called all gwakers F* this or F* that. The manner in which he accomplished this consisted of looking at an existing script kiddie's work and implementing it on gwaker. His genius comes from the fact that no one has ever hacked a gwaker before! the end.
I really liked yesterday where IO9 was making fun of their users for using sci-fi names for passwords.
You know from the data that was leaked from farking IO9 because their masters blew the security.
But they're "working on it." This from a company that has railed against Facebook and other sites for privacy violations. Here's an official Gawker response from a year and a half ago to give you an idea of their real attitude towards user privacy and account deletion:
Requesting purge of accounts
What a bunch of asshats.
Sent from my iPhone
...they would put their knowledge to use in a job. However, instead of creating, they'd rather destroy. And you can't even reliably hire them for that, as you couldn't depend on them to finish jobs.
I've started to use public keys with github and gitorious and I'm really impressed with the ease of use of that system. It would guard against this kind of problem and a password reset will never be required. The only issue is if my computer gets compromised but that vulnerability is pretty much the same as in a world where browsers store passwords for convenience. Public/private keys being in use in more situations can only be a good thing.
I have several passwords I use. Sites that require accounts for participation get one that I don't care if it gets out in the wild. No big loss. People posting as me is mildly amusing.
This isn't meant as an advert, but I use a password manager that works on all my devices (autofill on Win/Mac), and now ALL my passwords are at least decent. Mind you, I don't create 30char+ passphrases for anything but my most secure items, but, say a 12-14 character generated password with spaces or dashes and single syllable "words" like "boy oft-rong" is both memorable, not easily guessable, and long enough to avoid small-midsize rainbow tables.
I worry that even breaches of sites like slashdot can eventually reveal enough information about me that could lead to social engineering attacks or physical theft (ie, posting about my impending vacation while believing I'm anonymous)
There is a level of trust required, but I'd rather trust the maker of my password manager than some disreputable site like Gawker.
Make sure everyone's vote counts: Verified Voting
Yea, well it happened to the "customers" of those jerks, too.
I had a registered account on Gizmodo, mostly to write posts telling an author how full of shit they were, or to correct silicon/silicone errors, etc., but that's immaterial.
What is material is that I've been getting emails from hosts of hosts upon which I've used that same email address to register, telling me I need to change my password, even though my password is not the same from site to site.
Worse, in a fit of idiocy, battle.net decided that, since my battle.net account is identified with an email address that they found on the leaked Gawker database, that they'd go ahead and reset my password. Yes, unsolicited. Despite the facts that a) my password does not hash to the string associated with the address in the database, b) I have an authenticator attached to the account, and c) it's not their fucking business to reset my password without asking first.
So what happened next? After getting the email from battle.net, I went to their account management page, and entered a new password -- and am then unable to login using those credentials. They broke my access for 36 hours. For no valid reason.
If I had actually held a desire to play during that time, I'd have been royally pissed. As it is, I'm just royally irritated at their stupidity, and at the subsequent neutronium density of their CS group to be completely unable to parse my simple request: "your password reset broke my login, please fix it," and instead treated me as if I had reported my account hacked. So now my WoW account is locked down while they review whatever they think they need to review.
Mass idiocy all around, yes, but precipitated by the arrogant idiocy of Gawker.
And of course, just for safety, I've had to go and change accounts everywhere to be registered with a new email address - or where not possible, rotate passwords... which I usually do, but not all at fucking once. I spent three hours last night going over my list of accounts and passwords and updating everything, including my home network, which caused things to break for other family members who are now calling me with "I can't use the web; I can't get to pokemon.com; why isn't Miro working?" etc.
So, long screed made short: The pain, there's more than enough to go around, even for the undeserving.
Or, in the now immortal, um... expression, of an anonymous /b/tard: Fuuuuuuuuuuuuuu...!!
I can see the fnords!
The problem isn't that Gawker got hacked, although that's bad enough (serious loss of geek cred there, kiddies). The real issue is Gawker's slow and ineffectual reaction to it. Why did we hear about the hack on Slashdot before we heard about it from Gawker? And has Gawker taken any real responsibility for the incident? Have they even apologized?
Well. At least you weren't on Fleshbot...
They have "disenfranchised their users" and caused a big "breach in trust that may well be impossible to regain"?? Really?
I thought the hacked sites were all glorified blog sites. I had a gizmodo username and I just don't care if someone hacked it. I changed my password when I heard about the hack, but really, it's not like they stole my credit card, or for that matter, not even any true identifying data about myself. The email address was the same email address I give out to all such sites that exists just so I can receive the registration verification emails.
Did some people have something of real value stolen? I have had my credit card number stolen (Thanks Nashbar!) and that was more of a pain, I had to get a new card and move some recurring payments to the new card. But I really find it hard to get worked up about someone stealing my gizmodo identity.
Actually XKCD predicted this only a few months back:
http://www.xkcd.com/792/
I understand your pain. I didn't even realize an email of mine was in the Gawker database until I got an email from them advising me that my email password might have been compromised. It turned out I did register for LifeHacker a long time before it got bought out by Gawker. I couldn't even remember the password I used for that account so just to be safe changed all the passwords I had on various sites. Took me almost half a day to complete... what a pain in the rear.
Using the DB of passwords as a dictionary, I do not think any password system is still secure!
Totally agree, they get hacked and suddenly sites I did not think had anything to do with gawker media or the sites mentioned in the article are demanding that I change my passwords. I chose my passwords because they meant something to me I could remember, so I would not have to consult the password TOME I would require so I can log into some stupid site I forgot the password for. Many dozens of times I find I am not able to log into sites because of so called incorrect log in info, and I go consult the stupid database only to find that my info is correct, and they are wrong. In view of this, I think gawker media has been hacked probably a number of times, but this is either the first time they noticed, or the first time someone said something about it so the public finds out. I'm so pissed at all this that I almost wish I had a gawker account so I could ask for it to be deleted!
www.Migrainesoft.com - Computer giving you a headache? We can fix that!
it's not their fucking business to reset my password without asking first.
Actually it.. it is their business. You're a customer. They provide the service. Their TOS pretty much give them carte blanche. And changing your password is much cheaper for them than having to deal with your support call if the account were compromised. Yes it's a bit retarded that you have a token and they still require a password change but to be honest if it were me, I'd do the same thing because to put it bluntly: shifting costs onto consumers is better than carrying them as a business if you can. Sucks but that's life.
"Hey, I don't believe that any system is totally secure." -Lightman
As it is, I'm just royally irritated at their stupidity, and at the subsequent neutronium density of their CS group to be completely unable to parse my simple request: "your password reset broke my login, please fix it,"
Wow, if that's really all you said to them, no wonder it took a while. They had to go figure out whether you were part of one of their bulk resets (the Gawker reset isn't even the first bulk one this month for them, I bet) or whether you requested a reset using a form, and then it broke, etc. You could have explained what they did and what you did in response, instead of being a douchebag.
I received a similar email from Blizzard. Here it is:
We've received a request to reset the password for this Battle.net account. Please click this link to reset your password: (link omitted)
If you no longer wish to make the above change, or if you did not initiate this request, please disregard and/or delete this e-mail.
You didn't have to change it. They just thought they'd do the right thing and offer to help protect their customers before it was needed. An ounce of prevention and all that.
yeah.. just about every one of their publications happens to suck.
my only regret is not noticing that trend fast enough before registering as commenter, iirc the registration process had some frustration to it too - not to mention that almost all articles there give you that nagging feeling that you should comment to correct some obvious flaw in the logic of the article.
nowadays I just don't follow to sites I know to be from them.
world was created 5 seconds before this post as it is.
I was forced to change it. They reset it. I didn't.
I received two emails, the first was a notice that a reset request occurred:
We've received a request to reset the password for this Battle.net account. Please click this link to reset your password:
https://us.battle.net/account/support/password-reset-confirm.xml?ticket=OBFUSCATED
If you no longer wish to make the above change, or if you did not initiate this request, please disregard and/or delete this e-mail.
If you have any questions regarding your Battle.net account, click here for answers to frequently asked questions and contact information for the Blizzard Billing & Account Services team.
Sincerely,
The Battle.net Account Team
The second was this friendly notice, confirming that they decided to do this on their own:
Greetings!
We’ve recently been informed that several Gawker Media websites have been compromised. These websites include Gawker, Gizmodo, Kotaku, Lifehacker, Jezebel, io9, Jalopnik, Deadspin, and Fleshbot. To help minimize the effects of this compromise and help keep your Battle.net account safe and secure, we’ve reset your account password. To complete the password reset, please log into Battle.net Account Management (https://us.battle.net/account/management) and follow the provided instructions.
If you are a registered commenter for any of these sites and used your Battle.net email address to sign up with Gawker Media, we also recommend that you update your Battle.net address as soon as possible via Account Management. If you are unable to complete this step or the password reset on your own and believe your account may be compromised, please contact our customer support staff by using the Account Recovery form (https://us.battle.net/account/support/account-recovery.html) and be sure to check out our Account Security Awareness guide (http://us.battle.net/en/security/) for additional security tips and suggestions.
For more information about this situation, please visit Gawker Media’s official announcement (http://gawker.com/5713056/gawker-security-breach-were-here-to-help) or Lifehacker’s comprehensive FAQ (http://lifehacker.com/5712785/faq-compromised-commenting-accounts-on-gawker-media).
Regards,
Blizzard Entertainment
So I navigated to battle.net using a trusted means, and completed the password reset. This appeared to work; I received no error notices. But when I attempted to actually log in to my battle.net account, I got a LOGIN FAILED result every time.
It was NOT necessary, or polite, or even really their business to do this without asking first. Especially when they can easily determine that I am using an authenticator.
I've been dealing with Blizzard customer service for 12 years, now, and they've continuously grown worse and worse and worse. About the time Wrath came out, it was pretty clear that their 'A' team had left for greener pastures/advanced projects and the 'B' team remained behind for the customers to deal with.
My latest correspondence with them over this issue was the worst yet. If the interaction I had with this 'person' that I dealt with was any indication, then he couldn't even pass a Turing test. Even the words "PLEASE ELEVATE" just got me another canned response to perform a password reset.
I swear, I was dealing with a script, and a half-assed one at that.
At some point, sometime between 36 and 48 hours later, someone behind the scenes untangled the mess that had been created, and the login began working again.
I suspect it was a "nested reset" condition. Blizzard initiated a reset, and sent me a link to complete the reset. But being a good phish-proof customer, I ignored the link and used a trusted bookmark to navigate to battle.net, and initiated another reset, without completing the first one. They should have anticipated this, though, because they've been telling us for years "do not follow links in emails to pages that request your password."
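The "nested reset" condition speculated about in the comment above, modelled as an added example: this is not Blizzard's or Gawker's code and makes no claim about how battle.net actually behaved. A naive reset service that keeps every issued ticket live and keeps the account locked until all of them are retired sits beside a hardened one in which a new request supersedes the old ticket, tickets are single-use and expire, and completing any valid ticket clears the lock. The account, the token format, the lock-on-request policy and the hashing details are constructed for the demo.

```python
"""Two outstanding password-reset tickets for one account: a naive service
that locks the user out, and a hardened one that does not. Hypothetical model,
not the code of any site named in this thread."""
import hashlib
import hmac
import os
import secrets
import time


def hash_pw(password: str, salt: bytes) -> str:
    # Salted SHA-256 keeps the demo short; use bcrypt/PBKDF2 in real storage.
    return hashlib.sha256(salt + password.encode()).hexdigest()


class Account:
    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.pw_hash = hash_pw(password, self.salt)
        self.locked_pending_reset = False   # assumption: login is refused while a reset is open
        self.reset_tokens: dict = {}        # token -> expiry (unix time)


class NaiveResetService:
    """Every request adds another live ticket; completing one retires only
    itself, and the lock stays while any other ticket is still open. One
    hypothetical way to produce the symptom described above."""

    def request_reset(self, acct: Account, ttl: int = 3600) -> str:
        token = secrets.token_urlsafe(32)
        acct.reset_tokens[token] = time.time() + ttl
        acct.locked_pending_reset = True
        return token

    def complete_reset(self, acct: Account, token: str, new_password: str) -> bool:
        if token not in acct.reset_tokens:
            return False
        del acct.reset_tokens[token]
        acct.salt = os.urandom(16)
        acct.pw_hash = hash_pw(new_password, acct.salt)
        if not acct.reset_tokens:           # bug: another open ticket keeps the lock on
            acct.locked_pending_reset = False
        return True


class ResetService:
    """Hardened: one live ticket per account, a new request supersedes the old
    one, tickets are single-use and expire, and any successful completion
    clears all reset state so the new password works immediately."""

    def request_reset(self, acct: Account, ttl: int = 3600) -> str:
        token = secrets.token_urlsafe(32)
        acct.reset_tokens = {token: time.time() + ttl}   # supersedes earlier tickets
        acct.locked_pending_reset = True
        return token

    def complete_reset(self, acct: Account, token: str, new_password: str) -> bool:
        expiry = acct.reset_tokens.get(token)
        if expiry is None or expiry < time.time():
            return False                    # stale, unknown or expired: refuse, change nothing
        acct.reset_tokens.clear()           # single use; nothing else left outstanding
        acct.locked_pending_reset = False
        acct.salt = os.urandom(16)
        acct.pw_hash = hash_pw(new_password, acct.salt)
        return True


def login(acct: Account, password: str) -> bool:
    if acct.locked_pending_reset:
        return False
    return hmac.compare_digest(acct.pw_hash, hash_pw(password, acct.salt))


def nested_reset(service_cls) -> bool:
    """Operator issues a bulk reset; the user ignores the emailed link, starts
    their own reset from a bookmark, completes it, then tries to log in."""
    acct = Account("old-password")
    svc = service_cls()
    svc.request_reset(acct)                          # operator-initiated ticket, link never used
    mine = svc.request_reset(acct)                   # user-initiated ticket
    svc.complete_reset(acct, mine, "new-password")   # reports success in both services
    return login(acct, "new-password")


if __name__ == "__main__":
    print("naive service, login after reset:   ", nested_reset(NaiveResetService))
    print("hardened service, login after reset:", nested_reset(ResetService))
```

The check worth keeping from this is the last one in `nested_reset`: after any reset flow reports success, the account must accept the new password, and a ticket that has been superseded or already used must be refused with an explicit error rather than silently accepted.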
gawker lost all credibility with me when they blamed easyDNS for pulling the plug on Wikileaks (actual culprit was everyDNS). Shit happens, it's an easily made typo. My problem is when they basically told the easyDNS owner that they would edit the original press release without acknowledging that any edit had been made, let alone apologize. They basically told easyDNS to fuck off and quit whining after gawker's error almost got easyDNS DDOS'd into oblivion. Even the National Enquirer has more spine (at least when they admit fault)
When all of your wishes have been granted, many of your dreams will be destroyed - Marilyn Manson