Learning From Gawker's Failure
Gunkerty Jeb writes "The Gawker hack has completely disenfranchised their users, not to mention the breach in trust that may well be impossible to regain. Users are demanding that they be allowed to delete their accounts immediately, and beyond implementing such a mechanism, it is likely that Gawker systems will have to be rebuilt from the ground up to avoid future hacks. So, what is to be learned from this perfect storm of bluster and bravado?"
Nice use of the apostrophe on a plural form.
How about a detailed description of how the hack was performed? What hole was breached? That would be the first place to begin "learning".
Until that's published there's really nothing to study.
I left Jalopnik over two years ago. It had very poor editorial control, and displayed the vast chasm between reputable automotive journalism in mags like Car & Driver and Road & Track and the interwebz. It had become Ray Wert's bully pulpit, and the commentariat IQ over there dropped down to double digits pretty quickly.
IO9 and others really were not much better. And the problem really came down to not being able to drown out the idiots. I attribute Slashdot's long term success to the mod system and the whole way it handles contributions. It works. And the Gawker crap blog engine was badly coded; anybody who used it could see that. So it isn't a shock that it got 0wn3d. An amateur blog engine should be a sign of overall poor design and security.
The big lesson here is not that you should never get breached, or that you should use some super-secure password, or that you should use a different password on every site (you should).
No, the real lesson is that passwords themselves are faulty. No one is going to select and memorize a strong password for every website they use. They're going to either re-use passwords, or choose weak passwords, or write their passwords down (or use a password manager).
None of these are good answers. The expectation is that users are going to choose strong passwords, that they will never re-use passwords, that hashes (even with salt) are an effective way to protect passwords, and that users will never be tricked into revealing their password.
It's bullshit. It's always been bullshit. Users aren't careful with passwords, and why would we expect them to be - 99.9% of the time they get away with it. Humans are bad at evaluating the risk of things that are low frequency but high impact.
The other thing that's bullshit is password reset. It doesn't make any sense: how can someone who forgot their password remember "security questions" that are actually secure? No, 99 times out of 100 these systems use some crap like "Where were you born", which is pretty damn trivial to find out for any attacker. My brokerage account has a secure password that I only use there, but resetting the password requires only my username, SSN, ZIP code, and last name. And there are far, far more people who know that stuff than people who know my password.
It's time to get serious about replacing passwords. That's the lesson here.
Like that 6-year-old X server bug? Let's be honest here, folks: the whole "lots of eyes makes bugs shallow" bit is a case of magical thinking, no different than "we have XYZ which makes us secure" (insert complex password, firewall, particular OS for XYZ).
The reason the whole "bugs & eyes" bit is magical thinking is because everyone assumes someone else is checking it and because the vast majority are simply unqualified to know a vulnerability even if they were staring at the code. Bugs today are usually in the form of buffer overflows or privilege escalation, which depend on complex interactions failing in one manner or another for them to work. Unless you know and understand all the ways a particular piece of code is gonna interact you can stare at it until the cows come home and not find the bugs.
I figured the six-year-old X server bug would have finally laid this bit of magical thinking to rest; apparently not. Can't we just agree that real security comes from a best-practices, top-to-bottom, least-privilege design and execution, and not from "Oh, I'm sure someone with leet skillz is checking all the boring bits for me to ensure my safety"?
ACs don't waste your time replying, your posts are never seen by me.