Slashdot Mirror

← Back to Stories (view on slashdot.org)

Learning From Gawker's Failure

Posted by CmdrTaco on from the i-see-what-you-did-there dept.

Gunkerty Jeb writes "The Gawker hack has completely disenfranchised their users, not to mention the breach in trust that may well be impossible to regain. Users are demanding that they be allowed to delete their accounts immediately, and beyond implementing such a mechanism, it is likely that Gawker systems will have to be rebuilt from the ground up to avoid future hacks. So, what is to be learned from this perfect storm of bluster and bravado?"

3 of 236 comments (clear)

  1. Description of hack? by DJ+Jones · · Score: 4, Insightful

    How about a detailed description of how the hack was performed? What hole was breached? That would be the first place to begin "learning".

    Until that's published there's really nothing to study.

  2. Jalopnik sucked anyhow... by GPLDAN · · Score: 4, Insightful

    I left Jalopnik over two years ago. It had very poor editorial control, and displayed the vast chasm between reputable automotive journalism in mags like Car & Driver and Road & Track and the interwebz. It had become Ray Wert's bully pulpit, and the commentariat IQ over there dropped down to double digits pretty quickly.


    IO9 and others really were not much better. And the problem really came down to not being able to drown out the idiots. I attribute Slashdot's long term success to the mod system and the whole way it handles contributions. It works. And the Gawker crap blog engine was badly coded, anybody who used it could see that. So it isn't a shock that it got 0wn3d. Amateur blog engine should be a sign of overall poor design and security.

  3. Passwords are a failure by RzUpAnmsCwrds · · Score: 4, Insightful

    The big lesson here is not that you should never get breached, or that you should use some super-secure password, or that you should use a different password on every site (you should).

    No, the real lesson is that passwords themselves are faulty. No one is going to select and memorize a strong password for every website they use. They're going to either re-use passwords, or choose weak passwords, or write their passwords down (or use a password manager).

    None of these are good answers. The expectation is that users are going to choose strong passwords, that they will never re-use passwords, that hashes (even with salt) are an effective way to protect passwords, and that users will never be tricked into revealing their password.

    It's bullshit. It's always been bullshit. Users aren't careful with passwords, and why would we expect them to be - 99.9% of the time they get away with it. Humans are bad at evaluating the risk of things that are low frequency but high impact.

    The other thing that's bullshit is password reset. It doesn't make any sense: how can someone who forgot their password remember "security questions" that are actually secure. No, 99 times out of 100 these systems use some crap like "Where were you born", which is pretty damn trivial to find out for any attacker. My brokerage account has a secure password that I only use there, but resetting the password requires only my username, SSN, ZIP code, and last name. And there are far, far more people who know that stuff than people who know my password.

    It's time to get serious about replacing passwords. That's the lesson here.