Slashdot Mirror

← Back to Stories (view on slashdot.org)

Learning From Gawker's Failure

Posted by CmdrTaco on from the i-see-what-you-did-there dept.

Gunkerty Jeb writes "The Gawker hack has completely disenfranchised their users, not to mention the breach in trust that may well be impossible to regain. Users are demanding that they be allowed to delete their accounts immediately, and beyond implementing such a mechanism, it is likely that Gawker systems will have to be rebuilt from the ground up to avoid future hacks. So, what is to be learned from this perfect storm of bluster and bravado?"

5 of 236 comments (clear)

  1. Re:Description of hack? by gklinger · · Score: 5, Interesting

    While it leaves many (mostly technical) questions unanswered, I found the this article to be an interesting and informative description of what happened.

  2. Why did they even need passwords? by scrotch · · Score: 3, Interesting

    What I'm left wondering is why someone should need a username and password to comment on a blog post on their sites. Do they have a reputation system? Does it really prevent spam? Or is it just to gather a list of email addresses that they might sell later? There must be a better way to accomplish the little functionality that their login requirement provides. Especially now that they have to deal with the fact that their login system was not secure.

  3. Re:Passwords are a failure by bl4nk · · Score: 4, Interesting

    The "security questions" weakness is exactly how Sarah Palin's email account was broken into.

    If they're not required for logging in I always fill the security question answers with a long string of random characters, effectively making them unusable for password recovery.

  4. Re:I know what I learned by Archangel+Michael · · Score: 3, Interesting

    I have several passwords I use. Sites that require accounts for participation get one that I don't care if it gets out in the wild. No big loss. People posting as me is mildly amusing.

    I have another password for systems I'm in charge of, that function like those I participate in in the first example. It would suck if that got out. Those systems are few, and you'd have to personally know me to know what they were.

    I have secure passwords for each of the highly sensitive accounts (banks and such) that are not shared between accounts. IF one of those gets out, I'm screwed for that one institution, but nowhere else.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  5. Re:Gawker? Scadenfreude Central Hoist on own Petar by bughunter · · Score: 4, Interesting

    Yea, well it happened to the "customers" of those jerks, too.

    I had a registered account on Gizmodo, mostly to write posts telling an author how full of shit they were, or to correct silicon/silicone errors, etc., but that's immaterial.

    What is material is that I've been getting emails from hosts of hosts upon which I've used that same email address to register, telling me I need to change my password, even though my password is not the same from site to site.

    Worse, in a fit of idiocy, battle.net decided that, since my battle.net account is identified with an email address that they found on the leaked Gawker database, that they'd go ahead and reset my password. Yes, unsolicited. Despite the facts that a) my password does not hash to the string associated with the address in the database, b) I have an authenticator attached to the account, and c) it's not their fucking business to reset my password without asking first.

    So what happened next? After getting the email from battle.net, I went to their account management page, and entered a new password -- and am then unable to login using those credentials. They broke my access for 36 hours. For no valid reason.

    If I had actually held a desire to play during that time, I'd have been royally pissed. As it is, I'm just royally irritated at their stupidity, and at the subsequent neutronium density of their CS group to be completely unable to parse my simple request: "your password reset broke my login, please fix it," and instead treated me as if I had reported my account hacked. So now my WoW account is locked down while they review whatever they think they need to review.

    Mass idiocy all around, yes, but precipitated by the arrogant idiocy of Gawker.

    And of course, just for safety, I've had to go and change accounts everywhere to be registered with a new email address - or where not possible, rotate passwords... which I usually do, but not all at fucking once. I spent three hours last night going over my list of accounts and passwords and updating everything, including my home network, which caused things to break for other family members who are now calling me with "I can't use the web; I can't get to pokemon.com; why isn't Miro working?" etc.

    So, long screed made short: The pain, there's more than enough to go around, even for the undeserving.

    Or, in the the now immortal, um... expression, of an anonymous /b/tard: Fuuuuuuuuuuuuuu...!!

    --
    I can see the fnords!