Learning From Gawker's Failure
Gunkerty Jeb writes "The Gawker hack has completely disenfranchised their users, not to mention the breach in trust that may well be impossible to regain. Users are demanding that they be allowed to delete their accounts immediately, and beyond implementing such a mechanism, it is likely that Gawker systems will have to be rebuilt from the ground up to avoid future hacks. So, what is to be learned from this perfect storm of bluster and bravado?"
Nice use of the apostrophe on a plural form.
One lesson that comes to mind is that you shouldn't refer to your website's participants as "peasants".
And from what I hear, there is no way these clueless, juvenile script kiddies could EVER hack Slashdot.
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
How about a detailed description of how the hack was performed? What hole was breached? That would be the first place to begin "learning".
Until that's published there's really nothing to study.
Thinking any password sacrosanct on this here interwebs is ridiculous. The self-satisfied Gawker-enthusiast is the very type of person who should know better.
I left Jalopnik over two years ago. It had very poor editorial control, and displayed the vast chasm between reputable automotive journalism in mags like Car & Driver and Road & Track and the interwebz. It had become Ray Wert's bully pulpit, and the commentariat IQ over there dropped down to double digits pretty quickly.
IO9 and others really were not much better. And the problem really came down to not being able to drown out the idiots. I attribute Slashdot's long term success to the mod system and the whole way it handles contributions. It works. And the Gawker crap blog engine was badly coded; anybody who used it could see that. So it isn't a shock that it got 0wn3d. An amateur blog engine should be a sign of overall poor design and security.
I learned to always use the password "123456". Herd immunity.
If Slashdot were chemistry it would look like this: Cadaverine
See title
The Gawker hack has completely disenfranchised their users
That's quite a hack, depriving users of their right to vote...
"In a 32-bit world, you're a 2-bit user. You've got your own newsgroup, alt.total.loser." -Weird Al
The big lesson here is not that you should never get breached, or that you should use some super-secure password, or that you should use a different password on every site (you should).
No, the real lesson is that passwords themselves are faulty. No one is going to select and memorize a strong password for every website they use. They're going to either re-use passwords, or choose weak passwords, or write their passwords down (or use a password manager).
None of these are good answers. The expectation is that users are going to choose strong passwords, that they will never re-use passwords, that hashes (even with salt) are an effective way to protect passwords, and that users will never be tricked into revealing their password.
It's bullshit. It's always been bullshit. Users aren't careful with passwords, and why would we expect them to be - 99.9% of the time they get away with it. Humans are bad at evaluating the risk of things that are low frequency but high impact.
The other thing that's bullshit is password reset. It doesn't make any sense: how can someone who forgot their password remember "security questions" that are actually secure. No, 99 times out of 100 these systems use some crap like "Where were you born", which is pretty damn trivial to find out for any attacker. My brokerage account has a secure password that I only use there, but resetting the password requires only my username, SSN, ZIP code, and last name. And there are far, far more people who know that stuff than people who know my password.
It's time to get serious about replacing passwords. That's the lesson here.
Their MO is "Kick 'em when they're up, kick 'em when they're down".
This hack couldn't have happened to a bigger bunch of self-involved, arrogant jerks. If there is a balance of justice in the universe, then it just inched another tiny notch towards equilibrium.
Really, the imperious attitude that is exhibited by the Gawker "editorial" stance is a smug and sarcastic condescension towards the foibles of others.
"Flyin' in just a sweet place,
Never been known to fail..."
Consider user's revised to users and disenfranchised revised to discouraged. I'll try to be less of an animal in the future.
What I'm left wondering is why someone should need a username and password to comment on a blog post on their sites. Do they have a reputation system? Does it really prevent spam? Or is it just to gather a list of email addresses that they might sell later? There must be a better way to accomplish the little functionality that their login requirement provides. Especially now that they have to deal with the fact that their login system was not secure.
Well, some of us were more fortunate there.
I was born in the quaint town of P5$+19"797q4. It's lovely in the spring. You should visit. My mother's maiden name was B192zve8p6; an ancient and distinguished family, if you must ask. My first pet was a cat named Ö8z~30+r.vd. We all loved her. And I went to ß8s8h,u:82 memorial school.
Strangely enough, nobody ever guesses those ;)
A polar bear is a cartesian bear after a coordinate transform.
Meh, I'd always used Facebook Connect to post comments to their sites. Probably the first mildly useful thing Facebook has done for me.
So at worst, I probably have my spam email address out there in that torrent. Big deal. It's posted all over the web already (including my personal contact page).
But really, if anyone was adversely impacted by this, was it Gawker's failure, or their own for trusting some random website with a sensitive password? I don't use my good passwords for any of these "social networking" sites.... I don't care WHAT their reputation or privacy policy says :P
It's not like CmdrTaco isn't free to break into my /. account and start OMG I LIKE TURTLES HAMSTER HAVOC RULEZ!
Salting addresses some attacks, but as CPU time becomes cheaper, it becomes increasingly feasible to brute-force even salted hashes. To address this issue, you need key strengthening as well.
Or, better yet, just use the system designed to store passwords: bcrypt.
*sigh* Then again, I'm confident that we'll see incompetent web application developers using unsalted MD5 for decades to come. People don't learn from others' mistakes it seems.
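The contrast the post draws between unsalted MD5 and a salted, stretched hash, as an added example that is not code from the original thread or from Gawker. It uses PBKDF2-HMAC-SHA256 from the Python standard library as the key-strengthening step (the post recommends bcrypt; the idea is the same, and the iteration count here is an assumption to be tuned per deployment). The password list and the attacker's lookup table are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample data for this example: a short list of common
# passwords and the attacker's precomputed table of their unsalted MD5s.
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty"]
RAINBOW_MD5 = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def unsalted_md5(password: str) -> str:
    """The scheme the thread warns about: no salt, one fast hash."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted(digest: str):
    """Reverse an unsalted digest by table lookup; the same digest also
    exposes every other user who chose that password."""
    return RAINBOW_MD5.get(digest)


# Assumption for this example: 200k iterations of PBKDF2-HMAC-SHA256.
# Tune this so one hash costs tens of milliseconds on your own servers.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, stretched hash. The random per-user salt defeats precomputed
    tables; the iteration count is the key strengthening the post asks for."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Self-describing record, so the iteration count can be raised later
    # without invalidating records written with the old cost.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash format: {algo}")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(dk.hex(), dk_hex)


def demo() -> dict:
    """Contrast the two schemes on the same leaked-style data."""
    leaked_unsalted = [unsalted_md5("123456"), unsalted_md5("123456")]
    leaked_stretched = [hash_password("123456"), hash_password("123456")]
    return {
        # identical digests: every "123456" user falls to one table lookup
        "unsalted_identical": leaked_unsalted[0] == leaked_unsalted[1],
        "unsalted_cracked": crack_unsalted(leaked_unsalted[0]),
        # different salts: the two records reveal nothing about each other
        "stretched_identical": leaked_stretched[0] == leaked_stretched[1],
        "stretched_verifies": verify_password("123456", leaked_stretched[0]),
        "stretched_rejects": verify_password("123457", leaked_stretched[0]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Salting alone only forces the attacker to attack each record separately; a fast hash still lets them try billions of guesses per second against a single salted record, which is why the iteration count (or bcrypt's cost factor, or scrypt/Argon2's memory cost) matters as much as the salt.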
They should toss out their own lousy system and switch to Wordpress with Disqus for commenting. They should switch to OpenID instead of passwords. They should at the very least hash passwords, not encrypt them.
Neither of which apply to the case in question.
Why, why, WHY would a site think its ok to store users' passwords in the first place?
http://theoatmeal.com/comics/apostrophe
Nothing wrong with that. A piece of paper in my wallet is reasonably secure, and I'll notice fairly quickly if it's missing. Especially if I use an algorithmic password.
This is the trouble with "single login" systems. Now there's a single point of failure.
Single login requires a trusted organization with a good reputation willing to contractually commit to paying for the damages if they screw up. But look who's in the business: Gawker. Facebook. Microsoft. Google. That's no good.
If anyone were to do this well, it might be Amazon. Amazon is not an advertising-supported business. They take orders, accept payments, and ship real products. As a major credit card merchant selling physical objects for which they pay real money, they constantly have people trying to steal merchandise from them. So their management has to understand the risks of authentication failures. Amazon has a powerful and well-respected distributed computer infrastructure, which tends to stay up despite problems. So they could probably implement a single login system that could be trusted.
Foolish and arrogant to badmouth 4chan, or any other potentially damaging organization, especially if you have an online commodity you wish to protect. Gawker shows itself to be no more mature than 4chan when it does.
I really liked yesterday where IO9 was making fun of their users for using sci-fi names for passwords.
You know from the data that was leaked from farking IO9 because their masters blew the security.
Mmmmmmm... unsalted passwords.
This is the NSA, we're gonna geet U h@x0r5! Also, what is a h@x0r5?
I think of it as more like dancing in a rattlesnake pit. It's a funny dance, but it does not last very long.
I also like to say my scripts are as awesome as a unicorn that shits out Milk Duds.
Analogies are fun, aren't they!
But they're "working on it." This from a company that has railed against Facebook and other sites for privacy violations. Here's an official Gawker response from a year and a half ago to give you an idea of their real attitude towards user privacy and account deletion:
Requesting purge of accounts
What a bunch of asshats.
Epic fail.
His, hers, its. Those aren't true possessives and don't take apostrophes. Bob's, Sally's, and the computer's are and do.
Free Martian Whores!
Pretty sure they are possessive adjectives. What isn't "true" about them?
Mod points: Guaranteed to remove your sense of humor.
Side effects may include gullibility and temporary retardation
Steve's ball.
Dog's ball.
It's ball.
The problem with grammar nazi attempts to correct people's apostrophe abuse is that hardly anyone explains why "the ball belonging to it" isn't contracted as "the ball belonging to Steve".
If Gawker had any sense, they'd hire professional programmers to design their system instead of letting it grow organically from what the "programming guy" originally came up with. Their comment system is THE WORST ever implemented.
by Mike Buddha -- Someday the mountain might get him, but the law never will.
Think of "its" as the gender neutral version of "his" and "hers" and everything just magically falls into place.
You wouldn't use "hi's ball" to mean "the ball belonging to him", so you shouldn't use "it's ball" either.
At least I hope to god you wouldn't use "hi's ball".
The Old English genitive is -es; an "e" is what the apostrophe in the possessive form represents. The possessive pronouns "his", "hers", and "its" lost this "e" before the contraction became common-place.
Bio questions? Ask me to start a Q&A journal. Computer analogies available for most topics!
I have several passwords I use. Sites that require accounts for participation get one that I don't care if it gets out in the wild. No big loss. People posting as me is mildly amusing.
This isn't meant as an advert, but I use a password manager that works on all my devices (autofill on Win/Mac), and now ALL my passwords are at least decent. Mind you, I don't create 30char+ passphrases for anything but my most secure items, but, say a 12-14 character generated password with spaces or dashes and single syllable "words" like "boy oft-rong" is both memorable, not easily guessable, and long enough to avoid small-midsize rainbow tables.
I worry that even breaches of sites like slashdot can eventually reveal enough information about me that could lead to social engineering attacks or physical theft (ie, posting about my impending vacation while believing I'm anonymous)
There is a level of trust required, but I'd rather trust the maker of my password manager than some disreputable site like Gawker.
Make sure everyone's vote counts: Verified Voting
No, "its ball" is not equivalent to "dog's ball".
The ball belonging to Steve is his ball. The ball belonging to Sally is her ball. The ball belonging to Dog is its ball.
The ball belonging to Steve is Steve's ball. The ball belonging to Sally is Sally's ball. The ball belonging to Dog is Dog's ball.
Yea, well it happened to the "customers" of those jerks, too.
I had a registered account on Gizmodo, mostly to write posts telling an author how full of shit they were, or to correct silicon/silicone errors, etc., but that's immaterial.
What is material is that I've been getting emails from hosts of hosts upon which I've used that same email address to register, telling me I need to change my password, even though my password is not the same from site to site.
Worse, in a fit of idiocy, battle.net decided that, since my battle.net account is identified with an email address that they found on the leaked Gawker database, that they'd go ahead and reset my password. Yes, unsolicited. Despite the facts that a) my password does not hash to the string associated with the address in the database, b) I have an authenticator attached to the account, and c) it's not their fucking business to reset my password without asking first.
So what happened next? After getting the email from battle.net, I went to their account management page, and entered a new password -- and am then unable to login using those credentials. They broke my access for 36 hours. For no valid reason.
If I had actually held a desire to play during that time, I'd have been royally pissed. As it is, I'm just royally irritated at their stupidity, and at the subsequent neutronium density of their CS group to be completely unable to parse my simple request: "your password reset broke my login, please fix it," and instead treated me as if I had reported my account hacked. So now my WoW account is locked down while they review whatever they think they need to review.
Mass idiocy all around, yes, but precipitated by the arrogant idiocy of Gawker.
And of course, just for safety, I've had to go and change accounts everywhere to be registered with a new email address - or where not possible, rotate passwords... which I usually do, but not all at fucking once. I spent three hours last night going over my list of accounts and passwords and updating everything, including my home network, which caused things to break for other family members who are now calling me with "I can't use the web; I can't get to pokemon.com; why isn't Miro working?" etc.
So, long screed made short: The pain, there's more than enough to go around, even for the undeserving.
Or, in the the now immortal, um... expression, of an anonymous /b/tard: Fuuuuuuuuuuuuuu...!!
I can see the fnords!
The problem isn't that Gawker got hacked, although that's bad enough (serious loss of geek cred there, kiddies). The real issue is Gawker's slow and ineffectual reaction to it. Why did we hear about the hack on Slashdot before we heard about it from Gawker? And has Gawker taken any real responsibility for the incident? Have they even apologized?
Well. At least you weren't on Fleshbot...
Not a thing. Despite the implications of replying, my post didn't attempt to defend such a strange idea.
Sorry, didn't read your reply well, so I find that I was addressing a straw man. But it seems the point stands: They are still true possessives, contra mcgrew who appears to have been taking issue with Scalawag's calling them possessives.
Apologies.
I think it comes down to most people not giving a rat's ass about the King's English when posting anything online, because English is a very flexible language that can be correctly interpreted even when it's horribly mangled. Writing perfect English is something most people have realized turns out to be mostly a waste of time in terms of how much meaning one gets across. Plus it gives all the lemon suckers something to bitch about.
Degaussing scares the bad magnetism out of the monitor and fills it with good karma.
You still haven't explained why the ball "belonging to dog" is written "dog's ball" but the ball "belonging to it" isn't written "it's ball".
This thread is full of dog's balls!
...the future crusty old bastards are already drinking the Kool-Aid.
They have "disenfranchised their users" and caused a big "breach in trust that may well be impossible to regain"?? Really?
I thought the hacked sites were all glorified blog sites. I had a Gizmodo username and I just don't care if someone hacked it. I changed my password when I heard about the hack, but really, it's not like they stole my credit card, or for that matter, any true identifying data about myself. The email address was the same email address I give out to all such sites, one that exists just so I can receive the registration verification emails.
Did some people have something of real value stolen? I have had my credit card number stolen (Thanks Nashbar!) and that was more of a pain, I had to get a new card and move some recurring payments to the new card. But I really find it hard to get worked up about someone stealing my gizmodo identity.
With https://certifi.ca/ you can use public key authentication for OpenID enabled websites.
Actually XKCD predicted this only a few months back:
http://www.xkcd.com/792/
I understand your pain. I didn't even realize an email of mine was in the Gawker database until I got an email from them advising me that my email password might have been compromised. It turned out I did register for LifeHacker a long time before it got bought out by Gawker. I couldn't even remember the password I used for that account, so just to be safe I changed all the passwords I had on various sites. Took me almost half a day to complete... what a pain in the rear.
Using the DB of passwords as a dictionary, I do not think any password system is still secure!
Totally agree. They get hacked and suddenly sites I did not think had anything to do with Gawker Media or the sites mentioned in the article are demanding that I change my passwords. I chose my passwords because they meant something to me I could remember, so I would not have to consult the password TOME I would require so I can log into some stupid site I forgot the password for. Many dozens of times I find I am not able to log into sites because of so-called incorrect login info, and I go consult the stupid database only to find that my info is correct, and they are wrong. In view of this, I think Gawker Media has been hacked probably a number of times, but this is either the first time they noticed, or the first time someone said something about it so the public finds out. I'm so pissed at all this that I almost wish I had a Gawker account so I could ask for it to be deleted!
www.Migrainesoft.com - Computer giving you a headache? We can fix that!
"You still haven't explained why the ball "belonging to dog" is written "dog's ball" but the ball "belonging to it" isn't written "it's ball"."
Yeah, yeah, whatever...
Now for the really interesting question: Who's on first?
I received a similar email from Blizzard. Here it is:
We've received a request to reset the password for this Battle.net account. Please click this link to reset your password: (link omitted)
If you no longer wish to make the above change, or if you did not initiate this request, please disregard and/or delete this e-mail.
You didn't have to change it. They just thought they'd do the right thing and offer to help protect their customers before it was needed. An ounce of prevention and all that.
Yeah... just about every one of their publications happens to suck.
My only regret is not noticing that trend fast enough before registering as a commenter. IIRC the registration process had some frustration to it too, not to mention that almost all articles there give you that nagging feeling that you should comment to correct some obvious flaw in the logic of the article.
Nowadays I just don't follow links to sites I know to be from them.
world was created 5 seconds before this post as it is.
Written language can convey meaning more precisely than the spoken word, but only if it's used correctly. One would assume a nerd site's denizens would not only be literate, but would have read a lot of books.
An example of the ambiguity of the spoken word is a radio commercial for a sex toy shop here in Springfield, Pricilla's. The tag line is "Where fun and fantasy meet." It occurred to me that they may in fact be saying "We're fun and fantasy meat".
Another example is in my sig.
If "the ball belonging to it" was "it's ball", then "the ball belonging to him is hi's ball".
I don't understand why some can't seem to understand this -- it's dirt simple.
Yes.
The nominative form of "dog" is "dog". The nominative form of "it" is "it". For regular nouns we form possessive from the nominative by adding "'s". It is therefore logical to expect that "it's dog" means "the dog belonging to it".
Your explanation doesn't really reveal any understanding. "His" is already not nominative, thus irrelevant to the argument.
The correct explanation is that personal pronouns have a different genitive/possessive form to regular nouns. "Its" is an exception to a rule; naive grammarians tend not to grasp this, making it difficult for them to explain why it's "its", not "it's". Tits.
I was forced to change it. They reset it. I didn't.
I received two emails; the first was a notice that a reset request occurred:
We've received a request to reset the password for this Battle.net account. Please click this link to reset your password:
https://us.battle.net/account/support/password-reset-confirm.xml?ticket=OBFUSCATED
If you no longer wish to make the above change, or if you did not initiate this request, please disregard and/or delete this e-mail.
If you have any questions regarding your Battle.net account, click here for answers to frequently asked questions and contact information for the Blizzard Billing & Account Services team.
Sincerely,
The Battle.net Account Team
The second was this friendly notice, confirming that they decided to do this on their own:
Greetings!
We’ve recently been informed that several Gawker Media websites have been compromised. These websites include Gawker, Gizmodo, Kotaku, Lifehacker, Jezebel, io9, Jalopnik, Deadspin, and Fleshbot. To help minimize the effects of this compromise and help keep your Battle.net account safe and secure, we’ve reset your account password. To complete the password reset, please log into Battle.net Account Management (https://us.battle.net/account/management) and follow the provided instructions.
If you are a registered commenter for any of these sites and used your Battle.net email address to sign up with Gawker Media, we also recommend that you update your Battle.net address as soon as possible via Account Management. If you are unable to complete this step or the password reset on your own and believe your account may be compromised, please contact our customer support staff by using the Account Recovery form (https://us.battle.net/account/support/account-recovery.html) and be sure to check out our Account Security Awareness guide (http://us.battle.net/en/security/) for additional security tips and suggestions.
For more information about this situation, please visit Gawker Media’s official announcement (http://gawker.com/5713056/gawker-security-breach-were-here-to-help) or Lifehacker’s comprehensive FAQ (http://lifehacker.com/5712785/faq-compromised-commenting-accounts-on-gawker-media).
Regards,
Blizzard Entertainment
So I navigated to battle.net using a trusted means, and completed the password reset. This appeared to work; I received no error notices. But when I attempted to actually log in to my battle.net account, I got a LOGIN FAILED result every time.
It was NOT necessary, or polite, or even really their business to do this without asking first . Especially when they can easily determine that I am using an authenticator.
I've been dealing with Blizzard customer service for 12 years, now, and they've continuously grown worse and worse and worse. About the time Wrath came out, it was pretty clear that their 'A' team had left for greener pastures/advanced projects and the 'B' team remained behind for the customers to deal with.
My latest correspondence with them over this issue was the worst yet. If the interaction I had with this 'person' that I dealt with was any indication, then he couldn't even pass a Turing test. Even the words "PLEASE ELEVATE" just got me another canned response to perform a password reset.
I swear, i was dealing with a script, and a half-assed one at that.
At some point, sometime between 36 and 48 hours later, someone behind the scenes untangled the mess that had been created, and the login began working again.
I suspect it was a "nested reset" condition. Blizzard initiated a reset, and sent me a link to complete the reset. But being a good phish-proof customer, I ignored the link and used a trusted bookmark to navigate to battle.net, and initiated another reset, without completing the first one. They should have anticipated this, though, because they've been telling us for years "do not follow links in emails to pages that request your password."
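The "nested reset" the post above describes, as an added example that is not part of the original thread and not Blizzard's or Gawker's code: a minimal reset-token store in Python in which each new request supersedes the previous token, tokens are single-use and stored only as hashes, and the existing password stays valid until a reset actually completes. The account name, token lifetime, and PBKDF2 iteration count are assumptions made for this example.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Optional

TOKEN_TTL_SECONDS = 3600  # assumption: a reset link lives for one hour


@dataclass
class Account:
    email: str
    password_hash: str
    pending_reset: Optional[str] = None  # sha256 of the one live token, or None
    reset_expires: float = 0.0


def _hash_password(password: str) -> str:
    salt = os.urandom(16)  # iteration count below is an assumption
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + dk.hex()


def _check_password(password: str, stored: str) -> bool:
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 100_000)
    return hmac.compare_digest(dk.hex(), dk_hex)


def _hash_token(token: str) -> str:
    # Only the hash is stored: a leaked user table must not hand out live reset links.
    return hashlib.sha256(token.encode()).hexdigest()


def create_account(store: dict, email: str, password: str) -> Account:
    store[email] = Account(email=email, password_hash=_hash_password(password))
    return store[email]


def request_reset(store: dict, email: str) -> str:
    """Issue a reset token. A newer request supersedes any older one, so a
    user who ignores the mailed link and starts over is never left stuck."""
    acct = store[email]
    token = secrets.token_urlsafe(32)
    acct.pending_reset = _hash_token(token)
    acct.reset_expires = time.time() + TOKEN_TTL_SECONDS
    return token  # this value goes into the e-mailed link, nowhere else


def complete_reset(store: dict, email: str, token: str, new_password: str) -> bool:
    acct = store[email]
    if acct.pending_reset is None or time.time() > acct.reset_expires:
        return False
    if not hmac.compare_digest(_hash_token(token), acct.pending_reset):
        return False
    acct.password_hash = _hash_password(new_password)
    acct.pending_reset = None  # single use: nothing is left pending afterwards
    acct.reset_expires = 0.0
    return True


def login(store: dict, email: str, password: str) -> bool:
    acct = store.get(email)
    return acct is not None and _check_password(password, acct.password_hash)


def nested_reset_scenario() -> dict:
    """Provider forces a reset; the user ignores that link and requests a
    fresh one from a trusted bookmark; the second must win, the first must die."""
    store: dict = {}
    create_account(store, "user@example.com", "old-pass")  # constructed sample account
    forced = request_reset(store, "user@example.com")        # provider-initiated reset
    mine = request_reset(store, "user@example.com")          # user-initiated reset
    return {
        "old_still_works": login(store, "user@example.com", "old-pass"),
        "forced_link_rejected": complete_reset(store, "user@example.com", forced, "x"),
        "second_link_accepted": complete_reset(store, "user@example.com", mine, "new-pass"),
        "new_password_logs_in": login(store, "user@example.com", "new-pass"),
        "old_password_dead": login(store, "user@example.com", "old-pass"),
        "token_replay_rejected": complete_reset(store, "user@example.com", mine, "again"),
    }


if __name__ == "__main__":
    for key, value in nested_reset_scenario().items():
        print(f"{key}: {value}")
```

The design choice worth noting is that issuing a reset does not by itself invalidate the current password, so a provider-initiated reset cannot lock a user out the way the post describes; if an account is actually believed compromised, the old credential and its sessions should be revoked as a separate, explicit step rather than as a side effect of mailing a link.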
Gawker lost all credibility with me when they blamed easyDNS for pulling the plug on Wikileaks (the actual culprit was everyDNS). Shit happens; it's an easily made typo. My problem is when they basically told the easyDNS owner that they would edit the original press release without acknowledging that any edit had been made, let alone apologize. They basically told easyDNS to fuck off and quit whining after Gawker's error almost got easyDNS DDoS'd into oblivion. Even the National Enquirer has more spine (at least when they admit fault).
When all of your wishes have been granted, many of your dreams will be destroyed - Marilyn Manson