Learning From Gawker's Failure
Gunkerty Jeb writes "The Gawker hack has completely disenfranchised their users, not to mention the breach in trust that may well be impossible to regain. Users are demanding that they be allowed to delete their accounts immediately, and beyond implementing such a mechanism, it is likely that Gawker systems will have to be rebuilt from the ground up to avoid future hacks. So, what is to be learned from this perfect storm of bluster and bravado?"
How about a detailed description of how the hack was performed? What hole was breached? That would be the first place to begin "learning".
Until that's published there's really nothing to study.
Slashdot is open source. Gawker's code is not.
Entrepreneur : (noun), French for "unemployed"
I left Jalopnik over two years ago. It had very poor editorial control, and displayed the vast chasm between reputable automotive journalism in mags like Car & Driver and Road & Track and the interwebz. It had become Ray Wert's bully pulpit, and the commentariat IQ over there dropped down to double digits pretty quickly.
IO9 and others really were not much better. And the problem really came down to not being able to drown out the idiots. I attribute Slashdot's long term success to the mod system and the whole way it handles contributions. It works. And the Gawker crap blog engine was badly coded, anybody who used it could see that. So it isn't a shock that it got 0wn3d. Amateur blog engine should be a sign of overall poor design and security.
See title
The Gawker hack has completely disenfranchised their users
That's quite a hack, depriving users of their right to vote...
"In a 32-bit world, you're a 2-bit user. You've got your own newsgroup, alt.total.loser." -Weird Al
The big lesson here is not that you should never get breached, or that you should use some super-secure password, or that you should use a different password on every site (you should).
No, the real lesson is that passwords themselves are faulty. No one is going to select and memorize a strong password for every website they use. They're going to either re-use passwords, or choose weak passwords, or write their passwords down (or use a password manager).
None of these are good answers. The expectation is that users are going to choose strong passwords, that they will never re-use passwords, that hashes (even with salt) are an effective way to protect passwords, and that users will never be tricked into revealing their password.
It's bullshit. It's always been bullshit. Users aren't careful with passwords, and why would we expect them to be - 99.9% of the time they get away with it. Humans are bad at evaluating the risk of things that are low frequency but high impact.
The other thing that's bullshit is password reset. It doesn't make any sense: how can someone who forgot their password remember "security questions" that are actually secure. No, 99 times out of 100 these systems use some crap like "Where were you born", which is pretty damn trivial to find out for any attacker. My brokerage account has a secure password that I only use there, but resetting the password requires only my username, SSN, ZIP code, and last name. And there are far, far more people who know that stuff than people who know my password.
It's time to get serious about replacing passwords. That's the lesson here.
http://news.slashdot.org/article.pl?sid=00/09/29/0231248&tid=99
Their MO is "Kick 'em when they're up, kick 'em when they're down".
This hack couldn't have happened to a bigger bunch of self-involved, arrogant jerks. If there is a balance of justice in the universe, then it just inched another tiny notch towards equilibrium.
Really, the imperious attitude that is exhibited by the Gawker "editorial" stance is a smug and sarcastic condescension towards the foibles of others.
"Flyin' in just a sweet place,
Never been known to fail..."
What I'm left wondering is why someone should need a username and password to comment on a blog post on their sites. Do they have a reputation system? Does it really prevent spam? Or is it just to gather a list of email addresses that they might sell later? There must be a better way to accomplish the little functionality that their login requirement provides. Especially now that they have to deal with the fact that their login system was not secure.
Well, some of us were more fortunate there.
I was born in the quaint town of P5$+19"797q4. It's lovely in the spring. You should visit. My mother's maiden name was B192zve8p6; an ancient and distinguished family, if you must ask. My first pet was a cat named Ö8z~30+r.vd. We all loved her. And I went to ß8s8h,u:82 memorial school.
Strangely enough, nobody ever guesses those ;)
A polar bear is a cartesian bear after a coordinate transform.
Salting addresses some attacks, but as CPU time becomes cheaper, it becomes increasingly feasible to brute-force even salted hashes. To address this issue, you need key strengthening as well.
Or, better yet, just use the system designed to store passwords: bcrypt.
*sigh* Then again, I'm confident that we'll see incompetent web application developers using unsalted MD5 for decades to come. People don't learn from others' mistakes it seems.
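An added example (not from the thread or any poster) of the three schemes the comment above contrasts: unsalted MD5, a per-user salt, and salt plus key strengthening. It uses PBKDF2-HMAC from the Python standard library as a stand-in for bcrypt, which the comment recommends, since the property that matters (a tunable work factor) is the same; the stored-record format and the iteration count are assumptions of this example.

```python
import hashlib
import hmac
import os

# Work factor for the stretched scheme; raise it as hardware gets faster.
PBKDF2_ITERATIONS = 200_000


def unsalted_md5(password: str) -> str:
    """The scheme the comment warns about: every user with the same password
    gets the same digest, so one precomputed table attacks the whole dump."""
    return hashlib.md5(password.encode()).hexdigest()


def salted_sha256(password: str, salt: bytes) -> str:
    """A per-user salt defeats shared precomputed tables, but a single fast
    hash is still cheap to brute-force one account at a time."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted and stretched. The record carries algorithm, work factor, salt
    and digest (constructed format) so the work factor can be raised later
    without breaking verification of records written under the old one."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and work factor; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(stored: str, current_iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Called after a successful login: records below today's work factor
    get re-hashed with the user's just-verified password."""
    return int(stored.split("$")[1]) < current_iterations
```

Two users sharing a password produce identical `unsalted_md5` digests but distinct `hash_password` records, which is the difference a leaked table exposes.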
Being open does not make Slashdot easier to hack, because it's written in Perl and so even access to the source code does not make it possible for an attacker to understand what it's doing.
I am TheRaven on Soylent News
I have several passwords I use. Sites that require accounts for participation get one that I don't care if it gets out in the wild. No big loss. People posting as me is mildly amusing.
I have another password for systems I'm in charge of, that function like those I participate in in the first example. It would suck if that got out. Those systems are few, and you'd have to personally know me to know what they were.
I have secure passwords for each of the highly sensitive accounts (banks and such) that are not shared between accounts. IF one of those gets out, I'm screwed for that one institution, but nowhere else.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
This is the trouble with "single login" systems. Now there's a single point of failure.
Single login requires a trusted organization with a good reputation willing to contractually commit to paying for the damages if they screw up. But look who's in the business: Gawker. Facebook. Microsoft. Google. That's no good.
If anyone were to do this well, it might be Amazon. Amazon is not an advertising-supported business. They take orders, accept payments, and ship real products. As a major credit card merchant selling physical objects for which they pay real money, they constantly have people trying to steal merchandise from them. So their management has to understand the risks of authentication failures. Amazon has a powerful and well-respected distributed computer infrastructure, which tends to stay up despite problems. So they could probably implement a single login system that could be trusted.
Userseresss's'ss''''sss.
Nerd rage is the funniest rage.
My biggest gripe on the other hand is that my browsers don't understand the html that Slashdot's Perl code produces...
Violence is the last refuge of the incompetent. Polar Scope Align for iOS
It's not a magical thing; it works. This has been shown many times. The issue is with implementation. Locks are worthless if they aren't locked.
The Kruger Dunning explains most post on
Yea, well it happened to the "customers" of those jerks, too.
I had a registered account on Gizmodo, mostly to write posts telling an author how full of shit they were, or to correct silicon/silicone errors, etc., but that's immaterial.
What is material is that I've been getting emails from hosts of hosts upon which I've used that same email address to register, telling me I need to change my password, even though my password is not the same from site to site.
Worse, in a fit of idiocy, battle.net decided that, since my battle.net account is identified with an email address that they found on the leaked Gawker database, that they'd go ahead and reset my password. Yes, unsolicited. Despite the facts that a) my password does not hash to the string associated with the address in the database, b) I have an authenticator attached to the account, and c) it's not their fucking business to reset my password without asking first.
So what happened next? After getting the email from battle.net, I went to their account management page, and entered a new password -- and am then unable to login using those credentials. They broke my access for 36 hours. For no valid reason.
If I had actually held a desire to play during that time, I'd have been royally pissed. As it is, I'm just royally irritated at their stupidity, and at the subsequent neutronium density of their CS group to be completely unable to parse my simple request: "your password reset broke my login, please fix it," and instead treated me as if I had reported my account hacked. So now my WoW account is locked down while they review whatever they think they need to review.
Mass idiocy all around, yes, but precipitated by the arrogant idiocy of Gawker.
And of course, just for safety, I've had to go and change accounts everywhere to be registered with a new email address - or where not possible, rotate passwords... which I usually do, but not all at fucking once. I spent three hours last night going over my list of accounts and passwords and updating everything, including my home network, which caused things to break for other family members who are now calling me with "I can't use the web; I can't get to pokemon.com; why isn't Miro working?" etc.
So, long screed made short: The pain, there's more than enough to go around, even for the undeserving.
Or, in the now immortal, um... expression, of an anonymous /b/tard: Fuuuuuuuuuuuuuu...!!
I can see the fnords!
I received a similar email from Blizzard. Here it is:
We've received a request to reset the password for this Battle.net account. Please click this link to reset your password: (link omitted)
If you no longer wish to make the above change, or if you did not initiate this request, please disregard and/or delete this e-mail.
You didn't have to change it. They just thought they'd do the right thing and offer to help protect their customers before it was needed. An ounce of prevention and all that.