Slashdot Mirror


Memo Details Gawker Security Strategy

Trailrunner7 writes "After a hack of systems belonging to online publishing giant Gawker Media that yielded more than one million passwords, the online media company's chief technology officer has announced new defense strategies aimed at placating their users and preventing further humiliating data breaches. Thomas Plunkett issued a company-wide memo on Friday that lays out the new security measures and suggests the company overlooked security concerns in the rush to develop new features."

20 of 76 comments

  1. Not gonna work.. by Anonymous Coward · · Score: 5, Funny

    I read it, but nowhere does it mention not being douchebags. Not gonna work.

    1. Re:Not gonna work.. by PatPending · · Score: 3, Insightful

      Plunkett should be sacked because he is ultimately responsible for his team.

      --
      What one fool can do, another can. (Ancient Simian Proverb)
    2. Re:Not gonna work.. by BrowserCapsGuy · · Score: 2

      Plunkett should be sacked because he is ultimately responsible for his team.

      Right now Gawker needs him because he (probably) knows more about their systems than anyone. I'm sure in time there will be an announcement that he's decided to resign to spend more time with his family.

      --
      Alright! I know I'm in there! If I don't come out, I'll have to come in after me!
    3. Re:Not gonna work.. by E+IS+mC(Square) · · Score: 5, Informative

      * That douchebag prank at CES (http://gizmodo.com/343348/confessions-the-meanest-thing-gizmodo-did-at-ces)
      * Then Brian Lam being a complete ass (http://gizmodo.com/303223/halo-3-swag-rebagging-plus-apology)
      * Classy!! "if you're a twerpy little internet chump", " Especially not when we own the fucking podium." - (http://gizmodo.com/5687692/you-write-bias-journalism-and-i-read-derp)
      * Adam Frucci's post telling off all Apple haters to go fuck themselves - can't find the original post (which was modified a few times when it backfired)
      * Banning any critical commentator (http://gizmodo.com/tag/phantomzone)
      * Being a complete douche for the iPhone prototype thingy and getting banged in the ass by Jesus Steve Jobs himself
      * Too much hurt? Wow! (http://gizmodo.com/5461485/ipad-snivelers-put-up-or-shut-up)
      * Banning users, creating fake ones, deliberately dissing Nokia and its users (http://play-this.org/2010/10/nokia-uses-social-pr-tactics-to-battle-gizmodo/)

      The list is endless..

    4. Re:Not gonna work.. by Reaperducer · · Score: 3, Interesting

      Wow. I may be in the minority, but I'm certainly glad I've never heard of Gawker. Though it takes the joy out of deliberately avoiding the web site.

      --
      -- I'm old enough to have lived through six different meanings of the word "hacker."
    5. Re:Not gonna work.. by Mashiki · · Score: 2

      I always likened it to the place where all the douchebags of the internet liked to congregate. 4chan has its moments, but even they have some semblance of class.

      --
      Om, nomnomnom...
  2. Absolutely fascinating! by BitHive · · Score: 4, Insightful

    I've been dying to know whether the no-name CTO of some joke of a blog franchise has had any thoughts since his incompetence was made public.

    I, for one, will be eagerly perusing his recommendations to see if there's anything I've missed.

  3. Users by MrQuacker · · Score: 2

    Their whole strategy so far has been to blame the users: "It's not Gawker's fault your passwords are so weak."

    1. Re:Users by tpstigers · · Score: 2

      While Gawker has thus far avoided accepting any real responsibility for the incident (not so much as an apology yet), they haven't actually been blaming users. Lifehacker has run a succession of posts on good password practices, but they haven't been criticizing anyone. And they certainly haven't reprimanded their users for 'weak' passwords. The truth of the matter is that users who had passwords that were unique to their Gawker account (a practice we all know is the smart way to go, right?) only had to fear for their Gawker account. Which means that all someone could do with their data would be to post comments on Gawker sites. Hardly a big problem.

      What Gawker users have learned here (and Lifehacker, at least, has been driving home) is the inadvisability of having a global password (a frighteningly common practice).

    2. Re:Users by Jawnn · · Score: 2

      While Gawker has thus far avoided accepting any real responsibility for the incident (not so much as an apology yet), they haven't actually been blaming users. Lifehacker has run a succession of posts on good password practices, but they haven't been criticizing anyone.

      This is the same bullshit, "We can't actually say this, but we will hint at, imply, and suggest it in every possible way until you believe it" strategy that Fox News has mastered so well. The plain fact, of course, is that Gawker is to blame for the breach of their users' passwords, weak and strong alike. They want desperately to have those users start thinking along different lines and sadly, it appears to be working.

  4. "The online publishing giant"... by pongo000 · · Score: 2

    ...no one has heard of!

    Seriously, was Gawker on any /.ers' radar before this news broke? Or am I the only one who never leaves the cave?

    1. Re:"The online publishing giant"... by Anonymous Coward · · Score: 2, Insightful

      Posting anonymously because my email was in the leaked info.

      Lifehacker has some useful tips for Linux, Mac and Windows, including their mobile variants and smartphones.

      Gizmodo is another, which I used to read often but I got sick of reading so many commercials (that's the idea of the site, they didn't do anything wrong).

      Give them a look over. At the bottom of Lifehacker.com pages there are links to the other sites (fleshbot.com is missing, maybe because it's NSFW).

    2. Re:"The online publishing giant"... by MoonBuggy · · Score: 4, Insightful

      They are a giant precisely because they are the force behind a fairly diverse range of sites, all of which are big names in their respective fields. You may not have heard the name 'Gawker Media', and I don't expect valleywag or Jezebel to come up on most Slashdotters' daily rotation, but Gizmodo gets linked here (either in stories or comments) fairly regularly.

    3. Re:"The online publishing giant"... by PhrostyMcByte · · Score: 5, Insightful

      There's a good chance you've been to one of their sites before. Gizmodo, Kotaku, Lifehacker, and io9 are their bigger ones I can recall -- I'm sure there are others. I personally read Gizmodo and io9 quite often, though I've never made an account with them.

  5. They still don't get it. by 140Mandak262Jamuna · · Score: 5, Insightful

    In recent weeks, intruders were able to gain access to our web servers by exploiting a vulnerability in our source code, allowing them to gain access to user data and passwords.

    They are still blaming bugs in code, pretending they were mistakes made by low-level programming flunkies. The problem was using an unsalted hash that allowed them to do a simple dictionary attack. Further, even the top guys were using very simple passwords, used the same password for multiple accounts, and continued to leave other accounts and usernames unlocked even after knowing one account using that password had been compromised.

    No. The real problem was that the managers and the top dogs drawing top salaries were clueless idiots. Pretending that it was some kind of stupid bug left in code by some low level programmer shows how disconnected these bozos are from reality.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
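    The unsalted-hash point in the comment above is the one technical claim in this thread worth seeing in code. The following is an added illustration, not code from the commenter, Gawker, or the memo: it stores a constructed set of user records two ways, with a bare fast digest and with a per-user random salt plus a slow key-derivation function, and runs the same wordlist check against both. The user names, passwords and wordlist are invented for the demonstration; the point is that with an unsalted digest one precomputed table cracks every user at once, while salting forces one derivation per user per guess and a slow KDF makes each of those expensive.

```python
import hashlib
import hmac
import os

# Constructed sample records (not the leaked data). Two users share a
# password, which is typical of real credential dumps.
SAMPLE_USERS = {
    "alice": "password1",
    "bob": "letmein",
    "carol": "password1",   # same password as alice
}

# Constructed wordlist for the dictionary check.
WORDLIST = ["123456", "password", "password1", "letmein", "qwerty"]

# Deliberately slow KDF cost; a production value would be tuned higher.
PBKDF2_ITERATIONS = 100_000


def unsalted_hash(password):
    """The weak scheme: one fast, unsalted digest per password.
    Identical passwords produce identical stored values."""
    return hashlib.sha1(password.encode()).hexdigest()


def store_unsalted(users):
    return {user: unsalted_hash(pw) for user, pw in users.items()}


def wordlist_check_unsalted(stored, wordlist):
    """Audit a dump of unsalted digests: one table of len(wordlist) digests
    is built once and looked up for every user. Cost does not grow with the
    number of users, which is why unsalted dumps fall so quickly."""
    table = {unsalted_hash(word): word for word in wordlist}
    return {user: table[digest] for user, digest in stored.items() if digest in table}


def salted_hash(password, salt, iterations=PBKDF2_ITERATIONS):
    """The hardened scheme: per-user random salt plus PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def store_salted(users):
    """Each user gets a fresh 16-byte salt stored beside the derived key."""
    stored = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        stored[user] = (salt, salted_hash(pw, salt))
    return stored


def verify_salted(stored, user, candidate):
    """Login check: re-derive with the stored salt, compare in constant time."""
    salt, digest = stored[user]
    return hmac.compare_digest(digest, salted_hash(candidate, salt))


def wordlist_check_salted(stored, wordlist):
    """Same audit against the salted store. No shared table is possible:
    every guess is re-derived per user, so the returned guess count shows
    the cost growing with users * wordlist, each step paying the KDF cost."""
    cracked = {}
    derivations = 0
    for user, (salt, digest) in stored.items():
        for word in wordlist:
            derivations += 1
            if hmac.compare_digest(digest, salted_hash(word, salt)):
                cracked[user] = word
                break
    return cracked, derivations


if __name__ == "__main__":
    weak = store_unsalted(SAMPLE_USERS)
    print("unsalted: alice and carol share a digest:", weak["alice"] == weak["carol"])
    print("unsalted: recovered with one table:", wordlist_check_unsalted(weak, WORDLIST))
    strong = store_salted(SAMPLE_USERS)
    print("salted: alice and carol share a digest:", strong["alice"][1] == strong["carol"][1])
    cracked, n = wordlist_check_salted(strong, WORDLIST)
    print("salted: recovered only after", n, "separate slow derivations:", cracked)
```

The salted run still recovers these deliberately weak sample passwords, because the wordlist contains them; what changes is that the work is per user and per guess, and a slow KDF (PBKDF2 here, bcrypt or scrypt in practice) multiplies that work by its iteration count. That is the difference between a dump that is cracked in bulk in hours and one where each weak password costs the attacker real time.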
    1. Re:They still don't get it. by OnePumpChump · · Score: 2

      Did you read the readmes in the torrent? The attackers claim that they took DAYS to download those passwords. That traffic didn't look unusual to anyone? Should any system anywhere that isn't either migrating that database or backing it up be looking at more than a couple of passwords in any short span of time? Regardless, this didn't draw any attention. Bug or not, there's not really any excuse here.
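    The question raised above, whether anything other than a backup or migration should be reading more than a handful of credential rows in a short span, is the kind of check a database audit log can answer. The following is an added example, not code from the commenter or from Gawker, and it assumes a constructed audit-log format (timestamp, source address, database user, table, rows returned) rather than any real product's output. It aggregates rows read from a sensitive table per principal over a sliding one-hour window, exempts an allowlisted backup principal, and reports the peak window for anyone who exceeds a threshold.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-log format for this example; real DB audit logs differ.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) table=(?P<table>\S+) "
    r"rows=(?P<rows>\d+) op=(?P<op>\S+)$"
)

# Constructed sample lines: routine single-row logins, a scheduled backup,
# and a principal that starts pulling hundreds of user rows at a time.
SAMPLE_LOG = """\
2010-12-04T09:00:01 src=10.0.0.7 user=webapp table=users rows=1 op=SELECT
2010-12-04T09:00:03 src=10.0.0.7 user=webapp table=users rows=1 op=SELECT
2010-12-04T09:00:05 src=10.0.0.8 user=webapp table=posts rows=40 op=SELECT
2010-12-04T09:10:00 src=10.0.0.9 user=backup table=users rows=1300000 op=SELECT
2010-12-04T22:15:00 src=10.0.0.7 user=webapp table=users rows=500 op=SELECT
2010-12-04T22:20:00 src=10.0.0.7 user=webapp table=users rows=500 op=SELECT
2010-12-04T22:25:00 src=10.0.0.7 user=webapp table=users rows=500 op=SELECT
2010-12-05T01:05:00 src=10.0.0.7 user=webapp table=users rows=500 op=SELECT
2010-12-05T01:10:00 src=10.0.0.7 user=webapp table=users rows=500 op=SELECT
"""

SENSITIVE_TABLES = {"users"}            # tables holding credentials
ALLOWLIST = {("10.0.0.9", "backup")}    # principals expected to read in bulk
WINDOW = timedelta(hours=1)
ROW_THRESHOLD = 100                     # rows per window before alerting


def parse(log_text):
    """Parse the constructed format into event dicts; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.fromisoformat(d["ts"]),
            "src": d["src"],
            "user": d["user"],
            "table": d["table"],
            "rows": int(d["rows"]),
        })
    return events


def find_bulk_reads(events, window=WINDOW, threshold=ROW_THRESHOLD):
    """Return {(src, user): (peak_rows, window_start)} for every non-allowlisted
    principal whose reads from a sensitive table exceed `threshold` rows within
    any `window`-long span. Uses a sliding window over time-sorted events."""
    by_principal = defaultdict(list)
    for e in events:
        key = (e["src"], e["user"])
        if e["table"] in SENSITIVE_TABLES and key not in ALLOWLIST:
            by_principal[key].append(e)

    alerts = {}
    for key, evs in by_principal.items():
        evs.sort(key=lambda e: e["ts"])
        start, total = 0, 0
        peak, peak_start = 0, None
        for end, e in enumerate(evs):
            total += e["rows"]
            # Drop events that fell out of the window ending at this event.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                total -= evs[start]["rows"]
                start += 1
            if total > peak:
                peak, peak_start = total, evs[start]["ts"]
        if peak > threshold:
            alerts[key] = (peak, peak_start)
    return alerts


if __name__ == "__main__":
    for (src, user), (rows, since) in find_bulk_reads(parse(SAMPLE_LOG)).items():
        print(f"ALERT {user}@{src}: {rows} credential rows read in the hour from {since}")
```

The allowlist is what keeps this from paging on every nightly backup; the point of the comment is that a multi-day pull by an ordinary application principal looks nothing like a backup and should have stood out against the single-row reads a login path generates.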

    2. Re:They still don't get it. by magamiako1 · · Score: 2

      The problem usually comes down to this:

      A) Pay a decent, reputable, knowledgeable coder $$$$ for his time to develop a website.

      or

      B) Pay some outsourced company $$ for their time to develop a website.

      Most management usually goes for B. It generally makes them "look better" because it can "get the job done", they can "save money". Security is an afterthought to almost all management levels. The only reason that Gawker's management is even anything close to concerned now is because it's going to cut into ad revenue. But they, like any major company, skate on that thin ice until eventually it breaks.

      This isn't surprising in the least bit. Companies don't give two shits about security until it bites them in the ass. Furthermore, I don't really expect them to make major strides in security, but "just enough" to make sure the "previous situation" doesn't happen again.

      That said, there is something called "defense in depth", and it's something they should have implemented from the start. It was a failure at all levels of monitoring and management.

  6. password expiry by Exclamation+mark! · · Score: 2

    Is part of the strategy to force users to change their password every month so they can write it down or reuse it and make it just secure enough to pass validation? This kind of crap is happening at work and forces me to use crappy passwords! Thanks security consultants!

    --
    I'm a wanker.... and loving it!
  7. Wanted: New CTO by rudy_wayne · · Score: 2

    It turns out that Gawker has a "Chief Technology Officer". However, if you read this article from Forbes, it makes you wonder what this guy actually did, other than show up and collect a paycheck.

  8. Re:Memo by chimpo13 · · Score: 2

    It would've been more secure for employees to write them down. Then they only have to worry about their spouse, kids, plumber and people who get to see the house office. If they have a real office, it's still limited to employees and finding out who the Evil One is after something like this shouldn't be that hard. Writing down passwords on post-its isn't that big of a problem.