
Learning From Gawker's Failure

CmdrTaco posted more than 3 years ago | from the i-see-what-you-did-there dept.


Gunkerty Jeb writes "The Gawker hack has completely disenfranchised their users, not to mention the breach in trust that may well be impossible to regain. Users are demanding that they be allowed to delete their accounts immediately, and beyond implementing such a mechanism, it is likely that Gawker systems will have to be rebuilt from the ground up to avoid future hacks. So, what is to be learned from this perfect storm of bluster and bravado?"


236 comments


Gawker? Schadenfreude Central Hoist on own Petard! (3, Informative)

Jeremiah Cornelius (137) | more than 3 years ago | (#34563108)

Their MO is "Kick 'em when they're up, kick 'em when they're down". [lyricsfreak.com]

This hack couldn't have happened to a bigger bunch of self-involved, arrogant jerks. If there is a balance of justice in the universe, then it just inched another tiny notch towards equilibrium.

Really, the imperious attitude that is exhibited by the Gawker "editorial" stance is a smug and sarcastic condescension towards the foibles of others.

Re:Gawker? Schadenfreude Central Hoist on own Petar (1)

Wyatt Earp (1029) | more than 3 years ago | (#34563830)

I really liked yesterday where IO9 was making fun of their users for using sci-fi names for passwords.

You know from the data that was leaked from farking IO9 because their masters blew the security.

Apostrophe's (1, Insightful)

Anonymous Coward | more than 3 years ago | (#34562842)

Nice use of the apostrophe on a plural form.

Re:Apostrophe's (0)

Anonymous Coward | more than 3 years ago | (#34563046)

An angry guide to the apostrophe. [angryflower.com]

Where do people 'learn' to use apostrophes for plural's? I don't even...

Strong Bad said it best. (0)

Anonymous Coward | more than 3 years ago | (#34563354)

If you want it to be possessive, it's just 'I-T-S.'

But, if it's supposed to be a contraction then it's 'I-T-apostrophe-S'.

Scalawag.

Re:Apostrophe's (0)

Anonymous Coward | more than 3 years ago | (#34563506)

Also: very imaginative use of the word "disenfranchise."

Re:Apostrophe's (-1)

Anonymous Coward | more than 3 years ago | (#34563648)

who cares.

if you can't add to the discussion, stfu.

What's to be learned? (1)

gklinger (571901) | more than 3 years ago | (#34562862)

One lesson that comes to mind is that you shouldn't refer to your website's participants as "peasants".

Re:What's to be learned? (0)

Anonymous Coward | more than 3 years ago | (#34562910)

Also, if you dare a rival group to "bring it on", keep in mind that they might actually do so.

Re:What's to be learned? (0)

Anonymous Coward | more than 3 years ago | (#34563132)

And that the "4Chan" like groups need to be hunted down and exterminated.

Re:What's to be learned? (0)

Anonymous Coward | more than 3 years ago | (#34563636)

Basically, don't be Nick Denton, Brian Lam or any other editor on Gizmodo team.

These lessons have been applied (1)

spun (1352) | more than 3 years ago | (#34562918)

And from what I hear, there is no way these clueless, juvenile script kiddies could EVER hack Slashdot.

Re:These lessons have been applied (3, Informative)

XorNand (517466) | more than 3 years ago | (#34562990)

Slashdot is open source [slashcode.org]. Gawker's code is not.

Re:These lessons have been applied (1)

rtaylor (70602) | more than 3 years ago | (#34563022)

So it's easier to hack?

How is Slashdot being open source reassuring? I certainly cannot fix the code on the server where it is running.

Re:These lessons have been applied (1)

zellfaze (1884982) | more than 3 years ago | (#34563202)

No, but if you point it out it will get fixed. Having many eyes on a piece of code encourages it to be fixed faster.

Re:These lessons have been applied (5, Funny)

TheRaven64 (641858) | more than 3 years ago | (#34563320)

Being open does not make Slashdot easier to hack, because it's written in Perl and so even access to the source code does not make it possible for an attacker to understand what it's doing.

Re:These lessons have been applied (1)

tha_mink (518151) | more than 3 years ago | (#34563522)

Being open does not make Slashdot easier to hack, because it's written in Perl and so even access to the source code does not make it possible for an attacker to understand what it's doing.

I have not read a truthier statement all day. Explosion at the punctuation factory.

Re:These lessons have been applied (0)

Anonymous Coward | more than 3 years ago | (#34563696)

As someone who used to write (and decipher) Perl all day, I wholeheartedly agree. Whitespace is easier to understand most of the time. Malbolge is maybe a little more difficult, depending on who wrote it.

Re:These lessons have been applied (0)

Anonymous Coward | more than 3 years ago | (#34563550)

The point you're missing about this particular aspect of Open Source is third parties who know what they are doing can and often do look at the code for other projects. Just because you cannot is irrelevant in this matter. In contrast, examining code for closed source, proprietary software is, in a general sense, not permissible.

Re:These lessons have been applied (2)

Sigma 7 (266129) | more than 3 years ago | (#34563076)

Re:These lessons have been applied (1)

spun (1352) | more than 3 years ago | (#34563134)

Whoosh.

Re:These lessons have been applied (1)

Java Pimp (98454) | more than 3 years ago | (#34563436)

What whoosh? That hack was from like 10 years ago... about the time the alleged BSD backdoor was allegedly inserted. Coincidence? I think not!

Re:These lessons have been applied (1)

spun (1352) | more than 3 years ago | (#34563542)

My original post was a (lame) joke. The first lesson in the linked article is "don't poke the bear" so I was poking the bear.

Re:These lessons have been applied (1)

Anonymous Coward | more than 3 years ago | (#34563104)

Ha! Shows what you know n00b! I hacked Anonymous Coward's account in no time flat!

Re:These lessons have been applied (1)

ackthpt (218170) | more than 3 years ago | (#34563578)

And from what I hear, there is no way these clueless, juvenile script kiddies could EVER hack Slashdot.

How you talk.

BTW, after successfully tricking CommodoreTaco into running my PostScan 2010 script (to check his posts for virii) I now have the entire suite, user data and cheat codes to dozens of 1980's C64 games.

Description of hack? (4, Insightful)

DJ Jones (997846) | more than 3 years ago | (#34562950)

How about a detailed description of how the hack was performed? What hole was breached? That would be the first place to begin "learning".

Until that's published there's really nothing to study.

Re:Description of hack? (1)

Anonymous Coward | more than 3 years ago | (#34563014)

How about a brief description of what Gawker is?

Re:Description of hack? (1)

countSudoku() (1047544) | more than 3 years ago | (#34563758)

My point exactly! WTF was this awful website anyway?

We can learn from the Wikipedia that it was:
Gawker is a blog based in New York City that bills itself as "the source for daily Manhattan media news and gossip" and focuses on celebrities and the media industry.

So, good, I was RIGHT in not giving two shits about this hack or the dozens of shitheads who bothered to create logins on a fucking useless blog site of nonsense and shitheadery (a word I had to make up to convey my lack of concern for those asshat users and their moronic blog hosts).

Let the douchery commence!

Re:Description of hack? (1)

heckler95 (1140369) | more than 3 years ago | (#34563868)

Gawker Media is a company with a number of sites including Gizmodo and Lifehacker, both of which (I would guess) are pretty popular with the Slashdot crowd.

Re:Description of hack? (2)

Jeremy Erwin (2054) | more than 3 years ago | (#34564058)

Actually, Gawker owns and manages several websites: deadspin (sports), kotaku (computer gaming), jezebel (feminism, and other girly stuff), io9 (sci-fi), gizmodo (consumer electronics), lifehacker (computers), and jalopnik (cars). All of the accounts on those websites have been compromised, to some degree.

Re:Description of hack? (5, Interesting)

gklinger (571901) | more than 3 years ago | (#34563044)

While it leaves many (mostly technical) questions unanswered, I found this article [forbes.com] to be an interesting and informative description of what happened.

Re:Description of hack? (0)

Anonymous Coward | more than 3 years ago | (#34563090)

My guess is they are imbarised to do so. I'm one of the ones that asked them to delete my account actually. If I can't trust a company to keep my data private when they say they will do so, then our relationship is over.

Re:Description of hack? (0)

Anonymous Coward | more than 3 years ago | (#34563118)

If that was supposed to say embarrassed, you should probably kill yourself right now.

Re:Description of hack? (0)

Anonymous Coward | more than 3 years ago | (#34564038)

Who is this darn troll named "Anonymous Coward"? Maybe you could tell him to "learn to spell", but "kill yourself"? Over a spelling error? What the hell? And why is this Anonymous Coward person taking credit for my posts now too?

Re:Description of hack? (0)

Anonymous Coward | more than 3 years ago | (#34563220)

Oh the imbarisment!!!

Re:Description of hack? (1, Redundant)

Jonboy X (319895) | more than 3 years ago | (#34563148)

oh puleeze (1)

Essequemodeia (1030028) | more than 3 years ago | (#34562956)

Thinking any password sacrosanct on this here interwebs is ridiculous. The self-satisfied Gawker-enthusiast is the very type of person who should know better.

Jalopnik sucked anyhow... (4, Insightful)

GPLDAN (732269) | more than 3 years ago | (#34563006)

I left Jalopnik over two years ago. It had very poor editorial control, and displayed the vast chasm between reputable automotive journalism in mags like Car & Driver and Road & Track and the interwebz. It had become Ray Wert's bully pulpit, and the commentariat IQ over there dropped down to double digits pretty quickly.

IO9 and others really were not much better. And the problem really came down to not being able to drown out the idiots. I attribute Slashdot's long term success to the mod system and the whole way it handles contributions. It works. And the Gawker crap blog engine was badly coded, anybody who used it could see that. So it isn't a shock that it got 0wn3d. Amateur blog engine should be a sign of overall poor design and security.

Re:Jalopnik sucked anyhow... (0)

Anonymous Coward | more than 3 years ago | (#34563052)

I used to hang around on consumerist, but when it left Gawker, it got worse.

Re:Jalopnik sucked anyhow... (0)

Anonymous Coward | more than 3 years ago | (#34563350)

I left Jalopnik over two years ago. It had very poor editorial control, and displayed the vast chasm between reputable automotive journalism in mags like Car & Driver and Road & Track and the interwebz. It had become Ray Wert's bully pulpit, and the commentariat IQ over there dropped down to double digits pretty quickly.

Ditto. I dig Clunkbucket [clunkbucket.com], but nobody reads it.

Biggest dealbreaker for me and any Gawker Media property was the commenting system. Forced pagination, few comments per page, forced reverse chronological order, and slow-to-load/page Javascript required to view any comments at all. That's like four dealbreakers at once. I stopped reading, and about a week or two later, stopped missing it.

Re:Jalopnik sucked anyhow... (1)

rwa2 (4391) | more than 3 years ago | (#34563534)

http://www.thetruthaboutcars.com/ [thetruthaboutcars.com] (AKA TTAC) is my current favourite auto rag, filled with TheRegister-esque satire dripping with sarcasm and some descriptive analogies worthy of PA's Jerry Holkins.

Here's a decent writing sample that sticks in my memory: http://www.thetruthaboutcars.com/2009/01/comparison-2008-dodge-charger-v6-vs-1993-toyota-camry/ [thetruthaboutcars.com]

Maybe I didn't notice it as a kid since I had the propensity to simply ignore all things politick, but C&D and some of the other auto mags seem to have very right-wing editorials these days, that kind of give the thing a different flavour. Anyway, don't really find them as intellectually stimulating anymore, but I guess they're mostly for the pictures. :-P

Re:Jalopnik sucked anyhow... (1)

Wyatt Earp (1029) | more than 3 years ago | (#34563952)

I stuck it out on Jalopnik until a couple months ago. Left because half the stories were cross posted from IO9 or Gizmodo, if I wanted to read about sci-fi vehicles I'd be on IO9, or hell a website that knows what the hell they are talking about.

Gawker Media's editorial standards went to hell over the last year or so.

Funny, the day that the WoW 4.0 patch went live Kotaku had a post about this big 4.0 patch that was coming soon, early next month probably! And it's going to be so cool!
I wrote the guy and said "way to be late, it came out today, servers are up already", he called me an asshole.

I know what I learned (1)

paiute (550198) | more than 3 years ago | (#34563018)

I learned to always use the password "123456". Herd immunity.

Re:I know what I learned (3, Interesting)

Archangel Michael (180766) | more than 3 years ago | (#34563360)

I have several passwords I use. Sites that require accounts for participation get one that I don't care if it gets out in the wild. No big loss. People posting as me is mildly amusing.

I have another password for systems I'm in charge of, that function like those I participate in in the first example. It would suck if that got out. Those systems are few, and you'd have to personally know me to know what they were.

I have secure passwords for each of the highly sensitive accounts (banks and such) that are not shared between accounts. IF one of those gets out, I'm screwed for that one institution, but nowhere else.

Re:I know what I learned (1)

interval1066 (668936) | more than 3 years ago | (#34563634)

That's what I'm talking about, I think the fact that a large portion of gawker's users used common passwords that are part of every cracker's dictionary says more about the users than the platform.

Gawker Scum (0)

Anonymous Coward | more than 3 years ago | (#34563020)

Scum loving snoops don't like being snooped on themselves.

Salt your hashes (3, Informative)

iammani (1392285) | more than 3 years ago | (#34563028)

See title

Re:Salt your hashes (1)

Qzukk (229616) | more than 3 years ago | (#34563078)

Salting your hashes only protects you from rainbow tables (and then only if your hash isn't already in a rainbow table). The salt is included in the hash, so I can see if your password is a weak password like "password" or "PASSWORD" or... exactly what Gawker warned against.

Re:Salt your hashes (0)

Anonymous Coward | more than 3 years ago | (#34563092)

I keep seeing this comment, but has anyone established that the passwords were even hashed?

It seems more likely that they were storing them plaintext than the hashes were brute-forced after the theft.

Re:Salt your hashes (3, Informative)

darkmeridian (119044) | more than 3 years ago | (#34563278)

From what I have read, the passwords were hashed but only with DES. Furthermore, there was salting and no password complexity requirement because rainbow tables were able to reveal a medley of Gawker passwords. Gawker's reaction to the first signs of a break in a month ago (complete indifference) was pretty nuts. Its user base is its biggest asset; the disrespect they show their users was ridiculous.

Re:Salt your hashes (1)

TheRaven64 (641858) | more than 3 years ago | (#34563376)

the passwords were hashed but only with DES

DES is an encryption algorithm, not a hashing algorithm. The difference is that encryption is reversible. If you use encryption as weak as single DES then someone can crack it pretty quickly and then generate a list of unencrypted passwords. If the passwords are hashed, even with a weak algorithm, then they can generate a list of possible passwords, but if someone has used the same password in two places then you won't necessarily get the same one that they used in the other place.

Re:Salt your hashes (1)

nedlohs (1335013) | more than 3 years ago | (#34563806)

DES is the standard unix hash algorithm (like ed is the standard unix text editor).

Here's the first paragraph of "man crypt":

crypt is the password encryption function. It is based on the Data Encryption Standard algorithm with variations intended (among other things) to discourage use of hardware implementations of a key search.

of course you would have to be borderline retarded to actually use it now.

Salting is merely a good start (4, Informative)

QuoteMstr (55051) | more than 3 years ago | (#34563292)

Salting addresses some attacks, but as CPU time becomes cheaper [amazon.com], it becomes increasingly feasible to brute-force even salted hashes. To address this issue, you need key strengthening [wikimedia.org] as well.

Or, better yet, just use the system designed to store passwords: bcrypt [codahale.com].

*sigh* Then again, I'm confident that we'll see incompetent web application developers using unsalted MD5 for decades to come. People don't learn from others' mistakes it seems.
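A worked illustration of the three points raised in this subthread (a per-account salt hides which users share a password, a slow key-stretching function raises the per-guess cost, and neither rescues a password that is on a common-password list). This is an added example in Python; it is not code from the thread, from Gawker or from Slashdot. The record format, iteration count and wordlist are constructed assumptions.

```python
import hashlib
import hmac
import os
import time

# Assumed parameters (constructed for this example, not any site's real settings).
PBKDF2_ITERATIONS = 200_000   # raise until one hash costs ~100 ms on your hardware
SALT_BYTES = 16

# Constructed wordlist: the weak passwords the thread itself mentions.
COMMON_PASSWORDS = ["password", "PASSWORD", "123456"]


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Return a self-describing record: pbkdf2_sha256$iterations$salt_hex$hash_hex.

    A fresh random salt per account means two users with the same password get
    different records, and a precomputed (rainbow) table is useless against them.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(password, record):
    """Recompute with the salt and iteration count stored in the record.

    compare_digest avoids leaking how many leading bytes matched via timing.
    """
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record type: " + algo)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), hash_hex)


def unsalted_md5(password):
    """The scheme the thread complains about: no salt, one fast hash."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def reuse_is_visible(password, hasher):
    """True when two accounts sharing a password end up with identical stored values.

    With unsalted MD5 a leaked table also reveals which accounts share a
    password; with a per-account salt it does not.
    """
    return hasher(password) == hasher(password)


def seconds_per_guess(hasher, samples=5):
    """Average cost of testing one candidate password against one record.

    This is the work factor: it is paid once per guess per account, and the
    defender can raise it (more iterations) as CPU time gets cheaper.
    """
    start = time.perf_counter()
    for i in range(samples):
        hasher("candidate-%d" % i)
    return (time.perf_counter() - start) / samples


def audit_record_against_wordlist(record, wordlist):
    """Operator-side audit: return the wordlist entry that matches a stored record.

    Salt and stretching do not save an account whose password is on the list;
    the fix for those accounts is a reset, not a stronger hash.
    """
    for candidate in wordlist:
        if verify_password(candidate, record):
            return candidate
    return None


if __name__ == "__main__":
    record = hash_password("password")
    print(record)
    print("verify ok:", verify_password("password", record))
    print("reuse visible (pbkdf2):", reuse_is_visible("password", hash_password))
    print("reuse visible (md5):   ", reuse_is_visible("password", unsalted_md5))
    print("wordlist hit:", audit_record_against_wordlist(record, COMMON_PASSWORDS))
    print("s/guess md5:    %.2e" % seconds_per_guess(unsalted_md5))
    print("s/guess pbkdf2: %.2e" % seconds_per_guess(hash_password))
```

A production system would use bcrypt, scrypt or Argon2 through a maintained library rather than hand-rolling the record format; the point here is the shape of the defence, not the specific primitive.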

Re:Salting is merely a good start (1)

betterunixthanunix (980855) | more than 3 years ago | (#34563514)

Then again, I'm confident that we'll see incompetent web application developers using unsalted MD5 for decades to come. People don't learn from others' mistakes it seems.

Or even cleartext; yes, I have seen this on production websites, and it is unbelievable.

Re:Salting is merely a good start (1)

oracleguy01 (1381327) | more than 3 years ago | (#34563982)

Or even cleartext; yes, I have seen this on production websites, and it is unbelievable.

As have I. A good way to test this is to try and reset your password on said site. If they show you or email you your existing password and not a random new one, you know their security is crap and shouldn't be trusted.

With big words come big responsibility (3, Funny)

Jonboy X (319895) | more than 3 years ago | (#34563036)

The Gawker hack has completely disenfranchised [reference.com] their users

That's quite a hack, depriving users of their right to vote...

Re:With big words come big responsibility (1)

MozeeToby (1163751) | more than 3 years ago | (#34563298)

Indeed, I think they were looking for "disenchanted".

Re:With big words come big responsibility (0)

Anonymous Coward | more than 3 years ago | (#34563926)

They've been reduced to magical dust?

Re:With big words come big responsibility (1)

BradleyUffner (103496) | more than 3 years ago | (#34563340)

The Gawker hack has completely disenfranchised [reference.com] their users

That's quite a hack, depriving users of their right to vote...

disenfranchise
verb \dis-in-fran-chz\
Definition of DISENFRANCHISE
transitive verb
: to deprive of a franchise, of a legal right, or of some privilege or immunity

Passwords are a failure (4, Insightful)

RzUpAnmsCwrds (262647) | more than 3 years ago | (#34563042)

The big lesson here is not that you should never get breached, or that you should use some super-secure password, or that you should use a different password on every site (you should).

No, the real lesson is that passwords themselves are faulty. No one is going to select and memorize a strong password for every website they use. They're going to either re-use passwords, or choose weak passwords, or write their passwords down (or use a password manager).

None of these are good answers. The expectation is that users are going to choose strong passwords, that they will never re-use passwords, that hashes (even with salt) are an effective way to protect passwords, and that users will never be tricked into revealing their password.

It's bullshit. It's always been bullshit. Users aren't careful with passwords, and why would we expect them to be - 99.9% of the time they get away with it. Humans are bad at evaluating the risk of things that are low frequency but high impact.

The other thing that's bullshit is password reset. It doesn't make any sense: how can someone who forgot their password remember "security questions" that are actually secure? No, 99 times out of 100 these systems use some crap like "Where were you born", which is pretty damn trivial to find out for any attacker. My brokerage account has a secure password that I only use there, but resetting the password requires only my username, SSN, ZIP code, and last name. And there are far, far more people who know that stuff than people who know my password.

It's time to get serious about replacing passwords. That's the lesson here.

Re:Passwords are a failure (4, Interesting)

bl4nk (607569) | more than 3 years ago | (#34563224)

The "security questions" weakness is exactly how Sarah Palin's email account was broken into.

If they're not required for logging in I always fill the security question answers with a long string of random characters, effectively making them unusable for password recovery.

Some of us are more fortunate (4, Funny)

Moraelin (679338) | more than 3 years ago | (#34563242)

Well, some of us were more fortunate there.

I was born in the quaint town of P5$+19"797q4. It's lovely in the spring. You should visit. My mother's maiden name was B192zve8p6; an ancient and distinguished family, if you must ask. My first pet was a cat named Ö8z~30+r.vd. We all loved her. And I went to ß8s8h,u:82 memorial school.

Strangely enough, nobody ever guesses those ;)

Re:Some of us are more fortunate (5, Funny)

glodime (1015179) | more than 3 years ago | (#34563610)

That's strange. All I see is ********** for the names of your cat, school, hometown, and mother's maiden name.

Re:Some of us are more fortunate (1)

RzUpAnmsCwrds (262647) | more than 3 years ago | (#34564072)

I do that too, but sometimes it bites you in the ass - my credit card bank, for example, occasionally asks one of those questions in addition to the password.

Re:Passwords are a failure (1)

sourcerror (1718066) | more than 3 years ago | (#34563286)

As I see it, the best thing you can get is some fortified password manager. I'm not sure how secure the manager of Firefox is. After all, JS in Firefox can do pretty powerful things, you can do plugins and whatnot, so I can imagine some JS exploit, either through JS engine failure, or making a plugin that claims to be something else than it actually is (e.g. Flash video downloader, or whatnot; just wait for the password manager to fill in the field and your evil script does an Ajax push in the background). But of course this is mere speculation. I'm not really familiar with Firefox internals.

Re:Passwords are a failure (0)

Anonymous Coward | more than 3 years ago | (#34563572)

It all depends what you are trying to protect. In this case, passwords were only protecting somebody's ability to post a comment, not launch nuclear missiles.

Re:Passwords are a failure (1)

asvravi (1236558) | more than 3 years ago | (#34563576)

My brokerage account has a secure password that I only use there, but resetting the password requires only my username, SSN, ZIP code, and last name.

Well I just checked and your brokerage account doesn't seem to have much funds in it anyway.. so relax. By the way, your new password is "0wned". Don't mention it.

Re:Passwords are a failure (1)

horza (87255) | more than 3 years ago | (#34563748)

Why is a password manager not a good answer? I use KeePassX and generate a random string for each and every login. It's even easier than trying to remember more than one password. Simply copy and paste the password each time (also defeating any keylogger you may have installed).

Phillip.

write passwords down or use a password manager (1)

wiredog (43288) | more than 3 years ago | (#34563762)

Nothing wrong with that. A piece of paper in my wallet is reasonably secure, and I'll notice fairly quickly if it's missing. Especially if I use an algorithmic password.

Re:Passwords are a failure (1)

DerekLyons (302214) | more than 3 years ago | (#34564010)

No, 99 times out of 100 these systems use some crap like "Where were you born", which is pretty damn trivial to find out for any attacker.

Only if you're stupid enough to use the most obvious answer. In my case I could use the name of the city like pretty much everyone else - but I use something else that is technically correct, easily remembered by me, and non-obvious to the random hacker. (I.E. something that can't be found by searching public records and isn't something like 'a hospital'.)

Re:Passwords are a failure (1)

John Hasler (414242) | more than 3 years ago | (#34564018)

...resetting the password requires only my username, SSN, ZIP code, and last name. And there are far, far more people who know that stuff than people who know my password.

Use a unique random string as a username.

hire the hackers (0)

Anonymous Coward | more than 3 years ago | (#34563102)

If Gawker had any sense, they would hire the hackers to do their security.

Gee I don't know - how about (0)

Anonymous Coward | more than 3 years ago | (#34563124)

Don't fucking store the original unsalted password in your database? Muppets.

Whoops (1)

Gunkerty Jeb (1950964) | more than 3 years ago | (#34563158)

Consider user's revised to users and disenfranchised revised to discouraged. I'll try to be less of an animal in the future.

Why did they even need passwords? (3, Interesting)

scrotch (605605) | more than 3 years ago | (#34563162)

What I'm left wondering is why someone should need a username and password to comment on a blog post on their sites. Do they have a reputation system? Does it really prevent spam? Or is it just to gather a list of email addresses that they might sell later? There must be a better way to accomplish the little functionality that their login requirement provides. Especially now that they have to deal with the fact that their login system was not secure.

Re:Why did they even need passwords? (1, Informative)

DCFusor (1763438) | more than 3 years ago | (#34563518)

I run a small board, using PHPBB. I require real signons, and yes, it helps prevent spam. The user's email is collected, but I can't see it at all unless they also put it in their profile on purpose. It's actually a pain not to have my users' emails, not because I'd ever sell them (most are both cheapskates and too smart to fall for spam anyway) -- but because sometimes you want to ping on someone who hasn't signed on for a long time (also, to make sure they are real), and the private messaging obviously doesn't work if they don't log on. I can't see their passwords either, they are hashed before going into the database I believe. I don't allow anonymous cowards on my board. Anything someone has to say they can either say with their real name, or somewhere else. This also keeps the post quality higher. No astroturfing. I'm not saying it's hack proof, I really doubt it is. But in my case it seems good enough, and I do keep backups. Since it's a science discussion, there's not much to encourage hacking anyway.

Re:Why did they even need passwords? (1)

Karrde712 (125745) | more than 3 years ago | (#34563914)

What I'm left wondering is why someone should need a username and password to comment on a blog post on their sites. Do they have a reputation system? Does it really prevent spam? Or is it just to gather a list of email addresses that they might sell later? There must be a better way to accomplish the little functionality that their login requirement provides. Especially now that they have to deal with the fact that their login system was not secure.

There are two primary reasons to require logins:
1) A registration system with a captcha is highly-effective at preventing spam on your blog comments or forum posts.
2) To a greater or lesser degree, it prevents people from impersonating you. Sure there are ways to trick this (create a username that's one lookalike character off, etc.) but on the whole it makes it easier to recognize who you're talking to.
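The "one lookalike character off" impersonation in point 2 is something a registration system can check for at signup. The following is an added example in Python, not code from the thread or from any site discussed in it: it folds a username down to a confusable-insensitive skeleton before comparing it with existing names. The lookalike tables are a constructed subset; a real deployment would use the full Unicode confusables data.

```python
import unicodedata

# Constructed lookalike tables (a small subset of Unicode's confusables data).
# Applied before case folding, because capital I and lower-case l only look
# alike in their original case.
ASCII_LOOKALIKES = {"0": "o", "1": "l", "|": "l", "I": "l"}
# Applied after case folding, so only lower-case Cyrillic letters need listing.
SCRIPT_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0455": "s", "\u0456": "i", "\u0458": "j",
}
SEPARATORS = "._- "


def skeleton(username):
    """Collapse a username to roughly what a reader's eye sees.

    Used only for collision detection; the original spelling is what is displayed.
    """
    s = unicodedata.normalize("NFKC", username)      # fullwidth forms, ligatures
    s = "".join(ASCII_LOOKALIKES.get(ch, ch) for ch in s)
    s = s.casefold()
    s = "".join(SCRIPT_LOOKALIKES.get(ch, ch) for ch in s)
    return "".join(ch for ch in s if ch not in SEPARATORS)


class UsernameRegistry:
    """Rejects a new name whose skeleton already belongs to someone else."""

    def __init__(self):
        self._by_skeleton = {}

    def register(self, username):
        """Return True if the name was accepted, False if it collides."""
        key = skeleton(username)
        if key in self._by_skeleton:
            return False
        self._by_skeleton[key] = username
        return True

    def lookalike_of(self, username):
        """Return the existing display name this one would be mistaken for, or None."""
        return self._by_skeleton.get(skeleton(username))


if __name__ == "__main__":
    reg = UsernameRegistry()
    reg.register("CmdrTaco")
    for candidate in ["CmdrTac0", "Cmdr_Taco", "\u0421mdrTaco", "\uff23mdrTaco", "Hemos"]:
        print(repr(candidate), "->", reg.lookalike_of(candidate))
```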

Re:Why did they even need passwords? (1)

Anonymous Coward | more than 3 years ago | (#34564064)

What I'm left wondering is why someone should need a username and password to comment on a blog post on their sites. Do they have a reputation system? Does it really prevent spam? Or is it just to gather a list of email addresses that they might sell later? There must be a better way to accomplish the little functionality that their login requirement provides. Especially now that they have to deal with the fact that their login system was not secure.

As someone that runs a site (not a blog), I can tell you that spammers are a PITA. Not having any registration would've meant the site would have been quickly overrun with spam, and I'd have no way to stop it. For registered users, deleting a user also deletes all of their posts, so the cleanup is somewhat easier. Even with registration and captchas, I still had problems, so I disallowed self-registration in favor of manually creating new accounts. Slower, yes. But the spam situation is much better since then; I no longer spend hours each day cleaning up the mess.

Gawker's failure? (1)

rwa2 (4391) | more than 3 years ago | (#34563264)

Meh, I'd always used Facebook Connect to post comments to their sites. Probably the first mildly useful thing Facebook has done for me.

So at worst, I probably have my spam email address out there in that torrent. Big deal. It's posted all over the web already (including my personal contact page).

But really, if anyone was adversely impacted by this, was it Gawker's failure, or their own for trusting some random website with a sensitive password? I don't use my good passwords for any of these "social networking" sites.... I don't care WHAT their reputation or privacy policy says :P

It's not like CmdrTaco isn't free to break into my /. account and start OMG I LIKE TURTLES HAMSTER HAVOC RULEZ!

What Gawker should do (1)

GeneralSecretary (1959616) | more than 3 years ago | (#34563296)

They should toss out their own lousy system and switch to Wordpress with Disqus for commenting. They should switch to use OpenID instead of passwords. They should at the very least hash passwords not encrypt them.

My Favorite Lesson (1)

cdoggyd (1118901) | more than 3 years ago | (#34563528)

Don't poke the bear. You have to be stupid or cocky to taunt hackers.

Re:My Favorite Lesson (1)

countSudoku() (1047544) | more than 3 years ago | (#34563878)

I think of it as more like dancing in a rattlesnake pit. It's a funny dance, but it does not last very long.

I also like to say my scripts are as awesome as a unicorn that shits out Milk Duds.

Analogies are fun, aren't they!

Single login = single point of failure (2)

Animats (122034) | more than 3 years ago | (#34563768)

This is the trouble with "single login" systems. Now there's a single point of failure.

Single login requires a trusted organization with a good reputation willing to contractually commit to paying for the damages if they screw up. But look who's in the business: Gawker. Facebook. Microsoft. Google. That's no good.

If anyone were to do this well, it might be Amazon. Amazon is not an advertising-supported business. They take orders, accept payments, and ship real products. As a major credit card merchant selling physical objects for which they pay real money, they constantly have people trying to steal merchandise from them. So their management has to understand the risks of authentication failures. Amazon has a powerful and well-respected distributed computer infrastructure, which tends to stay up despite problems. So they could probably implement a single login system that could be trusted.

Why mess with 4chan? (1)

stumblingblock (409645) | more than 3 years ago | (#34563774)

Foolish and arrogant to badmouth 4chan, or any other potentially damaging organization, especially if you have an online commodity you wish to protect. Gawker shows itself to be no more mature than 4chan when it does.

Gwaker (0)

Anonymous Coward | more than 3 years ago | (#34563814)

Gwaker was hacked by another punk genius billionaire, who inadvertently invented something or rather and then called all gwakers F* this or F* that. The manner in which he accomplished this consisted of looking at an existing script kiddie's work and implementing it on gwaker. His genius comes from the fact that no one has ever hacked a gwaker before! The end.

Even email they sent to everyone looked fake (0)

Anonymous Coward | more than 3 years ago | (#34563924)

Even the email they sent to everyone about their account being compromised looked fake. Links to three different domains? Come on guys! Link to your own site (you know, gawker.com), not something that looks like a URL redirection service.

Subject: Gawker Comment Accounts Compromised -- Important
From: "Gawker Media"
Date: Mon, 13 Dec 2010

This weekend we discovered that Gawker Media's servers were compromised,
resulting in a security breach at Lifehacker, Gizmodo, Gawker, Jezebel,
io9, Jalopnik, Kotaku, Deadspin, and Fleshbot. As a result, the user name
and password associated with your comment account were released on the
internet. If you're a commenter on any of our sites, you probably have
several questions.

We understand how important trust is on the internet, and we're deeply
sorry for and embarrassed about this breach of security. Right now we
are working around the clock to improve security moving forward. We're
also committed to communicating openly and frequently with you to make
sure you understand what has happened, how it may or may not affect you,
and what we're doing to fix things.

This is what you should do immediately: Try to change your password in
the Gawker Media Commenting System. If you used your Gawker Media
password on any other web site, you should change the password on those
sites as well, particularly if you used the same username or email with
that site. To be safe, however, you should change the password on those
accounts whether or not you were using the same username.

We're continually updating an FAQ (http://lifehac.kr/eUBjVf) with more
information and will continue to do so in the coming days and weeks.

Gawker Media

=========
You are receiving this email because your email
address was associated with a Gawker Media user
account. We are using this list only for the
purpose of sending you this important notification.

Unsubscribe [deleted]@[deleted] from this list:
http://gawkermedia.us2.list-manage.com/unsubscribe?u=%5Bdeleted%5D [list-manage.com]

Our mailing address is:
Gawker Media
210 Elizabeth St
Floor 4
New York, New York 10012
