T/S: Defamer v. Gawker


Due to the leak of the GANJA framework from within our company

GANJA

deej me how to whiney (dayo), Monday, 13 December 2010 00:11 (thirteen years ago) link

This story is somewhat entertaining. It’s also a legendary clusterfuck.

BTW: Gawker still hasn’t notified users. WTF.

Allen (etaeoe), Monday, 13 December 2010 05:21 (thirteen years ago) link

The discussion on Hacker News that's a worthwhile read:

http://news.ycombinator.com/item?id=1998642

Some choice quotes:

This is serious. I just checked out the torrent with the text file of the 200,000 cracked passwords. I searched for @me.com account and logged into someone's apple account. It was possible for me to order stuff via their account. I quickly emailed the guy to let him know to change his password. Gawker needs to take responsibility of this situation and email everyone in their database.

Edit 2: Wow: I know a lot of people on this list. I'm letting them know, and recommend that others scan on behalf of friends and family as well. I've been told that there has not been active communication; wish gawker would confirm either way.

A quick search shows staff email addresses at techcrunch, apple, microsoft, google, goldman sachs, etc.

All the usernames and passwords for users with ✧@lifehac✧✧✧.c✧✧, @gawker.com, etc. email addresses in the torrent (plaintext, not hashed). The torrent claims Nick Denton’s password was an 8-character sequence of even numbers, and that he used it everywhere. (Edit in reply: The hackers used this on e.g. his Twitter account IIRC so it wasn’t truncated to 8 characters.) Some of them are even '11223344' or a substring of the author’s username!

Allen (etaeoe), Monday, 13 December 2010 05:24 (thirteen years ago) link

obv this will be seen more seriously than a simple ddos attack & might lead to some prosecution down the road

nice for max to have a night off, tho

ad hom alone (J0rdan S.), Monday, 13 December 2010 05:26 (thirteen years ago) link

For Gawker? Or “Gnosis”?

I suspect it won’t be “Gnosis” since it’s evident from this dump that Gawker’s engineering and I.T. department is shockingly amateurish (e.g. using DES hashes and running everything off of an individual DB schema). Is Gawker liable for their incompetence and bizarrely deficient security practices?

We protect our data with UNIX Standard hash encryption method crypt(3), which is absolutely 100% impossible to crack.

LOLZ. Goodnight.

Allen (etaeoe), Monday, 13 December 2010 05:43 (thirteen years ago) link

FYI: http://undertow.jedsmith.org/gawker/

Allen (etaeoe), Monday, 13 December 2010 05:48 (thirteen years ago) link

Is Gawker liable for their incompetence and bizarrely deficient security practices?

maybe? i don't know the law about this kinda thing, but i suspect if a bank leaves $100,000 lying out on its tables, it's still not okay for you to steal it

ad hom alone (J0rdan S.), Monday, 13 December 2010 05:51 (thirteen years ago) link

http://pastebin.com/9rRmf6W5

vladimir pootawn (am0n), Monday, 13 December 2010 05:53 (thirteen years ago) link

I think the real mistake was in creating a gawker account

deej me how to whiney (dayo), Monday, 13 December 2010 05:53 (thirteen years ago) link

lol good luck w/ the "prosecution"

vladimir pootawn (am0n), Monday, 13 December 2010 05:55 (thirteen years ago) link

we need to find max

tickle me imo (s1ocki), Monday, 13 December 2010 06:00 (thirteen years ago) link

He's probably out posting tweets about acai berries.

James Mitchell, Monday, 13 December 2010 10:12 (thirteen years ago) link

not really supposed to talk abt this but uh we'd notified users by 3:30 pm yesterday, before the torrent was even released

max, Monday, 13 December 2010 13:14 (thirteen years ago) link

not really supposed to talk abt this but uh we'd notified users by 3:30 pm yesterday, before the torrent was even released

My e-mail was included and I wasn't notified. I also haven't heard anyone claim that they've been contacted by Gawker. However, this morning I received an e-mail from hint.io (???) informing me about the hack and recommending that I change my password.

BTW: Supposedly, there's going to be another dump this afternoon.

Allen (etaeoe), Monday, 13 December 2010 13:28 (thirteen years ago) link

From Felix Salmon:

Update: Gawker Media now has a FAQ up, which stops short of an apology. What Gawker didn’t do — but what the good people at Hint did do — is email everybody whose email and password were made public, to inform them of that fact. “In situations like this, time is of the essence, which is why we were surprised & shocked to find that Gawker Media hadn’t taken the initiative to notify you of this privacy breach immediately,” they wrote. I’m with them: Gawker should have done what Hint did. But, thankfully, now they don’t need to. And if you haven’t received an email from Hint, there’s a good chance that your email and password have not been made public.

http://blogs.reuters.com/felix-salmon/2010/12/13/gawker-media-gets-hacked/

Allen (etaeoe), Monday, 13 December 2010 13:32 (thirteen years ago) link

I hacked my mate's facebook account so I could write stuff in his status. His password was his surname. When he discovered that someone had hacked it he changed his password.... to password. When his statuses started changing again he just started commenting on them saying "WHO ARE YOU!!!" instead of changing his password again because he thought it was impossible someone could have guessed it twice.

cozen, Monday, 13 December 2010 14:18 (thirteen years ago) link

I suspect it won’t be “Gnosis” since it’s evident from this dump that Gawker’s engineering and I.T. department is shockingly amateurish (e.g. using DES hashes and running everything off of an individual DB schema). Is Gawker liable for their incompetence and bizarrely deficient security practices?

I think it's pretty obvious that Gawker got hardpwned because of some pretty egregious security practices on the part of administrators who should know better, but if you leave your house key under the doormat, people are still criminals if they use them to come in and steal your shit.

That said, Gawker Media is still waaaay understating the risk here, and should be contacting all users via email. It's true that there was some level of obfuscation on user email addresses/passwords, but someone had access to the full database, the source code, and root access on the server. There's nothing in that database that's completely safe.

mh, Monday, 13 December 2010 14:56 (thirteen years ago) link

XD

vladimir pootawn (am0n), Monday, 13 December 2010 15:16 (thirteen years ago) link

i think max should write each user individually

tickle me imo (s1ocki), Monday, 13 December 2010 15:26 (thirteen years ago) link

For that personal touch, yes.

Man, that reminds me of some guy we interviewed for a job at work who sent a handwritten thank you card to each person who interviewed him. He seemed like a nice dude, but was way desperate and had no ability to answer technical questions in an interview. I left that damn card unopened on my desk for two weeks because I didn't need a guilt complex.

mh, Monday, 13 December 2010 15:29 (thirteen years ago) link

^^^are you UK or US? this is apparently more of a thing in the US but it bO_Oggled my mind when they were discussing it in the dole thread

cozen, Monday, 13 December 2010 16:20 (thirteen years ago) link

http://www.zarcrom.com/users/yeartorem/awards/gawking.jpg

buzza, Monday, 13 December 2010 17:08 (thirteen years ago) link

yeah why the hell did i make a gawker account

k3vin k., Monday, 13 December 2010 17:26 (thirteen years ago) link

I got what I thought was a spam email abt this. What do I need to do?

Is it the reason my laptop was afflicted w/ System Tool virus for 4 hours Saturday?

kind of shrill and very self-righteous (Dr Morbius), Monday, 13 December 2010 17:39 (thirteen years ago) link

NYC goin' down

would like a calmer set (Eazy), Monday, 13 December 2010 17:41 (thirteen years ago) link

morbs if you use the same pw on any other site, change em

tickle me imo (s1ocki), Monday, 13 December 2010 17:42 (thirteen years ago) link

oh, like I remember what my Gawker password is!

kind of shrill and very self-righteous (Dr Morbius), Monday, 13 December 2010 17:47 (thirteen years ago) link

try qwerty or 12341234

vladimir pootawn (am0n), Monday, 13 December 2010 17:52 (thirteen years ago) link

metsfan

http://tinyurl.com/ccccccccccccccccc (Pleasant Plains), Monday, 13 December 2010 17:53 (thirteen years ago) link

or password

vladimir pootawn (am0n), Monday, 13 December 2010 17:53 (thirteen years ago) link

filmbuff

vladimir pootawn (am0n), Monday, 13 December 2010 17:53 (thirteen years ago) link

pa$$word

http://tinyurl.com/ccccccccccccccccc (Pleasant Plains), Monday, 13 December 2010 17:54 (thirteen years ago) link

gawker

http://tinyurl.com/ccccccccccccccccc (Pleasant Plains), Monday, 13 December 2010 17:54 (thirteen years ago) link

sizemore

mc cockeyed optometrist (brownie), Monday, 13 December 2010 17:56 (thirteen years ago) link

I usually use the same unguessable password whenever I can

kind of shrill and very self-righteous (Dr Morbius), Monday, 13 December 2010 17:57 (thirteen years ago) link

also, waiting for one funny one

kind of shrill and very self-righteous (Dr Morbius), Monday, 13 December 2010 17:57 (thirteen years ago) link

http://stevelundeberg.mvourtown.com/files/2010/06/password.jpg

buzza, Monday, 13 December 2010 17:58 (thirteen years ago) link

pw: unguessable

vladimir pootawn (am0n), Monday, 13 December 2010 17:58 (thirteen years ago) link

On November 11, Dr. Morbius received a notice that he had set up a new username and password at Gawker chat rooms. Because he knew he did not request this, and also had been told by someone else that he had been logged into Campfire (but also knew he had not), he asked members of his team to investigate. He did not however bother to change any of his other accounts that used the same password as his Campfire account.

tickle me imo (s1ocki), Monday, 13 December 2010 17:59 (thirteen years ago) link

Can I do the old "I tried using 'penis' as my password but it told me it was too short" gag now, please?

James Mitchell, Monday, 13 December 2010 18:00 (thirteen years ago) link

not really trying to zing morbz. I work for a website and can peer in at user pw's. I'm just amazed at how little thought goes into them. hogsfan, gohogs, f00tball, thurman94.

And that's not just the pa$$words, birthdays and us3rnames typed with numbers. If I ever get drunk with power, I could probably have a field day reading email at AOL.com.

http://tinyurl.com/ccccccccccccccccc (Pleasant Plains), Monday, 13 December 2010 18:01 (thirteen years ago) link
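Added example, not posted by anyone in this thread and not Gawker code or data: a small audit of the weak-password patterns the HN quotes upthread and Pleasant Plains describe (passwords equal to or containing the username, digits-only strings like 11223344, pa$$word-style substitutions, the usual qwerty/password/gawker picks). The rows it runs over are made up for illustration. It also groups passwords by their first eight characters, because traditional DES crypt(3), the scheme Allen quotes Gawker bragging about, only looks at the first eight characters of a password, so anything a user typed past that point added no protection to the stored hash.

```python
"""Audit a dump of recovered plaintext passwords for the weak patterns
discussed in the thread.  Example code; SAMPLE_DUMP is constructed."""
from collections import Counter

# Constructed rows of (email, username, recovered password).  These are
# not real accounts and not taken from the Gawker torrent.
SAMPLE_DUMP = [
    ("editor@example.com", "nickd", "24682468"),
    ("fan@example.org", "metsfan", "metsfan"),
    ("qa@example.net", "filmbuff", "pa$$word"),
    ("dev@example.com", "hogsfan", "f00tball"),
    ("ops@example.com", "thurman", "thurman94"),
    ("alice@example.com", "alice", "Correct-Horse-Battery"),
    ("bob@example.com", "bob", "Correct-Horse-Staple"),
]

# Guesses named in the thread; a real audit would use a full wordlist.
COMMON = {"password", "qwerty", "12341234", "11223344", "gawker",
          "metsfan", "filmbuff"}

# Undo the usual single-character "leet" substitutions (pa$$word, f00tball).
LEET = str.maketrans({"$": "s", "0": "o", "3": "e", "@": "a", "4": "a",
                      "5": "s", "7": "t", "1": "i"})

# Traditional DES crypt(3) hashes only the first 8 characters (assumption
# stated in the lead-in; it is how the classic crypt(3) scheme is defined).
CRYPT3_LIMIT = 8


def normalize(s):
    """Lower-case and de-leet a string so 'Pa$$w0rd' compares as 'password'."""
    return s.lower().translate(LEET)


def audit(email, username, password):
    """Return the sorted list of weakness tags for one recovered credential."""
    tags = set()
    raw = password.lower()
    norm = normalize(password)
    if raw in COMMON or norm in COMMON:
        tags.add("common")
    if password.isdigit():
        tags.add("digits-only")
    # A substitution-only disguise of a plain word is still a plain word.
    if norm != raw and norm.isalpha():
        tags.add("leet-disguised")
    # Password contains, or is contained in, the username or email local part.
    # Very short identifiers are skipped to avoid trivial substring matches.
    sources = (("username", username),
               ("email-local-part", email.split("@", 1)[0]))
    for label, src in sources:
        s = normalize(src)
        if len(s) >= 4 and (s in norm or norm in s):
            tags.add("derived-from-" + label)
    # Characters past the crypt(3) limit never reached the hash.
    if len(password) > CRYPT3_LIMIT:
        tags.add("beyond-crypt3-limit")
    return sorted(tags)


def crypt3_effective(password):
    """The part of the password that crypt(3) actually hashed."""
    return password[:CRYPT3_LIMIT]


def truncation_groups(dump):
    """Users whose passwords are indistinguishable to DES crypt(3), i.e. a
    single cracked hash (under the same salt) recovers all of them."""
    groups = {}
    for _email, user, pw in dump:
        groups.setdefault(crypt3_effective(pw), []).append(user)
    return {prefix: users for prefix, users in groups.items() if len(users) > 1}


def summarize(dump):
    """Count how many rows carry each weakness tag."""
    counts = Counter()
    for email, user, pw in dump:
        counts.update(audit(email, user, pw))
    return counts


if __name__ == "__main__":
    for email, user, pw in SAMPLE_DUMP:
        print(f"{user:10} {pw!r:28} {audit(email, user, pw)}")
    print("crypt(3) collisions:", truncation_groups(SAMPLE_DUMP))
    print("summary:", dict(summarize(SAMPLE_DUMP)))
```

Running it on a real dump would mean replacing SAMPLE_DUMP with the parsed rows and COMMON with a proper wordlist; the point of the truncation check is that "thurman94" and "Correct-Horse-Battery" are both stored by crypt(3) as if the user had typed only eight characters.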

the ultimate power trip

tickle me imo (s1ocki), Monday, 13 December 2010 18:02 (thirteen years ago) link

that forbes blog post is interesting but is weirdly written, like it's been google-translated or something

tickle me imo (s1ocki), Monday, 13 December 2010 18:08 (thirteen years ago) link

Maybe written by a Polish hacker trying to throw everyone off the scent.

http://tinyurl.com/ccccccccccccccccc (Pleasant Plains), Monday, 13 December 2010 18:09 (thirteen years ago) link

sh0ts0frum

would like a calmer set (Eazy), Monday, 13 December 2010 18:11 (thirteen years ago) link
