
Gawker Hack Release Note - DanielRibeiro
http://www.codinghorror.com/blog/gawker-hack-release-notes.html
======
jsdalton
drivingmenuts used the word "burn" in a comment in this thread, which for some
reason brought an apt metaphor for this whole debacle to my mind.

It seems to me that the group behind this are not much different from
arsonists: They light a torch to someone's property for the sole pleasure of
watching it burn.

A lot of the commentary around this incident has focused on Gawker's poor
security practices (and rightly so, there really isn't an excuse for many of
them). But how many buildings in real life are totally immune from being
burned to the ground by someone with a match and a can of gasoline and the
will to use them?

What prevents arsonists from running amok in our society is not technology
for 100% fireproofing every last building, but rather astute law enforcement
and an effective legal system.

It's interesting to me to observe that many people seem to think the fault
lies with the victim, when perhaps the "fault" lies with a law enforcement
system that is seemingly incapable of investigating and prosecuting people for
these kinds of crimes.

~~~
Xk
That's a nice metaphor, but I think it is wrong at a very critical level. If
these crackers had gone after a single user and decided to trash his webpage,
release his emails, and ruin his life, then yes, I would agree with you --
they would be like a bunch of arsonists.

Let's assume a different metaphor. LargeBank offers people the option of
storing their personal antique items there -- items which have significant
emotional value to them. One day, the bank is robbed because the robbers
smashed through glass doors to get in, encountered no security guards, and the
bank never changed the default PIN on the bank vault. Yes, it is the fault of
the bank robbers for taking the money. But seriously, these people had
entrusted the bank with their property. It is the bank's fault for not even
attempting to secure it properly.

EDIT: I do agree that by releasing their passwords, they have opened their
users up to possible attacks which release their emails and trash their
websites. And in this way I agree with you: the attackers have done this for
the joy of attacking. However, I still place a large portion of the blame on
Gawker.

~~~
mixmax
What you're basically saying is, to stay with the arsonist metaphor, that if
an arsonist burns a house down to the ground he should be prosecuted, but if he
burns down the whole village it's as much the village's fault as it is the
arsonist's -- they should have fireproofed the thing.

I strongly disagree. Crackers should be prosecuted, whether they had an easy
job or not.

~~~
Xk
I am not disagreeing. I believe these crackers should serve jail time just as
much as you do. I am just stating that I do not lift blame from Gawker.

~~~
hugh3
So it's the old short-skirt-leads-to-rape argument again? On one hand, rape is
entirely the fault of the rapist. On the other hand, it's still not a good
idea to walk alone down a dodgy alley late at night wearing a short skirt or
to go back to Julian Assange's hotel room. Discussing one point shouldn't
detract from the other.

~~~
Xk
No, I'm not trying to argue that at all. That case is entirely the rapist's
fault.

The difference I am trying to make is people have trusted (maybe wrongly)
Gawker to protect their information. Gawker failed to do so.

------
wccrawford
I don't endorse 4chan's actions in any way, but a little common sense should
tell you:

Don't ---- with 4chan! They will retaliate. Brutally.

It's like walking up to the biggest kid in school and spitting on his shoes.
The teachers will not save you in time. Yeah, eventually the bully will get
his... But by then, the damage to you is already done.

After reading the logs they posted, I'm amazed at how much smack they talked
about 4chan. Not bright.

~~~
genieyclo
This was not 4chan. Not affiliated with 4chan either. Reading the dump shows
this is a group calling themselves "Gnosis".

------
citricsquid
I don't get it, this was posted here days ago and we all discussed it then?
Why has it been uploaded to codinghorror now? heh.

~~~
DanielRibeiro
Jeff Atwood directly linked it from his recent blog post on the issue:
http://www.codinghorror.com/blog/2010/12/the-dirty-truth-about-web-passwords.html

------
matwood
I'm assuming that the emails *@gawker.com are people who work for gawker. Do
they not enforce ANY password standards??

------
drivingmenuts
Sad. Some people just want to watch the world burn.

------
bobx11
It's sad that they took it to this level, but Gawker hopefully learned a
lesson from this, and in the process so did pretty much every other big
content publishing site. I would say this is an overall good event so that
people know they have to change their passwords to something more secure and
hopefully more sites implement a single sign on solution. I'm going to change
my twitter password to something way more secure and use that as my passport
for sites like this in the future and probably will push my sites to move in
that direction too.

------
aeurielesn

      Gawker uses a really outdated hashing algorithm known as DES
      (Data Encryption Standard)[...] Because DES has a maximum of
      8 chars [...] If your password is longer than 8 characters you
      only need to enter the first 8 characters to log in!
      [...]
      PEOPLE USING PASSWORD AS THEIR PASS!!!!!

I never saw DES's 8-character limitation and the 8-character password so
clearly before.
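The truncation the release notes describe is easy to audit from the outside: if a login still succeeds after you append junk to the real password, the store is only looking at a prefix. The following is an added example, not code from the release notes, from Gawker, or from anyone in this thread. Traditional DES-based crypt(3) keys DES with at most the first 8 bytes of the password and ignores the rest; the `legacy_hash` below is a constructed stand-in that reproduces that truncation with SHA-256 so the script runs anywhere without the `crypt` module, and it is not DES. The `modern_hash` contrast uses PBKDF2-HMAC-SHA256 over the whole password. The sample password and all function names are mine.

```python
"""Probe a password verifier for silent prefix truncation.

Added example. `legacy_hash` is a constructed stand-in for the
DES-based crypt(3) behaviour described above (only the first 8
characters of the password affect the hash); it is not DES itself.
"""
import hashlib
import hmac
import os

# --- constructed stand-ins for two kinds of password store -----------------

def legacy_hash(password: str, salt: bytes) -> bytes:
    # Stand-in for DES crypt(3): only the first 8 characters are used,
    # so "password" and "password123" produce the same hash.
    return hashlib.sha256(salt + password[:8].encode()).digest()

def modern_hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 over the full password. Iteration count kept
    # low for the demo; use a much higher one in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)

def make_verifier(hash_fn, password: str):
    """Enrol `password` under `hash_fn` and return verify(candidate) -> bool."""
    salt = os.urandom(16)
    stored = hash_fn(password, salt)

    def verify(candidate: str) -> bool:
        return hmac.compare_digest(hash_fn(candidate, salt), stored)

    return verify

# --- the audit: treat the verifier as a black box --------------------------

def effective_length(verify, password: str) -> int:
    """Length of the shortest prefix of `password` that `verify` accepts.

    A result smaller than len(password) means the store truncates and
    every character past that point adds no strength at all.
    """
    for n in range(1, len(password) + 1):
        if verify(password[:n]):
            return n
    return len(password)

def accepts_suffix_garbage(verify, password: str) -> bool:
    """True if appending junk still logs in: the classic crypt(3) tell
    ("you only need to enter the first 8 characters")."""
    return verify(password + "XXXX")

if __name__ == "__main__":
    pw = "correcthorsebatterystaple"  # constructed sample password
    for name, hash_fn in (("legacy", legacy_hash), ("modern", modern_hash)):
        v = make_verifier(hash_fn, pw)
        print(f"{name}: effective length {effective_length(v, pw)} of {len(pw)}, "
              f"junk suffix accepted: {accepts_suffix_garbage(v, pw)}")
```

Run against the legacy stand-in the probe reports an effective length of 8 and accepts the junk suffix; against the PBKDF2 store it reports the full 25 and rejects it. The same two checks work against any real login endpoint where you control one account, which is how a practitioner would confirm the claim in the notes without needing the hash dump.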

