
Gawker Media hacked - zeedotme
http://thenextweb.com/media/2010/12/12/gawker-media-is-compromised-the-responsible-parties-reach-out-to-tnw/
======
redthrowaway
Gah... The problem here is that this likely won't hurt Gawker very much. It
will, however, hurt the people whose accounts were compromised. Gawker was
asking for it; they weren't.

I don't support the crackers here, but I do have to admit to a little
schadenfreude at seeing Gawker get taken down a peg. Not only are they a
worthless tabloid, but they're dicks about it, too.

~~~
brown9-2
How were they "asking for it"?

~~~
redthrowaway
Directly, by taunting and baiting and saying they were unhackable, not afraid
of 4chan, etc. Granted, 4chan had nothing to do with this, but it doesn't
matter. They were cocky and they got burned.

~~~
cmelbye
Yeah, they were literally asking for it.

------
netaddict
Here is the list of Gawker passwords along with MySQL, FTP accounts
<http://pastebin.com/9rRmf6W5>

Thousands of people still use "password" as their password.

~~~
Qz
Is this gawker.com only? I have accounts on related sites like kotaku and
jezebel, but I don't see any of them in that list.

~~~
tsigo
The list on that pastebin is only a sample of what they bothered to crack
themselves (easy passwords like "password" and "qwerty"). The torrent posted
in another comment contains the entire database.

------
wallflower
Holy page views, Batman!

Screenshot from Quantcast showing 409M page views, 31.4M visitors a month in
aggregate for all Gawker Media properties

"My job was to write twelve posts a day about 'media gossip,' which meant
anything unpleasant or otherwise intriguing about anyone who had power in any
Manhattan culture industry. There had to be enough posts so that whoever was
sitting at my old desk at the publishing house, and everyone in Manhattan like
her, could read something new when boredom struck."

Excerpt from book by Emily Gould, ex-Gawker, infamous blogger

------
tenaciousJk
And now it's been released on TPB
<http://news.ycombinator.com/item?id=1998642>

------
citricsquid
<http://gawker.com/5712646/advisory-notice-no-action-required>

is this a joke or what? I never do understand gawker.

~~~
wigginus
Doesn't look like a joke:
<http://twitter.com/Adrianchen/status/14069191178985472>

------
tptacek
Contrary to Gawker's claim, the Unix standard hash function crypt(3) has been
crackable since at least 1990. It is salted, by the way.

~~~
shortformblog
It's not Gawker's claim. It's the hacker's. Adrian Chen didn't write that
post.

~~~
tptacek
Contrary to some hacker's claim, the Unix standard hash function crypt(3) has
been crackable since at least 1990. It is salted, by the way.

~~~
citricsquid
Contrary to some hacker's humorous remark intended to mock gawker, the Unix
standard hash function crypt(3) has been crackable since at least 1990. It is
salted, by the way.

~~~
tptacek
I'm just making fun of salting. Is that OK with you? :P

------
shortformblog
Whoever attacked threw up a torrent of Gawker's stuff. On one hand, Gawker
Media has been asking for something like this with their somewhat arrogant
coverage of late (iPhone 4, Brett Favre, Christine O'Donnell, etc.). On the
other … a million users getting their passwords hacked is VERY bad form.

~~~
upisdown
Oh come on, it's not destroyed - the site is still up. They are hardly a news
organization. If anything they are a tabloid.

They were making incredibly stupid mistakes while convincing people they were
responsible and knowledgeable. I was hearing their bullshit on NPR like it
was tech gospel.

Now they are exposed for the frauds they are.

~~~
shortformblog
I missed the part where I said that the site was destroyed.

They ARE a news organization, however. And they get it right more often than
not. Which is why people read them. Do those people (who honestly suffered
more due to this hack than Gawker ever will) deserve this? No.

They aren't frauds; they're provocative. There's a difference. They weren't
claiming to be tech gods. And to trash them as "frauds" for their weak
security is like trashing an athlete for not being a good writer. There are
two different standards here.

And do you know how many newspapers make stupid mistakes? A lot of them.
Gawker has a staff a tenth of the size of your average national newspaper
yet pulls in a similar number of viewers. Making stupid mistakes comes with
the territory with journalism. Even the big boys screw up.

Dislike Gawker because they're arrogant. Don't read them if you think they
are. Don't suggest they're "frauds" though.

------
nhangen
Amazing how quickly the comments on that post degraded, especially over a
question that deserved to be asked.

------
carbocation
So I take it they just hashed and didn't HMAC. Was it just plain old
MD5(password)?

Unrelatedly, does HN HMAC?

~~~
updog
Are you confusing HMAC with salting?

~~~
tptacek
Can I preempt a really boring recap of a discussion that happens on HN at
least 3 times per fiscal quarter with:

<http://news.ycombinator.com/item?id=1091104>

Short answer: the acceptable password hashes are bcrypt, scrypt, or PBKDF2. In
all likelihood, anything that isn't one of those three gets you in the news
for losing passwords when your site gets hacked.

~~~
yuhong
To be more precise, any secure _iterated_ hash using a sufficient number of
iterations and a salt.
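As an added illustration of the point carbocation, tptacek and yuhong are circling (this is example code written for this page, not anything from the thread, from Hacker News or from Gawker's systems): a plain fast hash such as MD5(password) lets anyone holding a leaked table spot every user who chose "password" without cracking a thing, because identical passwords produce identical digests, whereas a salted, iterated scheme such as PBKDF2 gives every user a distinct stored value and makes each guess cost a configurable amount of work. The usernames and passwords below are constructed, and the iteration count is an assumption to be tuned to roughly 100 ms on the hardware doing the verification.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample accounts (not real data): two users picked the same weak
# password, a third picked a passphrase.
SAMPLE_USERS = {
    "alice": "password",
    "bob": "password",
    "carol": "correct horse battery staple",
}

# Assumption: iteration count chosen for illustration; tune it so that one
# verification costs on the order of 100 ms on your own servers.
PBKDF2_ITERATIONS = 100_000


def unsalted_md5(password: str) -> str:
    """The weak scheme discussed in the thread: one fast, unsalted hash."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256).

    Returns a self-describing string 'pbkdf2_sha256$iterations$salt$digest'
    (hex fields) so the parameters travel with the stored value and can be
    raised later without a flag day.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random per-user salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in
    constant time so the comparison itself leaks nothing."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def duplicate_password_groups(table: Dict[str, str]) -> Dict[str, List[str]]:
    """Group usernames whose stored hash is identical.

    Run over an unsalted table this exposes shared passwords for free; run
    over a per-user-salted table it returns nothing, which is the property a
    defender wants a leaked table to have.
    """
    groups: Dict[str, List[str]] = {}
    for user, stored in table.items():
        groups.setdefault(stored, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


if __name__ == "__main__":
    md5_table = {u: unsalted_md5(p) for u, p in SAMPLE_USERS.items()}
    pbkdf2_table = {u: pbkdf2_hash(p) for u, p in SAMPLE_USERS.items()}
    print("shared hashes, unsalted MD5:", duplicate_password_groups(md5_table))
    print("shared hashes, salted PBKDF2:", duplicate_password_groups(pbkdf2_table))
    print("verify alice:", pbkdf2_verify("password", pbkdf2_table["alice"]))
    print("verify wrong:", pbkdf2_verify("Password", pbkdf2_table["alice"]))
```

The stored format is the usual "algorithm, parameters, salt, digest" layout that bcrypt and most PBKDF2 libraries also use; keeping the iteration count in the record is what lets a site raise the cost over time as hardware gets faster, which is the "sufficient number of iterations" yuhong mentions.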

