Gawker Media hacked (thenextweb.com)
42 points by zeedotme on Dec 12, 2010 | 34 comments

Gah... The problem here is that this likely won't hurt Gawker very much. It will, however, hurt the people whose accounts were compromised. Gawker was asking for it; they weren't.

I don't support the crackers here, but I do have to admit to a little schadenfreude at seeing Gawker get taken down a peg. Not only are they a worthless tabloid, but they're dicks about it, too.

How were they "asking for it"?

Directly, by taunting and baiting and saying they were unhackable, not afraid of 4chan, etc. Granted, 4chan had nothing to do with this, but it doesn't matter. They were cocky and they got burned.

Yeah, they were literally asking for it.

Here is the list of Gawker passwords along with MySQL, FTP accounts http://pastebin.com/9rRmf6W5

Thousands of people still use "password" as their password.

How many people really care about the security of their Gawker account though? They just want to comment on a blog post; in order to do that, they must remember a password. "password" achieves that admirably. Now, if they are using "password" as the password for their bank account...they could have a real problem.

It would be great for people if tools like 1Password were more prevalent, even built in to browsers. It becomes trivial both to create and maintain an unlimited number of secure passwords.

And if you read that file, you will read that they used DES for hashing. Reminds me of the LM hash. The LM hash generated two hashes using DES from two 7 byte parts of a 14 byte password. Basically they use each individual 7 byte part as a DES key to encrypt a fixed string. Repeat this twice for each 7 byte part, and concatenate the results, and you get the LM hash.

Is this gawker.com only? I have accounts on related sites like kotaku and jezebel, but I don't see any of them in that list.

The list on that pastebin is only a sample of what they bothered to crack themselves (easy passwords like "password" and "qwerty"). The torrent posted in another comment contains the entire database.

Their entire database was stolen. So you should change your password to be safe.

Holy page views, Batman!

Screenshot from Quantcast showing 409M page views, 31.4M visitors a month in aggregate for all Gawker Media properties

"My job was to write twelve posts a day about 'media gossip,' which meant anything unpleasant or otherwise intriguing about anyone who had power in any Manhattan culture industry. There had to be enough posts so that whoever was sitting at my old desk at the publishing house, and everyone in Manhattan like her, could read something new when boredom struck."

Excerpt from book by Emily Gould, ex-Gawker, infamous blogger

And now it's been released on TPB http://news.ycombinator.com/item?id=1998642
Is this a joke or what? I never do understand Gawker.

Contrary to Gawker's claim, the Unix standard hash function crypt(3) has been crackable since at least 1990. It is salted, by the way.

It's not Gawker's claim. It's the hacker's. Adrian Chen didn't write that post.

Contrary to some hacker's claim, the Unix standard hash function crypt(3) has been crackable since at least 1990. It is salted, by the way.

Contrary to some hacker's humorous remark intended to mock gawker, the Unix standard hash function crypt(3) has been crackable since at least 1990. It is salted, by the way.

I'm just making fun of salting. Is that OK with you? :P

Yep, you probably got confused that the site got defaced.

Whoever attacked threw up a torrent of Gawker's stuff. On one hand, Gawker Media has been asking for something like this with their somewhat arrogant coverage of late (iPhone 4, Brett Favre, Christine O'Donnell, etc.). On the other … a million users getting their passwords hacked is VERY bad form.

Here's the torrent he's referring to: http://thepiratebay.org/torrent/6034669

Oh come on, it's not destroyed - the site is still up. They are hardly a news organization. If anything they are a tabloid.

They were making incredibly stupid mistakes while convincing people they were responsible and knowledgeable. I was hearing their bullshit on NPR like it was tech gospel.

Now they are exposed for the frauds they are.

I missed the part where I said that the site was destroyed.

They ARE a news organization, however. And they get it right more often than not. Which is why people read them. Do those people (who honestly suffered more due to this hack than Gawker ever will) deserve this? No.

They aren't frauds; they're provocative. There's a difference. They weren't claiming to be tech gods. And to trash them as "frauds" for their weak security is like trashing an athlete for not being a good writer. There are two different standards here.

And do you know how many newspapers make stupid mistakes? A lot of them. Gawker has a staff the tenth of the size of your average national newspaper yet pulls in a similar number of viewers. Making stupid mistakes comes with the territory with journalism. Even the big boys screw up.

Dislike Gawker because they're arrogant. Don't read them if you think they are. Don't suggest they're "frauds" though.

If I don't like it, I ignore it and do not read it, I don't destroy it.

Amazing how quickly the comments on that post degraded, especially over a question that deserved to be asked.

So I take it they just hashed and didn't HMAC. Was it just plain old MD5(password)?

Unrelatedly, does HN HMAC?

Are you confusing HMAC with salting?

Can I preempt a really boring recap of a discussion that happens on HN at least 3 times per fiscal quarter with:
Short answer: the acceptable password hashes are bcrypt, scrypt, or PBKDF2. In all likelihood, anything that isn't one of those three gets you in the news for losing passwords when your site gets hacked.

To be more precise, any secure iterated hash using a sufficient number of iterations and a salt.

I'm no security expert by any means, but my understanding is that HMAC is preferable to hash+salt.

That's kind of like saying quinces are preferable to hoop skirts.

HMAC is a construction that takes a hash (like SHA1), data, and a secret key (like "ff79f2fbe108a68c34a66004058fcfdb988dbc43") and applies the hash twice, each with a special tweak, to create a digest that only someone who knows the key can recreate from the same data. It's how two parties who share a key can prove to each other that their messages haven't been tampered with.

Hash+salt is a construction that takes a hash (like SHA1), a password (like "gobears") and a random public value (like "$4jdle$") and creates a password hash out of it that can't be precomputed.

People do (ab)use HMAC as a password hash. Those people should know that HMAC is as easy to precompute as naked SHA1 is; you can "rainbow-table" HMAC. People who have misunderstood HMAC tend to stick up for it by saying "yeah, but people will have to find my secret key first", to which a response that ends that silly argument is "once they get your key, they can attack all your hashes in parallel and that's bad".

All of these schemes are demonstrably inferior to any adaptive hashing scheme, like bcrypt or scrypt or PBKDF2, all of which can be tuned so that a single password attempt takes 500ms (or any other time); they in effect require password crackers to complete a "proof of work" that can't be sped up without a breakthrough in cryptanalysis.
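The three constructions compared in the comment above (keyed HMAC, salt+hash, and an adaptive hash such as PBKDF2, the one of the "bcrypt, scrypt, or PBKDF2" trio that ships in Python's standard library), shown side by side in an added example that is not part of the thread. The demo password "gobears" and the hex key are the values quoted in the comment; the per-user records, the iteration calibration routine and the function names are my own construction, not any library's API:

```python
import hashlib
import hmac
import os
import time

# Values quoted in the thread (the "secret key" is only a demo constant here).
DEMO_PASSWORD = "gobears"
HMAC_KEY = bytes.fromhex("ff79f2fbe108a68c34a66004058fcfdb988dbc43")


def hmac_password(password: str, key: bytes = HMAC_KEY) -> str:
    """HMAC-SHA1 (mis)used as a password hash.

    The key is shared by every user, so equal passwords give equal digests:
    one precomputed table of HMAC(key, candidate) covers the whole database
    as soon as the key leaks."""
    return hmac.new(key, password.encode(), hashlib.sha1).hexdigest()


def new_salt() -> bytes:
    """Random, public, per-user salt (16 bytes)."""
    return os.urandom(16)


def salted_sha1(password: str, salt: bytes) -> str:
    """Salt+hash: the salt is stored next to the digest, not secret, but it
    makes every user's digest different, so no table can be built in advance."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def distinct_digests(password: str, users: int) -> tuple[int, int]:
    """How many distinct stored values `users` accounts with the same password
    produce under HMAC versus salted SHA-1: (1, users) is the expected result."""
    keyed = {hmac_password(password) for _ in range(users)}
    salted = {salted_sha1(password, new_salt()) for _ in range(users)}
    return len(keyed), len(salted)


def pbkdf2_hash(password: str, salt: bytes, iterations: int) -> bytes:
    """Adaptive hash: salted *and* tunable cost (iteration count)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_record(password: str, iterations: int) -> dict:
    """What a defender stores per user; everything but the password is public."""
    salt = new_salt()
    return {
        "alg": "pbkdf2_sha256",
        "iterations": iterations,
        "salt": salt.hex(),
        "hash": pbkdf2_hash(password, salt, iterations).hex(),
    }


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt/cost and compare in constant time."""
    computed = pbkdf2_hash(password, bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(computed, bytes.fromhex(record["hash"]))


def calibrate_iterations(target_seconds: float = 0.5, start: int = 1000) -> int:
    """Double the iteration count until one guess costs at least target_seconds
    on this machine; this is the "500ms per attempt" tuning from the comment."""
    iterations = start
    salt = b"\x00" * 16  # fixed salt is fine for timing only
    while True:
        t0 = time.perf_counter()
        pbkdf2_hash("calibration", salt, iterations)
        if time.perf_counter() - t0 >= target_seconds:
            return iterations
        iterations *= 2


if __name__ == "__main__":
    print("distinct digests for 5 users (hmac, salted):", distinct_digests(DEMO_PASSWORD, 5))
    cost = calibrate_iterations(0.05)  # small target so the demo finishes quickly
    rec = make_record(DEMO_PASSWORD, cost)
    print("iterations chosen:", cost)
    print("verify correct password:", verify(DEMO_PASSWORD, rec))
    print("verify wrong password:  ", verify("gobear", rec))
```

`distinct_digests` makes the precomputation point concrete: five accounts with the same password collapse to one HMAC value but five salted ones. `calibrate_iterations` is the knob the comment describes; the stored `iterations` field lets the cost be raised later without invalidating old records.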

This is probably the clearest explanation of the distinction that I've read so far; thank you.

Some day, and that day may never come, I'll call upon you to explain cellular respiration to me.
