Bring It On.
December 12, 2010 6:55 PM   Subscribe

An anonymous hacking outfit called "Gnosis" has infiltrated Gawker Media, hijacking the front page and leaking the company's internal chat logs, source code, and content databases along with the usernames, email addresses, and passwords of over 1.3 million users (including Gawker staff). The attack, which was motivated by what the group describes as the "outright arrogance" with which the company's bloggers taunted anonymous imageboard 4chan (semi-previously), affects every site in the Gawker network, including Gizmodo, Kotaku, Lifehacker, Jezebel, Deadspin, Jalopnik, and io9. While most of the leaked passwords are encrypted, more than 200,000 of the simpler ones in the torrent file have been cracked, and the links between account names and email addresses are in plaintext for all to see. Since the integrity of Gawker's encryption methods remains in doubt, it is recommended that anyone who has ever registered an account on any Gawker property change their passwords immediately, especially if the same log-in information is used for other services.
posted by Rhaomi (312 comments total) 44 users marked this as a favorite

Don't taunt 4chan.
posted by phrontist at 7:01 PM on December 12, 2010 [10 favorites]


And it was only noticed by the improved quality of the writing.
posted by gomichild at 7:02 PM on December 12, 2010 [64 favorites]


You know how *not* to convince the world at large that you aren't a bunch of pitiful twits? Well, this would be pretty high on the list.

Seriously, if you want to convince people you are serious and worthwhile and not idiots, punishing a bunch of complete innocents just to show off how you use (computerized) violence as a replacement for being able to solve problems with social skills is not a good way.

It's like going into a store you got bad service from and punching random customers to get back at them. I don't know who on earth would think that was really a good plan.
posted by gracedissolved at 7:03 PM on December 12, 2010 [16 favorites]


Come on, surely we here at Metafilter have the kind of power to make people fear us, quake in their boots, be scared to pick a fight with us, right? Right? No? Well, OK.
posted by ThePinkSuperhero at 7:05 PM on December 12, 2010 [4 favorites]


I don't know who on earth would think that was really a good plan.

But what if you just did it for the lulz?
posted by Despondent_Monkey at 7:06 PM on December 12, 2010 [12 favorites]


(computerized) violence

Um, no.

Anyway know why the torrent isn't working?
posted by enn at 7:07 PM on December 12, 2010 [3 favorites]


You are looking at the Gizmodo source code. It was found lost in a bar in the Internet, camouflaged to look like a secure media network. We got it. We disassembled it. It's the real thing, and here are all the details.
posted by furiousxgeorge at 7:08 PM on December 12, 2010 [57 favorites]


*Anyone.
posted by enn at 7:08 PM on December 12, 2010


I don't know who on earth would think that was really a good plan.

Wait, wait, did you somehow miss the references to 4chan?
posted by brennen at 7:08 PM on December 12, 2010 [10 favorites]


An anonymous hacking outfit called "Gnosis"

You know why so much of this sounds like something from a shitty sci-fi novel? Because so much of this is being acted out by people who would otherwise be writing shitty sci-fi novels.

On the other hand, they hacked Gawker. *snicker.*
posted by octobersurprise at 7:10 PM on December 12, 2010 [18 favorites]


If you're the kind of news org that uses a TV begone during some dude's major conference demo, shutting off the display again and again, well ... I'm sure it couldn't have happened to nicer guys.
posted by zippy at 7:11 PM on December 12, 2010 [8 favorites]


Thus spake ThePinkSuperhero: "Come on, surely we here at Metafilter have the kind of power to make people fear us, quake in their boots, be scared to pick a fight with us, right? Right? No? Well, OK"

Well, I'm afraid to post anything derogatory about Apple here...

I feel bad for the Gawker admins, what a rotten Sunday night. Brings back bad memories. I'm so glad I'm out of that business.
posted by sidereal at 7:12 PM on December 12, 2010


I approve of this message.
posted by anigbrowl at 7:12 PM on December 12, 2010


Personally, I just love all the trashtalk in this release by the group.
posted by azarbayejani at 7:13 PM on December 12, 2010 [2 favorites]


ANYHOW, if we're gonna talk about trollish, tasteless, and generally irresponsible collective entities on the web, well, pot, kettle, black, eh Gawker?
posted by brennen at 7:14 PM on December 12, 2010 [3 favorites]


While they were out hacking life Lifehacker got, well, actually hacked. Isn't that ironic, don't you think?
posted by diogenetic at 7:14 PM on December 12, 2010 [11 favorites]


You must note that many social skills are diluted or obliterated when reasonably complete anonymity takes hold. Ant hives can work with reasonable anonymity- we cannot. These crackers have handles, unlike Anonymous, but to the rest of the world they are basically anonymous. That is why they couldn't use social skills to solve their problems in the persona that they take. That is why they must use cracking, if they are to be truly heard. So what if a few Anonymous take to the streets and protest in Guy Fawkes masks? Nobody knows them, and thus they must be fundamentally voiceless. But violence always gets noticed and usually understood, even if it never changes a single mind.
posted by curuinor at 7:16 PM on December 12, 2010


Why is (some of) MetaFilter seemingly obsessed with expanding the definition of violence?


Also, the part of me that loathes Gawker is amused by this super leet craxoring.
posted by defenestration at 7:23 PM on December 12, 2010 [15 favorites]


Joe Lieberman just came his depends. Someone's dreaming of Internet kill switches tonight!
posted by codacorolla at 7:24 PM on December 12, 2010 [7 favorites]


Doh, not using a salt makes it trivial to look up the hash for the plaintext. I actually recognize common words (such as password) hashed with MD6.
posted by Ad hominem at 7:25 PM on December 12, 2010 [2 favorites]


Off to change my passwords.
posted by mecran01 at 7:26 PM on December 12, 2010 [2 favorites]


Come on, surely we here at Metafilter have the kind of power to make people fear us, quake in their boots, be scared to pick a fight with us, right? Right? No? Well, OK.

GiveWell.
posted by Astro Zombie at 7:26 PM on December 12, 2010 [6 favorites]


"If you and your moronic colleagues continue to email us, we'll be happy to write about your company's harassment tactics and explain to readers why they should avoid doing business with you at all costs."

- Editor-in-Chief Remy Stern threatens EasyDNS following their own screwup in wrongly accusing EasyDNS of cutting off Wikileaks DNS.

Sleep tight, Remy.
posted by mhoye at 7:27 PM on December 12, 2010 [48 favorites]


Nick Denton from Gawker once bought me a beer. I don't think anybody at 4chan has, so I guess that decides it for me.
posted by jonmc at 7:27 PM on December 12, 2010 [6 favorites]


But violence always gets noticed and usually understood, even if it never changes a single mind.

Those who take an instrumental view of terrorism (as opposed to just thinking them crazy) call this an agenda-setting function; as Martha Crenshaw says, you can reject their demands but not ignore them.
posted by shothotbot at 7:28 PM on December 12, 2010


Nick Denton from Gawker once bought me a beer. I don't think anybody at 4chan has, so I guess that decides it for me.

Oh really?
posted by ThePinkSuperhero at 7:31 PM on December 12, 2010 [14 favorites]


Any sympathy I had for the Gawker staff was pretty well obliterated by this chat exchange uncovered by one of the hackers as information was first being leaked:
Brian Moylan: Uh oh....3chan is apparently posting usernames and passwords
[link]

Richard Lawson: I'm not clicking on that
whose usernames and passwords?

Hamilton Nolan: that seems bad, right
if it's ours, that's a problem

Jim Newell: they were not ours. I couldn't really tell what was going on

Brian Moylan: gawker users

Hamilton Nolan: oh, well. unimportant.

Richard Lawson: just the peasants?
It's too bad more-or-less innocent sites like Lifehacker had to get caught in the crossfire as part of the Gawker network. At least Wonkette escaped unscathed by going independent awhile back. (And I'm glad cool-in-my-book Jim Newell was the one not being annoyingly flippant in that chat log.)
posted by Rhaomi at 7:32 PM on December 12, 2010 [20 favorites]


Um, an anonymous hacking outfit called, "Gnosis," is the first sentence in this post. If they're called Gnosis, they're not anonymous...WTF?
posted by Chuffy at 7:32 PM on December 12, 2010 [2 favorites]


Why is (some of) MetaFilter seemingly obsessed with expanding the definition of violence?

I agree that this isn't really violence. However, while things like this aren't equivalent to blowing up a building or punching random people in the face, they're still a huge violation of other people's rights, and it IS harmful to them.

It's disingenuous when people think something like releasing a bunch of usernames and passwords doesn't matter because it's all the internet, because the internet? Full of real people. So it might not be outright violence but it's still a pretty fucked up, sociopathic thing to do.
posted by girih knot at 7:34 PM on December 12, 2010 [4 favorites]


It would be kind of cool if we agreed, planetwide, to throw away all our nukes and fight our future wars via hacking. Whoever loses doesn't get to look at the internet anymore and has to go outside and do things like farm and build playgrounds.
posted by angrycat at 7:42 PM on December 12, 2010 [20 favorites]


Let's say someone went and tried the passwords people used for their @me.com and @gmail.com email addresses to see if they matched the ones they used on Gawker.com and sent themselves an email saying that they should change their passwords. Would that someone be acting ethically? I personally think Gawker is doing a terrible job handling this, and should send some kind of mass email to their users, rather than just having a small article about it (which on Gizmodo is halfway down the page).
posted by azarbayejani at 7:42 PM on December 12, 2010 [3 favorites]


People seem to confuse "pseudonymous" and "anonymous" a lot, Chuffy. If that even is your real name.
posted by Sidhedevil at 7:42 PM on December 12, 2010 [4 favorites]


I don't know who on earth would think that was really a good plan.

Wait, wait, did you somehow miss the references to 4chan?


But...this isn't 4chan doing anything. 4chan is still just sitting around posting pictures of themselves, chatting, and occasionally finding ways to harness collective effort to track down cat-abusers. This is a separate group of people that says it found Gawker an entertaining target due to its arrogance when posting about 4chan.
posted by dreamyshade at 7:43 PM on December 12, 2010


They dun goofed!
posted by killdevil at 7:43 PM on December 12, 2010 [1 favorite]


At first I was worried, because I think I may have made a login for LifeHacker to make a comment a few years ago.

Then I remembered my comment was either deleted or not approved.

Conflicting.
posted by Alvy Ampersand at 7:45 PM on December 12, 2010 [3 favorites]


It couldn't have happened to a nicer media empire, really.
posted by vidur at 7:49 PM on December 12, 2010 [2 favorites]


Fuck both sides for making me change my password at Gawker.

Also, snarky comment about Andrea Peyser.
posted by Joey Michaels at 7:49 PM on December 12, 2010


"PEOPLE USING PASSWORD AS THEIR PASS!!!!!"

There's... so many of them.
posted by boo_radley at 7:52 PM on December 12, 2010


Um, an anonymous hacking outfit called, "Gnosis," is the first sentence in this post. If they're called Gnosis, they're not anonymous...WTF?

I imagine this either means that the members are anonymous or they're affiliated with capital-a Anonymous
posted by p3on at 7:52 PM on December 12, 2010


You laugh you lose
posted by Ad hominem at 7:54 PM on December 12, 2010 [2 favorites]


Obligatory xkcd on harvesting passwords.
posted by AsYouKnow Bob at 7:54 PM on December 12, 2010 [5 favorites]


Yeah, I had an account at Lifehacker (till I was muted because those dildos didn't like hearing that they were wrong about something) so I went through the sites I use and changed any password that might belong to a similar username. Good job, Gawker. ಠ_ಠ
posted by Inspector.Gadget at 7:55 PM on December 12, 2010


At first I was worried, because I think I may have made a login for LifeHacker to make a comment a few years ago. Then I remembered my comment was either deleted or not approved.

Yeah, I had an account at Lifehacker (till I was muted because those dildos didn't like hearing that they were wrong about something)


I think I had a Gawker account at one time (this was before you were able to just sign up for one- or is that still true?), but at some point years, I stopped being able to post comments. E-mails asking what happened went unanswered. The whole thing was totally bizarre. So, I'm really not sure if I have a Gawker account or not. Maybe this list will shed light on the issue.
posted by ThePinkSuperhero at 7:59 PM on December 12, 2010 [2 favorites]


And epic lulz were had by all! Good on ya Gnosis!
posted by MikeMc at 8:00 PM on December 12, 2010 [1 favorite]


I have an account, but haven't used it in so long that I have NO IDEA what the password might have been, or if it's similar to ones I might be using elsewhere. Ugh.
posted by statolith at 8:06 PM on December 12, 2010


I don't

a) have a Gawker account or
b) use "password" as my password anywhere

but if ever I were going to do b), it would be in the context of a). It's just Gawker?
posted by two or three cars parked under the stars at 8:07 PM on December 12, 2010 [1 favorite]


Via reddit. see if your password has been leaked
posted by Ad hominem at 8:09 PM on December 12, 2010 [33 favorites]


In Cupertino, a lone iPhone engineer sits in bar with a huge smile on his face while wiping his laptop hard drive.
posted by benzenedream at 8:15 PM on December 12, 2010 [40 favorites]


So close.
posted by dobbs at 8:16 PM on December 12, 2010


Alvy Ampersand: "At first I was worried, because I think I may have made a login for LifeHacker to make a comment a few years ago.

Then I remembered my comment was either deleted or not approved.

Conflicting"

Yeah that's my main concern, so I have no idea how to fucking check whether I even have an account at any of those sites. I guess try to do a password reset?
posted by symbioid at 8:16 PM on December 12, 2010


So, the leaked file has ~200,000 cracked username/email/password combos shown in plain text, all of which are simple, common passwords like "123" and "qwerty."

There's also a longer list of over a million plaintext username/email combos with the associated password encrypted as an eight-character alphanumeric string.

Searching the torrent file, I see an account I set up years ago in the latter list. So it has my email address, a pretty unique username I might have used on some other non-crucial sites, and an encrypted password.

If that password, unencrypted, is eight characters and one digit (and nothing that appears in a dictionary), what are the odds of it being cracked? Is that considered a weak password? And does Gawker's encryption scheme offer decent protection? I'm reading all this talk about MD5 and hashes and salted vs. unsalted, but it's all over my head.

I use much stronger passwords for email, banking, etc., so nothing critical is at stake. I just don't want to try to hunt down every place I've used that username/password combo if there's little chance of it being cracked. (Likewise, I don't want to end up with some channer defacing my defunct MySpace page or what have you six months down the line in the event that the passwords are trivially easy to crack.)

Basically, what are the risks for the encrypted passwords in the torrent file?
posted by Rhaomi at 8:18 PM on December 12, 2010 [2 favorites]


I trust the 13 year olds who take over my ancient Kotaku account will use it to make appropriately droll comments on FleshBot.
posted by ecurtz at 8:18 PM on December 12, 2010 [10 favorites]


Rhaomi: "If that password, unencrypted, is eight characters and one digit..."

Er, make that seven letters and one digit.
posted by Rhaomi at 8:19 PM on December 12, 2010


This is why you use bcrypt.
posted by ryoshu at 8:20 PM on December 12, 2010 [2 favorites]


Editor-in-Chief Remy Stern threatens EasyDNS following their own screwup in wrongly accusing EasyDNS of cutting off Wikileaks DNS

Yeah, it was the "You do not get a tweet or correction" with the threat that was the last straw for me. I couldn't fucking believe Gawker folks would make *that* their response when it was so clearly their own mistake. I wouldn't wish this kind of attack on anyone, but my first thought was wondering if it had something to do with how completely shitty Gawker's response was to last week's EasyDNS fuckup. Maybe it was the last straw for some other folks, too.
posted by mediareport at 8:25 PM on December 12, 2010 [8 favorites]


I wonder if I can bill Nick Denton for buying a copy of 1password and having to change all my passwords everywhere tonight.

Thanks, Nick!
posted by mathowie at 8:25 PM on December 12, 2010 [20 favorites]


Rhaomi, since the passwords weren't salted, it's pretty much guaranteed that someone will crack the whole list and post it. The decrypted password will most likely show up if someone searches for that username or password.
posted by ryanrs at 8:26 PM on December 12, 2010 [4 favorites]


My sister's cat is named Gnosis. At least, she says it's a cat. I've never met him.

Hmm.

I gotta make a call.
posted by That's Numberwang! at 8:26 PM on December 12, 2010 [11 favorites]


Ah, one more piece of the puzzle. They were using LAN Manager hashes, a technique from Windows NT 3.5, so pre-CIFS; as mentioned, there is no salt, so it should be vulnerable to rainbow lookups such as ophcrack.
LM hash
ophcrack

Bottom line is it will be "cracked" (actually just looked up in a table) very quickly. It is trivial to just select the hash for password or qwerty from MySQL. If yours is different they would have to focus on your account, but there is no doubt in my mind it would be cracked in minutes if not seconds due to the lack of salt.
posted by Ad hominem at 8:28 PM on December 12, 2010 [1 favorite]
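The point being made in the two comments above (no salt means one precomputed table recovers every common password in the dump at once) is easy to see in code. The following is an added example, not something posted in this thread or taken from Gawker's code: it contrasts storing a bare MD5 of the password with a per-user random salt plus a slow key-derivation function. PBKDF2 from the Python standard library stands in for the bcrypt recommended upthread, and the "common password" list and the user table are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a common-password wordlist; a real one would be far larger.
COMMON_PASSWORDS = ["password", "qwerty", "123", "letmein", "monkey"]

# Constructed user table: two users chose the same weak password, one chose a strong one.
USERS = {"alice": "password", "bob": "password", "carol": "Tr0ub4dor&3-xyz"}


def unsalted_md5(password):
    """The scheme the thread is criticising: the stored value depends only on the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup_table(passwords):
    """Computed once, reusable against every row of every unsalted dump ever leaked."""
    return {unsalted_md5(p): p for p in passwords}


def recover_unsalted(stored_hash, table):
    """Cracking an unsalted hash of a common password is a dictionary lookup, not work."""
    return table.get(stored_hash)


def new_salt():
    """16 random bytes per user; stored next to the digest in the clear."""
    return os.urandom(16)


def salted_hash(password, salt, iterations=100_000):
    """Per-user salt + slow KDF (PBKDF2-HMAC-SHA256 here; bcrypt is the usual choice).
    Same password, different salt -> different digest, so no shared table applies."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return digest.hex()


def verify_salted(password, salt, stored_digest, iterations=100_000):
    """Constant-time comparison of the recomputed digest against the stored one."""
    return hmac.compare_digest(salted_hash(password, salt, iterations), stored_digest)


def crack_unsalted_table(users):
    """Simulate a leak of an unsalted table: returns {user: recovered_password_or_None}."""
    table = build_lookup_table(COMMON_PASSWORDS)
    return {u: recover_unsalted(unsalted_md5(p), table) for u, p in users.items()}


def salted_digests_collide(users):
    """True if any two users with identical passwords end up with identical stored digests."""
    stored = {u: salted_hash(p, new_salt()) for u, p in users.items()}
    digests = list(stored.values())
    return len(digests) != len(set(digests))


if __name__ == "__main__":
    print("unsalted MD5 of 'password':", unsalted_md5("password"))
    print("recovered from unsalted leak:", crack_unsalted_table(USERS))
    print("salted digests collide for alice/bob:", salted_digests_collide(USERS))
```

With the unsalted scheme, alice and bob share one stored value and both fall to a single table lookup; carol's password is not in the list, so it survives the lookup but would still be exposed to a brute-force run over her hash alone. With a per-user salt the same two passwords produce unrelated digests, and the slow KDF makes every guess cost real work per user rather than one lookup across the whole dump.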


So lulzy.
posted by Marla Singer at 8:29 PM on December 12, 2010


Probably a dumb question (but it's honest)-- in theory what is the worst case scenario for an account holder if someone gains access to your account on Gawker?
posted by Hoopo at 8:30 PM on December 12, 2010


Ask Nick Denton...
posted by ryanrs at 8:32 PM on December 12, 2010


Oh, fuck. And they had my primary email address, as well - something I only realised after digging through my Gawker account.
posted by Nice Guy Mike at 8:35 PM on December 12, 2010


Everyone, everywhere has access to your account at any website where you used the same email address and password.
posted by ecurtz at 8:36 PM on December 12, 2010 [5 favorites]


in theory what is the worst case scenario for an account holder if someone gains access to your account on Gawker? -- It depends. If you're smart, and you don't reuse your passwords on multiple sites, then the worst you have to worry about is someone posting stuff as you. If you're not smart, and you use the same password on multiple sites ... well, I'd say the odds are low in either case.

But if you want to use this as a wake-up call, and you'd like to start using unique and secure passwords, I suggest lastpass.
posted by crunchland at 8:36 PM on December 12, 2010 [5 favorites]


Yeah, great, I may have an account on one of their sites, but I've tried to reset my password and the email isn't showing up.
posted by MegoSteve at 8:37 PM on December 12, 2010


I love me some passwordsafe for storing passwords securely.
posted by rmd1023 at 8:41 PM on December 12, 2010 [4 favorites]


1958 people used "password" as their password? Another 681 used "qwerty"?
BWAAHAAAHAHAHAAAAAAAAAA!
posted by Marla Singer at 8:44 PM on December 12, 2010 [1 favorite]


...So, I think I signed up for something on Jezebel once upon a time -- but I don't remember whether I did, or just lurked.

How do I search one of those "here's where you can check if your password was leaked" documents?
posted by EmpressCallipygos at 8:45 PM on December 12, 2010


I'm thinking mine isn't easily guessed since it's not a dictionary word, but I'm going to go ahead and reset my passwords just to be safe.

For Firefox users who want to do the same, here's a shortcut that might help if you let the browser remember your log-in information:

In the Menu bar, go to Tools -> Options..., and then click on the "Security" tab. Click on the "Saved Passwords" button, then "Show Passwords." You'll get a list of every website/username/password combo Firefox knows, which can be sorted alphabetically using the bars at the top. Just sort by username and find the sites using the handle you registered on Gawker. If it uses the same password, too, then go ahead and change it.

And if your Gawker username isn't too generic, you can use a site like NameChk to find every site with an account registered under that name, finding smaller sites you might have forgotten about.
posted by Rhaomi at 8:45 PM on December 12, 2010 [22 favorites]


1. A Gizmodo editor purposefully posted Tubgirl to the Kotaku front page a few years back. That editor, Brian Lam, apologized and was allowed to keep his job. In my opinion, he should have been fired.

2. A Gizmodo-affiliated individual ran around CES a few years ago, switching televisions off in the middle of sales presentations with a TV-B-Gone device, and documenting the effects with video. Apologies in this case were half-hearted at best.

3. That Gizmodo purchased property that had been stolen from an Apple employee is undisputed. What happened next is disputed, but Apple claims that Gizmodo then attempted to blackmail them for scoops, and "broke" the iPhone 4 story only when this failed.

4. Gawker posted a Wikileaks-related story with an error (EasyDNS vs. EveryDNS) that caused real harm to an innocent party, and when confronted with that error refused to do what one would expect of any legitimate journalistic source, and correct it and apologize publicly.

5. This.

I've been known to visit Gawker-linked sites in the past... Kotaku especially. As gaming "portals" like IGN and GameSpot became heavier with media and advertising, I found that its streamlined blog format appealed more to me, and I appreciated that they were often more critical than the competing Joystiq blog.

I should have quit 'em the first time they shit on me (pun, quite unfortunately, intended), but it's better late than never.

I'm off to edit my "hosts" file...

And then I'll start changing my passwords.
posted by The Confessor at 8:47 PM on December 12, 2010 [19 favorites]


You know, I'm kind of conflicted about this story. I mean, according to the text files, the guys at Gawker did apparently say "bring it on," but I also think this hacker's impulse to publish all of that stuff, just for lulz, seems needlessly destructive (not to mention criminal), when he could have proven his actions without divulging all of the information.

I've said it before -- the penchant for people to go nuclear on the internet with the slightest provocation may be the undoing of us all.
posted by crunchland at 8:48 PM on December 12, 2010 [1 favorite]


Heh heh heh. I find this hilarious.

The thing is, I can't really think of much of a reason why to target Gawker. I mean. They've been mostly pro-wikileaks. The only thing was the way they refused to issue a correction on the EasyDNS/EveryDNS -- plus the threat.

So the only real reason to do this is for the lulz. That said, I find this pretty lulzy.
posted by delmoi at 8:51 PM on December 12, 2010 [3 favorites]


Never have I ever been so glad I didn't qualify to comment at any Gawker site before I got wise enough to know better than to bother. My poor husband is off checking whether he has an account and has to change his passwords. (Probably not, but why take chances?)
posted by immlass at 8:53 PM on December 12, 2010


1958 people used "password" as their password?

"Wait, you changed my password to "password"? That has to be the best password ever!"
posted by mlis at 8:54 PM on December 12, 2010 [5 favorites]


> I've said it before -- the penchant for people to go nuclear on the internet with the slightest provocation may be the undoing of us all.

It is a statistical certainty that 4channers would one day be Presidents of countries around the world. I take comfort in the fact that I'd be dead by then.
posted by vidur at 8:56 PM on December 12, 2010


As a computer programmer with a life, I'd just like to say that hackers tend to be wusses who need a beat down. Sorry, it's true.
posted by freecellwizard at 9:00 PM on December 12, 2010 [1 favorite]


Interesting to see the comments from everyone who made an account and is worried about their passwords.

I used to use the same password for everything, but a couple of years ago I got kind of paranoid and started using different passwords for everything, especially after reading a Bruce Schneier article telling people to write down their passwords, because writing down a list of different passwords is safer than having one or two passwords used promiscuously.

So my paranoia paid off! At least. It would have. Actually I never signed up for a Gawker account.
posted by delmoi at 9:01 PM on December 12, 2010 [2 favorites]


It is a statistical certainty that 4channers would one day be Presidents of countries around the world. I take comfort in the fact that I'd be dead by then.
How old are you? And do you mean regular posters, people who have posted one comment, or everyone who browses the site?
posted by delmoi at 9:03 PM on December 12, 2010


Just sort by username and find the sites using the handle you registered on Gawker. If it uses the same password, too, then go ahead and change it.

What about sites where you don't use the same handle as your Gawker login, but do use the same email address you used when you registered at Gawker? Just as bad, right?
posted by mediareport at 9:03 PM on December 12, 2010


freecellwizard: "As a computer programmer with a life, I'd just like to say that hackers tend to be wusses who need a beat down. Sorry, it's true"

You take that back or I'll crack you one!
posted by boo_radley at 9:04 PM on December 12, 2010 [2 favorites]


I should have quit 'em the first time they shit on me (pun, quite unfortunately, intended), but it's better late than never.

Well, it's knocking them while they're down, but for what it's worth: after swearing off Gawker sites when the EasyDNS story hit, I've found it pretty easy to get everything I was getting from Denton from other sites. For one example, no longer relying lazily on io9 has slammed me back into the world of science- and comics-blogs in a really enjoyable way.
posted by mediareport at 9:08 PM on December 12, 2010 [1 favorite]


This is not the last time this will happen.

What is really annoying is that to do anything on many websites you have to create an account. That means having, in my case, probably a hundred or more accounts on websites throughout the years, across the internet. No one can keep track of that many separate passwords. Even now half the time I go to a site I haven't used in months, I have to send a password reset link.
posted by JHarris at 9:08 PM on December 12, 2010 [5 favorites]


127.0.0.1       gawker.com
127.0.0.1       www.gawker.com
127.0.0.1       gizmodo.com
127.0.0.1       www.gizmodo.com
127.0.0.1       kotaku.com
127.0.0.1       www.kotaku.com
127.0.0.1       jalopnik.com
127.0.0.1       www.jalopnik.com
127.0.0.1       lifehacker.com
127.0.0.1       www.lifehacker.com
127.0.0.1       deadspin.com
127.0.0.1       www.deadspin.com
127.0.0.1       jezebel.com
127.0.0.1       www.jezebel.com
127.0.0.1       io9.com
127.0.0.1       www.io9.com
127.0.0.1       fleshbot.com
127.0.0.1       www.fleshbot.com
127.0.0.1       gawker.tv
127.0.0.1       www.gawker.tv
127.0.0.1       cityfile.com
127.0.0.1       www.cityfile.com
127.0.0.1       valleywag.com
127.0.0.1       www.valleywag.com
127.0.0.1       defamer.com
127.0.0.1       www.defamer.com
127.0.0.1       sploid.com
127.0.0.1       www.sploid.com
(I doubt anyone else here is as angry and vindictive as I am, but if you are, this might save you some time.)
posted by The Confessor at 9:10 PM on December 12, 2010 [16 favorites]


Even though my previous comment was unfairly deleted, I'd still note that even though Gawker's management deserves whatever comes their way over the next few days, its users do not.
posted by Blazecock Pileon at 9:13 PM on December 12, 2010 [1 favorite]


anyone who has ever registered an account on any Gawker property change their passwords immediately, especially if the same log-in information is used for other services.

4chan are acting as blackhat hackers, showing the lack of concern sites take with passwords and personal data. They're jerks, but Gawker are jerks for not taking better care of user data. So, to steal from Terry Pratchett, it's jerks all the way down.
posted by theora55 at 9:16 PM on December 12, 2010 [1 favorite]


Okay, wait a minute... looking at the file again, I see two kinds of entries in the encrypted password list:

[username] ::: [13-character alphanumeric string] ::: [60-character alphanumeric string with special characters] ::: [email address]

and

[username] ::: [13-character alphanumeric string] ::: NULL ::: [email address]

The majority of the entries, including mine, have that "NULL" in place of the long string of characters. Does the lack of the 60-digit-string (the hash?) make it any harder to decrypt the password?
posted by Rhaomi at 9:16 PM on December 12, 2010


I wonder how long until somebody decides that 4chan, after having spawned Anonymous and Gnosis, is some kind of nest for hackers and tries to have it shut down?
posted by empatterson at 9:17 PM on December 12, 2010 [1 favorite]


Hochmut kommt vor dem Fall.

Denton had it coming.
posted by krautland at 9:18 PM on December 12, 2010


mathowie: "I wonder if I can bill Nick Denton for buying a copy of 1password and having to change all my passwords everywhere tonight."

and you tweeted this to the man as well. I love you.
posted by boo_radley at 9:19 PM on December 12, 2010


So, so conflicted. Gawker the parent publishing company clearly deserves everything they get and then some for being such horrible douchebags...but I do love Lifehacker and io9.

Soylent green is so wrong...but so tasty. So very tasty.
posted by T.D. Strange at 9:20 PM on December 12, 2010 [3 favorites]


Wow. Office moms are going to be upset come Monday morning.
posted by Arthur Phillips Jones Jr at 9:20 PM on December 12, 2010


affects every site in the Gawker network, including Gizmodo, Kotaku, Lifehacker, Jezebel, Deadspin, Jalopnik, and io9.
Is this a complete list? Is there a complete list?
posted by Flunkie at 9:21 PM on December 12, 2010


What is really annoing is that to do anything on many websites you have to create an account.

It's a difficult problem. I remember when it was rare (and annoying) to find a blog where you had to sign up to comment - when I came across one, I rarely returned. But comment-spamming quickly made registrations the norm. The whole Facebook / Twitter / Google / OpenID log in thing that's happening now is extremely convenient, and I admit to taking advantage of it, but the idea of a massive monolithic corporation managing your access to dozens of sites you visit is understandably concerning to many people.

Maybe the 4channers are onto something with their Anonymous forum structure...
posted by Jimbob at 9:22 PM on December 12, 2010 [1 favorite]


Huh. How weird is it that my username is in that database (strong password) but they don't have an e-mail for me?

Oh, well. Changed the password anyway.
posted by Dipsomaniac at 9:28 PM on December 12, 2010


I use the same garbage password on every single blog I comment on and I could care less if anyone figures it out.
posted by empath at 9:28 PM on December 12, 2010 [4 favorites]


So, is the reddit list all-inclusive? I converted my e-mail (the username part, not the domain) that was registered on Jezebel to MD5 as instructed, searched the document for it and came up with nothing. Does that mean I'm good, or? I have no idea what password I used on Jezebel, but the e-mail address I registered with is my entire name. In the meantime I guess I'll hope for the best.

I do have to agree with the sentiment expressed by many others--couldn't have happened to a nicer media "empire."
posted by nonmerci at 9:33 PM on December 12, 2010


WTF - Hasbro MyFirstEncryption playset!?

¡¿ Are you high?
posted by Jeremy at 9:33 PM on December 12, 2010 [1 favorite]


PBS NewsHour: Gawker Data Breach Could Lead to Attacks on Government Agencies
"PBS NewsHour has learned that a select sub-list of what appear to be e-mail addresses and passwords of employees from federal, state and local government agencies were parsed separately for potential future attacks.......The list appears to include a wide range of government agencies from King County in Washington State to mission controllers at NASA to a chief of staff for a member of Congress."
posted by prinado at 9:41 PM on December 12, 2010 [2 favorites]


Flunkie: "Is this a complete list? Is there a complete list?"

see the host file entries above (the 127.0.0.1 stuffs)
posted by boo_radley at 9:45 PM on December 12, 2010


Good news, everyone! After searching the full_ and parsed_db files I'm pretty sure that I am unaffected!
posted by Alvy Ampersand at 9:50 PM on December 12, 2010 [4 favorites]


"I converted my e-mail (the username part, not the domain) that was registered on Jezebel to MD5 as instructed, searched the document for it and came up with nothing."

You need to put your full email into the MD5 hash, and search for that.
posted by CrayDrygu at 9:51 PM on December 12, 2010


I wonder how long until somebody decides that 4chan, after having spawned Anonymous and Gnosis, is some kind of nest for hackers and tries to have it shut down?

Yeah, I've been thinking for the past week or so that moot is basically fucked.
posted by mr_roboto at 9:53 PM on December 12, 2010 [1 favorite]


Yeah, regarding using "password" or "qwerty" on a site like Gawker? Why not, if you're not a serious user? The vast majority of those users might have signed up to make one comment, or perhaps access some other feature on the site only available to signed in users. (I think I signed up at reddit, for example, in order to control the comment view.) If somebody "cracks" their account, big whoop; they can leave some inane comment by CasualUser.

The poor people who use one password for everything are screwed, but "password" and "qwerty" aren't being used on Paypal, etc. It's "MyCatsName1984" type passwords that will stand out.

I don't use the same password for anything, but I'm trying to figure out if I signed up at Jezebel. I remember that I wanted to see the (moved) comments criticizing Jezebel for publishing the Duke sex ratings story. That's when I discovered that Jezebel dumps opposing or critical comments from regular users (non-regulars are just deleted/not approved) in some kind of comment purgatory, and why I don't visit Jezebel anymore. But did I have to sign up to see them? I don't remember. Firefox doesn't remember, either, so probably not, but hmm.
posted by taz at 9:56 PM on December 12, 2010 [3 favorites]


You know this has happened to most websites, yes? The ONLY reason you've heard about this particular crack is because the crackers wanted to embarrass gawker, not just harvest passwords. Do you really think Nick Denton would have warned you about this if you didn't already know? You think Ebay would, or Amazon, or your bank?
posted by ryanrs at 9:56 PM on December 12, 2010 [7 favorites]


> How old are you? And do you mean regular posters, people who have posted one comment, or everyone who browses the site?

I wasn't being serious, delmoi. It was a take on "penchant for people to go nuclear".
posted by vidur at 9:57 PM on December 12, 2010


Yes, amazon, etc sure as hell would tell you, if they don't want to get sued out of existence.
posted by empath at 10:04 PM on December 12, 2010 [2 favorites]


Yeah, I've been thinking for the past week or so that moot is basically fucked.

Somehow I don't think that will slow down the likes of this Gnosis group, or people like them. I imagine that there is... another... Sky... walker -- er, I mean an alternative waiting to deploy in the event 4chan goes down, and that in fact it wouldn't even be much of a loss to the l33t haxors, although the low level /b/tards may cry salty tears.
posted by Marla Singer at 10:04 PM on December 12, 2010


Again, if a full entry in the torrent looks like this:
[username] ::: [13-character alphanumeric string] ::: [60-character alphanumeric string with special characters] ::: [email address]
...what parts are needed to theoretically recover a password? Some entries have "NULL" for the second field, or the third field, or the email field, or some combination of the three. I think the second is the DES, and the third is some kind of hash. If a "NULL" in the right place(s) means the data is safe, that'll give a lot of people (including me) some peace of mind, since a lot of the entries in the file don't have information in all four fields.
posted by Rhaomi at 10:05 PM on December 12, 2010


Check to see if your email was compromised. You don't need to enter your email, just the MD5 hash of it (which you can calculate here using just JS).
posted by delmoi at 10:06 PM on December 12, 2010 [19 favorites]


Oh, and if you're on windows here's my tip: use keepass to generate your passwords. There's versions for iProducts, android and other platforms, so you can have relatively secure-to-very secure and anonymous passwords on your mobiles as well. See How does keepass generate passwords? for details.
posted by boo_radley at 10:09 PM on December 12, 2010 [3 favorites]


*cries salty tears*
posted by Marla Singer at 10:11 PM on December 12, 2010


Rhaomi: Either the 13 or 60 character string. I would GUESS the 13 character key. DES uses a 64 bit block size, which is 8 bytes. Pad that out using base 64 and you would get around 11 bytes. If you look at a UNIX password file, you'll see pretty short encoded passwords.

I have no idea what the 60 byte string might be. You don't need that many to store a password hash.

(And DES as a hash? WTF?)
posted by delmoi at 10:15 PM on December 12, 2010


Interesting point, ryanrs. I think it's not so much "Would they tell you?" as "Would they know?" Sometimes the big red You Have Been Hacked message pops up on your screen when you're away from your desk.
posted by theora55 at 10:16 PM on December 12, 2010


Alvy Ampersand: "Good news, everyone! After searching the the full_ and parsed_db files I'm pretty sure that I am unaffected!"

Just how the heck are you supposed to search that link? It looks like an enormous Google doc to me.
posted by pjern at 10:19 PM on December 12, 2010


The MeFite who said "it couldn't happen to a nicer bunch of guys" .... so true so true...

Can anyone suggest a good science fiction site so I can get off io9 and rid myself of having to read a gawker media site forever?
posted by Poet_Lariat at 10:21 PM on December 12, 2010


I agree, this could be a turning point for /b/. Even if not directly related, just the association with these latest attacks may convince some people, perhaps even moot, that /b/ is just too unruly and dangerous to allow it to continue to operate in the way it does.

And the demise of /b/ would really be a sad thing. I don't visit there much, and when I do I usually find it disgusting, but I like the culture of insane chaos and the extraordinary silliness it inspires (when it's harmless), and I'd hate to see it killed. It's truly a very unique place, unlike anything we've ever seen before, and I don't think it could be recreated again.
posted by Kraftmatic Adjustable Cheese at 10:21 PM on December 12, 2010 [1 favorite]


I cannot believe how many people apparently use password managers. Seriously, I am in awe of this. Just, wow.
posted by Marla Singer at 10:21 PM on December 12, 2010


Marla Singer writes "1958 people used 'password' as their password? Another 681 used 'qwerty'?"

This really isn't as insane as it seems. Sure numerous regular commenters probably have that as their password; however, I'd bet that most of those "password" passwords were entered by people who planned to make a single comment and were forced to create an account to do so. I know I've done similar things on other sites.
posted by Mitheral at 10:22 PM on December 12, 2010


Just how the heck are you supposed to search that link?

Yeah, could somebody please post a step-by-step on how to search for one's info there?
posted by Kraftmatic Adjustable Cheese at 10:22 PM on December 12, 2010


BTW, hackerz can haz grocers apostrophe's?

Your empire has been compromised, Your servers, Your database’s, Online accounts and source

Where does one apply for the GNOSIS proofreader position? If I sign up at Gawker as heyGNOSIScallMe with password CheapRatesForProofingManifestos, will that work?
posted by taz at 10:27 PM on December 12, 2010 [7 favorites]


The whole Facebook / Twitter / Google / OpenID log in thing that's happening now is extremely convenient
I find it (OpenID aside) annoying. Why should I have to tell all these sites "who I am"? What if the one account gets compromised, or blocked, or something?

I run my own OpenID "server" (well, actually just a PHP file) that I control, but more and more sites are not allowing you to enter an arbitrary URL as your OpenID. You HAVE to pick from the providers they offer.

I find it irksome.
posted by delmoi at 10:30 PM on December 12, 2010 [4 favorites]


Man, if I was working for Agile's sales guys, there would *so* be a "find your MD5 hash in that Google doc? 50% off 1Password for YOU!" sale this week.
posted by fairytale of los angeles at 10:31 PM on December 12, 2010 [3 favorites]


Kraftmatic Adjustable Cheese: "Yeah, could somebody please post a step-by-step on how to search for one's info there?"

Go to the MD5 hasher and enter your email address in the little form ("myname@gmail.com", for example), click "MD5," and copy the result.
Go to the MD5 Google Doc Dump:
  1. click on "Show Options" at the top
  2. Select "MD5" from the first drop down and "=" from the second one.
  3. Paste the MD5 into the text box and click "Apply."
If your email was hacked, it should be listed at the bottom.
If your email was not hacked, all the rows should disappear.
posted by yaymukund at 10:32 PM on December 12, 2010 [24 favorites]


Yeah, I've been thinking for the past week or so that moot is basically fucked.

moot's okay... he just signed with Lerer Ventures
posted by valkane at 10:33 PM on December 12, 2010


Is it wrong for me to be a little delighted that this happened to Gawker? The bullshit stunts and egregious mistakes they've made in the past year alone have earned them my undisguised loathing. In all honesty I hope this spells the end of that company of creeps and jerks.
posted by five fresh fish at 10:34 PM on December 12, 2010 [2 favorites]


Yes, amazon, etc sure as he'll would tell you [if their password database was hacked], if they don't want to get sued out of existence.

I don't see anything about that in their privacy policies. However, there's a bunch of stuff about never being liable for anything, ever. Perhaps you could find the section that promises to warn you?
Amazon Privacy Policies
posted by ryanrs at 10:34 PM on December 12, 2010 [1 favorite]


Oh, and when you enter your email in the MD5 Hasher, make sure it's in all lowercase.
posted by yaymukund at 10:36 PM on December 12, 2010


Just how the heck are you supposed to search that link?
Yeah, could somebody please post a step-by-step on how to search for one's info there?
Assuming that you are talking about this link:

(1) Get an MD5 hash of your email address. If this is Greek to you, then:

(1A) Open up http://pajhome.org.uk/crypt/md5/
(1B) Enter your email address, all lowercase, in the "Input" box (in the "Demonstration" section)
(1C) Click the "MD5" button
(1D) The MD5 hash of your email address is what appears in the "Result" box.

(2) On the Google document, click on the "Show Options" link. Two dropdown boxes and a text box will appear when you do that.

(3) The first dropdown box will say "Domain". Change it to the "MD5" entry.

(4) Leave the second dropdown box alone (set to "=").

(5) Paste the MD5 hash of your email address into the textbox.

(6) Click the "Apply" button.

If your email address is in the database, an entry will be listed after you click "Apply"; otherwise, none will.
posted by Flunkie at 10:37 PM on December 12, 2010 [8 favorites]
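The two step-by-steps above hash the e-mail address locally and look the digest up in the published sheet, which is why the lookup never needs the address itself. Here is the same check as an added Python example (not code from the thread or from any of the tools linked in it): it parses the four-field record layout Rhaomi described earlier ("username ::: 13-character string ::: 60-character string ::: email", with "NULL" for missing fields), indexes the records by the MD5 of the lowercased e-mail, and answers "am I in this dump?" for an address. The three records in SAMPLE_DUMP are constructed; the strings in the hash fields are placeholders, not real hashes, and their lengths are not checked.

```python
"""Check whether an e-mail address appears in a leaked account dump by its MD5.

Added example; SAMPLE_DUMP is constructed data in the four-field layout
discussed in the thread, not records from the real file.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

FIELD_SEP = " ::: "


@dataclass(frozen=True)
class AccountRecord:
    username: str
    short_hash: Optional[str]   # the 13-character field ("NULL" -> None)
    long_hash: Optional[str]    # the 60-character field ("NULL" -> None)
    email: Optional[str]        # e-mail address ("NULL" -> None)


def _nullable(field: str) -> Optional[str]:
    """Map the literal NULL (or an empty field) to None, otherwise strip whitespace."""
    field = field.strip()
    return None if not field or field.upper() == "NULL" else field


def parse_record(line: str) -> AccountRecord:
    """Split one 'a ::: b ::: c ::: d' line into an AccountRecord."""
    parts = line.rstrip("\n").split(FIELD_SEP)
    if len(parts) != 4:
        raise ValueError(f"expected 4 fields, got {len(parts)}: {line!r}")
    username, short_hash, long_hash, email = parts
    return AccountRecord(username.strip(), _nullable(short_hash),
                         _nullable(long_hash), _nullable(email))


def email_md5(email: str) -> str:
    """MD5 of the address normalised the way the lookup sheet expects: trimmed, lowercased."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def build_md5_index(lines: Iterable[str]) -> Dict[str, AccountRecord]:
    """Index every record that carries an e-mail by MD5(lowercased e-mail)."""
    index: Dict[str, AccountRecord] = {}
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec.email:
            index[email_md5(rec.email)] = rec
    return index


def lookup_email(index: Dict[str, AccountRecord], email: str) -> Optional[AccountRecord]:
    """Return the matching record, or None when the address is not in the dump."""
    return index.get(email_md5(email))


# Constructed sample records (placeholder hash fields, not real hashes).
SAMPLE_DUMP = """\
alice_c ::: ab1CdEfGhIjKl ::: NULL ::: Alice.Commenter@Example.com
bob_lurker ::: NULL ::: NULL ::: NULL
carol ::: Zy9XwVuTsRqPo ::: CONSTRUCTED-placeholder-for-the-60-char-field-not-a-real-hash ::: carol@example.net
"""


def is_affected(email: str, dump_lines: Iterable[str]) -> bool:
    """Convenience wrapper: True if the address (case-insensitively) is in the dump."""
    return lookup_email(build_md5_index(dump_lines), email) is not None


if __name__ == "__main__":
    index = build_md5_index(SAMPLE_DUMP.splitlines())
    for addr in ("ALICE.COMMENTER@EXAMPLE.COM", "nobody@example.org"):
        hit = lookup_email(index, addr)
        print(f"{addr}: md5={email_md5(addr)} -> {'found as ' + hit.username if hit else 'not found'}")
```

The lowercase caveat yaymukund raised is handled inside email_md5, so a mixed-case address still matches. The hash fields are carried through but deliberately not interpreted; the only question this answers is whether your address is in the list, which is the question both walkthroughs above are trying to answer.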


I once commented on Lifehacker years ago. All my attempts to search for that sign up email from Lifehacker failed. I just now realized that I should search for email from @gawker.com (in case anyone is having the same issue).

Thankfully I reset my password a year ago in an attempt to point out how wrong a Lifehacker article was (I never did). phew.
posted by special-k at 10:37 PM on December 12, 2010


I was on the list with a BS password. Like boo_radley, I use KeePass to track/generate stupidly long random string passwords for anything I care about.
Haven't been near Gawker in years, so I couldn't really care. But that "peasants" comment from the staff isn't exactly flattering.
posted by arcticseal at 10:46 PM on December 12, 2010 [1 favorite]


I cannot believe how many people apparently use password managers. Seriously, I am in awe of this. Just, wow.

It makes life easier as well as more secure.

And fuck Gawker.
posted by rodgerd at 10:47 PM on December 12, 2010


Well, given how easy it is to buy stuff on Amazon (one click purchasing), they would have to do something if their database was compromised - they would lose millions of dollars from false purchases, chargebacks, returns, customer service calls, and the media frenzy.

Fake comments on Gawker? Doesn't even compare.
posted by meowzilla at 10:50 PM on December 12, 2010



yaymukund: "Kraftmatic Adjustable Cheese: "Yeah, could somebody please post a step-by-step on how to search for one's info there?"

Go to the MD5 hasher and enter your email address in the little form ("myname@gmail.com", for example), click "MD5," and copy the result.
Go to the MD5 Google Doc Dump:
  1. click on "Show Options" at the top
  2. Select "MD5" from the first drop down and "=" from the second one.
  3. Paste the MD5 into the text box and click "Apply."
If your email was hacked, it should be listed at the bottom.
If your email was not hacked, all the rows should disappear."

Thank you for that. I can't think of anything much more opaque to Joe User than that procedure.
posted by pjern at 10:51 PM on December 12, 2010 [1 favorite]


Thanks yaymukund
posted by Kraftmatic Adjustable Cheese at 10:53 PM on December 12, 2010


It looks like Steve Jobs may have had a Gawker account
posted by spork at 10:54 PM on December 12, 2010 [2 favorites]


>I cannot believe how many people apparently use password managers. Seriously, I am in awe of this. Just, wow.

It makes life easier as well as more secure.

And fuck Gawker.


Easy I get. But secure? I have no trouble coming up with strong passwords myself, and I always use a unique password for every account. There are all kinds of ways to do this. Mnemonics are great - think of a sentence and use the first letter of every word. Add some numbers that were meaningful to you as a child for whatever reason, and maybe some that are meaningful to you now (but nothing obvious or predictable). Sprinkle liberally but in a way you can remember. Actually use your passwords by typing them in each time you need them and you will find that you will remember them eventually. But no, that's work, never mind.
posted by Marla Singer at 11:00 PM on December 12, 2010 [1 favorite]


Easy I get. But secure? I have no trouble coming up with strong passwords myself, and I always use a unique password for every account. There are all kinds of ways to do this. Mnemonics are great - think of a sentence and use the first letter of every word. Add some numbers that were meaningful to you as a child for whatever reason, and maybe some that are meaningful to you now (but nothing obvious or predictable). Sprinkle liberally but in a way you can remember. Actually use your passwords by typing them in each time you need them and you will find that you will remember them eventually. But no, that's work, never mind.
I have literally hundreds of accounts, each of which has its own unique password, each looking something like:

!<qa5yFOqM@9GPdpAhyf9e+$W6&~//

Along with this data, I have recorded the URLs that they are for, the email addresses that were used to sign up for them (which are in many cases unique to that particular account), the last date and time at which the password was changed, and often associated information such as the answers to "security questions" for the account (which are, again, some random gibberish).

Many of these hundreds of accounts I use only exceedingly rarely.

I do actually remember a handful of them - perhaps ten. They're all ones that I have had need to type in directly (for some strange reason) rather than copy and pasting, and which I use very, very frequently. But I cannot come anywhere close to remembering all of them, and I can't imagine why I would want to do so. If you can, though, kudos.
posted by Flunkie at 11:09 PM on December 12, 2010 [9 favorites]


Easy I get. But secure?

1Password generated this just now: vo9wrel4hav7gej7shosh9jef5jog5vog5bek8man7led

I have no trouble coming up with strong passwords myself, and I always use a unique password for every account. There are all kinds of ways to do this. Mnemonics are great - think of a sentence and use the first letter of every word. Add some numbers that were meaningful to you as a child for whatever reason, and maybe some that are meaningful to you now (but nothing obvious or predictable). Sprinkle liberally but in a way you can remember. Actually use your passwords by typing them in each time you need them and you will find that you will remember them eventually. But no, that's work, never mind.

The rest of us have jobs. And lives.
posted by special-k at 11:09 PM on December 12, 2010 [3 favorites]


For those curious: This won't come back on moot because the organisation, planning, etc. don't actually happen on 4chan itself. There's a bunch of IRC channels and other boards (mostly but not completely of the form #chan) where the actual planning and coordination go on. 4chan is just where they go to brag about it because it's got the largest audience.
posted by Pseudoephedrine at 11:10 PM on December 12, 2010


For those curious: This won't come back on moot because the organisation, planning, etc. don't actually happen on 4chan itself.

Yeah, but there are government actors that may get involved here. Their actions, we should recognize, have little to do with reality.
posted by mr_roboto at 11:13 PM on December 12, 2010 [1 favorite]


1Password generated this just now: vo9wrel4hav7gej7shosh9jef5jog5vog5bek8man7led

oops, that's because I set the password generator to pronounceable.

This is better: p8iJL[9Wed2.7:oC6fN3%zhPFvrjuRnqXK4yb${m?gE=M
posted by special-k at 11:14 PM on December 12, 2010 [1 favorite]


Mnemonics are great - think of a sentence and use the first letter of every word.

Yeah, if you can remember your passwords, they're either too weak or too few.

That's a good rule of thumb, I think.
posted by mr_roboto at 11:14 PM on December 12, 2010 [3 favorites]


Well, I only have a couple of dozen accounts to keep track of, unlike you important people. Carry on.

Although I still don't get how your secure password is so secure if you somehow have to spend three hours changing all passwords everywhere because *one* account was hacked.
posted by Marla Singer at 11:16 PM on December 12, 2010


Although I still don't get how your secure password is so secure if you somehow have to spend three hours changing all passwords everywhere because *one* account was hacked.

Many of us did not have to change passwords.
posted by special-k at 11:18 PM on December 12, 2010


mr_roboto, that was step one of several, just FYI. It was meant to be combined with the steps that followed.
posted by Marla Singer at 11:19 PM on December 12, 2010


Although I still don't get how your secure password is so secure if you somehow have to spend three hours changing all passwords everywhere because *one* account was hacked.
Why do you think that we would have to do this?

You'd only have to do that if you reuse passwords. Or if you use some sort of too-predictable mnemonic, for example one trivially based upon the website name.
posted by Flunkie at 11:19 PM on December 12, 2010


Let's say someone went and tried the passwords people used for their @me.com and @gmail.com email addresses to see if they matched the ones they used on Gawker.com and sent themselves an email saying that they should change their passwords. Would that someone be acting ethically? I personally think Gawker is doing a terrible job handling this, and should send some kind of mass email to their users, rather than just having a small article about it (which on Gizmodo is halfway down the page).

Someone DID do this, actually. I got an email from Hint.io that I was compromised, which I appreciated. Fortunately, I just used a stupid password for only Gawker and nothing's at risk, but damn. (And yes, I did find it, decrypted, in the file.)
posted by disillusioned at 11:23 PM on December 12, 2010


Why do you think that we would have to do this?

I don't know.

I have to be going now. Please continue, and sorry for interrupting your regularly scheduled programming.
posted by Marla Singer at 11:26 PM on December 12, 2010


Because someone who purchased a copy of a password manager in response to this spent hours changing his passwords?
posted by Flunkie at 11:29 PM on December 12, 2010


Actually use your passwords by typing them in each time you need them and you will find that you will remember them eventually.

"Each time I need them" may be once a month. Or even once a year. You're telling me you have 24+ pseudo-random passwords memorized such that once a year you can come up with them on the fly? If so, bravo. You have a much better memory than the mere mortal.

I am a mere mortal. Thus, I must reuse passwords and write down the ones I can't reuse. Realize that people like me are in the vast majority when designing your security systems.

(FWIW, I don't have a Gawker account, and if I did, it would have used one of my useless passwords)
posted by dirigibleman at 11:32 PM on December 12, 2010 [1 favorite]


You'd only have to do that if you reuse passwords. Or if you use some sort of too-predictable mnemonic, for example one trivially based upon the website name.

You don't say?

Whoa, whoa, whoa, fences are failing all over the place!
posted by pracowity at 11:33 PM on December 12, 2010


> The majority of the entries, including mine, have that "NULL" in place of the long string of characters. Does the lack of the 60-digit-string (the hash?) make it any harder to decrypt the password?

I'm no hacker, but it looks to me like the 13 character string alone appears to be sufficient to recover any password less than 8 characters long, as well as the first 8 characters of longer ones. I ran some of the 13 character hashes corresponding to the easier passwords released in the torrent file ("password", "qwerty", etc) through John the Ripper using the DES hash format and it cracked them immediately. I haven't tried it with a random one.
posted by wam at 11:38 PM on December 12, 2010


Releasing the passwords was a jerk move that affects people who have done nothing wrong.
posted by wuwei at 11:49 PM on December 12, 2010 [2 favorites]


Great advice on creating secure passwords from, ahem, LifeHacker Choose (and remember) great passwords

I use a variation of this - base password with a couple of parts that are modified with characters from the site's name or URL.

I also have a couple of different 'base' passwords I use depending on the sensitivity of the site.
posted by sycophant at 12:03 AM on December 13, 2010 [1 favorite]


I got an email from Hint.io that I was compromised, which I appreciated.

I got that email too and it looked suspiciously like phishing. I do have a gawker account and I did go and change all my passwords, but mystery meat url params in the links in the message body don't exactly inspire confidence.
posted by juv3nal at 12:04 AM on December 13, 2010 [1 favorite]


I don't see anything about that in their privacy policies. However, there's a bunch of stuff about never being liable for anything, ever. Perhaps you could find the section that promises to warn you?
It doesn't matter what their policies are, they're required by law to inform you of a data breach. (The law was put in place in part because hackers would blackmail companies to prevent the release of stolen data.)

I don't know about Gawker, I don't know what the requirements are when all you have is an email address, and you don't have a financial relationship.

Also, as far as screwing up /b/, I think the risk is overstated. Gnosis claimed not to be "affiliated" (whatever that would mean) but shutting down /b/ would just cause people to move somewhere else.

Hmm... actually I just realized you could code up a clientside "imageboard" that just used twitter and some image host like twitpic
posted by delmoi at 12:18 AM on December 13, 2010


This is why I use mailinator and/or bugmenot for one time commenting accounts.

On the subject of password security, some government agencies require people to keep 32+ character passwords and change them often. Many people, especially the IT guys, memorize a random string and move the first character to the end at every mandatory change. That way it's all muscle memory after you remember the current first letter.
posted by beardlace at 12:26 AM on December 13, 2010 [2 favorites]


Hmmm, wonder how the frequency of the easily-cracked passwords compares to the myspace password hack a few years ago?

Myspace popular passwords: password1, abc123, myspace1, password, blink182, qwerty1, fuckyou, 123abc, baseball1, football1, 123456, soccer, monkey1, liverpool1, princess1, jordan23, slipknot1, superman1, iloveyou1 and monkey.

Password -- # Instances
================
123456 -- 3057
password -- 1955
12345678 -- 1119
lifehack -- 661
qwerty -- 418
abc123 -- 333
111111 -- 311
monkey -- 300
consumer -- 273
12345 -- 253
letmein -- 247
trustno1 -- 241
dragon -- 233
baseball -- 213
superman -- 208
iloveyou -- 202
1234567 -- 202
gizmodo -- 199
sunshine -- 196
1234 -- 194
princess -- 187
starwars -- 184
whatever -- 179
shadow -- 175
000000 -- 158
cheese -- 157
123123 -- 156
nintendo -- 149
football -- 149
computer -- 148
fuckyou -- 141
654321 -- 135
blahblah -- 134
passw0rd -- 132
master -- 132
soccer -- 126
michael -- 124
666666 -- 120
jennifer -- 118
gawker -- 115

This cracked password file doesn't contain passwords longer than 8 characters, so I'm assuming old faves like password1 and superman1 are still in the full db. I guess there are more X-files fans on gawker sites than on myspace. blink182 only had 58 users.
posted by benzenedream at 12:33 AM on December 13, 2010 [7 favorites]


I didn't get an email from hint.io, but am definitely compromised - my email hash is there and I was able to crack my password with John the Ripper in less than a second (it's pretty fast if your password list has the likely culprits, heh). Not a big deal because I gave them my "I don't trust this site" password, but still - wanted to pass on a warning that just because you didn't get a hint.io email doesn't mean you're not "on the list." Maybe the hash hasn't been cracked *yet*, but it will be, just a matter of time.

Disappointed that a third party is emailing people about it and not Gawker Media itself - everyone knows that a lot of users use the same password everywhere. It sucks, and people shouldn't do it, but they do and you can't stop it. It's like kids picking their noses or something. You should do what you can to educate, protect, and when those steps have failed, at least warn your users ASAP that they've been compromised. 1.5 million Denton site commenters are not going to load the page after 9pm EST on a Sunday, if ever.

The second Gawker found out about the breach AND that the data was all over the Internet, they should have dispensed of the "apparently compromised" crap and notified everyone via email immediately.
posted by jenh at 12:37 AM on December 13, 2010


Funny. I specifically didn't trust Gawker enough to even change the auto-generated password to my normal low-security don't-really-care password! So, no extra hassle for me.
posted by dickasso at 12:42 AM on December 13, 2010


Hey, I just got the hint.io email!

But I have no recollection of ever signing up to a Gawker account...
posted by pharm at 1:11 AM on December 13, 2010


Rhaomi: "I'm reading all this talk about MD5 and hashes and salted vs. unsalted, but it's all over my head."

There are people here better qualified to answer this, but let me give it a shot:

First, websites stored passwords in plaintext ("password"). This is pretty unsafe because anybody who gains access to the database will have the password immediately.

Then they came up with the MD5 hash. Given a password, the MD5 algorithm will spit out a 128-bit hash (5f4dcc3b5aa765d61d8327deb882cf99— this is in hexadecimal, so there are 32 characters). You can generate the MD5 hash for any password pretty easily. There are two things you basically need to know about MD5 hashes:
  1. If you have an MD5 hash, it's very difficult to retrieve a password.
  2. Since it's 128-bit, there are 2^127 MD5 hashes (a lot, even for very fast computers).
Because of property 1, a hacker with an MD5 hash shouldn't be able to reverse it easily. If I tell you 5f4dcc3b5aa765d61d8327deb882cf99, you shouldn't be able to figure out that it says "password".

Enter rainbow tables. Rainbow Tables are "enormous, pre-computed hash values for every possible combination of characters." (cite, and great article) If the hacker has a hash, they look for it in the rainbow table to find a password with the same hash. This works pretty well for short (< 14ish characters) and simple (alphanumeric) passwords. By doing this, they can reverse engineer your password using the hash.

But rainbow tables only work for short strings. Adding a single character to your password makes it exponentially more difficult to decipher. Rainbow tables are already very large and difficult to search through; a table for 14-character passwords can be around 9 gigabytes. Since there are 2^127 different MD5 hashes, it would be infeasible to try every possible hash.

Salting is just the process of adding some characters to a password before hashing it to make it immune to rainbow table attacks. Sometimes, this is the unique ID of a user or a secret string, or some combination of the two. When a user enters their password, just apply the salt before comparing it to the (salted) hash stored in the database. You can think of it as artificially lengthening the password for users who have short passwords.

I seem to be getting into GYOB territory but that's basically why Gawker is stupid.
posted by yaymukund at 1:12 AM on December 13, 2010 [61 favorites]
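An added worked example (not from yaymukund's comment, and not Gawker's code) using the same MD5 value the comment quotes: first the hash is stored bare and reversed by a small precomputed lookup table standing in for a rainbow table, then it is stored with a random per-user salt so the same table no longer finds it and two users with the same password no longer share a hash. The candidate list is constructed, and the PBKDF2 step at the end is my addition showing the slow-hash step that salting alone does not give you.

```python
import hashlib
import os
from typing import Dict, Optional

# Constructed demo data (not from the leak): a handful of common passwords
# standing in for the "enormous, pre-computed" table a rainbow table would hold.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "monkey"]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_lookup_table(candidates) -> Dict[str, str]:
    """Precompute hash -> password once; this is the core idea behind rainbow tables."""
    return {md5_hex(pw.encode("utf-8")): pw for pw in candidates}


def unsalted_record(password: str) -> str:
    """What a site does when it stores bare MD5; md5("password") is the value quoted above."""
    return md5_hex(password.encode("utf-8"))


def reverse_unsalted(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """One table lookup answers the question for every user who picked that password."""
    return table.get(stored_hash)


def salted_record(password: str, salt: Optional[bytes] = None) -> Dict[str, str]:
    """Store a random per-user salt next to md5(salt + password).
    The salt is not secret; its job is to make each stored hash unique to that user,
    so no table computed in advance (without knowing the salt) contains it."""
    if salt is None:
        salt = os.urandom(16)
    return {"salt": salt.hex(),
            "hash": md5_hex(salt + password.encode("utf-8"))}


def verify_salted(password: str, record: Dict[str, str]) -> bool:
    """Login check: re-apply the stored salt, then compare with the stored hash."""
    salt = bytes.fromhex(record["salt"])
    return md5_hex(salt + password.encode("utf-8")) == record["hash"]


def slow_record(password: str, salt: Optional[bytes] = None,
                iterations: int = 200_000) -> Dict[str, str]:
    """Salting alone does not slow down guessing one user's password against a fast
    hash such as MD5; a deliberately slow, salted KDF (PBKDF2 from the standard
    library here) makes every guess cost thousands of hash computations."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": str(iterations), "hash": dk.hex()}


def verify_slow(password: str, record: Dict[str, str]) -> bool:
    salt = bytes.fromhex(record["salt"])
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             int(record["iterations"]))
    return dk.hex() == record["hash"]


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)

    # Two users who both chose "password" get identical unsalted hashes,
    # and a single lookup reverses both of them.
    alice = unsalted_record("password")
    bob = unsalted_record("password")
    print("unsalted identical:", alice == bob, "| lookup:", reverse_unsalted(alice, table))

    # With per-user salts the stored hashes differ and the precomputed table is
    # useless, while the site can still verify the login.
    alice_s = salted_record("password")
    bob_s = salted_record("password")
    print("salted identical:", alice_s["hash"] == bob_s["hash"],
          "| lookup:", reverse_unsalted(alice_s["hash"], table),
          "| login ok:", verify_salted("password", alice_s))
```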


Rhaomi: Basically, what are the risks for the encrypted passwords in the torrent file?

I haven't looked at the file and don't plan to, but much is related to the length of the hashes versus the length of the stored passwords. If the hashes are very long, they have a lot of uniqueness, and it's quite likely that any successful decryption will actually get the correct password. If the hashes are short, the passwords are long, or both, the 'decryption' has a higher chance of resulting in a random string that happens to hash to the same value as your password. (a "hash collision".)

The first scenario obviously gives a bad guy access anywhere you used the password.... the second means they can only get into Gawker sites, and any others using precisely the same hash function (probably none).

It sounds like your specific password isn't very long, so even with short hashes, they'll probably get the correct one if they crack it. But for those that used passwords that are substantially longer than the hash, the chance of the bad guys getting the actual correct password is much lower. Don't rely on this, and change your passwords no matter what, but a long password is partially protective against this kind of attack. Might be useful for the ones you don't hear about.
posted by Malor at 1:15 AM on December 13, 2010
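Malor's point about hash length versus password length as an added worked example (not from the comment). The 16-bit truncation of MD5 is my assumption, chosen so the effect shows at small scale: an exhaustive search over 3-letter passwords (fewer passwords than hash values) almost always recovers the one right password, but over 4-letter passwords (more passwords than hash values) each hash has several preimages, so the string a cracker finds is usually not the one the user typed.

```python
import hashlib
import string
from collections import defaultdict
from itertools import product
from typing import Dict, List

# Toy setting (my assumption): keep only the top 16 bits of MD5, so there are
# 2**16 possible hash values. Real MD5 has 2**128, and the same reasoning
# applies once the password space is larger than that.
HASH_BITS = 16


def short_hash(password: str, bits: int = HASH_BITS) -> int:
    """Truncated MD5 standing in for a 'short hash'."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return int.from_bytes(digest, "big") >> (128 - bits)


def preimage_table(length: int, alphabet: str = string.ascii_lowercase,
                   bits: int = HASH_BITS) -> Dict[int, List[str]]:
    """Map every hash value to all passwords of the given length that produce it
    (an exhaustive search over the whole password space)."""
    table: Dict[int, List[str]] = defaultdict(list)
    for chars in product(alphabet, repeat=length):
        pw = "".join(chars)
        table[short_hash(pw, bits)].append(pw)
    return table


def collision_stats(length: int, alphabet: str = string.ascii_lowercase,
                    bits: int = HASH_BITS) -> Dict[str, float]:
    """How often does the password a cracker finds equal the one the user chose?"""
    table = preimage_table(length, alphabet, bits)
    n_inputs = len(alphabet) ** length
    unique = sum(1 for pws in table.values() if len(pws) == 1)
    return {
        "passwords": n_inputs,
        "hash_values": 2 ** bits,
        "distinct_hashes_seen": len(table),
        "avg_preimages_per_hash": n_inputs / len(table),
        # share of stored hashes whose preimage is unambiguous
        "unique_fraction": unique / len(table),
    }


def candidates_for(stored_hash: int, table: Dict[int, List[str]]) -> List[str]:
    """Everything an exhaustive search could recover for one stored hash."""
    return table.get(stored_hash, [])


if __name__ == "__main__":
    for length in (3, 4):
        s = collision_stats(length)
        print(f"{length}-letter passwords: {s['passwords']} passwords into "
              f"{s['hash_values']} hash values; avg preimages "
              f"{s['avg_preimages_per_hash']:.2f}; unambiguous {s['unique_fraction']:.1%}")
    table4 = preimage_table(4)
    print("candidates for the hash of 'abcd':",
          candidates_for(short_hash("abcd"), table4))
```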


Nor is it one of my usual throwaway ones. Sigh: reset the thing & move on.
posted by pharm at 1:15 AM on December 13, 2010


Thank you yaymukund for your instructions on how to use the database and also your explanation of what salted vs. unsalted, rainbow tables, etc. all means. Very clear and useful information, and I really appreciate it.
posted by hurdy gurdy girl at 1:24 AM on December 13, 2010 [3 favorites]


Just to follow up on boo_radley's excellent recommendation for KeePass, Mac users have their own open source option called KeePassX. It isn't as pretty as the windows program, but it gets the job done. Also, there is an app on the iphone/ipad that is KeePassX compatible.
posted by boubelium at 1:39 AM on December 13, 2010 [1 favorite]


It is worth noting that really the only thing most people use their Gawker account for is posting comments, which doesn't really require user attribution for the great majority of users. So, if someone used a password like "123456", there is a very good chance they just created a throwaway account to make comments because Gawker isn't important enough to them to care about.
posted by JHarris at 2:47 AM on December 13, 2010


Yeah, I've been thinking for the past week or so that moot is basically fucked.

Attempting to take down /b/ would be shortsighted. As long as it exists, you have a (small) window into what the hive mind is currently thinking, assuming you can handle the porn, gore and cp that comes with it.
posted by Mooski at 3:11 AM on December 13, 2010


Mocking 4chan is just asking for trouble. That said, I think the "Anonymous" group are actually doing some really good things, even though they are completely overwhelmed with their recent projects.
posted by novenator at 3:13 AM on December 13, 2010


This operation reminds me of any other sort of direct action. Because that's what this is, really - a concerted effort to throw a wrench in the gears of a perceived threat. Outside the internet, this might mean chaining yourselves to the axles of logging trucks, or handcuffing yourselves in a ring in front of a nuclear power plant. Operations like that are effective in shutting down operations, but more importantly, are also effective in gaining public sympathy - you're being passive in the face of cops lifting you up and/or dragging you away, while the cameras roll. It brings attention to your cause, yes, but limiting your target to the perceived threat also has the added effect of making it more likely for people to sympathize with you, and to support your cause.

However, there are also direct action operations like we had here in Iceland a couple years back: truckers protesting a proposed raise in the price of fuel would do things like take to the highway in convoys and then purposefully slow down to 15 KpH, or simply park their trucks across busy intersections. This, too, was effective in bringing attention to their cause, but who suffered for it? Not parliament, primarily, but the hundreds of commuters who may have sympathized with these truckers until they decided to make everyone the target of their grievances.

We see the same principle apply to direct action used on the internet. If Gnosis had hacked Gawker and limited their operations to digging up staff passwords and inter-office convos, then their mission to take Gawker down a peg and expose their arrogance - for the reasons The Confessor aptly listed - would have my full support. Instead, they decided to expand operations to included everyone who has ever posted a comment on Gawker and related sites.

This, to me, is a mistake on their part, and will end up biting them on the ass as far as public sympathy goes. And invoking 4chan, man, what a mistake that is. Anonymous is right now trying to convince the public that they're a "human rights organization", fighting the good fight for Wikileaks, and aren't the same guys who regularly post IRL info on girls who flash on Stickam. Gnosis and Anonymous could be two totally separate animals, and if that's the case, I'm not sure the latter should associate with the former.
posted by Marisa Stole the Precious Thing at 3:33 AM on December 13, 2010 [4 favorites]


the company's bloggers taunted anonymous imageboard 4chan

Nick Denton I am disappoint.
posted by fire&wings at 3:56 AM on December 13, 2010 [1 favorite]


Considering the insane proliferation of chan sites, and the ease in which associated messages and memes travel from their originators to audience, would it even matter if moot or anyone else shut down /b/ or the entire 4chan site?

Hell what with the constant whingeing about cancer mayhaps shutting down /b/ would be a period of chemo until /b/ reestablishes itself in some other misbegotten corner of the internet.
posted by fido~depravo at 4:08 AM on December 13, 2010


Right.

I tested the Md5 I got for my email address against the spreadsheet, and I got a hit. Apparently, I did sign up for a Jezebel account at one time.

However, now I'm confused what the risks are. Because:

If the hashes are very long, they have a lot of uniqueness, and it's quite likely that any successful decryption will actually get the correct password. If the hashes are short, the passwords are long, or both, the 'decryption' has a higher chance of resulting in a random string that happens to hash to the same value as your password. (a "hash collision".)

I got a long string of numbers and letters from that Md5 thing. I have no idea whether this is "very long" or "short".

My password is one I use a lot for other accounts. It is an English word, but it's a word that many people haven't heard of. It is shorter than that Md5/hash/thing. However, it is NOT the same password I use for Livejournal, my bank accounts, or my email.

What the hell should I do?
posted by EmpressCallipygos at 4:39 AM on December 13, 2010


Change your password anyway, and keep unique ones for all your separate accounts.

One thing I do is I use the same numbers and characters for all my passwords of different sites - just in different combinations of order and case. If the password is long enough, is not an English word, and combines letters, numbers and different cases, you'll have a very strong password, and varying it slightly from site to site will keep it easy to remember for you, while keeping it secure against cracking.
posted by Marisa Stole the Precious Thing at 5:00 AM on December 13, 2010


EmpressCallipygos: Stop using that password on the sites where you currently do? Anywhere with the same email address or username and the same password, you'll want to change the latter. Where the password isn't the same, obviously this has no impact.
posted by Dysk at 5:01 AM on December 13, 2010


EmpressCallipygos: "I got a long string of numbers and letters from that Md5 thing. "

That's irrelevant to what the poster you're quoting was talking about. (MD5 hashes are always the same length.) I think they were talking about the hashes in the original database dump, which apparently vary.

The question you should be asking yourself is: "Do I care if someone logs in as me on the accounts in question?"

I'd say that even for commenting accounts the answer might be yes if the account is traceable to you personally. For throwaway accounts which were only registered in order to comment on a website the answer is probably no. If you have a commenting history on any of the sites in question that you value, then change the passwords to protect that. If someone impersonating you on a site could do damage to your reputation, then change the password.

Don't use an english word as a password, even if it is a rare one. Password crackers have access to extensive dictionaries of likely passwords: a dictionary word of any sort will get cracked if the password hashes are ever leaked.
posted by pharm at 5:06 AM on December 13, 2010


Can someone explain why there are still websites that don't allow you to use special characters in your password? Like some banks, for example?
posted by bardophile at 5:21 AM on December 13, 2010 [6 favorites]


Alright, as much as I hate most of Gawker, I really like their car-centric site Jalopnik. It's pretty low-key, there isn't much (if any) scummy SEO stuff going on, and the editors are actually car people and not a bunch of web 2.0 social networking jerkoffs passing as tech journalists. It's a great little site, I'm sad that they're associated with Gawker. Maybe if I have enough cash I can just buy it and run it on its own. The fact that they cover grassroots motorsports alongside professional racing and industry news is really great. Plus the commenters are typically pretty nice.

But that's the only site, really. And their association with gawker saddens me.

(Ps, I checked to see if I had a gawker account by searching my email for a "you've registered" email from gawker, there was none, so I'm good for now.)
posted by hellojed at 5:23 AM on December 13, 2010 [1 favorite]


I really hope that The Consumerist covers this story after Gawker decided to get rid of them. I'm a little disappointed that Lifehacker got grouped in with it, that was my one go-to stop to get news about software and Android updates.
posted by lilkeith07 at 5:37 AM on December 13, 2010 [1 favorite]


Is it wrong for me to be a little delighted that this happened to Gawker? The bullshit stunts and egregious mistakes they've made in the past year alone have earned them my undisguised loathing. --- I would have been happier to see it happen to Drudge, but it never would, because he doesn't allow comments. The only voice allowed on Drudge Report is Drudge's.
posted by crunchland at 5:38 AM on December 13, 2010


It couldn't have happened to a nicer bunch of people.
posted by indubitable at 5:46 AM on December 13, 2010 [1 favorite]


It's been 7 and half years and I just changed my Metafilter password, just in case.
posted by blue_beetle at 5:51 AM on December 13, 2010


Helpfully, Gawker didn't even inform Wonkette about this.
posted by dirigibleman at 5:58 AM on December 13, 2010


So I've been thinking about jumping on the KeePass etc. bandwagon for a while, but I keep putting it off, largely because I'm worried about what happens if KeePass gets hacked, or if my computer crashes and I need to rebuild from scratch, or whatnot.

Satisfied password-manager-users: should I be worried about this stuff?
posted by Shepherd at 6:03 AM on December 13, 2010


I would have been happier to see it happen to Drudge, but it never would, because he doesn't allow comments. The only voice allowed on Drudge Report is Drudge's.
If this had happened to Drudge, come January, we would have a Congressional act to disallow people from writing open source computer programs, such as were certainly used in this attack.
posted by Flunkie at 6:04 AM on December 13, 2010 [1 favorite]


Lucky me-- I got an account at io9 this week, using (I believe) one of my Regular Passwords. But I checked the google spreadsheet, using the MD5 technique kindly detailed by Yaymukund, and I came up with nothing. So... does this mean I dodged a bullet here?
posted by suburbanbeatnik at 6:13 AM on December 13, 2010


So I've been thinking about jumping on the KeePass etc. bandwagon for a while, but I keep putting it off, largely because I'm worried about what happens if KeePass gets hacked, or if my computer crashes and I need to rebuild from scratch, or whatnot.

Satisfied password-manager-users: should I be worried about this stuff?
Yes, you should.

I back up my password database (among other things) to lots of different computers, and lots of different disk drives, in several different physical locations. This pretty much resolves the "my computer crashes" part of it, except in extreme cases like nuclear attack, in which case I'm extremely lucky if I thereafter find myself concerned that I can't log on to some website.

If KeePass (or whatever) gets hacked, well, yeah, you're screwed. There's nothing you can really do about this except things like making the master password phenomenally complex and long, and not using the password manager on any computer that you don't have some degree of confidence in (to avoid key loggers).
posted by Flunkie at 6:17 AM on December 13, 2010


So I've been thinking about jumping on the KeePass etc. bandwagon for a while, but I keep putting it off, largely because I'm worried about what happens if KeePass gets hacked, or if my computer crashes and I need to rebuild from scratch, or whatnot.

Satisfied password-manager-users: should I be worried about this stuff?


I copy my keypass file to drop-box, so it's accessible anywhere I'm at a computer. As long as you have a secure password on keypass, that should be okay.
posted by empath at 6:19 AM on December 13, 2010


With LastPass, you strongly encrypt your password database locally, and then store it in the cloud. You can access it with many devices, so if you add or update a password on your iPhone, it'll convey to your desktop, etc. You can also store either a secure or insecure copy of your password database locally. It'll detect and prompt you whenever it sees a password field to log you in, or generate it for you if you've never been there before. I think it's the best password manager I've ever used. Oh, and it's also free.
posted by crunchland at 6:22 AM on December 13, 2010 [1 favorite]


Was there a way, in 2008 or so, to comment on the Gawker sites without linking it to an email? I did comment on Jezebel a handful of times in 2007-08, but I can't remember a username and there's no record of my md5 to my email address in the csv file.
posted by anniecat at 6:23 AM on December 13, 2010


fido~depravo: "Hell what with the constant whingeing about cancer mayhaps shutting down /b/ would be a period of chemo until /b/ reestablishes itself in some other misbegotten corner of the internet."

PUDDIPUDDIPUDDI
posted by benzo8 at 6:26 AM on December 13, 2010 [2 favorites]


Date: Tue, 24 Nov 2009 03:14:32 GMT

The Consumerist has moved! In order to post comments on the new site using your current account, you'll need to log in with your username and the temporary password below. After logging in, you can reset your password.  You will have immediate access to your profile and can start commenting on the new site.

Current Username:
Current Password: (random junk)
For those of us who haven't visited Consumerist or some of the other related sites in the past year, this is a big relief -- though our e-mail addresses are still outed.
posted by crapmatic at 6:53 AM on December 13, 2010


Felix Salmon:

Gawker Media now has a FAQ up, which stops short of an apology. What Gawker didn’t do — but what the good people at Hint did do — is email everybody whose email and password were made public, to inform them of that fact. “In situations like this, time is of the essence, which is why we were surprised & shocked to find that Gawker Media hadn’t taken the initiative to notify you of this privacy breach immediately,” they wrote. I’m with them: Gawker should have done what Hint did. But, thankfully, now they don’t need to. And if you haven’t received an email from Hint, there’s a good chance that your email and password have not been made public.
posted by mediareport at 6:56 AM on December 13, 2010 [3 favorites]


So I've been thinking about jumping on the KeePass etc. bandwagon for a while, but I keep putting it off, largely because I'm worried about what happens if KeePass gets hacked, or if my computer crashes and I need to rebuild from scratch, or whatnot.

This is not a problem. First, KeePass and most other password manager apps (Password Safe, eWallet, etc) run locally, so they really can't be "hacked" as long as your computer is secure. They simply open a locally-stored encrypted file that contains all of your passwords.

Second, you can easily back up your password files, online using Dropbox or something similar, or to a USB drive, or both. I have my password files on about five computers, my phone, my pocket USB drive and online - it would take a lot of bad things happening for me to lose those files.

Finally, all you have to do is have a single strong password/pass phrase for your password files themselves. If you're afraid that you might get amnesia, you can write that pass phrase down and store it somewhere at home.

I've been using password managers for many years now, and I simply couldn't do without them.
posted by me & my monkey at 6:56 AM on December 13, 2010


(Actually I see Consumerist was sold in 2008, and I'm not on Gawker's other blogs.. so I don't really know why I am in their leak)
posted by crapmatic at 6:57 AM on December 13, 2010


Okay, that was awesome. So I find my domain in the list and go about trying to figure out when I ever made a Gawker account. I pore through my old emails for any gawker related site title, nothing. I try every combination of handle I've used in the past ten odd years, nothing.

*ding* Hint.IO email comes in. Huh! When did I make an account on that site, and why don't I have a record of it?

Hrmn. I have no idea what that password is. Oh well, I'll recover my password I guess. click. click. Oh, here's the email! Okay, well, I'll see what comments if any I had on the account...

This account has been banned by.

Whaa? OHHH. Xeni. Violet Blue. Valleywag. It all comes back to me now, this is where I called them shitty and a bunch of other things! Hmph! All this mystery for... that...
posted by cavalier at 6:59 AM on December 13, 2010 [2 favorites]


Enough with the password stuff--everyone start digging through those gchats to figure out if Jezebel actually does hate women or if theyre just confused.
posted by Potomac Avenue at 7:02 AM on December 13, 2010 [3 favorites]


Any password manager worth its salt will encrypt your password file with a standard algorithm like AES. Strictly speaking, there's no way to prove that AES is secure, but the US military uses it, so it's about as good as you can get.

If you use a password manager, then, you have three potential weakpoints: the passwords you store with it, the program's implementation of the algorithm, and the strength of your master password.

You should generate all your passwords with something like apg. It lets you input random data to seed your password; if the password is for something important, I roll some dice and input the results.

Insist on a password manager that is open-source. That way, if there's something wrong with the implementation, it's possible to tell. Even if you personally can't read the code, a lot of übernerds are just dying to find something wrong with it and then tell everyone what they found. You'll want to hear of it when that happens; subscribe to whatever news feeds about your password manager you can find. Perhaps subscribe to the changelog as well; it's been known to happen that ill-advised changes to the code base may break a previously secure encryption scheme.

The master password must be iron-clad. I suggest generating it with Diceware. This is not a software program, it's a random table that you choose from with dice. Dice are very hard to hack into.
posted by LogicalDash at 7:10 AM on December 13, 2010


diceware
posted by LogicalDash at 7:10 AM on December 13, 2010


Gawker appears to have resumed posting without even giving commenters a forum to ask questions or vent about this. Seems like a very very bad public relations move.
posted by orville sash at 7:13 AM on December 13, 2010 [2 favorites]


This account has been banned by.

Just logged in after getting my new password early this morning, and same deal- the account was banned. Last comment on a Consumerist site back in October 2007. Who the heck knows!
posted by ThePinkSuperhero at 7:18 AM on December 13, 2010 [1 favorite]


AWWW! I thought I rankled someone with witty anti-Xeni bashing wit. Now you're saying they just banned all the compromised accounts. Meh!
posted by cavalier at 7:25 AM on December 13, 2010


Did anyone actually get their hands on the Gnosis torrent? I'd really love to know what the heck the password was on that account. I assume it was a throwaway, but, well, the more you know!
posted by cavalier at 7:26 AM on December 13, 2010


haha this morning Lifehacker thought it would be a good time to tell people to use LastPass. Maybe this will provide a little bit of a forum to talk about the incident.
posted by lilkeith07 at 7:28 AM on December 13, 2010


Oh thank god! Without those chat logs, we might never have known what Gawker staffers thought about the last episode of The Real Housewives of #Location!

Oh wait.

Serious note: Jesus, Lord Jesus, I hope my work chats are never released. Man, would I be fucked.
posted by evidenceofabsence at 7:34 AM on December 13, 2010


So I've been thinking about jumping on the KeePass etc. bandwagon for a while, but I keep putting it off, largely because I'm worried about what happens if KeePass gets hacked, or if my computer crashes and I need to rebuild from scratch, or whatnot.

OK, so there are two main risks here:

(1) Password manager gets compromised. This is unlikely (but not impossible). Someone might get hold of your database file and you might have a weak password. There might be a backdoor in the code. (yes, there have been backdoors in open source code, albeit shortlived) Someone might have a spycam aimed at your screen. You might leave your password manager open when you leave the room for a few minutes. Most of these attacks can be mitigated by a 'personal hash'. Thus, the passwords stored in your manager are 'apple', 'pear' and 'kumquat'. However, the actual passwords you use are 'lemonapple', 'lemonpear' and 'lemonkumquat'. (obviously, you should replace names of fruits with something longer / more complex in reality) This is not foolproof, but it does reduce the risk of a compromise.

(2) Password file is lost. As others have said, redundancy is the way to go here. Dropbox is an excellent solution, since it means there's a copy of your latest password file on every computer you use plus one in the cloud. It doesn't hurt to archive older copies as part of your regular backup regime as well.
posted by Busy Old Fool at 7:44 AM on December 13, 2010


Can anyone suggest a good science fiction site so I can get off io9 and rid myself of having to read a gawker media site forever?

Depends what you like most about io9, but it was a good aggregator so you'll probably have to replace it with at least a handful of other sites. All of the film-related news at io9, e.g., is easily available at dozens of places around the web; the studios send those trailers and announcements to everyone. Try Slashfilm. For science news, Scientopia, Wired's Science Blogs and keeping an eye on a few traveling blog carnivals has been fun (Scienceblogs, too, if the Great Pepsi Scandal didn't put you off).

It's very do-able. Once you decide not to visit a site anymore, other sites don't take long to fill in the gap. Yay for the oozing, seeping, shifting worldwide web, I guess.
posted by mediareport at 7:49 AM on December 13, 2010 [3 favorites]


I got the email from Hint this morning (see here for the text).
Are hint good guys or bad guys, or just trolling for pageviews?
posted by SPUTNIK at 7:54 AM on December 13, 2010


Can someone explain why there are still websites that don't allow you to use special characters in your password? Like some banks, for example?

Legacy systems and lazy programmers who didn't make the extra effort to go beyond the basics of a password, to allow for the possibility that punctuation marks, for example, could be part of the password proper, instead of being a delimiter between fields.
posted by ZeusHumms at 7:58 AM on December 13, 2010


Just how the heck are you supposed search that link? It looks like an enormous Google doc to me.

I just dLed the torrent and did a find in Notepad for my emails or any likely names I would have used. Probably downloaded something evil in there and now all my base are belong to Gnosis or am eligible to be sued in a class action lawsuit or something.

The MD5 thing is way simpler, thanks for the walkthrough!
posted by Alvy Ampersand at 8:01 AM on December 13, 2010


I'm torn over whether I should feel bad for the prolific gawker commenter named cunninglinguist, who always annoyed me by using the same idiotic screen name as I did here.
Re Keepass - does it work on mobiles too? I read the web now on so many different devices over the course of the day. Can I create a keepass and dropbox combo that would supply my passwords to my various work desktops and itouch and netbook? Do you have to cut and paste long strings of gobbledygook?
posted by CunningLinguist at 8:28 AM on December 13, 2010


I wonder if this is related to someone trying to hack into my gmail account early this morning (I comment at jezebel, my email is presumably linked to the one-time password I use for that site). Haha fuckers, my passwords are slightly stronger than "using the same one for everything!"

Gosh, is it terrorism if I have a moment of fear that bragging about my passwords will cause some asshole to try and break all of them?
posted by muddgirl at 8:32 AM on December 13, 2010


I got the hint e-mail, but it went straight to my spam folder. Luckily I'd already done the checks mentioned above and already knew I was compromised. Also luckily I used a password unique to Gawker sites.
posted by Lentrohamsanin at 8:43 AM on December 13, 2010


CunningLinguist

I chose 1Password off of Mathowie's endorsement, and currently have it syncing seamlessly between my computer and my iPod Touch using Dropbox.

Everyone

A party that may or may not have been responsible for the leaks claimed that the weak link was Gawker boss Nick Denton's password. I will not reproduce it here (because, y'know, leaking passwords is bad), but seeing it brings to mind this classic movie excerpt.

Rule of thumb: If I can implement your computer password on my briefcase, you're doing it wrong.
posted by The Confessor at 8:49 AM on December 13, 2010 [2 favorites]


Seems like Hacker News is also sending out emails, also WTF is an acai berry.
posted by Ad hominem at 8:59 AM on December 13, 2010


> My password is one I use a lot for other accounts. It is an English word, but it's a word that many people haven't heard of. It is shorter than that Md5/hash/thing. However, it is NOT the same password I use for Livejournal, my bank accounts, or my email. What the hell should I do?

Here is the simple test to determine whether you should change your passwords on other websites:
  1. Do you/did you have a Gawker account? If yes, continue. If no, continuing is optional.
  2. Did you reuse the email address and password on Gawker and some other website? If yes, continue. If no, continuing is optional.
  3. Is that email address and password used for anything other than commenting on blogs? If yes, people can use the data from the Gawker spreadsheet to compromise your account on those other sites. Change your passwords. If no, the worst that can happen is somebody can comment on another blog pretending they're you. But that might not be so cool. Change your passwords anyway.

posted by ardgedee at 9:02 AM on December 13, 2010 [1 favorite]


KeePass is available for Droid (Called KeePassDroid, amazingly), but it only supports KeePass v2 databases (kdbx?) in read-only mode at the moment. Full read-write support is available for KeePass v1 databases (kdb).
posted by Nice Guy Mike at 9:02 AM on December 13, 2010


Re Keepass - does it work on mobiles too?

Yes. That's specifically why I switched to it - on Android, the relevant port is called KeePassDroid. I'm pretty sure there's a port for iOS too.

Can I create a keepass and dropbox combo that would supply my passwords to my various work desktops and itouch and netbook?

Yes.

Do you have to cut and paste long strings of gobbledygook?

Yes, but KeePass ports, while they do vary from platform to platform, tend to make this pretty easy. For example, the Windows version lets you open the URL directly with the username and password already entered (well, you actually install a plugin for this called KeeForm, but it works very well). On Android, you get copy options for username and password in your notification bar. KeePassX on OS X doesn't appear to have these options, but it's easy enough to just right-click (or whatever the right-click alternative is called with the multitouch trackpad) and copy the password to the clipboard.
posted by me & my monkey at 9:07 AM on December 13, 2010


Anyone using LastPass on a machine that is accessed by a couple people? How good at it is keeping other people from accessing my accounts, or trying to interfere with them accessing theirs?
posted by rollbiz at 9:40 AM on December 13, 2010


Just to follow up on boo_radley's excellent recommendation for KeePass, Mac users have their own open source option called KeePassX. It isn't as pretty as the windows program, but it gets the job done. Also, there is an app on the iphone/ipad that is KeePassX compatible.

KeePass has been the most cross-platform tool available that I've been able to find, with Mac/Linux/Windows/iOS/Android implementations.
posted by rodgerd at 9:52 AM on December 13, 2010


If anybody still has an account or is interested, they are now having open Q&A sessions on two of their sites.

Lifehacker

Gizmodo
posted by lilkeith07 at 9:52 AM on December 13, 2010


My password is one I use a lot for other accounts. It is an English word, but it's a word that many people haven't heard of. It is shorter than that Md5/hash/thing. However, it is NOT the same password I use for Livejournal, my bank accounts, or my email.

What the hell should I do?
If it's an English word, it will be in some dictionary file somewhere. Pretty much every English word, plus common and uncommon variations, misspellings, abbreviations, etc. will be tested. So, what you should do is find every site where you use that password and change it. And for 'cheap' security (as in, would fool spammers, but not someone who had personally taken an interest in you, like an ex-bf or something) you can use a modified version for each site.

So for example, if your word is 'Flother', you could use 'fl0ther4fb' for Facebook, 'fl0ther4mefi' for Metafilter, and so on. Ideally you would throw another number on there to be safe. That's almost as easy to remember as a single password.

You can also write your passwords down on paper and keep them in a filing cabinet or something like that.
Can someone explain why there are still websites that don't allow you to use special characters in your password? Like some banks, for example?
Really, really bad programmers? Or perhaps they want to be able to read the password over the phone while talking with a phone-rep who might not know the names of the symbols.
Lucky me-- I got an account at io9 this week, using (I believe) one of my Regular Passwords. But I checked the google spreadsheet, using the MD5 technique kindly detailed by Yaymukund, and I came up with nothing. So... does this mean I dodged a bullet here?
Well, it wouldn't hurt to change your passwords just to be safe. And honestly, this really raises how important it is not to re-use the exact same (as opposed to similar) passwords. Even if you totally trust the guys running the site, can you trust that their security is top notch and unhackable?
Any password manager worth its salt will encrypt your password file with a standard algorithm like AES.
It's the same crypto that Wikileaks uses for its insurance file :)
posted by delmoi at 10:07 AM on December 13, 2010


rollbiz : I use it on a laptop my wife and I share. All she sees is a greyed out icon on the toolbar, and it doesn't interact with her surfing at all. When I click on it and log in, it activates and comes to life and retrieves all my passwords.
posted by crunchland at 10:07 AM on December 13, 2010 [1 favorite]


Is there any reason OS X users shouldn't use Keychain Access, which comes with the OS?
posted by five fresh fish at 10:25 AM on December 13, 2010


The only Gawker site I've ever considered joining was Deadspin because a friend was featured in an article...

I'm glad that I resisted the urge now. Not through some sort of superiority complex but more of a *whew* glad I don't have to worry about all this BS.
posted by schyler523 at 10:32 AM on December 13, 2010


I woke up to my Gmail account informing me that my credentials were incorrect, which is strange because the password in the dump file is nowhere near my real gmail password. I'm assuming someone tried, several dozen times, to log in with it, and it locked things up. I reset it and changed the password using the phone option, and haven't encountered any other issues, so hopefully that's dealt with.

Fuck.
posted by disillusioned at 10:36 AM on December 13, 2010 [1 favorite]


Is there any place that has put up the passwords that have been deciphered? I ask b/c I didn't ever really use my Gawker account once Idolator left, and so I don't remember the password that it had. I'd like to know so that I know whether or not to be scrambling all over the accounts I have had for the last 5 years. If these kiddies could actually tell me what it was, that would actually help.
posted by statolith at 10:42 AM on December 13, 2010


Well, at least I like that they've used this picture.
posted by Artw at 10:42 AM on December 13, 2010


disillusioned, there seems to be a lot of gmail hacking going on recently - it might be unconnected. Not that that will make you feel better.
posted by CunningLinguist at 10:45 AM on December 13, 2010


Over the last few months I've seen a couple of people with Google and Hotmail accounts get compromised - in all cases they've been using a pretty weak password, so it's possible that there's just a perpetual series of brute force attacks going on against Hotmail and Gmail addresses.
posted by Artw at 10:55 AM on December 13, 2010


A possible alternative to encrypted password stores is cryptographic-hash password generators. These use MD5 or SHA to combine a strong password with the domain name of the site, creating a new strong password for each site:

Nicwolf's SHA1 generator
Supergenpass
PwdHash for Firefox
posted by KirkJobSluder at 10:58 AM on December 13, 2010


What is really annoying is that to do anything on many websites you have to create an account. That means having, in my case, probably a hundred or more accounts on websites throughout the years, across the internet. No one can keep track of that many separate passwords.

I would disagree. As delmoi has mentioned, it's easy to write them down on a piece of paper. Even if you have 100s, it still works OK.

If you want to get semi-tricky, it seems simple to encrypt your written list in a way that would be hard to break. It just has to be a unique system you can memorize (i.e. sub Q for 6, ! for 9, then reverse it, etc.)

Password managers are great, but for me, paper (with simple substitution/transposing rules) is easier and soothes my inner paranoid. I don't usually worry about strength--8-12 characters with a few letters numbers and symbols *seems* strong enough - zEp3l1n%artm, etc. --- I suppose if I had any money or credibility, I might worry more.

And then yeah, I write it down and store it in a file cabinet on the back of a financial sheet in a folder, or somewhere else innocuously inconspicuous.

Many people, especially the IT guys, memorize a random string and move the first character to the end at every mandatory change.

I thought I was smart, but apparently everyone is. Sure speeds up logins.

Is there any place that has put up the passwords that have been deciphered?

I'm not totally sure what you're asking, but www.gawkercheck.com
posted by mrgrimm at 11:10 AM on December 13, 2010


disillusioned, there seems to be a lot of gmail hacking going on recently - it might be unconnected.

A secondary account of mine was accessed from China a few months ago, it had a definitely brute-forceable password. FWIW.
posted by rollbiz at 11:11 AM on December 13, 2010


Forbes' Firewall blog has a good review of the incident, and is not kind about Gawker's lack of policy and response:

The Real Lessons Of Gawker’s Security Mess
And when they have finished hiring a real security person and drafting an incident response plan, they can create a password composition and management policy, a policy on not writing passwords in chat logs, a patch management policy, and maybe for kicks a policy against bad mouthing their own users internally, users that they themselves put in harm’s way.
posted by We had a deal, Kyle at 11:16 AM on December 13, 2010 [5 favorites]


Or for a command-line version of the sha1 bookmarklet described above:
echo -n "password:metafilter.com" | openssl dgst -sha1 -binary | openssl enc -base64
posted by KirkJobSluder at 11:21 AM on December 13, 2010 [1 favorite]
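The generator scheme KirkJobSluder describes (the SHA1/Supergenpass/PwdHash bookmarklets, and the openssl one-liner just above) is small enough to write out in full, so here it is as an added example; this is illustration code, not the bookmarklets' own source. It reproduces the `sha1("master:domain")` base64 pipeline exactly, and adds two things that are assumptions rather than part of the scheme in the thread: a domain normalizer (scheme, port, path and a leading "www." stripped, so "www.metafilter.com" and "metafilter.com" produce the same password) and an optional counter so one site's password can be rotated after a breach without changing the master everywhere. `recover_master` shows the scheme's main weakness: the domain is public and the algorithm is a known bookmarklet, so one leaked generated password lets an attacker test master-password guesses offline at one SHA-1 each.

```python
import base64
import hashlib
from typing import Iterable, Optional
from urllib.parse import urlparse


def normalize_domain(site: str) -> str:
    """Reduce a URL or hostname to a stable key for the hash input.

    Assumption: key on the bare domain, dropping scheme, port, path and a
    leading "www.". Without this, "www.metafilter.com" and "metafilter.com"
    would silently yield two different passwords for one site.
    """
    if "://" not in site:
        site = "//" + site  # make urlparse treat the string as a network location
    host = (urlparse(site).hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    return host


def site_password(master: str, domain: str, counter: int = 0, length: int = 16) -> str:
    """base64(sha1("master:domain")), the same bytes the openssl pipeline prints.

    `counter` is an assumption, not part of the thread's scheme: when non-zero
    it is appended as ":N" so a single site's password can be rotated without
    touching the master password used everywhere else.
    """
    material = f"{master}:{normalize_domain(domain)}"
    if counter:
        material += f":{counter}"
    digest = hashlib.sha1(material.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")[:length]


def recover_master(leaked: str, domain: str, candidates: Iterable[str], counter: int = 0) -> Optional[str]:
    """What an attacker does with one leaked generated password.

    The domain is public and the scheme is a known bookmarklet, so the only
    secret is the master: each guess costs one SHA-1, and a dictionary word as
    master falls as fast here as it does in a site's password dump.
    """
    for guess in candidates:
        if site_password(guess, domain, counter, length=len(leaked)) == leaked:
            return guess
    return None


if __name__ == "__main__":
    # Constructed demo values, nothing from the dump.
    print(site_password("password", "metafilter.com", length=28))   # identical to the openssl one-liner
    print(site_password("password", "https://www.MetaFilter.com/"))  # normalizes to the same key
    leaked = site_password("password", "metafilter.com")
    print(recover_master(leaked, "metafilter.com", ["letmein", "qwerty", "password"]))
```

Two practical caveats the bookmarklets share: base64 output contains `+`, `/` and `=`, which some sites (banks especially, per the complaints above) refuse, so you end up needing per-site length and character rules anyway; and without a counter there is no way to change one site's password after a breach except by changing the master, which changes every password at once.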


Well, I guess I was about due for a password audit anyway, and now that my MD5 turned up in the database, I've spent the morning cleaning up, changing passwords, and implementing Lastpass. Was a bit alarmed to notice after the Lastpass audit that I had somehow decided to use my generic low-security password on at least two sites with which I had financial transactions. And that's while knowing completely better about password security

Now that I've cleaned up the Gawker damage and instituted Lastpass, I guess I get to switch my worries from balancing "memorable" and "hard to guess" password qualities to worrying about not forgetting the One Password To Rule Them All.

...and what happens to the little grey cells once I stop typing in passwords in favor of auto-fill and auto-generate. If anyone notices me gibbering and wandering headfirst into walls, that'll probably be why.
posted by badgermushroomSNAKE at 11:24 AM on December 13, 2010


Is there any place that has put up the passwords that have been deciphered?

I'm not totally sure what you're asking, but www.gawkercheck.com


I think the question being asked is if there is anywhere to actually see the actual plaintext of the hacked passwords themselves, because people can't remember which of a few regularly used passwords were used in this case and are not sure which ones need to be changed.
posted by elizardbits at 11:24 AM on December 13, 2010


What a debacle. The Atlantic points out this outs many anonymous Gawker accounts, too. Be interesting to see what astroturfing has been going on.

Passwords are bad user design. We need to eliminate them, and replace them with federated login like OpenID (or, sadly, Facebook Connect). StackExchange has proven this can work for a large user base. But that's a technological shift for the whole web. In the meantime the best we poor users can do is use a password agent like 1Password or LastPass.
posted by Nelson at 11:32 AM on December 13, 2010


I think the question being asked is if there is anywhere to actually see the actual plaintext of the hacked passwords themselves, because people can't remember which of a few regularly used passwords were used in this case and are not sure which ones need to be changed.

Yes. I mean, surely the kiddies are distributing this info. At this point, I'd actually like to see what my password was, so that I can know whether or not to be concerned. I realize that's down to my laziness in setting up the account, but that's where we are.

But, in the meantime I am changing my passwords for things I use daily, but certainly there are other accounts out there that I just haven't thought of in a while.
posted by statolith at 11:53 AM on December 13, 2010


Weirdly when I've commented on io9 they never asked me to sign up, they just asked for an email addy and had me click on a confirmation. However this whole thing has had the side effect of inspiring me to change out some of my weaker passwords on things like Twitter, so, hey, that's good.
posted by Artw at 11:59 AM on December 13, 2010


I use my SSH key. Should I be concerned?
posted by verb at 12:01 PM on December 13, 2010 [1 favorite]


The torrent is gone from The Pirate Bay. While I understand why they'd want to remove it, it seems a bit hypocritical.
posted by ymgve at 12:08 PM on December 13, 2010


We need to eliminate them, and replace them with federated login like OpenID (or, sadly, Facebook Connect).

I would like to retain the option of at least superficially presenting different faces on different websites.
posted by kenko at 12:18 PM on December 13, 2010 [1 favorite]


kenko, nothing prevents you from using multiple OpenID accounts for different personas. The key is that you would be keeping track of your personas, not all of the random web sites you've used your credentials to sign into.

OpenID isn't perfect, but it's a hell of a lot better than forcing people to maintain a crap password for every random blog they comment on.
posted by verb at 12:30 PM on December 13, 2010 [1 favorite]


My password is one I use a lot for other accounts. It is an English word, but it's a word that many people haven't heard of...

delmoi : If it's an English word, it will be in some dictionary file somewhere. Pretty much every English word, plus common and uncommon variations, misspellings, abbreviations, etc will be tested.

Yep. One of my responsibilities at a previous employer was to run a pass of the aforementioned John the Ripper on the corporate password file and alert anyone whose security could be passed in the dictionary attack.

Our dictionary file was a piece of artwork, including words from every language dictionary we could get our hands on, as well as sci-fi terms and names (lots and lots of these), sports teams, children's names, and intentionally mis-spelled variations of all of the most common ones.

No single correctly spelled word would last more than a few seconds.

The easiest way to instantly make any password vastly more secure is to throw a !, or a @ (or any non-alphanumeric) in there somewhere.
posted by quin at 12:32 PM on December 13, 2010


The easiest way to instantly make any password vastly more secure is to throw a !, or a @ (or any non-alphanumeric) in there somewhere.

Isn't this no longer the case given that most substitutions are predictable and easy to algorithmically cover?
posted by KirkJobSluder at 12:35 PM on December 13, 2010


From Forbes:

An organizations source code can be a key enabler of identifying weaknesses in their applications, and is valuable to have if you are planning such an attack. It’s not clear that there is anything left for someone to take at Gawker now though.

Epic pwn.
posted by Potomac Avenue at 12:45 PM on December 13, 2010 [2 favorites]


Do Not Taunt Happy Fun Imageboard.
posted by Gator at 12:55 PM on December 13, 2010 [3 favorites]


The easiest way to instantly make any password vastly more secure is to throw a !, or a @ (or any non-alphanumeric) in there somewhere.
Isn't this no longer the case given that most substitutions are predictable and easy to algorithmically cover?
If you change "password" to "p@ssword", yeah, that's probably not going to help you much, but quin didn't specifically say to make a substitution like that. Changing "password" to "pas@sword" might actually help.

Disclaimer: I don't know how much. But I would bet significantly more than "password" to "p@ssword".
posted by Flunkie at 1:04 PM on December 13, 2010 [1 favorite]


LM hashes are especially bad. Every character combination up to 14 chars is available so it doesn't matter how many non-alpha chars you put.

Even back in the olden days people quickly stopped running /usr/dict/words against /etc/password and started appending/prepending/substituting non-alpha chars into their word list. So p@ssw0rd is just as useless as password.
posted by Ad hominem at 1:07 PM on December 13, 2010


0f c0urs3 h4ck3rz pr0b4bly kn0w h0w to sp34k in l33t...
posted by Artw at 1:07 PM on December 13, 2010 [1 favorite]


If you look at the ophcrack tables it seems that all combinations up to 14 chars are available for LM hashes.
posted by Ad hominem at 1:10 PM on December 13, 2010


Banking passwords seem ridiculously simple, as you're often limited to numbers only, or numbers and letters, up to 8 characters. So what added security do banks use? Stronger encryption?
posted by rosebuddy at 1:19 PM on December 13, 2010


So what added security do banks use? Stronger encryption?

They just spread the pain around and whine to congress about how they're not making enough money. For minor fraud, it's easier to just reverse the charges, and pass the costs on to the consumer.

For people who care, most banks offer two-factor authentication using something like Digipass combining a password with a time-sensitive cryptographic token. This apparently has been broken via a good man-in-the-middle attack but there's more than enough low-hanging fruit from phishing to make that uncommon so far.
posted by KirkJobSluder at 1:26 PM on December 13, 2010


Some banks require you to set a cookie on your machine; when a new machine with no cookie connects they send a key via email or text message that you then have to enter in. Kind of a half-assed two-factor "what you have/what you know" authentication scheme.

In addition there will be pretty beefy internal security measures way beyond what these guys were doing. 3 tiers between public-facing internet and internal systems separated by whitelist chokepoints. Each protocol/port/machine/user is reviewed on an individual basis by the internal security team. Each internal connection in those three zones will use IPSEC or SSL, so if you break into a public-facing machine you won't see any other traffic. Nessus/Snort/Tripwire used proactively; if Nessus takes down your app you are SOL. This is a 10,000-foot overview since I am not a security guy but I am responsible for following the guidelines in my own apps.


Yeah digipass and RSA SecureId are susceptible to MITM attacks.
posted by Ad hominem at 2:00 PM on December 13, 2010


I never really understood Bank of America's scheme, which is to send me a little Site Key image and phrase of my choice, at which time I can supposedly feel safe enough to type in my password.

I guess it's to assure people that they are actually visiting Bank of America and not a phishing page? but couldn't a phishing site just query Bank of America's website with my User ID and then serve my Site Key back to me (aka Man in the Middle)?
posted by muddgirl at 2:05 PM on December 13, 2010


I do think that two-factor authentication is better than passwords alone right now.
posted by KirkJobSluder at 2:06 PM on December 13, 2010


US banks were required a few years ago to beef up login security. That's when they started all adding the silly "do you recognize this image?" thing. It's a modest help against phishing attacks, but it's not terribly strong.

For some reason US banks are loath to offer two-factor authentication, which I understand is common in Europe. I insisted at my bank and got some sort of token generator. Yeah, it might be vulnerable to a quick MITM attack, but that's about 1% of the risk of not having it at all.

A couple of security experts I know have founded Duo Security. They make it easy for sites to offer two factor authentication using a cell phone along with a password. I think they could be very successful.
posted by Nelson at 2:11 PM on December 13, 2010


That Forbes link is fascinating in its clarity.

The evidence also suggests the attackers have had access to Gawker’s internal systems for a period of time that is at least a month, and that they gained root level access to servers the Gawker Media web properties are hosted on...

They have lost their source code, leaked an upcoming redesign, had to restore data on at least one server, and have to sweep for any shells the attackers may have left behind. And there is an element of reputation damage in that they experienced a breach of their users' data.

Despite this, they do not really seem to be acknowledging the scale of what happened. They still try to put some blame back on users, suggesting that if they had a weak password they might be compromised. Well, that really does not make much of a difference when you expose the entire database table and have way too much faith in the 34 year old encryption algorithm reported to be used to safeguard the data. In truth, they had over a month to find this problem but diagnosed the early warning signs in November improperly, were very obviously breached (and told they were breached by others) on Saturday, and it still took until Monday afternoon to say anything to their user base. And in the meantime their representatives were releasing statements via Twitter up until Saturday evening that were either partially or totally incorrect.

posted by mediareport at 3:03 PM on December 13, 2010 [6 favorites]


Isn't this no longer the case given that most substitutions are predictable and easy to algorithmically cover?

I believe John the Ripper (a standard Unix cracker program) tries random 3133t-$p3@k substitutions in dictionary words in an early run of the cracker.

Here are some representative comments from john the ripper's default configuration file (/etc/john.conf). I believe these are in the order that JtR tries passwords (first to last), which correlate pretty well with how difficult a password is to remember:

# Try words as they are
# Lowercase every pure alphanumeric word
# Capitalize every pure alphanumeric word
# Lowercase and pluralize pure alphabetic words
# Lowercase pure alphabetic words and append '1'
# Capitalize pure alphabetic words and append '1'
# Duplicate reasonably short pure alphabetic words (fred -> fredfred)
# Lowercase and reverse pure alphabetic words
# Prefix pure alphabetic words with '1'
# Uppercase pure alphanumeric words
# Lowercase pure alphabetic words and append a digit or simple punctuation
# Words containing punctuation, which is then squeezed out, lowercase
# Words with vowels removed, lowercase
# Words containing whitespace, which is then squeezed out, lowercase
# Capitalize and duplicate short pure alphabetic words (fred -> FredFred)
# Capitalize and reverse pure alphabetic words (fred -> derF)
# Reverse and capitalize pure alphabetic words (fred -> Derf)
# Lowercase and reflect pure alphabetic words (fred -> fredderf)
# Uppercase the last letter of pure alphabetic words (fred -> freD)
# Prefix pure alphabetic words with '2' or '4'
# Capitalize pure alphabetic words and append a digit or simple punctuation
# Prefix pure alphabetic words with digits
# Capitalize and pluralize pure alphabetic words of reasonable length
# Lowercase/capitalize pure alphabetic words of reasonable length and convert:
# crack -> cracked, crack -> cracking
# Try sequences of adjacent keys on a keyboard as candidate passwords


Other portions of the conf file detail l33t-sp3@k substitutions. If you were doing a custom crack, it would be obvious to try dictionaries specific to the language, geography, or knowledge domain (e.g. finance, taxes, medical, nerd culture, etc.) that are likely base passwords.
posted by benzenedream at 4:02 PM on December 13, 2010 [3 favorites]
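The rule list benzenedream pastes, delmoi's 'fl0ther4fb' scheme, Flunkie's 'pas@sword' and Ad hominem's 'p@ssw0rd' are all testable with a few lines of code, so here is an added example (written for this page, not John the Ripper's actual implementation or anything from the dump) that implements a small subset of those mangling rules and runs them against a constructed hash list. Assumptions are marked in the code: the leet table and symbol set are deliberately small, the per-site tags in `SITE_TAGS` model an attacker who has noticed the "4fb"/"4mefi" habit while working one site's dump, and the hash list uses plain unsalted MD5 purely so the run is instant; it is not Gawker's storage format.

```python
import hashlib
import itertools
import string
from typing import Dict, Iterable, List, Set

# Substitutions in the spirit of John the Ripper's l33t rules. Constructed for
# this demo; the real rule set is much larger.
LEET = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5", "t": "7"}
SYMBOLS = "!@#$"
# Assumption: an attacker working one site's dump will notice the per-site tag
# habit ("4fb", "4mefi") and add it as a rule like any other suffix.
SITE_TAGS = ("fb", "mefi", "gawk")


def md5hex(s: str) -> str:
    # Unsalted MD5, chosen only to keep the demo instant; not a real storage format.
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def leet_variants(word: str) -> Iterable[str]:
    """Every combination of the LEET substitutions applied to word."""
    options = [(c,) + tuple(LEET.get(c.lower(), "")) for c in word]
    for combo in itertools.product(*options):
        yield "".join(combo)


def mangle(word: str) -> List[str]:
    """Candidate passwords derived from one dictionary word, cheapest rules first."""
    out: List[str] = []
    seen: Set[str] = set()

    def add(c: str) -> None:
        if c not in seen:
            seen.add(c)
            out.append(c)

    lower, cap = word.lower(), word.capitalize()
    forms = [word, lower, cap, word.upper(), lower[::-1], lower * 2]
    for f in forms:
        add(f)  # "Try words as they are", case variants, reversed, duplicated
    for f in (word, lower, cap):
        for d in string.digits:
            add(f + d)  # "append '1'" and its siblings
            add(d + f)  # "prefix with digits"
        for s in SYMBOLS:
            add(f + s)
            add(s + f)
            for i in range(1, len(f)):  # symbol inserted at any position: catches "pas@sword"
                add(f[:i] + s + f[i:])
    for f in (lower, cap):
        for v in leet_variants(f):  # catches "p@ssw0rd" and "fl0ther"
            add(v)
            for tag in SITE_TAGS:
                add(f"{v}4{tag}")  # catches "fl0ther4fb"
                for d in string.digits:
                    add(f"{v}4{tag}{d}")  # and the "throw another number on there" variant
    return out


def crack(hashes: Set[str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Map each hash that some mangled candidate hits to the plaintext that hit it."""
    found: Dict[str, str] = {}
    for word in wordlist:
        for cand in mangle(word):
            h = md5hex(cand)
            if h in hashes and h not in found:
                found[h] = cand
    return found


if __name__ == "__main__":
    # Constructed dump: five passwords from the thread's own examples.
    dump = {md5hex(p): p for p in ["p@ssw0rd", "pas@sword", "fl0ther4fb", "Flother1", "zEp3l1n%artm"]}
    found = crack(set(dump), ["password", "flother", "zeppelin"])
    for h, plain in dump.items():
        print(f"{plain:14} {'cracked' if h in found else 'survived'}")
```

With a three-word wordlist the run cracks 'p@ssw0rd', 'pas@sword', 'fl0ther4fb' and 'Flother1' in well under a second; the site-tag variants fall as soon as the tag is a rule, which is the weakness in delmoi's scheme once an attacker is looking at one site's dump specifically. mrgrimm's 'zEp3l1n%artm' survives this particular rule set because the "%artm" suffix is not derivable from any rule here, which is the real lesson: the mutation has to be one the rule writer did not think of, not merely a symbol somewhere in a dictionary word.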


Did I get Gawkered? A very simple site for testing if an email address is in the stolen password database. No manual hashing nonsense required.
posted by Nelson at 5:14 PM on December 13, 2010 [1 favorite]


The big sites I was worried about when it came to my password were Livejournal, ebay, my webmail, my bank account, facebook, and here.

However, I just checked them all, and only ebay has the same password as the one I used for Jezebel that one time. I've changed that, and also changed Amazon (that was a minor thing to my mind).

Everything else is random blog stuff that I rarely comment on, so meh.
posted by EmpressCallipygos at 5:28 PM on December 13, 2010


Thanks to the gross incompetence and arrogance of Gawker Media and to the irresponsible decision by Gnosis to release all of that user data, I've finally dealt with the password laziness that has plagued me for years and become a LastPass customer.

I feel pretty confident that it's the nicest thing that either organization has ever done for me...
posted by rollbiz at 6:02 PM on December 13, 2010


Perhaps rather than Anonymous, the instigators are actually the Hollywood Gawker-Stalked set.
posted by eegphalanges at 6:03 PM on December 13, 2010


24 hours after I freshened up all my passwords and 13 hours after getting notice from hint.io, I finally get an email from Gawker Media:

Subject: Gawker Comment Accounts Compromised -- Important

This weekend we discovered that Gawker Media's servers were compromised,
resulting in a security breach at Lifehacker, Gizmodo, Gawker, Jezebel,
io9, Jalopnik, Kotaku, Deadspin, and Fleshbot. As a result, the user name
and password associated with your comment account were released on the
internet. If you're a commenter on any of our sites, you probably have
several questions.

We understand how important trust is on the internet, and we're deeply
sorry for and embarrassed about this breach of security. Right now we
are working around the clock to improve security moving forward. We're
also committed to communicating openly and frequently with you to make
sure you understand what has happened, how it may or may not affect you,
and what we're doing to fix things.

This is what you should do immediately: Try to change your password in
the Gawker Media Commenting System. If you used your Gawker Media
password on any other web site, you should change the password on those
sites as well, particularly if you used the same username or email with
that site. To be safe, however, you should change the password on those
accounts whether or not you were using the same username.

We're continually updating an FAQ (http://lifehac.kr/eUBjVf) with more
information and will continue to do so in the coming days and weeks.

Gawker Media


I guess it took a while to run that masterpiece past the lawyers and the PR experts.
posted by rosebuddy at 6:14 PM on December 13, 2010


I just got an e-mail from Gawker saying that my password was compromised and I should change it. Earlier I had an e-mail from Hint saying the same. And I followed the steps in this thread to ascertain that, yes, my thingee on whatever the hell it was Gawker site I registered for was compromised. But I don't remember what password I used. So maybe I'm safe from nasty people posting comments in my name. (This is a genuine comment of course by the real person not a scumbag hacker.)
posted by CCBC at 6:22 PM on December 13, 2010


I must say, I'm more than a little surprised that boingboing hasn't made any mention about the security breach. There are references to it in the "Submitterator," but nothing on their front page at this point. Professional courtesy?
posted by crunchland at 6:31 PM on December 13, 2010 [1 favorite]


Huh. So it turns out I have an account at Gawker. Thing is, I have no idea what username or password I used. Luckily, I used a throwaway email address, so at least the hackers don't have that.
posted by dirigibleman at 6:36 PM on December 13, 2010


Hmm, just got an e-mail from Linked-In saying they've disabled my account and I need to get a new password. Wonder if they're getting so much backwash with this problem that they're automatically shutting down everybody just to be safe.
posted by ThePinkSuperhero at 6:39 PM on December 13, 2010 [1 favorite]


I got the same email from LinkedIn. Basically, I switched all my important stuff to a password manager and I'm adding the non-important stuff as they report problems.

Except Jezebel. I unsubscribed from their RSS a few weeks ago, and I'll be glad to forget my password.
posted by muddgirl at 6:43 PM on December 13, 2010


Also, can we talk about hint.io here?
hint's founders include veterans from WSJ.com and Heyzap - the same people who architected the infrastructure for their ecommerce & authentication systems to scale to 200,000,000 Pageviews per month & $100 MM per year and who have unique insight into best practices for virality, monetization, and user acquisition/ retention.
Emphasis mine.

Does "unique insight into best practices for virality" include using a list of hacked emails as an excuse to spam your "private" beta website? I mean, yeah, cheers for letting some people know, but also jeers for the self-link.
posted by muddgirl at 6:50 PM on December 13, 2010


krautland: "Denton had it coming."

Did millions of others? Comments like that show the pernicious nature of Schadenfreude. It seems harmless to think of a random corporate jerk getting some comeuppance, but what's also happening is a desensitization to the fact that a whole whack of other humans got a small dose of pain in the bargain.

This incident is a good example why delight in the misfortune of others is just not a worthwhile emotional habit.
posted by Hardcore Poser at 8:16 PM on December 13, 2010


1958 people used "password" as their password? Another 681 used "qwerty"?
BWAAHAAAHAHAHAAAAAAAAAA!


I knew idiots at a previous job who used "strong" passwords like 1qaz2wsx (first two columns on the keyboard) thinking this was effective. I couldn't get across to them how much this was definitely not the case, since password lookup tables know keyboard layouts like this.
posted by odinsdream at 8:24 PM on December 13, 2010


Twitter is getting heavily spammed by compromised accounts, presumed linked to the gawker hack - i.e. people using the same login and password at both sites.

I'm so looking forward to dealing with the extra deluge of spam from compromised email accounts because gawker used a security system roughly equivalent in effectiveness to a chocolate teapot.
posted by ArkhanJG at 12:03 AM on December 14, 2010 [1 favorite]


"Any password manager worth its salt will encrypt your password file with a standard algorithm like AES."

Heh.
posted by iamkimiam at 12:21 AM on December 14, 2010


Hmm. Logged into my Yahoo account for the first time in ages and it informs me that it believes it has been compromised and could I please change the password.
posted by Artw at 1:02 AM on December 14, 2010


"The NYC novelist gathers her news not from Poets & Writers but from the Observer and Gawker; not from the academic grapevine but from publishing parties, where she drinks with agents and editors and publicists."

Better keep that typewriter handy.
posted by clavdivs at 1:08 AM on December 14, 2010


A couple of security experts I know have founded Duo Security. They make it easy for sites to offer two factor authentication using a cell phone along with a password. I think they could be very successful.

My last bank used SMS as the second factor, which I really liked; they had a nicely fine-grained model that allowed me to set second factor policies, as well, so I could, e.g., login with a password, but bill payments required a 2FA challenge.

My current bank uses a battleship card (card with a 2D challenge-response grid), which is much less convenient. All the NZ banks I can think of have at least some sort of 2FA by now, I believe.

A lot of it is driven (speaking as someone who's worked in banking during the uptake of Internet banking as a service) by customer perceptions. One place I used to contract had a system that required an X.509 cert to be carried around by the customer, used a Java applet with a pop-up keyboard for authentication, and a Java applet for the banking - that was back in the day when it was all shiny and new, customers were terrified of being compromised, and browsers were still shipping low-quality encryption due to export controls.

The whole lot was thrown away and replaced with a vanilla, single-factor web app once a critical mass of customers found the inconvenience outweighed their fear of fraud. 2FA was introduced by the same bank once enough headlines about phishing scams and whatnot stampeded customers back in the other direction.
posted by rodgerd at 1:18 AM on December 14, 2010


Although I still don't get how your secure password is so secure if you somehow have to spend three hours changing all passwords everywhere because *one* account was hacked.

I've been forced to reset passwords on several sites unrelated to the gawker empire, because those sites have either proactively scanned the list and recognized the usage of same email address (not same password), or else have already gotten enough failed attempts to trigger their security systems.
posted by nomisxid at 2:29 AM on December 14, 2010


Hmm, just got an e-mail from Linked-In saying they've disabled my account and I need to get a new password. Wonder if they're getting so much backwash with this problem that they're automatically shutting down everybody just to be safe.

Same here. In their shoes I might do the same: LinkedIn sets great store by their "professional" image. They really can't afford for it to be overrun by spammers. Since they've no idea whether you've set a strong password or not, nor whether you use a different password for every account, it's safer just to disable your current account & have you reset the password (which is a very low impact affair, so long as you still have access to the email address registered with LinkedIn).

I always use different secure passwords for every account (generated with pwgen -n 10 -y under Linux usually) so my LinkedIn account couldn't have been compromised, but with something like this I don't blame LinkedIn for using the "nuke them from orbit, it's the only way to be sure" approach.
posted by pharm at 2:58 AM on December 14, 2010


5) How can I delete my account?
We understand how important trust is on the web, and some of you may wish to delete your Gawker Media account. Currently account deletion is not available. We will, however, give you this option as soon as possible.


Jackasses.
posted by crunchland at 3:52 AM on December 14, 2010 [4 favorites]


As a followup, I cracked my own password using a brute force attack that took only 25% of my CPU over roughly 2 hours. It was only six characters long, with letters and numbers, and no special dictionary was used. It was a throwaway password, sure, but I doubt that many of the encrypted passwords are much more complex.
posted by cavalier at 5:18 AM on December 14, 2010


Battle.net sent me an email telling me to reset my password due to the Gawker breach. I'm having quite a bit of fun (not) wondering how much Gawker's negligence will inconvenience me, or worse. Looking forward to the legal types doing what legal types do.
posted by litnerd at 5:49 AM on December 14, 2010


On the hint.io front, I had never interacted with them (or even heard of them, for that matter). Checking my junk mail folder this morning, I noticed that I got an email from them.

Did they seriously do a mass mailing from a list of hacked emails and send unsolicited mail to all of them? I'm really not too sure how I feel about that...
posted by rollbiz at 5:57 AM on December 14, 2010



Did they seriously do a mass mailing from a list of hacked emails and send unsolicited mail to all of them? I'm really not too sure how I feel about that...


On the one hand, yeah, it was weird and maybe a bit self-promoting. On the other hand, I didn't get an email from Gawker informing me that my login and password's been made public until 9pm last night. Which is way more than disappointing. Hint.io sent me a message yesterday morning, and though it looked suspicious/phishing-ish, it got me Twitter searching for the real story long before Gawker thought of oh, I don't know, emailing their users about what happened.
posted by litnerd at 6:03 AM on December 14, 2010


So the score for me seems to be:

+1 Hint.io email (yesterday morning)
+1 Linkedin "disabled for security" warning (yesterday night)
+1 Official Gawker notification to secondary email account that has a Gawker account that hasn't been active for years and that I forgot existed (yesterday night)
+0 Official Gawker notification to main email, which has my semi-active (which is to say, at least I remember this one exists) Gawker account that I have confirmed to be in the hacked list.

Um...Gawker, this does not really inspire confidence.
posted by badgermushroomSNAKE at 6:05 AM on December 14, 2010


On the one hand, yeah, it was weird and maybe a bit self-promoting. On the other hand, I didn't get an email from Gawker informing me that my login and password's been made public until 9pm last night.

Yeah, like I said I really don't know how I feel about it. It wasn't overly promotion-ish, but it was an unsolicited mass email. Gawker was nice enough to inform me of the breach at 2:13 this morning, after Hint.io's email and after LinkedIn had informed me that they disabled my account, which would've been really confusing if I didn't know why. I hadn't been to a Gawker site in at least six months, and hadn't commented in so long I couldn't even remember what my login info was, but I will not be going back to any sites under their umbrella. No huge loss there anyway...
posted by rollbiz at 6:14 AM on December 14, 2010


Like others, I wish there were a way I could see what password I used. I made one comment with the account I had, nearly three years ago. Being able to see what I actually used would go a long way towards peace of mind; I've changed all of the passwords that are popping up in my head as "OMG IMPORTANT", but that doesn't mean I've actually thought of them all.
posted by menschlich at 6:47 AM on December 14, 2010


LinkedIn's latest tweet:
sorry for the inconvenience, as a proactive measure we've reached out to users potentially affected by the gawker breach regarding password

Well that makes me feel better. The four notices I received about my account being disabled freaked me out a bit.
posted by Big_B at 8:36 AM on December 14, 2010


For those of you who got the torrent and want to figure out if it's one of your common passwords or a disposable password, the 2nd column is just the result of crypt(plaintext,first two chars of cryptpw);, so something like this will decrypt it for you:

#!/usr/bin/perl
use strict; use warnings;
# args: plaintext password, then the 2-char salt (first two chars of the stored hash)
print crypt($ARGV[0], $ARGV[1]) . "\n";

usage is just plaintext password and the first 2 characters of the encrypted password, so "script.pl password R4" and confirm that the result is the same as the second column in the database dump. John the Ripper wasn't having much luck with mine, but it was the second disposable password in my arsenal, which makes me feel better. I'm fairly sure the second crypted section (starting with $2a$) is just the Blowfish version of the DES crypt for compatibility with passwords longer than 8 characters, but I can't whip up a quick decrypter to confirm.
posted by Kyol at 9:42 AM on December 14, 2010
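The same check as an added example that is not from the thread, written in Ruby (whose String#crypt calls the same crypt(3) as the Perl one-liner): it identifies which scheme a hash column uses, recomputes it from the salt embedded at the front, and shows that the traditional DES column only ever covers the first 8 characters of a password. It assumes the platform's crypt(3) supports DES; where the bcrypt scheme is unavailable the check returns nil instead of a verdict, and the records are the public crypt(3) documentation vectors, constructed here, not values from the dump.

```ruby
# Added example, not code from the thread. Checks a candidate password
# against a hash in the leaked dump's two formats via the system crypt(3).

DES_HASH_RE    = %r{\A[./0-9A-Za-z]{13}\z}                   # 2-char salt + 11-char hash
BCRYPT_HASH_RE = %r{\A\$2[aby]\$\d{2}\$[./0-9A-Za-z]{53}\z}  # "$2a$NN$" + 22 salt + 31 hash

def hash_scheme(stored)
  return :des    if stored.match?(DES_HASH_RE)
  return :bcrypt if stored.match?(BCRYPT_HASH_RE)
  :unknown
end

# The salt sits at the front of the stored string; crypt(3) takes it as its
# second argument and reproduces the whole string when the password matches.
def salt_of(stored)
  case hash_scheme(stored)
  when :des    then stored[0, 2]
  when :bcrypt then stored[0, 29]
  end
end

# true/false on match/mismatch; nil when this platform's crypt(3) cannot
# compute the scheme (old glibc has no bcrypt, some builds drop DES).
def hash_matches?(candidate, stored)
  salt = salt_of(stored)
  return nil if salt.nil?
  computed = candidate.crypt(salt)
  return nil if computed.start_with?("*")   # libxcrypt failure token
  computed == stored
rescue SystemCallError
  nil
end

# Which of your own throwaway passwords was the one on a leaked account?
def find_matching_candidate(candidates, stored)
  candidates.find { |c| hash_matches?(c, stored) == true }
end

# Constructed records: crypt(3) documentation vectors for "rasmuslerdorf".
DES_RECORD    = "rl.3StKT.4T8M"
BCRYPT_RECORD = "$2a$07$usesomesillystringfore2uDLvp1Ii2e./U9C8sBjqp8I90dH6hi"

if __FILE__ == $PROGRAM_NAME
  puts find_matching_candidate(%w[hunter2 rasmuslerdorf], DES_RECORD)
  # Traditional DES crypt only reads the first 8 characters, so a longer
  # password is no stronger in this column than its 8-character prefix.
  puts hash_matches?("rasmuslerdorf-and-more", DES_RECORD)   # true
end
```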


This claims to be Gnosis' hacking notes.
posted by five fresh fish at 9:55 AM on December 14, 2010


Or use this: Online DES Encryption Tool - password is the plaintext password and salt is the first 2 characters of the encrypted password.
posted by Kyol at 10:07 AM on December 14, 2010


This claims to be Gnosis' hacking notes.

"Hackers, long content with garnering in-group accolades by hacking banks and government servers, have now realized the one true path to fame and notoriety: Bring down a blog empire dedicated to celebrity gossip, pictures of kitties, and misuse of the word 'hack'."

OMG, I think I just figured out their real goal in all of this.
posted by muddgirl at 10:17 AM on December 14, 2010


Marla Singer: “1958 people used "password" as their password?”

Good for them. "password" is my password on my accounts on at least five different websites. It's fucking Gawker, man. 'Oh no! Security breach! Somebody might post comments on Gawker in my name! THE WORLD WILL END!' Seriously, nowadays who doesn't have three hundred different usernames and passwords for different accounts across the internet, using three or four different computers? I'm sorry, Captain Security, but even though www.this-is-just-a-fucking-message-board-about-poop.com requires me to sign in with a password, I am not gonna go to the trouble of thinking up a fancy secure password string using some arcane algorithm derived from patterns hidden in the Tibetan Book of the Dead.

The stupid people are not the people who have a proper perspective on Gawker's extreme unimportance in the world and choose "password" as a password. So their Gawker accounts are taken over -- who gives a crap. The stupid people are the people who used the same passwords for Gawker and for their email and bank accounts. And I'm willing to bet there are more of those, sadly.
posted by koeselitz at 10:30 AM on December 14, 2010 [8 favorites]


Also, surprisingly, some 4channers don't seem to have any sense of humor, and take themselves quite seriously.
posted by muddgirl at 10:42 AM on December 14, 2010


This exactly.

Gawker is the very definition of the kind of place where a throwaway password is perfect.
posted by schyler523 at 10:50 AM on December 14, 2010


This is why you use bcrypt.


Sure nuff.
posted by These Premises Are Alarmed at 10:59 AM on December 14, 2010


The hitch is I _had_ a throwaway password, but some disposable sites started requiring more and more secure passwords on them, which led to a slow escalation. *sigh*
posted by Kyol at 11:15 AM on December 14, 2010 [1 favorite]


I just logged in as Koeselitz to write that. For my next trick I will make him praise Fall Out Boy for 6 paragraphs.
posted by Potomac Avenue at 11:25 AM on December 14, 2010 [4 favorites]


I agree that it's a bit infuriating that websites ask for huge amounts of information for trivial purposes. But password managers make it just as trivial to come up with a secure password, and then remember it for you. Problem solved.
posted by crunchland at 1:03 PM on December 14, 2010


I'm loving Keepass, especially the CTRL-ALT-A trick to make it fill in forms with your username and password. It's almost as easy as Firefox filling it in for you, but safer, and I can make it generate and remember crazy passwords.
posted by CunningLinguist at 1:27 PM on December 14, 2010


Heh. io9 just fed Hackerpocalypse back into itself. It's a way to keep the quota beats at bay for 15 minutes, I guess.
posted by Artw at 2:26 PM on December 14, 2010


An Interview with Gnosis, the group behind the Gawker hacking:

=====
What motivated you to hack Gawker? Did you have something against Denton, Gawker or its writers? Or all of them?

T: We were motivated by the sheer arrogance of the Gawker group of bloggers. We are a technologically minded group of people, and we enjoy a challenge. When we got in, we were shocked by the apparent lack of any layers of security, setting off a chain, leading to compromise.

N: As for the question about if this is a thing against its writers, I personally have nothing against them, they have built what they call an “empire” and I respect that. So no, it is nothing personal.

So this had nothing to do with the 4chan/Gawker spat many months ago? Are you saying it’s unrelated?


N: Completely.

What do you say to the people who had their details compromised? Aren’t they just unwitting pawns in the crossfire?

I: We apologize that you were caught in the crossfire of this attack, if you have a sufficiently good password over 8 characters then you are most likely not at risk, anyone could have done what we did, it was wide open for everyone to exploit, we just got there first.

Why did you release user data?

I: TBH, they would rather it was us, than some Russian spammer who would sell their databases, or use them for more malicious uses.

T: Release is the safest path, as it allows lessons to be learned.

Can’t you argue that a spammer would be able to use this data anyway?

N: A spammer could easily use this, but the true value lies with the passwords. Someone clever could have extracted this information and then bruteforced the hashes to get the passwords, and slowly and maliciously exploited them. Now they are out in the open the people affected will be able to change.

In the short term yes, they could be used maliciously, but long term we would hope that the majority would change their passwords. We don’t want to condone what we did as right, because it will cause damage to the people caught in the “crossfire” but it should be a reminder to everyone that security does matter and that big sites take unacceptable liberties with users’ data.

T: Additionally, we let users know their data was compromised, as we didn't look for other tracks, but it doesn't mean to say they were not there. As we have repeated, _anyone_ could have gotten their hands on this info.

N: (Anyone with some skill that is)

T: Indeed.
=====
posted by mediareport at 3:48 PM on December 14, 2010 [2 favorites]


Curiosity is their only crime! That and kind of being a bunch of dicks.
posted by Artw at 3:52 PM on December 14, 2010


Aww, it was all just a big object lesson on internet security! How thoughtful.
posted by Marisa Stole the Precious Thing at 3:53 PM on December 14, 2010


McDonald's and Walmart: email addresses, birth dates stolen by hackers

From McD's faq about the incident (they don't bother to tell anyone when the breach happened, which makes me wonder if the company is using the Gawker incident to provide cover for its own announcement):

2. What information was contained in McDonald’s customer database that was improperly accessed?

The information contained in the database is limited to your email address and potentially also your name, postal address, home or cell phone number, birth date, gender, and certain information about your promotional preferences or web information interests...

13. What should I do now that someone else has my information?

The information in the database alone would not allow someone to engage in identity theft.


Yeah, but combined with other databases that do include SSN or credit card info, name/address/birthdate/phone could be very useful indeed.
posted by mediareport at 4:05 PM on December 14, 2010 [1 favorite]


We don’t want to condone what we did as right

I'm not sure one usually even has the option of condoning one's own actions, grammatically speaking.
posted by cortex at 5:15 PM on December 14, 2010 [2 favorites]


Well, I don't know about you guys, but the spam has started - from zero items since setting up the account 3+ years ago, to five items by the time I got up this morning. And that's just what got past the spam filter into my inbox.
posted by Nice Guy Mike at 5:29 AM on December 15, 2010


I miss the days when Anon was honest about their amorality.
posted by Marisa Stole the Precious Thing at 5:36 AM on December 15, 2010


I haven't noticed any increased spam (although while browsing my spam folder I did locate the hint.io email that everyone else got - I'm actually pretty glad that gmail successfully identified it as spam).
posted by muddgirl at 7:06 AM on December 15, 2010


I'm not sure one usually even has the option of condoning one's own actions, grammatically speaking.

Of course you can. I condone my reprehensible behavior all the time.
posted by mrgrimm at 11:00 AM on December 15, 2010

