A band of anonymous hackers has rooted the servers of Gawker Media – turning the tables on one of the internet's most ruthless gossip rags by leaking half a gigabyte's worth of its private laundry. Known as Gnosis, the band gave props to 4chan and last week's Operation Payback, which targeted PayPal, MasterCard, Visa, and other …
4chan immature babies
4chan would love to convince people they're on some kind of moral crusade. The reality is most of them are just a bunch of immature kiddies using any political / legal issue as a springboard to launch a DDOS attack. It's childish and utterly misguided.
For this kind of thing, you mostly mean /b/, and it's very rare that any /b/tards try to convince anyone about morals.
The exception is the problem with their "defence" of Wikileaks.
Things like attacking Gawker are normally for the lulz, or cats.
But there is no "4chan" per se.
It's just a collection of diverging special interest groups with the Times Man of The Year as figurehead. Not unlike a roving Circus Collective.
Pedobear icon replaced by Teh Paris.
"We're deeply embarrassed by this breach,”
You absolutely should be.
Just to let ya know. Anon didn't do this. I heard it's GCCC. Could be wrong though.
>Anon didn't do this.
[Sigh] Therein lies the problem with childish names and the semi-literate.
The headline said anonymous, small a. In conventional English that denotes an adjective: that the script kiddies who attacked the sites didn't report their names. It doesn't mean it as a group with the proper name of Anonymous, which in conventional English would have a capital to denote that that arrangement of letters is being used as a proper name, not as the adjective. Of course when the semi-literate are involved all this goes out of the window, confusion ensues, and silly people make themselves look foolish...
Gold Coast City Council? Darn, that's it. I'm not paying my rates next year
(Queensland Australia, South of Brisbane)
"The reality is most of them are just a bunch of immature kiddies "
Quite. And while in the past these sorts of kids would have limited their trouble-making to a fight in a school playground and ultimately been given a slap by their teacher or parents, they can now cause trouble to major organisations anonymously on the internet, backed up by nothing more than the typical teenage mix of self-righteousness, narcissism and naivety, with there being little chance of any punishment coming their way for it. By the time they've grown up enough to realise how foolish they've been, they'll have caused a huge overreaction by governments and corporations and will have precipitated a massive online crackdown leading to everyone's online freedom being curtailed.
Unfortunately the old saying that you can't put an old head on young shoulders has never been more appropriate. When I see what groups like Anonymous and the like are doing I just want to weep - they just don't see the ultimate consequences of their actions.
@you can't put an old head on young shoulders
Well, after a fashion. I did it once, it just didn't work. I got some fucking exponential peace and quiet afterwards though!
"And while in the past these sorts of kids would have limited their trouble-making to a fight in a school playground and ultimately been given a slap by their teacher or parents, they can now cause trouble to major organisations anonymously on the internet, backed up by nothing more than the typical teenage mix of self-righteousness, narcissism and naivety, with there being little chance of any punishment coming their way for it."
True. But the kids don't deserve all the blame for it.
The fact of the matter is, nearly all major organizations--certainly all the major organizations, and all the minor organizations, that I have worked for--barely even consider IT security.
Web programmers write awful code without even thinking about security issues, much less actively working toward writing secure code. Computer science graduates can make it through four years of secondary school and come out the other end with a degree without even once having been introduced to basic security ideas, much less having been deeply schooled in security. Programmers tend to look at you blankly when you discuss security issues.
You absolutely, positively would not BELIEVE some of the Web code I've seen and had to work on. It's the equivalent of securing a bank vault with a glass door that has nothing more than a cheap dollar-store padlock on the front, glued in place with Elmer's glue. (And not even the good yellow kind, I mean the cheap white stuff you use in primary school.)
Is it the fault of the kiddies attacking sites? You bet. But those sites are vulnerable because the folks who should know better, and who should know how to secure them, don't.
A cautionary tale..
“You would think a site that likes to mock people, such as gawker, would have better security and actually have a clue what they are doing,”
Perhaps a cautionary tale to all internet media?
I would not be impressed if my passwords were in their disclosure... why do sites store passwords anyway? Have they never heard of hashing? Obviously not.
Perhaps it is a case of the site being split into those who write and those who run the website, where one side is more experienced than the other. Of course El Reg would never act so lax as to operate a forum that was coded by monkeys... oh no, they would never run a database where the underlying procedure allowed you to, say, upvote your own posts, but operate a security-by-obscurity method of not displaying the buttons... url + /vote/up/ anyone?
Security knowledge <> practice.
> upvote your own posts
or, bearing in mind that the admins can surely see in the server system who has upvoted their own posts, perhaps they just like laughing at the people who are so sad and so devoid of a life that they would want to do so... Hiding the buttons is good manners because it saves you doing it without thinking.
Does the server not check that the post wasn't written by you? On the forum I'm making I hide the Delete and Edit links for posts that aren't yours purely out of UI/usability concerns, but even if you fiddle with the request URL in an attempt to edit someone else's posts or what have you, the server-side code will just tell you to get stuffed because you don't have permission.
They were hashed but poorly, only the first 8 characters were used and with access to the site's source code the crackers could easily do dictionary attacks on the very poor passwords chosen by the entire Gawker editorial staff. Also they generated a funny list of shame of the users who had "password" for their password.
Upvote your own posts
...who cares? I don't think it's a huge secret to tell you that the folk at El Reg don't pay too much attention to the up and down votes on a post. Removing the buttons was a convenience, probably designed to stop people whinging that "you can upvote your own post!" Why oh why is it remotely worth it to folks at El Reg to put the time and effort into making it “truly impossible” to upvote your own post?
Many of the people here are sysadmins. They control multiple IP addresses. They could sign up for many accounts, and use them to upvote/downvote troll if they wanted. You can’t go banning IPs or other such nonsense because many of us reader types do so from the same IP. As a random example, my household contains three El Reg readers, two of which are avid commenttards. My work has at least five readers. We all of us access El Reg from our mobiles…but our operator NATs anything on the mobile network. Potentially thousands of El Reg readers could appear to come from the same IP address through that route.
No, upvoting and downvoting simply don’t matter that much. Excepting of course to the weak of ego…
the server-side code will just tell you to get stuffed because you don't have permission.
No it doesn't, that's the point. It should, as you expect, but it doesn't.
Anyone worth their salt starts at the server, then does the interface. Unfortunately for this change the server was left as it was. That = poor practice.
Have you never heard of good practice? Shortcuts here and there mean all you get is a tangled mess. Taking shortcuts and not doing things properly is what makes for lazy, poor coders, and is what leads to vulnerabilities and exploits.
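As an added illustration of the point argued in the two posts above (the hidden Edit/Delete links, and the "url + /vote/up/" trick), here is a hypothetical forum backend in Python. It is example code written for this page, not El Reg's forum software: the post store, route patterns and user IDs are all invented. It contrasts an insecure upvote handler, whose only "protection" is that the UI did not render the button, with handlers that re-derive permission on the server from the session identity and the stored record, so a hand-crafted URL gets a 403 rather than a free vote.

```python
"""Server-side authorization for forum actions: hiding a button is not a check.

Hypothetical forum backend (not El Reg's code) with an in-memory post store and
a tiny URL dispatcher, so the "url + /vote/up/" trick can be tried against an
insecure handler and a secure one.
"""
import re
from dataclasses import dataclass, field


class Forbidden(Exception):
    """The authenticated user is not allowed to perform this action."""


@dataclass
class Post:
    post_id: int
    author_id: int
    body: str
    score: int = 0
    voters: set = field(default_factory=set)


@dataclass
class Forum:
    posts: dict = field(default_factory=dict)


# --- Insecure: the only "check" is that the UI did not render the button. ---
def upvote_insecure(forum, actor_id, post_id):
    post = forum.posts[post_id]
    post.score += 1          # the author can vote for themselves, repeatedly
    return post.score


# --- Secure: every handler decides from actor_id plus the stored record. ----
# actor_id comes from the authenticated session, never from the request itself.
def _get(forum, post_id):
    post = forum.posts.get(post_id)
    if post is None:
        raise KeyError(post_id)
    return post


def upvote(forum, actor_id, post_id):
    post = _get(forum, post_id)
    if post.author_id == actor_id:
        raise Forbidden("you may not vote on your own post")
    if actor_id in post.voters:
        raise Forbidden("you have already voted on this post")
    post.voters.add(actor_id)
    post.score += 1
    return post.score


def edit_post(forum, actor_id, post_id, body):
    post = _get(forum, post_id)
    if post.author_id != actor_id:
        raise Forbidden("only the author may edit a post")
    post.body = body
    return post


def delete_post(forum, actor_id, post_id, moderators=frozenset()):
    post = _get(forum, post_id)
    if post.author_id != actor_id and actor_id not in moderators:
        raise Forbidden("only the author or a moderator may delete a post")
    del forum.posts[post_id]


# --- Dispatcher: what a hand-crafted URL actually reaches. -------------------
ROUTES = [
    (re.compile(r"^/post/(\d+)/vote/up/?$"), "POST", upvote),
    (re.compile(r"^/post/(\d+)/edit/?$"), "POST", edit_post),
    (re.compile(r"^/post/(\d+)/delete/?$"), "POST", delete_post),
]


def handle_request(forum, session_user_id, method, path, form=None):
    """Return (HTTP status, payload) for a request by the logged-in user."""
    form = form or {}
    for pattern, verb, handler in ROUTES:
        m = pattern.match(path)
        if not m:
            continue
        if method != verb:
            return 405, "method not allowed"
        post_id = int(m.group(1))
        try:
            if handler is edit_post:
                if "body" not in form:
                    return 400, "missing body"
                result = handler(forum, session_user_id, post_id, form["body"])
            else:
                result = handler(forum, session_user_id, post_id)
        except KeyError:
            return 404, "no such post"
        except Forbidden as exc:
            return 403, str(exc)
        return 200, result
    return 404, "no such route"


def make_forum():
    """Constructed sample data: one post by user 1."""
    forum = Forum()
    forum.posts[42] = Post(42, author_id=1, body="original text")
    return forum


if __name__ == "__main__":
    forum = make_forum()
    # User 1 (the author) never sees an upvote button but types the URL anyway.
    print(upvote_insecure(forum, 1, 42))
    print(handle_request(forum, 1, "POST", "/post/42/vote/up"))
    print(handle_request(forum, 2, "POST", "/post/42/vote/up"))
    print(handle_request(forum, 2, "POST", "/post/42/edit", {"body": "defaced"}))
```

The point is that the UI and the server are independent: the dispatcher never consults what was rendered, only who the session belongs to and what the record says, so hiding controls remains a usability nicety rather than the access control.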
Who cares if you care?
I have had the chance to exchange a few e-mails with one of the web guys, (and his predecessor.) He is a really nice guy. There may (?) be a second coder that pokes about from time to time. That’s about it. I would rather they focus on actual security issues - like password protection - than pointless ego crap like "upvoting your own posts." The man has a feature request list as long as a city block. I say let him worry about securing things that can actually lead to data compromise and information loss, as well as implementing new features.
I don’t care if the code is “pure.” I care that it works, that El Reg remains a great place to comment, with interesting things to read and that my e-mail doesn’t leak out to spammers.
That said, all professionals take pride in their work. I am sure if you actually took your suggestion for how to improve the code, put it into an e-mail and sent it to email@example.com, El Reg’s very small web team would deal with it as quickly as they can. Let the web team know – as a suggestion rather than a complaint – that they overlooked something and they will probably be quite happy to fix it.
Assuming of course that such fixes are within the realm of possibility. (You should hear my roommate rant on that subject!) Tell a sysadmin for a small business they need an HP server-room-in-a-sea-can in order to run their network “properly” and they will probably tell you to jump in a lake. Tell a doctor in a small African town that you need a fully equipped hospital to set a bone “properly” and they will also tell you to go jump in a lake.
Give a suggestion "here is a small change you could make that would not cost you much time, or is a better use of the resources you already have" and you will receive a much better response. In this case, I see that allowing you to upvote yourself can be annoying to some people who really, really care about their upvote/downvote ratios. The types who lie awake at night wondering how much the internet hates or loves them. Perhaps it was even left in for a larf... I don't know the answer to that and neither do you.
To extend the fact that a feature exists in a manner you personally disapprove of all the way to "well he's obviously a shitty programmer, his code is impure and the entire website is probably riddled with bugs" is one hell of a leap of logic. Quite the opposite: I think that rather than castigation for a PERCEIVED (but quite possibly not ACTUAL) hole in the coding, we should be thanking these individuals for putting in the hard work that gives us the website we all enjoy.
We might even – were we both concerned with bugs on this site and remotely decent human beings – try something like rallying El Reg’s enormous and technical reader base to do a bug hunt. If you really care about the security and “purity” of the website code that much, then convince the powers that be around here to post an article calling for a complete external security review of the site, with all information being sent in to El Reg. That would – I have no doubts whatsoever – produce a fairly comprehensive list of all the things that the very human programmers have missed.
From El Reg's kind and generous Interblag Guru:
> Being (un)able vote on your own posts should now be fixed.
> The multitude of other, more important things ... I'm still working on ;)
Hope that keeps folk happy and merry Christmas to all!
Terrible Password equals Terrible Consequences
Wow that password was certainly a joke.
To be used more than once?!
Even an idiot like me could do some small scale luring trolling damage. What say the odds of getting Him to use his same 10 character passcode on a website set to stock and honeypot up a fool. I know the mentality, probably has a black book with 3 to 10 or so "MAIN" passwords used everywhere for everything. email, ftp, cPanel, pgp, IRC.
I wonder what keepass is?
Et tu, Brute?
I assume that El Reg is conducting a password review as we speak?
So do I root for the spider or
BOOBIES (it said I needed a title, Sarah, that's what you get for demanding!)
Anyone want to bet that its his PIN code repeated twice?
Take a look at your numeric keypad if you have one
Or your phone, or any other numeric keypad. You'll see why he chose that password.
..how you open his house then...
how should one manage passwords then?
Interested to see what people's systems for managing passwords are...
I am very lazy, and have a handful of passwords in my head that I use regularly for different sites, low level ones for less important sites with crappy data and complex ones for banking..
However, I feel like I should be more rigorous, and my system is a mess due to the amount of variation between sites having differing rules on passwords.
Who are you talking about?
In this case the term "miscreants" is applicable to both hackers and hacked.
Personally, I use a single low-security password, a separate password for my TrueCrypted folders and a nice password file in that for the rather large variety of passwords I use for the higher-security things. No fancy software, just a ridiculously highly encrypted plaintext file with padding.
If someone manages to gain access to the TrueCrypt folder, they'd have access to all my passwords and the usernames for the websites I use are mostly fairly easy to guess (The banking site being the exception to the rule, I keep that username as hardcopy but it isn't stored digitally by me).
So I'm quite well secured against compromises of various websites.
My account was breached
I received an email from the hackers letting me know it had happened and that until then Gawker hadn't revealed the hack to anyone. I guess the cat's out of the bag now. Can't stand Gawker anyway, considering they own that rag Kotaku.
...The email wasn't from the hackers; it was from a third party that grabbed the file and decided to send the warnings since gawker wouldn't.
In other news, has any major web site -ever- taunted 4chan and gotten away with it? What kind of utter nitwit do you have to be to -dare- 4chan to come after you?!
What kind of nit-wit?
Web 2.0 Fail
More web 2.0 lame security! SSL please and MD5 hashing. Secure your server as well.
MD5 has a flaw in the design. It's broken you shouldn't be using it.
So, if you're going to bang on about security, do your research. Any site that proclaims its use of MD5 as the hashing algorithm may as well have used crypt().
We aren't having the final round of SHA-3 just for fun you know.
"The 486 MB file claimed that 1.5 million passwords were protected with DES, or Data Encryption Standard, a feeble enough hashing algorithm that the attackers were able to recover the first eight characters of the corresponding password."
Anyone using anything DES related is an idiot and deserves to be 0wn3d pretty hard. DES has been rumored to be insecure since its inception, and fully proven to be insecure with Deep Crack. Yet some people insist on encrypting 'harmless' stuff like passwords and config files with DES, and this is excellent proof on why this is bad.
Hell, I'm even distrustful of 3DES, the "secure" version of DES. I expect it to be as easily cracked, and it has probably been already cracked as well. Want secure? AES128 at a minimum, AES256 preferred.
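The quoted article line and the earlier post about the hashes ("only the first 8 characters were used", dictionary attacks on poor passwords, the list of shame) describe a concrete failure mode, so here is an added Python example that shows it end to end. This is illustration code written for this page, not Gawker's code and not an implementation of DES: `legacy_hash` is a stand-in that reproduces only the two properties the thread names (a two-character salt, and use of the first eight characters of the password, computed quickly), and `modern_hash` is the standard-library PBKDF2-HMAC alternative with a random 16-byte salt and a configurable work factor. The leaked records and the wordlist are constructed for the example.

```python
"""Truncating, fast password hashing versus a salted, slow KDF.

legacy_hash is a stand-in for traditional DES crypt(3) behaviour (2-char salt,
first 8 characters only, fast). It is NOT DES; it exists to show what the
truncation and speed give an attacker holding the hash file.
"""
import hashlib
import hmac
import os

SALT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def legacy_hash(password, salt):
    """Stand-in for crypt(3): 2-char salt, only password[:8] is significant."""
    assert len(salt) == 2 and all(c in SALT_ALPHABET for c in salt)
    digest = hashlib.sha1((salt + password[:8]).encode()).hexdigest()
    return salt + digest[:11]          # 13-character field, like crypt(3)


def modern_hash(password, salt=None, iterations=200_000):
    """PBKDF2-HMAC-SHA256: random 16-byte salt, whole password, tunable cost."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_modern(password, stored):
    """Recompute with the stored salt and cost; compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


# Constructed "leaked" records in crypt(3) style: (username, salt+hash).
LEAKED = [
    ("editor1", legacy_hash("password", "ab")),
    ("editor2", legacy_hash("gawker12", "xy")),
    ("editor3", legacy_hash("password1234", "ab")),   # same first 8 chars as editor1
    ("editor4", legacy_hash("Tr0ub4dor&3", "qz")),     # not in the wordlist
]

# Constructed wordlist; a real attack would use a far larger one.
WORDLIST = ["123456", "password", "gawker", "gawker12", "letmein", "qwerty", "kotaku"]


def duplicate_hashes(leaked):
    """Identical salt+hash means identical (first 8 chars of) password, no cracking needed."""
    seen = {}
    for user, stored in leaked:
        seen.setdefault(stored, []).append(user)
    return [users for users in seen.values() if len(users) > 1]


def crack_legacy(leaked, wordlist):
    """Dictionary attack: hash each candidate with the record's own salt."""
    found = {}
    for user, stored in leaked:
        salt = stored[:2]
        for word in wordlist:
            if legacy_hash(word, salt) == stored:
                found[user] = word       # only the first 8 chars are recovered
                break
    return found


def list_of_shame(cracked, bad=("password", "123456", "qwerty")):
    """Users whose recovered password is on the short list of jokes."""
    return sorted(u for u, pw in cracked.items() if pw in bad)


if __name__ == "__main__":
    print(duplicate_hashes(LEAKED))
    cracked = crack_legacy(LEAKED, WORDLIST)
    print(cracked)
    print(list_of_shame(cracked))
    stored = modern_hash("password1234")
    print(verify_modern("password1234", stored), verify_modern("password", stored))
```

Two things fall out of running it: `editor3` chose a twelve-character password but is recovered as "password", because anything past the eighth character never reached the hash; and `editor1` and `editor3` are identifiable as sharing a password before any cracking starts, because the salt space is tiny and the truncated inputs coincide. The PBKDF2 variant uses the whole password, a per-user random salt, and a cost parameter the site can raise as hardware gets faster.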
Just because you can...
...doesn't mean you should.
"Anyone using anything DES related is an idiot and deserves to be 0wn3d pretty hard"
So, you have a moral obligation to break into things that are easy to break into?
You might want to have a word with your MP about the Theft Acts. I'm pretty sure they've been labouring under the crazy idea that people shouldn't be breaking and entering.
Oh, and check your door and window locks are strong, in case there are any burglars out there with the same moral code as you. After all we should be patting them on the back rather than locking them up.
Come to think of it, it's quite easy to avoid paying on public transport - be sure not to buy anymore tickets.
Oh and of course, babies are often left in control of candy, weak security if I ever saw it, you might want to swipe that as well.
If some arsehole really wants to get in your house, then they are getting into your house. There is absolutely nothing you can do about a sledgehammer and enough determined effort.
However, if you have decent hashing algorithms you can actually do something about even the most determined of invaders. Short of physically breaking into the server room, that is.
The analogies between burglars and hackers are as piss poor as the ones between computers and cars, or access points and houses. Personally I'd rather a white hat send me a polite email warning showing me where and how I'm at risk, than wait for the black hats to take advantage of a weakness that I didn't know was there.