back to article Gawker tech boss admits site security was crap

Gawker Media plans to overhaul its web infrastructure and require employees to use two-factor authentication when accessing sensitive documents stored online, following an embarrassing attack that completely rooted the publisher's servers. The publisher of Gawker, Gizmodo, and seven other popular websites also plans to, gasp, …

COMMENTS

This topic is closed for new posts.
  1. raving angry loony

    honesty?

    They can't be a very large business with honesty like that. Kudos for owning up to being crap. Brickbats for being crap in the first place.

  2. Lars Silver badge
    Happy

    Good

    In my experience, as a systems analyst and programmer, it is always better to tell a customer "sorry this was my fault" in stead of blaming the OS or the programming language or the hardware or anything else. Works better that way, very well in fact, but in order to stay employed your boss has to understand that too. And it hurts sometimes, and it works only if you know the problem can be fixed. (soon)

  3. Anonymous Coward
    Anonymous Coward

    Management and security woes

    We did a bunch of development work for two major universities in the UK. We were told that they just wanted the system to work, but didn't have the commitment to make any effort to invest in any security. We pushed back as hard as hell, they overruled us. Very strongly in fact!

    There's two universities (at least) out there in the UK who's core systems are completely open to the most basic injection attacks, which would expose a lot of confidential data. I'm afraid I blame short-term thinking and a basic lack of managerial understanding for this. I cannot believe how hard we tried to tell them what the risks were, and how patronising and over-ruling they were in response. We were 'banned' from putting in any kind of security measures!

    Does anyone else in IT recognise this? Third party managers with little or no understanding of the situation, arrogantly defending a position with little or no understanding of the repercussions?

    1. Bristol Dave
      Flame

      Yes

      But then who gets the blame when it all goes wrong? Even if you point out that they were warned at the time, it's considered irrelevant.

    2. MikeSM
      FAIL

      show me the money

      You (or your company) seem to be just as culpable for failing to walk away from a contract that opens you up to major liability.

      1. Anonymous Coward
        Anonymous Coward

        Mike

        Mike, that's nonsense. You cannot force an employer to take your concerns with the seriousness they deserve, you can only strongly and professionally advise them. If they choose to ignore you, that's their mistake.

    3. breakfast
      WTF?

      But...

      Surely mitigating potential SQL injections is a basic behind the scenes task on the part of developers- surely it's our job to make sure we're only ever using paramterised queries and never trusting any user data to be sane? Unless they were mandating urls with complete SQL queries in them, how is this a problem for a developer?

    4. Spartacus
      Grenade

      security woes

      Thats what wikileaks is for, Publish the correspondance.

      anyhoo a job that is not done properly is not worth doing. If you are asked to build a house you should always start with the foundations, you do not just build a house on the bare ground. I have to say its your fail, for just doing "what you are told" not what everyone (including those people whose data is at risk) expects of you. If you are going to do systems work do it properly.

  4. Dennis Wilson
    FAIL

    Crap.

    I would have blamed the pope

  5. Ian McNee
    FAIL

    They *weren't* using SSL??

    OK...I need help people...my jaw dropped so far that it's locked open and if it weren't the middle of winter with four inches of snow on the ground I'd be in danger of swallowing flies. Someone get round here with a crow-bar or something.

    However it is nice to have one's prejudices about the technical illiteracy of these worthless web2.0rhea w@nkers confirmed :-)

  6. smeddy
    Thumb Down

    Still not happy

    Screw them still, I hate the fact my details are out there because of them.

    1. Anonymous Coward
      Grenade

      Yes, that's terrible

      BTW, how's that rash?

  7. David Francis
    FAIL

    too late

    Another case of bolting the stable door after the horse has already bolted.

  8. Jacqui

    minimal cost development

    Companies focus upon the end result which is functionality, look and feel etc.

    Security and stability only become issues *after* the fact. This is how lots of web businesses operate.

    And from performance reviews of existing (current) live web apps, they are not the only company in this position - or worse.

    Jacqui

  9. Elmer Phud Silver badge
    Thumb Up

    Blue moon?

    "Nothing short of a full site rewrite is going to keep Gawker online at this point,"

    Refreshing to see a refusal to blame everyone else.

  10. Doug Glass
    Go

    It's ALL Crap!

    Given the proliferation of breeches in security, it's all just smoke and mirrors trying to make the common user FEEL secure.

    1. Ru
      Boffin

      Re: It's ALL Crap

      Just because breeches are nowadays considered antique trouser technology, the basic manufacturing principles have not greatly changed and indeed many modern trousers may not be as secure as some designs of breeches.

  11. Vincent Ballard
    WTF?

    DES isn't a hash

    DES isn't a hashing algorithm. If they were using it to protect passwords, then that's an even worse idea than using MD5.

    1. Daniel B.
      Boffin

      Hash-ish

      DES is an encryption algorithm indeed... crackable by 5 year old kids using 10 year old hardware. Yet you would be terrified to know how many organizations use it to "secure" passwords and such sensitive things.

      Then there's that stupid idea called 3DES, which seems to be the cheap VPN standard, and is also used in some SSL connections. I keep myself away from anything bearing the "DES" name.

      Now that I think about it, DES is probably as "secure" as a bad hashing algorithm...

  12. hitmouse
    FAIL

    It's the syndrome, stupid

    They've had shitty login code for a long time as well. Of course complaining about it through official channels make no difference when the retarded foxes are minding the coop.

    How many companies have management unaware of how crap their sites are and how difficult it is for customers to tell them so?

  13. Anonymous Coward
    Anonymous Coward

    It's easy to blame the programmers...

    but how much did they pay for the website in the first place?

    Was there any budget for security enhancement, or security requirement, in this project?

    I mean, What you Pay Is What You Get (WYPIWYG).

    1. Doug Glass
      Go

      So?

      Doing the wrong thing is excusable just so long as it was cheap?

      1. Anonymous Coward
        Flame

        YES IT IS RIGHT, IF YOU GET A DIRECT ORDER.

        In most companies management is a bunch of ignorants when it comes to security and quality. I could tell examples of a major stock exchange, a financial transaction (retail) software company and all of you can monitor what kind of security show Adobe and Microsoft are.

        If I am making management aware of a security risk and I am being told to ignore it, the blame lays fully with management.

        Maybe somebody can try to own one of the largest derivatives exchanges ? It's just a matter of exploiting Firefox 3.0 (yes !!) or using some old Flash exploits or some old Java Webstart Exploits. All Desktop machines are WIDE OPEN.

        Before we don't see a major business crash and burn because of crappy security, there will be done exactly nothing to improve the situation. A major CEO needs to be fired very publicly because of neglecting IT security. Before this doesn't happen, nothing is going to change.

        All the pointy-haireds always consider asking lawyers for guidance, but an IT security professional is only a smelly, long-haired underling to be ignored.

    2. Mike Richards Silver badge

      What you Pay Is What You Get (WYPIWYG)

      Unless you're in government when you pay several hundred times more than what you get.

  14. Eddy Ito Silver badge
    Flame

    So?

    Am I the only person who uses throwaway addresses with nothing behind them when signing on the sites that I'm not absolutely certain about doing business with? Sure, this one "got" me but all I did was walk away from another free webmail account with no links to my "inner me". Oh no, now a bunch of gawker crackers know my middle name thinking it's my first and that my favorite color on that account was medium rare neoprene. Yeah, good luck with that guys. Perhaps it's time for a university course titled, "iCYA, tell the web data scrapers to kiss your arse".

  15. Rogerborg
    IT Angle

    What the huffing fell is Gawker, and why would I care?

    Did some webtards get pwnd? Are they crying an iRiver? Does it effect anybody who's not a total hipster spanner? No, thought not.

    1. hitmouse
      WTF?

      Really

      I'm amazed that you're in that select crowd of Daily Telegraph readers who can comment on something they know nothing about, taking more time to do so than looking up the references.

  16. Anonymous Coward
    Thumb Down

    ...and this is the fault of the company hiring you?

    "We did a bunch of development work for two major universities in the UK. We were told that they just wanted the system to work, but didn't have the commitment to make any effort to invest in any security. We pushed back as hard as hell, they overruled us. Very strongly in fact!"

    Couldn't you have just written it properly in the first place?

    "There's two universities (at least) out there in the UK who's core systems are completely open to the most basic injection attacks, which would expose a lot of confidential data."

    You make it sound like you knew about these but chose to leave them in during development. If you know your code sucks this much, maybe you shouldn't be writing software.

    Anonymous because this post is quite insulting.

    1. Evan Essence
      Thumb Up

      Quite so

      Writing in a secure way should be the norm, not something to bolt on later.

    2. Ru
      Troll

      It might well be their fault

      In the interests of integrating with existing systems, many utterly retarded compromises may have to be made. As a contrived example; if you're being paid to build a service which accepts SQL queries over an unauthenticated, unencrypted HTTP connection, your avenues of sensible implementation are limited.

      Although its a safe assumption that every coder other than yourself is an unprincipled incompetent cowboy (and indeed experience often bears this out) it isn't always the case.

      And to those saying 'walk away'; we all have bills to pay. If you've clearly stated in writing that the system will be broken as specified, you may as well finish the job. You can always pad the costs to include arse-covering legal advice.

  17. Anonymous Coward
    Gates Halo

    if the site ran on Windows Server...

    ...everyone would be blaming Microsoft.

    1. kissingthecarpet
      WTF?

      Not if it was *still*

      written in clearly insecure PHP. And as everyone knows PHP is TRWTF, unless its VB6

  18. RJ
    Go

    Personally...

    ...I hope this ruins them and bankrupts them after they are unable to get the subscriber base back and advertising revenue falls through the floor.

    Nothing personal, I don't use any of their sites and don't really care much about them in particular but hopefully if they crash and burn other companies will take note and actually spend some cash on their security and infrastructure which leaders to a generally stronger website ecosystem.

    To Paraphrase Sir Humphry. The principles of good business sometime requires a human/company sacrifice.

  19. TeeCee Gold badge
    Happy

    Or, put another way:

    "We're shit and we know we are

    we're shit and we know we are

    we're shit and we know we are

    we're shit and we know we are"

    <Repeat ad nauseum>

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019