Gawker Password Theft a Wake-Up Call
Analysis: Underestimating your own vulnerability is a recipe for disaster.

Well, my holiday plans saw a new item move to the top of the to-do list. I found myself with the pleasant task of sweeping through my password collection, because I was lazy and Gawker Media was sloppy. It's a lesson for anyone whose livelihood depends on secure systems remaining that way. The big story was that over the weekend of Dec. 11-12, Gawker admitted in a post on its various sites (which include Deadspin, Fleshbot, Gizmodo, io9, Jalopnik, Jezebel, Kotaku and Lifehacker, as well as Gawker itself) that its central password database had been compromised. It seems that the Gawker IT organization had used the long-obsolete DES to encrypt the password store, had ignored at least a month's worth of warnings that something fishy was going on, and had let its production servers get about three years behind on kernel patches. In short, the company's IT crew had utterly failed at its job.
This would amount to dereliction of duty in any IT organization with pretenses to credibility. But since the editors of the main Gawker site have in effect dared anti-organizations such as Anonymous and 4chan to come after it, one has to compare the behavior of Gawker Media's editorial and IT staff to the kind of idiot who climbs into the lion pen at the zoo and is surprised by the extent of the resulting injuries. As of the afternoon of Dec. 13, the company seemed to be placing as much of the responsibility on those users who chose weak passwords (which included Gawker founder Nick Denton's "24682468," or "password," used by almost 2,000 accounts) as it did on its IT staff, who created the conditions that were so easily exploited.
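The two failures the article names, an obsolete DES-based password store and thousands of accounts sharing trivially guessable passwords, are both things a site operator can fix on its own side. The following Python is an added example written for this page, not Gawker's code or any library's reference implementation: it stores passwords with a per-user random salt and the memory-hard scrypt KDF from the standard library, verifies them with a constant-time comparison, and screens submitted passwords (at registration or login, the only time the operator sees the plaintext) against a small constructed blocklist that includes the two values the article mentions. The scrypt parameters, the 12-character minimum and the blocklist contents are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed blocklist: the two passwords named in the article plus a few
# generic ones. A real deployment would load a large breach-derived list.
WEAK_PASSWORDS = frozenset({"password", "24682468", "123456", "qwerty", "letmein"})

# Assumed scrypt cost parameters (16 MiB of memory per hash); tune to your servers.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_LEN = 16      # bytes of random salt per account
DK_LEN = 32        # derived key length in bytes
MIN_LENGTH = 12    # assumed minimum password length


def hash_password(password: str) -> str:
    """Return a self-describing "scrypt$N$r$p$salt$digest" record for storage.

    Unlike the traditional DES crypt(3) scheme, scrypt uses the whole password
    (no 8-character truncation), a 128-bit random salt, and a configurable,
    memory-hard work factor that makes offline guessing expensive.
    """
    salt = os.urandom(SALT_LEN)
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DK_LEN,
    )
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored parameters and compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
        n=int(n), r=int(r), p=int(p), dklen=len(bytes.fromhex(digest_hex)),
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def is_weak(password: str) -> bool:
    """Reject passwords that are too short or appear on the blocklist (case-insensitive)."""
    return len(password) < MIN_LENGTH or password.lower() in WEAK_PASSWORDS


def audit_submitted_passwords(submissions):
    """Count how many accounts chose each blocklisted password.

    `submissions` is an iterable of (account, plaintext) pairs as seen at
    registration or login time; the operator never needs to retain them.
    Returns a Counter keyed by the lowercased blocklisted password.
    """
    hits = Counter()
    for _account, plaintext in submissions:
        key = plaintext.lower()
        if key in WEAK_PASSWORDS:
            hits[key] += 1
    return hits


if __name__ == "__main__":
    # Constructed sample submissions for a quick demonstration.
    sample = [("nick", "24682468"), ("alice", "password"),
              ("bob", "Password"), ("carol", "a-long-unique-passphrase-42")]
    print("weak-password usage:", dict(audit_submitted_passwords(sample)))
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("verify correct:", verify_password("correct horse battery staple", record))
    print("verify wrong:  ", verify_password("correct horse battery stapler", record))
```

The stored record carries its own parameters, so the work factor can be raised later for new hashes without breaking verification of old ones; and because scrypt hashes the full input, two passwords that share their first eight characters produce unrelated hashes, which is exactly the property the DES crypt scheme lacked.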