Gawker Source Code and Databases Compromised
An anonymous reader writes "Passwords and personal data for 1.3 million Gawker Media readers — this includes readers of sites like Gizmodo, Lifehacker, Kotaku, and io9 — have been released as a BitTorrent by a group of hackers called Gnosis, who also managed to gain access to both the Gawker CMS and Gizmodo's Twitter account. Gawker confirms and urges readers to change their passwords: 'Our user databases do indeed appear to have been compromised. The passwords were encrypted. But simple ones may be vulnerable to a brute-force attack. You should change the password on Gawker (GED/commenting system) and on any other sites on which you've used the same passwords. Out of an abundance of caution, you should also change your company email password and any passwords that may have appeared in your email messages. We're deeply embarrassed by this breach. We should not be in the position of relying on the goodwill of the hackers who identified the weakness in our systems.'"
So much for offloading infrastructure outside. (Score:4, Insightful)
Perhaps this should give them a lesson about going overkill on the whole "outsourcing" thing.
Re: (Score:3, Insightful)
I can tell you for certain that some companies that are Outsourced do not follow the same security standards that we do. Even if they say they do.
Bad part? These companies have access to our finances and/or medical records. Outsourcing tech jobs to India was bad enough; think about outsourcing to communist-run countries... where they don't give a shit about privacy.
Re: (Score:2, Insightful)
Not entirely sure why communism means privacy is ignored. America seems fairly hell bent on removing the expectation of privacy itself.
Re:So much for offloading infrastructure outside. (Score:5, Insightful)
I'm vaguely surprised that companies aren't held legally liable if their outsourcing companies don't adhere to certain security standards. It shouldn't be any different whether a company you outsource to in India or a division of your company in Idaho leaves your clients' information unsecured.
Re: (Score:2)
Communist-run countries usually aren't bursting at the seams with (semi-)skilled consultants looking for outsourced work.
The real issue is that when you're paying someone a tiny fraction of the North American rate for a piece of work, the data becomes the more valuable part of the equation. In some cases it can be very attractive to sell that data to a 3rd party for what we might consider peanuts, but might represent a month's salary to someone else.
Goodwill? (Score:4, Insightful)
I appreciate taking this sort of thing with good nature, but that might be a bit generous. Goodwill stopped at the "released a torrent of all the users passwords and personal data". Now my email address is going to get spammed . . . .
Further Lessons (Score:5, Insightful)
I'm not even sure why they require email addresses. Reddit is one of the few sites I've seen get it right. They don't require an email address to register, but warn you that if you don't include one there is no way to recover the password for the account.
Re:Throwaway Email (Score:2)
Hmm. I've done okay so far with tiered emails, because lots of sites are hooked on the whole "sign in" thing. As for "not sure why they require email addresses", if you put on your techie hat, content they show to a logged in user gets marked with a different profile than a Noel Coward. Hulu is a lead example of this, hiding some "mature" shows behind the login wall. They also tweak the ad spread with it.
I'm dreading having to use a password manager to manage my 3-off visits all over the web.
Re: (Score:2)
I can't see a good reason to give out your
Re: (Score:2)
Worst of all, you need to sign in to Youtube now to tweak your resolution settings. Why is this a big deal? Because nowadays, by default, if you switch to full-screen mode Youtube reloads the video in a higher resolution, which is a big fucking problem if you don't have a blazing fast, uncapped connection. In fact I'd say this behavior could only be considered acceptable if you have a true-unlimited fiber connection. If you're unlucky enough to live somewhere with bandwidth even poorer than North America, i
Re: (Score:2)
I've recovered my password probably 5 times now. I'd have had to remake the account 5 times.
Re:Throwaway Email (Score:4, Insightful)
You don't even need to register a throwaway address for Hulu or sites like it. Enter bugmenot [bugmenot.com], savior of the net.
Bugmenot unfortunately lost their courage a few years ago when they changed the way they function. I suspect they were threatened by a lawsuit. Now, any domain or site owner can request that bugmenot exclude their site from participating, and I've found that so many of the popular ones do that it's lost all practical value for me.
I now use mailinator for all my throwaway registrations, then if I care in the least I change the password just in case someone else reads from the same random email name that I did. I usually don't. For more "durable" sites where I'm likely to participate over a longer time, I'll create a unique sneakemail [sneakemail.com] address and keep them around forever. When something like the Gizmodo breach happens I simply flag them as spam, and they plonk all the email from them for me. I've had to do that a couple of times now. I find their service is well worth the $24/year.
Re:Throwaway Email (Score:4, Interesting)
I now use mailinator for all my throwaway registrations, then if I care in the least I change the password just in case someone else reads from the same random email name that I did.
I put common e-mails @mailinator into the "forgot password" field when i need a login.
It works more often than not.
Re: (Score:2)
...except when they receive a takedown notice.
Re: (Score:2)
I'm dreading having to use a password manager to manage my 3-off visits all over the web.
If you use throw-away email addresses that are derived from the site's address then you can use the same password at all sites and all you have to remember is the algorithm that converts the site's address into the throw-away email address.
Throwaway Passwords (Score:2)
I just use different passwords everywhere, and track 'em in a database here. Most sites let you stay logged in, plus the browser remembers a lot of them, so it's really very little trouble. And the benefit - that a hack on one site doesn't compromise any other... that's worth a lot. Especially if you're doing *any* financial stuff on the net.
As for Gawker, I went and changed my password, but if they're using the same cheezy crypt routine, I dunno how much it's going to help. Any day now, someone might post
Re: (Score:2)
I just use different passwords everywhere, and track 'em in a database here. Most sites let you stay logged in, plus the browser remembers a lot of them, so it's really very little trouble. And the benefit - that a hack on one site doesn't compromise any other... that's worth a lot. Especially if you're doing *any* financial stuff on the net.
I used to do the same thing. I combined it with "tiered" passwords, i.e. a financial password, a super strong password, a medium level password, and a throwaway that my friends and family know. For other sites, I basically lived by the "Password Reset" feature and the browser's password manager.
Then I started listening to Security Now, and Steve Gibson just kept going on and on about how awesome LastPass [lastpass.com] is, so after hearing it for a few weeks I decided to check it out. I fiddled with it for a few hours a
Re:Further Lessons (Score:4, Interesting)
One benefit of having a domain is having "forward all" for %.com@domain.com. That way you can see which sites got compromised or which accounts got onsold. They can be easily blocked too.
Still, I do prefer using throwaway email accounts, or not signing up if the content is readily available without registering.
Re: (Score:3)
Yahoo has got a fairly nice feature where you get up to 500 mail aliases. That way you know exactly what site is selling your address and as a bonus you can have it autosort to folders. On top of that, you have the best unsubscription method possible, you simply delete the alias and all their mail will bounce. It probably doesn't hurt to send a "fuck you too" email with the alias saying you know what they did either. I really wish I had discovered it sooner, because my personal address was already a bit spa
Re: (Score:2)
Re:Further Lessons (Score:4, Funny)
Actually, this makes me think this "Gnosis" group might have done us a favor by releasing the names of Gawker readers.
If aliens should attack the Earth looking to harvest DNA, we now have a list of people that won't be missed.
Re: (Score:2)
These assholes wanted to hack a site and used a paper thin excuse to do it.
Maybe, but that doesn't take away from the fact that they have arrived as a politically influential group. I find that kind of interesting, regardless of whether I agree with them or not.
Re: (Score:2)
Not sure why anyone would register with any of the Gawker sites
Sometimes I get tired of the rampant optimism on slashdot.
Re: (Score:2)
Now my email address is going to get spammed . . . .
"Now"?
Re:Goodwill? (Score:5, Insightful)
He's not calling what the hackers did 'goodwill', he's saying they shouldn't allow a situation to come about where the goodwill (or lack thereof) is the difference between an e-mail advising of the vulnerability and... well... this. In other words he's taking responsibility for the vulnerability in their systems instead of trying to say that it's all the evil hackers fault for exploiting it. A refreshing change from the usual response to this kind of thing.
Re:Goodwill? (Score:4, Interesting)
Re: (Score:2)
Gawker had at least one vulnerability that they did not know about. One or more black hats found that vulnerability, and exploited it.
I wouldn't exclude the possibility of someone working for them giving away passwords or being responsible him-/herself for the breach. It happens more often than people might think.
Re: (Score:2)
Not just that, but they were claiming they hadn't been hacked pretty much up until the release of the lists of passwords. They were relying on the goodwill of the hackers to be able to pretend their site hadn't been hacked and their users' details were secure when it had and they weren't.
use VERP, at least for curiosity's sake (Score:2)
I use VERP on most of the forced registration systems. Unless the spammers strip VERP stuff out, I'll know exactly which spammers got my address from Gawker's network. Not that it'll do much good except satisfy some curiosity...
The other side effect is that your account is a little harder to break into, in cases where the login ID is an email address. Obviously not the case here (username works fine too.)
What should be awesome: we'll get to see how many Gawker commentators are astroturfing. That shou
Re: (Score:2)
Yes. It's a good thing that no e-mail address has been spammed before this happened. And a tragedy that our perfectly shiny inboxes will be lost forever to these hackers.
Someone forgot to log out of the CMS... (Score:5, Funny)
Good thing I don't use those services... (Score:4, Funny)
The torrent file... (Score:5, Informative)
Re:The torrent file... (Score:5, Informative)
Someone uploaded the database to Google's Fusiontable's for you to search for your info against:
http://www.google.com/fusiontables/DataSource?dsrcid=350662 [google.com]
Instructions for use:
1. Get the MD5 of your email address (lowercase)
- Online: http://pajhome.org.uk/crypt/md5/ [pajhome.org.uk]
- Shell: $ echo -n mylowercase@email.com|md5sum
2. Search for the hash (via Show Options)
3. Change your password
By the way, for Mac users like me that command won't work. Try md5 -r instead of md5sum.
Re: (Score:2)
For the love of $deity folks, mod this up.
(Just checked, luckily not on the list)
Re:The torrent file... (Score:5, Insightful)
So I can check if my address and password were included so I know whether to go round changing them everywhere...
Re: (Score:3)
So they would include all username/password except yours?
I, for one, do not know whether I have ever registered at a gawker media site. I occasionally read some of them, and may have been tempted to comment at some point; I believe registration is mandatory before commenting so would have registered at that point in time. My guess is there's about a 20% chance this happened. If I did, I should find out so that I can change my password. I can't use the "forgotten username" interface at their site to try
Re: (Score:2)
Re: (Score:2)
Now what legitimate use is there in linking to that?
Forensics, for one. Without necessarily looking at the individual data, you can still infer a fair amount concerning the scope and nature of the attack by what data was compromised. Likewise, the kind of data being released tells you something about the attackers' motives. And if they were careless, date information and other metadata might also prove useful.
And all of this without necessarily looking at a single password.
Re: (Score:2)
Re: (Score:2)
Which is kind of useless, because Gawker isn't a super-important website that people should put a really strong password on. Sure you'll find like 90% of the passwords are guessable because it's not a site that really matters if it's compromised. Perha
Re: (Score:2)
To study how random people choose their passwords
Yeah, but does it really matter anymore? I mean, my password of X#ss09@$xxpp-ass93mces!!@!! would be no more secure than my password of 12345 if it becomes easier to just see everyone's password rather than trying to guess.
The days of the username/password are coming to a close, and it looks like it might happen sooner than desired.
Re: (Score:2)
Re:The torrent file... (Score:5, Insightful)
Gawker honestly shouldn't even store the emails. If someone loses a password they can just make a new account. I don't want to sound mean, but if you can't be a good example you might as well serve as a horrible warning.
Re: (Score:2)
Yes, you have found the perfect solution: Never get your e-mail compromised by never using your e-mail! Also perhaps you don't value your account, but many people do value their account information & history they've built up with a site.
If you don't want to provide your e-mail, no one is putting a gun to your head telling you to share your e-mail. Also your e-mail alone is not a security risk. I hope those passwords were salted though...
Re: (Score:3)
Regardless of which site is compromised, two reasons why having your e-mail address harvested is bad news:
Re: (Score:2)
If Gawker, Slashdot or any other online sites that "require" a login account really valued your privacy they would maintain hashes of both your email and password.
Then, when you wanted to authenticate, they would only compare the hashed results of the data you provided with their stored hashes.
If you wanted to recover your password, they would ask for your email and *IFF* the email you entered was found in the registries, then they would send a "password reset" page to the email you enter.
Of course, you real
Re: (Score:2)
when you provide it to third parties who may become compromised.
Which is why I'm comfortable using Google for everything. At least they're rich and huge, if something terrible happens to my life because they get hacked, as an American citizen, I have a right to sue the shit out of them along with a ton of other people.
Re: (Score:3, Interesting)
It's a pretty good textbook example of how NOT to secure a website (not to mention a major one). I checked out the README, and it's rather embarrassing. Trivial leetspeak for root passwords, publicly accessible MySQL servers, stuff running Linux 2.6.18 compiled back in 2007 (there have been multiple local root exploits since then), ridiculously insecure passwords for admin accounts, people using the same password everywhere... They also appear to be using ancient DES crypt() for their website user passwords
Re: (Score:3)
stuff running Linux 2.6.18
To be fair, those are RHEL 5 servers, which are going to be supported for several more years. Red Hat backports security fixes, so their 2.6.18 is far from vanilla 2.6.18.
Why 2.6.18? For one thing, it was a long term stable (like 2.6.27 and 2.6.32), and RHEL is supported for (I believe) 7 years.
More, 2.6.18 is required for Xen, which many versions of RHEL come bundled with. (A couple of the gawker "servers" are really virtual machines running under xen). If you want near-instant failover capabilities, x
What's wrong with you? (Score:2)
Don't you support transparency? Don't you support wikileaks? Information was made to be free. When will you stop supporting MPAA and RIAA and join the forces of openness and freedom on the internet!
Hyperbole? A bit, but only a bit.
Re: (Score:2)
Re: (Score:2)
I've lost track of my passwords... (Score:2)
I used to have one password for all. Yeah, great idea huh. Then it became, 1 password for the important stuff, and 1 for the throwaways. Later on it was 1 for the really useless crap that I wouldn't care if they got hacked, 1 for the semi-important stuff, 1 for things I want to have secured, and 2 more levels, the last one being for "e-mails and personal profile use" (i.e. Facebook, oh nooo!).
So now I have 5 passwords (well, plus a few single-site ones for e.g. my bank), but I use them inconsistently. Slash
Re:I've lost track of my passwords... (Score:4, Interesting)
Think up a new password. Just one.
Pass = "PcbEn!"
The mnemonic for that password is "Passwords Can Be Easy Now!"
Now use that one simple password to create stupidly complex passwords for the sites you visit by using Password Hasher.
Every site you go to will have its own unique mix of 26 upper, lower, numbers, symbols (if it supports it) that can be easily recreated in seconds without ever being written down or stored electronically.
All you have to remember is that passwords can be easy now.
Example password for Slashdot using this example is "nRP2zGk56sYN8IMUyFR/XpIx45" which is out of the brute force range this year and probably next year too.
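The derivation scheme the comment describes (one memorable master password, a site-specific 26-character password recreated on demand), as an added example that is not from the post and not Password Hasher's own algorithm: it is an HMAC-SHA256 stand-in (assumption) that also enforces the upper/lower/digit/symbol mix by re-deriving with a counter until the policy is met.

```python
import base64
import hashlib
import hmac


def meets_policy(pw: str) -> bool:
    """Require at least one upper, lower, digit and symbol ('+' or '/' in base64)."""
    return (any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw) and any(c in "+/" for c in pw))


def derive_site_password(master: str, site: str, length: int = 26) -> str:
    """Derive a per-site password from a master password and a site tag.

    Simplified HMAC-SHA256 scheme (assumption), not Password Hasher's real
    algorithm. Deterministic: same master + site always yields the same
    output, so nothing needs to be stored. The site tag is normalised so
    'Slashdot.org' and 'slashdot.org' agree.
    """
    tag = site.strip().lower()
    counter = 0
    while True:
        # The counter is mixed into the message so we can re-derive
        # deterministically until the output satisfies the policy.
        msg = f"{tag}:{counter}".encode()
        digest = hmac.new(master.encode(), msg, hashlib.sha256).digest()
        candidate = base64.b64encode(digest).decode()[:length]
        if meets_policy(candidate):
            return candidate
        counter += 1


if __name__ == "__main__":
    master = "PcbEn!"  # the comment's example mnemonic password
    for site in ("slashdot.org", "gawker.com", "gizmodo.com"):
        print(site, derive_site_password(master, site))
```

A site password recovered from one breached database does not yield the master: HMAC is one-way, so the other sites' derived passwords stay independent.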
Re: (Score:2)
Yeah, I'm a bit reluctant to store all my passwords in one place, if someone compromises that database, it's an easy access to ALL my accounts, woo-hoo. I know the encryption is NSA-grade, but what if? (Actually this is a ridiculous question isn't it, if we want to do "what if's", it'd be more likely that a giant website's database be hacked than my own computer.)
Oh well, I think some passwords are already stored for the browser auto-login feature anyway, so that's another place where -- if I'm paranoid --
Re: (Score:2)
I think you guys are all missing the point. Take off the geek hat for a minute.
Seriously, who wants to bother with having to do this?
orly (Score:2)
and by "encrypted" do they mean "we're idiots and stored something other than a salt + hash of the passwords"?
Re: (Score:3)
and by "encrypted" do they mean "we're idiots and stored something other than a salt + hash of the passwords"?
They used crypt() [die.net], which means it's going to be relatively easy to crack everything in the file even if the users' passwords were strong. Why anyone would use crypt() for password hashing is beyond me.
Re: (Score:3)
Given the contempt they apparently hold for their own users [mediaite.com], I don't think they're concerned all that much with protecting those users' data in the first place.
Re: (Score:2)
string EncryptPassword(char * plaintext) // TODO: Implement real encryption before deployment
{
return rot13(plaintext);
}
That's not the most insecure part (Score:5, Insightful)
provide fast remedy (Score:2)
They should provide a fast one-stop CGI that their users can go to that will perform these steps, not 'visit our sites and figure shit out'.
Annoying.
Reminds me of the LM hash (Score:5, Informative)
From http://pastebin.com/9rRmf6W5 [pastebin.com]:
"Gawker uses a really outdated hashing algorithm known as DES (Data Encryption Standard).
Because DES has a maximum of 8 chars, using a password like "abcdefgh1234" only the
first 8 characters "abcdefgh" are encrypted and stored in the database. If your
password is longer than 8 characters you only need to enter the first 8 characters
to log in! "
The LM hash generated two hashes using DES from two 7 byte parts of a 14 byte password.
Basically they use each individual 7 byte part as a DES key to encrypt a fixed string.
Repeat this twice for each 7 byte part, and concatenate the results, and you get the LM hash.
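The truncation defect described in the pastebin quote, and a black-box check for it, as an added example that is not from the post: Python's standard library has no DES, so the "legacy" store below is a constructed stand-in that reproduces only the property at issue (silently keying on the first 8 characters), beside a PBKDF2 store that honours the whole password. The check registers a long probe password and tries shorter prefixes, which is what a defender would run against any authentication back end to find out how many characters actually count.

```python
import hashlib
import hmac
import os


def legacy_hash(password: str, salt: bytes) -> bytes:
    # Constructed stand-in for traditional DES crypt(3): only the first
    # 8 bytes of the password ever influence the stored value.
    truncated = password.encode()[:8]
    return hashlib.sha256(salt + truncated).digest()


def legacy_verify(password: str, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(legacy_hash(password, salt), stored)


def modern_hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 over the full password; no length ceiling.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def modern_verify(password: str, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(modern_hash(password, salt), stored)


def effective_length(hash_fn, verify_fn, probe: str = "correcthorsebatterystaple") -> int:
    """How many characters of a password the store really honours.

    Registers `probe`, then checks whether `probe` plus an extra character
    still logs in. If it does, the tail is being ignored, so find the
    shortest prefix that still verifies. Returns len(probe) when nothing
    is dropped.
    """
    salt = os.urandom(8)
    stored = hash_fn(probe, salt)
    if verify_fn(probe + "X", salt, stored):
        for n in range(1, len(probe) + 1):
            if verify_fn(probe[:n], salt, stored):
                return n
    return len(probe)


def prefix_logs_in(hash_fn, verify_fn, registered: str, attempt: str) -> bool:
    """Register `registered`, then try to log in with `attempt`."""
    salt = os.urandom(8)
    return verify_fn(attempt, salt, hash_fn(registered, salt))


if __name__ == "__main__":
    print("legacy honours", effective_length(legacy_hash, legacy_verify), "chars")
    print("modern honours", effective_length(modern_hash, modern_verify), "chars")
    # The pastebin example: "abcdefgh1234" registered, "abcdefgh" accepted.
    print(prefix_logs_in(legacy_hash, legacy_verify, "abcdefgh1234", "abcdefgh"))
```

Against an LM-style store the same probe would report 14, since each 7-byte half is keyed independently and nothing beyond byte 14 is used.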
Re: (Score:2)
Mailinator. (Score:2)
Mailinator was made for sites like this.
Re: (Score:2)
nope. alt-f4 or ctrl-w is more like that. gawker network is to be avoided like poison.
Not as Bad as It Seems (Score:2)
After looking through the package released through BitTorrent, not everybody's password has been compromised. Gawker does appear to store passwords in an encrypted form and only particularly weak passwords have been cracked. My username, for instance, does appear in their raw DB dump (with an encrypted form of my password) but not in a separate file which lists the passwords they were able to crack. I have a fairly strong password and I believe that's why. Real examples of passwords weak enough to be cr
the true gem here: ID'ing astroturfers (Score:5, Interesting)
Re: (Score:2)
Not sure how you're going to tell people who are astroturfing from people who are genuinely commenting (maybe even avoiding stories which are a conflict of interest), but the fusion table posted earlier [google.com] has the domain part of the address in the clear.
= microsoft.com: 107 (you can get the exact count by clicking on "many") :P
= google.com: 118
contains samsung.: 4x samsung.com + 4x others
= gizmodo.com: 73 (?)
= gawker.com: 160
= youstuckupgawkerpeopele.com: 1
I don't read the site so I don't know what other domai
EasyDNS (Score:4, Insightful)
It's nice to see a bit of karmic justice after Gawker falsely accused EasyDNS of cutting off Wikileaks (it was EveryDNS), then acted like jackasses when called on it.
http://blogs.villagevoice.com/runninscared/2010/12/gawker_refuses.php [villagevoice.com]
Re:EasyDNS (Score:5, Informative)
Re: (Score:3)
Re: (Score:2)
Really? So, the 1.5 million victims in all of this can go to hell along with Gawker?
I guess the words "measured response" don't really mean anything to you ...
Re: (Score:3)
I have to agree with the "jackasses" comment being well deserved. They falsely accused someone of wrong, tried to quietly correct it, then insult anyone who called them out on their mistake, including those who they wronged.
Being wrong is one thing, but how they handled it turned the editors into "jackasses".
uh (Score:2)
Anyone have any experience changing all their low priority passwords at once? Thoughts?
Re:uh (Score:4)
I took this as a sign to change all my passwords. It's been a pain in the ass honestly, and provided a nice overview of who is good at letting you change passwords and who sucks. ICQ so far is by far the worst: you can't change it through their website, so you have to download their client, plus they don't allow special characters. eBay's was really hard to find where to change it as well.
I just went through my bookmarks, starting with the important stuff and working my way down. Unfortunately, there are surely some sites I've forgotten. I'll have to change them as they come up, but they are mostly throwaway accounts anyway.
Re: (Score:2)
A few weeks ago I had my (2 years inactive) WoW account get owned and banned, possibly through my email account, so that was a major sign to sort out and properly tier all my passwords. I found firefox's list of saved passwords to be particularly helpful as a checklist of sites to change, as well as a reminder of how stupid I had been using my "good" password on far too many low priority sites in the past. Also a strong reason against having one "good" password.
Thanks to your post, however, I am also remi
Re: (Score:2)
They probably did. It's a press release, and a one-way cryptographic hash is close enough to "encrypted" and a helluva lot shorter and more understandable to a non-pedantic audience.
Re:Encrypted? Hashed? (Score:5, Funny)
They probably did. It's a press release, and a one-way cryptographic hash is close enough to "encrypted" and a helluva lot shorter and more understandable to a non-pedantic audience.
At least they didn't say "scrambled".
Re:Encrypted? Hashed? (Score:5, Funny)
Waht? Smcrbalnig is a pfretlecy surece epoitrcyn mhtoed for prdsoaswss!
Re: (Score:2)
Actually they used DES, so calling it encryption is technically correct. (They encrypt a constant string with the password as the key, which is basically a poor man's hash).
Also apparently like LANMAN hashes they only use the first 8 characters of the password, which is just fucking mind blowingly stupid.
Re: (Score:2, Insightful)
Hashed passwords provide a degree of protection, so long as you salt the hash, and store a different salt for each password (for maximum protection [codinghorror.com]).
Any programmer that doesn't understand salts, hashing, and encrypting should not bother making software that handles logins, period.
Re: (Score:2)
Any programmer that doesn't understand salts, hashing, and encrypting should not bother making software that handles logins, period.
Why should they have to? How many times are we going to reinvent this particular wheel anyhow?
Re: (Score:2)
As many times as it takes, for common sense for basic security to actually win?
Re: (Score:2)
Having people reinvent it constantly is counterproductive to your goal. What we need are a few people who actually know what they're doing to design it, and for everybody else to use that.
Every CMS doing passwords their own way is a great way to ensure most of them are doing it wrong.
Re: (Score:3)
Having people reinvent it constantly is counterproductive to your goal. What we need are a few people who actually know what they're doing to design it, and for everybody else to use that.
How about Kerberos, versions 1-4? Oh, wait. Bad example.
My point is that MIT has the people who not only know what they're doing, but are the ones who often define the very security practices the rest of us rely on. And even they needed to get to version 5 before they got it right (for current definitions of "right").
I'm certainly not saying that ShmooCMS is going to do a better job than MIT did with kerberos at defining an unhackable protocol. They're not. I am saying to "be mindful of what you rely o
Re: (Score:2)
Aren't Kerberos and the authentication of Google Accounts and Facebook's Connect the same thing? They both rely on authenticating an individual and using a provided token for authorization; one is PAM based and the other is for Web properties.
Central authentication is the way to go, you just need to make your central authentication rock solid from both a security and reliability standpoint (i.e. properly implemented Kerberos).
Re: (Score:2)
In cases where the pertinent part of the codebase/config was lifted as well, such as in the current example with the Gawker data, this doesn't help. At some point, the password algorithm has to have access to the salt. An attacker who has both the complete code and the database will also have access to the same salt, no matter how "secure" t
Re: (Score:2, Informative)
The salt just complicates the rainbow table lookup method. It's not supposed to be super secret. It makes every password require an expensive brute force lookup rather than an O(1) operation.
Re: (Score:2)
While that is true, it just delays the inevitable. In fact, even with salt, any large scale leaks such as the Gawker crack will always contain a good number of stupid passwords that are easily brute-forceable even without a rainbow table. It will always be relatively easy to either crack a single account you're really inte
Re: (Score:2)
Hashed passwords provide a degree of protection, so long as you salt the hash, and store a different salt for each password (for maximum protection).
True, but as far as websites are concerned, the weakest link is usually the login form where most of the time plaintext passwords get transferred over the net. Releasing a database dump is a big problem, whether passwords are hashed or not, but the gawker intruders might just as well have installed a hidden mechanism that grabs such unencrypted login info over time and for extra fun they could have invalidated all login sessions/cookies/whatever...
Re: (Score:2)
Hashed passwords provide a degree of protection, so long as you salt the hash, and store a different salt for each password (for maximum protection [codinghorror.com]).
Any programmer that doesn't understand salts, hashing, and encrypting should not bother making software that handles logins, period.
Unless you were intending to be ironic, salted hashes (even with per-user salts) do not offer maximum protection. Use bcrypt instead: http://codahale.com/how-to-safely-store-a-password/ [codahale.com]
See this thread for additional discussion behind it: http://news.ycombinator.com/item?id=1091104 [ycombinator.com]
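The two points made in this sub-thread (a salt is not secret but it defeats the O(1) precomputed lookup, and a deliberately slow function like bcrypt is what actually makes each guess expensive), as an added example that is not from any of the posts: the unsalted store lets one precomputed table crack every user with a common password at once, while the salted store forces one fresh, slow computation per guess per record. Assumptions: the "common password" list is constructed, and scrypt from the standard library stands in for bcrypt.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for a precomputed (rainbow) table's input.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "lifehack", "12345678"]


def unsalted_hash(password: str) -> str:
    # An unsalted store: identical passwords give identical hashes for every user.
    return hashlib.sha1(password.encode()).hexdigest()


def precompute_table(wordlist):
    # Built once, reused against every hash in a dump: O(1) per lookup.
    return {unsalted_hash(w): w for w in wordlist}


def crack_unsalted(stored_hash: str, table):
    return table.get(stored_hash)


def salted_hash(password: str, salt: bytes) -> bytes:
    # scrypt as a stdlib stand-in for bcrypt (assumption): slow and memory-hard,
    # so every guess costs real work and cannot be amortised across users.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def new_record(password: str):
    # Per-user random salt, stored in the clear next to the digest.
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def verify(password: str, record) -> bool:
    salt, digest = record
    return hmac.compare_digest(salted_hash(password, salt), digest)


def crack_salted(record, wordlist):
    # No shared table is possible: each candidate is a fresh scrypt call
    # bound to this record's salt, even though the salt itself is known.
    for w in wordlist:
        if verify(w, record):
            return w
    return None


if __name__ == "__main__":
    table = precompute_table(COMMON_PASSWORDS)
    print("unsalted 'password' found:", crack_unsalted(unsalted_hash("password"), table))
    alice, bob = new_record("password"), new_record("password")
    print("salted records differ:", alice[1] != bob[1])
    print("salted 'password' found:", crack_salted(alice, COMMON_PASSWORDS))
    print("salted strong password found:", crack_salted(new_record("X#ss09@$xxpp"), COMMON_PASSWORDS))
```

Weak passwords still fall either way, as the thread notes; what the salt and the slow function change is that the attacker pays full price per user rather than once for the whole dump.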
Re: (Score:2)
Can someone please tell me why sites and services like this are saving the passwords of their users, instead of saving some hashed version of them?
4 obvious reasons:
Re:Children suck (Score:5, Insightful)
We considered what action we would take, and decided that the Gawkmedia “empire” needs to be brought down a peg or two.
This is the major problem with the internet - we let children on it.
Really kids? Go play somewhere else and let the adults have peace and quiet. You don't need to piss on everything just to prove you're alive. The smell of your unwashed armpits is already ample demonstration.
There's no indication that the people who compromised Gawker were minors... but to respond to your larger sentiment...
People who have malicious intentions and do bad things exist. They exist in large numbers. It is simply not possible to identify and stop every last one of them. It's not even feasible to significantly reduce their numbers. Not even the power of law can accomplish that. Indeed, law is a tool for managing this fact of life and has no real power to completely prevent it. There's nothing anyone can do about this reality. It can only be acknowledged, accepted, and worked with. Denial and delusion are your only other options.
There's one thing we can do, however. We can harden the targets. We can secure the systems for which each of us is responsible. We can realize that compromises like this are preventable and then take steps to prevent them. We can learn from the example of those who failed to do so. At the end of the day, we can realize that we're not helpless victims completely at the mercy of random chance or luck, but rather, that there is a great deal we can do to become an extremely difficult target.
Posts like this one [slashdot.org] are written in the spirit of this understanding. It highlights that the owners of those systems acknowledge that they have failed, have accepted responsibility for that, and therefore have the fewest obstacles to learning from this experience and overcoming it. An attitude of blaming everything on "those evil hackers", though they truly have done wrong, would practically guarantee that nothing is learned and no skills are improved.
Re: (Score:2, Insightful)
I didn't say minors. I said "children."
I chose that word carefully.
Your points are all very correct, of course. I am just screaming to an apathetic universe.
Re:Children suck (Score:4, Insightful)
I didn't say minors. I said "children."
I chose that word carefully.
Your points are all very correct, of course. I am just screaming to an apathetic universe.
Point taken. In fact the biggest single reason why I am concerned about the long-term well-being of the USA is that most of its "adults" are petty, indulgent, overgrown children with short memories. In that spirit I can see why you had good reason to choose that word as you did.
I maintain that the more adult thing to do is to overcome such events by learning their lesson, rather than indulging in the "blame game" and making it into a 5-minute hate. Not only is that the constructive solution, it also limits the damage of this intrusion to computer systems only. The anger and hatred merely serves the intruder(s) by extending the damage into the personal realm of your own well-being.
Re: (Score:2)
Only if you have a very simplistic and very homogeneous view about information. Information isn't equal. All of it might want to be free, but not all of it should be. You can easily and coherently argue that certain kinds of government communication should be "liberated" -- particularly if it's an abusive government's information -- and that other kinds of personal information should remain confidential.
Re: (Score:2)
Re: (Score:2)
..the future is the "cloud"?
On what planet?
It's a methane cloud.