If there were a way to screw up its response, Gawker found and followed it.
In truth, they had over a month to find this problem but diagnosed the early warning signs in November improperly, were very obviously breached (and told they were breach [sic] by others) on Saturday, and it still took until Monday afternoon to say anything to their user base. And in the meantime their representatives were releasing statements via Twitter up until Saturday evening that were either partially or totally incorrect.Pretty bad. And yet, unlike Forbes' "Firewall" blogger Daniel Kennedy, I'm having a hard time getting too exercised about this.
Yes, the compromise stinks for those Gawker commenters who shared identities (email addresses and/or usernames and/or passwords) between Gawker and other services of arguably greater importance, like Twitter. But I would never have expected a celebrity gossip site to have the greatest security. (In Gawker's case, it appears it had none.) The farther a Web site's business is from technology, the less confidence I place in its commitment to and understanding of genuine security. Gawker trades in gossip. That's how it makes its bones. I would never trust it with any information of genuine importance, like a username/password pair I used for a bank, or even for an email account.
To use the same password for Gawker and Twitter was the kind of mistake inexperienced users make. They'll have to stumble through the consequences, like all newbies to the Internet (and you're a newbie until you've absorbed this kind of lesson, even if you've been online for ages). The quotation from Tolkien's The Two Towers comes to mind: "The burned hand teaches best."
Kennedy has a laundry list of things Gawker should do:
And when they have finished hiring a real security person and drafting an incident response plan, they can create a password composition and management policy, a policy on not writing passwords in chat logs, a patch management policy, and maybe for kicks a policy against bad mouthing their own users internally, users that they themselves put in harm’s way.Reasonable actions for a hacked business to take, but I doubt Gawker will follow through. Real security means investing a lot of time and money in hardware, software, and training. More importantly, it means imbuing everyone in the organization with the kind of mindset that would make "writing passwords in chat logs" unthinkable.
I'll say it again: Gawker trades in gossip. The security gossipmongers worry about is that which stands between them and their subjects. Gawker will do the minimum necessary to get itself back up and running, and then coast along until the next time it's cracked. If its audience has gotten the hint from this fiasco, the only victims of that next incident will be Gawker and its staff.
I hope not, but it's possible.
ReplyDeleteIt's what I do for a living, you'll forgive me if I can get exercised about it. ;)
Anything's possible. The black eye to its reputation might be greater than I think it is, and that might prompt the staff to act with more purposefulness than I expect.
ReplyDeleteMy cynicism arises from what I've heard of Nick Denton and, ironically, from the leaked chat logs you quoted. Remarks like those are not made by people who take their users or their security seriously. And a culture of lax security is not easy to turn around. Either you go the Microsoft route and essentially put everything on hold for a time while you beat the point into everyone's head, or you issue threats from on high and hope fear keeps the staff in line. Gawker will not take the MS tack (it can't afford to: it will lose too much mindshare in the interim, even if it can afford to do so financially). The latter approach works for a short time but since it hasn't effected a fundamental change in attitude among employees, they'll backslide eventually, and then, if you go out of your way to paint a target on yourself the way Gawker did, that backsliding will provide the open door for which honked-off crackers will be looking. (I hope that Gawker at least has learned not to treat hostile techies with public disdain. That was stupendously boneheaded.)
I just read http://blogs.forbes.com/firewall/2010/12/14/discussing-gawkers-breach-with-founder-nick-denton/, your report of Denton's email to you. I understand that you have to be polite, but I have the luxury of indulging my snarky side, so I'll say that his response sounded like nothing more than damage control. It wasn't bad as damage control efforts go, and it might have expressed more contrition than Denton normally would, but actions speak louder than words. We'll see what happens.
" I understand that you have to be polite, but I have the luxury of indulging my snarky side"
ReplyDeleteHeh heh...