The Aftermath of the Gawker Hack [Updated]

Like this, but egg instead of pie. Photo: Theo Wargo/WireImage

Last night's attack on Gawker Media might be the only hacker-related story in recent weeks without any direct ties (as yet) to WikiLeaks. But it's not without its own ripple effects and recriminations. The hack, which sent the names and passwords of Gawker's entire staff, commenters, and even some federal, state, and local government employees out across the Internet, was orchestrated by a group called Gnosis. The group seems to be taking up the hacker cause against Gawker, a siege that began earlier this year when the blog tried to defend an 11-year-old girl. The torrent file includes transcripts from Campfire, the channel Gawker employees use to discuss potential stories.

Gnosis posted this exchange as if to say: You mess with the hackers, you get the hack.

Maureen O. it appears that there is dissent among the 4channers as to whether 4chan's attack on us means 4chan is pathetic and unscary now.

Brian M. 10 Things 4Chan Users Should Do Rather than Attack Us

Brian M. The headline of your post should be "Suck on This, 4Chan"

Hamilton N. Nick Denton Says Bring It On 4Chan, Right to My Home Address (After The Jump)

Ryan T. We Are Not Scared of 4chan Here at 210 Elizabeth St NY NY 10012

Maureen O. hey guess what, 4chan has already declared gawker the winner of the 4chan war! we won!

Richard L. VICTORY

Maureen O. they say that this day will go down in history as the day 4chan failed.

Richard L. that's terrific.

Richard L. they've been demoted to 3chan

The tenor of this insider conversation, done behind what the writers assumed were closed Internet doors, shouldn't come as a surprise to those who read Gawker's coverage of the feud, which at times seemed to taunt 4Chan for its failure to bring Gawker down. But Daniel Kennedy at Forbes takes a harsh jab at Gawker for its role in courting crackers when there's no way for anyone to guarantee that your information will stay secure:

There are a number of examples where antagonizing the population of would-be attackers at large can serve as a motivation for them to expend the time necessary to find a way into a system. For example, claiming publicly that something is unhackable is usually a good way to find out that it is. Making unnecessary statements of bravado, statements potentially divorced from reality, changes the equation for an attacker, it suddenly makes compromising your environment worth more of his or her time. Put another way, thumbing your nose at an entire world’s population of crackers is usually a lousy idea.

If you buy the hacker-as-cyberterrorist argument, it's hard to fault Gawker for not bowing its head and scurrying away in the face of 4Chan's malicious targeting of an underage girl. We also found no mention of the word unhackable on the Gawker site. But not baiting the lawless Internet anarchists does sound like a safer option.

To add (more) insult to data-security injury, Gnosis used one of the staffers' log-ins to post a link to the location where users could download the database of hacked files, hosted on the Pirate Bay. However, the leak, which also made public the passwords of government employees, from mission controllers at NASA to a congressman's chief of staff, gives government agencies a chance to change them before Gnosis can launch another attack. Some of the recriminations have come from Gawker's readers, like Reuters's Felix Salmon, who complained that unlike web start-up Hint, which sent out an e-mail warning, Gawker took too long to post an FAQ and alert anyone whose data was compromised.

The hack, which also exposed its source code and valuable advertising statistics, couldn't have come at a worse time for Gawker, which is in the process of a major revamp.

The aftershocks of Gnosis's attacks have already spread to Twitter, where an influx of spammy tweets promoting the acai-berry diet appears to originate from users who used the same password on both Twitter and Gawker. Nick Denton, who should know better, apparently used the same passwords for Google Apps, Twitter, and Campfire. On Gawker, Denton said he'd be hanging out in the comments section today addressing questions and apparently posting photos of himself "looking glum."

"I do want to tell you how sorry we are. I can also reassure those who worry about the role of commenters in the new Gawker. And I'm here for my beating." Looks like they were happy to oblige.


Gawker Data Breach Could Lead to Attacks on Government Agencies [PBS]
Gawker hackers release file with FTP, author & reader usernames/passwords [TNW Media]
http://nakedsecurity.sophos.com/2010/12/13/acai-berry-spam-gawker-password-hack-twitter/ [Sophos]
Gawker Media gets hacked [Reuters]