Tuesday, December 14, 2010
I just finished reading the Gawker hack release notes.
There is really nothing to say other than that they have massively incompetent technology people. They are so bad, they don't even know what they don't know.
"They are not stored in plain text and are on entirely different systems than the third-party hosted Campfire screenshots that appear in this article. There's no evidence to suggest any Gawker Network user accounts were compromised, and passwords are encrypted (not stored in plain text) anyway, so stealing passwords isn't even possible."
How does this guy not know about rainbow tables? Is their tech guy a journalist who taught himself PHP?
Now against a determined adversary you are probably screwed anyway, but this whole thing would have been much harder with a few VERY BASIC security concepts, including:
1) Adding a SALT to your stored passwords
2) Adding firewall rules to only allow access to your servers from necessary IP address blocks.
3) Disabling the root accounts
I'm not talking about a sophisticated intrusion detection system, but how about setting up a script that emails you every time someone logs in to the production system? My FUCKING Facebook account does this! That would have prevented them from spending 3 days downloading your database.
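Point 1 in working code, as an added example that is not from the post: an unsalted scheme gives every user who picks "password" the same stored hash, which is exactly what a precomputed (rainbow) table resolves in a single lookup, while a per-user random salt makes every record unique so the table cannot be applied. The candidate list is constructed, and pairing the salt with PBKDF2 is my choice; the post only asks for a salt.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a precomputed (rainbow) table: a handful of
# common passwords and their unsalted SHA-256 hashes. A real table holds
# billions of entries, but the lookup works exactly the same way.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "lifehacker"]

def unsalted_hash(password):
    """The 'encrypted' scheme: one fixed hash per password, no salt."""
    return hashlib.sha256(password.encode()).hexdigest()

def build_lookup_table(candidates):
    """Precompute hash -> password once; reusable against every site using the scheme."""
    return {unsalted_hash(p): p for p in candidates}

def crack_unsalted(stored_hash, table):
    """Dictionary lookup: no guessing at the site, just a table hit or None."""
    return table.get(stored_hash)

def make_salted_record(password, iterations=100_000):
    """Per-user random salt plus PBKDF2-HMAC-SHA256, stored as one '$'-separated string."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_salted(password, record):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iterations, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)

def table_hits(records, table):
    """Count salted records a precomputed table can resolve; the salt makes it zero."""
    return sum(1 for r in records if r.split("$")[-1] in table)

if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print("unsalted:", crack_unsalted(unsalted_hash("password"), table))
    rec = make_salted_record("password")
    print("salted record:", rec)
    print("table hits on salted:", table_hits([rec], table))
```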
Thursday, December 02, 2010
There's been some hubbub over this wikileaks situation. If "loose lips sank ships" back in WWII, in the information age it's a warfighting tactic and I think we have just been attacked. So while the original leaker should be hanged, and while I would not be averse to having a cruise missile accidentally land in Mr. Assange's parents' house -- there is only one solution to this problem long term.
The signal to noise ratio is a measure used in science and engineering to quantify how much a signal has been corrupted by noise. The United States should hire a large group of people to write or forge millions of fake official government/military documents and submit them to wikileaks and found a dozen other document release websites to swamp the signal with noise.
It would be cheap, would give anyone who needed it plausible deniability, and would allow for the release of strategic misinformation to our enemies.
In fact, maybe they've done it already...