Tuesday, December 14, 2010

I just finished reading the Gawker hack release notes.

There is really nothing to say other than that they have massively incompetent technology people. They are so bad, they don't even know what they don't know.
"They are not stored in plain text and are on entirely different systems than the third-party hosted Campfire screenshots that appear in this article. There's no evidence to suggest any Gawker Network user accounts were compromised, and passwords are encrypted (not stored in plain text) anyway, so stealing passwords isn't even possible."
How does this guy not know about rainbow tables? Is their tech guy a journalist who taught himself PHP?

Now against a determined adversary you are probably screwed anyway, but this whole thing would have been much harder with a few VERY BASIC security concepts, including:

1) Adding a SALT to your stored passwords
2) Adding firewall rules to only allow access to your servers from necessary IP address blocks.
3) Disabling the root accounts
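
Point 1 in working code, as an added illustration (not code from this post or from Gawker): a bare SHA-1 digest of a common password falls to a precomputed table instantly, while a per-user random salt makes every stored value unique so no table can be built ahead of time. The example goes one step past a bare salt by running PBKDF2 on top; the tiny "table", the password list and the storage format are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed demo data: a three-entry "precomputed table" of unsalted SHA-1
# digests of common passwords. A real table has billions of rows.
COMMON_PASSWORDS = ["password", "123456", "letmein"]
PRECOMPUTED_UNSALTED = {
    hashlib.sha1(pw.encode()).hexdigest(): pw for pw in COMMON_PASSWORDS
}


def store_unsalted(password: str) -> str:
    """The weak scheme: one bare hash, identical for every user with that password."""
    return hashlib.sha1(password.encode()).hexdigest()


def lookup_unsalted(digest: str):
    """Defender's self-check: does a leaked digest appear in the precomputed table?"""
    return PRECOMPUTED_UNSALTED.get(digest)


def store_salted(password: str, salt: bytes = b"", iterations: int = 100_000) -> str:
    """Per-user random salt plus PBKDF2-HMAC-SHA256 (assumed storage format below)."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Format is this example's own convention: algo$iterations$salt_hex$hash_hex
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    leaked = store_unsalted("letmein")
    print("unsalted digest recovered from table:", lookup_unsalted(leaked))
    a, b = store_salted("letmein"), store_salted("letmein")
    print("two salted records for the same password differ:", a != b)
    print("salted hash in table:", lookup_unsalted(a.split("$")[-1]))
```

Two users with the same password get two different records, so a leaked salted database has to be attacked one record at a time rather than looked up.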

I'm not talking about a sophisticated intrusion detection system, but how about setting up a script that emails you every time someone logs in to the production system? My FUCKING Facebook account does this! That alone would have kept them from spending 3 days downloading your database.