Read Gawker? Gizmodo? Lifehacker? You’ve been pwnd.

Posted by Greg Laden on December 13, 2010
(13)
More »

Registered users of Gawker.com media sites have had their names, email addresses, reading histories, and passwords stolen. But that’s OK, because just yesterday I heard you say that any information hackers steal from secret computer databases should be public. (Or did I hear you wrong?)


The hacking appears to have been done by one of the same groups of “Hactivists” that is sucking up to Wikileaks and the largely directionless and infantile Internet anarchist community. [No, wait, probably not. Updated.]

This is all unfolding rather quickly, and you can get updated at least through yesterday here and here, and here is where Gawker tells you to change your password or else.

Do you care if your password and username, which you probably use for a number of different accounts, is in the hands of nameless faceless hactivists? My suggestion to you is to keep your nose clean. Don’t say anything bad about the hactivists, or they’ll use that information to mess you up. Which is their right, after all, because your user name and password are electronic information, and since electronic information can be copied without cost or difficulty, it is free for everyone to use. (Have I got that right?)

Most likely there will be no consequences for the hackers.

(13)
More »

Comments

  1. #1 Rich Wilson
    December 13, 2010

    http://www.google.com/fusiontables/DataSource?dsrcid=350662
    has a list of the MD5 for every compromised email, so you can see if you’re affected. Instructions included.

  2. #2 Timberwoof
    December 13, 2010

    Who stores passwords unencrypted? And who uses anything but one-way encryption for that? The instruction to change your password is security theater or an admission of technical incompetence.

  3. #3 Stephanie Z
    December 13, 2010

    Timberwoof, if you read the note from Gizmodo instead of guessing what’s in it, you’ll see that the passwords were encrypted, but they suggest that people change their passwords because simple passwords may be vulnerable to brute-force attacks.

  4. #4 Sven
    December 13, 2010

    “Have I got that right?”

    Simply: No! Greg, I always like to read your posts but this one only seems to be an unsubstantiated rant. The discussion around Wikileaks was never about “any information hackers steal from secret computer databases should be public” and reducing it to this sentence completely misses the role Wikileaks plays for a unhealthy democracy (a healthy one wouldn’t need it).
    Also, the hacker group “Gnosis”, responsible for the Gawker hack, apparently has nothing to do with the group “Anonymous” who you refer to and even distances themselves from it.

    I don’t agree with the DDoS (also not hacking) attacks by the group Anonymous since they are only destructive and don’t help their case, but I see the idea and necessity behind Wikileaks and have to say you completely missed the point of the whole debate.

    Disappointed by this post!

  5. #5 Greg Laden
    December 13, 2010

    Sven, thank you for coming here to delcare yourself an indignantly ougraged fan with a need to tell me what to think and write. But that’s OK, I’m more interested in the substantive information you bring to the table than your lack of politeness. I mean, I did after all ask the fucking question “Do I have that right” as an invitation to information and correction, didn’t I?

    I don’t mention the group Anonymous by name, yes, it is true that they were named in the posts to which I referred, and that was the situation at the time I wrote this post. There is an update on the first of those links backtracking from that position.

    “any information hackers steal from secret computer databases should be public” does not refer to Wikileaks, it refers to Napster. The link between the breathless worship of Wikileaks and Napster is clear.

    “the role Wikileaks plays for a unhealthy democracy (a healthy one wouldn’t need it).”

    Have you read anything I’ve written about this or are you simply going to classify me as a Wikileaks hater because I don’t happen to be on my knees giving Julian a blog job at the moment?

    You seem to be referring to misuse of the word “hacking” and I totally get your point on that and essentially agree with it, but like many, perhaps most, I’ve given up on maintaining a distinction that nobody else is bothering to maintain. It may be time for actual hackers to call themselves something else, because in the modern, dynamic and often annoying English language, whatever “Hacker” means, it also means a person who breaks into your computer and breaks it or does something else that you didn’t want them to do.

    “I see the idea and necessity behind Wikileaks and have to say you completely missed the point of the whole debate. ”

    No, you’ve simply gleaned what you want to glean (see above).

    “Disappointed by this post!”

    As I am by your comment, but I do appreciate your note about Anonymous and your attempt to rescue the word “Hacker” (as ill fated as it may be).

    My problem, Sven, is that my reaction to the whole wikileaks thing is complex and at least somewhat thoughtful. Read my blog, man. I’m not going to go all cultish and simple just because people are sending me hate for not viewing, and writing of, Julian Assange and Wikileaks in brilliant golden light. You have a more thoughtful than average view of this yourself (as made clear in this post) please don’t accuse me of not getting it because you’ve only gotten part of my message.

  6. #6 Greg Laden
    December 13, 2010

    blog job = blow job. Important not to confuse these.

  7. #7 Irene
    December 13, 2010

    blog job = blow job. Important not to confuse these.

    ROFL

  8. #8 Nemo
    December 13, 2010

    But that’s OK, because just yesterday I heard you say that any information hackers steal from secret computer databases should be public. (Or did I hear you wrong?)

    Yeah you did.

    There’s a difference between privacy and secrecy. Secrecy is the one that needs to die. Granted, the difference is not always crystal clear. (I’m tempted to say it’s the difference between personal and organizational, but that’s only part of it.) But passwords are pretty firmly in the “privacy” category. What they protect, on the other hand, could fall into either category. (In this particular case, I don’t think they’re protecting anything, except the users’ online identities.)

    In this case I think the point was not to liberate information per se, but (frankly) to terrorize. To what end, I’m not sure — why those sites in particular?

    Some “hacktivists” are clueless. This is not news. I really don’t think it reflects on the broader issues.

  9. #9 Greg Laden
    December 13, 2010

    Nemo: The fact that many hactivists are philosophically informed by their desire to get free music (an oversimplification, but you get the point) may be widely known, but why should it not be discussed?

    I’ll think about this privacy vs. secrecy thing. Are you sure there is not any need for secrecy? I’ve blogged about times when I was involved in secrecy and I thought it was pretty important at the time. And, in some of those instances, I think there isn’t much difference between the two.

    For instance, in one place I worked, there was a revolution and the names of ever person who worked for white outsiders (in any capacity at all, mostly menial jobs) were obtained from accounting records. Every one of those people was hunted down, most captured, and of those, most were killed brutally. So, when we worked there two decades later, we were careful to make the names of those affiliated with us in any way at all encrypted and secret. There were no privacy rules, no one cared that anyone else knew they worked for or with us, there was no concept at all that people’s names needed to be private and we were never asked to do that. In fact, people touted that the worked for us, it was a sign of status for many.

    But we kept the names secret. And, there was another revolution. I don’t know if any list of names would have led to extortion, kidnapping, or murder, but since we handled the secrecy well it was not an issue.

    So, no, I don’t agree that secrecy is always bad. I know too many people who’s siblings or parents were killed by insane cultist rebels to think that.

    Once again, please do not translate my statement that secrecy has value to specific secrets that we can (mostly) all look at from wikileaks and be glad they got out. Once again, this is not simple.

  10. #10 Sven
    December 13, 2010

    Greg,
    thanks for your quick answer. I’m sorry if my comment was more impolite than I intended it to be. Lets blame my German genes for it!

    “does not refer to Wikileaks, it refers to Napster.”
    Ok, I have to admit I only saw the reference to Wikileaks since you mention them in the next paragraph.

    You are right that I got a bit carried away in the defense of Wikileaks. I’d read your other posts on the topic and therefore was surprised about the negativity I saw in this post. After your comment I read it again and I still see the link between the Wikileaks debate and the Gawker hack which in my opinion have nothing to do with each other (#8 is right to the point). This apparent link was what led to my comment but I agree it could have been more polite. Heat of the moment problem on my part and I apologise for that!

    I still think that there needs to be a clear distinction between activities of groups like Anonymous and the Gawker hack. From other posts it is clear that you distinguish those, but this did not come across in this one.
    And although I’m sorry now for how I wrote the comment, it got the reply I needed to understand how you meant your post.

    The comment on the use of the word “hack” was almost unintentional but I’m happy it got noticed :)

    So, sorry for my German impoliteness, but the point hidden behind the bad wording still remains. With the current headlines in mind, the sentences about making secret information public will be seen as direct reference to Wikileaks and therefore mix the two things up.

    And I wonder why “give somebody a blog job” is not in the dictionary yet in the times of Web 2.0…….
    Sven

  11. #11 Sven
    December 13, 2010

    I agree that a certain level of secrecy is often needed, but I would put the records you talk about in the privacy drawer. Names and addresses clearly are private information in this case that can be used to identify single people. I would argue that secrecy would have been to not list any local helpers (which in this case would still be justified to protect them).

    On the level of governments I also disagree with Nemo that it has to die completely. Even in a democracy there needs to be a certain level of secrecy but it is important to keep it to a minimum.

    But the distinction between information that can be used to identify individuals and information on processes and decisions (what Nemo refers to as “organizational”?) is important. And I realize there is a thin line here when a organizational body is represented by a person where those two clearly overlap.

  12. #12 Greg Laden
    December 13, 2010

    Sven, this was in the early 1980s. The concept of privacy in that country in that decade with those people did not exist at all, for them or for us or for anyone else, in the way we see it now. Assuming we can’t impose our present day and western ideals on a different time and place, it really wasn’t a consideration.

    though, I agree that by our standards right now, that looks like it was privacy, but that is the point. These definitions can be shot through with wholes by a moderately well trained undergraduate in anthropology.

    Consider the broader issue of security. There is one culture in which leaning a certain stick against the outside of your front door means you are not home, and under those conditions no one is allowed in the house. There is no burglary under these conditions (though it is not a robbery free or crime free culture). That is perfect security in that culture but would be perfect foolishness in Germany or the US.

    I would say that security is a certain goal and privacy and security are ways to achieve that goal in certain circumstances.

    the distinction between information that can be used to identify individuals and information on processes and decisions (what Nemo refers to as “organizational”?) is important.

    I was once involved in an investigation in which my interest was in protecting the interests of some otherwise helpless (from certain outside forces) natives as well as protecting some incredibly valueable and important archaeological sites. I was in several conversations with some individuals who were unable to discover my true identity. Had they known it, they would have walked away from our arragements. Since they didn’t, since my privacy was secure, they told me things that ultimately were used to catch them and stop the very bad things they were doing.

    Secrecy and privacy are the same thing sometimes sometimes not.

    Consider this as well: Currently, in the US freedom of information is the rule, but protecting people’s privacy is the rule. So, for instance, when I worked for the Univesity of Minnesota we had a procedure to follow if we ever got a phone call from someone outside asking for any informatoin about any student (phone number, address, what classes the student is taking, etc.). The idea is that an outside could be a rapist or abuser or whatever, and we could easily be duped into revealing that information.

    At the same time, when the unviersity interviews candidates for the head (president) of the institution, they are required to release that information to the public because it is considered important public information. The previously established system which protected people’s privacy …. people who were already in one job yet looking for another … was tossed out. Now when a potential administrator applies to run a different institution, this is revealed to their current employer. Thus, we can assume that a higher percentage of disaffected administrators (and a small number of very, very secure ones) will dominate the applicant pool.

    And, when the afore mentioned student becomes a president (of something) those class records that were protected before may well become public information. That’s probably not a big deal. But, there is a point to all this: As you say, there is a fine line (or a gray area, really) between these definitions, and what makes perfect sense in one context makes no sense in another. If I knew that soeone could look up in a database what conversations various officials were haveing with whom, I would have been unable to help the people and avoid the damage to the archaeological resource I mentioned above.

    I suspect that people who are saying that there should never be anything withheld ever either have never experienced a long list of things in their lives, or haven’t really thought about it too much.

    All this does not mean that i do not relish the information coming out of Wikileaks, or that I do not thing that on balance this is probably a very good thing.

    I’m just not joining the cult.

  13. #13 Sven
    December 13, 2010

    Greg, I completely agree with your last post. Privacy and secrecy are always things that have to be seen in context and that what might be correct in one situation is wrong in another. And as I said, I believe that many situations need a minimum level of secrecy to work out like the ones you describe.
    The problem in the internet age is that you can never have absolute certainty that electronic information will stay hidden. This is just a fact and I think it’s good to keep that in mind.
    I’m involved in teaching as well and the example with students is a very good one. How much can you say without making it possible to identify a single one? How can you say anything without violating their privacy? Where can a line be drawn? Clearly something that has to be considered in every single case and most of the time can only be guessed.

    The same is true for Wikileaks. Many leaks may have huge impacts which can’t possibly be all foreseen when looking at them. Some information was necessary to be leaked to show where boundaries have been crossed, some might get people into trouble without adding much to the discussion. I don’t envy the people who have to make the decision whether the need to get the information into the public eye outweighs the risks.

    And just to come back to a comment you made at the end of your post. Whoever leaked documents clearly knew he did something illegal but took the risk because he thought it is important. I still think whoever leaked documents has to be prosecuted. The guys who hacked Gawker definitely should because they only wanted to cause harm and clearly wanted private information to get out. But also people who have a noble cause should, because they broke laws and the trust their employer had in them. Wikileaks is another filter on top of that and I would say it is kind of a review entity but in my opinion is protected by freedom of the press. It doesn’t steal information like the Gawker hackers but merely presents a chance for people who think something s foul and people should know. These people know that they can be prosecuted and have to be in order to keep a system where the necessary secrecy can be maintained.

    There are definitely no general rules where privacy ends and secrecy begins…..

    I share your reservations and the examples from your own experience clearly show the grey area