[Owasp-singapore] Gawker tech boss admits site security was crap

Wong Onn Chee ocwong at usa.net
Sat Dec 18 06:01:51 EST 2010

So are we still going to let insecure codes go live?


"Having looked at the Gawker PHP source, I'm shocked it hasn't happened
sooner," Mike Bailey, who specializes in web-application security
recently tweeted
<https://twitter.com/#%21/mckt_/status/14187457570414592>. "Test code
all over the place, bugs galore."

"Gonna go ahead and make a prediction: Nothing short of a full site
rewrite is going to keep Gawker online at this point," he said in
another message <https://twitter.com/#%21/mckt_/status/14188068114268160>.

Another amateur goof was the use of DES, or Data Encryption Standard, to
protect some 1.5 million account passwords despite long-known weakness
in the hashing algorithm. As a result, the attackers were able to
retrieve the first eight characters of plaintext for each one.

"On all of our sites, we will be introducing several new features to our
commenting system to acknowledge the reality that we have lost the
commenters' trust and don't deserve it back," he wrote. "We should not
be in the business of collecting and storing personal information, and
our objective is to migrate our platform away from any personal data
dependencies (like email & password). ®


Best Regards
Onn Chee

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/mailman/private/owasp-singapore/attachments/20101218/ab50a8ae/attachment.html 

More information about the Owasp-singapore mailing list