[Owasp-singapore] Gawker tech boss admits site security was crap
Wong Onn Chee
ocwong at usa.net
Sat Dec 18 06:01:51 EST 2010
So are we still going to let insecure code go live?
"Having looked at the Gawker PHP source, I'm shocked it hasn't happened
sooner," Mike Bailey, who specializes in web-application security, said
in a Twitter message <https://twitter.com/#%21/mckt_/status/14187457570414592>.
"Test code all over the place, bugs galore."
"Gonna go ahead and make a prediction: Nothing short of a full site
rewrite is going to keep Gawker online at this point," he said in
another message <https://twitter.com/#%21/mckt_/status/14188068114268160>.
Another amateur goof was the use of DES, or Data Encryption Standard, to
protect some 1.5 million account passwords despite long-known weaknesses
in the hashing algorithm. As a result, the attackers were able to
retrieve the first eight characters of plaintext for each one.
"On all of our sites, we will be introducing several new features to our
commenting system to acknowledge the reality that we have lost the
commenters' trust and don't deserve it back," he wrote. "We should not
be in the business of collecting and storing personal information, and
our objective is to migrate our platform away from any personal data
dependencies (like email & password)." ®
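The DES finding above is the kind of thing a password-store audit catches before an incident. As an added example (not code from this post, from Gawker or from The Register), the script below classifies stored hashes by their crypt format, flags legacy DES-crypt entries (which only ever use the first 8 bytes of a password) for re-hashing, and shows a modern salted scrypt record for new storage. The sample rows, the scheme table and the "scrypt$salt$dk" record layout are assumptions made for this example.

```python
import hashlib
import hmac
import os
import re

# Constructed sample rows (user:hash); the hashes are made-up placeholders, not real data.
SAMPLE_ROWS = [
    "alice:abJnggxhB/yWI",             # 13-char traditional DES crypt
    "bob:$1$8charsal$" + "x" * 22,     # MD5-crypt (also legacy)
    "carol:$6$saltsalt$" + "y" * 86,   # SHA-512 crypt
    "dave:$2b$12$" + "z" * 53,         # bcrypt (uses at most 72 password bytes)
]

DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")       # 2-char salt + 11-char hash
MCF_RE = re.compile(r"^\$([0-9a-z]+)\$")          # modular crypt format id
# id -> (label, password bytes actually used, needs migration?)  (assumed policy)
SCHEMES = {
    "1": ("md5-crypt", None, True),
    "2a": ("bcrypt", 72, False), "2b": ("bcrypt", 72, False), "2y": ("bcrypt", 72, False),
    "5": ("sha256-crypt", None, False),
    "6": ("sha512-crypt", None, False),
}

def classify(stored):
    """Return (scheme, max_bytes_used, needs_migration) for one stored hash."""
    if DES_RE.match(stored):
        return ("des-crypt", 8, True)  # anything past byte 8 is silently ignored
    m = MCF_RE.match(stored)
    if m and m.group(1) in SCHEMES:
        return SCHEMES[m.group(1)]
    return ("unknown", None, True)     # unrecognised formats get reviewed too

def audit(rows):
    """List (user, scheme, max_bytes) for every entry to re-hash at next login."""
    flagged = []
    for row in rows:
        user, stored = row.split(":", 1)
        scheme, max_bytes, legacy = classify(stored)
        if legacy:
            flagged.append((user, scheme, max_bytes))
    return flagged

def hash_password(password, salt=None):
    """Produce an app-specific record 'scrypt$<salt_hex>$<dk_hex>' (layout assumed)."""
    salt = salt or os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return f"scrypt${salt.hex()}${dk.hex()}"

def verify_password(password, record):
    """Recompute the derived key and compare in constant time."""
    _, salt_hex, dk_hex = record.split("$")
    dk = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), n=2**14, r=8, p=1, dklen=32)
    return hmac.compare_digest(dk.hex(), dk_hex)
```

Run `audit(SAMPLE_ROWS)` to see which constructed users would be forced through a re-hash on their next successful login.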