By on December 13, 2010


We know there’s more than a little overlap between TTAC and Jalopnik, the Gawker Media empire’s car blog, so we’d like to remind our readers who do have a commenting account at Jalopnik to change their password (since Gawker was apparently too “in shock” to warn users earlier). Gawker Media was attacked by a group of hackers known as Gnosis, and at least 200,000 Gawker user accounts have been hacked, exposing commenters’ login information and allowing some Twitter accounts to be taken over and used to send spam messages. The attack on Gawker was reportedly a response to the blog pioneer’s “outright arrogance,” and some have speculated that it was related to Gawker’s antagonism of the famed hacker hangout 4chan; we reckon that Lotus was somehow behind it. To find out if your account has been compromised, surf over to Gawkercheck.com, or simply change your password at Jalopnik or any other Gawker Media site. Or, you could just delete your account and become a regular here at TTAC instead. Just saying…


45 Comments on “PSA: Don’t Forget To Change Your Jalopnik Password...”


  • ash78

    Not only was mine hacked, but that site is also blocked at my job, so I can’t even fix it. Hopefully I don’t have the same login data at too many sites…

    EDIT: I was a regular here well before Jalopnik (~4-5 years ago), and am now a regular once again–thanks to the blockage and the hacking. It also helps that the front page isn’t covered with Death Watch editorials anymore. No offense to RF, but my eyes started to glaze over around installment #100…

    • Robert.Walter

      Loved Death Watch … gave me ammunition every day to keep in mind and in the mind of management, that Carmageddon was coming and that we could position against/for it… Lazy old Auto News could only report on what the OEM’s press-releases said…

    • ash78

      Death Watch was a wonderful novelty and I enjoyed reading it, but most of them eventually got down to way too much business mumbo-jumbo and detail (IMHO). It began to define the site a little too much, at the expense of actual car reviews and other editorials like we have now.

    • FTGDWolverineEdition'10

      Hah! I knew you were hanging around here! To be honest, I love both TTAC and Jalopnik; each of them has its own different, refreshing perspective on things, and they complement each other. They are definitely more “out” there, and stand out from the other auto sheeple blogs. Sure, the overlords at Jalopnik have been trying to tone down the site a bit, but whenever they cross the line, there is a big pushback from the commenters. That’s what I love about it. As much as Mr. Denton would love to mainstream it a bit more, he can’t escape the fact that the commenters and the interaction with the editors is what makes it tick. If I just want some auto news, I will go to any one of the million websites out there, thank you.
      I categorize TTAC and Jalopnik in the same class as Top Gear, it’s not all just boring plain old car facts, it’s more than that, it’s entertainment.

  • PeriSoft

    You can’t delete accounts at any Gawker sites right now. There’s “a problem”. Uh huh.
     
    I use the same L/P for a few sites, but only ones that don’t really matter (sorry, TTAC; you’re not as important as my bank). Still, I’d rather not have myself posting ads for Acai Berry on TTAC and my home theater forum, so… *rolls eyes*
     
    It’s kind of funny that they make you have such strong passwords on, say, student loan sites. What’s someone going to do – hack my account and pay off my balance?

  • photog02

    Thanks for the timely update- I was doing my darnedest to ignore that giant red bar at the top of Jalopnik that said “Important: Gawker Commenting Accounts Compromised, Change Your Passwords” since yesterday afternoon.

    •

      This post was a service for folks who might have a Jalopnik account but no longer visit the site as regularly as they used to… our research indicates this may be a growing demographic. Either way, we definitely weren’t trying to make news with this, just trying to help our readers stay spam-free.

    • postjosh

      “who might have a Jalopnik account but no longer visit the site as regularly as they used to… our research indicates this may be a growing demographic”
      And this would be because of a defection of a certain ex-Californian blogger who now resides in Colorado?

    •

      Case in point: me. I have a Jalopnik account, but stopped visiting there a couple months ago. I recently started reading TTAC. I would not have known about that, and thus would’ve had a compromised account were it not for this notice.

    • M 1

      I bailed on Jalop shortly after they turned into Son of Autoblog.
       
      Interestingly, I received an e-mail (which I found in my spam folder) from a group who took it upon themselves to e-mail everyone on the compromised list to warn them about the hack — something which Gawker themselves still haven’t done.

  •

    Protip: never use the same password for any two accounts. dd if=/dev/urandom bs=16 count=1| od -x is one easy way to make them. The downside of this is management, e.g. my password store has 288 entries but protected with only one PGP pass-phrase. But it basically is down to what attack vector you think is most dangerous.

    • psarhjinian

      if=/dev/urandom bs=16 count=1| od -x is one easy way to make them

      Well, yes, except that’s 37 keypresses for a 16-char result.  :)

      I’m starting to agree with the supposition that passwords are a bad thing and that federated and/or PKI-based systems would be better.  I had the privilege of participating in a demo of a smart-card based ID system for a while that federated all logins (internal, of course) and it was a warm bath for the brain: no remembering passwords, no forms, and if you terminate someone or a card is compromised all you need to kill is the card record and all the federated accesses die with it.

      It still brings a tear to my eye to think about it.

      I see the point that such a system gives you a single point of attack, but is it much worse to attack a best-of-breed PKI-based federated system than to take whacks at hundreds of horribly coded auth systems and/or deal with people who think that adding “1” to the end of their username is highly secure.

    • Robert.Walter

      Psar, I know I’m going off-topic here, but what is your opinion on fingerprint readers?  My mom’s HP came with one using DigitalPersona, and while this is a nice way to be able to log-in, the fact that the DP file contains all u/n and p/w makes me wonder if this is more risky than keeping a list on a piece of paper somewhere … any suggestions of a simple yet secure way (i.e. best practice) for a home user to keep track of all pw and un ?  Thanks for any suggestions.

    • PeriSoft

      dd if=/dev/urandom bs=16 count=1| od -x is one easy way to make them

      When people ask why Linux isn’t big on the desktop, the fact that Linux people post things like this on non-tech forums is a quintessential case in point.

    • psarhjinian

      @Robert: I’m unsure about them, but that’s more professional conservatism than anything else.
       
      The technology is sound (assuming they leverage hardware TPM), and they can encourage security best practice because they help facilitate the use of quite complex and difficult passwords without the burden of memorizing them. This is a good thing, because weak passwords are a concern, and online systems like OpenID or Passport give me the willies still. They also encourage users to not know their own passwords, which is even better as they can’t be coerced into disclosing them, either by trickery or force.
       
      The problem, and it’s more of a theoretical one, is that you have to trust that the TPM system hasn’t been compromised by the vendor.  Not because you can’t trust the vendor, but because someone else could leverage that flaw and harvest all sorts of information.
       
      But if you asked me what I trust more: the sanctity of TPM versus the ability of your average user to come up with and secure passwords, I’d choose the former.
       
      My only serious complaint is that the systems aren’t truly, seamlessly federated: they rely on add-on software that can have its own problems (e.g., you upgrade your browser or apply your service pack and suddenly the system can’t recall your passwords, or the passwords are stored in such a way that you can destroy them or render them unreadable). That’s where I would see a home user getting bit, whereas corporate implementations have PKI infrastructure to handle that kind of thing. Again, though, it’s still a net gain.
       

  •

    I’m reposting my comment from Jalopnik and Gizmodo (where I have a star) since it may disappear.
    “What is being done about the contemptuous pricks in charge who see the users of your site(s) as ‘unimportant’ and ‘peasants?’

    Data breaches happen, and hopefully more attention is being paid to site security and keeping things safe and updated.

    But when people whose jobs depend on the eyeballs of the sites’ loyal reader base hold the users of their site in such little regard, then I feel there need to be SERIOUS changes in leadership from the top down.

    You are lucky to have us here. And not allowing people to cancel/delete their accounts after they’ve lost their trust in you DOES NOT show the slightest remorse on your part. So you are going to lose our passwords and email addresses, THEN hold our accounts HOSTAGE by not allowing their deletion for those who want to leave?

    This comment may lose me my star, or get me banned outright, as well as disappear. So read it while you can, commenters. Thank you.”

    • ash78

      I’m with you….I’ve been commenting there for a LONG time (starred at Jalopnik for 2+ years), and over time their readership has begun to rely more and more on the commenters themselves. This shows a lack of respect for the million+ people who effectively act as unpaid interns for their content. This is directed not just at Gawker, but for any site who opens themselves up to reader commentary.
       
      I’ve always had a hard time reconciling some of the very high quality editors on some of the sub-sites with the overall powers-that-be in the Gawker empire. Seems like a philosophical mismatch in the name of greed, at times.

    • Sam Smith

      “I’ve always had a hard time reconciling some of the very high quality editors on some of the sub-sites with the overall powers-that-be in the Gawker empire.”

      Sadly, this is a common complaint.

       

  • grzydj

    You can’t actually delete a Gawker account, but they’re apparently working on that.

    • DeadInSideInc

      Not soon enough. I’m bailing, star and all, when I can.

    • M 1

      Deleting your account at Gawker won’t change the fact that your e-mail address and password are still floating around in that half-gig data file. The real risk is people who use the same password in multiple places.
       
      You may realize this, but others may not, given the wide variance in tech-savvy among Web users these days. I’m just trying to clearly make the point that whether you have an account at Gawker or not NOW, after the fact, is irrelevant in terms of your exposure risk.

  •

    Ed, we appreciate your help in spreading the word to all nine of our site’s 22,503 commenters who came over from your post to change their passwords.

    •

      Cool story, Bro.
      Keep counting those numbers and we’ll keep… you know… blogging about cars.
       

    • DeadInSideInc

      As the Edward said above:
      “This post was a service for folks who might have a Jalopnik account but no longer visit the site as regularly as they used to… our research indicates this may be a growing demographic…”

      Hi Ray, I’m part of that demo. The ‘automotive’ content has declined perceptibly of late and the loathsome children in the comments have kept me away.
      I would recommend re-doing the commenting guidelines – seems like an appropriate time – and having Spinelli revisit the manifesto.

    •

      @Carson Daly: Sweet. You should put another one up your count!
      -I mean, up your cuont with 10 commenters.
       
      +++You were AWESOME on “Last Call” on NBC! -squeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee!!!

    • Robert.Walter

      Maybe there was a bit of schadenfreude in Ed’s PSA post, but the tone of Mr. Wert’s comment seems to have given post-facto justification to this. That is, of course, unless Mr. Wert just happened to forget to throw a clarifying emoticon, e.g. ;O) into a comment given in the name of good-natured, and friendly, rivalry…

    •

      @Robert.Walter — no, I literally counted how many people came in from this post. And at the time I wrote it — it was nine people. Now, almost 18 hours later — it’s up to 18.
      I was merely curious about Eddie’s “more than a little overlap” comment — and what evidence he was using to back it up.

  •

    Jalopnik sucks

  • Jimal

    This all comes down to how much of your personal information you allow online and the drawbacks of having a unified life on the internets. I have a Jalopnik account, a TTAC account, accounts on other sites and an account on the facebook. None of them will ever see each other precisely for these security reasons.

  • Martin Woodman

    Oh! This has reminded me of something: sometimes I appear to be logged in to TTAC under someone else’s username just by opening an article. I don’t know under which circumstances this happens or what causes it, but I think someone from the site should look into it.

  • ajla

    The attack on Gawker was reportedly a response to the blog pioneer’s “outright arrogance”…
     
    Yea, I can see that.

    Just check out Wert’s response up above…

    •

      That wasn’t arrogance. That was the actual number of visitors we brought in off the post. 18 hours later, it’s doubled.
       
      As I said above, I was curious where Ed was getting his justification for stating there’s “more than a little overlap” in our readership.
       
      18 people is more what you’d call a “little overlap.”

    •

      Ray: make it 19, but I didn’t use the link from here, I just opened a new browser. Don’t have too much faith in traffic to/from posts. For better or worse, I never have.

  •

    I have a star @ Jalopnik, it may have even been given by Wert himself. I like the site and I wish Ray and his crew well. I’ve made it clear to Ray that I think being associated with Gawker may drive traffic to their site but it’s not the kind of traffic they necessarily want. Murilee has said on the LeMons forum that Gawker wants their sites to be whores to unique visitors (well, Murilee put it a different way), that there was a lot of pressure to create stories that draw new, as opposed to existing, viewers.
    Gawker also recently announced a company-wide redesign. All stories will be graphics or video driven. Apparently all those unique visitors have short attention spans, so you have to grab them with flashy graphics and pretty pictures. I don’t have any objection to cool graphics; all those car magazines that I used to love sure had some purty pikshurs. As a matter of fact, I’m currently working on an idea for a car website that would have graphics as a primary draw. The times and the technologies are ripe. I just think that the way Gawker is implementing them is more tabloidish than setrightish.
    These pressures will make Jalopnik more attractive to a general audience but less attractive to auto enthusiasts.
    Also, Gawker recently got slapped down by Sarah Palin’s publisher after Denton ran a story that had facsimile reproduction of 12 (or 21, I’ve seen both numbers) full pages of her then yet to be published book. Not only was that a gross violation of the concept of fair use (and the judge agreed), as I told Ray Wert, I think it would particularly damage Jalopnik. To do automotive writing well you sometimes can’t tell the full truth, or sometimes you have to delay that truth. By that I mean that you sometimes get told things “off the record” or are asked to not photograph a proprietary device, or you are asked to honor a press embargo on a new product announcement. Publishing another publisher’s works before publication takes violating a press embargo to a new level.
    All this bodes badly for Jalopnik. For all of VS’ flaws, they leave us alone. We can say whatever we want and as long as Ed and you guys like it, we’ll keep writing this stuff. TTAC has become arguably the most influential automotive publication on the web, in great part because the B&B are not ironically named. We have so few idiots posting comments here compared to the AOL ported Autoblog, and Jalop is just a tad too hoontastic to be taken completely seriously.

  • Geeky1

    Since, in light of this incident, I’m not going to be commenting (or visiting) over there again, I’m going to go ahead and express my disgust here.
     
    This whole incident was mishandled from the beginning, and it’s very clear that the people running Gawker really don’t give a shit about their users. From their classifying us as “unimportant (…) peasants” ( http://static01.mediaite.com/med/wp-content/uploads/2010/12/GawkerBIG.png ) to the fact that the hackers apparently had access to the servers for at least a month before they determined what was going on, to the length of time it took them to let us “unimportant peasants” know about the data breach, everything about this situation indicates that they don’t value their source of revenue at all.
     
    They were using DES encryption for their users’ passwords, a standard that’s going on 40 years old and which was cracked in freaking 1998. Especially now that the hackers have made all of the data they obtained publicly available, it’s not a matter of if your Jalopnik password will be cracked, it’s a matter of when. With the processing power available in modern computers, an individual’s e-mail and associated password can be decrypted in a matter of hours, if not minutes or seconds. And, as if that weren’t enough, these idiots apparently didn’t even store any input beyond the 8th character; i.e. your password on Jalopnik could have been “supercalifragilisticexpialidocious”, but all you would have had to type to log in is “supercal” because the remaining 26 characters were just discarded. Furthermore, their servers were on Linux kernels that were years out of date. You can argue back and forth about Linux vs. Windows security in a server environment all day long if you really want to, but Linux has security holes of its own (as evidenced by this attack), and running kernel versions that far out of date on anything interacting with the internet can only be considered moronic.
     
    I mean, I thought that I was a lazy sysadmin because I forget my weekly backups sometimes, but judging by this event the Gawker IT department evidently spends all of their time at work eating Cheetos and watching porn. There’s no excuse for security this lax on a major website.
     
    And in spite of having outdated, half-assed security systems, these idiots went out and antagonized 4chan and the hacking community in general. Essentially they were playing Russian roulette with their users’ data (and their own, apparently) with a semiautomatic.
     
    Gawker can go to hell.
     
    Additional reading for those that care: http://blogs.forbes.com/firewall/2010/12/13/the-lessons-of-gawkers-security-mess/

  •

    Ed, we appreciate your help in spreading the word to all nine of our site’s 22,503 commenters who came over from your post to change their passwords. – Ray Wert

    Ray, my fellow MOT, since you’re obviously following this thread, I’d like to point out to you that there is at least a little irony in your comments on this thread. I suppose you meant to show how puny our readership is compared to the mighty giant that is Jalopnik (<-alliteration with different consonants… and you didn’t even think I was worthy of a rejection when I asked about replacing Ben on the Detroit beat, harrumph!). But you’re here, aren’t you Ray? In an as yet unpublished piece I point out that TTAC is widely read within the automotive media itself and that while some think we’re nuts, a larger group of influential people read us. I’d mention names but I don’t like pissing contests. Suffice it to say that the head editor of Jalopnik reads TTAC. One of our main competitors thinks we’re worthy of his comments.

    Do we really need more of an endorsement than that?

    • Robert.Walter

      Seems everybody benchmarks the competition … after all, unless all Ed knows vis a vis Jalopnik is coming from a flock of friendly birdies, I’d say that Ed also knows his way around Wert’s site as well…

    •

      Not to belittle TTAC, as I have read the site fairly frequently, but I actually found the post because I have a Google Alert set up for “Jalopnik.”
       
      Also, I don’t really think we’re TTAC competitors. I think Autoblog’s industry-obsessive content is likely closer in content level to TTAC — even if the style is different.

  •

    Ed, we appreciate your help in spreading the word to all nine of our site’s 22,503 commenters who came over from your post to change their passwords.
    TTAC’s server says that yesterday, gawkercheck.com was the most clicked outgoing link on TTAC. Today, it trails in the #2 position behind pontiacsonline.com. And that’s only because someone is ruining all the fun at Curbside Classic Clues.

    •

      So there were what, 22 people who clicked to pontiacsonline.com?

    •

      To Ray: I don’t think you have access to the access logs of and referrers to gawkercheck.com, so you can only form a highly uneducated opinion.
      To all: While changing your password to any of the Gawker sites is good advice, here is better advice. If you are one of the many who use the same email and password for multiple sites (and don’t we all sometimes do that?), you should immediately change your login information to those other sites. Like now.
      Your account data is often stored and accessible. You can be impersonated and used for nefarious purposes. If you are one of the many of us who log into other sites with the same email and password and who then forget where they logged in, then you are in deep doodoo.
      Gawker stores the passwords in encrypted form (as any responsible site should do) but their encryption did not hold up to a simple cracking tool, as described here. To make a long story short, many if not most email/password combinations used on all the Gawker sites are there for the world to see.
      Use something like gawkercheck.com or didigetgawkered.com to check whether you are on the list of compromised Gawker data.
      Techie part:
      Even the toughest encryption cannot protect you if you use a simple password like “Swordfish”. The way this works is when you sign on, your password gets converted to encrypted data, called a “hash”, and is stored. A hash cannot be decrypted (at least it should not). But the same password always creates the same hash. That’s how you are being let in when you log in the next time. Knowing that, a cracker compiles a wordlist and converts the list to hashes. Once the hashes are created, the cracker compares the stored data with the hashes in the compromised data, and bingo, there are the passwords. That’s why they tell you to use at least a number or special character in your password. Even that is not foolproof. The best password is a totally random word, upper and lower case, with numbers, something like d65Gh234hJSF. The next best is to remember one sentence, like “I want to have sex with two girls” and then turn that into Iwth6w2g. But then again, don’t use the same sentence for many sites. Why? Some sites I knew WANTED to know your password in cleartext and patched the software so that the cleartext password was stored with the hash …
       
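The hashing and wordlist mechanics the comment above describes, worked through as an added example (not code from TTAC, Gawker or the commenter). It contrasts the unsalted, fast hash the comment assumes with a salted, slow hash; PBKDF2 from Python's hashlib is an assumption made here for that contrast, and the wordlist and user records are constructed sample data.

```python
"""Worked illustration of the 'Techie part' above: the same password always
gives the same hash, so a wordlist hashed once can be matched against every
leaked record of an unsalted scheme; a per-user salt plus a slow KDF forces
the work to be redone per record, and a random password is in no wordlist.
Added example, not TTAC's or Gawker's code; wordlist and records are
constructed sample data, and PBKDF2 is an assumed stand-in for a slow hash."""
import hashlib
import hmac
import os

# Constructed stand-in for the multi-million-entry lists crackers really use.
WORDLIST = ["password", "123456", "swordfish", "jalopnik", "letmein"]
ITERATIONS = 50_000  # PBKDF2 work factor; real deployments tune this upward


def unsalted_hash(password):
    """Fast, unsalted hash: identical input, identical digest, for every user."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup_table(words):
    """Hash the wordlist once; the same table is reused against every record."""
    return {unsalted_hash(w): w for w in words}


def match_unsalted(stored_hash, table):
    """One dictionary lookup per leaked record; None if not in the wordlist."""
    return table.get(stored_hash)


def salted_hash(password, salt, iterations=ITERATIONS):
    """Per-user salt and a slow KDF: same password, different salt, different digest."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_record(password):
    """What a site should store: a random salt and the derived hash, never the password."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": salted_hash(password, salt)}


def verify(record, password):
    """Login check; constant-time compare so timing does not leak the digest."""
    return hmac.compare_digest(salted_hash(password, record["salt"]), record["hash"])


def guess_salted(record, words):
    """With salting, every record needs its own pass over the wordlist and each
    guess costs ITERATIONS hash calls; a wordlist password still falls, though."""
    for w in words:
        if verify(record, w):
            return w
    return None


def demo():
    """Returns the observations the comment makes, so the reader can check them."""
    table = build_lookup_table(WORDLIST)
    leaked_unsalted = unsalted_hash("swordfish")
    rec_a = make_record("swordfish")
    rec_b = make_record("swordfish")
    rec_random = make_record("d65Gh234hJSF")  # the random style the comment recommends
    return {
        "unsalted_recovered": match_unsalted(leaked_unsalted, table),
        "same_password_same_salted_hash": rec_a["hash"] == rec_b["hash"],
        "salted_in_precomputed_table": match_unsalted(rec_a["hash"].hex(), table),
        "salted_wordlist_guess": guess_salted(rec_a, WORDLIST),
        "random_wordlist_guess": guess_salted(rec_random, WORDLIST),
        "login_ok": verify(rec_a, "swordfish"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The takeaway matches the comment: salting and a slow hash buy time per record, but only a password absent from every wordlist stays out of reach.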

  • ash78

    Settle down, guys….I remember when these two sites were more complementary of each other (that’s complementary with an “e” and maybe sometimes with an “i”).
     
    Jalopnik has gotten more off-beat, while TTAC has gotten VERY businessy. That divergence has been good, IMHO, and that’s why they’re the only two general auto sites I visit (well, at least until work blacklisted Jalopnik a few days ago. I guess I was spending too much time there…lol)
