I'm changing my passwords, shouldn't you?
There's something unbelievable about Gawker claiming to be "embarrassed." Considering the amount of raunch and rumor Gawker sites like Gizmodo publish, editors show no signs of being embarrassed by anything they do. Yesterday's hack, which exposed 1.3 million Gawker usernames and passwords and some of the content management system source code, can only be good for churning pageviews. How funny if "embarrassed" turns out to mean ashamed of profiting so much from readers' hardship -- Gawker having an unusually good month of traffic.
The Gawker hack and other mischief and mayhem going on this month should be a warning to everyone on the InterWeb: Nothing is private. Amazon, Facebook or Google mine your private information, while some hacker or insider makes it available for everyone to read, whether on some torrent or even WikiLeaks. There's no such thing as privacy on the Internet, and there never really was. People acknowledge this all the time, then flip on the denial -- "It could never happen to me" -- switch. No doubt, many Betanews commenters speak out elsewhere. If that's Gizmodo, you've been hacked, baby. It's time to change passwords anyplace you use the same one(s) as at Gawker.
The Gawker hack should disturb anyone living in the cloud. Imagine the consequences of your Facebook password being compromised and, through Facebook Connect, unlocking other accounts. Already, the data exposure has led to Twitter account compromises. Then there are Google or Windows Live services. Loss of one password could expose the whole kit and kaboodle. Single sign-on is convenient, as is choosing one or even a couple of passwords to use everywhere. The latter is my habit and something that changes today.
You shouldn't trust anyone to protect your data or identity. You are the best defense. Gawker shows how little you can trust any cloud service, particularly those offering something for free (while likely mining some of your information for profit). Its statement about being hacked:
Our user databases appear to have been compromised. The passwords were encrypted. But simple ones may be vulnerable to a brute-force attack. You should change your Gawker password and on any other sites on which you've used the same passwords. We're deeply embarrassed by this breach. We should not be in the position of relying on the goodwill of the hackers who identified the weakness in our systems. And, yes, the irony is not lost on us.
There's no "appear" about it. Hacker(s) Gnosis has already posted names and passwords. "Encrypted" by what means, if the account information for even Gawker editors and writers was published, too? Perhaps for legal reasons -- can you say lawsuits -- Gawker must cage its statement for protection against future litigation, or even current cases; surely there are some juicy internal Gizmodo communications about the stolen -- eh, lost -- iPhone prototype.
Trust no one. Not even us.
There is something else really important to note here. Fourth quarter 2010 has seen an observable rise in activist hacking, such as denial-of-service and other attacks by WikiLeaks supporters and detractors. Gnosis targeted Gawker for "outright arrogance." That sounds like hacktivism to me, with a message: No one is safe, and that means you and me, bud.
I'm adopting a new password policy today. I thought to write a password primer, and may still, but wanted to open up the topic to discussion first. How do you protect your identity and accounts in the cloud? What would you recommend that others do? Please answer in comments.