
Gnosis: Inside the Hacking Group That Broke Gawker Media

As Gawker Media users scramble to change their passwords in the wake of a massive security breach, members of Gnosis say they’re not planning any more big hacks—but their power has increased exponentially, says Brian Ries.


Members of the hacking group Gnosis are quick to point out they’re not all that malicious.

This in spite of their recent successes hacking into the websites at Gawker Media—which include Gawker, Jezebel, and Gizmodo—where they stole source code and confidential commenter login information and promptly posted the text document on the file-sharing site The Pirate Bay. Millions of people were affected, as anyone with a Gawker account raced to change their passwords across the web.

But really, Gnosis is not malicious at all—just computer geeks out fighting for the sake of knowledge, security, or something like that.


The background information on the group is admittedly scarce. A member tells me its members live in a world of Don’t Ask, Don’t Tell, where identities are kept under wraps, locations aren’t disclosed, and all that members know of each other are the personalities and skills that they see in the chat rooms.

Gnosis was never really “founded,” per se, but forged over time among a group of people who became friends talking over code. For much of this year, they used public-facing IRC chat rooms to communicate, and only in recent weeks did they switch off the public servers in favor of a more private mode of communication.

Since July, as they incubated and increased their focus, the members of Gnosis had kept themselves occupied on various projects, occasionally pulling pranks on fellow hackers and rival groups.

This was confirmed by a mysterious—and anonymous—Twitter user who contacted me via direct message from the username @fuck_it_all_ late Monday night. “I have sort of a vendetta on these guys,” he wrote me, while providing an encrypted file that detailed some of the suspected usernames, locations, real names, and jobs of a handful of the Gnosis members.

“Be sure to forward the appropriate info to authorities as well,” he wrote. “Who are you?” I asked. The reply: “No one.” Of course. Anonymity is the name of the game.

Gnosis is internationally based—from the U.K. to V.A., USA. Each member brings a range of talents and skills to the collective brain trust. Some are activist types, others simply coders. The 13-member collective is “hand-picked based on their skills and personality,” they disclosed in an interview with the U.K. tech site The Next Web, and exists completely decentralized with no leader.

This shows in interviews and public statements, as some members speak of punishing Gawker for its “sheer arrogance,” while others say they “have nothing against them.” I was told on Tuesday that one member regretted leaking the information before alerting Gawker to the original security breach.

A fraction of the members have a side gig. At least two are allegedly involved in a blackhat hacker group dedicated purely to the “extermination” of whitehat hackers, a sort of bad guys versus good guys battle that plays out daily on the Internet. In the encrypted file sent to me over Twitter, a newsletter/attack log detailed various hacking missions against security firms guilty of various crimes against the hacker culture.

Members here talk openly of “whitehat scum,” the security industry’s inability “to secure their own systems,” and their enjoyment going “deep into enemy territory to sabotage and dismantle these whitehat circle jerks.” These newsletters are filled with ascii—character-encoded images of Homer Simpson, computer screens, and a Ninja Star-throwing cat.

But those were all fun and games until now. The Gawker hack was their first big coup as a group. They had been at it for a month. As the news broke and Gawker Media was scrambling to patch the holes, Gnosis sat quietly, “Gawking at the media response,” according to one involved in the aftermath.

In the wide-ranging interview published Monday afternoon, three members of the group, identified as I, N, and T, told TNW reporter Matt Brian that they acted with Gawker commenters’ best interests in mind when posting the 1.5 million usernames online.

“To be honest,” Hacker I explained, “they would rather it was us, than some Russian spammer who would sell their databases, or use them for more malicious uses.” It was the safest path to exposing Gawker’s security vulnerability, the hackers said, despite the damage done to those “caught in the ‘crossfire.’”

To be sure, it’s because of this crossfire that Tuesday on the Internet will forever be known as The Day We Changed Our Passwords. I, for one, have been using the same string of letters, numbers, and an “!” since I was 14 years old, having pulled the phrase straight off my parents’ promotional mouse pad. Judging by the top 50 passwords used, others had been, too.

So by hacking into Gawker’s site and exposing us for the lazy password-generators we are, Gnosis not only unveiled a major vulnerability at a popular media company, but a flaw in the way we all use the Internet today.

In a conversation Tuesday afternoon, I asked if the Gawker hack was related in part to the recent surge in hacker-related activities, perhaps an awakening empowered by WikiLeaks’ pseudo-army of script kiddies. The answer came back no, not really.

“I don’t think it is an awakening as such, it is simply circumstance,” the Gnosis hacker explained. “These kinds of attacks happen every day, and I think it is pure circumstance that several high-profile ones happened in fast succession.”

“It simply brings what is normally quiet background noise into the forefront of people’s attention.”

As for the future, Gnosis had only planned to swing back by Gawker’s servers in a few months’ time, after giving Nick Denton & Co. time to regroup and reload their security. Nobody else should feel too threatened that Gnosis is out digging around. Speaking to TNW, one member mentioned having “a few pokers” out, but others said they won’t be conducting any attacks “like we have this time.”

But that’s just the thing. Their autonomy means one user could dig up a vulnerability at some major site and simply light up the Bat Signal—and Gnosis would join.

“If a member wants to investigate, or a group of members such as with Gawker, then he or she can do, it's at their discretion,” one of the Gnosis members explained.

“We try to keep our ears open. We sometimes hear that a big site is vulnerable and we take a look, and everyone is fair game on the Internet, in my opinion.”

What Gnosis is saying is, “We’re not your next iteration of Anonymous, out to DDoS and destroy, but we’ll be watching.” Their message to IT admins at consumer-facing sites? Keep your servers locked, your passwords encrypted, and your exploits under wraps.

And with a core ideology that involves the hunt for knowledge, their key takeaway from all of this is a concept as simple as “insight.” Gnosis now understands how a large website such as Gawker functions.

This knowledge they’ve now gleaned means potential power down the road—and power is the underlying force in the ever-expanding battlefield over information playing out online.

Brian Ries is tech and social media editor at The Daily Beast. He lives in Brooklyn.
