Schadenfreude

Thursday, August 20th, 2015

In case you aren’t familiar with the term, “schadenfreude” is a German word for enjoying others’ misery. I think it fits the release of Ashley Madison customer data this week.

So what should we make of this compromise and disclosure? I think there are at least two subject areas – technical/security and sociological/moral.

Technical

As has been pointed out before, this looks very much like an inside job. It just screams for better internal controls, including Privileged Access Management, data loss prevention and plain old employee and contractor screening. It’s quite possible that, despite lots of claims about motivation, this is the work of a disgruntled employee or contractor.

It’s also interesting to see what the operators of the site — Avid Life Media — got right and wrong:

  • Right:
    • Strong encryption of customer passwords (blowfish plus hash).
  • Wrong:
    • No privileged access management.
    • Retained excessive customer data, including physical location (GPS coordinates, presumably from the smartphone app), phone number, personal e-mail address, security question/answer in plaintext, and detailed credit card data, including mailing address.
    • Failed to delete this data, even when paid to do so.

Sociological

This discussion is just beginning, and will no doubt continue for a long time. A few observations:

  • Despite best efforts by the AM legal team, the data is out in the wild. They got it removed from a few web sites, but it’s on BitTorrent where content is essentially un-removable and un-deletable. Get over it – the data is permanently public.
  • The data appears to be quite authentic. Some had thought (hoped?) that the data may be fake – but that’s just not so.
  • The volume of data is huge – about 32,000,000 customer records.
  • It’s mostly men. Really – there aren’t many women on this site. It’s a lot of men, chasing after a few women. A completely one-sided seller’s market for women.
  • It will be interesting to see if someone can figure out how many of the profiles are real people, and how many are bogus data injected by the company. I suspect a significant number of fake or duplicate profiles, because the numbers just beggar belief. For example, there appear to be over 100,000 profiles in Calgary, where I live. There are just over a million people here, and I don’t believe that 1 in 10 are trying to cheat on their spouse. The data are mostly men, so that’s really 1 in 5 males. If you subtract children, the elderly and single people, it probably reduces to 1/3 or 1/2 of adult males in relationships, and no matter how low your view of humanity, that’s just not believable. But that’s the data, so the data is obviously lying.
  • This is a treasure trove of data for various purposes. For example, someone has already published a heat map of where the users (real or fake) are and whether they are overwhelmingly male (>85%) or merely majority male (<85%).
  • This will be a bonanza for divorce lawyers. Not as big as everyone assumes, however, as there are certainly many users on the site who are not endangering an existing relationship:
    • Fake or duplicate users, as mentioned above.
    • I know at least one person who has a profile on the site that he set up while single – he was just using it as a normal dating site. I bet there are lots of these.
    • There are probably many users on the site for whom the excuse “I was just curious” is actually true – they were curious about the market or looking for their current partner, to see if that person was on the site.
    • Another person I know pointed out that sex workers use this and similar sites, so there are likely thousands of those.
  • As always happens with disclosure of sexual behaviour that is widely considered to be immoral, public figures, especially those who spout socially conservative views, will be shamed. I’m not too sure what “family values” are other than a code word for social conservatism, but apparently someone who pushes that as a political cause has already been caught with his pants (literally?) down: some idiot public figure called Josh Duggar.
  • I bet the security establishment in many countries is looking at this data, as it provides leverage for foreign governments against their own people, in sensitive positions. I would expect employees to be fired or shuffled to less sensitive positions as a result.
  • Employers may cross check employees or candidates against this data set, as an (unethical and almost certainly illegal) test of character.
  • I fear that physical harm may come to some people whose data was disclosed, including sex workers and people with overzealous partners.

I’m sure there’s more.

The big lesson, as always, is to assume that privacy is a chimera. If there is something you don’t want to share with the world, don’t upload it to some web site!