Tuesday, May 3, 2016

32 Million people signed up for a cheating web site?

Since their widely publicized breach, Ashley Madison claims they have added 4 million subscribers. Let's think about this logically. If all the news is bad, that simply can't happen. And trust me the news is bad. Some of the key points in this sordid story are below, but first there are a two perceptions I want to explore:

The first perception is that it is going to stay secret if you give your credit card details, (and they are starting to crack down on gift cards if that is plan B), to an infidelity web site. To a security guy like me, reading about breaches daily, the reality is that not being outed is almost impossible. But somehow the customers believed. Could the famous picture be part of the cause? 

CNN Money reports: Ashley Madison also had offered a "full delete" service that would permanently remove their names from the database if they paid the company to do so. But those names remained on the company's servers and were revealed by the hackers. If it is on the Internet, it is out of your control forever. Forty two former Madisonites joined a class action suit, they hoped they could be John Does, but they are going to have to give out their names. They're suing Ashley Madison for lacking the proper safeguards to protect them from a massive hack that revealed the personal information of more than 32 million customers. Ashley Madison had advertised that its systems were secure and its customers would remain anonymous.


The second is the Fembot , or virtual "girlfriend" aspect. I think we are going to see more and more of this as AI develops. Gizmodo probably studied this more than anyone else: The developers at Ashley Madison created their first artificial woman sometime in early 2002. Her nickname was Sensuous Kitten, and she is listed as the tenth member of Ashley Madison in the company’s leaked user database. On her profile, she announces: “I’m having trouble with my computer ... send a message!”"

It is already starting, for example with a videogame, Huffington PostThere are players who consider LovePlus' three girlfriends -- Rinko, Nene and Manaka -- far better company than any "IRL" lover. And the players can shape their ideal companion with a few taps on the console: The women can be programmed, with their moods and personalities adjusted to suit the desires of the player.

There is also Kari. Expansions include alternate voices and expansion packs, (different names and personalities). Google is experimenting with feeding romance novels to one of their AI platforms. This is interesting because females outnumber males in romance novels; this could lead to a personality that appeals to women. 

This is my original Ashely Madison Post on Linkedin:

The Christian Post reports "From 2010 to 2013, the cheating website's revenue growth was steadily decreasing, but the company suddenly reported a 50 percent increase in 2014. It is worth noting that the firm did not provide any explanation for the sudden surge in revenue. The trail of evidence seems to say that the company is simply lying about a lot of things, the report suggests."


It has been widely reported those sexy women were often fembots, Gizmodo has studied the code and done a number of analyses "To the Ashley Madison “guest,” or non-paying member, it would appear that he was being personally contacted by eager women. But if he wanted to read or respond to their messages, he would have to shell out for a package of Ashley Madison credits, which range in price from $60 to $290. Each subsequent message and chat cost the man credits. As documents from company e-mails now reveal, 80 percent of first purchases on Ashley Madison were a result of a man trying to contact a bot, or reading a message from one."

The problem is, Ashley Madison is at the top of the news. . . bad news.
They have just done one thing that has to be done in such a situation, they canned the CEO. The Washington Post has done a well balanced job of telling that story. The Verge also carries the story with a priceless photo.

Then there is the bounty. You knew you were not secure with a website whose breach will probably cost more than a few marriages and relationships. And human life. And you offer a bounty of $379k? The fanciest car I drive is a Mustang GT 5.0, but I will bet you there are cars that cost over $400k. Ashley, surely you have heard the famous expression, "go big or go home".

And now there is the analysis of the exfiltrated data. Plain text passwords, I can feel my skin crawling just to think of it. And an almost all guy eco system. It is going to take me a long time to wrap my brain around the fact that not one or two deviants, but lot's of guys created fake girl profiles.
My prediction is they are too deep in a dive to pull out. With apologies to the movie Wag the Dog, it would take a war to distract the media. I am keeping notes, maybe this whole story will be good for a paper, or a management of incident response scenario.

 The Seattle Times posts a very touching, heartbreaking, story, an Elegy for John  Gibson, whose name was on "the list" and took his life. An elegy is a lament for the dead. The Inquisitr reports "Pastor and Seminary Professor John Gibson of New Orleans Baptist Theological Seminary, who took his own life when the news became public to his wife and two children."

Brian Krebs reports a cease and desist letter claiming defamation. You can see a copy of the letter here. I am no legal authority, but the way I read the letter is that they are objecting to the term "hacked" being used to describe Mr. Bhatia's actions. I surely do not know what happened, but if this line from Bhatia's email proves to be true, “Also, I can turn any non paying user into a paying user, vice versa, compose messages between users, check unread stats, etc.”, it isn't far from any definition of hacking that I know.

In my copious spare time I am working on the evening program for SANS Boston 2016, Aug 1 - 7. In one sense, this could be a great panel, but the problem is, by then it will be a dated example. Perhaps a timeless theme: Life is short, help someone

No comments:

Post a Comment