Re: Leaked AshleyMadison Emails Suggest Execs Hacked Competi
Posted: Tue Aug 25, 2015 9:22 pm
The Ashley Madison hack - further thoughts on its aftermath
by Per Thorsheim
July 28, 2015
NOTICE: THIS WORK MAY BE PROTECTED BY COPYRIGHT
This weekend, I warned of the serious danger of jumping to the wrong conclusions if the Ashley Madison user database ever becomes public, and how - because the site doesn't properly authenticate email addresses - any such data doesn't prove anything.
I was shocked when Graham told me that my article had been picked up by British newspaper Daily Mirror.
But there have been other developments...
A call from an Ashley Madison user
I woke up sunday morning, and received an SMS in Norwegian, shortly after breakfast. Here is my simple translation:
Since then, I have exchanged many messages with this gentleman, and we have even spoken on the phone.
I don't know his name, but he is in his fifties, has kids and is married. Not long ago, during a hard period in his life, he created an account on the Ashley Madison site.
He says he looked around, and engaged in a little "dirty chat" with some women.
But he never met anyone. He says some people drink or finds other ways to vent their frustrations in life. To him flirting on the Ashley Madison website became a short escape from reality.
He regretted his actions, he told his wife, he was forgiven and life and marriage goes on.
But now he is afraid of the leaked data eventually being released publicly, because his kids, neighbours, colleagues and others may not understand his situation at all.
Stories of suicide
I came across an American news website that published a fake story about a man committing suicide in the aftermath of the Ashley Madison security breach. They even quoted the alleged suicide note which claimed the man's death was a direct consequence of the hack.
Bogus news report of Ashley Madison-related suicide
Why a website, purporting to contain legitimate news, would run a fake story about a man committing suicide after the Ashley Madison breach is beyond my understanding.
What I do know though, is that the press here in my home country of Norway are very careful around use of the word "suicide". There is a danger that if we talk about such personal tragedies in such detail in the press, that others may follow.
What the howling wolves doesn't seem to understand is what they are doing is online bullying. The kind of bullying that clearly can cause such personal tragedies.
"If they are cheating, they deserve it" the wolves reply.
While I totally disagree with that argument, let me add that their kids do not deserve to lose a parent. Their family doesn't deserve to lose a loved one. And that also applies to friends, colleagues, neighbors and others.
If you are found to have bullied somebody into suicide however... I believe you deserve jailtime for that.
Was Ashley Madison extorting money from users?
Many articles - including the one that The Intercept published - have mentioned that Ashley Madison demands money to have accounts deleted, and have described the practice as "extortion".
(I'm pleased to hear that Ashley Madison is now allowing users to delete their accounts for free).
I have my own experiences of what some may consider extortion.
For instance, once, at a nightclub in Berlin, I was given a small card at the entrance. The waiters would cut small marks into the card when I ordered beer and drinks, and when I left the club they counted the marks and gave me the bill.
What would happen if I lost the card? I would have to pay the maximum price before I was allowed to leave. I remember considering that as "a funny way to commit extortion".
Another time, I acquired a free SSL certificate from one of the many certificate authorities out there. Did I read the EULA for that? Of course not! Silly me...
Because if I had I would have seen that I ever wanted or needed to revoke the certificate because my site and certificate became compromised, I would have to pay money to have it revoked. I wonder if The Intercept would consider that extortion as well?
The definition of extortion as far as I can see says that it is a criminal offence. Yet the three examples given above are all still legal as far as I know.
So don't beat Ashley Madison up for asking for money to have accounts deleted - you may not approve of that business practice, but users should really have read the EULA when they created their accounts in the first place.
What Ashley Madison did wrong was to to make it way too easy for people to create fake accounts using other peoples names, pictures and email addresses.
Raise your hand if you always read the EULA before signing up for a service or product, and I'll gift-wrap and send you a stone, so that you can throw the first one.
by Per Thorsheim
July 28, 2015
NOTICE: THIS WORK MAY BE PROTECTED BY COPYRIGHT
YOU ARE REQUIRED TO READ THE COPYRIGHT NOTICE AT THIS LINK BEFORE YOU READ THE FOLLOWING WORK, THAT IS AVAILABLE SOLELY FOR PRIVATE STUDY, SCHOLARSHIP OR RESEARCH PURSUANT TO 17 U.S.C. SECTION 107 AND 108. IN THE EVENT THAT THE LIBRARY DETERMINES THAT UNLAWFUL COPYING OF THIS WORK HAS OCCURRED, THE LIBRARY HAS THE RIGHT TO BLOCK THE I.P. ADDRESS AT WHICH THE UNLAWFUL COPYING APPEARED TO HAVE OCCURRED. THANK YOU FOR RESPECTING THE RIGHTS OF COPYRIGHT OWNERS.
This weekend, I warned of the serious danger of jumping to the wrong conclusions if the Ashley Madison user database ever becomes public, and how - because the site doesn't properly authenticate email addresses - any such data doesn't prove anything.
I was shocked when Graham told me that my article had been picked up by British newspaper Daily Mirror.
But there have been other developments...
A call from an Ashley Madison user
I woke up sunday morning, and received an SMS in Norwegian, shortly after breakfast. Here is my simple translation:
"Dear Per Thorsheim! Thank you for your post at grahamcluley.com. I am one of those affected by the things you wrote about, and I feel bad. We need more like you out there to adjust the perspective."
Since then, I have exchanged many messages with this gentleman, and we have even spoken on the phone.
I don't know his name, but he is in his fifties, has kids and is married. Not long ago, during a hard period in his life, he created an account on the Ashley Madison site.
He says he looked around, and engaged in a little "dirty chat" with some women.
But he never met anyone. He says some people drink or finds other ways to vent their frustrations in life. To him flirting on the Ashley Madison website became a short escape from reality.
He regretted his actions, he told his wife, he was forgiven and life and marriage goes on.
But now he is afraid of the leaked data eventually being released publicly, because his kids, neighbours, colleagues and others may not understand his situation at all.
Stories of suicide
I came across an American news website that published a fake story about a man committing suicide in the aftermath of the Ashley Madison security breach. They even quoted the alleged suicide note which claimed the man's death was a direct consequence of the hack.
Bogus news report of Ashley Madison-related suicide
[DELETE] of Chicago, IL, had been married for the past 11 years. He and his wife had two children, owned a home, and by all outward appearances were living the American dream. However, Donald was seeking intimate relationships with women other than his wife and was using the Ashley Madison site to do so.
In a suicide note recovered by police, [DELETE] expressed his regrets, and why he choose to take his own life. “I am sory[sic] for being unfaithful. I know that you will leave me now and take the kids. I know that I will be fired from my job at your fathers[sic] company and that my life as I know it is going to change drastically for the worse. So I’m just going too[sic] make it easy on you. You get everything. Goodbye.”
The corner’s report indicates that [DELETE] took a fatal dose of prescription medication. His death has been ruled a suicide, and authorities say they do not believe there was any foul play involved.
Why a website, purporting to contain legitimate news, would run a fake story about a man committing suicide after the Ashley Madison breach is beyond my understanding.
What I do know though, is that the press here in my home country of Norway are very careful around use of the word "suicide". There is a danger that if we talk about such personal tragedies in such detail in the press, that others may follow.
What the howling wolves doesn't seem to understand is what they are doing is online bullying. The kind of bullying that clearly can cause such personal tragedies.
"If they are cheating, they deserve it" the wolves reply.
While I totally disagree with that argument, let me add that their kids do not deserve to lose a parent. Their family doesn't deserve to lose a loved one. And that also applies to friends, colleagues, neighbors and others.
If you are found to have bullied somebody into suicide however... I believe you deserve jailtime for that.
Was Ashley Madison extorting money from users?
Many articles - including the one that The Intercept published - have mentioned that Ashley Madison demands money to have accounts deleted, and have described the practice as "extortion".
Full Delete
Be Discreet, remove all traces of your usage for only [Euros] 15.00
DELETE YOUR PROFILE
Full Delete Removal Includes:
Removal of profile from search results
Removal of profile from the site
Removal of messages sent and received
Removal of messages from recipient's mailboxes including Winks & Gifts
Removal of site usage history and personally identifiable information from the site
Removal of photos
Note: It may take up to 48 hours for some traces of your profile to be fully removed.
(I'm pleased to hear that Ashley Madison is now allowing users to delete their accounts for free).
I have my own experiences of what some may consider extortion.
For instance, once, at a nightclub in Berlin, I was given a small card at the entrance. The waiters would cut small marks into the card when I ordered beer and drinks, and when I left the club they counted the marks and gave me the bill.
What would happen if I lost the card? I would have to pay the maximum price before I was allowed to leave. I remember considering that as "a funny way to commit extortion".
Another time, I acquired a free SSL certificate from one of the many certificate authorities out there. Did I read the EULA for that? Of course not! Silly me...
Because if I had I would have seen that I ever wanted or needed to revoke the certificate because my site and certificate became compromised, I would have to pay money to have it revoked. I wonder if The Intercept would consider that extortion as well?
The definition of extortion as far as I can see says that it is a criminal offence. Yet the three examples given above are all still legal as far as I know.
So don't beat Ashley Madison up for asking for money to have accounts deleted - you may not approve of that business practice, but users should really have read the EULA when they created their accounts in the first place.
What Ashley Madison did wrong was to to make it way too easy for people to create fake accounts using other peoples names, pictures and email addresses.
Raise your hand if you always read the EULA before signing up for a service or product, and I'll gift-wrap and send you a stone, so that you can throw the first one.