Organizational Doxing of Ashley Madison

The—depending on who is doing the reporting—cheating, affair, adultery, or infidelity site Ashley Madison has been hacked. The hackers are threatening to expose all of the company’s documents, including internal e-mails and details of its 37 million customers. Brian Krebs writes about the hackers’ demands.

According to the hackers, although the “full delete” feature that Ashley Madison advertises promises “removal of site usage history and personally identifiable information from the site,” users’ purchase details—including real name and address—aren’t actually scrubbed.

“Full Delete netted ALM $1.7mm in revenue in 2014. It’s also a complete lie,” the hacking group wrote. “Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.”

Their demands continue:

“Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails. The other websites may stay online.”

Established Men is another of the company’s sites; this one is designed to link wealthy men with young and pretty women.

This is yet another instance of organizational doxing:

Dumping an organization’s secret information is going to become increasingly common as individuals realize its effectiveness for whistleblowing and revenge. While some hackers will use journalists to separate the news stories from mere personal information, not all will.

EDITED TO ADD (7/22): I don’t believe they have 37 million users. This type of service will only appeal to a certain socio-economic demographic, and it’s not equivalent to 10% of the US population.

This page claims that 20% of the population of Ottawa is registered. Given that 25% of the population are children, that means it’s 30% of the adult population: 189,000 people. I just don’t believe it.

Tags: anonymity, data breaches, hacking, privacy

Posted on July 20, 2015 at 3:15 PM • 63 Comments

Comments

Daniel • July 20, 2015 3:49 PM

I was at the doctor’s office recently and the receptionist waved a camera in my face and said they wanted to take a photo “for their files”. I refused.

The problem with “for their files” is that they won’t stay as their files for very long. Then not only will the hacker have my PII, he will have a recent photo too.

It’s as if we as a society are going out of our way to make life easier for hackers.

well, duh • July 20, 2015 4:09 PM

a propos:

According to the hackers, although the “full delete” feature that Ashley Madison advertises promises “removal of site usage history and personally identifiable information from the site,” users’ purchase details — including real name and address — aren’t actually scrubbed.

so, well, duh, who believes these “you have full control over your own data and can delete it when-ever you like” promises anyway?

the same claims are made by the likes of Facebook, Google, and others that want your data.

they don’t delete the data – they just mark it as no longer visible to the user. This is one major reason on why companies like FB and G need to keep building larger server farms around the globe.

Gweihir • July 20, 2015 4:23 PM

Sounds more like right-wing authoritarian terrorism to me, designed to scare those that do not conform to their idea of morality.

rgaff • July 20, 2015 4:25 PM

1) “removal of… personally identifiable information from the site” hmmm… now why would anyone expect that to mean a full purging of all internal business records that are not on the web site? They have a point, that such business records might be even more important (just as all kinds of metadata is more important), but that’s clearly not what it promises… Unless someone jumps to conclusions about what “full delete” means I guess without checking the details at all….

2) This whole episode just highlights why things in general need to be made much much more secure, rather than weaker like the US Government is trying to do… Maybe enough rich powerful cheaters are out there to wake up, slightly? Well, we can always hope…

Gerard van Vooren • July 20, 2015 4:39 PM

What worries me is the numbers.

The Adobe hack: Passwords and other account info from 150 million customers
The OPM hack: Personal data from 24 million civil servants
This one: Personal data from 37 million customers
Tomorrow: ???
The day after tomorrow: ???
The day after that: ???

The day after that it isn’t even newsworthy anymore.

It reminds me about roughly 30 years ago when Aldrich Ames walked away with floppies when before he would have needed to copy large amounts of paper files. I think we only learn the hard way.

Tamir Pardo • July 20, 2015 4:43 PM

Yeah, sorry for the inconvenience but we need that to cross-reference with the OPM adjudication files.

Peter A. • July 20, 2015 5:04 PM

Two things to note about “full deletion” promises:

Even if a particular company is honest and keeps its promises and actually tries to delete all user’s data by removing it from the website’s data storage backed, it may be not competent enough to really do it thoroughly. Old backups, website logs, “temporary copies” of live data made by application developers for testing purposes etc. etc. may still be lurking around in the company’s network for the doxers to scrub.
In most jurisdictions companies are legally required to keep some business and financial records like customers’ identification data, amounts billed and dates etc. for a long time – often for five years or more, which is near-eternity in current fast-moving Internet landscape. This data is available for doxers as well. Virtually no company will store such data completely offline (e.g. in paper files) – even if they keep them on separate machines/network it is only a matter of doxers’ skills to cross such boundaries.

tyr • July 20, 2015 5:14 PM

Since the usual argument is there is nothing worth
hiding, the renewal of transparency should be a
welcome addition to the new age thinkers. The
numbers are quite interesting, I didn’t realize
there were that many intellectually challenged
rich folks.

Anonymous Coward • July 20, 2015 5:28 PM

I fail to see the difference between “Organizational Doxing” and “Revenge Porn” – except the targets.

Dirk Praet • July 20, 2015 7:11 PM

@ Tamir Pardo

Yeah, sorry for the inconvenience but we need that to cross-reference with the OPM adjudication files.

The first thing that crossed my mind too. A cross-section of both data sets makes for a really neat attack vector.

Clive Robinson • July 20, 2015 7:32 PM

@ Gweihir,

Sounds more like right-wing authoritarian terrorism to me, designed to scare those that do not conform to their idea of morality.

Err possibly not.

Many scandals have shown that “right-wing authoritarians” are in reality “Do as I say, and keep secret what I do” hypocrites.

These web sites are probably loaded with right-wing authoritarians such as political aids and sponsors…

@ Tamir Pardo, Dirk Praet,

Yeah, sorry for the inconvenience but we need that to cross-reference with the OPM adjudication files.

How about the GOP members and supporters / sponsers lists.

Better still all those who have purchased an Aran Rand book in recent times…

Clive Robinson • July 20, 2015 7:37 PM

Opps,

That should be “Ayn” not “Aran”…

I guess I’ll have to make like Atlas and Shrug it off.

Finn • July 20, 2015 7:50 PM

37M is a rather large user count for a site like that. Its no surprise internet vice has always been the good business.

Godel • July 20, 2015 7:56 PM

@ Clive Robinson

Or maybe “Aryan Rand” 🙂

JB • July 20, 2015 7:59 PM

I got to say, I am loving this hack and the result.

Coyne Tibbets • July 20, 2015 8:02 PM

@well, duh – “the same claims are made by the likes of Facebook, Google, and others that want your data. […] they don’t delete the data – they just mark it as no longer visible to the user.”

That’s probably true, but Facebook, Google, and etc., did not make $1.7 million selling a “Full Delete” function…and thereby make an express and implied contractual promise that the function would actually work.

@rgaff – “now why would anyone expect that to mean a full purging of all internal business records that are not on the web site?”

@Peter A. “In most jurisdictions companies are legally required to keep some business and financial records like customers’ identification data, amounts billed and dates”

“Secret sexual fantasies” are not not the kind of internal business records a company would accumulate for a credit card transaction. Those are obviously accumulated by the site for social purposes, and should not have been retained after “Full Delete” Especially when the company is promising it won’t be retained.

The “legal requirement” won’t wash either, since if a company is subject to such requirements it should not be making promises contrary to those requirements.

@Peter A. “Even if a particular company is honest and keeps its promises and actually tries to delete all user’s data by removing it from the website’s data storage backed, it may be not competent enough to really do it thoroughly. Old backups, website logs, “temporary copies” of live data made by application developers for testing purposes etc. etc. may still be lurking around in the company’s network for the doxers to scrub.”

Possibly there’s a point there. However, such miscellaneous records are…well, “scrub” is the word alright, since such records tend to be uncoordinated, incomplete, or both. To me, the hacker statement seems to apply that wasn’t required…but maybe…

NP hard • July 20, 2015 8:08 PM

I fail to see the difference between “Organizational Doxing” and “Revenge Porn” – except the targets

One subsumes the other:
You can do an organizational dox of a revenge porn site.

8675309 • July 20, 2015 8:41 PM

Anyone else thinking this Hack was done by someone wanting to wake up those who ignored the Snowden releases into learning opsec and actually caring about corp data retention, 3rd party doc, etc. Just curious.

rgaff • July 20, 2015 9:09 PM

@Coyne Tibbets

Frankly, you’re sounding like the doxer with your arguments…

I’ll admit that “full delete” isn’t a good name for what was happening, because some could misunderstand… but if you LOOK at the DESCRIPTION of what they explicitly said “full delete” actually was… it ONLY promises full web site removal, NOT full business record purge. I’ve always assumed business records were kept for many years everywhere (who you are, what you paid, etc). And obviously business records should NOT include “secret sexual fantasies”… that was either a breach of their promise, or the doxer only exposed that for those who weren’t under “full delete”… either could be valid explanations from what I’ve seen so far.

neto • July 20, 2015 9:13 PM

The problem for those that signed up to these sites is that the mere act of signing already puts them in disrepute. They’re doing (or showing intent of doing) something that they think is wrong and trying to hide it plus being stupid enough to think this high profile way is actually safe in the first place.

The problem, of course, is that “sex sells” so news outlets will have a field day with this one if names ever get published. The first thing people/”media” outlets look in hacked emails is not signs of wrongdoing or lawlessness but sex related scandals.

I’m not sure threatening the users of a service (No matter the morality of the particular case) can go along with the word “Whistleblowing”.

This is blackmail (with clients as collateral, if you want) more than anything.

rgaff • July 20, 2015 9:15 PM

…unless “secret sexual fantasies” is somehow the name of a specific service sold… THEN that could be considered part of business records (i.e. what exactly did the customer buy from you)…. but not any such actual fantasies, just the name of a service. So, yeah, you should be careful what kinds of services you buy with traceable money like credit cards, it’s always recorded for a really long time.

rgaff • July 20, 2015 9:23 PM

On the other hand, it would certainly be great if enough high profile people were exposed that they all FINALLY figured out that the whole “if you’ve done nothing wrong you have nothing to hide” thing is garbage, and computers and communications need to be redesigned from the ground up to actually have security, and then it would be nice if they all put their money and influence behind fixing things, instead of billions being spent purposefully breaking things further!

Terry Cloth • July 20, 2015 9:56 PM

Disheartening
@8675309: We should be so lucky.
The fact that 37e6 men are so clueless as to puchase disreputable services with their credit cards suggests to me we’ve lost the war. How many of them pay enough attention to cyber-security to even hear our warnings, much less attend to them?

anon • July 20, 2015 10:06 PM

Buried somewhere in the dataset will be information about fake profiles. The number of these might be very embarrassing to the company. The possible existence of these profiles on AM is discussed here:

http://abovethelaw.com/2013/11/ashley-madison-should-take-better-care-of-the-females-it-hires-to-trick-you/

Bruce Schneier • July 20, 2015 10:33 PM

“37M is a rather large user count for a site like that. Its no surprise internet vice has always been the good business.”

Thinking about it, that number doesn’t sound plausible to me. It’s 1/10th the population of the US. Yes, this site is international, but it’s only going to appeal to a certain socio-economic class. I don’t believe it.

rgaff • July 20, 2015 10:44 PM

“37M is a rather large user count”

As the abovethelaw link @anon posted made clear, a significant number of the female profiles are fake, by paid employees of the site, and they are clearly open about it in their Terms Of Service that nobody reads (though perhaps they do not indicate the clearly large scale of this in the TOS).

tz • July 20, 2015 11:53 PM

Like the Gawker Geithner Gay escort?

Jacob • July 21, 2015 12:43 AM

@ Bruce

Since the site does not truely delete accounts, the 37M may be a cumulative number of users throughout its operational years. People come and go, and the active users at any given time may be just a small fraction of that stated 37M.

Gerard van Vooren • July 21, 2015 5:34 AM

@ Bruce

Even if it’s 3.7M or .37M we are still talking about large numbers.

nym • July 21, 2015 5:57 AM

Prostitution. You forgot prostitution in your list of stuff people say AShley Madison is about.

Anyway, my understanding of one thing the brain trust at this site did was demand a payment from its own customers in order for them to have their personal information removed (scrubbed) from the Ashley Madison’s database. If that’s true, and I only heard about it online and can’t confirm it, then some might say that’s a form of implicit blackmail.. or something a lot like blackmail.

It’s an unusal request, no? Don’t give us money.. we just want you gone. Who might be motivated to make such a demand? Let’s see..

Wife who contracted herpes / hpv / cervical cancer when her husband hooked up using this site and in the ensuing divorce settlement acquired enough of Mr Big’s money in alimony to contract with eastern European hackers…..

Above with genders reversed…..

Someone who did not like the data scrub fee and decided to get even.

Someone who knows the principles and those principles have, in other parts of their exemplary lives, done something that person considers really horrendous…

It’s like when the mob starts dropping their own. Hmmm.. now who ever would have gone after this upstanding member of our community? Even the cops just want to grab some popcorn and watch the bodies drop.

nym • July 21, 2015 6:14 AM

One more baseless theory.

Of course A.M. is not going to submit- the demand (stupidly) requires A.M. to realize the worst of all possible outcomes for themselves. Even if AM loses 90% of their client base, that’s still better than submitting.

So what happens nex. Release of compromising data- some of which is faked. THe faked part of the data contains the names of people who are the real target of this doxxing. The big move hides the small. The huge release contains certain nuggets which are the point of this entire operation. Everyone else (he real names) are just collateral damage. This is a classic CIA / NSA type operation especially since A.M. is international in scope. No one is going to believe that one singnle guy when he claims the entire thing was targeted at one single guy.

If this is true, then it’s the reason the doxxers (is it 2 xes?) DIDN’T make a financial demand- hwever large. What if AM paid it? THen what? Then the game ends and nothing was accomplished.

By the way, if I am right, CIA / NSA / TLA please don’t ruin my life for outing your operation. For one thing, I’m an American citizen and you can’t do that and if that reason doesn’t grab you then, come on man, if I can think this one through then it’s just not that clever an operation. It’s a clear signal you need to step up your game in terms of sophistication. Come on man, don’t shoot the messenger… come on…

Bob S. • July 21, 2015 8:11 AM

We need MORE dumps like this.

It’s the only way users will learn to guard their data. Clearly, governments are totally committed to slurping up this kind of data as much as criminals, the point being, governments will NEVER do what’s necessary to truly protect data.

In this case and others, I wonder how things would have been different if Ashley faced a zero tolerance prosecution and $10k fine for EACH USER data unit lost?

Maybe they and others would have tried harder. Right now, all corporations need do is say the magic words “WE are sorry”: End of liability.

I don’t think it should end there.

K.S. • July 21, 2015 8:18 AM

I hope AM user database breach will change people’s attitudes toward privacy. There will be substantial number of divorces as a result of this breach, and with this, almost everyone will know someone who got impacted. As a result I hope people will start demanding both legislation and technical measures to safeguard their data.

I hope hackers go through with the data release, because society needs proverbial kick in the groin to get out of 90s-era thinking about PII.

K.S. • July 21, 2015 8:28 AM

As to AM, the way to defend, after the fact, against this breach is to poison (with a phone book data) their own database in various ways and than anonymously release multiple versions of it to pastebin. This way any given database version, including real one, will only have a probability, and not certainty of being accurate. This move would be very damaging to the innocent public, but it will give impacted customer base plausible deniability.

IanLB • July 21, 2015 8:33 AM

The government can’t fix the problem. They can’t even secure their own infrastructure, they certainly won’t secure private ones.

Of course companies are liable, especially in key industries where compliance is mandatory. Victims are going to sue AM over this. We could always raise the legal consequences from hacking, but it won’t help as much as people believe. It’s not an awareness problem – we are way pass the awareness phase. It’s been a hot, hot topic for years now in all major businesses, and it’s only growing.

Something that is going to be obvious for people inside the industry, but is missing from the “outsiders” perspective, is that we are losing the battle. Hard. Not because people are incompetent, but because this war is inherently unfair. Hacking is becoming cheaper and cheaper, so cheap that even private groups are starting to perform operations of complexity and depth that were limited to nation-states a few years ago. On the other hand, more and more infrastructure and services are computer-based, the attack surface keeps getting bigger, and there’s no magic-bullet fix-all solution in view. It’s only going to get worst, much worst.

Bob S. • July 21, 2015 8:55 AM

@IanLB

Re: “there’s no magic-bullet fix-all solution”

No perfect solution, but simple stuff like NOT saving personal data in the first place, ditto for credit card data, which they aren’t supposed to do anyway.

Also, any necessary private data should be OFFLINE only accessible via authorized hands on terminals.

Various laws could be written, like BIG $$$ fines for breeches, would help, too.

IanLB • July 21, 2015 9:24 AM

@Bob S.

The « Simple stuff » you mentioned are among the first questions asked (and the first recommendations made) with regard to information protection. I think it’s even directly integrated in the PCI official guidance. Same thing for the “put it offline” bit. We have already been doing this for years. These are low-hanging fruits, and low-hanging fruits are the first picked.

There are already laws. There are already fines. It depends a lot of the industry and the jurisdictions, but these things already exists. We can always put more laws and more fines – I don’t actually disagree. But their effect on the problem will be marginal at best.

What pains me is the overall cynicism regarding hacking, because I feel people just don’t get what is happening. They don’t understand that their information is next, and that victim blaming and armchair quarterback claims of “if they would have done XYZ it wouldn’t have happen” are going to sound just as hollow when the shit hits the fan. Please don’t take this comment personally, but when you said “We need MORE dumps like this”, to my ears it sounds like saying “we need MORE traffic fatalities” so that people can be more aware of the danger of speeding. Somehow I wonder if this is an healthy attitude. People don’t die in car accidents because they are unaware of the danger, or because there’s no law regarding safe car driving, or no consequence to speeding or drunk driving.

kingsnake • July 21, 2015 9:47 AM

What are the odds Anthony Wiener is the first name released?

Coyne Tibbets • July 21, 2015 10:13 AM

@rgaff – “Frankly, you’re sounding like the doxxer with your arguments…”

ALM’s breach of contract existed whether the doxxers stole the data or not, and the fact no one knew about it until the doxxing does not relieve ALM of responsibility for their breach. They might have concealed their breach indefinitely, but it remains a breach.

I can deplore ALM’s breach and still deplore what the doxxers did; and I do: I deplore both.

gordo • July 21, 2015 11:25 AM

As ARS Technica reported, Avid Life Media (ALM), in their initial press release, equated the “criminal act” with “cyber-terrorism”:

At this time, we have been able to secure our sites, and close the unauthorized access points. We are working with law enforcement agencies, which are investigating this criminal act. Any and all parties responsible for this act of cyber–terrorism will be held responsible.

ALM’s apparent wrongdoings aside, this is a case of trespass, theft, and blackmail – not terrorism.

rgaff • July 21, 2015 12:15 PM

@ gordo

Then define “terrorism”….

That’s the issue… anyone can define it to be just about anything they don’t like… You ask 3 people for their definitions and you will get 5 different answers. So a “war on terror” is really a war on anything you want it to be on, politically speaking. It’s a blank check for war.

albert • July 21, 2015 12:22 PM

Well, two wrongs don’t make a right, but they make it a lot more fun.

I don’t give a RSA about folks sexual proclivities*. Sex sells. It’s an ubiquitous, and apparently unstoppable drive. A drive that permeates all societies, and yet not well understood.
.
You pays your money, you takes your chances. This is simply V2.0 of the sex trade.
.
As others have pointed out, these many episodes illustrate the publics lack of knowledge about basic computer security and ‘data privacy’* It also illustrates the cynicism and arrogance of the companies involved. A little transparency and ethics goes a long way.
.
I don’t want to hear any BS about ‘laws’, either. ‘Laws’ about business practices are very expensive to enforce, and then mostly by private individuals, not the gov’t.
.
As far as I’m concerned, it’s just another day at the office. I don’t have any sympathy for the clients or the companies. There are no ‘innocent’ parties here. If I thought it would stop or deter further abuses, I’d say go ahead and release everything (Except CC & SS numbers).
.
…
* certain exceptions apply, see my Disclaimer. By reading this comment, you agree to follow the Terms and Conditions cited.
** we need a special, less oxymoronic term for this.

Gerard van Vooren • July 21, 2015 1:20 PM

@ Albert

“I don’t have any sympathy for the clients or the companies. There are no ‘innocent’ parties here. If I thought it would stop or deter further abuses, I’d say go ahead and release everything (Except CC & SS numbers).”

I love this kind of comments. Yummy! It has it all. Shortsightedness, lack of compassion and you are ok with that people are being ruined, except financially, because they are only human.

albert • July 21, 2015 2:50 PM

@Gerard,

I’m glad you liked it. I’ll be sure to submit more! And I’ll concentrate on ‘shortsightedness’ and ‘lack of compassion’ with you in mind.

.
…

tyr • July 21, 2015 3:02 PM

@Gerard, albert

I’d like to how the equation that things we’d rather
not be public and ruined is balanced out. A lot of
things people do are conflated in the interests of
maintaining the hypocritical facade of humanitys
self chosen virtual reality.

Exposure of the reality under the facade only is
ruin when it exposes someones false front. When
they have claimed to be other in public then it is
called justice not ruin.

AM isn’t the noble enterprise falsely put upon by
some evil knave they are as crooked as a dogs hind
leg and seem to have pissed someone off with their
behavior.

The law in its even-handed majesty forbids rich and
poor alike from sleeping under a bridge. The Net in
its packet equality allows evenhanded retribution to
fall on corps and individual alike.

There’s a famous story about Russian espionage when
they decided to turn a US military guy. They had
a ballerina initiate an affair with him and then
approached him with pictures of his escapades. he
responded to their threat of exposure by asking
for a bunch of copies so he could use them as proof
that he had scored with the ballet star. Blackmail
only works if you have something to hide. He had a
good time and their scheme fell apart.

gordo • July 21, 2015 3:06 PM

@ rgaff,

Yes, the “terror” of cliché!

MikeA • July 21, 2015 5:15 PM

Seeing as they didn’t ask for Cougar Life to be shut down, I have to wonder if the perpetrators are connected to the Bletchly Circle.

albert • July 21, 2015 5:29 PM

‘Cougar Life”? ‘ethical hacks’? Stop it. You guys are out of control!

rissanen • July 21, 2015 9:38 PM

about obtaining pictures and data posted by 37 millions users…

perhaps this can be a real amount if we consider that at least 1 billion people currently have internet access around this planet.

meaning we do not need to consider only the US populace in order to determine whether the amount is realistic or not.

but another question that comes up is, is it really reasonable that they would have transferred photos and other data posted by that amount of users over the internet?

wouldn’t it take like a rather long time and set a rather heavy load on the Ashley Madison DB servers?

rissanen • July 21, 2015 9:42 PM

as an addition to my previous posting, the Ashley Madison web site allows user to select their location from different 63 countries, among which we have countries like India and China.

so it’s not unrealistic for that site to have 37 million users.

John Campbell • July 21, 2015 9:47 PM

Actually, in our culture, respectability is inversely proportional to sexuality.

Is it any wonder the scandal rags prefer to expose sexual peccadilloes?

And, frankly, for those who have been customers of these sites, the site has collected, over time, a whole pornucopia of vulnerabilities.

Respect is a key part of reputation; Reputation is something others think they know about us… and we all figure that is important.

Justin • July 21, 2015 11:32 PM

@John Campbell

Actually, in our culture, respectability is inversely proportional to sexuality.

Whose culture is that? Because that is an odd statement to make, and it bespeaks some repression. Obviously some morality is incumbent for respectability, but I would posit that sexuality itself seems neutral as long as it is kept within bounds. I mean, are celibate people really respected more than married people?

Or is the word “sexuality” being used here as a euphemism for certain less respectable forms of it? Because I hate it when people talk about sexual issues and don’t say what they mean.

ianf • July 22, 2015 8:04 AM

Following the security breach, i.e. after the horse has bolted from the stables, the Ashley Madison site has TEMPORARILY lifted the fee for deletion of one’s profile (thus, once the record’s gone—or “gone”—the previous customer won’t be able to sue?)

Here’s what happened when @carmenfishwick of The Guardian, who once opened an account there for research purposes, but then balked at presenting her bosses with a £15 bill for purging her data, tried to delete it this time. That’s some customer service they’re running… instructive, to say the least.

Walking back the cat, if it cost £15 to “delete” a profile, and Ashley M’s parent Avid Life Media indeed “netted $1.7M (~£1.09M today) in revenue for Full Delete in 2014,” we can derive from it a close-enough number of customers that attempted it, and now potentially could sue ALM for breach of contract: 72500… a figure that is far more plausible in the context that the oft-bandied 3.7M accounts.

In other news, the Edward & Laura-saga, Snowden & Poitras in Hong-Kong & elsewhere, is getting the full Hollywood Oliver Stone-treatment. Melissa Leo will be playing Poitras, but, as the official teaser for the movie shows no footage, it’s doubtful it’ll be finished in time for next year’s Oscar Awards.

Huckleberry • July 22, 2015 7:55 PM

Its been noted that internet vice sites inflate user counts, as do other legitimate social media, to not only bandwagon but game investors. Full delete fees as well as click thru free trial sign ups, followed by billings, are known to trap the curious as we know its killed cats in the past. But genuine users of the site, if follow the 5%, is still close to a whopping million, sugar daddy/mom and solicitors alike. If you would coerce or trick $500 from each the going rate of a pro then that is still good business, until exposed that is.

Matt • July 24, 2015 1:47 AM

First I thought, “Nice hack of an unsavoury service.”

Then I thought better. Would the hack be worth the life of one depressive or newly depressed individual?

I think not. So, shame on the hack for targeting the citizenry and tempting the likely fate of awful collateral damage.

Coyne Tibbets • July 24, 2015 8:28 AM

@rgaff – “Then define ‘terrorism’….”

Recent events in the cases of Dylan Roof (killed 9, indicted for hate crimes) and Mohammad Youssuf Abdulazeez (killed 4, case being pursed as terrorism) make it clear the problem of defining terrorism has been solved by our government and news media:

Terrorism is any violent act committed by a Muslim.

This has been a difficult question; glad to see it’s been “resolved.”

rgaff • July 24, 2015 1:30 PM

@Coyne Tibbets

Not only is it wrong to define it that way, additionally there’s nothing to keep it from expanding in all sorts of ways. Don’t think that it’s not your color or nationality or religion so it doesn’t affect you. Before you know it, there’s no such thing as “crime”… it’s all just “terrorism”…. We need much bigger prisons too.

http://www.prb.org/Publications/Articles/2012/us-incarceration.aspx

albert • July 24, 2015 2:27 PM

@Coyne,
That’s the problem with labels; they don’t always work. Wiki has a surprisingly good treatment here: https://en.wikipedia.org/wiki/Definition_of_terrorism

Propagandists love these kinds of labels. They are ‘flexible’. They are emotionally charged. They can influence public opinion in serious ways.

If someone is to be prosecuted as a ‘terrorist’, then that term must have a legal definition, and, the law must be clear on specific punishments.

Who is more dead, the one killed by a terrorist, or the one killed by a racist?

.
…

Max Entropy • August 20, 2015 9:45 AM

Yep, nearly 37e6. Now playing at a torrent near you…
http://arstechnica.com/security/2015/08/ashley-madison-hack-is-not-only-real-its-worse-than-we-thought/

Gerard van Vooren • August 21, 2015 11:57 AM

@ Albert,

Looks like you got precisely you wanted! Glenn Greenwald wrote an interesting article about this hack.

Insert Edgy Name • August 22, 2015 2:35 PM

I feel no pitty for the people doxed by this hack. We live in times where most people assume that everyone can make up his own reality, free of social norms, science, truths and everything else. The common logic used “if two adults consent, it’s none of your business, because it’s private”. Well, by this logic, you can pretty much excuse everything else in this world, including murder (if done privately ofc.).

Justin • December 10, 2015 2:01 AM

Somebody at the state department did something similar:

http://www.networkworld.com/article/3013633/security/ex-us-state-dept-worker-pleads-guilty-to-extensive-sextortion-hacking-and-cyberstalking-acts.html

ianf • December 10, 2015 8:31 AM

@ Justin, frankly, I’m speechless… there are so many items in this U.S. London Embassy sextortionist/ cyberstalker Michael C. Ford, 36, story, that I don’t know where to begin. Here’s an incomplete list of question marks.

For starters, a London embassy posting is a plum job, not given to anyone (you have to have powerful mentors, sponsors, both within and outside the Dept., Congressional or Senate at least; and/or superiors who want to promote you within the service over someone else’s favorite son). For another, just to be in the running for a State job at this level (even if you’re employed as House Janitor/ Electrician at the Embassy) you need to have been to reputable schools, universities, maybe researched for some politician, wrote some papers. In effect you arrive there first after some other postings to less pleasant places, and carry your family’s/ mentorship baggage. Then there is the internal vetting and indoctrination.

This guy knew his way around computers, yet believed himself to be beyond grasp and detection by [whatever service that is used to watch data traffic in governmental buildings abroad]? That’s INEXPLICABLE. And how come his “super-sexed” persona wasn’t detected earlier? People like that hardly begin at this high level of tech-access.

Frankly, any new Joe McCarthy (or why not The Donald) would for once be well within propriety when using this story to pound the “sexcyberstalker-infested,” (rather than Commie-,) State Dept into oblivion. This deserves a wider exposé than a mere notice of the indictment and the upcoming sentencing… keep an eye on it, maybe we’ll learn from it, Six Sex Starved Signs To Look For In State Applicants or something.

Schneier on Security

Organizational Doxing of Ashley Madison

Comments

Leave a comment Cancel reply