
'More Ashley Madison' data leaked onto dark net - benevol
http://www.bbc.com/news/technology-34004741
======
wanderfowl
Maybe I'm naive, but I'm hoping that the lawsuits from this will be the start
of a push for data-breach insurance, and that the insurers, as Bruce Schneier
has been advocating for many years, will force the security that the marketing
VP doesn't see the need to pay for.

~~~
xlm1717
Maybe you are naive, but you are certainly not as naive as the marketing VP
who didn't see the need to pay for security, and is today watching in horror
as his business is getting hacked to hell.

~~~
siegecraft
Is this marketing VP a real person or just a hypothetical scenario? Because it
doesn't make any sense to me that a marketing VP would have any decision
making power about the need for security.

~~~
shaggyfrog
In my experience, non-technical stakeholders can have disproportionate
authority over technical decisions. For example, if a security best practice
results in slower logins, the development team could get immediate pushback to
speed up the process, even at the risk of weaker security.

Risk can be difficult to quantify, and if the focus is on chasing the
short-term, you might be told to damn the torpedoes and get the product launched.

~~~
iofj
In every programmer's experience, security can have a disproportionate amount
of influence. For instance, they are unwilling to do any real development, yet
have the authority to demand their stuff be used.

There is no reason any authentication process has to use more than a single
request + single response (and a single request and immediate reply from the
auth server). The usual concerns, like replay attacks and allowing third parties
to relay data for the auth server, can all be solved using encryption. In 15
years of working as a developer, I have encountered one company that actually
does this both correctly and fast. Security departments demanding that user
authentication happen over an LDAP+Kerberos connection, for example, are
commonplace, and this is stupid and very slow, for no good reason.

------
matheweis
When this happened to SONY, they went dark immediately and rebuilt from the
ground up... Seems to be the "right" approach, as opposed to business as
usual from ALM. You have to wonder if they aren't still infiltrated.

------
nickysielicki
In the comments on the TPB torrent of the original leak people were debating
the legality of downloading/having this information on their computer. Irony
of that situation aside, if I were interested in studying these leaks, how much
legal danger would I be putting myself in by grabbing them? I'm US based.

~~~
e40
It's really hard to imagine that AM would go after the downloaders. That would
be like pouring oil on a fire. Imagine the extra amount of publicity their
idiotic security would get.

~~~
amyjess
They're already DMCAing tweets that contain excerpts from the data.

(side note: every time I hear "AM", I think "Aggressive Menace", which sounds
about right)

------
untog
I'm surprised - though perhaps not really - to see that this new data contains
the CEO's e-mail. If the aim was to punish Ashley Madison (as the leak team
have suggested), why not leak that first, before customer details and credit
card transactions?

~~~
nostrademons
Attention. Get people to pay attention because the leak of customer data is
personal (it'll probably affect you or someone you know), and then release the
_really_ damaging data once the press cycle has started and everybody's
looking for more information.

The Snowden leak had a similar structure: it started out with PRISM (which
affected every American, and caused widespread indignation), then Snowden
claimed responsibility (trying to get out ahead of official government
investigations, putting a human face on the leaker and controlling the
messaging), and then they followed up with a number of even more damaging
leaks (eg. MUSCULAR, the Merkel cables, etc.) once they had the world's
attention.

~~~
differentView
>Attention. Get people to pay attention because the leak of customer data is
personal (it'll probably affect you or someone you know), and then release the
really damaging data once the press cycle has started and everybody's looking
for more information.

Then they probably should have released the first data dump on Monday and the
second dump on Tuesday. By the time the media dig through the CEO's emails
it'll be Friday and lose a lot of steam over the weekend.

~~~
nostrademons
I think they did - the first Reddit post on it [1] is dated 4 days ago, and
the torrent [2] was datestamped for just after midnight on Sunday morning.

My guess is that the timing didn't go according to plan - they picked an
obscure subreddit to post on, and the first press coverage didn't happen until
Tuesday night (having apparently heard about it on Tuesday morning). And then
it's generally a good idea to let at least 2 days pass between press releases,
otherwise the public doesn't have a chance to absorb the first media cycle.
They probably hoped it would be noticed on Sunday night, hit the press first
thing Monday morning, and then they could follow up with the CEO dump on
Wednesday.

[1]
[https://www.reddit.com/r/AnythingGoesNews/comments/3h71ar/we...](https://www.reddit.com/r/AnythingGoesNews/comments/3h71ar/we_are_the_impact_team_we_are_releasing_the/)

[2]
[https://thepiratebay.vg/torrent/12237184](https://thepiratebay.vg/torrent/12237184)

------
rjurney
It's hard to feel too bad for the victims of these attacks, given that their
behavior hurts others. Oh wow, I think I'm getting old.

~~~
acqq
There is an older discussion on HN on these topics. Think again about what the
site really was: probably 95% of visitors were men. That means that maybe 18
out of 20 didn't find a "match"? Moreover, somebody mentioned that there were
fake female profiles. Reduce the number of successful "matches." Most of the
visitors probably didn't _do_ anything. "But they intended!" somebody can say,
"and that is enough." Well, then think again. How many weren't actually in a
relationship but expected to get the "match" more easily on a site where
potential (not actual!) members aren't prepared for a long-term bond to the
"matched" partner. Etc.

Do you still consider _all_ these poor dastards as the big "sinners?" What
percentage of the persons on the lists "deserve" anybody's "wrath"? Do you
really want to condemn everyone? Does that match your moral values? You can
even ask how many of those hoping to "do something" actually didn't do
anything exactly because they tried to use the given site instead of, like,
approaching somebody who they knew in the physical world and who would respond,
so maybe even the site's existence was a "net positive" considering the number
of "immoral" acts that happened and were "intended"?

~~~
zajd
I think saying "it's hard to feel bad for" is a far cry from "condemning
everyone". This is a lot of words to try to absolve the members of a site
explicitly about cheating on your partner of any wrongdoing.

~~~
acqq
Do you have any proof that even more than 50% "cheated"? I gave you arguments
that it can be estimated that maybe one in 30 actually did cheat? Why do you
want to condemn (edit: the more correct word would be "accuse," I agree, but you
did write that the given arguments don't "absolve" them, which implies that
you've already found them "guilty") 29 of 30 people for actually doing
nothing, most of them, according to their own data, not even being in a
relationship?

~~~
zajd
Again, I'm not condemning anyone.

"It's hard to feel bad for" =/= Condemnation

All I said was that Ashley Madison explicitly markets itself as a site to
cheat on your partners. You'll find plenty of people (myself included) who
think engaging in a sexual relationship knowing that your partner is in a
committed relationship is immoral alongside cheating on a partner.

~~~
acqq
Your actual words were

> This is a lot of words to try to absolve

just a post before (if they can't be absolved then they are, if I
understand, already "guilty" in your view).

Do you want to accuse as "cheaters" 30 people on the list when only one of
them cheated? When half of them weren't in a relationship at all? Is that a
moral thing to do?

~~~
zajd
I'm not accusing them of being cheaters, I'm accusing them of signing up for a
website with the explicit goal of either cheating on your partner or entering
a relationship with someone who is doing so. Whether or not that's moral is up
to the individual to decide (in my eyes, it's not, but that's pretty irrelevant
to my point). Either way, leaking the data was NOT a moral thing to do.

~~~
acqq
> I'm accusing them of signing up for a website with the explicit goal of
> either cheating on your partner or entering a relationship with someone who
> is doing so.

Are they "guilty" even if that very action of theirs (signing in to the site and
"just looking") effectively reduced the total number of cheats in the world?
Is the site "guilty" if its "grand total" had the same effect?

~~~
zajd
Yes.

No, it's not equivalent to cheating on your partner, but it's still wrong.

Much like drawing/distributing pictures of sexualized children is still wrong
even if it's an outlet that (and you can't prove this, which is where the real
problem with your logic lies) prevents a child from being abused.

~~~
acqq
Thank you. I have no more questions.

The start of this discussion was the assumption that _every_ person on the
list took actions that hurt others, the validity of which I questioned (asking
if even the majority did something that hurt anybody, giving the arguments
that with high probability most didn't actually hurt anybody and maybe
even reduced the number of actual "cheats"). And you claim that you "don't
condemn" everybody but still find everybody "guilty" of doing the "wrong"
thing, equivalent to an unproved but possible child abuse. O-K.

~~~
zajd
Quite the edit there. The start of the discussion was someone saying he found
it hard to feel bad for those outed by the leak and then you writing some
paragraphs about how he was condemning those individuals. All I was trying to
add was a little nuance.

> Are they "guilty" even if that very action of them (signing in to the site
> and "just looking") effectively reduced the total number of cheats in the
> world?

This is what I was talking about, it's a classic defense of cartoon depictions
of child pornography, which I find immoral. Go to a therapist if you're
struggling with the temptation to cheat on your significant other, not a
dating site for cheaters.

~~~
acqq
> Go to a therapist if you're struggling with the temptation to cheat on your
> significant other, not a dating site for cheaters.

It seems that most of those whom you like "outed" and consider "guilty"
didn't have a significant other.

~~~
zajd
That I like outed? I told you the leak was not a good nor moral thing.

~~~
acqq
I agree with you: that leak was not a moral thing.

