
Online Cheating Site AshleyMadison Hacked - albedoa
http://krebsonsecurity.com/2015/07/online-cheating-site-ashleymadison-hacked/
======
MertsA
Not too surprising. Security in the past has been worse than abysmal on that
site. I had a friend that jokingly made an account and sent me a link to his
profile. However, that link was also his entire session. Once in the profile
section it would let you change the password without knowing the current
password. And the last kicker, the change password box had asterisks in it on
page load and a quick "view source" revealed my friend's "not joking" password
all from a link that didn't look too important.

In summary:

    1. Having a session id just stored in a GET variable for (most?) pages.
    2. Use of http on profile edit page.
    3. Allowing password change without reauthentication
    4. Storing of all passwords without any form of hashing.
    5. Sending passwords over http every time the profile edit page was viewed
    6. Very easy for a user to accidentally share confidential data.

I want to say this was back in 2008 and the site was launched in 2001. I can't
imagine that they are making any of these mistakes today but if the past
incompetence has any relevance then this security disaster was a long time in
the making.
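
The six points in the comment above map onto a small set of server-side controls. The following is an added sketch, not part of the original comment and not the site's code; the `AccountStore` class, the `sid` cookie name, the `example.invalid` host and the PBKDF2 work factor are all assumptions made for illustration.

```python
import hashlib
import hmac
import html
import secrets
from http.cookies import SimpleCookie
from urllib.parse import quote

PBKDF2_ITERATIONS = 600_000  # assumption: work factor chosen for this sketch


class AccountStore:
    """Hypothetical in-memory stand-in for a user table and a session table."""

    def __init__(self):
        self._users = {}     # username -> (salt, derived key); never the password
        self._sessions = {}  # random session token -> username

    @staticmethod
    def _derive(password, salt):
        # Point 4: store a salted, slow hash instead of the password itself.
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
        )

    def set_password(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._derive(password, salt))

    def verify(self, username, password):
        record = self._users.get(username)
        if record is None:
            return False
        salt, expected = record
        # Constant-time comparison of the derived keys.
        return hmac.compare_digest(expected, self._derive(password, salt))

    def login(self, username, password):
        if not self.verify(username, password):
            return None
        token = secrets.token_urlsafe(32)  # unguessable, unrelated to the profile
        self._sessions[token] = username
        return token

    def username_for(self, token):
        return self._sessions.get(token)

    def change_password(self, token, current_password, new_password):
        # Point 3: a valid session alone is not enough; the current password
        # must be presented again before the credential changes.
        username = self._sessions.get(token)
        if username is None or not self.verify(username, current_password):
            return False
        self.set_password(username, new_password)
        # Revoke every session for the account so a leaked token dies here.
        self._sessions = {
            t: u for t, u in self._sessions.items() if u != username
        }
        return True

    def render_profile_form(self, token):
        # Point 5: the form is rendered with empty password fields. The server
        # holds only a hash, so there is nothing it could pre-fill.
        username = self._sessions.get(token)
        if username is None:
            return None
        return (
            '<form method="post" action="/profile/password">'
            f"<p>Signed in as {html.escape(username)}</p>"
            '<input type="password" name="current_password" value="">'
            '<input type="password" name="new_password" value="">'
            "</form>"
        )


def session_cookie_header(token):
    # Points 1 and 2: the session travels in a cookie, not in the URL, and the
    # Secure flag keeps the browser from sending it over plain http.
    cookie = SimpleCookie()
    cookie["sid"] = token
    cookie["sid"]["secure"] = True
    cookie["sid"]["httponly"] = True
    cookie["sid"]["samesite"] = "Strict"
    cookie["sid"]["path"] = "/"
    return cookie["sid"].OutputString()


def profile_link(username):
    # Point 6: a link meant for sharing carries only the public identifier.
    return "https://example.invalid/profile/" + quote(username, safe="")
```
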

~~~
mcphage
> I had a friend that jokingly made an account

"a friend"

~~~
MertsA
Had it not been a friend I would have assumed as he did that the session id
wasn't just slapped in the URL. What was great was when I sent him back
"f1reball" and nothing else and he didn't believe that I could have possibly
gotten that from the link he sent me.

------
ulrikrasmussen
I see a few comments sympathizing with the vigilantes behind this, implying
that the exposed users had it coming. I am a bit sickened by this attitude,
for several reasons. First of all, adultery is not illegal in the countries
where most users of AshleyMadison are presumably residing, and even if it
were, people could have used fake names which could implicate someone not
actually associated with the site. This could destroy lives!

Second, performing your own vigilante punishment by outing people who you feel
are not living up to your own personal moral standards has no place in a
developed society. It is not your right to destroy a family, not to mention
one where every member is a stranger to you, by outing one of its members as a
cheater and at the same time putting all other members of the family on public
display.

~~~
mdip
My only concern _is_ for those whose credit card information was used
illegally. If I were an employer, I'd be concerned about hiring someone who
joined this site. Most jobs put people in a position where they could "get
away" with theft or other illegal activities that could deeply harm the
company and I can see employers being very concerned about hiring someone
associated with the site. Those folks just had their lives ruined -- even when
they manage to prove to the banks that the activity was illegal, they're now
associated with this for life.

As for the "real users". I don't think the lack of sympathy stems from
people's misunderstanding that extramarital affairs are not "illegal". Most
marriages have an expectation of monogamy and most users of this site were
doing so in order to enjoy that activity without getting caught. They were the
ones who decided to engage in an activity that broke up their family and
"destroyed lives". This just sped up the process of getting caught. Aside from
the moral contract that was broken, the cheating spouse also exposed their
partner to sexually transmitted diseases without their knowledge.

I think sites like this are despicable and people using them should expect
that a site that caters to helping you "get away with things" is not a
trustworthy place to do business. They actually charged $19 to have your
profile "completely removed" and then didn't do what was paid for.

I don't condone "vigilante punishment" and a read of the comments seems
focused more on the activities of the users than the condoning of how they
were caught, but I completely understand the lack of sympathy. I doubt you'd
see such a lack of sympathy if the site catered to helping individuals escape
addiction or cope with mental illness -- where a similar desire for anonymity
exists.

_Two wrongs don't make a right_, yes, but expecting the average married
person to have a lot of sympathy for a site that caters to weak people who'd
rather destroy their marriage than figure out how to be a good wife, husband,
father or mother is a stretch. There are many corners of the internet that
make a huge profit catering to vice that is not illegal but getting caught
doing these things would have consequences outside of the law. Users engaged
in that activity are choosing to accept the consequences and folks investing
in sites like this need to fully understand that the site has a big red target
on their back; it will probably be attacked successfully at some point in the
future.

As an aside, why is it assumed that all cheaters are men? The "vigilantes"
frustrated me most with the comment _Too bad for those men, they’re cheating
dirtbags and deserve no such discretion_. Anecdotally, I know of several
relationships broken up by infidelity. I doubt I'm alone, it seems to be the
main reason that my friends' marriages end in divorce -- people don't like to
be alone so rather than end their marriage, attempt to mature and figure out
why they were so unhappy, they jump to another partner and start off a new
relationship with _no trust_ as the foundation. In my small dataset, almost
all of the affairs were had by women.

~~~
ulrikrasmussen
I do not expect anyone to have much sympathy with the site nor its users. But
still, being publicly defamed on the internet for eternity is far too harsh a
punishment for cheating on your spouse. The motivations for cheating can be
complicated, and while it certainly destroys many relationships, I believe
that some might still be salvaged when the cheater can come clean on his/her
own terms.

Outing a cheater which you have no relationship with is a disgusting violation
of the privacy of all parties involved, including the partner who was cheated
on. It is interesting how the anonymity of the internet suddenly makes people
more comfortable with shaming other people whom they have no personal
relationship with.

I guess I'm just opposed to having a society where people punish strangers for
not living up to their own moral codes. If we accept that someone reveals the
names of cheaters on the internet, then we are accepting a society where it is
okay to meddle in the most intimate parts of other people's lives, even if
their actions do not affect ourselves or society as a whole. This is wrong and
disgusting in the same way as it is wrong when vigilante "sharia patrols" roam
Muslim neighborhoods in London, to bring up an admittedly extreme example. It
is none of my business how other people lead their lives, even if I disagree
with their lifestyle, as long as their actions do not harm me or the society
as a whole. There is a reason we do not have a karma police.

~~~
ysv2
> It is none of my business how other people lead their lives, even if I
> disagree with their lifestyle, as long as their actions do not harm me or
> the society as a whole.

Willful deceit and endangering your spouse is not a "lifestyle choice", it's
wrong in an objective ethical sense.

Exposing your spouse to sexually transmitted diseases without their knowledge
harms society as a whole. In cases where it's a wife cheating on a husband,
forcing men to pay to raise children who are not their own harms society as a
whole.

I'm not in favor of this kind of vigilantism either, by the way. But I think
the relativism you express above, implying that cheating is a personal
decision without a victim, is desperately in need of a reality check.

~~~
ulrikrasmussen
I admit that "lifestyle" is bad wording which sounds way too apologetic
towards cheating. Of course there are victims, but society has still decided
not to make cheating a punishable crime, nonetheless. My point is that it is
not the duty of me to expose my fellow citizen, it is a private matter between
that person and his/her spouse.

------
jdalgetty
It gets me that so many people are basically saying it serves these people
right for using the service.

I don't think that it matters that this is a "cheating" site, your privacy
should still be guarded and it's not fair that all these people are being
exposed.

Secondly, I'd wager that many of the users sign up to use Ashley Madison for
the thrill of the idea and probably aren't actually cheaters themselves or
hooking up with other cheaters. A lot of the users are probably into the idea
of role playing or something similar.

It's just too bad because I think due to the nature of the site a lot of
people's private information is going to be leaked because this hacking group
thinks they are doing something righteous and justified.

~~~
aetherson
Lots of people who use the site may be "innocent" (because they didn't
actually do anything, or because they're in an open marriage or whatever). And
even people who are to one degree or other "guilty" are not as a class to be
declared guilty and given all the same punishment.

That said, while I can't necessarily judge any given _user_ of the site, I'm
pretty confident that the people _running_ the site are contributing to net
misery in the world. And certainly I think that it would fall within the realm
of justice for them to be (at least!) forced to turn the site off.

But I don't think that's the most likely outcome.

~~~
netcan
Liberalism is an idea that has a lot of weight on this site.

For some, it's libertarian kind of liberalism where people should be left to
make their own economic decisions. For others it's the social liberalism kind
where people should be allowed to decide for themselves what is a valid
marriage, or what drugs they will or won't put in their bodies.

Most flavors of liberalism have at their heart the idea that "The State" is
neither competent nor qualified to intervene in everything or make all
decisions on behalf of its citizens. The State is usually the belligerent, but
you could equally say "society" or a body like a twitter mob or a hacker
group.

We don't need to collectively decide whether or not this site should exist.
People should make their own choices.

There are a lot of things I think people shouldn't do and other people that
help them do that. I don't think people should join churches. But, the only
way I want to see churches close down is when people no longer choose to be
members.

This is a freedom issue, like speech. You don't look inside to make your
judgement. There is a right and a wrong here. The wrong is not the site.

~~~
TimJRobinson
Your style of marriage, your religion and what drugs you take are all
victimless crimes. Cheating on your spouse definitely has a victim which is
why it's much more of an issue than the others you've listed.

Most liberals are not anti state, but pro freedom as long as it doesn't affect
anyone else's life.

~~~
Flimm
Style of marriage, religion, drugs and cheating all do affect other people's
life, even harm, to varying degrees and definitions. There is no freedom that
doesn't affect anyone else's life.

~~~
wutbrodo
Right, up to and including eating a slice of cheesecake, which is why your
definition is useless. What we're discussing here is things that are harmful
to others _per se_. Theft, violating agreements (like cheating), etc are
obviously examples of this. Religion, drug use, open marriages are obviously
not.

The distinction here is kot

~~~
vidarh
Whenever someone claims something is "obvious" alarm bells go off for me.

For starters, cars are obviously harmful: People get killed in car accidents.

So clearly, it is insufficient that something causes harm for us to consider
them as harmful enough to argue against them on principle - at least for the
vast majority of us.

Are you going to argue that violating agreements is always harmful? Almost
always?

How do you quantify that harm? Why? Do you have any basis for assuming there
aren't people out there that e.g. just don't care? (because there certainly
are)

At the same time you claim drug use in the other category, despite the large
number of deaths tied to drug use. Religion has been the catalyst for massive
amounts of deaths too. To some of us religion are "obviously" harmful to
others _per se_. So clearly _your_ "obvious" statements are not objectively
obvious.

It becomes very hard to take your argument seriously when your "obviousness"
criteria are so obviously subjective and used to avoid having to justify your
claims.

~~~
wutbrodo
> For starters, cars are obviously harmful: People get killed in car
> accidents.

This comment is a truly impressive strawman. Strawmen abound in fora like HN,
and everyone (unwittingly or otherwise) is probably guilty of them here or
there, but this one is really worthy of note. You took a word ("obviously")
that _I didn't even use in my definition_ and claimed that I'm using it as a
"criteria [sic]" (as opposed to just using it with some simple illustrative
examples). I usually assume that perhaps I was unclear or that someone
misunderstood my comment, but you're not even attempting to pretend that
you're not wholly misrepresenting my comment so that you can attack a claim no
one made.

My actual definition (which you completely ignored) is that the definition of
harm is applied to things that are harmful _per se_. Note that I wasn't making
any statement about what I believe in, I was describing a distinction which is
fundamental to modern ethics and policy, all over the world. I'll ignore the
half of your comment that's impotently flailing at a claim _that no one made_
(as described above); The half that actually approaches coherency is an
attempt to devise a litmus test for what would fall under this definition and
what wouldn't (i.e. how do you discern things that are "inherently" harmful
from those that aren't, given that you can construct a scenario of harm around
literally every action anyone takes ("breathing is harmful if you take the
last gulp of air from someone's oxygen tank!!")).

TW: Use of the word "obvious"[1]

The obvious[1] litmus test here is: is it possible to conceive of an example
of someone performing the action without causing harm? To put it another way,
is the action separable from harm? This is quite obviously[1] true for the
examples given above: drug use, religion, etc. You can dream of (and many here
have probably experienced) a thousand instances of drug use and acts of
religion that harmed no-one else. This is in stark contrast to theft,
violating agreements, etc.

> Are you going to argue that violating agreements is always harmful? Almost
> always?.... Do you have any basis for assuming there aren't people out there
> that e.g. just don't care? (because there certainly are)

Are you kidding me? This is true by definition. Inasmuch as utility is
expressed by people making an agreement and wanting to hold you to it, the
violated party in the agreement is being harmed. Note that this makes no
statement as to whether _net_ harm is being done, and of course that this
entire comment is all under the assumption that the person being harmed in
each case is considered to have full agency as an adult (e.g., most people
wouldn't consider it harmful to remove something dangerous from your child's
possession, even though in the context of an adult possessor that would be
considered theft).

If I'm interpreting your latter statement correctly in the quote above, you're
talking about violating an agreement with the other party's consent? That's
not violating an agreement by any common usage of the phrase, that's just
mutually agreeing to call off an agreement.....The word violation makes it
clear that it's done without the consent of all parties involved.

> At the same time you claim drug use in the other category, despite the large
> number of deaths tied to drug use. Religion has been the catalyst for
> massive amounts of deaths too. To some of us religion are "obviously"
> harmful to others _per se_.

Sigh. You can't just put the words "per se" at the end of a sentence when you
don't know what they mean. Words have meaning. Use them with care. Christ.

You're preaching to the choir when you talk about finding religion to be
harmful overall. But again, it's not harmful _per se_. Using the litmus test
described above, an act of religion that harms no-one else is me praying
briefly before going to sleep. This act is easily separable from someone
killing someone else in the name of religion. I honestly never thought I would
have to explain this to anyone who wasn't a very small child (and even then, I
probably wouldn't have cause to talk about why people murder each other).

> It becomes very hard to take your argument seriously when your "obviousness"
> criteria [sic] are so obviously subjective and used to avoid having to
> justify your claims.

An interesting question here is whether a grade-school level of reading
comprehension unleashed in a forum full of (ostensible) adults is inherently
harmful. /s

[1] You apparently have an allergy to the word "obvious", so I'll clarify for
your benefit here. I'm saying this is obvious because the fundamentally basic
thought process described here is part of the underpinning of almost literally
every single moral system in the history of mankind (even the most theocratic
ones). Most of the differences between more dated moral/legal systems and
today is the level of bluntness we're willing to tolerate when deciding
whether an act is likely to be separable from harm.

------
tenpoundhammer
The possibilities are endless, I imagine someone will make this data easily
searchable and journalists will be digging through to find anyone of
notoriety that was dumb enough to sign up with their own names and credit
cards etc. This hack could create a ton of news stories, including record
divorce rates.

I'm curious as to how the ashley madison admins are killing these links? DMCA
takedowns? What's the mechanism for this?

~~~
cheald
There's another case to be considered here, too - people who have used the
site, got caught/came clean, did the work to fix it and have rescued their
marriages (or were doing it with the blessing of their spouse), and now are at
risk for their name being published for viewing by their coworkers, neighbors,
members of their church, etc as a "cheater", "adulterer", etc, even after
they've ostensibly paid their moral debt.

There is certainly a lot of karma coming to a lot of people who deserve it,
but there's also a lot of hurt coming to people who probably don't.

An unrelated thought: I can only imagine how giddy the staff over at Gawker
must be right now. This is like the David Geithner story times 37 million.

~~~
Asbostos
If your friends or coworkers abuse you because of their beliefs, then they are
the ones causing harm, not the person who informed them. You sound like you're
not giving full blame to those abusers or at least accepting that their
behavior is inevitable. If you're a member of a church which abuses
adulterers, and you don't think adulterers should be abused, then you're as
much to blame by supporting that stance with your membership.

~~~
reitzensteinm
I think you're making the mistake of treating blame in this instance as though
it has to add up to 100%, and blame on one party lessens it on another.

If my friend's dad hates gays, I tell him his son is gay knowing it's likely
to cause violence, then the father and I are both total pieces of shit. His
guilt does not absolve me in the least.

~~~
scoggs
Forgive my language but a saying I like to live by and I'll say to myself
quite often:

"You look like an asshole pointing out that somebody else is an asshole."

------
rm_-rf_slash
If you're going to cheat, expect to be caught. If your search for sex involves
putting any personal information online, definitely expect to be caught. If
you don't want to be caught, be careful, use pseudonyms, and protect yourself
from tracking.

Or just ask for a divorce.

~~~
spacemanmatt
Or an open relationship. There are many options people may choose.

~~~
crikli
Tobias: You know, Lindsay, as a therapist, I have advised a number of couples
to explore an open relationship where the couple remains emotionally
committed, but free to explore extra-marital encounters.

Lindsay: Well, did it work for those people?

Tobias: No, it never does. I mean, these people somehow delude themselves into
thinking it might, but ... But it might work for us.

~~~
spacemanmatt
Heh. Some people aren't up to it.

~~~
Karunamon
It requires a completely different mindset to relationships, most importantly,
two people with that same completely different mindset, it's counter to most
culture and how most of us were raised, but it can and does work.

Also, I find interesting the survivorship (or perhaps anti-survivorship?) bias
in a _marital counselor_ talking about how a certain arrangement doesn't
work.. what about all those people who never sought counseling because their
relationships are happy?

------
heimatau
So much for this. "AshleyMadison has become the last truly secure space on the
Internet." - AM's PR team. Source:
[https://www.facebook.com/photo.php?fbid=10153447889029655](https://www.facebook.com/photo.php?fbid=10153447889029655)

------
coldcode
People get hacked all the time but the data these folks failed to defend is
almost as bad as what the Feds lost. You can always repair your credit, get
new cards, even replace your money but you can never ever get back your
reputation or your family or the respect of others if you lose that. But
giving such a site this type of information (even if you were only curious) is
just asking for it to become public. The consequences can range from
embarrassment to divorce to losing children or even getting murdered. Whatever
the thrill it's not worth the risk.

I don't know how to implement such a thing, but failing to protect people's
information seems like it should be prosecutable. Maybe it's an impossibility
but I don't know how else to make people care about protecting private
information.

~~~
mikegioia
This is insane, you're saying Ashley Madison should be prosecuted for having
their data hacked? Do you have any idea what that means for the rest of the
world's websites? And to even make a claim that this is somehow worse than the
massively private information the Feds lost is laughable.

Do you know what data AM had on its users? Do you think it's even remotely
close to the data the Feds had on every single public sector employee in the
US? Should the US be prosecuted for losing that data? Should I be prosecuted
because my site got hacked through a 0-day?

Should KVM be sued for a bug that allowed for that hack? Should Linode since
they're the data center?

No, no one should be sued. If you want people to wake up about their private
information, then prosecuting the sites is in no way going to achieve that.
How about people themselves are the ones in the wrong for cheating, and not a
website that makes it easier. This is akin to blaming and banning alcohol
because someone drove drunk.

~~~
dreamfactory2
What's wrong with the idea of having limits on data collection and regulations
around their storage? You can't prosecute someone for being the victim of
hackers but you can (and should) for not applying reasonable efforts in
safeguarding data or storing more than they should.

~~~
superuser2
There is always someone on HN who thinks whatever data you're collecting is
too much, and plenty of hacks were the result of pretty sophisticated 0days in
underlying systems despite reasonable precautions being taken in
administration processes. There is already negligence on the books.

~~~
dreamfactory2
'Too much' isn't just some random person's opinion where it's all relative.
There are already plenty of examples of data regulation in governmental and
commercial contexts - from PII of minors, to PCI, to data residency, to what
companies are allowed to do in regions like Europe, Russia, and Asia.

All these hacks we are seeing of both public and private data are proving
increasingly damaging as more data is being collected and aggregated (whilst
as you point out, impossible to fully protect against).

This very clearly indicates an urgent need for far greater regulation of what
is allowed both in transit and at rest, as well as suitable penalties for
negligence. This should be a politically non-partisan issue as it's so wide
ranging, covering national security (e.g. Snowden, OPM) as well as comedy gold
in the commercial sector like Ashley Madison and more serious cases like
Target.

~~~
superuser2
Data regulation has to do with things like retention length, reasonable
precautions, the right to have your data deleted, the right to see what they
have on file about you, requirement that data be anonymized under certain
contexts, etc. There is not a clear bright line about what data is "too much"
for your application - that's a judgement call, and a nightmarishly vague and
technical concept for a jury to decide.

~~~
dreamfactory2
It also has to do with what kind of data is allowed in transit and at rest as
per the examples I gave which are all around legal and commercial regulatory
compliance. It has never been a free-for-all where operators use their
personal judgement. In several territories you need to be registered with the
government to collect certain kinds of data for a start.

But now we are at the point where there is sufficient data being collected and
aggregated (by both public and private orgs) that hacks can damage economic
infrastructure and harm wider society i.e. not limited to those who have
interacted with a particular entity. This means that light touch regulation is
completely untenable (quite apart from the general naivety of looking to the
market to solve problems it could not even theoretically be solved in the
marketplace when your infrastructure itself is toast).

------
jpredham
Also worth noting is the continuing evolution of the motivations behind hacks.
The impact team made a seemingly moral (subjectively, not objectively moral,
of course) when they could have likely blackmailed these users for money or
influence.

It's interesting to try to guess how these factions, each occupying some point
on the political/ideological grid, are going to look like in 10 years. My
guess would be that we begin to see more competition between them as well as
an increase in internal organizational structure.

------
Gustomaximus
Does anyone know if it would be illegal to look at and/or download this
information once it is publicly available? I guess this would vary by country
a bit. Would this count as 'possession of stolen goods' type thing? Seems
likely, though catching people or having the will to is another thing.

~~~
dogma1138
Illegal, also once you've compiled a data base of PII the laws governing
personal information apply to you so you can be screwed from both ways.

~~~
lawnchair_larry
So it's illegal to copy the phone book or class graduation lists?

~~~
dogma1138
Yes copying them is copyright infringement, if you build them from source
yourself then the rules governing PII apply.

~~~
koenigdavidmj
Phone books are not copyrightable.

[https://en.wikipedia.org/wiki/Feist_Publications,_Inc.,_v._R...](https://en.wikipedia.org/wiki/Feist_Publications,_Inc.,_v._Rural_Telephone_Service_Co).

~~~
dogma1138
In the US maybe not, in Australia Telstra had copyright on the information in
yellow and white pages till 2010, in the UK it's still protected by copyright
as far as I know.

UK Law: "original non-literary written work, eg software, web content and
databases"

Seems like the BT phone directory isn't protected however the database of
yellow pages is still protected.

------
sp332
[https://twitter.com/PreachySnow/](https://twitter.com/PreachySnow/)

> Do you know what some men do when they find out their wives have been
> cheating? They beat them. They kill them. They don't just leave. Also, users
> of Ashley Madison could lose their jobs. You know, their support system that
> allows them to take care of their kids. Millions of people being revealed
> for committing adultery isn't anything to rejoice about. This is not the way
> to handle such a situation.

~~~
caskance
And when that happens, it is the man's fault for reacting violently, or if
you're particularly callous, the wife's fault for cheating. The person who
reveals the truth is quite a ways down the blame list.

~~~
sp332
It's certainly the abuser's fault. But if you can avoid the situation by
literally doing nothing (not leaking the info) then you might have a moral
responsibility if you do it. And a lot of people think leaking would be a good
thing, but they generally only think of breakups and don't consider violence.

~~~
caskance
That kind of cowardly pseudoreasoning allows those who are willing to threaten
violence to get whatever they want effortlessly.

~~~
sp332
These are the two points:

    1. Millions of people being revealed for committing
       adultery isn't anything to rejoice about.
    2. This is not the way to handle such a situation.

Neither of these are cowardly, and neither of these give anything to people
threatening violence. Outing someone to their abusive partner is clearly
morally wrong.

------
sandycheeks
Most private investigators must be spending their Sunday night trying to get
everything they can on this. They can and will make money on this data.

EDIT: Spelling

~~~
cowpewter
Most private investigators make all their money gathering evidence on worker's
comp fraudsters for big insurance companies. My dad's been a licensed PI for
over 25 years now and domestic cases are few and far between (maybe 1-2 per
year) because Mrs Smith pissed off about her cheating husband doesn't have the
cash that Bigco Insurance does and PIs charge by the hour. The insurance
company has the cost of hiring a PI for 3-4 days so they can win fraud suits
with the video evidence built into their cost structure. Unless the payout
from a prenup is really big, it's not going to be worth hiring a PI to follow
your husband around after work for a week.

(Sidenote: If you're ever dumb enough to try to commit worker's comp fraud,
you'd better keep up the act everywhere. Don't limp pathetically to and from
your car at the doctor's office, then get home and work on your car or jump on
the trampoline you have in your backyard. True story.)

~~~
Lawtonfogle
As to the sidenote, it must suck for the people who have periodic pain bad
enough for them to be unable to hold a manual labor job but who can still have
bouts of living a normal life. Either they have to forgo the moments of
freedom they receive or risk losing any disability.

~~~
cowpewter
Eh, it's not longterm disability cases that the insurance companies hire PIs
on. Hiring a PI is expensive. The insurance companies don't do it until they
are already positive the person is defrauding them. The percentage of cases my
dad's worked where the claimant was not very obviously faking is vanishingly
small. Like less than 0.5%.

By the time the PI is involved, the insurance company is already ready to sue,
they just want extra evidence to solidify their case. They're nearly all acute
injury cases - "I slipped and fell at work, and now my back's out and I can't
work for six months" and they hobble their way into the doctor's office
leaning on a cane when less than an hour ago they were doing heavy yard work
(or jumping on said trampoline!) with no difficulty.

Believe me, I have sympathy for people with chronic pain/invisible illnesses.
I have fibromyalgia, my mom has myasthenia gravis. We are not the kind of
people that wind up with PIs following them around with a camera.

------
Jugurtha
As much as I admire and respect the United States and its people, I can't be
but amazed by the reactions to sex stories.

I have the impression that you can get away with anything, except sex. You can
get away with incompetence, dilapidating tax payers' money, corruption,
invasion of privacy, aggression on sovereign countries, authorizing torture,
brutality, injustice. Big deal. Few care, and if they do, there are no
consequences and no apologies. But God help you if your sex life is slightly
different than what people say should someone's sex life be, it's the end of
the world.

I found the whole Tiger Woods thing to be incredibly stupid. Apologizing to
people you don't know because you slept with someone else than your wife. How
exactly did several million people become part of the family?

I don't know why, but sex seems to be such a big deal in the U.S. media. You
can shift the country's attention from something really important because the
President enjoyed oral sex. Nevermind recording a conversation you're having
with your friend.

Really.. How important is it to the nation which person is the President
having sex with? It puts important things (like "Is he doing his job well?")
to the background. "He's utterly incompetent, but he's never cheated on his
wife and he's good people". Why would I care if he's having orgies if he's
doing the job he was elected to do: doing everything for the interest of the
people and the country.

Petraeus comes to mind, too. I mean a four-star General. Highly decorated.
Going down for an extramarital affair. Seriously? Everything else he's done
has the same weight and importance as "this"? The only thing it should have
impact on is his family life, why should his career and public image suffer?
Isn't this invasion of privacy from the public? And if we can tolerate this,
shouldn't we tolerate that the Government spies on us and exposes what we do,
in the media. Your dirtiest little secrets.

How come this phoniness and hypocrisy goes accepted? Politicians boasting
"family values" shaming others for cheating while they themselves cheat.
Boasting "family values" as an argument against same-sex marriage while you
cheat on your husband/wife?. People pulling religion and abstinence stunts
only to be discovered to be human after all and enjoying someone's body from
time to time...

Why can this be used as ammunition by people who do it themselves, and how can
the public opinion fall for these shaming campaigns by people who aren't clean
from them.

How come whenever it's about cheating, it's mostly the men politician? Do you
mean women don't cheat?

I simply don't understand how a country as developed as the U.S. can have the
priorities organized in such an interesting way: 1- What X's sex life.
2-Everything else. Is it normal that people behave like 5 year olds seeing a
vagina for the first time.

~~~
cheald
In our leaders, cheating on one's spouse is problematic (and plays well in the
media) because it is an extremely clear-cut example of being willing to
violate one's most sacred vows for one's personal pleasure or convenience -
not a quality that engenders much confidence in said leader's ability to honor
the vows they made to serve the interests of their country and her citizens.

Many of the other things you listed - corruption, incompetence, invasion of
privacy, aggression on other countries, torture, brutality, injustice - are
all potentially explainable as at least well-intentioned or misunderstood or
justified by the ends. Violation of marriage vows, on the other hand, doesn't
have a lot of wiggle room.

~~~
forgottenpass
Your argument is basically circular reasoning. You say the cultural attitude
is based on the unambiguity of violating one's commitments. But the very
amount of ambiguity and "wiggle room" we find in marital infidelity compared
to corruption, torture, etc... is itself a product of American cultural
standards.

Culture is self-reinforcing, but you didn't explain why those standards exist,
you've just shown how they get perpetuated from person to person.

\---

Breaking marriage vows is an extremely clear-cut example only because of the
massive weight Americans put on marriage vows in the first place. The society
could put less weight on them and look at cheating in a "don't be nosey, they
could have an open relationship" sort of way.

Sounds crazy right? But this is closer to the level you have to look at these
things.

How did American society get so there was wiggle room around torture and other
war crimes? Certainly those could be a "known or should have known" attitude
towards prosecuting government officials, or at least becoming a disgrace with
no option but to resign. We use "wiggle room" to accept a level of criminality
in the politically connected class that would give a district attorney a field
day if it were committed by everyday street gangs.

~~~
TheOtherHobbes
There's no such thing as a legal open relationship.

Maybe there should be. I think the world would be a happier place if people
who aren't naturally monogamous didn't have to pretend to be - to themselves,
or to anyone else.

The space in that place is a natural sticky area for sociopaths who enjoy
lying and hurting people. Making "poly" an explicit orientation would make
that space smaller and save everyone a lot of confusion.

But marriage is as much about property, taxes, and inheritance as it is about
sex. That's the real reason it's a binary in/out yes/no state. And it's
difficult to make those elements work when there are multiple people involved.

That aside - yes, it definitely is weird that starting wars and torturing
people gets by with a nod and a wink, but infidelity brings out the howler
monkeys. I think the reason is because virtue in America is defined by heroic
force projection, greedy accumulation of resources, and dominance over enemies
and the weak.

If you look like you're doing that, it's all fine. Having sex with people you
aren't married to doesn't fit into that, so it gets big downvotes for weak
self-indulgence, and - most of all - for leaving you vulnerable to a
counterattack on your status and reputation.

~~~
dsp1234
_There's no such thing as a legal open relationship._

Can you tell me which law an open relationship would be breaking in the state
of Oregon?

------
JohnTHaller
Krebs is down again, so here's a link to the Washington Post coverage:
[http://www.washingtonpost.com/news/morning-mix/wp/2015/07/20...](http://www.washingtonpost.com/news/morning-mix/wp/2015/07/20/online-cheaters-exposed-after-hackers-access-ashleymadison-hookup-site/)

TL;DR: Hackers took basically all data from cheating site AshleyMadison.com
and what the hackers claim is a human trafficking/prostitution site
EstablishedMen.com, have released some of real
names/addresses/photos/profiles, and are threatening to release all 37 million
personal records if the company doesn't take both sites offline.

------
amyjess
Krebs has a bunch of information on this:
[http://krebsonsecurity.com/2015/07/online-cheating-site-ashl...](http://krebsonsecurity.com/2015/07/online-cheating-site-ashleymadison-hacked/)

It's recently been updated with a statement by ALM.

------
duncan_bayne
The one group of people for whom I feel exactly no sympathy in all of this is
the owners, investors and employees of AshleyMadison.

Anyone who creates a site specifically to encourage and facilitate adultery
deserves everything he or she gets.

~~~
jarman
I don't have problem with 'encourage and facilitate' - blame lies 100% on one
committing adultery.

But they deserve being hunted down by lynch mob of defrauded cheaters for that
removal fee extortion.

~~~
duncan_bayne
How does that work? If I sell you a gun knowing you're going to commit murder
with it, am I not also morally culpable?

~~~
jarman
Adultery is contract breach - you are not culpable unless you are part of that
contract

Murder is rights violation - you are in 'contract' by being human in society -
you always can be culpable

~~~
duncan_bayne
I think you may be confusing moral culpability with legal culpability.

If you encourage someone to commit adultery, you are morally culpable, just as
if you encourage someone to commit murder, you are morally culpable. The only
difference is that, in the case of murder, you are also _legally_ culpable.

~~~
jarman
No, I am not, I was talking purely from morality standpoint.

>If you encourage someone to commit adultery, you are morally culpable

Apparently we just happen to have different views. For me, adultery
encouragement is unsympathetic act, but does not fit criteria for being
amoral.

------
beedogs
It couldn't have happened to a more deserving site.

~~~
simplexion
Why is it deserving of this? Genuinely interested.

~~~
Asbostos
Cheating can cause a lot of emotional harm. Imagine a site for people to
commit minor sexual assaults and publish the pictures of the victims. That
would be easier to think of as deserving of being hacked though neither is
causing tangible physical harm.

The article also gives the reason that they apparently falsely sold customers
a "delete your information" fee without actually deleting it. That kind of
fraud can only really be exposed by hacking or whistleblowing.

~~~
sneak
Cheating is legal. Publishing people's PII is not.

~~~
Asbostos
Being illegal doesn't necessarily make it more wrong. Those laws are quite
peculiar to this time and country. You could say that the laws in a democracy
reflect what the people feel is right and wrong, but only on a very coarse
level. There are bound to be laws that the majority disagrees with, as well as
actions which people agree are wrong but individual cases are so complicated
the law wouldn't really be able to handle them, so they're allowed.

~~~
egeozcan
> Being illegal doesn't necessarily make it more wrong. Those laws are quite
> peculiar to this time and country.

It does make it more wrong, without getting into personal opinions. Morals
vary even more across communities, cultures and countries. It's a fallacy to
think yours is universal.

------
Animats
Waiting for the names of politicians with accounts to appear in the press.

------
flippinburgers
Cheating is not cool, but acting like all of the users of that site "deserve
it" is such a horrendous broad stroke. It just reeks of White Knight BS. Every
last person on earth struggles with balancing their own inner desires against
the expectations of the society around them. Some are better at this than
others. I'm glad some of you are such perfect little angels that you feel that
wrecking other people's lives is ok. I've been cheated on before. It was fucking
god awful but I wouldn't expect that the other person's life be destroyed as a
result. Relationships are WAY more complex than some holier-than-thou promise
that people make to one another.

------
jjuhl
I don't get why people get so worked up over this. Yes, people have affairs; so
what? It's fun and everyone likes to have a bit of harmless sex with new
people once in a while. No big deal.

------
barbs
Where was the information published? Couldn't find it anywhere...

~~~
Gustomaximus
Haha, I'm going to be very tempted to cross reference the data to my personal
contacts if this information goes public. It's probably better not to know as
many friends you know the partner also and it could put yourself in an awkward
position.

------
fapjacks
Cross-referencing the dump from this hack with the OPM dump containing a list
of everyone with TS/SCI clearance... Now _that_ is a very handy bit of
information.

------
ArtDev
I may not like the idea of the site, but it wasn't until I started seeing ads
for it, that I started hoping for its downfall.

My wish was granted!

~~~
ArtDev
Here is a banner ad I am referring to:
[http://thehairpin.com/wp-content/uploads/sites/3/2011/04/1-7...](http://thehairpin.com/wp-content/uploads/sites/3/2011/04/1-74-percent-affair.jpg)

~~~
rue
Me, I have an adblocker and let other people do what they want to do.

------
kendallpark
What a blow for this company. What is the more ethical decision for a company
in an ethically questionable business: shutting down the site and letting the
hackers have their way, or allowing the hackers to release tons of private
data?

I feel a class action law suit on its way...

~~~
tedunangst
Hire assassins to kill the hackers.

~~~
kendallpark
Two wrongs don't make a right, but three do!

~~~
CapitalistCartr
Three lefts do.

------
miesman
Perhaps it's a weakness on my part but it's difficult for me to see this as
anything other than karma

------
emmapersky
It seems that no one is making the distinction between actually having an
affair and simply the fantasy of it that most of these members probably engage
in.

I would guess that of those 40m members only a small handful have ever engaged
in an affair through the site.

------
rbanffy
Engadget has some coverage too
[http://www.engadget.com/2015/07/20/ashley-madison-hack/](http://www.engadget.com/2015/07/20/ashley-madison-hack/)

------
joeevans1000
Apparently, there is data from all around the world. I hope it's realized that
some countries punish cheating by corporal punishment or worse. If the data is
published, I hope the data of users from those countries are removed.

------
killface
Assholes attacking other assholes online? Meh, I'm not going to lose any sleep
over it. Some of them will get what they deserve (personal opinion, of
course), on both sides.

------
cm2187
Another nail in the coffin of the confidence in the IT industry. It starts to
look more like a porcupine than a coffin now.

~~~
Gigablah
Your purview of the "IT industry" is pretty narrow.

~~~
cm2187
Well, does it matter to the end user whether it is a flash or OpenSSL
vulnerability, a sql injection vulnerability, a weak password or simply a
careless employee who didn't check the URL before entering a password?

It is a long chain in which every single link has shown to be weak so far.

~~~
ionised
You're talking about network security, which is a very small subset of IT.

------
markgavalda
Let the bitcoin extortion begin... :-/

~~~
stephengillie
Would it be better if the extortion were in Euros or Yen?

~~~
mahouse
Who would be so stupid to try and extort people using those currencies?

~~~
tinkerrr
Extortion predates Bitcoin

------
MeNotMe
Two points:

1. Encrypt all database data, decrypt in application.

2. If you only do perimeter defense, you're doing it wrong.

~~~
someDevOrOther
Regarding the first point, how would that help? The password has to be stored
in the clear on the server. If an adversary got control of the box, then the
adversary would get the password. And secondly, how would you search a
database full of encrypted data? Homomorphic encryption isn't ready for prime
time as I understand it.

~~~
MeNotMe
1. It's much easier to compromise a DB into a dump with injection,
insufficient access control etc. than dump the db, find out it's encrypted,
then hack the app servers and find a key somewhere in the binary.

2. You can use key distribution schemes to the app servers.

3. If you need to 'live' search in personal data you're doing it wrong. You
can move search to a fulltext engine for the stuff you really need, which is
more difficult to dump and reassemble. E.g. if you search for city, you only
have primary keys and cities in one system.

4. You should also not keep profiles, personal data and other data on one
server. Compromising one of the access paths will compromise all your data.
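
An added illustration of the design in the comment above (not part of the thread and not any site's real code): profiles are encrypted in the application with AES-256-GCM before they reach the database, and city search runs against a separate index that holds only cities and primary keys. The `Store` type, its method names, the key handling and the sample record are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

type Profile struct{ Name, Email, City string }

// Store: db holds only ciphertext rows; cityIndex (search) holds only cities and ids.
type Store struct {
	aead      cipher.AEAD
	db        map[int][]byte   // primary key -> nonce || ciphertext || tag
	cityIndex map[string][]int // city -> primary keys
}

// NewStore takes a 32-byte AES-256 key (assumed to come from a key service, never the DB).
func NewStore(key []byte) (*Store, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Store{aead, map[int][]byte{}, map[string][]int{}}, err
}

// Put encrypts in the app; the id is bound as associated data so rows cannot be swapped.
func (s *Store) Put(id int, p Profile) error {
	plain, _ := json.Marshal(p) // cannot fail for a struct of strings
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	s.db[id] = s.aead.Seal(nonce, nonce, plain, []byte(fmt.Sprint(id)))
	s.cityIndex[p.City] = append(s.cityIndex[p.City], id)
	return nil
}

// Get decrypts one row and fails if it was tampered with or moved to another id.
func (s *Store) Get(id int) (p Profile, err error) {
	row, n := s.db[id], s.aead.NonceSize()
	if len(row) < n {
		return p, fmt.Errorf("no row %d", id)
	}
	plain, err := s.aead.Open(nil, row[:n], row[n:], []byte(fmt.Sprint(id)))
	if err == nil {
		err = json.Unmarshal(plain, &p)
	}
	return p, err
}

// SearchCity answers a search without reading or decrypting any profile.
func (s *Store) SearchCity(city string) []int { return s.cityIndex[city] }

func main() {
	key := make([]byte, 32)
	rand.Read(key) // throwaway demo key
	s, _ := NewStore(key)
	s.Put(7, Profile{"Alice Example", "alice@example.test", "Toronto"}) // constructed record
	fmt.Printf("dumped row: %x\nsearch hits: %v\n", s.db[7], s.SearchCity("Toronto"))
}
```

A dump of `db` alone yields only opaque rows, and a dump of `cityIndex` alone yields only cities and ids; reassembling a profile needs the key held by the application tier.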

------
evandrix
so where's the leak @? .torrent / pastebin ?

------
curiousjorge
the company was “working diligently and feverishly” to take down ALM’s
intellectual property.

I don't think the CEO understands how extortion works on the internet. If
anything, their failure to protect its users will result in a lot of divorces
and sad kids. Even people who probably signed up out of curiosity are going to
have a tough time explaining it to their spouses. The only option here is to
shut down AM, but that seems unlikely given their history.

CEO thinks it's an inside job boy we've heard this line over and over after a
massive leak. Hacking Team used it. Sony used it. It's not even taken
seriously anymore. If a former employer is being scapegoated, he's about to
make serious bank by suing his employer. There's no way to prove or even
attempting to question him would immediately be liable for defamation.

If it is true that "powerful and rich people" are now going to have to
divorce, give up half of their wealth to their spouse, I think ALM has bigger
things to worry about in the form of class action lawsuits. The only outcome
that makes sense is for AM to shut down.

------
smpetrey
[https://twitter.com/ftrain/status/623095490226159616](https://twitter.com/ftrain/status/623095490226159616)

~~~
NullCharacter
How is full name, address, credit card information, and private pictures and
messages considered "just metadata"?

Nothing about that is metadata.

~~~
acqq
Imagine private pictures and messages not published. Then, full name, address
and credit card information are actually "just" metadata, by the definition
we've often heard from the officials. And publishing that is more than enough
for those involved to really worry, that's the idea behind the message.

Moreover, the article states "the company didn’t provide information on how
much data might have been compromised." Where did you get the info that
private pictures and messages are available?

~~~
NullCharacter
I might be able to bite on full name/address (considering it's what you'd see
on an envelope) but the context is important. The fact that Person A sent a
letter to Person B on this can be considered "just" metadata. But certainly CC
information couldn't be classified as such, and again, context is important.

~~~
acqq
The context is what the message is all about. Just the presence of the names
on the given site is enough. And can you please quote how you know that the
private messages and pictures are to be published too?

~~~
NullCharacter
I agree with you. The presence of the names on the site transcends "metadata"
at that point.

As for your request, straight from the horse's mouth (the hackers): "We will
release.... all the customers' secret sexual fantasies, nude pictures, and
conversations..."

Source via Krebs:
[http://krebsonsecurity.com/wp-content/uploads/2015/07/impact...](http://krebsonsecurity.com/wp-content/uploads/2015/07/impactteam-580x657.png)

Is that sufficient?

------
dummy7953
Someone's getting a divorce for Xmas!

------
ocfx
Good. I hope the company goes bankrupt. People murder other people and kill
themselves over shit like this.

~~~
philwelch
People who commit murder and suicide over their insecurities and jealousies
are responsible for their own actions.

~~~
pyre
How is this any different than creating a site that is a "marketplace" for
cheating on your tests/essays/whatever in University? The cheaters are
responsible for their own actions, right?

~~~
gdubya
because that is illegal

~~~
cheald
It's almost certainly a violation of the school's code of academic integrity,
but illegal? Doubtful; nobody goes to jail for cheating on their exams.

