
Who Hacked Ashley Madison? - david_shaw
http://krebsonsecurity.com/2015/08/who-hacked-ashley-madison/
======
philangist
> They said Avid Life employees first learned about the breach on July 12
> (seven days before my initial story) when they came into work, turned on
> their computers and saw a threatening message from the Impact Team
> accompanied by the anthem “Thunderstruck” by Australian rock band AC/DC
> playing in the background.

This reads like a scene straight out of Hackers or some other campy tech
movie. Life imitates art.

~~~
vezzy-fnord
It's art imitating life. Old school warez, demoscene and hacker groups have
always had a very "campy" countercultural aesthetic to them. _Hackers_ the
film doesn't hold a candle to the real-life cDc. These types of groups are a
dying breed, though.

~~~
flycaliguy
There is some academic writing on the subject I can't find at the moment.
Basically the idea that Hackers are the modern day tricksters of mythology.
Sneaky, morally ambiguous, possessing mysterious powers over our surroundings.
It's important to be over the top and silly with your hacks.

~~~
biella
Might be Hacker Hoaxer Whistleblower Spy, which I wrote
[http://www.amazon.com/Hacker-Hoaxer-Whistleblower-Spy-Anonym...](http://www.amazon.com/Hacker-Hoaxer-Whistleblower-Spy-Anonymous/dp/1781685835)

I do raise the trickster there. You can find a pdf of it out there too if you
google for it.

------
smtddr
I don't condone this hack, but morals/ethics aside for a moment:

The one positive thing this hack has done is really give serious ammo to the
battle for online privacy, because the demographic hit by this hack is the
most politically & economically powerful demographic in the world....

~~~
vezzy-fnord
I'd argue the opposite. The AM hack hasn't helped at all, since enough people
view it as a just retribution due to it being about a pet moral value that is
held dear, namely marital fidelity. And to others, it's all a big joke.

The cheating cheaters (who likely never got the opportunity to cheat) have
been named and shamed, and because of those asserting that it's acceptable to
do this if it strokes their personal moral vendetta, then this type of
chilling privacy violation is on its way to being normalized.

~~~
x5n1
The future is a future where no semblance of privacy exists.

In the year 3000:

"Truth about the ugliness of the human race will finally be revealed when
every single detail about anyone's life is public knowledge available to all."

~~~
Tloewald
Once privacy disappears we can actually base our morality on data rather than
wishful thinking. It's the transition period (i.e. now) where we have pretty
arbitrary morals largely based on ancient religious texts, etc. and we're
finally getting _actual_ data on what people actually do that is the nasty
part.

E.g. we know that rich people have always obtained abortions, used illegal
drugs, and had promiscuous sex, but public morality and social mores were
constructed entirely on the fiction that this was the exception and not the
rule.

~~~
thret
These aren't arbitrary just because they are enshrined in religion and custom.
Before the pill, women couldn't sleep around without fear of getting pregnant.
Before condoms, people couldn't sleep around without fear of STDs. Before DNA
testing husbands couldn't be sure they were the father of their own children
if their wife had an affair. Before modern medicine, abortion carried a
significant risk of complications - potentially death.

We are adjusting our social values in response to advances in technology.

OTOH, lying, cheating, and betraying those closest to you will never be
acceptable. I think we will simply move towards a state where open marriages
are much more common.

~~~
Tloewald
Back when sex always entailed a chance of pregnancy, food was scarce, disease
was a mystery, we lived in small tribes, etc. etc. many of these rules may
well have made sense. Survival heuristics got encoded as religion, which was
then horribly misinterpreted, and adhered to long past its point of utility.
Now these rules aren't random, but they are pretty arbitrary.

Consider that our hangups about sex are tied to a sense of right and wrong
that comes down to food scarcity (and other base needs, such as safety from
predators) and reproductive rights. So we've got a bunch of people who treat
sex as having moral significance owing to a survival/economic importance that
no longer exists.

When sex first became disconnected from reproduction we had a "sexual
revolution" where people tried to act as if the underlying rules and norms had
changed overnight and there were horrible repercussions, but that's not
because there's something intrinsically correct about our current (or recent
past) sexual mores. Rape within marriage used to be just fine (indeed, it only
became illegal throughout the US in 1993).

------
tempVariable
I know it's a giant long shot, and Zhu is not using his own IP/ISP, but
could the FBI use the screenshot showing his desktop with Twitter, Youtube,
Google and do an intersection of IPs on those services for the pattern that
matches his use on those services? The twitter user Zhu, who listened to
Thunderstruck and went to Google within a time period.

_edit: I'd like to have 1% of the $500k bounty wired in Dogecoins please_

~~~
unreal37
I'm going to guess that if the NSA was at all interested in this guy, they
know exactly who he is already. But they're probably not.

------
lawl
So Krebs has no conclusive proof for anything?

As he himself admits:

> _It is possible that Zu is instead a white hat security researcher or
> confidential informant_

Jeez, how about talking to the police and let them do their job, or at the
very least censor the name.

This is just a witch hunt.

~~~
ChuckMcM
Unclear if it's a witch hunt or if Krebs wants to be on record with his
reasoning in order to secure some of that $500K bounty if it turns out to be
this guy?

I've never figured out how they actually decide who gets what if they have to
split that up.

~~~
lawl
He could have not posted the twitter handle but a hash instead?

echo "The Twitter handle Brian Krebs anonymized in this blog post is..." |
sha256sum

There you go, you can prove it to anyone at any point in time.

~~~
dougk16
Not familiar with Twitter, but if you can easily get all or most handles
through their API or scraping then wouldn't it be easy to brute-force reverse
the hash?

Edit: Maybe add a private salt?

Edit again: Oh, missed that "The Twitter handle Brian Krebs..." is effectively
the private salt, nevermind.

~~~
slig
Probably one should do something similar to this:

echo "The Twitter handle Brian Krebs anonymized in this blog post is @user and
this a random salt qF7KKAUxtrEtQbnj4LPkUZM4." | sha256sum

~~~
biot
The inclusion of a salt only protects against precomputed hashes. It makes
almost no difference to how many millions of hashes one can perform per
second.

~~~
Ded7xSEoPKYNsDd
I think the idea is not to publicize the salt. The proof still works (after
both user name and salt are publicly known), but a dictionary attack with all
twitter handles won't work.

~~~
zaroth
Exactly. If you publish just the digest of "HMAC(salt,handle)" and want to
find a new salt in order to fill in a different twitter handle but with the
same digest, this is called a pre-image attack -- finding a message with a
specific hash value, with a time complexity of 2^n.
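
The commit-and-reveal idea this subthread circles around (lawl's sha256sum one-liner, slig's salted version, biot's objection about hash rate, and zaroth's HMAC framing), written out as an added example; it is not code from the thread or from the Krebs article. It uses Python's standard hmac and secrets modules; the handle list, the handle @user, and the attacker's salt guesses are constructed sample data. The keyed digest is what gets published on day one; the salt and handle are revealed later. Until then, an attacker holding a list of every Twitter handle still has to guess a 128-bit salt per candidate, which is the part the unkeyed "public sentence plus handle" version lacks, since that sentence is printed in the comment itself.

```python
"""Keyed commitment to a Twitter handle: publish the digest now, reveal later.

Added example, not from the thread or the article. The handle list and the
attacker's salt guesses below are constructed sample data.
"""
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# The "salt" in the first one-liner is a sentence anyone can read, so it gives
# no secrecy: it only changes which digest an attacker has to compute.
PUBLIC_PREFIX = "The Twitter handle Brian Krebs anonymized in this blog post is "


def commit_unkeyed(handle: str) -> str:
    """SHA-256 over a public sentence plus the handle (the unkeyed proposal)."""
    return hashlib.sha256((PUBLIC_PREFIX + handle).encode()).hexdigest()


def new_salt() -> str:
    """128-bit random salt, generated with a CSPRNG and kept secret until the reveal."""
    return secrets.token_hex(16)


def commit_keyed(handle: str, salt: str) -> str:
    """HMAC-SHA256 keyed with the secret salt; this hex digest is what gets published."""
    return hmac.new(salt.encode(), handle.encode(), hashlib.sha256).hexdigest()


def verify_reveal(handle: str, salt: str, published_digest: str) -> bool:
    """Reveal step: anyone can recompute the digest once handle and salt are known.

    compare_digest is used so the check does not leak via timing."""
    return hmac.compare_digest(commit_keyed(handle, salt), published_digest)


def attack_unkeyed(published_digest: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack on the unkeyed scheme: one hash per candidate handle."""
    for handle in candidates:
        if hmac.compare_digest(commit_unkeyed(handle), published_digest):
            return handle
    return None


def attack_keyed_without_salt(published_digest: str, candidates: Iterable[str],
                              salt_guesses: Iterable[str]) -> Optional[str]:
    """Dictionary attack on the keyed scheme when the salt is still secret.

    The attacker must pair every handle with a salt guess; with a random
    128-bit salt the guess space is hopeless, so this returns None."""
    guesses = list(salt_guesses)
    for handle in candidates:
        for salt in guesses:
            if hmac.compare_digest(commit_keyed(handle, salt), published_digest):
                return handle
    return None


if __name__ == "__main__":
    # Constructed sample data: a small "all Twitter handles" list.
    handles = ["@alice", "@bob", "@user", "@carol"]

    # Unkeyed: the public sentence is known, so the dictionary attack succeeds.
    print("unkeyed recovered:", attack_unkeyed(commit_unkeyed("@user"), handles))

    # Keyed: publish the digest, keep the salt. Dictionary attack fails.
    salt = new_salt()
    published = commit_keyed("@user", salt)
    print("published digest:", published)
    print("keyed recovered:", attack_keyed_without_salt(
        published, handles, ["", "salt", "qF7KKAUxtrEtQbnj4LPkUZM4"]))

    # Later reveal: the digest proves which handle was meant all along.
    print("reveal verifies:", verify_reveal("@user", salt, published))
    print("wrong handle verifies:", verify_reveal("@bob", salt, published))
```

The design point is that secrecy comes from the salt's entropy, not from the hash being slow: a single SHA-256 per candidate handle is cheap, which is biot's point, but with a secret 128-bit key there is no per-handle computation that settles the question. The reveal is also binding in practice, since producing a second (handle, salt) pair with the same HMAC-SHA256 output would require breaking the hash.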

------
LordKano
My reaction is still mostly schadenfreude.

If/when these people are caught, they should face the consequences of their
actions but I'm not going to wrap paranoia over my own peccadillos in fake
outrage over internet privacy.

I'm opposed to people doing unauthorized things with other people's property
on general principles. I'm far more concerned with the IRS's data breach
because every victim was legally compelled to submit certain personal
information to the IRS. Everyone on Ashley Madison was there voluntarily for
nefarious purposes.

Catch them and prosecute them but don't cry crocodile tears either.

~~~
dhimes
Agree. But if I understand correctly, the _purpose_ of the hack was to take
down a website that was ripping people off and, in the minds (if not
experience) of the hacker(s), a scam.

In a way, it's not unlike Snowden's revelations. Yes, it was illegal. Yes,
some people are embarrassed. But the intent, in the long run, is actually to
_protect_ those people.

And, regrettably, the fact that sex secrets were exposed is likely to alert
much more of the population to the real dangers of privacy erosion than
Snowden's revelations.

~~~
isaacremuant
Read the "Time's up" message they wrote. They pretty much speak in a righteous
way to the signed up people. They tell them to "atone and move on" or
something of the sort.

This reads to me more like "power trip" than anything else.

~~~
d23
People's motivations for doing things are never cut and dried. Yes, an amount
of ego may have snuck in there, but they may have also genuinely thought they
were doing a Good Deed.

------
signaler
The old narrative of vigilante justice in the hacker set is getting
repetitive. I wish reports weren't so biased to use 'hacker' in their stories
because it forever connotes hack with something unsavoury. This is an infosec
breach, not a hack. The 'Impact Team' even said they did not have to try that
hard. Any good hack has hack value, and the only reason AM was booted offline
was because it happened on their clock, and not the clock of any other
{random} internet database. This could have been any site. Also I wrote this
small piece on hackerdom and what paths we can take if we are inclined to
hack: [http://blog.higg.im/2015/05/27/hacker-with-lots-of-free-time...](http://blog.higg.im/2015/05/27/hacker-with-lots-of-free-time-what-are-you-doing-about-that/)

------
GigabyteCoin
> To say that Zu tweets to others is a bit of a misstatement. I have never seen
> anyone tweet the way Zu does; he sends hundreds of tweets each day, and while
> most of them appear to be directed at nobody, it does seem that they are in
> response to (if not in “reply” to) tweets that others have sent him or made
> about his work. Consequently, his tweet stream appears to the casual observer
> to be nothing more than an endless soliloquy.

Perhaps that's all Zu is? A bot, or a covert chat channel of some kind.
Perhaps prime numbered words from every third tweet contain the real message,
or something like that?

~~~
fowkswe
It seems like the tweets are selectively pulled responses from a chat stream.

------
hackuser
Hmmm ... is it appropriate for Brian Krebs to dox this person (at least to
some extent), in a much more public forum than someplace like 4chan, because
Krebs suspects him or in order to compel him to talk to Krebs?

------
deadlycrayon
This is pretty poor journalism. Reminds me of the reddit Boston bombing
witchhunt. Note that in the comments, Krebs had to be "reminded" to reach out
to Thadeus Zu for comment.

~~~
rememberlenny
He was being reminded to post about reaching out.

------
graycat
Can we also ask, HOW did they hack Ashley Madison?

~~~
smtddr
[http://digg.com/2015/ashley-madison-hack](http://digg.com/2015/ashley-madison-hack)

Not a complete answer, but:

_"MOTHERBOARD: How did you hack Avid Life Media? Was it hard?

The Impact Team: We worked hard to make fully undetectable attack, then got in
and found nothing to bypass.

MOTHERBOARD: What was their security like?

The Impact Team: Bad. Nobody was watching. No security. Only thing was
segmented network. You could use Pass1234 from the internet to VPN to root on
all servers."_

~~~
graycat
Wow! It's easy to make jokes, but actually this is serious -- a lot of people
are going to be hurt, and so far already two have died.

Sounds like AM's computing was all f__ked up! In US Army terminology, FUBAR.
Or SNAFU. Gads.

Wonder how AM paid, maybe I should say, _compensated_, their server farm
system administration staff? Their server farm security was _wide open_?

Should the users have expected something else?

~~~
sbierwagen
1.) They could be lying.

2.) My read is that, instead of _no_ security (or else AM would have been
compromised instantly by script kiddies), they used manufacturer default
passwords on internal firewall appliances.

------
lifeisstillgood
This seems awfully meta - as the AM hack revealed 30m people to have lost any
real privacy in the digital age, the person seemingly / likely / possibly
responsible is hunted down and much of his life laid out like a private
investigator's report through his digital trail.

It's curious - we are all being affected by the new digital pollution

~~~
dublinben
There isn't any contradiction, if you were implying there was. All of the
information compiled in this article was published to the public. Any private
information that has been revealed about this individual is likely
misdirection or irrelevant.

~~~
lifeisstillgood
No, no contradiction just ... We are all in the gutter, covered in the same
mud.

------
mahouse
OT: where's the source code for the AM website? Is it inside one of the dumps?

Edit: found it in "Ashley Madison 2nd dump 20 GB"

~~~
tempVariable
I'm not asking for a public post, but can you send info how to acquire the AM
data dump via EM?

~~~
mahouse
TPB

------
jasonmp85
> But there may something else going on here. It is possible that Zu’s
> approach to tweeting — that is, responding to or addressing other Twitter
> users without invoking the intended recipient’s Twitter handle — is
> something of a security precaution. After all, he had to know and even
> expect that security researchers would try to reconstruct his conversations
> after the fact. But this is far more difficult to do when the Twitter user
> in question never actually participates in threaded conversations. People
> who engage in this way of tweeting also do not readily reveal the Twitter
> identities of the people with whom they chat most.

I love how Krebs has reframed "subtweeting" as some sort of new security
practice as opposed to an annoying passive-aggressive thing everyone does from
time to time :-D

------
mackeeeavelli
The AM hack is similar in tenor to the Sony hack. Nothing about the hack has
the feel of a lone wolf or black hat operation. I have no doubt someone will
get pinned for the hack, but I also think if it wasn't an inside job it was
state-sponsored.

------
danblick
I can imagine two separate motives for this hack:

(1) The hackers dislike the idea of adultery and wanted to harm the site &
punish its users;

(2) The hackers wanted to blackmail the site and its users by threatening to
expose them if they did not pay hush money or perform other services (e.g.
reveal secrets).

It seems that motive (1) has some acceptance (people are cheering the
hackers), but I think (2) seems more plausible. These guys aren't heroes: they
found a vulnerable target and went after it.

~~~
nkozyra
Except they didn't do #2 and instead just released it. That kind of kills the
blackmail value, doesn't it?

~~~
mahmud
Maybe they had a private communication with AM, and only released it after the
negotiations broke down?

------
madrinator
AshleyMadison reward = $500k CAD ($376k USD) divided by 40M users = $0.01
#privacy should be worth more than 1 cent!

~~~
unreal37
The privacy of the 40 million cannot be bought back.

------
Zenst
The aspect that a company whose business model revolves around people breaking
contracts (marriage contracts) finding itself on the downside of what could
have been an employee who broke their employment contract is something ironic.

Maybe we should not be calling those a hack and more a data-affair.

Still one can only hope that we gain some better protection and rights
regarding how companies handle data and more so in the area of authority
auditing that those rules and standards are maintained.

------
fjbarrett
Wow this is elegant. Well-written article and super engaging story. The tab on
the screenshot is magical.

------
werber
My impression is that Zu is actually an author researching a real life cyber
crime novel.

------
akash3333
Anyone else wondering what tool Krebs would use to download another user's
timeline?

~~~
akash3333
Never mind, got the answer

[http://krebsonsecurity.com/2015/08/who-hacked-ashley-madison...](http://krebsonsecurity.com/2015/08/who-hacked-ashley-madison/comment-page-3/#comment-391736)

------
ivoras
deuszhu's tweets are indistinguishable from a bot's. Well, most of them.

------
andyl
If caught, what types of legal liability might the AM hacker face??

------
Benichmt1
Ah, another internet witch hunt. Good thing this account seems to be taking
credit for it. Otherwise this could've been ugly.

------
futureYCalum
Did I find the culprits?
[http://www.impactteam.info/](http://www.impactteam.info/)

------
satanrepents
Half a million in Canadian dollars? Is that like paying it out in monopoly
money?

~~~
cdelsolar
No

