
The Ashley Madison files – are people really this stupid?

Lots of users appear to have used work addresses

Dunce's cap graffiti by https://www.flickr.com/photos/lord-jim/ cc 2.0 attribution https://creativecommons.org/licenses/by/2.0/

It has been a depressing and enlightening day at El Reg's San Francisco office as we've been churning through the Ashley Madison databases, and a recurrent theme echoing around the room is: "How could people be so stupid?"

It's not the cheating per se – let's not get started on the morals of it all – but it's clear that many of the 36 million people who signed up didn't have the first clue about safeguarding their privacy – why put all that compromising info in the hands of one website? – and more than a few were signing up from their work addresses.

Analyzing the email addresses is fraught with dangers. Many are obviously spoofed – foxmulder@fbi.gov and i-trust-you-not@nsa.gov are clearly fakes, and it's unlikely that Tony Blair really is signed up using his official email address.

But we've done some checking up, and it's likely that some of these work emails are legitimate. Five British police officers using their .police.uk email accounts have details that check out, as does one address for a senior member of the British civil service in a position that would make him a ripe target for blackmail. In all we've found nearly 100 .gov.uk email addresses, many of whom do seem to be the real deal.

It seems astonishing that IT departments are letting sites like Ashley Madison through web filters. Having a relatively open access policy to internet use at work is all well and good – and studies suggest it is helpful to productivity – but dating sites? It seems a lot of filters need to be checked again.

It's easy to understand, on one level, why work addresses are used. A partner on the prowl won’t want to use a home address in case their better half sees it on the family computer. But setting up new email accounts isn't hard and burner addresses would seem like a logical step.

Even some tech savvy users of the site seem to have got caught out. There are profiles that have the GPS coordinates of people's homes attached to them. It may well be that people set up dummy accounts but did it with apps that logged their location, unbeknownst to the user.

Ashley Madison itself comes out from this leak looking not too bad – well, apart from charging people $19 to permanently delete their accounts. Credit cards (apart from the last four digits) were not stored in an easily accessible format, and passwords were hashed using bcrypt. Some people claim to have found credit card numbers in the databases; how that happened, we don't know. Based on experience, the internal security of the company was better than most, just not good enough.
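The paragraph above credits the site with two storage choices: passwords hashed with bcrypt, and card numbers kept only as their last four digits. The following added example (written for this page, not code from Ashley Madison or from the article) shows what those two choices look like in a small account-record routine. It uses `hashlib.pbkdf2_hmac` as a stand-in for bcrypt, since bcrypt is not in the Python standard library; the per-password random salt, slow iteration count and constant-time comparison are the same properties a bcrypt deployment gives you. The sample account values are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

# Stand-in for bcrypt's cost factor: PBKDF2-HMAC-SHA256 iterations.
# This is an assumption for the example, not a parameter from the page.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt$digest' (both hex) using a fresh 16-byte random salt.

    Two users with the same password get different stored values, so a
    leaked table cannot be attacked with one precomputed lookup.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS, dklen=32)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex),
                                    PBKDF2_ITERATIONS, dklen=32)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def card_reference(pan: str) -> str:
    """Keep only the last four digits of a card number.

    The full PAN is never written to the account record, which is what the
    article describes; a payment processor token would normally be stored
    alongside this if repeat billing is needed.
    """
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 13:
        raise ValueError("not a plausible card number")
    return "****" + digits[-4:]


def make_account_record(email: str, password: str, pan: str) -> dict:
    """Build the record that would be persisted for a new sign-up."""
    return {
        "email": email,
        "password": hash_password(password),
        "card_last4": card_reference(pan),
    }


if __name__ == "__main__":
    # Constructed sample input; not data from the leaked databases.
    rec = make_account_record("someone@example.invalid", "correct horse",
                              "4111 1111 1111 1111")
    print(rec)
    print("login ok:", verify_password("correct horse", rec["password"]))
```

Even with this scheme a dump still exposes e-mail addresses and profile text in the clear, which is exactly the damage the article goes on to describe; slow hashing protects the password, not the fact of membership.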

Interestingly, the vast majority – as much as 90 or 95 per cent – of Ashley Madison's users are men. Many, many people will have signed up and failed to hook up.

One final point: reading through some of the profiles, it's clear that this wasn't all just horny malcontents looking for a cheap flesh fix – although that seems to make up the vast majority. But a couple of profiles state explicitly that the advertiser would expect an online paramour to talk to the poster's partner before meeting, to assure that consent was given.

There are many kinds of relationships under the sun. Some monogamous, some monogamish, others that are totally open. Without knowing the people involved it's impossible to know their situations and, quite frankly, it's none of anyone else's business.

After spending the day reading through this database I wonder how many lives are going to be ruined by this hack? How many families torn apart? How many suicides?

The Impact Team claim to be doing this for high moral reasons, but tell that to those wrenched from a family because someone got curious and stupidly signed up, or just had their email address cut'n'pasted into a profile and subsequently leaked.

In the long term hacks like this are going to be a fact of life and we're all going to learn more about our friends and neighbors than we really wanted to. How well we handle that will show quite how mature we are as a species. ®

Let's not assume Ashley Madison dump sites are altruists, please

When natural disasters strike, vile scammers start sending emails by the million offering you a chance to send donations to those in need, writes Richard Chirgwin.

Security companies and governments point out that such emails are scams designed to take advantage of your good nature.

They're not quite doing so yet for people or organisations offering the chance to “search the Ashley Madison data here”, but it's likely to happen.

The good news is that there are some such services worthy of your trust. Troy Hunt's HaveIBeenPwned website, for example, has all the email addresses, but you can't search it. If you're signed up for (free) alerts from HaveIBeenPwned.com, you'll be told if you're on the leaked lists. But you can't rifle through it looking for your neighbour or boss or spouse.

Hunt is a security specialist with an enviable record. He has explained his handling of the Ashley Madison data, secures his site with HTTPS, and identifies himself as the operator of the site in its whois information.

In other words, Hunt is putting his own reputation on the line.

Other sites – to which The Reg will not link – are being cited by mainstream publications and the tech press, but surely do not deserve your trust. They don't offer HTTPS or complete whois records, so they don't deserve any more trust than scam donation emails.

The evil minds behind email scams are also entirely capable of dreaming up the idea of an Ashley Madison search site as a honeypot. Your prurience – and that of media linking to such sites – therefore increases the chance of your details appearing in another, future, data dump.

To restate:

  • Don't trust your data to a non-HTTPS lookup site;
  • Don't trust your data to a site that lets anyone search without verification;
  • Don't trust sites that don't provide whois information.
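The design the piece praises in HaveIBeenPwned, and the second rule of the checklist above, come down to one property: a breach-notification service tells an address owner whether that address is in the leaked set, and refuses the same question from anyone who has not proved ownership. The following added example (written for this page; it is not HaveIBeenPwned's code and does not describe its internals) implements that property in a small in-memory service. The breach list, pepper and e-mail addresses are constructed; the "mail the token to the address" step is represented by returning the token to the caller.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Set

# Constructed sample breach list for the example; not data from the page.
SAMPLE_BREACH_EMAILS = {"alice@example.invalid", "bob@example.invalid"}


def normalise(email: str) -> str:
    """Case and whitespace are not significant in the addresses we compare."""
    return email.strip().lower()


def email_key(email: str, pepper: bytes) -> bytes:
    """Index the breach set by a keyed hash rather than by plaintext address,
    so the lookup table itself is not a ready-made list of victims."""
    return hmac.new(pepper, normalise(email).encode("utf-8"),
                    hashlib.sha256).digest()


@dataclass
class BreachNotifier:
    breach_keys: Set[bytes]
    pepper: bytes
    pending: Dict[str, str] = field(default_factory=dict)  # token -> email
    verified: Set[str] = field(default_factory=set)

    @classmethod
    def from_emails(cls, emails, pepper: bytes) -> "BreachNotifier":
        return cls({email_key(e, pepper) for e in emails}, pepper)

    def subscribe(self, email: str) -> str:
        """Begin ownership verification.

        The returned token stands for the link that would be sent to the
        address itself; nothing about the breach set is revealed here, so
        subscribing someone else's address tells the subscriber nothing.
        """
        token = secrets.token_urlsafe(32)
        self.pending[token] = normalise(email)
        return token

    def confirm(self, token: str) -> bool:
        """Only a holder of the mailed token (i.e. the mailbox owner) can
        complete verification; unknown or reused tokens are rejected."""
        email = self.pending.pop(token, None)
        if email is None:
            return False
        self.verified.add(email)
        return True

    def can_lookup(self, email: str) -> bool:
        return normalise(email) in self.verified

    def is_breached(self, email: str) -> bool:
        """Answer the membership question for a verified owner only.

        An unverified caller gets PermissionError, never True or False, so
        the service cannot be used to rifle through the list for a
        neighbour, boss or spouse.
        """
        email = normalise(email)
        if email not in self.verified:
            raise PermissionError("address ownership not verified")
        return email_key(email, self.pepper) in self.breach_keys


if __name__ == "__main__":
    svc = BreachNotifier.from_emails(SAMPLE_BREACH_EMAILS, b"constructed-pepper")
    token = svc.subscribe("Alice@Example.invalid")   # token would be e-mailed
    print("confirmed:", svc.confirm(token))
    print("alice breached:", svc.is_breached("alice@example.invalid"))
```

Serve a thing like this over HTTPS and publish who runs it, and you have covered all three bullets; the verification step is the one that a "search everyone here" site by definition lacks, which is why such a site can harvest the curious as easily as it informs the affected.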

It's also worth considering the laws of the land in which you dwell, as privacy legislation around the world frowns upon unauthorised use of data. New Zealand's privacy commissioner has pointed this out and also noted that under the nation's Harmful Digital Communications Act of 2015 it may be considered cyber-bullying to name and shame supposed Ashley Madison members.

Commissioner John Edwards has also pointed out that Ashley Madison didn't verify the email addresses that users provided. It's therefore entirely likely that elvis@gracelands.com didn't sign up for the service.
