The biggest lesson from Ashley Madison is about security, not fidelity

Ashley Madison founder Noel Biderman poses during an interview in Hong Kong, August 28, 2013. Founded in 2002, Ashley Madison, the world's biggest online dating website for married men and women, has over 20 million users in 30 regions all over the world. REUTERS/Bobby Yip

Life’s short. Use PGP.

Once IPO-bound, Ashley Madison is almost certainly doomed to shutter following a ruinous hack. As an early indication of its inevitable shutdown, parent company Avid Life Media announced yesterday that CEO Noel Biderman is stepping down.

Likewise, its 37 million users may never recover from having their most private thoughts and fantasies spread around the Web.

The website that helps married people have extramarital affairs promised discreet encounters and robust security. It even had a “full delete” service that purported to delete “all traces of your usage” for a fee. And even after the attack, the website still flaunts a gold and purple medallion icon with the words “trusted security award” next to it.


Last week a group calling themselves the Impact Team released 32 gigabytes’ worth of data pulled from Ashley Madison’s servers. The leaked data has already resulted in six lawsuits in the U.S. and two in Canada, many of which are seeking class action status. Considering that 37 million accounts were affected, Avid Life Media, Ashley Madison’s parent company, is only likely to see more suits.

Legal costs

Even if none of these cases win, the mounting legal battles are likely to drain Avid Life’s cash reserves.

Earlier this year, Target paid out $10 million in damages to settle a class action lawsuit over a data breach that took place in 2014. Home Depot, meanwhile, is still fighting a consolidation of class action lawsuits. Already, Ashley Madison is facing more than half a billion dollars in damages. In addition to legal costs, the company, which reportedly earned $115 million in 2014 revenue, is likely to see a drop in its paying user base in the wake of the attack.

On top of class action lawsuits, Avid Life Media could face scrutiny from the Federal Trade Commission, which was recently granted the ability to look into instances of unfair trade based on poor security infrastructure.

Legal framework

Traditionally, there’s very little legal framework for consumers seeking recourse from cybersecurity incidents. Damages from a hack can be hard to prove. For instance, if a person’s financial information was stolen during a hack but hasn’t been used, it’s difficult to assess potential financial loss. In the case of Ashley Madison, how do you calculate the damages incurred as a result of leaked information about a potential affair? Plus, most companies aren’t obligated to secure user information unless they are health care businesses or financial institutions, regulated under the Health Insurance Portability and Accountability Act and by the Securities and Exchange Commission, respectively.

However, there is an interest among members of Congress and the White House to build just such a framework. A number of cybersecurity bills have been introduced to Congress over the past 10 years, though meaningful legislation articulating for what companies are liable in the event of a hack has yet to materialize. The two cybersecurity bills currently on the table in the House (H.R. 624) and Senate (S. 754) are more focused on allowing companies and the government to share information about breaches and security measures than providing consumers with legal protections.

Now, because of the outcome of an FTC case against Wyndham Worldwide, consumers might have a bit more support. An appeals court ruled in favor of the FTC, which accused Wyndham of “failing to safeguard consumer data.” What it means is that under certain circumstances, the FTC can penalize companies for not implementing a certain standard of security.

“It wouldn’t apply to a malicious, determined hack that got through industry-standard security. It probably wouldn’t even apply to a lot of security breaches caused by negligence. What it would apply to is companies that just take a passive, haphazard approach to data security,” said Josh King, general counsel at Avvo, an online legal advisor.

Ashley Madison didn’t do much to prove the identity of its members. Registering for Ashley Madison only required an email address, and it’s possible a number of accounts were created under dubious circumstances (created for blackmail and other reasons).

Failing to provide a reasonable identity verification process could easily fall within the purview of the FTC, thanks to the Wyndham case. But, even if Ashley Madison’s security is up to snuff, the company still might attract the gaze of the FTC for promising services it did not deliver.

Not only did Ashley Madison boast about top-notch security and then fail to protect its unpaid users, it also neglected to comprehensively delete user profiles covered under its “full delete” service. Internal data reveals that Ashley Madison retained GPS coordinates, date of birth, as well as height and weight even for users who paid $19 to have their information deleted from its servers.

There are also questions about whether Ashley Madison stocked its user base with fake accounts meant to goad male users into spending more money.

Cultural implications

One way or another, Ashley Madison users will have their day in court. However, whatever recompense they’re ultimately offered will probably not add up to their losses. Money can’t make up for the emotional effects of divorce or even greater losses that have occurred as a result of the hack.

“There are a lot of ancillary effects,” said King. “It reinforces why it’s so important for people to take their privacy seriously when they’re dealing with sensitive stuff.”

King noted that because the Ashley Madison incident has obtained such a high level of visibility among prurient Americans, it stands to teach them a lesson about online security. “You can’t just rely on the privacy policies of these companies,” he said; you have to secure yourself.

Despite two years of persistent data breaches at major companies, many U.S. consumers still haven’t taken precautions with their personal data online. While Americans don’t seem motivated by having their financial information stolen, they may, as John Oliver once astutely pointed out, be more inspired by leaks of their most personal data — their dick pics.

The Ashley Madison hack shows a holistic picture of just how much information people are willing to turn over to companies even though they are often under no real obligation to protect that information. This isn’t about handing over your dick pics and credit card information; it’s about entrusting a for-profit company with your deepest fantasies and thoughts.

Perhaps the breadth and the nature of the Ashley Madison hack will have Americans running to encrypt their email or even start using sites that don’t track, such as DuckDuckGo. Could 2015 kick off the Year of the Black Phone, or herald a large uptick in preventative measures taken to effectively hide our identities online?

Unlikely, said Malwarebytes security analyst Adam McNeil. “Events such as the disclosure of data from Avid Life Media should make consumers more aware of the potential dangers of sharing personal information with online entities, but the pessimistic reality is that it probably won’t.”

He said similar leaks of private photos from iCloud and Snapchat could have woken Americans from their optimistic apathy — and yet, here we are.

“While events should cause consumers to embrace the notion of online security (and security in general), history has shown that it probably will not.”

HTC cofounder Peter Chou joins Hong Kong visual effects studio in VR push

The cofounder and former chief executive of struggling Taiwanese smartphone maker HTC has joined Hong Kong-based visual effects studio Digital Domain Holdings, according to an exchanges filing Friday.

Peter Chou’s appointment as executive director and a member of the executive committee will take effect as of August 31, though the move does not signal his exit from HTC.

In March, Chou was replaced by Cher Wang as chief executive following three years of poor performance, but stayed on as head of HTC’s Future Development Lab.


Chou’s move makes sense from a strategic perspective considering HTC’s push into virtual reality with Vive. The Hong Kong visual effects studio earlier this year formed a joint venture called IM360 with Dallas-based Immersive Media for its own push into VR content.

While HTC’s immediate goal in the VR space appears to be gaming and entertainment, it noted in a blog posting Thursday that there are “rumblings of the potential of VR in medical science and training, architecture, and other areas many of us haven’t even considered.”

Clearly this move by Chou is a further sign of HTC’s intention to double down on its VR efforts and build out more synergies with leaders in the space. While Immersive Media is known for its 360-degree video technology, Digital Domain is seen as pushing the envelope in motion capture and generated imagery.

Digital Domain says it has worked on visuals for more than 100 movies, including Iron Man 3, the Transformers series, and Titanic.

However, consumers keen to get their hands on HTC’s Vive as soon as possible were left disappointed Friday, when the company announced that initial shipments of its VR goggles are going to be limited, and not available until the first quarter of 2016.

We’ve reached out to HTC and Digital Domain for further comments, and will update you if we hear back.

Check out HTC’s latest video from this week to get a glimpse into what it’s doing with Vive:


Russia’s Kaspersky threatened to ‘rub out’ rival, email shows

Eugene Kaspersky, chairman and CEO of Kaspersky Lab, listens to a question during an interview in New York March 10, 2015.

(By Joseph Menn, Reuters) – In 2009, Eugene Kaspersky, co-founder of one of the world’s top security companies, told some of his lieutenants that they should attack rival antivirus software maker AVG Technologies by “rubbing them out in the outhouse,” one of several previously undisclosed emails shows.

He was quoting from Vladimir Putin’s famous threat a decade earlier to pursue Chechen rebels wherever they were: “If we catch them in the toilet, then we will rub them out in the outhouse.”

Former employees say that the reprisal Kaspersky was pushing for was to trick AVG’s antivirus software into producing false positives – that is, misclassifying clean computer files as infected.


As previously reported by Reuters, the plan involved creating fake virus samples and malware identifications to fool competitors into disabling or deleting important files, thereby creating problems for their customers.

“More and more I get the desire to smack them with their falses,” Kaspersky wrote in Russian in one email seen by Reuters, dated July 23, 2009. He accused AVG of poaching staff from his company. “AVG is carrying out an HR attack on the company, mostly the managers.”

The emails shed fresh light on the allegations of two former Kaspersky Lab employees that the Moscow-based company had sought to sabotage rivals to gain market share and retaliate against competitors it believed were mimicking its malware detections instead of relying on their own research.

Kaspersky Lab has strongly denied the allegations. On Friday, it said the emails “may not be legitimate and were obtained from anonymous sources that have a hidden agenda.”

“Kaspersky Lab has never conducted any secret campaign to trick competitors into generating false positives to damage their market standing. Such actions are unethical, dishonest and illegal,” the company said in a statement.

The ex-employees told Reuters that AVG, Microsoft and Avast Software were among the companies targeted by Kaspersky Lab in campaigns between 2009 and 2013 to spread false positives through threat information-sharing programs.

“To be honest, I’ll feel pretty bad when AVG goes public and earns a billion. They won’t say thanks to you or me – don’t even hope,” Kaspersky wrote in another email seen by Reuters, dated Oct. 8, 2009.

“‘Rubbing out’ – is one of the methods, which we will DEFINITELY use in combination with other methods.”

A day earlier, Kaspersky had urged his team in another email to consider “rubbing them out in the outhouse,” noting that his European chief was “very positive about falses.” The emails do not confirm that an attack was launched against AVG or say how effective it might have been.

AVG’s former chief technology officer, Yuval Ben-Itzhak, previously told Reuters the company was hit with waves of doctored virus samples from 2009 to 2013.

AVG, Microsoft and Avast have all declined comment on who might have been behind the sophisticated assaults. AVG did not immediately respond to a request for comment on the emails.

China campaign

In the emails, Eugene Kaspersky did not give specifics on the “rubbing out” method that he envisioned using against AVG. But he said it was a trick that the company had used against a competitor in China years ago. He did not identify the company in the email.

“We’ve already had an experience ‘rubbing out’ – in China. In year 2002-2003. And we did end up moving one of then-market leaders,” Kaspersky wrote.

A former Kaspersky Lab employee said the Chinese target was Beijing Jiangmin New Science & Technology Co, one of the biggest antivirus companies in the country at the time. Jiangmin General Manager Guo Changsheng declined to comment.

In 2002, Kaspersky Lab had been struggling to gain traction in the massive Chinese market, where piracy was rampant in the software industry, according to former employees.

Jiangmin did well in part because it copied Kaspersky Lab’s identifications of malicious software files, said two former software engineers at Jiangmin, and a Chinese expert who had worked with both companies. The three sources spoke on condition of anonymity.

After repeated threats and attempts to reach a licensing deal with Jiangmin failed, the Chinese expert said, Kaspersky Lab began to fake some of its malware detections in China in order to cause problems on Jiangmin’s customer machines when the Chinese company copied them.

Kaspersky Lab did this to protect itself from more piracy, the Chinese expert said, adding that the campaign worked. “All of a sudden, customers came to Kaspersky.”

Jiangmin’s general manager declined to comment on the allegations that the company copied Kaspersky Lab’s detections. He also declined to comment on whether Jiangmin had suffered from false detections during the period in question.

Kaspersky Lab has previously said that it too had been hit with fake virus samples. It declined to provide copies of the samples or give other details.

It is not known how much business Kaspersky Lab may have gained in China or elsewhere as a result of these alleged attacks.

In one of the emails, Eugene Kaspersky said the China attack, which he called a “rubber bomb,” was a success. The term “rubber bomb” comes from a Russian joke about an explosive that keeps bouncing and inflicting more damage.

“Something tells me that without that ‘rubber bomb,’ things wouldn’t be so rosy for us in China,” Kaspersky wrote in the Oct. 8, 2009 email.

(Additional reporting by Gerry Shih in Beijing and Alina Selyukh in Washington; Editing by Tiffany Wu)
