Ashley Madison disclosure shows paper-thin privacy

The membership data for a site that advertised itself as catering to cheating married people has been disclosed, shredding some last vestige of online confidentiality.

Ashley Madison hack
Credit: Ashley Madison

Registering for Ashley Madison and Established Men, sites that market themselves, respectively, as for married cheaters and sugar daddies, may not indicate a breach of trust between the person setting up an account and anyone else in his or her life, marketing hype aside.

In America and many countries, relationships—married and otherwise—aren’t subject to government oversight anymore, and social opprobrium becomes difficult in an age of seeming total transparency, in which people become increasingly aware of the glass house in which they live from which they are throwing stones.

Where the breach in trust absolutely, provably occurred is where the company operating these sites failed to engage in proper security to ensure the privacy and integrity of its members. Further, while Ashley Madison promised permanent deletion of user data for $19, it appears clear that they did not—the contention of whomever extracted the data a month ago and has now released it.

Hold the moral pickle

A tut-tutting occurs whenever naked photos of celebrities are grabbed from private accounts and posted. Surely, they shouldn’t take such pictures; they should know better; the Internet is untrustworthy; and, ultimately, “it’s their fault for taking them.” This is akin to being told that being robbed in a “bad” neighborhood is your fault for carrying money and being there. The fault lies with the criminals.

Apple received more appropriate opprobrium when Jennifer Lawrence and others’ photos were apparently retrieved via their iCloud accounts a year ago, ostensibly through a combination of background research, social engineering, and a lack of iCloud password-attempt limitations.

The company has ratcheted up its efforts. In the year since that hack, following previous ones, it enabled more extensive use of two-step verification, and has built native support for extensive and simplified use of two-factor authentication into the upcoming iOS 9 and El Capitan (OS X 10.11) releases.

However, login protection doesn’t keep ne’er-do-wells from snarfing private databases. That’s a separate responsibility—and we’ve seen hundreds of thefts in which details were stolen and often sold or released, affecting many tens of millions of people in America alone.

What can we trust that’s stored online, even if we don’t deserve the blame for the thefts? That’s the real question, and it relates to how firms need access to your data.

While a two-factor-protected iCloud account could still suffer from extraction if someone finds a way to break through Apple’s defenses to siphon up data that includes yours, it’s arguable that the current system allows a very high degree of relative safety for your photos, contacts, and other information. It’ll be better when the more stringent native implementation rolls out in a few weeks. Google has offered two-factor authentication for years, and with its proper use, should be equally relatively secure.

It’s account-related information that remains at most risk: the metadata of your arrangement with a site that tells them where you live and how to charge your credit card and the like. Companies could potentially put in layers of additional security to segregate that information, but their systems need rapid and automated access to it. When security is breached, that account data is either mostly unencrypted by design or, if it’s protected, crackers can gain access to the same systems that are used to decrypt it for routine use.

While people are chuckling about “cheaters” being exposed, privacy isn’t a movable feast. Snacking on popcorn while searching for one’s neighbors, relatives, and coworkers in one of the databases of Ashley Madison data that have popped up serves only one end: prurience. And there’s really no difference between this data set and dozens of others except that simple fact.

A silver lining

The only bright light of this exposure is that Ashley Madison did a few things right. First, they don’t appear to have disclosed credit-card information that can be used to create new charges, only confirmation details, including the last four digits of a card. (There’s some suspicion that knowing the card type—which defines the first four digits—and the last four digits, plus some available knowledge about how number sequences are used can be used to reconstruct entire card numbers some reasonable percentage of the time, though.)

Second, unlike previous cracks in which passwords were either entirely unprotected or used outdated hashing mechanisms, the company used an encryption algorithm widely recommended for this sort of storage; it’s called bcrypt. It both salts and hashes a password, while also having scalable difficulty, so that as processing power increases, the amount of computational cycles necessary to crack can also be ratcheted higher. (For more on salting, hashing, and proper password protection, see “LastPass was hacked: Here’s what you have to do” from June. LastPass also did the right thing.)

Because of this, any even modestly difficult password will take a substantial amount of time to crack, and each stored password has the same level of difficulty to crack. Even with souped-up systems with piles of GPUs, it could take minutes to hours per account to crack even the simplest passwords. A password with the slightest bit of difference, such as a digit or punctuation mark, might be effectively unrecoverable unless someone focused specific effort over days—or much longer—to break it.

I don’t pretend to make decisions for other people about how they conduct their private relationships, nor do I waggle my finger at folks who want cloud-based access or cloud-based backups and not worry about their stuff being ripped off.

What this release of data demonstrates is that one has to engage in more effort to keep one’s figurative and literal affairs private. Some sites that offer demimonde services accept Bitcoin, which is anonymous though not entirely untrackable. Others provide email services that lock down your identity. The future of reliable privacy may involve more subterfuge even for the most innocent of activities.

Subscribe to the Best of Macworld Newsletter