The Ashley Madison Data Dump

The hack itself is an old story; Ashley Madison was hacked and profile information stolen. What is new is that the group behind the hack, Impact Team, dumped all the data. It has now been made available by many legitimate folks who created searchable online services against the data.

As much as I could enjoy the schadenfreude in this story, I simply cannot. I’m compelled to point out that just because an email is in the database does not mean it is a legitimate account. Email is a notoriously weak verified identifier, and while many websites have a sign-up flow for email verification, many don’t do anything to purge unverified emails. My thesis is that even unverified emails harvested in the sign-up flow have value for marketing purposes and, therefore, remain in the company’s database.

My email,, has been used by far too many “jnolans” to count. Often signing up for mundane services like car buying sites, but also for things that would certainly make my wife ask questions, like and an unrelated service for making arrangements with dominatrixes for a variety of, well, services.

The amount of crap I get from websites I have never visited is simply extraordinary. My oldest son has a gmail address that is first name only and I purge over a thousand emails from his account each month, and he’s only used it a few times for sending schoolwork.

The Impact Team has shrewdly wrapped themselves in a veil of moral righteousness to conceal a criminal act. While they aren’t stoning adulterers in the town square – or beheading them in a stadium – they are stealing personal information and using that in a form of extortion.

I find the entire affair, no pun intended, reprehensible and while AshleyMadison is itself objectionable, they are also a victim (of stupidity first and foremost). Despite complete awareness of the risks to the company and their customers, they did not employ best practices to secure their data. In addition to that, they had a sign-up flow and password recovery process that made it exceptionally easy to determine whether or not an email was in their user database. The flawed password recovery feature allowed for an entirely different line of attack employing social engineering to hijack individual accounts.
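The two design failures called out above, a sign-up flow that keeps never-verified addresses forever and a password-recovery endpoint whose response reveals whether an address is registered, are easy to show side by side. The block below is an added example, not code from the post or from Ashley Madison: a reset handler that leaks account existence next to one that answers identically for every input and only acts on verified accounts, plus a retention rule that drops stale unverified sign-ups. Account names, dates and the `USERS` table are constructed for illustration.

```python
# Added example (not the post's or the site's code): a password-reset flow that
# reveals whether an email is registered, beside one that does not, plus a
# retention rule for never-verified sign-ups. All names and data are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib
import secrets


@dataclass(frozen=True)
class Account:
    email: str
    verified: bool          # has the owner ever confirmed this address?
    created_at: datetime


# Constructed sample user table keyed by normalised (lower-cased) email.
NOW = datetime(2015, 8, 20, tzinfo=timezone.utc)
USERS = {
    "alice@example.com": Account("alice@example.com", True, NOW - timedelta(days=100)),
    "bob@example.com": Account("bob@example.com", False, NOW - timedelta(days=30)),
    "carol@example.com": Account("carol@example.com", False, NOW - timedelta(days=1)),
}


def leaky_reset(email: str, users: dict) -> dict:
    """The weak design the post describes: the visible response itself states
    whether the address is in the database, so anyone can probe a list of emails."""
    if email.lower() not in users:
        return {"status": 404, "message": "No account with that email address."}
    return {"status": 200, "message": "A password reset link has been sent."}


def uniform_reset(email: str, users: dict, outbox: list) -> dict:
    """Hardened variant: identical status and wording for every input. The only
    side effect is a reset token queued for a *verified* account, which the
    caller never sees. Unverified addresses get nothing, so a stray sign-up made
    with someone else's email cannot be used to reset anything."""
    acct = users.get(email.lower())
    if acct is not None and acct.verified:
        token = secrets.token_urlsafe(32)
        # Store only a hash server-side; the raw token would go in the email.
        outbox.append((acct.email, hashlib.sha256(token.encode()).hexdigest()))
    else:
        # Do comparable work so response timing does not separate the two paths.
        hashlib.sha256(secrets.token_urlsafe(32).encode()).hexdigest()
    return {"status": 200,
            "message": "If an account exists for that address, a reset link has been sent."}


def responses_distinguish(handler, known: str, unknown: str) -> bool:
    """Review check: does a registered address produce a different visible
    response than an unregistered one? True means the handler leaks existence."""
    return handler(known) != handler(unknown)


def purge_unverified(users: dict, now: datetime,
                     max_age: timedelta = timedelta(days=7)) -> tuple:
    """Retention rule the post argues most sites skip: drop sign-ups whose
    address was never verified within max_age. Returns (retained, removed_emails)."""
    removed = sorted(e for e, a in users.items()
                     if not a.verified and now - a.created_at > max_age)
    retained = {e: a for e, a in users.items() if e not in removed}
    return retained, removed


if __name__ == "__main__":
    print("leaky handler leaks existence:",
          responses_distinguish(lambda e: leaky_reset(e, USERS),
                                "alice@example.com", "nobody@example.com"))
    box = []
    print("uniform handler leaks existence:",
          responses_distinguish(lambda e: uniform_reset(e, USERS, box),
                                "alice@example.com", "nobody@example.com"))
    print("tokens queued:", len(box))
    print("purged unverified:", purge_unverified(USERS, NOW)[1])
```

The `responses_distinguish` check is the kind of test a reviewer can run against any reset or sign-up endpoint: if the status code, body or redirect differs between a known and an unknown address, the endpoint is an enumeration oracle regardless of what the rest of the site does.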

I won’t shed any tears if they shut down, which they likely will because recovering now is all but impossible, but I won’t celebrate the fact that a group of hackers brought their demise. To do so would welcome a global online sharia law where only those services that pass a moral test can exist.

PS- yeah, I searched for my email in the database! Who wouldn’t?

The Challenge of Being a Russian Security Software Company

I came across Passwork today and was really impressed with the presentation as well as focus of the product. This is the kind of product that I would instinctively sign up for and test drive… but for an unrelated reason I started poking around on their site to find out more about the company.

It became clear that the company is Russian and this fact alone represents a major impediment for any company in the security software space. In all fairness, I am making this assumption based on factors like domains and language… the company itself provided no contact information on their website, which is itself kind of weird.

There is obviously a lot of good tech that comes out of Russia but there is an intractable problem when going global, and that is the ambiguity about the extent to which Russian government activities encroach on the activities of commercial companies. The same can be said of China and, in the interest of being fully objective about this topic, the same can be said of the U.S.A. as more attention and disclosure was put on NSA, FBI, and other government agencies. From selling globally I know this is the case: companies not based in the U.S. have significant objections to domiciling data in U.S. datacenters.

The problem for companies in Russia (and China) is that of the perception of egregious bad actors, including overt criminal activity. It’s one thing to have the government accessing your data, it’s another altogether to believe you would be exposed to criminal industrial espionage. I simply would not try to build a security software company in Russia if I have an aspiration of selling to a global enterprise market. Kaspersky Lab is a notable exception here when it comes to endpoint security but it’s clear that the company is aware of this and also the rising tensions between the U.S. and Russian governments.

Passwork is also, apparently, aware of the obstacles and goes to lengths on their website to highlight open algorithms, data security and privacy. In addition to addressing these issues up front, they also offer a version of the software that is on-premise. I’m not sure any of these measures really overcome the perception of risk, which in many ways is a binary condition.

As much as I liked the marketing for Passwork, I didn’t sign up.