The Ashley Madison Data Dump

The hack itself is an old story; Ashley Madison was hacked and profile information stolen. What is new is that the group behind the hack, Impact Team, dumped all the data. It has now been made available by many legitimate folks who created searchable online services against the data.

As much as I could enjoy the schadenfreude in this story, I simply cannot. I’m compelled to point out that just because an email is in the database does not mean it is a legitimate account. Email is a notoriously weak verified identifier, and while many websites have a sign-up flow for email verification, many don’t do anything to purge unverified emails. My thesis is that even unverified emails harvested in the sign-up flow have value for marketing purposes and, therefore, remain in the company’s database.

My email, jnolan@gmail.com, has been used by far too many “jnolans” to count. Often signing up for mundane services like car buying sites, but also for things that would certainly make my wife ask questions, like BlackPeopleFinder.com and an unrelated service for making arrangements with dominatrixes for a variety of, well, services.

The amount of crap I get from websites I have never visited is simply extraordinary. My oldest son has a Gmail address that is first name only and I purge over a thousand emails from his account each month, and he’s only used it a few times for sending schoolwork.

The Impact Team has shrewdly wrapped themselves in a veil of moral righteousness to conceal a criminal act. While they aren’t stoning adulterers in the town square – or beheading them in a stadium – they are stealing personal information and using that in a form of extortion.

I find the entire affair, no pun intended, reprehensible and while AshleyMadison is itself objectionable, they are also a victim (of stupidity first and foremost). Despite complete awareness of the risks to the company and their customers, they did not employ best practices to secure their data. In addition to that, they had a sign-up flow and password recovery process that made it exceptionally easy to determine whether or not an email was in their user database. The flawed password recovery feature allowed for an entirely different line of attack employing social engineering to hijack individual accounts.
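The sign-up and password-recovery leak described above, sketched as an added example (not Ashley Madison's code and not the author's): each flow is shown in a form whose reply reveals membership and in a form that answers identically, with a regression check a site owner can run against both. Handler names, messages and the sample addresses are assumptions.

```python
# Added illustration; handler names, messages and addresses are assumptions.
USERS = {"alice@example.com"}   # constructed sample account store
PENDING = set()                 # unverified sign-ups awaiting confirmation
OUTBOX = []                     # stands in for the outbound mail queue

def reset_leaky(email):
    """Password recovery whose reply reveals whether the address is registered."""
    if email.lower() in USERS:
        OUTBOX.append(("reset", email.lower()))
        return 200, "Reset link sent."
    return 404, "No account uses that address."

def reset_uniform(email):
    """Same status and body either way; mail goes only to real accounts."""
    if email.lower() in USERS:
        OUTBOX.append(("reset", email.lower()))
    return 200, "If that address has an account, a reset link is on its way."

def signup_leaky(email):
    """Sign-up that rejects known addresses on the page itself."""
    if email.lower() in USERS:
        return 409, "That address is already registered."
    PENDING.add(email.lower())
    return 200, "Check your inbox to confirm."

def signup_uniform(email):
    """Always answers the same; the difference is delivered by mail only."""
    addr = email.lower()
    if addr in USERS:
        OUTBOX.append(("already-registered", addr))
    else:
        PENDING.add(addr)
        OUTBOX.append(("confirm", addr))
    return 200, "Check your inbox to continue."

def leaks_membership(handler, known, unknown):
    """Regression check: True if the HTTP reply alone separates the two."""
    return handler(known) != handler(unknown)

if __name__ == "__main__":
    for h in (reset_leaky, reset_uniform, signup_leaky, signup_uniform):
        print(h.__name__, leaks_membership(h, "alice@example.com", "nobody@example.com"))
```

The check compares status and body only; response timing and rate limiting are separate channels this sketch does not cover.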

I won’t shed any tears if they shut down, which they likely will because recovering now is all but impossible, but I won’t celebrate the fact that a group of hackers brought their demise. To do so would welcome a global online sharia law where only those services that pass a moral test can exist.

PS- yeah, I searched for my email in the database! Who wouldn’t?

Identity and The Rise of Borderless States

I had this conversation with @andredurand a few weeks ago. What services does a government provide?

– Identity
– Central bank-backed currency
– Law-and-order (optimally in equal proportions)
– Defense

Of course there are more but many of the things we associate with government, e.g. social services, are in fact choices that a citizenry has made rather than a core obligation of government as a necessary means to govern. So the question now is whether or not we are entering a phase of a pseudo-borderless form of governance where people self-associate according to fluid social preferences and needs. The reason I am inclined to think this is not only possible but probable is that two of the core services that government provides are being undermined, the first by their own actions and the second by technology.

Currency is increasingly disconnected from economic conditions and central banks are demonstrating on a daily basis that their ability to affect currency is tenuous at best. The rise of Bitcoin is presenting a viable alternative currency that has many of the attributes of central bank backed currencies, namely a liquid market to trade. Games and social networks have similarly organized and promoted virtual currencies that can be arbitraged against non-virtual currencies.

Identity, on the other hand, is increasingly being driven by technology and at CIS the various talks about 3rd party verification services really stimulated my thinking on this. What if government-backed identification is no longer the gold standard for proof of identity? What this would mean is that the ability for governments to authenticate identity for transactions and contracts would be undermined and we would be one step closer to borderless states.

I have no way of assessing probability to any of this, but the one certainty is that the pace of technological evolution is accelerating, and with it comes dramatic social change that has implications well beyond the product and service capabilities by themselves. So if I were to think about what the world looks like in 30 or 50 years, I am not sure I would discount any of this.

Speaking of 50 years, this article in American Banker really drives home the point about how identity is informing future businesses in ways that are entirely disruptive to traditional business models.

Fifty years from now? In her excellent and thought-provoking Long Finance report on the future of financial services, Gill Ringland rather memorably said that the citizen of the future would need the critical resources of an identity, a credit score and a parking place in order to function. If that’s true – and I certainly believe it to be the direction of travel – the bank’s critical role will be built on the customer identities, not their deposits. The vaults will not be stuffed with material valuables, but with the most valuable asset of all: personal data.
