Saturday, September 12, 2015

Crime, ignorance, ethics, and irony in the wake of the Ashley Madison affair

I'm hoping that the Ashley Madison hack will be a turning point in cyber-ethics, the point in time when we collectively decide that:
  • hacking companies and publishing the private information they have stored about people is morally reprehensible; 
  • lying to your customers about how you handle their data is unforgivable and needs to be punished; 
  • passing judgment on the sex lives of consenting adults is a fool's game; 
  • hacking people and products just because you don't like them is irresponsible and stupid; and 
  • hacking organizations to show they are not protecting data as well as they could be is a waste of skills and everyone's time - we know this already so creating more evidence does nothing to advance human knowledge or improve life on earth.
Sadly, a lot of the early media coverage and social discussion of the Ashley Madison hack showed few signs that we are at this hoped for ethical turning point. In light of this, I thought I would try to move the discussion forward with thoughts on five different parties to this whole mess.

1. The Perpetrators: So-called hackers

The people who recently stole and published gigabytes of data from the website AshleyMadison.com need to be identified and made to answer for violating the privacy of the tens of millions of real people whose information is apparently in that data dump (the number of real people affected is hard to determine because the website's owners, Avid Life Media or ALM, made little effort to prevent people creating multiple fake accounts and are alleged to have created many such accounts themselves).

To be clear: there is nothing brave or noble or good about what was done by these "hackers" (whom it would be better and more accurate to call "data thieves"). Furthermore, any deaths or other harms that come from the theft and release of this data are on the heads of the person(s) who perpetrated these acts. They had no right, moral or otherwise, to carry out these acts.

By stealing and then publishing this data, the perpetrators have enabled countless scams, frauds, and other criminal acts, not least of which is blackmail. There is no legal, logical, or ethical analysis of their actions which can absolve them of responsibility for what they have done (and which cannot be undone, as well they know).

As for the rest of the world, most notably the world's media, claiming that people who are named in that data dump somehow deserve exposure is a totally untenable position, not least because many of those named didn't actually have affairs, or seek affairs, or even sign up to the site. Some people surfed the site out of curiosity or for titillation; and registering people on the site was a common prank, made possible by the irresponsible and frankly avaricious data handling practices of its owners.

Look for someone to sue the Ashley Madison data thieves for privacy violation, which is different from suing the company that failed to keep the secrets from which it made its money, Avid Life Media. The latter form of legal action is already underway to the tune of $578 million.

2. The Corporate Victim: Avid Life Media

Whatever you think of the business model of ALM, and I happen to think it sucked, they have been victimized by criminal perpetrators. If you condone the actions of those perpetrators you are appointing yourself judge and jury and enforcer of your own values, a course of action which, if replicated, poses a threat to society.

What if I dislike the way you do business? What if I think your employer needs a dose of "hacktivism" acted out as the righteous liberation of confidential data, which may happen to include, like it did in the Sony Pictures hack, the identity data of current and former employees, yourself included?

Are we really going to make the leap from justifiable anger at shady business practices to trashing cyberspace and turning it into a playground for disaffected bullies and jerks? What do we do when someone gets hurt? When someone takes their own life? Do we just dismiss them as collateral damage in our self-appointed war on whatever it is we don't like?

3. The Corporate Creeps: Avid Life Media

In their eagerness to make money, the folks running AshleyMadison.com not only cut corners on security, they deceived people. Here's an example, an email that was sent to someone who had registered on the website and then asked to be removed. The email certainly reads like the person's request had been honored:

However, after the recent dump of data from ALM's computers, this person found their information was still there, more than five years after they thought it had been removed. At some point ALM actually introduced account removal as a paid service! I don't know when that was, but if you've spent any time studying privacy law and the widely held principles of fair information practices, it is simply staggering that a commercial organization would charge a person to delete data about them.

Of course, if you read the above email closely, it doesn't actually say the person's data has been erased. This is just one of many ways in which ALM used weaselly wording in an effort to make money however it could. While making apparently serious claims to guarantee customers an affair, the ashleymadison.com terms and conditions state "there is no guarantee you will find a date or partner on our Site or using our Service. Our Site and our Service also is geared to provide you with amusement and entertainment."

But when you take money for promising to remove people's information, and then don't? That's beyond weaselly, and many people have alleged that their data persisted on ALM's systems even after they had paid to have it removed. These deceptive practices are particularly heinous because of how Ashley Madison positioned itself, as both the epitome of discretion and the endorser and enabler of actions some portion of the population find to be immoral and worthy of exposure.

4. The Innocent Victims: Ordinary people

To be clear, meeting people online is not, in my opinion, immoral. I met my partner of 30 years through a dating site, one that was located on the pages of the San Francisco Bay Guardian. We used pen and paper and postage stamps not computers, but it was clearly the precursor to online dating services, with which I have no problem. I know numerous couples who, like my partner and I, met through a dating service of some kind and remain happily married and monogamous.

And as long as nobody gets hurt, I don't have a problem with adults enjoying non-monogamous inter-personal relationships. I'm pretty sure many monogamous people fantasize about affairs without having them, which may contribute to their staying in a relationship. And I expect a lot of Ashley Madison clients were doing just that. Of course, many people, married or otherwise, surfed the site out of curiosity or for titillation; and registering people on the site was a common prank, made possible by the irresponsible and frankly avaricious data handling practices of its owners.

5. The Big Loser: Society at large

Make no mistake, if we continue down this road - exercising a self-appointed right to publish confidential personal data without the data subject's permission - we all lose. And by all, I mean humanity, and by lose, I mean serious losses, not least of which are the potential benefits of responsible data sharing, from telemedicine to population healthcare and genetic cures, from energy efficiency to environmental protection and improvement programs, and so on.

It is my firm and considered opinion that the promised benefits of big data and the Internet of Things will not be realized if we humans don't learn to avoid the temptation to abuse the underlying technology for selfish and/or misguided purposes.

Which leaves us with this irony: the criminals who stole and published the Ashley Madison data, wrong as they were, may have given us an opportunity to take stock of the way we are using digital technology, revealing in the process how far we have yet to go in our efforts to enjoy its benefits while managing its risks.

Tuesday, August 04, 2015

The cost of cybercrime: short version

The cost of cybercrime = $66.66.

That rather beastly number is a rough and very modest approximation of the cost of 18 minutes of my time, which is how long it just took me to make an online tuition payment to my school in England. Allow me to explain.

1. The tuition for my MSc in the Criminology Department at the University of Leicester is paid in multiple chunks of about $2,800 per chunk.

2. The university has a very convenient online payment system.

3. I am fortunate right now to have a credit card that can handle $2,800.

4. But I cannot charge $2,800 to the card via a website that is outside the US unless I spend 18 minutes on the phone with the bank to let them know this charge is okay (believe me, I've spent longer, and I've tried doing the transaction without the call enough times to know that this is typical, across multiple cards/banks).

5. That phone call is required because there is so much payment card fraud being perpetrated around the world today, most of which can be classified as cybercrime.

6. I work in cybersecurity. The hourly rate for an appropriately certified independent consultant in this field is likely to be at least $200. So 18 minutes of wasted time at that rate = $66.66.

Now multiply that by all the transactions that match the "must call us" category. Like when you're trying to surprise your wife with an upgrade as you're flying out of Heathrow (despite the fact that you told the credit card company you would be in England, still they required a call). At that rate the cost of cybercrime, just in terms of lost productivity, quickly adds up.

As for the rate calculation, I think I'm being reasonable. Back in the 1990s, our IT security consulting firm billed clients $2,500 per person per day, which was a combination of overhead and direct labor costs. The going rate today for specialists in this field, like the people brought in to respond to a big corporate data breach, can be as high as $900 per person per hour. I'm not saying my time is worth more than another person's, I'm just trying to put a number on the surcharge that cybercrime imposes on an otherwise efficient payment processing system. Time is money and spending 18 extra minutes to complete an online transaction is costly, whomever you are and however you look at it.

And this is nothing to do with my university. I have the same problem buying tickets for international air travel. And in some ways I'm glad I have the problem because it means my bank is protecting my account. But I'm also sad that the darker side of human nature has imposed these limits on our enjoyment of technology's many potential benefits (like studying at a university in another country).

Speaking of time, I've spent quite a bit of it studying the size and cost of cybercrime in my work as well as at school. I will be talking about this topic later this year at the Virus Bulletin Conference in Prague, as well as at this month's ISSA meeting in San Diego. Measuring the cost of cybercrime is not easy, indeed, it might be impossible. But I do think you can argue that the cost of cybercrime could get too high: if we reach a point where the cost of cybercrime deters the adoption of otherwise helpful technology, then we will have a much bigger problem than me getting grumpy on the phone with my otherwise very helpful bank.

Saturday, May 30, 2015

Recent security research output

Good evening. Welcome. Just time for a quick update (with apologies to John Oliver and Last Week Tonight).

The following links are humbly presented as evidence that I am still very actively involved in researching security, mainly as it relates to crime and computers, a.k.a. cybersecurity and cybercrime.

1. Blog posts on We Live Security, of which there are many. These are conveniently listed here.

2. Webinars on Brighttalk, which include this introduction to risk analysis and this look at cybersecurity legislation.

3. Slide decks posted on Slideshare, like this one: Cybercrime and the Hidden Perils of Patient Data. I used that deck when talking to a group of about 40 dentists in San Diego. Here's a deck I used in security awareness sessions with about 400 petroleum plant workers in Texas. 

4. Snippets posted on Twitter by @zcobb, which may consist of quotes, statistics, pieces of information that I think will help people better understand security challenges. Here's an example:
So, while the rate of posting here on S. Cobb on Security has not been stellar of late, it's not because I'm not working on security problems.

Sunday, January 04, 2015

Why Willie Sutton Robbed Banks: the real answer, and what it has to do with the #SonyHack

Willie Sutton was one of the most notorious American bank robbers of the twentieth century, spending two years on the FBI's list of Ten Most Wanted Fugitives.

Sutton is also the subject of one of the most frequently cited - and bogus - anecdotes in all of security (we're talking everything from physical security to information security and cybersecurity). At just about every security conference that I've attended, someone has used some version of the following:
"When a reporter asked the bank robber Willie Sutton why he robbed banks, Sutton replied: "Because that's where the money is.""