The Thinker

Ashley Madison stupidly lets itself get pwned

So I have been streaming Mad Men on Netflix. It’s a strangely compelling series about the world of Madison Avenue in the 1960s. It’s a world of constant drinking, endless cigarettes and infidelity. The principle character is Don Draper (played by Jon Hamm), the creative director for the advertising firm Sterling & Cooper. As we quickly learn, Don was previously Dick, he is a deeply messed up man, and he also happens to be one hunk of a guy. Don’s a liberal drinker, a liberal smoker and a liberal bed hopper as well. He does this while somehow staying married to his ultra pretty and slinky wife Betty (January Jones).

It takes a few seasons but Betty eventually figures out Don’s infidelities. They divorce but Don keeps bedding the women, often inappropriately, including his secretary. Yet Don is hardly the only character in the series with his pants down. Most of the characters are involved in an illicit relationship or two. I have no idea how close any of this is to real life on Madison Avenue, but from what I’ve read it was not too far off the mark. Most of the men are caught between who they really are and the roles they are supposed to play. How they manage all this screwing around in these pre-Ashley Madison days is kind of mysterious, but likely all that booze helped reduce inhibitions.

Yesterday of course the infidelity website ashleymadison.com quickly went dark after hackers posted a dump of its database on a number of websites. While bad for cheaters out there, what it said about Ashley Madison was even worse. First, its security system was laughably bad. Second, even after the hack they could have taken down their site and saved their forty million members embarrassment, but they didn’t. They kept collecting fees right up until they went dark. In short, they gave the online infidelity business not only a moral stink but in an unexpected way: they were so busy chasing short term profits that they were willing to throw its forty million customers on mercy of their spouses. Doubtless the hackers provided samples to prove they had hacked the good stuff, including apparently seven years of credit card transactions. AM was hoping they would blink.

Doubtless too that marital counselors and divorce lawyers are going to get a sharp increase in business. It would not surprise me if their phones were ringing off the hooks. As for AM, I wouldn’t blame its customers if they arrived en masse to torch its offices. Cheaters of the world, unite! Anyhow, fifty years after Mad Men, there are still plenty of Don Drapers out there that are mostly hooking up online. Until a couple of days ago apparently Ashley Madison had the lion’s share and then some of this market.

What interests me is not that AM brokered infidelity. As disgusting as most people at least claim to view infidelity and those that aid them, there are far worse things on the Internet, with ISIS beheading videos coming immediately to mind. Some entities like AM are to be expected in our electronic age. What’s interesting and more than a little appalling is how bad a job they did in keeping their clients’ information confidential. As a software engineer, but also as a guy that is currently getting paid to ghostwrite articles about data security, AM gets an F.

Yes, AM kept a record of all its credit card transactions for the last seven years! It’s such a mind boggling, stupid and reckless thing to do, particularly given the profitability of the site. It would have made much more sense to give in to the hackers’ demands and quietly establish a new site under a new name, oh and fix those security problems too. Doubtless they had the money to do it. Forty million customers, figure 30 million of them men, figure each putting out at least $50 each, that’s at least $150 million in revenue. Since they’ve been in business fifteen years, it’s likely a lot more than that. Likely their overall revenue likely exceeded a billion dollars, not that we’ll know for sure. They aren’t publicly traded, although maybe their successor or whoever buys the brand (Vivid Entertainment?) will be publicly traded, and doubtless do a better job at security.

If I had fewer scruples and more money I might create the next AM site, one that its dubious clients could actually trust. Of course there are always risks in anything done over the Internet. AM’s clients now understand that. The next AM is bound to arise from its ashes, and probably sooner rather than later. Here are some actions items for whatever entrepreneur wants to sail in these turbulent waters in the future:

  • Do not keep records of credit card transactions. Just don’t. Purge these daily, if not more often, from any internal databases. Don’t journal them on backup somewhere.
  • Do not collect any privacy information from your customers, you know like their real names, address and phone numbers. Instead, let some third party act as your broker. Your client gives the broker some money and the broker provides some electronic token identifying the payee that doesn’t actually identify them to your company. The future AM should never collect anything that could identify their clients.
  • Accept more discreet ways of payment. There are lower tech and anonymous ways to pay fees confidentially: wire deposits and money orders, for example. I’d say accept BitCoins but BitCoins are hardly anonymous.
  • Don’t use cloud hosting. Use your own data centers that only you can access and control.
  • One person can’t do this in his basement. So find employees who have a history of being trustworthy, very talented, and discreet and pay them very well. Give them incentives to be discreet. Make their bonuses contingent upon their contributions to improving the business’s security.
  • Retain security experts. To get AM’s entire database required a whole lot of bandwidth. This can be monitored. The tools exist to cut off suspicious behavior already.
  • Do regular vulnerability testing of your website and applications. The tools are out there. Of course fix any vulnerabilities found quickly.
  • Hire a CISO, a Chief Information Security Officer with of course the right credentials.
  • Don’t store obviously sensitive information, like a client’s IP address. Passwords should be encrypted in a MD5 hash in the database.
  • Tell your customers what your security plan is. Get an annual (or more often) security audit from a trusted security auditor and publicize the results for your customers.
  • Provide your customers security tips, like clearing your browser history. I can think of another one. Figure out a way for clients to share pictures anonymously. I’m pretty sure it could be done with Instagram.

As for AM’s clients, those who are not on their way to marital counseling or divorce court, you might consider picking up strangers at bars again or just plastering them with lots of alcohol in the privacy of your office. It sounds cheaper and faster. It worked for Don Draper.

 

Leave a Reply

Switch to our mobile site