InfoSec, Ashley Madison, and The Poisonous Tree
Imagine a scenario where a local Catholic Priest kept a diary of everyone's moral transgressions as well as temptations, his 'short cut' notes for confessionals. Consider that he trusted others with the security of his Church, and with the security of his room. Ponder that he hid a small key to this diary in his garden, which was also tended by others. Assume this had gone on for years.
One day, this same Priest opens Mass by noting the diary has been stolen. The congregation panics! Not simply stolen, he says, but apparently copied thousands of times, by thousands of men, and freely distributed over the world. He tells you that newspapers would be publishing the names and addresses of some, noting not just the transgression, but even temptations not acted upon, and also the address, the location, the tools used; in short, omniscient levels of detail. He reminds you that well-meaning security firms would also be reviewing 'every page', not just to prevent further theft, but also to help tabloids, journalists, and others 'determine' exactly who did what, when and why. Finally, he tells you that right now people all around the world are taking apart this stolen data, putting it back together, and thinking of ways to use it against you: blackmail, threats to your job, embarrassment to your family, all ready to go.
In US law, the legal metaphor 'Fruit of the Poisonous Tree' applies to evidence that was obtained illegally not being allowed in court, which is generally considered an extension of the exclusionary rule. The principle is a great American tradition: don't encourage law enforcement to break laws in the pursuit of 'justice' or 'truth'. In the UK, roughly speaking, evidence is evidence; don't let the criminal off because the constable did a poor job. Both approaches of course have exceptions, most notably in the USA where 'national interest' often allows the press to use stolen data for a 'greater good', Watergate being the classic example, or the various Snowden leaks.
Regardless of what legal framework you are in (and the Ashley Madison data, by the way, has passed through them all anyway), most would have to agree that what I've outlined above makes them uncomfortable. Generally speaking, though, the victims at this hypothetical Mass would have had many, many legal avenues to pursue against the companies, newspapers, and others that worked to slander them and violate their privacy.
Ironically, very similar matters of fact apply in the Ashley Madison hack, yet most are acting as if this stolen data is somehow different from a stolen diary, or stolen files taken from an office building. Is it really in the public interest to expose millions of people, to open them to blackmail, to implicate the likes of the US military because a tiny fraction of accounts were .mil addresses? Is it really 'value add' for certain security firms to be reviewing the data itself and being quoted in the press commenting about the people exposed here and talking about their potential blackmail, vs focusing on preventing hacks like this in the future? Security firms should focus on the means of the hack (how it happened, why, and what controls they can propose to fix it) vs the 'ends' of the hack: the data and the enablement of privacy violations.
In both Common and Civil law traditions, certain fundamental rights and expectations exist. Do they vary somewhat from country to country in the EU, in the USA, and in other parts of the Western world? Absolutely. But until the 'cyber' world starts treating data like the property it is, until the press and our governments start applying laws and principles to intangible assets and data the same way we apply them to tangible assets and physical files or documents, a real double standard has the potential to develop. Heck, it has been going on for years: shoplift a DVD in inner city Chicago, get booked in jail. Steal 100 movies and upload them to a server then watched illegally by tens of thousands, and the odds are near zero you are held to account.
It is easy to despise what Ashley Madison represented. It is clearly also easy for security firms, the press, and others to gleefully dig through this trove of data looking for 'dirt' on people and throw stones all around glass houses. Yet I do fear that few people these days are considering the longer term implications AFTER a breach occurs. As data is copied, moved around, shifted to new servers, etc., they seem to forget they are working with stolen data. By cavalierly playing around with the privacy of millions, or the intellectual property of firms, most people and firms seem to have no idea what long term impacts these actions will have, nor do they seem to care, as there are no consequences.
Already we see the impact: a suicide today, 'fake' data dumps carrying malware and viruses, clever phishing campaigns saying 'click here as you OR your spouse are on the list' that trigger malware / viruses / etc. in corporate networks. This is just the beginning of the unintended consequences.
Perhaps vicarious liability needs to be revisited and extended dramatically; after all, in the digital world, all can be traced. Our actions and the people they impact continue to expand by degrees of separation. In the cyber world, an immoral act of theft no longer has just one direct impact; rather, one immoral action is magnified by the thousands of follow-on thefts, by the collective mob aiming to destroy a man not just today, but for his entire life, with a digital trail of shame that can never be erased.
And to think, all of this can be done by the click of a mouse and the wink of a hacker as he copies stolen data and moves it onwards to others, with only a cold pizza slice as his judge and witness.
“Looters become looted, while time and tide make us mercenaries all.” - Patrick Rothfuss
Manager, IBM X-Force
9 years. Hey Robert, great post. We seem to be on the same page https://securityintelligence.com/blurred-lines-researching-the-ashley-madison-data/
Consultant and Investor
9 years. Great summary of this situation and the issues it presents, Rob. Highlighting the difference in law and perception of the real and virtual worlds still being miles apart is interesting. And while there is an awful impact on those affected, this is also a hard lesson in how little privacy we really have on the internet, to bring the kind of awareness and 'life skills' needed to protect it.
Hi Robert, a long reply... Let's start with morality: "In morality there is something good and something bad. In being natural there is something wise and something stupid. A man who is natural is wise, not good. A man who is not natural is stupid, not bad. There is nothing bad and nothing good, only wise things and foolish things. And if you are foolish you harm yourself and others, and if you are wise you don’t harm anybody – neither others, nor you. There is nothing like sin and there is nothing like virtue – wisdom is all. If you want to call it virtue, call it virtue. And ignorance is there if you want to call it sin – that is the only sin." (Osho, Tantra, the supreme understanding) We live in non-natural societies. ALL cultures and value systems are built upon stories we tell ourselves as a collective and embrace them via a false understanding of our individualism. These flawed, knowledge-based systems are accelerated in the digital era, and as such stupid acts bring more suffering to humanity, to us. Now, let us look at why we are evolutionarily wired to do stupid things: --------------- "The human brain has a very important mechanism that was developed over hundreds of millions of years to identify dangers. It is called the amygdala. The way it works is like that – the amygdala is like your personal alarm system, and your brain’s neurology is wiring all the information it processes to it. The amygdala is training itself to process this information (which most of the time is received from our senses) in order to try and identify dangers. It is great at identifying visual imagery like a lion or a bear, it is also great at identifying suspicious sounds, and temperature differences, or when your mother-in-law is about to arrive. These types of dangers are pretty easy to train because this kind of sensory information has been around for millions and millions of years, and giving an OK or NOT OK signal from such information is fast and effective.
HOWEVER, the amygdala was not really created to handle the flow of endless letters and sounds that we process today, because a link is just a click away, while the text that appears in the email itself, which we must read before we press the link, requires a lot of different parts of the brain in order to process the meaning of it. Until that processing time is over, your amygdala has already sent an OK signal, and this “OK” reply is light-years faster (in terms of brain processing time) than the complex neurological associations you are required to perform when you need to do an analysis of a letter you just received and decide if it is spam or not. Combine that with the way our brain always comes up with excuses for what we do and you can start to understand why we have a large population that is clicking on links without thinking and is not even aware of it. (Source: "Amygdalala-land", Sense of awareness blog, Eh'den Biber, 2011) ---------------- Since we are not wired to notice digital danger from an evolutionary point of view, we depend more and more on technological means to protect us, but it makes us even more fragile. These technologies are new and as such more fragile, thus can be manipulated, circumvented or broken. I've written about this in one of my previous posts, "dancing with Faust". We all experience what our actions do to others, but the less aware you are, the longer it takes till you realise it. Most people or organisations will realise it when they experience death in some form, as I wrote about in "the corporate book of the dead", and in that case it is a BIG lesson, much worse than the pain one tried to avoid when deciding not to be aware. If someone (organisation or individual) wants no suffering, the solution is a sense of awareness, not the "fast-food-awareness" that is being promised via every corporate CBT program or awareness poster.
A sense of awareness comes only via love, compassion, kindness, happiness and stillness.
You're right, there likely will be many more tragic endings now that this has proven to be effective.
Founder at Validato | Security Validation | Threat Simulation | Cyber Risk specialist | Third Party Risk |
9 years. A great post Robert. Even more tragic to hear that the immature actions of the group that stole and disclosed this data have now resulted in two reported suicides in Canada this morning. I wonder how that weighs on their minds?