Monday, August 24, 2015

ASHLEY MADISON: are suicides the final straw? Open letter to our privacy commissioner and a call to arms for our journalists

People are now committing suicide because their lives have been impacted by this issue and it seems that we are only looking at the hackers and never really looking at the serious lack of ethics at Ashley Madison.

Over at Ashley Madison, the original landing page is back, complete with FALSE STATEMENTS about their outstanding security!

Class Action Lawsuits are being launched and should have no issue showing the lack of ethics that management has shown and continues to show.

Ashley Madison faces $578M Canadian class-action lawsuit

Yes, you read that correctly, LACK OF ETHICS at Ashley Madison.

I realize they are selling a service that many would find lacking in ethics, yet even a hitman is expected to follow certain basic rules that evade the management of Ashley Madison.

I would like to turn this blog post into an open letter addressed to the Canadian Privacy Commissioner, the law firms that are about to take an axe to the subject, and any journalist that wishes to ask that single question that kills:

QUESTION: Ashley, you claim to have a security certification or "award" as you call it, titled "TRUSTED SECURITY AWARD". Can you provide the details of this award, and can we "see" the evaluation criteria and the audit report that surely accompany such a prestigious award?

Here is the thing. The main landing page was just put back to what is essentially the same as before the security issue, and there are numerous FALSE claims right there, right in your face.

You cannot just make up a trusted security award and give it to yourself.

You cannot claim 39,285,000 ANONYMOUS MEMBERS when your entire member list was just leaked.

You cannot claim 100% LIKE-MINDED PEOPLE when the entire world has seen your members list and at least 175,000 have downloaded it, gone through it, and found an impressive number of fake accounts.

You cannot claim 100% DISCREET SERVICE because you have not yet resolved the issue I blogged about several weeks ago: any intercepted email from Ashley Madison lets anyone in without being asked for a username and password.

You certainly cannot claim all these things when people are now jumping off bridges because of your failure.

Yet you are doing exactly that.

You're also telling us in your press releases (along with a regular infusion of bullshit) that an impressive task force of law enforcement is working on this problem.

I'm sceptical here. No one had died up until now, and to be honest, you're a bunch of clowns running a pretty shit quality service. Sure, the front page looks good, but clearly you have not invested in security practices that would make you proud.

I find it hard to believe that all these police agencies are going to invest an incredible amount of time and effort on this case, and... if they do, I would be very VERY upset that MY tax dollars are being spent looking for someone who has just slapped you around when you keep giving me endless reasons to actually fly to Toronto and smack you around myself. Now, certainly the fact that people are committing suicide will place the case on the top of the list, but there are two criminal activities to investigate.

1) Lacking security at Ashley Madison, yet they continue to make claims of great security
2) Criminals stole Ashley Madison data

Both of these things are criminal.

Bottom line, Ashley, you suck and are as much responsible for the problem as the "evil" hackers that stole "our" data.

If you want to show the world you are a trustworthy enterprise, you should publish your system logs: the logs that show the connection IP addresses for the last login from each user account. We already have all the user accounts, so why are you shy? Perhaps you do not want the entire world to see your system logs. Fine, get creative: send them to me, I will confirm what I see and destroy them when done. Why are you not letting REAL experts look under the hood?

I will tell you why. Fake profiles are pretty damned easy to spot when you have ALL the information.

Terrible security is equally easy to spot. Criminal negligence falls under the same banner.

Ashley doesn't want that.

Someone needs to start asking real questions about the numerous laws and privacy regulations that have been broken over at Ashley Madison.

Ashley Madison is offering $500,000 to catch the criminals behind the attack.

Is our government going to do its job and investigate Ashley Madison to the same extent?

To the law firms going after Ashley Madison, please call me. I have a lot of interesting information to share with you.


Eric Parent is a senior security expert, specialized in coaching senior executives. He teaches CyberSecurity at l'Ecole Polytechnique University in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies
