Thursday, August 20, 2015

The Ashley Madison Breach Was Likely a Good Thing

UUID: 4cf5d0bf-381b-4bc5-be2f-f31b8fb0d481

Unless you happen to be a victim, anyway. There is a large set of users who will trust their most sensitive secrets to some random Web site. That has been true since the Web was born, and it isn't going to change, save temporarily. This is one of those moments when a lot of people get outed, and the extent to which it damages them is likely proportional to both their perceived importance (celebrities are not intrinsically important people) and their foolishness.

We can expect a stream of celebrity 'exposures' as news agencies comb a large data dump. Meh. Much noise, signifying nothing. Though I do not doubt that security vendor marketing departments of one sort or another are grinding their heads trying to come up with a way to peddle another White Paper.

The threat, minimal though it is, lies in having someone within your organization who is doubly foolish. Enough to trust that random Web site to begin with, and now willing to do silly things, in the hopes that they will not be outed via what is a very public data dump. In other words, victims of extortion, waiting to happen.

The outcome of that could be very bad indeed. But it really isn't very likely, despite what IT press might indicate.

Take The Register, for example. Always a favorite amongst many IT folk, for the headline comedy, if nothing else. They are unabashedly, well, flamboyant. Now Ashley Madison hackers leak CEO's emails, source code As IBM, Cisco and HP lead the IT pack on adultery website, it seems. They have a couple of bar charts. The first might be of interest to sociologists, as it's about Attached Male Seeking Female, etc. Though one would hope that even practitioners of the soft sciences would do their own research. The second graph is even better. 'Number of Valid Ashley Madison Accounts Among the Largest Tech Companies'. The winner is IBM, with 311. Oh, noes! Until you realize that this is out of a headcount of 379,592 employees at the end of 2014, according to Bloomberg. Eight hundredths of one percent. I doubt that the IBM risk management team is sweating this, and you likely shouldn't either.

What is more likely, in my opinion, is that unteachable people are the greater threat. Those unfortunate people who fall for every phishing scam, click any link in email from strangers, can't exist without a years-old version of Adobe Flash, etc. Yeah. Those people.

Who, by the way, are not mentally deficient, and if you are one of those people making snide remarks referring to 'lusers' instead of 'users', you are part of the problem. If you are heard making a remark like that as you make your way through the cube-farm, you have just alienated the people you are supposed to helping. It's unprofessional, and hasn't been funny for twenty-odd years.

A large subset of the workplace population have certain characteristics that may make a security worker's life more difficult.

  1. An inherently trusting nature
  2. Not comprehending the nature of the environment
  3. Exclusive focus on the task at hand

There's nothing you can do about 1, save waiting for life to burn them enough times for them to develop the required amount of cynicism. Which it undoubtedly will. Number 2 is usually teachable, provided you have not blown any chance of building a rapport via 'luser' comments, etc. Number 3 involves a certain amount of irony, in that we often admire people who can get to that level of focus, and refer to it as in the zone, flow state, etc. That's my personal Happy Place, so I'm sympathetic. Their managers will likely value these employees, because duh. They are very productive.

So there you have it. 2 and 3 mean teaching, which is mind-boggling more effective if you can establish a rapport. 1? We're back to my title. The Ashley Madison Breach Was Likely a Good Thing. IT touches everything these days, from Wall Street to the local tire company. The chances are probably good that the legions of celebrity gossip fans, whom you probably never hoped to reach, will in some way be influenced by this.

How is that not a win?