Monday, July 20, 2015

Ashley Madison's data breach is everyone's problem

by Russell Brandom

Late last night, the 37 million users of the adultery-themed dating site Ashley Madison got some very bad news. A group calling itself the Impact Team appears to have compromised all the company's data, and is threatening to release "all customer records, including profiles with all the customers' secret sexual fantasies" if Ashley Madison and a sister site are not taken down.

Collecting and retaining user data is the norm in modern web businesses, and while it's usually invisible, the result for Ashley Madison has been catastrophic. In hindsight, we can point to data that should have been anonymized or connections that should have been less accessible, but the biggest problem is deeper and more universal. If services want to offer genuine privacy, they have to break away from those practices, interrogating every element of their service as a potential security problem. Ashley Madison didn't do that. The service was engineered and arranged like dozens of other modern web sites — and by following those rules, the company made a breach like this inevitable.

The most obvious example of this is Ashley Madison's password reset feature. It works just like dozens of other password resets you've seen: you enter in your email, and if you're in the database, they'll send a link to create a new password. As developer Troy Hunt points out, it also shows you a slightly different message if the email really is in the database. The result is that, if you want to find out if your husband is looking for dates on Ashley Madison, all you have to do is plug in his email and see which page you get. That was true long before the hack, and it was a serious data leak — but because it followed standard web practices, it slipped by mostly unnoticed.

It's not the only example: you could make similar points about data retention, SQL databases or a dozen other back-end features. This is how web development usually works. You find features that work on other sites and you copy them, giving developers a codebase to work from and users a head start in figuring out the site. But those features aren't usually built with privacy in mind, which means developers often import security problems at the same time. The password reset feature was fine for services like Amazon or Gmail, where it doesn't matter if you're outed as a user — but for an ostensibly private service like Ashley Madison, it was a disaster waiting to happen.

Now that the company's database is on the cusp of being made public, there are other design decisions that may prove even more damaging. Why, for instance, did the site keep users' real names and addresses on file? It's a standard practice, sure, and it certainly makes billing easier — but now that Ashley Madison has been breached, it's hard to think the benefits outweighed the risk. As Johns Hopkins cryptographer Matthew Green pointed out in the wake of the breach, customer data is often a liability rather than an asset. If the service is meant to be private, why not purge all identifiable information from the servers, communicating only through pseudonyms?

The worst practice of all was Ashley Madison's "paid delete" service, which offered to take down users' private data for $19 — a practice that now looks like extortion in the service of privacy. But even the idea of paying a premium for privacy isn't new within the web more broadly. WHOIS offers a version of the same service: for an extra $8 per year, you can keep your personal information out of the database. The difference, of course, is that Ashley Madison is an entirely different kind of service, and should have been baking privacy in from the very beginning. It's an open question how strong Ashley Madison's privacy needed to be — should it have used Bitcoins instead of credit cards? insisted on Tor? — but the company seems to have ignored those issues entirely. The result was a disaster waiting to happen.

There's no obvious technical failure to blame for the breach (according to the company, the attacker was an insider threat), but there was a serious data management problem, and it’s entirely Ashley Madison’s fault. Much of the data that's at risk of leaking should never have been available at all.

But while Ashley Madison made a bad, painful error by openly retaining that much data, it’s not the only company that’s making that mistake. We expect modern web companies to collect and retain data on their users, even when they have no reason to. The expectation hits every level, from the way sites are funded to the way they're engineered. It rarely backfires, but when it does, it can be a nightmare for companies and users alike. For Ashley Madison, it may be that the company didn't truly consider privacy until it was too late.
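The password reset leak described above can be caught with a regression check before a form ships. The following is an added example, not code from the article or from Ashley Madison: the handler names, messages and addresses are constructed for illustration. It shows a reset handler whose page differs by membership next to one that answers every address identically, and a check that flags the difference.

```python
"""Constructed example: membership leak through a password-reset form."""
import hashlib
import secrets

# Constructed sample data; all names and addresses here are hypothetical.
USERS = {"member@example.com"}
OUTBOX = []  # stands in for the outgoing mail queue

GENERIC = "If that address has an account, a reset link has been sent to it."


def _send_reset(email):
    """Queue a single-use reset token for a registered address."""
    OUTBOX.append((email, secrets.token_urlsafe(32)))


def reset_leaky(email):
    """'Before' behaviour: the returned page differs slightly by membership."""
    email = email.strip().lower()
    if email in USERS:
        _send_reset(email)
        return 200, "Thank you. A reset link has been sent to your address."
    return 200, "Thank you. If that address exists, a reset link will be sent."


def reset_uniform(email):
    """Hardened behaviour: same status and body whether or not the user exists."""
    email = email.strip().lower()
    if email in USERS:
        _send_reset(email)  # the only difference is out of band, in the mailbox
    return 200, GENERIC


def fingerprint(response):
    """Reduce a response to what a caller can compare: status and body hash."""
    status, body = response
    return status, hashlib.sha256(body.encode("utf-8")).hexdigest()


def is_enumeration_oracle(handler, known, unknown):
    """True when responses for a registered and an unregistered address differ."""
    return fingerprint(handler(known)) != fingerprint(handler(unknown))


if __name__ == "__main__":
    for handler in (reset_leaky, reset_uniform):
        leaks = is_enumeration_oracle(
            handler, "member@example.com", "stranger@example.com"
        )
        print(f"{handler.__name__}: reveals membership = {leaks}")
```

The same comparison belongs in the test suite for any other form that takes an email address, such as login and sign-up, since each can reveal membership in the same way.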

Thursday, November 6, 2014

STD dating website fined $16.5m in privacy case

An internet dating site for users with sexually transmitted diseases has been ordered to pay $16.5 million in damages in a privacy case. The plaintiff in the case, known only as John Doe, argued that and parent company Successful Match mined and shared users' personal information, including photographs, and distributed them on its subsidiary.

Saturday, June 29, 2013

How to Meet an Online Friend in Real Life Without It Being Awkward

You're not looking to bang every person you meet online. Sometimes, you're just looking for friends. But somehow, meeting someone you know online platonically has become a far more awkward endeavor than a random DateFling date. You know her but you don't know her. Do you shake hands? Do you hug? Do you do that open-palmed half-wave? God forbid she goes for the hug and you go for the handshake like you're in some jerking, uncoordinated, chest-poking dance.

We know how to navigate these waters with dates we picked up online, but digital friendships don't always translate seamlessly to the real world. And yet increasingly, the internet is how we meet people now. So you better be able to ride out that unavoidable initial awkwardness.

That looming uncertainty of what someone you already know is really like is where a lot of the nerves come from. Plus, there's the very normal desire to make a good first impression. But there are a few easy ways to make the butterflies in your stomach chill out a little bit.

Meet in a group setting. Do you have a few people you know from the internet you'd like to meet? Why not all meet at once? If you're going to be awkward, at least be awkward together. You'd all have to be trying very deliberately to achieve much awkward silence between the five of you. (Though god help you if you do.)

Meet somewhere public. As with Craigslist transactions and drug deals, you'll want to meet somewhere with other people around. A bar is the most obvious destination, because there will at least be a bartender there and there's a clearcut escape route. Plus, booze!

Bring a friend for support. The buddy system isn't a bad idea, either. Sometimes it helps to have another mouth around to keep the conversation going. And again, it provides you with an easy out.

I've actually done real life meetups quite a bit. One that stands out happened in February with a bunch of media types at a dark bar in Brooklyn that serves kitschy beach drinks. We decided, Hey, we jabber at each other all day through our keyboards, why not make it honest and actually, you know, hang out? This is sort of an extraordinary circumstance, but everything came together perfectly. It started with a few people who knew each other from Twitter and whatnot and wanted to have a drink together, and the word sort of spread to others who wanted to join in on the fun IRL. It was great! And all the awkwardness was avoided thanks to the group setting (and the drinks).

The beauty of the whole thing is that we never would have met were it not for the internet. Not every situation is so ideal, but there's no reason your internet friends can't be real world friends too.

Friday, March 29, 2013

Article: Following its new iPhone campaign, Apple shares ‘Why you’ll love an iPad’

Apple used to set the standards, but now, I have the feeling that they are trying to play catch-up.


Monday, January 28, 2013

Facebook Is Primed To Disrupt Online Dating

Editor’s Note: Brian Bowman is founder and CEO of, a fun way to discover people, places, and things. Follow him on Twitter @BowmanBrian.
The responsibility of dating sites should be to facilitate great first dates. Unfortunately, the dating industry has chosen to protect its charge-to-communicate business model instead of give consumers access to information to make an educated decision about a potential date: Is my date a real person? Who do we know in common and what mutual interests do we share?
But there is a site out there with 1 billion people that is quite familiar with my friends and me, as well as all of our interests: Facebook.
I have been involved in the dating and social industries since 2003. I was the vice president of product at, then vice president of community at Yahoo and am now the founder and CEO of I met my wife on an online dating site, and we have been happily married for nine years.
Since the launch of Match in 1995, singles have searched for fun and love online by attempting to describe themselves in 500 words or fewer. They check boxes, they answer quizzes, and they hope for the best. This method has worked for some, but it has left millions of other users dateless and dissatisfied with their online dating experiences. A shallow pool of compelling matches, coupled with outdated information, leads to a constant churn of unhappy daters. Singles belong to 2.5 dating sites on average, expressing their desire to reach more people and find a better solution.
Men and women experience online dating very differently – think hunter-gatherer. Men typically send out hundreds of quickly written emails hoping someone will respond. Women can receive hundreds of emails a week, but respond to less than 2 percent. Part of the single’s frustration is that you can’t respond to an email unless you pay. On average, fewer than 10 percent of people subscribe to and unlock communication, meaning 90 percent of people can’t respond to your emails.
To complicate the single’s experience further, most dating profiles are static and lack social network updates. The site restricts information sharing to prevent identity leakage and maintain control over communication. A common question you will hear most singles ask when they first meet is, “Who do we know in common?”  While real identity is standard on Facebook, LinkedIn and Google+, a majority of dating sites require anonymity, which prevents consumers from seeing mutual friends. The result: Most consumers don’t pay, and they abandon sites in frustration.
Why Hasn’t Social Discovery Disrupted Online Dating?
The social discovery market can be distilled into two primary markets: business networking and dating. While Badoo, Tagged and MeetMe position themselves as “meeting new people,” their primary use case is dating. Each has achieved reasonable success, but they have not integrated Facebook’s social graph so you can see someone’s friends. There is a lot of untapped opportunity to disrupt traditional dating if they take steps to integrate further with Facebook.
Why Hasn’t A Killer Social Dating App Taken Off?
I remain convinced that online dating will evolve and integrate social elements. People have always met through mutual friends and shared interests, and bringing these capabilities online will enhance the user experience. But for most startups, there is a significant cold-start problem. Few startups are funded well enough to afford the marketing required to achieve scale. To be a successful, U.S.-wide, general-purpose dating site you need about 250,000 profiles. This allows the display of meaningful search results when singles filter for age, ethnicity, religion, distance and sexual preference.
Since most social dating sites can’t afford to buy users, they launch features to get viral. However, independent of age, four out of ten people will not post publicly on Facebook that they are using a dating app, and this arrests virality. The reluctance to share romantic activities on Facebook seems due in part to the intimacy of dating and the desire to share only with close family and friends. Many people feel increased reluctance to share their romantic endeavors on Facebook, because their group of Facebook friends has grown substantially to include co-workers, high school/college friends and extended family.
To illustrate the challenge, no social dating site has gained meaningful traction: (10,000), Yoke (10,000—Buzzfeed acqui-hire), (1,000), LikeBright (1,000), thedatable (200), and (Alexa Rank 164,000) have struggled, while Wings, Gelato, and Thread are shuttered.
Despite these challenges and lack of innovation by the leaders, the online dating industry continues to be recession-proof  - it is growing and has won wide acceptance among singles today. With Facebook’s Graph Search and the company’s newly expressed interest in online dating, can it reinvent dating, drive down the associated stigma and expand the market?
While the primary hurdle for Facebook may be privacy, there are other challenges, too. Just because someone’s profile indicates they are single does not mean they are ready for dating or want to be contacted by a stranger. On Facebook, receiving messages from strangers feels creepy (paid or not).
Facebook’s profiles are shallow and not representative of a user’s current interests or romantic preferences. Facebook’s structured data for things like movies, books, restaurants and sports is not as good as Netflix, Yelp, Amazon, etc. If Facebook becomes more competitive in these areas, will they maintain access to structured third-party feeds?
The real question may be how important is the dating market to Facebook? It will be a challenge to run so many vertical solutions: dating, recruiting, ratings, reviews, etc. Will they pick a few ideas on which to focus, and will dating make the cut?
How Can Facebook Disrupt Online Dating?
First, Facebook can assure singles that dating can be a completely private experience, and that dating activities will not be published on a wall unless singles want it to be published. Facebook can create a pseudo-closed environment by offering a dedicated dating section in About Me and allowing singles to choose whether that section is public, private or only viewable by people with dating profiles.
Facebook can easily leverage their massive social graph to enable meaningful friend-of-friend introductions. They can create very detailed, self-updating profiles by displaying and structuring data from Pinterest, Spotify, Pandora, Yelp, Netflix, Amazon, ESPN, GoodReads and more.
They can dominate real-time communication: chat, check-ins, poke, texting and Skype video chat. To help singles feel more comfortable, they can even set up a “dating inbox” to isolate unsolicited messages. To improve both the quality and response rates of emails, they can allow anonymous ratings of senders, and reward those with good behavior and thoughtful emails.
If I am on a date and I know we share trail running, Bikram yoga, spiritual books, action movies and five mutual friends, I have a lot of topics I can discuss. Facebook Graph Search will allow singles to find that special someone and could be transformational to the industry.
But most importantly, by simply allowing consumers to share their user names from other dating sites, Facebook can maintain the existing industry’s niches while allowing search and free communication across all dating services. In doing so, Facebook can simultaneously dismantle the pay-to-communicate business model that underpins a majority of the revenue in the industry today, and reinvent online dating by creating a massive front door that allows consumers to have a compelling, high-quality experience for free.

Friday, January 4, 2013

This Genius Used OkCupid To Get a "Date" With the Scumbag That Stole His iPhone

What do you do when your iPhone is stolen? Cry? Get a new one? Scream at the sky? How about tracking down the thief by luring him to a sexy date over OkCupid and then threatening him with a hammer so he gives it back? That last one worked out pretty well for Nadav Nirenberg.

On New Year's Eve, Nirenberg (trombonist for awesome-tastic ska band Streetlight Manifesto, I might add) lost his iPhone 4 in a cab. The very next day, he woke up to email alerts that the thief had been using the phone to message hotties on OkCupid, and sprang into action. Creating a fake profile for a non-existent "Jennifer in BK," paired with an image of a busty babe culled from Google, he messaged the thief with a proposition, and suggested the pair meet up at "Jennifer's" apartment. "I used lots of winks and smiley faces so I would seem like a girl," Nirenberg told the New York Post.
And when the thief arrived with a bottle of wine, Nirenberg showed up to the door not wearing something skimpy, but rather brandishing a hammer. The thief sheepishly returned the phone, and Nirenberg even gave him $20 for his trouble before he ran off. And for the cherry on top, Nirenberg told the Post, "As he was walking away, I said, 'You smell great, though.'" How's that for a date with destiny? [The New York Post via Geekosystem]

Wednesday, June 13, 2012

Skout - The iPhone Flirting App Under Fire

Skout is a fast-growing, free flirting app for iPhone. Recently it has come under fire, after it was discovered that a 3rd child was raped by a man posing as a teenager in the app's separate section for 13- to 17-year-olds.
The NY Times reports:
In one case, a 24-year-old man was accused of raping a 12-year-old girl in Escondido, Calif. In the second, a 15-year-old girl said she had been raped by a 37-year-old man she met using Skout. In the third, a 21-year-old man in Waukesha, Wis., is facing charges that he sexually assaulted a 13-year-old boy.
It seems like this is only happening when users opt into using the GPS feature of the application, which allows them to find users nearby.
Mr. Christian Wiklund, Skout's founder, has expressed his desire to help the police with any investigations they undertake, for which we commend him.

Thursday, June 7, 2012

eHarmony Passwords Leaked [Security]

In addition to the recent leakage reported by LinkedIn, eHarmony is now reporting that passwords may have been accessed. eHarmony posted the below statement on their blog this evening:
The security of our customers' information is extremely important to us, and we do not take this situation lightly.
After investigating reports of compromised passwords, we have found that a small fraction of our user base has been affected. We are continuing to investigate but would like to provide the following actions we are taking to protect our members.
As a precaution, we have reset affected members' passwords.
Those members will receive an email with instructions on how to reset their passwords.
We recommend all members to practice these robust password security tips:
• Create a strong password of at least 8 characters, composed of lowercase and uppercase letters, numbers and symbols
• Create different passwords for each of the Internet sites you use
• Change your passwords every few months
Please be assured that eHarmony uses robust security measures, including password hashing and data encryption, to protect our members' personal information. We also protect our networks with state-of-the-art firewalls, load balancers, SSL and other sophisticated security approaches.
We deeply regret any inconvenience this causes any of our users.