Joel Eriksson
Vulnerability researcher, exploit developer and reverse-engineer. Have spoken at BlackHat, DefCon and the RSA conference. CTF player. Puzzle solver (Cicada 3301, Boxen)

Ashley Madison Post-Mortem

What would I have done differently in the Ashley Madison case, knowing what I know now?

Someone asked me this question on LinkedIn, and I thought I’d share my response here as well.

Knowing what I know now, I would start working much earlier on a tool I developed later in the investigation in order to significantly slow down the torrents leaking (among other things) customer data + buying me time to gain access to the box used to seed the torrents & shred the data.

I started researching the torrent protocol & developing the tool in question after the first torrent (out of three) was released. I was able to significantly slow down the downloads of the second and third torrent, but unfortunately didn’t look into gaining access to the seed box until the third one. It turned out to be surprisingly easy once I did, due to rookie mistakes by the perpetrator(s).

My tool was also tracking how much and which parts of the torrent had been downloaded so far by each of the peers in the “swarm”, and at the time I was able to shred the data on the seed box no one had downloaded the full thing yet.

Combining all the pieces that had been downloaded so far, only about 7% were missing though. The missing pieces were spread out over about 20% of the later parts of the file though, so people would encounter errors when decompressing the archive (7z IIRC) after having extracted about 80% of the data.

This part of my work on the project was not even mentioned in the documentary, but it was really the most significant part for me personally.

From a purely technical perspective, it was interesting to me because I got to do a bit of research and develop a tool that could be used in other cases where torrents were used to leak data.

In general, if something can be done using existing tools and/or public knowledge, it doesn’t really make much sense to involve me to begin with.

Besides the technical aspects, I felt that we lost the actually important battle once the customer data had been leaked though. I cared a lot less about the business side of things than the side of people whose lives were ruined because of it.

It’s easy to moralize against cheaters etc, but the fact of the matter is that this data leak directly led to multiple suicides and shattered the lives of a lot more people than ones that people might think “deserved” it.