Security Researcher Brian Krebs Receives Legal Threat From Former Ashley Madison Exec Over Hacking Allegations
from the possibly-some-merit-in-the-threats-for-a-change dept
Ashley Madison’s former CTO, Raja Bhatia, is toying with the idea of suing security researcher Brian Krebs for libel. Bhatia has problems with an earlier story by Krebs, which quoted emails obtained from the Ashley Madison hack that seemingly indicated the company’s execs participated in the breach of a rival’s customer database.
The original story made these claims (again, based on the content of exposed emails):
A review of those missives shows that on at least one occasion, a former company executive hacked another dating website, exfiltrating their entire user database. On Nov. 30, 2012, Raja Bhatia, the founding chief technology officer of AshleyMadison.com, sent a message to Biderman notifying his boss of a security hole discovered in nerve.com, an American online magazine dedicated to sexual topics, relationships and culture.
At the time, nerve.com was experimenting with its own adult dating section, and Bhatia said he’d uncovered a way to download and manipulate the nerve.com user database.
“They did a very lousy job building their platform. I got their entire user base,” Bhatia told Biderman via email, including in the message a link to a Github archive with a sample of the database. “Also, I can turn any non paying user into a paying user, vice versa, compose messages between users, check unread stats, etc.”
Bhatia’s legal rep says Bhatia takes exception to being labelled a hacker in the headline and body of the post. Unlike countless other legal threats, this letter to Krebs takes the time to point out the specific claims Bhatia takes issue with, as well as offering up information that seemingly contradicts Krebs’ assertions.
Contrary to the express statement in the article’s title and the suggestion in its body, Mr. Bhatia did not “hack” Nerve.com. Rather, he noticed a readily apparent security gap and remarked on it to Noel Biderman, Ashley Madison’s CEO, with whom he happened to speak shortly thereafter. At no time did Mr. Bhatia attempt to bypass Nerve.com’s security or to exploit its gap in any way. He did not bulk exfiltrate this data or attempt to alter it, as implied by the selective quotes from his emails included in your post. To the contrary, Mr. Bhatia expressly stated that he would not do so in the email sequence referred to in the article, a point omitted from your report.
Bhatia’s lawyer has asked for a correction and retraction of the earlier post. Krebs has refused to do, standing by his earlier assertions and posting Bhatia’s letter in full.
Unfortunately for Krebs, he has a much higher bar to reach to get this thrown out. The lawsuit, if it arrives, will be filed in Canada, where Ashley Madison’s parent company (Avid Life Media) is located. Canadian law shifts much of the burden of proof to defendants in defamation cases and Canadian courts have been known to reach some very questionable conclusions when dealing with these sorts of lawsuits. That being said, the SPEECH Act would likely prevent a Canadian court from issuing an unenforceable order targeting a US site. But it still would mean Krebs would need to spend money and time fighting the lawsuit.
The other thing that might hurt Krebs is any discussion of the word “hacking.” The way it’s used in his original post brings an entirely negative connotation to a word that is also frequently used to describe the work done by Krebs himself. Any efforts to prove the truth of his hacking allegations against Bhatia are likely to do additional damage to a word that can also cover the “neutral” and “good” ends of the spectrum. Obviously, it’s in Bhatia’s interests to push for redefining “hacking” as purely a nefarious activity, seeing as the legal threat refers to the “implications” of Krebs’ post almost as much as it refers to any “false and defamatory statements.”
In a very colloquial sense, Bhatia’s discovery of a security flaw is “hacking.” Bhatia’s legal team obviously views the use of “hacking” in this context to be wholly negative. Litigation over “hacking” allegations has the potential to further push “hacking” towards being synonymous with “evil.” According to Krebs’ own words, no real “hacking” was done, at least not in the criminal sense (where protective schemes are attacked and breached). This “hack” was no more inappropriately intrusive than uber-troll Weev’s incremental alteration of user ID numbers to access AT&T user account info.
On the other hand, arguments in favor of a more colloquial definition of “hacking’ could work in Krebs’ favor, where “hacking” simply means using or accessing something in a way the general public wouldn’t. In that sense, the headline and the quasi-accusation would be truthful, if not especially accurate. Krebs could argue his use of the word “hacking” wasn’t meant to have negative connotation but was simply used as accessible shorthand for Bhatia’s actions. Either way, colloquial use of a term that encompasses a wide variety of actions (good and bad) isn’t really enough to rise to the level of defamation.
The larger issue may be the statement that Bhatia exfiltrated nerve.com’s user database. As the letter states, other emails indicate he did no such thing (and indeed wouldn’t) even though he had the opportunity.
At this point, it’s Bhatia’s move. Krebs is refusing to comply with the requests of Bhatia’s attorney. Now that everyone’s lining up to file a lawsuit against the company, it’s probably a safe to assume a few lawsuits will be filed in the other direction, targeting those utilizing information obtained from the hack. Bhatia has a favorable venue and very little to lose by pursuing this, so I would expect an announcement of a lawsuit in the near future.
Filed Under: ashley madison hack, brian krebs, canada, defamation, hacking, raja bhatia, speech act, threats
Companies: ashley madison, avid life media, nerve.com
Comments on “Security Researcher Brian Krebs Receives Legal Threat From Former Ashley Madison Exec Over Hacking Allegations”
And Ken White (Popehat) has already offered to assist Brian. WOOOOOOO!
How funny, I remember reading here stories about people that “noticed readily apparent security gaps” being called “hackers” by the companies who were noticed by them.
Re: Re:
Exactly what I came here to say. Even something as simple as URL manipulation has landed people in court and labeled as a hacker.
Re: Re:
This ship sailed about a decade and a half ago. Nobody’d listen to us. “Hacking” has a long distinguished history (cf. MIT’s “model railroad club”, et al). It’s about curiosity about how things work. We tried to distinguish “white-hat hacking” from “black-hat cracking“, but the media’d have none of that. It didn’t fly. Meh.
Krebs is a credible security researcher and reporter. He would not mis-read an email, ffs.
However, thanks for warning me about Canadian law. I should shut up more often it seems.
On the other hand Canada has a Loser Pays system. If Krebs wins, Bhatia would have to pay his legal bills. That discourages a lot of litigation that would happen in the US.
It “Cracking”, ya fools. Geez, warez really did burn down the world.
There must be some sort of Heisenberg Principle applicable to hacking. The very act of observing creates the hacking.
How do you know you have unencrypted used data without actually opening at least one record? How do you know you can access or change fields without at least reading the fields – how do you know you have write capability without querying status or something – all of which implies at minimum getting onto a system in a manner you are not permitted to.
Re: Re:
Is Vint Cerf a co-defendant? “ping -c 1 $IP_ADDRESS”
If it’s on-line and you haven’t a valid login on it, is it illegal now to touch it in any way? Is there an RFC that says anything about what we can and cannot do to a machine connected to a network that was designed to make all connected hosts valid connectivity paths?
Re: Re:
When you increment a URL, you are essentially sending a note to a security agent of the company in question requesting information.
Imagine a demonstration in a hypothetical court: Pass a note to the judge, requesting that he raise his right hand then lower it. The note does not compel him to act or trick him into doing so, he chooses to do so or not to do so of his own free will. Adding the words ‘on the internet’ to the process does not create a violation of anti-hacking statutes (such as the CFAA to name one example) nor does it imply deceit of any kind.
A request was made and fulfilled. If the company employing the security agent — whether digital or flesh and blood — has not told their agent not to give out certain information upon request, that is on the company not the person making the request.
For a court to rule otherwise would result in absurdity at best.
For example, even if you have a login and password and only access your own stored data, if that data is about something the company dislikes then accessing it would make you a hacker.
For that matter, people like OotB here on Techdirt could be accused of hacking and even convicted of it for doing nothing more than using their own account to post an unpopular opinion.
People could be sent to prison because a company made a mistake and posted confidential information in a public venue, and people read it. Ever gotten an email from someone by mistake? If an authorized request that results in information being released improperly is hacking, then reading that hypothetical email would make you a felon.
Huh?
Shill, I mean lawyer: “He did not bulk exfiltrate this data”
Then what does..
Bhatia: I got their entire user base
..mean?
Re: Huh?
Exactly. Discovery alone is going to cost Bhatia any future jobs. You have to actually not have done anything close to hacking and his own emails betray that as a lie.
Re: Re: Huh?
I think discovery has already been done, and ready for immediate download… There’s probably not a whole lot left for Krebs to request.