There have been plenty of times I have received personal abuse, deaths threats and other forms of harassment online in response to my efforts hosting leaked data, most recently in the case of Patreon. As a result, I thought I would take some time out of the day to explain why I do what I do, and what I hope to accomplish with it.
Hosting the leaked data is a risky business. I accept the fact that one day I may be arrested for handling the data if it is alleged to have been stolen. As a result, my legal team are aware of my actions and we already have legal challenges to such an arrest should it be made. However, my reason for doing so is that there is a public interest whenever such data is leaked, both from journalists in established outlets and independent forms of media.
The alternative of not sharing the data is also rather grim. Frankly whether or not I make it available, that data will still be on the internet, and it only takes a quick Google search to reveal this. Most of the other places to obtain the data, however, are from unknown sources and are very difficult to verify the authenticity of the data. Not to mention, I have come across plenty of these sources where said files have malware attached to them, designed to work as people scramble to fulfill their curiosity and download the material without any form of scrutiny as to their origin. So regardless of who hosts it, that data shall always be available. By taking the responsibility to host a copy, it allows journalists and others to focus on the work of analysing the data and leaving the management of that source to me.
The exposure of the information further allows the public to vet what procedures are in place at companies to protect data. The unfortunate reality is that their security is already bypassed at the point of the leak, but that isn’t the end of the story. Passwords for example in the Patreon leak used bcrypt, a hashing algorithm designed to be extraordinarily difficult to brute force and reveal a user’s true password. This is an example of a very good security measure that other organisations and businesses should take note of, especially the many who still store passwords in plain text. It also allows people to identify vulnerabilities, such as how although Ashley Madison employed bcrypt as well, but this was negated thanks to them cutting corners and using MD5 in the process of storing the login tokens (see Joseph’s article on Motherboard here).
Using leaked data allows us an understanding of the true state of affairs of how companies handle your personal data and emphasises to the corporations that personal data is not just another commodity. An organisation with strong password hashing policies like LastPass or indeed Patreon, means they have plenty of time to warn users to change their login credentials. Furthermore, a timely disclosure can repair the company image much better than trying to ignore the problem, as HackingTeam found out (and who still hold a grudge against me to this day for). All in all, the only way to avoid a major catastrophe is for companies to start adopting better ways they collect, use and dispose of data. If they do not need to store some information, then it should be disposed of, a fatal flaw in the operations of Ashley Madison. One of the reasons I support the use of bitcoin is that with no fraud risk from chargebacks, personal information does not need to be collected in the very first place.
Like many of the data breaches this year, it is not what happens once the data is leaked that is a problem, but what you do before it that matters. Taking the proper precautions and maintaining minimal user information, is the only way to safeguard against misuse either from the legal forces in play, or the rogue hackers looking for their next victim.