September 9, 2015

Last month, KrebsOnSecurity posted an exclusive story about emails leaked from AshleyMadison that suggested the company’s former chief technology officer Raja Bhatia hacked into a rival firm in 2012. Now, an attorney for the former executive is threatening a libel lawsuit against this author unless the story is retracted.

According to Bhatia’s attorney, the part of the story they consider defamatory has to do with the headline of the piece, and this bit:

“A review of those missives shows that on at least one occasion, a former company executive hacked another dating website, exfiltrating their entire user database. On Nov. 30, 2012, Raja Bhatia, the founding chief technology officer of AshleyMadison.com, sent a message to Biderman notifying his boss of a security hole discovered in nerve.com, an American online magazine dedicated to sexual topics, relationships and culture.

At the time, nerve.com was experimenting with its own adult dating section, and Bhatia said he’d uncovered a way to download and manipulate the nerve.com user database.

“They did a very lousy job building their platform. I got their entire user base,” Bhatia told Biderman via email, including in the message a link to a Github archive with a sample of the database. “Also, I can turn any non paying user into a paying user, vice versa, compose messages between users, check unread stats, etc.”

Libel lawsuits in the United States are usually quite difficult and expensive for the plaintiff to win. But in Canada — where Bhatia’s attorney and AshleyMadison’s parent company Avid Life Media are headquartered — the libel laws are more complex for defendants. For example, according to my consultation with a prominent Canadian digital media attorney, the onus there is on the accused to prove the disputed libelous claims are in fact true.

Nevertheless, I have no intention of posting a retraction or correcting any elements of this story. But I’m publishing a copy of the letter (PDF) from Bhatia’s lawyer in the likely event that other publications have also received libel and defamation threats from AshleyMadison and/or its current and former employees.

A story at Wired.com from Kim Zetter that ran shortly after my piece aired includes quite a few more colorful quotes from leaked emails Bhatia allegedly sent to AshMad CEO Noel Biderman.

Update, 11:49 a.m. ET: Added reference to Wired piece as the last sentence of this story.


109 thoughts on “Ex-Ashley Madison CTO Threatens Libel Suit”

  1. B_Brodie

    It’s not libelous to report facts.

    The content of Bhatia’s email originated with Bhatia, unless it’s a forgery.

    I’d say, stay out of Canada and you should be ok.

    1. BhatioBhataoTomatoTamato

      In the attached PDF, it does not appear that the attorney ever claims the email thread was a forgery. On the contrary, I get the impression from the attorney’s letter that the emails are in fact real and they point out that some of the email was omitted.

      If the emails were forged, that would be the first thing they claimed.

    2. jdmurray

      I’d say Bhatia had better stay out of the USA. A Canadian national hacking a US-based business is an international cybercrime. If those discovered facts can be substantiated to the point of legal soundness then Bhatia could face criminal prosecution from DHS. Bhatia’s threat against Brian could become another grand example of the “Streisand Effect.”

    3. Kyle

      Correct. What most lawsuit-happy rats such as this one forget is: to succeed with a libel case, one must first prove willful manipulation of facts.

      Not only was this true, making a libel lawsuit baseless in both obvious common sense as well as the court environment, but even if it weren’t true, it wouldn’t automatically suggest malicious intent with foreknowledge of falsehood.

      Aside from that, libel and defamation existing in our legal system or not, there’s freedom of speech, or supposedly anyway.

      The AM guys did this to themselves, they’re trying to put the genie back in the bottle, but instead it just shows how lowly they really are.

  2. Charles

    We have a question of fact here, don’t we? Naymark says “Mr. Bhatia ceased to work at Avid Life in 2009.” You say “On Nov. 30, 2012, Raja Bhatia, the founding chief technology officer of AshleyMadison.com, sent a message to Biderman notifying his boss …”

    Those two assertions are in conflict, right?

    1. BrianKrebs Post author

      He’s identified as a former AshleyMadison employee in the story. Also, one can be the founding CTO and still not work at the company anymore. In any case Bhatia by his own admission in my stories was working as a contractor for AshleyMadison when this story was written.

      1. Jon Marcus

        If he didn’t work at the company any more, he wasn’t sending a message to “his boss.” But (in my non-expert opinion) working as a contractor probably covers you.

      2. Charles

        Brian, I was not implying that you were somehow at fault here. I’m just an engineer and I picked up on what seemed to be a simple factual discrepancy. I don’t have an axe to grind. Yeah, one can quibble about the exact meanings “former” and “boss” — as can one for that matter quibble about the exact meaning of “hack.”

  3. Rodney Thayer

    “I got their entire user base” and “I can change a non-paying customer into a paying customer” sounds like an admission of theft.

    A civilized person would have stopped at “I found they built a lousy platform”.

    1. Alun Jones

      I can kind of sympathise with this ex-CTO, as I too find vulns on an occasional basis as I explore the web, as part of my job and outside the confines of the companies for which I work. Often accidentally.

      Where I can’t sympathise is with his approach once he found the vulnerability. First, don’t enumerate the whole customer database. Don’t explore “how deep the rabbit hole goes”. Initial discovery of the vulnerability is all you need to do in order to report it and have the site fix it. And yes, even if you find bugs in your competitors’ sites, you directly report them after minimal discovery. Otherwise, you open up questions as to your motives, and those of the company you work for.

      Just last week, I reported an access control vulnerability to a security software / services vendor, demonstrated that I was able to fetch a single customer record that was not in the customer database I was supposed to have access to, and offered to assist in further reproducing the problem.

      This week, that same vendor thanked me, and offered some significant recompense. This happens fairly often with well-reported findings.

      So, yeah, if the ex-CTO had been acting blamelessly, he would have reported the vulnerability to the competitor (or shut up about it, and forgotten he ever had access to the data). Asking his boss what to do shows immaturity at best, a desire to engage in inappropriate (and possibly illegal) practices at worst.

  4. Jon Marcus

    Letter claims that Bhatia was not employed by AvidLife or Ashley-Madison when the letter was sent. Is that accurate?

    Otherwise…did not “bulk exfiltrate”? Yeah, because it’s not hacking if you only exfiltrate a few records, right?

    And of course he had to have exfiltrated *some* data to know what he’d found and that the hole was legit. Said exfiltration absolutely *is* hacking. A lawyer could try to claim it’s not black-hat, but Krebs’ description of it as hacking is 100% accurate.

  5. petepall

    I’m pretty sure that Krebs, seasoned journalist that he is, is very careful about what he puts in print, and how he characterizes it. To me, this is simply a legal ploy to try and scare our Krebs off. Good luck with that! Eh, you hosers, eh?

  6. David

    One assumes that Bhatia has never heard of the “Streisand Effect”

  7. Charlie Brown

    I don’t think Brian should retract the story. This probably helps Brian because now he can have more fuel and adrenaline to continue the fight for the truth. It is just the character of anyone associated with Ashley Madison to follow its culture of lying and continuing to lie to sustain those original lies, just like the flow of the site itself.

    1. Kyle

      So true. I still get stumped, news story after news story across several outlets, why the lawyers of the public figures don’t advise against the Streisand effect.

      It’s because they’re complacent yesmen getting a p@ych3ck.

  8. JPraed

    Interesting development, Brian. Please keep your reader/community informed about new developments, as I doubt it will appreciate ham-handed attempts to silence you.

    On the merits, I’d love to know what Nerve.com has to say about all this, and what it is planning to do. Github also might have data and meta data that could clarify what happened. Nerve might want to issue a record preservation letter to Github. It would also be interesting to know if Bhatia’s counsel has already asked Github to preserve records — NOT asking would speak volumes about Bhatia’s motivation.

  9. Ken

    I’ve helped bloggers threatened by this company before, with success. I help threatened bloggers in general. Feel free to reach out.

    Ken White
    Popehat.com

    1. Christenson

      Dear Ken:
      I’m pretty sure Mr Krebs and his site won’t have any problem with this missive. However, others less savvy may have the same problem, so thank you for the note.

  10. Phil

    God I can’t stand lawyers. They are right there with bartenders, jizz moppers and child molesters on the social scale. They’re worse than 9/11. I hope you can somehow counter this and stick it up the lawyers briefs until paper flies out of his mouth. Godspeed Young Krebs.

    1. curiositious

      Please do explain why bartenders are there at that social scale. I am very curious to read your reply.

  11. Nobby

    Brian, looks to me like you don’t have to prove anything he did, just what was emailed. And that should be simple, no?

    Good luck, and stick to your principles!

  12. Albert

    I sent this article along to Ken over at my other favorite blog Popehat. Hopefully he gets in touch, this is right up his alley.

  13. foosion

    Exploiting “a readily apparent security gap” or a “readily apparent inadequacy in the site’s security” sure sounds like hacking to me.

    The letter claims he was not working for AM. Acting as a contractor would appear to count as working for them. In either event, you clearly identify him as “a former company executive” the first time you mention him. Hard to see how a reader could be misled about his status with the company.

    One problem with suing is the so-called Streisand Effect – the law suit just brings more attention to the issue.

    1. Nomodern

      I also find it interesting that if a teenage computer nerd comes across the common security vulnerability, he’s branded a terrorist hacker. Whereas when a wealthy senior VP comes across a common security vulnerability he’s just coming across a common security vulnerability.

  14. Nay

    According to their website Naymark Law opened shop on Sept. 1, 2015.

  15. Doc

    Geeze, who needs those vapid TV dramas when all we have to do is read Krebs posts for more real life cyber drama than a body can stand. I love it!!!

  16. Gamma

    Krebs, keep up the good work and don’t allow them to let you down. You are one of the best journalists in the infosec industry.

  17. RichWhichFitch

    You should consider publishing the entirety of Raja Bhatia’s pertinent emails which were part of the Biderman email dump, possibly shedding light on the background of both issues.

    1. BrianKrebs Post author

      You’re right. I’ll at least update the piece with a link to a Wired story that has more colorful quotes between Bhatia and AshMad CEO Noel Biderman.

  18. NoTalentHack

    From the Naymark letter: “Mr. Bhatia did not hack Nerve.com. He merely noticed a readily apparent inadequacy in the site’s security”.

    Sheesh. Just how apparent would a security flaw have to be in order for someone like Bhatia to notice it without actually exploiting (i.e. hacking) it? Perhaps it was a “Click here to get our entire user base” button or a “turn a non-paying user into a paying user” checkbox on the Nerve.com home page.

    I hate it when those programmers leave their debugging code in the production version…

    1. Batty

      Raja to Noel: “They did a very lousy job building their platform. I got their entire user base. Also, I can turn any non paying user into a paying user, vice versa, compose messages between users, check unread stats, etc.”

      That’s a felony under the Computer Fraud and Abuse Act. Both Bhatia and Biderman are subject to extradition if the Feds wish to prosecute.

  19. Josh

    The letter from Bhatia’s attorney doesn’t directly threaten a suit. While it’s certainly possible they may choose to do so, I’m assuming that you have no assets in Canada, so pursuing a suit would be an expensive process for them with no likelihood for financial remuneration.

    I’m not an attorney (nor do I play one on TV), but this sounds like legal bluster, hoping you’ll cave and change the article.

  20. Mahhn

    I’ve been expecting to read that Baty and Birdman were arrested for hacking. Maybe next week.
    (yes I misspelled the names out of disrespect)

  21. Andrew Garrett

    Who is this guy kidding? He noticed a security ‘gap’. Why was he looking, and it isn’t like a security gap is a big red banner on the front page of their site. Did Nerve authorize the pen test? Did they agree to a scan? How would you know there is a user database behind the security flaw without exploiting it?

    This letter implicates his client.

  22. Josh W.

    An exec associated with a company that makes money by tricking married men into thinking there is an army of women who want to help them cheat on their wives…is very concerned about the fine nuances of truth.
