The 14 largest mega-churches in the world range from the Lakewood Church in Houston, Texas, (45,000 members) to the Yoido Church in Seoul, Korea (253,000 members). It is comforting to note the pastors of only two of these churches, as far as I can see, were members of Adult FriendFinder, and both were searching for anonymous gay hookups.
Of the 535 members of Congress, only 16 congressmen and two senators were members of this adult website. Most were interested in BDSM. Only three were interested in gay hookups. Of the Fortune 500 corporations, fewer than 1,420 executives (directors, vice-presidents and above) were members. Another 230,000 or so rank-and-file employees of Fortune 500 companies were also members – following in the footsteps of their admired superiors no doubt.
Their interests ranged widely. Of the 2,400,000 odd employees of the US Federal Government, we find a measly 120,000 or so who were members. This warms my heart.
What is Adult FriendFinder?
It is an internet-based, adult-oriented social network, online dating service and swinger personals community website. It allows members to interact online, meet new friends, and seek out like-minded sex partners promoting threesomes, cybersex, BDSM and various other sexual fantasies.
When I tell you, however, that over 90% of all these members accessed the website – which describes itself as "a thriving sex community" – while at work, using government or corporate computers, you might raise an eyebrow or two.
This tragically fascinating information comes from a well-publicised hack of Adult FriendFinder, accomplished at the end of May by ROR(RG), a hacker living in the beautiful and magical city of Bangkok.
Adult FriendFinder was asked to comment on the contents of the database at the time of publication but it had not responded.
English people seemed positively puritan by comparison. Of the 650 members of Parliament, only three, all from the House of Commons, were included in the hacked data. Two were looking for ordinary straight hookups with a member of the opposite sex. One was looking for gay partners. There were fewer than 100 executives of British corporations who were members, although their interests tended toward more interesting hookups.
Over 20% of them, for example, were looking for partners who were adept at various aspects of BDSM. Only four members of the British judiciary were found – again, simply looking for straight hookups with a member of the opposite sex.
An axe to grind
I need to make something perfectly clear. The hacks that reach public awareness are extremely rare. For a hack to reach public awareness, someone has to make a serious mistake, or they are demanding money or some other asset or, in the case of ROR(RG), they have an axe to grind.
ROR(RG) insisted Adult FriendFinder owed a friend of his nearly $250,000. He wanted his friend to get paid, so he went public. I would estimate that for every computer hack that reaches the public's knowledge, there are 100 hacks that go unnoticed. This is something you need to carefully consider if you are in the world of information security.
Hacks of a personal nature seldom reach the surface web and, thereby, the attention of the press. What the Adult FriendFinder hack shows is that to an adept hacker, very little is immune to access.
Who is John McAfee?
John McAfee remains one of the most influential commentators on cyber security anywhere in the world.
He initially found success with Tribal Voice, which developed the first instant messaging program, and he subsequently founded McAfee Antivirus, one of the world's foremost companies in its field. His new venture - Future - focuses on Scurry and personal privacy related products.
McAfee also provides regular insight on global hacking scandals and internet surveillance, and has become a hugely controversial figure following his time in Belize, where he claims to have exposed corruption at the highest level before fleeing the country amid accusations of murder (the Belize government is currently not pursuing any accusations against him).
I am not a top-notch hacker but I did spend most of my life attempting to stop hackers from accessing or damaging data. It was my job. As part of my job, I had to know how hackers did their jobs and I became moderately good at it.
It may sound devious or somehow over the line but would you buy a lock from a lock manufacturer who professed to know nothing about how a lock is picked? I would not.
Anyway, with my limited talents I could easily have simply walked into the Adult FriendFinder database –or indeed that of almost any online dating or sex website – and collected the same thing that ROR(RG) collected and, using it for analysis, written my story.
But that would have been illegal. Instead, I went to ROR(RG)'s area where he had placed the data. As usual, being a day late and a dollar short, by the time I knocked on the door, he was selling incomplete segments of the database for non-exclusive use for $16,000.
That's more than I make for an article so paying him (he wanted bitcoins by the way) was out of the question. I briefly considered barging in, grabbing what I needed and taking off without leaving any trace, but, let's face it, he wanted money for it, so I would be committing theft.
Turning to the concept first proposed in the movie Minority Report, where people were detained by acts called "pre-crime", I contacted a friend of mine who had sucked up a copy before ROR(RG) had a chance to lock it down and begin asking for cash.
I can only assume this would be classified as pre-theft and, according to Federal and State statutes, pre-theft was not yet a crime. I simply asked my good friend – Andrew Aurnheimer – @rabite on Twitter (he demanded I include his name and handle). He gave me access and I began to analyse it.
The key to my analysis of the data was the inclusion of the IP address accompanying each login. There were, of course, handles, valid email addresses, age, city and state, sex, race and other key identifiers included in the database, but these can be bogus as we all know.
An IP address on the other hand can only be hidden by passing communication through one or more proxy servers. I have a realtime database of all underground proxy servers, as well as all legitimate corporate and government proxy servers, and I can generally work backwards and find the real IP address.
Few of the IP addresses in the AFF database were hidden despite this being allowed by the dating website. This was the strangest thing about the hack. You would think a US congressman, communicating with a young woman about the type of bondage equipment he wanted her to use prior to whipping him with a cane – while on his office computer – might think twice about the pitfalls of ignoring the tools of anonymity that my 13-year-old daughter uses with ease. But no.
It's time to get to the meat of this hack. I could care less about who sleeps with whom and what nameless acts may occur between them. To be frank, the older I get the funnier sex looks to me, and the less important sex seems as a judgment of character. However, my attitude is in the majority viewpoint.
ROR(RG) is asking for approximately $16,000 for partial, non-exclusive access to the data that he holds. However, rumour is rampant deep in the Dark Web that an unnamed country has offered him $25m for exclusive access to the non redacted database. Why, you might ask? Here is the answer.
High-ranking officials within every agency of the US government, not to mention six US state governors and 18 members of Congress, and countless aides to the same people, are all members of Adult FriendFinder.
Nearly all of these officials are married with children. Imagine what would happen if Russia, or China, got hold of this information. They would certainly not demand money to keep quiet. No –each of these people would be visited by a warm-hearted, well-dressed, kind and empathetic person whose conversation would go like this:
"We are so sorry that you got caught up in this nonsense, and we realise that it in no way taints your character or value as a productive citizen. Frankly, I myself have done far worse. We, in Russia, take a more practical view to such issues. They are not important.
"We have done what we can to keep your name out of this sad affair and can guarantee it will never come to light. That would help no one and we wish to hurt no one. So you have a friend in me and a friend in the country of Russia.
"I believe I could even help you gain power and prestige in your own country. I am privy to much that is happening behind the scenes in Russia and would be willing to advise you on affairs that impact both or our countries. You may call me at any time. In fact, the vote coming up in July is one such issue that I can give you good advice on. Please call me."
Can't happen you say? I say that nothing will prevent it from happening. If this hack was not the potentially most damaging hack we have experienced, then prove me wrong and I will eat my shoe.
John McAfee is among the most prolific commentators on cybersecurity anywhere in the world. His new venture - Future Tense Central - focuses on security personal privacy related products.