Please turn away from this blog post if even discussing the existence of porn is a problem for you. You’ve been warned.
Last night I saw the giggling about the recent publication of YouPorn account and password data, and I started wondering what most of the fuss was about. Most of the sites are either copy-pasting the same statements or showing, well, some very strange ideas about porn altogether, I think.
Let’s be clear, I’m not going to advocate one way or another about it, but I don’t think that I’m scandalised that porn exists and that people look for it. Heck, I can’t remember the last time I saw a TV series with characters in their late teens or twenties that never ever discussed porn at all (okay, I’m wrong, there’s 7th Heaven, but I never liked that anyway). I’m neither saying this is how everybody is nor whether this is right or wrong, but it should probably be taken for granted now.
Considering this, the two notes about this publication of YouPorn accounts being detrimental to marital and work relationships seem to be … bogus, to me. Let’s start with the second of the two: work relationships. People expect that employers will just fire people because they registered on the YouPorn site. Why should they? If they had used a corporate email address, then it might be that the leak, more than the registration itself, is detrimental to the company’s public profile, but that seems to be a corner case. If the problem is that they are supposed to have been surfing for porn while they were supposed to be working… this leak is providing no new info, for any decently-run company.
Even when using HTTPS, corporate proxies know which hostname you’ve been looking for (after all, when you’re using proxies you’re not even allowing DNS to pass through, so no aliases can be resolved and no IP addresses are involved). So if corporate policy is “no porn at work”, the solution is not to hope for a leak of account information (let alone the fact that the site is very well usable without registering), but to set up a proxy system that either blocks navigation to those sites or warns the administrator about users attempting to connect to them.
Furthermore, I would be surprised if many employers are so uptight that just having a registration on a porn site would make them fire their employee (of course it can always be used as a good excuse to fire a bad employee, or one you hate, but that’s beside the point here; I’m talking about this as the only grounds). The reason it sounds strange to me is that my own customers talk to me about YouPorn. That’s how I know it in the first place, from a customer of mine. And I don’t mean the man or boy who brings his computer here to be fixed after a herd of viruses made it unbootable, I mean corporate customers.
As for the marital relationships, I admit I don’t have much experience (actually, I have no experience at all, given that I’m a twenty-six-year-old single virgin who never ever kissed a girl — let’s not go there now), but I’d be very surprised if any spouse would be concerned about one’s registration on a porn site… if the leak included the viewed videos, now that would be a different story altogether (and let’s remember that since the website is not HTTPS-protected, employers do know which videos are viewed; I know that because I manage a couple of the named corporate proxies and I’m asked to check for that kind of stuff from time to time).
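The visibility difference described above (a proxy sees only the hostname for an HTTPS request, but the whole URL for a site served over plain HTTP) can be checked directly against proxy logs. The following is an added example, not part of the original post: it assumes Squid's native access.log layout, and the policy list, users, addresses and `.example` domains are constructed placeholders.

```python
"""Added example: what a forward-proxy log reveals for HTTPS vs plain HTTP."""
from urllib.parse import urlsplit

# Hypothetical policy list; domains are placeholders under the reserved .example TLD.
BLOCKED_SUFFIXES = ("adult-site.example",)

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client action/code bytes method url user hierarchy/peer type
SAMPLE_LOG = """\
1330000000.101 250 10.0.0.15 TCP_TUNNEL/200 5120 CONNECT www.adult-site.example:443 alice HIER_DIRECT/203.0.113.10 -
1330000007.442 90 10.0.0.22 TCP_MISS/200 48211 GET http://www.adult-site.example/watch/12345 bob HIER_DIRECT/203.0.113.10 text/html
1330000011.870 40 10.0.0.15 TCP_MISS/200 1020 GET http://intranet.corp.example/wiki alice HIER_DIRECT/198.51.100.7 text/html
"""

def host_matches(host, suffixes=BLOCKED_SUFFIXES):
    """True if host is a listed domain or a subdomain of one (label-aligned match)."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)

def parse_line(line):
    """Extract client, user, method, host and (if visible) path from one log line."""
    f = line.split()
    if len(f) < 10:
        return None  # malformed or truncated line
    method, url, user = f[5], f[6], f[7]
    if method == "CONNECT":
        # HTTPS through a proxy: the client only asks for host:port, no path is seen.
        host, path = url.rsplit(":", 1)[0], None
    else:
        # Plain HTTP: the proxy receives and logs the complete URL.
        parts = urlsplit(url)
        host, path = parts.hostname or "", parts.path or "/"
    return {"client": f[2], "user": user, "method": method, "host": host, "path": path}

def policy_hits(log_text):
    """Return policy matches, annotated with how much of the request the proxy saw."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and host_matches(rec["host"]):
            rec["visibility"] = "hostname only" if rec["path"] is None else "full URL"
            hits.append(rec)
    return hits

if __name__ == "__main__":
    for h in policy_hits(SAMPLE_LOG):
        print(h["user"], h["client"], h["host"], h["path"], h["visibility"])
```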
After all this, though, there is another question I have in mind: are we sure the leak is legitimate? It seems like YouPorn themselves made a statement (safe for work, mostly) declaring that the breach involves a third-party service called YP Chat. The password list (which I have checked against my own customers to warn them if I found their passwords) looks suspiciously neat, with similarly-named users over and over, and so many identical passwords between different users that it looks more like a textbook example than an actual password list (as pointed out in the comments on the Naked Security post). Also, I somehow doubt that the YouPorn registered users are just in the thousands, even though the website is perfectly usable without an account, as spammers just love registering on websites.
With this in mind, my question would be: is it enough to post a pastebin full of usernames and passwords for a scandalous website to get someone you don’t like fired from their workplace? That would be tremendously stupid; at the same time, do websites such as Naked Security actually check what they post? I haven’t read any “we confirmed that the username/password is valid” in the articles I found relating to this, and that would have been a very shallow test as well. I’m honestly surprised by how much talk there is about something that might not actually exist in the first place.