**Please feel free to repost**
The FSC recently announced their program Adult Health & Safety Services, aka APHSS, which is meant to be a replacement for the now-defunct AIM.
Great :-) Monthly testing is the adult industry’s self-imposed regulation that enables the risk of STIs and HIV to be dramatically reduced.
Ela Darling recently gave the following quote defending the industry’s protocol, as a rebuttal to Cal/OSHA’s attempts to force the use of condoms on set:
“As an adult performer in the porn industry, the proposed changes to Cal/OSHA frighten and infuriate me…. As an individual and as a performer, I would rather have unprotected sex with someone whom I know for sure has been tested for HIV, Gonorrhea and Chlamydia in the past thirty days, than have barrier-protected sex with someone whose STD status is either unknown or positive.” via AVN.com
The majority of the industry favors the option of choice in the use of condoms in conjunction with regular testing. So APHSS is awesome, right?
Not the way it currently is set up.
The FSC claims that there is no linkage of performer names and legal names in the APHSS database, and that no “health data” is stored there, only the performer’s legal name and work availability.
OK. Except…
PornWikiLeaks hasn’t even been down for a month yet, but somehow memories seem to be fading of exactly what information was used against us to perpetuate that organized harassment and terror. For the majority of us, it wasn’t “health data” that fueled the fire of that hell, it was the mere linkage of our legal names with our performer names, which just happened to be obtained by a medical database breach.
Maggie Mayhem realized this just last week when she became aware of painfully lingering online harassment efforts of a member of PWL that occurred months ago.
PWL used the linkage of her performer name and her legal name to spam the Facebook profile page of her elementary school class, stating she (legal name) was a whore who went by Maggie Mayhem (performer name). The post had been made 5 months ago and was only discovered last week.
The following is from her Twitter stream the day the revelation took place.
(Read from bottom to top)



Although adult performers’ legal names were gleaned from a medical database breach, the majority of the damage we sustained was due to legal name linkage, not the actual health data from the breach.
For some, that harassment didn’t stop at a single hateful, template-based wiki paragraph on the PornWikiLeaks site; it delved further into their lives: taking Google Earth images of their homes, digging up and posting private phone numbers, targeting the children of some adult performers via the children’s Facebook pages, or even worse, posting images of adult performers’ children on PornWikiLeaks itself.
Clearly, the issue isn’t just about “health data”. It’s also about your privacy, and the need to maintain anonymity, even if it’s a struggle.
The Free Speech Coalition posted, via their Twitter account, a link to an article entitled “Do You Use Your Real Name Online?” It’s an interesting article for them to post; perhaps it’s to condition adult performers for future potential personal privacy violation issues that APHSS may have a part in.
The initial “pre-registration” phase of APHSS asked for a performer’s legal name, performer name, and Driver’s License number, among other things.
Hmm.. wasn’t that the exact same info that was leaked during the AIM data breach, and subsequently provided the building blocks of PornWikiLeaks?
The signup process at the time I actually wrote this only asked for your email and legal name, which is a far cry better than the pre-registration incarnation. However, it now asks for your email, legal name, and phone number.
But there’s still the potential for real name linkage to your performer name, should anyone ever gain access to the log files that hold the registration information.
Hmmm… I didn’t see a warning on the signup page encouraging performers to use an email address that has no reference to their performer name, did you?
No.
So APHSS must be safeguarding our personal information with air tight security, right?
It doesn’t appear that way to me.
On the FSC’s blog site, the following was stated as part of their announcement of APHSS, “Furthermore, we are very grateful to Dave Astels, who generously donated his time and database expertise“.
Ok, so who is Dave Astels?
Dave Astels until recently worked for EngineYard.com, has a Wikipedia.org page, and his own tech blog. His expertise is in database architecture, and he’s quite skilled at programming in Ruby from what I gather.
However, Dave Astels is not a security programmer or consultant, as is evident by his easily accessible blog file library.

Upon a recent statement and consequent query via Twitter to the FSC stating that I hope they had a security programmer involved in the design of APHSS, I was first ignored by the FSC itself, and then attacked by a boyfriend of an FSC member, in a clear attempt to shame me into not raising concerns. It was pointed out to me a bit later that it’s kind of odd that the FSC lets him speak on behalf of the FSC, and yet, he claims to have no direct affiliation with them. Even more odd is the intensity of his rantings.
I realized there were a few I missed in the initial screencaps, so I utilized Topsy.com.







So I took a superficial look at APHSS myself.
Please note that I am NOT a computer security expert, though I do know a few, and have gained an active interest ever since Porn Wikileaks.
When programming in Ruby, the output *isn’t* usually PHP..
A simple query showed that APHSS runs on a very outdated version of PHP, version 5.2.1.

By going to php.net, I found that the most current version of PHP is 5.3.6.
Here is a list of the vulnerabilities that have been updated since 5.2.1 was released.

Wow. “Over 100 bug fixes”. That’s a whole lot of ways for someone who’s dedicated to get at the potential real names of adult performers. And that was actually a pretty easy breadcrumb trail to track, since my only qualifications are supposedly “crushing men’s privates for $”.
So when the FSC Membership Director Joanne Cachapero makes the following statement, “Our number one priority is the privacy and well-being of performers, as well as continuing health and safety standards for the protection of adult productions” as part of the announcement of the official launch of APHSS, what do you think of that statement?
APHSS has done one thing right so far by creating an advisory board that includes well-known and articulate representatives from the adult performer community. “The performer representatives are Jessica Drake, Bobbi Starr, Danny Wylde and Steve Cruz.… Performer Nina Hartley will serve as Educational Advisor.”
Maybe they finally grasped the idea of “with us, not for us” as it pertains to creating policy that affects a specific group of people.
Hopefully, the advisory board can impress upon them the importance of keeping adult performers’ legal names from being linked to their performer names, and take the “extraordinary measures” Mr Whiteacre scoffed at publicly to ensure that happens.
Aug 31, 2011
This blog was reposted by several people, and it came to my attention, through the following comment that was posted on Mike South’s site, that I made a typo in the original version:
“A few minor technical points. When programming a web app using Ruby-on-Rails (RoR), the output is usually HTML which is the HyperText Markup Language sent to your browser for rendering into a web page. Ruby is the language used by the Ruby-on-Rails web framework. A programmer would write the web app in Ruby using RoR to handle the common tasks that almost all web apps need (accessing a database, writing HTML back to the user, parsing a web address, etc). RoR is well regarded and trusted by many app developers. The Phusion Passenger module simplifies deployment of the app on Apache (a popular web server).
As for the recency of the PHP versions, the PHP 5.2 and the PHP 5.3 languages are considered separate product lines since some older PHP code cannot run on 5.3. The latest version of PHP in the 5.2 line is the version that they are running (5.2.17) which was released on Jan 6, 2011 and only included one fix since the code is quite old and stable in the 5.2 line. From a security standpoint, old and stable is usually preferred to the new code (take salt grain now) because new code invariably contains undiscovered bugs (depends on many factors though – not always).
I’d be remiss if I didn’t point out that security is a process and not a product (a famous security quote). You don’t get security by just loading the newest code. Many hacks started by people scamming valid credentials from support staff (so-called social engineering). Big topic. Anyway, best-regards.”
Here’s my acknowledgement of the typo which I just fixed in the original post above:
‘Morning. Since this isn’t my blog, and I’ve been a bit busy with a sick friend, I only now checked in to see comments, after reading Mike’s latest posts.
@Abutnik I just reread what I’d written based on your comment. Clearly, I need to get better at proofreading.
“is” was meant to be “isn’t”, and actually on rereading, a better way to have said what I was trying to get across would have been “.. the output of the filenames usually isn’t php”.
As I’m still just learning to program using Ruby this year, I’m not going to debate with you on php versions, as you probably do know more about that than I do. However in discussions with various programmers, I have heard that using the most recent version of software that is no longer in Beta testing is preferred, as there is less online documentation about ways to exploit that version.
I agree that security is a process, not a product. But I subscribe to the notion that Security Through Obscurity is an obsolete model. So it seriously disturbs me that there isn’t a security advisor on the APHSS advisory board. Nor has there been mention of implementing periodic independent security audits.
But the biggest issue in my eyes is the flippant disregard that has been given to protecting performers’ legal names.
I understand that the issue of anonymity online is a hot topic right now. Rather than just giving up people’s privacy rights as a lost battle, I think it is important to stand up for what has been defined as a human right by the UN, in addition to defending the First Amendment of the US Constitution, which was also later declared a human right.’
Peter Ackworth, the owner of kink.com and a member of the FSC Board of Directors, managed the design and development of the APHSS database. He hired the programmer and made the structural decisions.
Clearly you believe that Peter did a horrible job. Why don’t you simply talk to Peter and tell him how to fix all of his mistakes? It would certainly be more effective than having a conversation with yourself.
Hi Matra Isis,
Since I’d emailed Peter as well as the FSC asking questions, and also making suggestions, but no one responded, I’m pretty sure that neither of them is open to outside ideas or influence.
However, since I just shot for Kink last week, it doesn’t appear that Peter is too concerned by my objections. Unlike some, he’s apparently able to compartmentalize issues and various aspects of his business.
BTW, you do know that the only thing I can find online when googling your email address is that you were an active poster on PornWikiLeaks, correct?
January:
I respect your concerns about APHSS and their database, but you really should cut Michael Whiteacre just a bit of slack. He was mostly responding to different concerns you raised about the APHSS database being exposed to sensitive medical data, not performers’ real names.
And, as it turns out, there are far easier ways that any enterprising stalkers can access the real names of performers…the easiest simply being going after 2257 records, which require exactly such information for age verification.
Regarding the actual database…I’m sure that if needed, they will update the software in order to provide the maximum protection…but the number of bug fixes needed in an upgrade is not necessarily a sign of a program’s weakness. It may be that APHSS might be using a less expensive database app that can’t be upgraded to the latest version, or that due to time pressures caused by having to have a replacement for the former AIM database up so quickly, they had to go with whatever was available.
Like you, I am hopeful that with people like Nina Hartley and Danny Wylde around, APHSS will be able to address your concerns about respecting performer anonymity and protecting privacy.
Anthony
(The “Anthony_JK” on the Twitter stream conversations you referenced)
Actually, I did address the fact that it wasn’t only health data that I was concerned about.
And after his rants about my status as a Pro Domme excluding me from having any insight into other topics, or even being a member of the adult performer group (Despite having starred in AVN award winning and other nominated titles for Gwen Media, and being an adult performer since 2006) I invited him to call me, as clearly something about my work is threatening to him, and perhaps we could clear the air. I missed his call by two minutes on a Fri. He said he’d call back over the weekend.
Instead, he hijacked Hollie Stevens’ interview about her experience with breast cancer and took it as an opportunity to slam me some more, and spew unrelated propaganda in the comments section. I won’t be cutting him any slack after that.
I wasn’t going to post this, I was going to take the stance that hopefully the FSC would stop touting the end of anonymity online, and actually address this very valid concern. But they are too wrapped up with .xxx nonsense, and spewing to me what my summer reading list should consist of.
So here we are.