MySpace Private Pictures Leak

Martin writes "We all heard about the MySpace vulnerability that allowed everyone to access pictures that have been set to private at MySpace. That vulnerability got closed down pretty fast. Unfortunately though (for MySpace) someone did use an automated script to run over 44,000 profiles that downloaded all private pictures which resulted in a 17 Gigabyte zip file with more than 560,000 pictures. The zip file is now showing up on popular torrent sites across the net."

It's a diversion..

[GreggBz]

It's p2p diversion... It was the RIAA. Brittney Spears or Brittney next door? Curiosity and perversion are certainly more powerful than greed.

Solution:

[Normal Dan]

Ask 'Who cares?'
Then ask 'why?'
Then ask 'so?'
Then keep asking 'so?' until you realize it's not that big of a deal.
Problem solved.

Why you would want to do that?

[El Lobo]

You only do that if:

1- You are just a punk who give a shit about privacy and fuck everybody else

2- YoU R jUsT ShOwInG ThE wOrLd ThAt YoU ArE JuSt TeH ShIt aNd PoWn MySpAce. YoU R sO KoOl

3- Just to piss off MySpace, because it sucks and you think, you , of course suck less (or rule the universe)

Anyway, there are no legitime reasons for just doing that.

Maybe it's just me...

[Derek Loev]

I personally have better things to do than waste 17gb of space -- and a large amount of time -- looking through other people's pictures.

Trap!

[fictionpuss]

No way would I touch that torrent.. all it takes is one underage myspace kid to have posted one nipple.. cue child pornography charges/public outcry/p2p filtering mandated/end game. It's the wet-dream of the **AA crowd.

Re:Solution:

[CaptainPatent]

Ask 'Who cares?'

Um, Anybody concerned with internet privacy along with everybody who had a myspace account with pictures posted privately they did not intend the public to see.

Then ask 'why?'

Because this has huge implications for online security.

Then ask 'so?'

So, something like this that is potentially damaging should have had much better security measures against it.

Then keep asking 'so?' until you realize it's not that big of a deal.

I'm asking... it's still a big deal

Problem solved.

I think not.

Private?

[Eberlin]

I understand the general idea of privacy...but to expect any sort of privacy by putting your pictures online onto a server out of your control isn't exactly the smartest thing to do. I say if you've voluntarily uploaded it on one of the social networks, it can't be THAT private.

I know, I know, the myspace demographic doesn't know any better.

Re:You know what to do...

[wiggles]

And risk getting busted for KP? How many idiot high school kids post naughty pics of themselves on there?

Misplaced Trust

[Dragonshed]

Although I do think people should have a reasonable expectation of privacy when marking/tagging pictures as private though services like MySpace, I think it's a risk anytime you upload a picture or document or anything else to any computer that isn't physically your own property.

If anyone was actually exposed by this, it's their own fault.

Can someone run porn detection on this and reseed?

[Anonymous Coward]

Porn-Detection Software [yangsky.com]

Looking through all the junk is going to take too long.

Re:Solution:

[Bob9113]

something like this that is potentially damaging should have had much better security measures against it.

Ummm, if you store potentially damaging photos on a third-party web site that is not intended to be a secure repository, why would you expect high security?

Because this has huge implications for online security.

Really? I think it just shows that MySpace is not (nor is it intended to be) a high security repository.

It bears repeating:

[snarfies]

If you want to keep something "private," DO NOT PUT IT ON THE INTERNET.

Re:Misplaced Trust

[LWATCDR]

Imagine that. You upload pictures to someone server and have little to no control who downloads them.
Top it off with the fact that MySpace really seem to be pretty poorly written to start with and it is no big shock.
What I don't get is how they didn't notice this one IP address sucking down this much data.
I guess they don't look at logs.

Re:Solution:

[Anonymous Coward]

The site is also directed to teens and pre-teens.
Do you really think they have the common sense to know that?

One of the first rules on the internet?

[Animaether]

"Um, Anybody concerned with internet privacy along with everybody who had a myspace account with pictures posted privately they did not intend the public to see."

I thought one of the first rules on the internet was that anything you put out there can fall into the wrong hands / become public?

I certainly wouldn't trust MySpace with personal affairs - if not because of technical glitches / hackers, then because of a disgruntled employee who decides offering the entire database up is so much more rewarding than going postal.

Though the whole idea of using MySpace - a site where everybody openly shares information about themselves.. that's the whole point, after all - for *anything* private at all sounds ridiculous to me in its very premise.

Just my 2cts.. I do feel sorry for those who are/will be affected, especially in the days to come as the juicier bits are filtered out and plastered all over the web and into youtube videos for truly everybody to see, as even though my opinion is that there's no reasonable expectation for true privacy on those sites, that doesn't mean they asked for some stupid hacker and a scriptkiddie to go running amok with it.

Gee Thanks

[TI-8477]

By covering this story, Slashdot has exponentially accelerated the spread of these images, and the number of seeders.

Dueling compression algorithms

[Yurka]

ZIPped JPEGs? What's the point?

Re:Solution:

[sm62704]

Um, Anybody concerned with internet privacy along with everybody who had a myspace account with pictures posted privately they did not intend the public to see.

Rule #1 of the internet: If you don't want anyone to see something, don't fucking put it it on the internet! There is no such thing as "posted privately on the internet". If it's REALLY something you don't want seen don't even put it in a computer CONNECTED to the internet. In fact, don't even take the damned pictures!!!

Gees, if brains were dynamite some people wouldn't have enough to blow their noses. I wonder how many pics in that 17 gig file are goatse?

Re:Maybe it's just me...

[gnick]

Agreed. I'm not sure who this cache of pictures appeals to. If you're looking for porn, go download some porn. If you're looking for a bunch of stranger's vacation pictures, snapshots of their pets in cute poses, and cell-phone-cam pics of them making funny faces, then you're just weird.

Re:Trap!

[L4m3rthanyou]

Actually, I think this is more of a threat to myspace itself. After all, they were hosting all of these pictures... when people discover how much kidporn is stored on myspace (I'm sure there's a significant amount of it), THEN there will be a public outcry, and no one is going to care about the people who downloaded the leaked photos. The backlash will be against myspace itself, by the "think of the children!" nutjobs.

Figures... and they just put further measures in place to attempt to "protect" children from themselves. Oh well, I have a hard time feeling sorry for myspace since (a) it's myspace and (b) it's owned by News Corp.

Re:Solution:

[Aphex Junkie]

They should, assuming that all the "Internet Safety" classes those hysterical moms created are actually doing their job. I often hear: "Do not give out personal information online.". How much more personal can you get than a photo (a nude photo especially)?

Re:It bears repeating:

[RiyazShaikh]

Hmm... that's almost like saying "If you don't want people taking your money, do not put it in a bank".

Re:Misplaced Trust

[Belial6]

I know you are not the only one saying this, but really... At some point you are trusting third parties with your data. Just because you physically own the computer doesn't mean that your data is even close to being secure. We are specifically talking about pictures here. Even if you trust Microsoft, who has shown that they believe copyright is only to be used to their benefit, you also have to trust the phone manufacturers, as well as trust the employees of every driver producer you install drivers from.

While there are ways to reduce your exposure, there is no black and white answer to who you should trust and who you shouldn't. Only shades of gray.

Just look at the number of people that trust private information to Google or their ISP. It is no less reasonable for most people to trust MySpace than it is to trust Google with their data.

Re:4chan is gonna have a field day with this...

[spun]

I thought everyone on 4chan was an angsty teenager with a real reason to cry, being that no human woman will ever touch them.

Re:Solution:

[Anonymous Coward]

First off - Troll much?

Second - myspace has a large teenage and younger crowd who don't necessarily know all that is internet security. I agree that if you don't want a picture seen you shouldn't post it, but when Myspace says nobody but you and your friends or nobody but you can see these pictures, they should be able to back that up.

While Myspace did a timely job in fixing the exploit, they are just as much at fault as the users who put private pictures there in the first place.

Re:Trap!

[orclevegam]

Actually, I think this is more of a threat to myspace itself. After all, they were hosting all of these pictures... when people discover how much kidporn is stored on myspace (I'm sure there's a significant amount of it), THEN there will be a public outcry, and no one is going to care about the people who downloaded the leaked photos. The backlash will be against myspace itself, by the "think of the children!" nutjobs.

Figures... and they just put further measures in place to attempt to "protect" children from themselves. Oh well, I have a hard time feeling sorry for myspace since (a) it's myspace and (b) it's owned by News Corp.

This does bring up the interesting question though, of how one deals with kidporn that's being posted by the kids in the pictures. Obviously the nutjubs are going to go after whatever company is doing the hosting, but unless I'm missing something, if they're not aware of the content then all they have to do is make a good faith effort to delete anything they find, much like the case with copyright violations. Any legal experts on the laws concerned here no for sure what sort of issues this brings up?

Re:Dueling compression algorithms

[JesseMcDonald]

The originator may not have actually compressed the file, perhaps he did it just to have an archive?

In case you're new at this: a torrent file can contain more than one file, organized unto subdirectories. There's no need for any encapsulation.

What makes even less sense, though, is where a single large (compressed) file is split into a bunch of .RAR files and then all the .RAR files are repackaged into a single torrent. The resulting torrent is no smaller or resistant to corruption, and requires external tools that most people don't have to reassemble.)

Re:Trap!

[meringuoid]

This does bring up the interesting question though, of how one deals with kidporn that's being posted by the kids in the pictures.

You charge the perpetrator with child abuse and with making and distributing indecent images of a minor. And you try them as an adult just for the glorious irony.

Re:Private?

[Ajehals]

The myspace 'generation' *are* supposed to be the ones using and seeing 'value' in all the weird and wonderful crap out there geared toward them, they are the ones who are supposed to be massively connected with their mobile phones, email and social networking account. They are supposed to be benefiting from a massively connected world, identifying and receiving wonderful services and consuming all those wonderful products geared toward them. They are the generation that (apparently) cannot tell real life from role playing, are emotionally and mentally damaged from playing video games and browsing the web. In short they are the generation that everyone is referring to when they scream "think of the children".

We, (I refer to the /. crowd, although I may be being over simplistic) are the demographic that saw the internet evolve, have technical knowledge of how parts work and can separate out our real lives and what we want to keep private, from our on-line identities and what we wish to be public. Unfortunately we are also the generation who don't understand nor see the appeal or utility in of many of the new and wonderful social experiments going on on the web, we see the real dangers involved in using them in an inappropriate or irresponsible manner.

We know the danger is from information about us being harvested, being used by future employers, insurance companies, the government, other corporates etc.. They (the 'myspace' generation) are worried about paedophiles and stalkers, whilst simultaneously being drawn to having deep personal relationships and generally being interesting (by whose standards I don't know) and pushing their personal information to anyone who will give them a linden dollar, a discount voucher or a chance to win an iPod.

Or am I just getting old?

Re:Solution:

[Pendersempai]

Rule #1 of the internet: If you don't want anyone to see something, don't fucking put it it on the internet!

Really.

So you don't have an online interface for your credit card? You don't do online banking? You don't manage your IRA or 401K online? You don't write any emails that you wouldn't want published? You don't use SSH to access sensitive information? You don't send any instant messages that you wouldn't want published? You don't visit any websites that you wouldn't want the world to know about?

Oh, but that stuff's all different, you say. Sure, the information is all on a server, but the server will only send it to people who have the right password! Except, the MySpace photos weren't leaked by a mole; they were leaked because the server mistakenly sent it to anyone who asked for it.

This is a big deal, and your snide reply (essentially "don't use the internet") doesn't come close to offering a workable solution.

Re:Solution:

[Bob9113]

With underage kids able to post whatever photos they want without moderation, it needs to be [high security], though.

No, it does not. It is the job of the parents to provide moderation. It is not my job, my company's job (though I don't work for MySpace), nor my government's job to parent someone else's children. If we can have cars traveling down streets at high speed without child restraint systems to keep children from walking into traffic, we can damned well expect parents to keep their kids safe online.

Re:Trap!

[afidel]

Yeah anyone who reads fark on a regular basis knows that kids who make home movies often get charged as adults for laws meant to protect the childish innocence. It really is very ironic and very SNAFU.

Re:Dueling compression algorithms

[blueg3]

I'm not sure how torrent handles this, but having a large number of small files can cause internal fragmentation (wasted space) and substantial additional overhead. It's fairly standard practice, from a convenience standpoint, to package large numbers of files into a single .zip -- especially if you plan on supporting having the data shared via a system that doesn't graciously handle multiple files organized into subdirectories.

The multi-part .rar business is historical -- either it's data designed for distribution by a different medium that's mirrored onto bittorrent, or it's someone who's emulating the other distribution format for some reason. (Data posted to newsgroups used multipart archives, for example.)

Re:Solution:

[mstahl]

That's not really what I'm saying. You're already given the fact that kids are posting god knows what online, whether parents moderate it or not (and I agree with you: they should). Given that, whatever it is they've got up there be it really sleazy or not needs to be kept away from pedophiles and other shady characters anyway. The point I was making is that there are far too many users, far too many photos, for all of them to be looked over before they're made public. There's a reason profiles of children under the age of 16 are made private, anyway, and it's mostly to absolve Myspace of liability. I'm saying that they have failed even at this.

Look where you're posting. I don't think there's anyone here who's arguing that it's the government's job to raise people's children. The government's job is to protect the common good, which includes keeping children safe from predators.

Re:Misplaced Trust

[griffjon]

And from TFA: "...an automated script to run nearly 44,000 MySpace user profiles through one of the ad-supported sites, MySpacePrivateProfile.com -- a process he says took about 94 hours"

uh... seriously? Did no one notice a huge spike of requests for only images from one IP, over the course of almost four days?

Though I guess this seems to be just the most egregious violation of this hole (any double entendre based on the potential content of said pictures is unintentional); as "The MySpace hole surfaced last fall, [...] A YouTube video showed how to use the bug to retrieve private profile photos. The bug also spawned a number of ad-supported sites that made it easy to retrieve photos. One such site reported more than 77,000 queries before MySpace closed the hole last Friday following Wired News' report." (emphasis mine)

So, as long as your privacy hole doesn't get on Wired's front page, you don't need to close it, I guess?

Re:Solution:

[Anonymous Coward]

Rule #1 of the internet: If you don't want anyone to see something, don't fucking put it it on the internet! There is no such thing as "posted privately on the internet". If it's REALLY something you don't want seen don't even put it in a computer CONNECTED to the internet. In fact, don't even take the damned pictures!!!

Rubbish. It's not about "anyone", it's about limited access. Possibly only access for the owner from various locations, or from one location that cannot be used as trustworthy storage, but also possibly and likely only for a designated group, like family.

Which if obvious but you've skipped sense to make a stupid rant. That's par for an open forum, but the question is what moron made this Score:5 Insightful?

Re:anything interesting?

[mac1235]

No.

Re:You know what to do...

[Cecil]

I would recommend the National Center for Missing & Exploited Children online tip form.

Yes, because teens on myspace who take nude pictures of themselves are clearly being exploited by... themselves.

The insane kneejerk hysteria surrounding the ever-growing umbrella of things that unfortunately technically qualify as "child pornography" is truly something to behold.

Re:Solution:

[bcguitar33]

We need to take this further. What about children talking on the telephone? They could be talking to pedophiles, potentially making plans to meet up. The government has got to monitor all telephone calls made by people under 18. Then again, these children could be out in public meeting pedophiles, or worse, being abused. It's the government's responsibility to monitor these minors at all times, to make sure they're not being abused. It would certainly take a lot of man-power to keep know where all these children are at all times. We'd have to resort to some sort of model of distributed responsibility. How about, we have 1-2 adults focusing on every child, and become responsible for what the kid is up to? For the sake of convenience we could just have the people who birthed each child be the ones responsible for them, and if they're not available, we could assign other ones. Any takers? This could solve all our problems!

Re:Trap!

[ShieldW0lf]

Ironic. It's little known that parents are explicitly allowed to have nude photos of their kids as long as they are obviously not being abused and the pictures are not distributed. It keeps all the parents with the pictures of babies in the bathtub from going to jail. Kinda stupid that your parent can have a picture of you naked but this girl gets charged with child porn charges for having pictures of HERSELF.

Just to play devils advocate: If we consider publishing nude photos of yourself to be pornography, why would we consider it not pornography when a young person does it?

You might make the argument that child pornography should be treated differently when the perpetrator is also the child in question, but trying to say it's not pornography is nonsense.

Re:Gee Thanks

[Anonymous Coward]

Thank you captain obvious. Do you have a point to make?

Doug Stanhope

[milsoRgen]

Doug Stanhope - MySpace Pedophiles http://youtube.com/watch?v=8APlx9btTn8 [youtube.com]

Re:I've looked. Yaaaaawn. Look again

[Chapter80]

I found exactly zero images that I think anyone would give a crap about.

One could say the same thing about the photos taken by Google's street view. But some people somewhere found time to find that one picture of the girl with the thong getting into her car.

Just watch. Queue the countdown.

Re:Trap!

[dgatwood]

Of course, this whole is pretty silly since any possession conviction must, by definition, be willful possession with presumption of illegality. A UPS driver can't be charged with possession of kiddie porn for delivering a package that happens to contain it unless the driver has reason to suspect that something in the package is illegal. Is there reason to have a presumption of the existence of kiddie porn in this torrent? I would say that there is not, since MySpace has people who go through the private photos and look for that stuff and report it, IIRC. No guarantees, of course. Therefore, I would find it highly unlikely that somebody downloading this torrent would get prosecuted for kiddie porn possession. Invasion of privacy, perhaps, trafficking in stolen proerty, perhaps, copyright violation (all photos are copyrighted by their creator), perhaps, but not kiddie porn possession....

That said, IANAL, so do not take this as legal advice.

Re:Trap!

[cyphercell]

so all pictures of nude people are pornographic? I think there's a word for that world view, oh yeah, prude.

Re:Once again - two faces.

[Cid Highwind]

The two faced attitude of Slashdot rears it's ugly head again.

It's almost like there's more than one of us here, isn't it...

Re:Trap!

[Mr2001]

Just to play devils advocate: If we consider publishing nude photos of yourself to be pornography, why would we consider it not pornography when a young person does it?

The issue isn't whether or not it's pornography, but whether it merits all the outrage that usually accompanies "child pornography".

"Child pornography" is generally considered bad because in order to make it, you have to have a minor in front of your camera who's posing erotically or having sex. Since the law presumes that minors are incapable of knowing whether or not they want to pose erotically or have sex, this means that producing these photos or videos involves an act that's equivalent to rape: putting a minor in that situation without her (legally recognized) consent.

In the case of a minor posting her own pictures, however, there's no third party who could be accused of putting the minor in that situation against her will. It isn't even conceivably similar to rape, because the "victim" is making all the decisions on her own - if that's analogous to rape, then so is underage masturbation, and every teenager in the world is a sex offender.

Re:Solution:

[torkus]

"The government's job is to protect the common good, which includes keeping children safe from predators"

Who defines common good? Who defines what level of 'protection' is appropriate or necessary? Sorry, but i disagree with you. It is the job of the *PARENTS* to keep children safe. No one else unless they agree to take the responsibility. i.e. you hire a babysitter, school, or other activities intended specifically for children. Even then, the ultimate responsibility still falls back on the parents. Check out the daycare. Babysitter isn't a pothead?

It's not myspace's fault if their site is mis-used by children. They make a reasonable effort to protect children on their site. There is NO guarantee of ANYTHING (read the 20 page TOS/disclaimer). Just like gun makers aren't responsible for gang shootings, myspace isn't responsible if someone uploads KP.

Re:I've looked. Yaaaaawn.

[inviolet]

So far out of 4500 images, I found exactly zero images that I think anyone would give a crap about. I'm not even sure why the vast majority of them are even bothered marking private; nobody would care about them at all.

It is done for the same reason women, including me, enjoy fretting about rape: they're flattering themselves.

One thing the internet's sheer size teaches you: you are just another nobody, who'd have to dig deep to find some trait that is simultaneously unique and valuable. On the one hand this is a Good Thing, because it blasts from Earth forever the notion that one might be a freak in some way. On the other hand, now we have to struggle to differentiate ourselves, even in our own minds.

Re:Solution:

[Anonymous Coward]

Which is why I LOVE how screwed up people are. it makes getting to the top in interviews easy. Lots of managers are googleing people and when they see you posing on myspace with a plunger up your bum and a ball gag in your mouth, I am guessing your PHD in Computer science is going to be worth less than the ITT graduate degree the next guy has that has a clean online profile.

I'm sure as soon as one person shows up to the interview with pictures of the hiring manager with a plunger up his ass and a ballgag in his mouth, there'll be a law banning the use of myspace in hiring and firing decisions. Ah, I love the smell of corporatism in the morning!

Re:It bears repeating:

[WNight]

Okay, if you want to keep something a secret, don't share it with anyone.

Putting it on the net just implies that you're trying to show some people, but not others. That's a mistake (see above). Even if you assume perfect cryptography and perfect server security, your friend could send it to someone else.

Not getting old, just stupid

[SmallFurryCreature]

There is no /. crowd. Get this stupid idea out of your head, you got Bill Gates lovers and Steve Jobs fanboys. You got MSCE's and real engineers. You got Window monkeys, linux users and BSD weido's.

There is everything here from rocket scientists to people who clean toilets for a living. Age varies from almost dead to just old enough to sit upright.

We even have rumors of women visiting this place.

So how can you have a /. crowd?

Answer you don't. Sure there are some trends, there are probably a few more MS haters here and a few more Jobs lovers then in society as a whole, but read any article on Apple/MS and you will find people who go against the flow.

The reason I point this out is that it is VERY dangerous to think that all people from a certain part of society are the same.

And it is very relevant in this discussion. SOME kids using myspace are stupid enough to send private information on a public network, therefore YOU seem to conclude ALL kids using myspace are stupid enough to send private information on a public network.

This leads to nanny state rules, where because 1% of the populatin is unfit to live 99% has their freedoms restricted.

Myspace is a tool some people will get it wrong, though shit. This has nothing to do with generations or whatever, there have ALWAYS been stupid people who do stupid things, society survives.

Re:Trap!

[TheLink]

Isn't being put on a sex offender list thing a "cruel and unusual punishment"? In a way it's like "precrime".

The assumption appears to be that sex offenders WILL offend again no matter what.

In which case why don't you just lock them up permanently or execute them?

Are rapists so much more likely to rape again once you let them out of jail, compared to say a violent person being likely to bash someone else up again?

Re:You know what to do...

[chrish]

For fun, hit up flickr and search for the keyword "private" or similar. It seems that some people think adding a "private" keyword will somehow restrict access to their naughty pictures.