MySpace Private Pictures Leak 405
Martin writes "We all heard about the MySpace vulnerability that allowed everyone to access pictures that have been set to private at MySpace. That vulnerability got closed down pretty fast. Unfortunately though (for MySpace) someone did use an automated script to run over 44,000 profiles that downloaded all private pictures which resulted in a 17 Gigabyte zip file with more than 560,000 pictures. The zip file is now showing up on popular torrent sites across the net."
You know what to do... (Score:5, Informative)
fetch! [thepiratebay.org]
Trap! (Score:5, Insightful)
Re:Trap! (Score:5, Insightful)
Figures... and they just put further measures in place to attempt to "protect" children from themselves. Oh well, I have a hard time feeling sorry for myspace since (a) it's myspace and (b) it's owned by News Corp.
Re:Trap! (Score:5, Insightful)
You charge the perpetrator with child abuse and with making and distributing indecent images of a minor. And you try them as an adult just for the glorious irony.
Re:Trap! (Score:4, Informative)
Re:Trap! (Score:5, Informative)
Re:Trap! (Score:5, Insightful)
Re:Trap! (Score:4, Insightful)
Of course, this whole thing is pretty silly since any possession conviction must, by definition, be willful possession with presumption of illegality. A UPS driver can't be charged with possession of kiddie porn for delivering a package that happens to contain it unless the driver has reason to suspect that something in the package is illegal. Is there reason to have a presumption of the existence of kiddie porn in this torrent? I would say that there is not, since MySpace has people who go through the private photos and look for that stuff and report it, IIRC. No guarantees, of course. Therefore, I would find it highly unlikely that somebody downloading this torrent would get prosecuted for kiddie porn possession. Invasion of privacy, perhaps, trafficking in stolen property, perhaps, copyright violation (all photos are copyrighted by their creator), perhaps, but not kiddie porn possession....
That said, IANAL, so do not take this as legal advice.
Re:Trap! (Score:4, Informative)
Forgive me, but I didn't want to google child porn at work.
Re: (Score:3, Informative)
Re: (Score:3, Insightful)
The assumption appears to be that sex offenders WILL offend again no matter what.
In which case why don't you just lock them up permanently or execute them?
Are rapists so much more likely to rape again once you let them out of jail, compared to say a violent person being likely to bash someone else up again?
Re: (Score:3, Interesting)
Re:Trap! (Score:5, Interesting)
Re:Trap! (Score:5, Insightful)
Just to play devil's advocate: If we consider publishing nude photos of yourself to be pornography, why would we consider it not pornography when a young person does it?
You might make the argument that child pornography should be treated differently when the perpetrator is also the child in question, but trying to say it's not pornography is nonsense.
Re:Trap! (Score:5, Insightful)
Re:Trap! (Score:5, Insightful)
"Child pornography" is generally considered bad because in order to make it, you have to have a minor in front of your camera who's posing erotically or having sex. Since the law presumes that minors are incapable of knowing whether or not they want to pose erotically or have sex, this means that producing these photos or videos involves an act that's equivalent to rape: putting a minor in that situation without her (legally recognized) consent.
In the case of a minor posting her own pictures, however, there's no third party who could be accused of putting the minor in that situation against her will. It isn't even conceivably similar to rape, because the "victim" is making all the decisions on her own - if that's analogous to rape, then so is underage masturbation, and every teenager in the world is a sex offender.
Re:Trap! (Score:4, Funny)
Re: (Score:3, Interesting)
Re: (Score:3, Informative)
Re:Trap! (Score:5, Funny)
*fap*
*fap*
*fap*
*fap*
Re: (Score:3, Insightful)
Re:You know what to do... (Score:5, Insightful)
Yes, because teens on myspace who take nude pictures of themselves are clearly being exploited by... themselves.
The insane kneejerk hysteria surrounding the ever-growing umbrella of things that unfortunately technically qualify as "child pornography" is truly something to behold.
Re:You know what to do... (Score:5, Funny)
Re: (Score:3, Informative)
Most other dogs attempt to fetch no matter what you throw: sticks that are obviously too heavy to fetch, snowballs, small objects which you only pretend to throw but actually hide inside your sleeve...
Lotsa phun...
Script to upload them to HotOrNot (Score:5, Funny)
Re: (Score:2, Funny)
Gee Thanks (Score:4, Insightful)
Re:You know what to do... (Score:5, Funny)
Who cares? Wake me up when somebody offers up the "director's cut" of this torrent, ie only the really goofy and naked pics.
Re:You know what to do... (Score:5, Funny)
On the plus side (Score:5, Funny)
Yeah. Good grief, just what I need - 17Gb of pictures of other people's cats.
But on the plus side, you could head over to Fark and be a LOLCAT GOD.
My god, it's full of... (Score:3, Funny)
Re:On the plus side (Score:5, Funny)
What was the plus side again?
Re:On the plus side (Score:5, Funny)
Re: (Score:3, Funny)
Re:You know what to do... (Score:5, Funny)
But, you admit you've already got 17Gb of pictures of your own cat?
Cheers
Re:You know what to do... (Score:4, Funny)
Cheers
Re: (Score:3, Funny)
Re:You know what to do... (Score:5, Funny)
Re:You know what to do... (Score:4, Funny)
Re: (Score:3, Funny)
Re:You know what to do... (Score:5, Informative)
It's a diversion.. (Score:5, Insightful)
Re:It's a diversion.. (Score:5, Funny)
Solution: (Score:5, Insightful)
Then ask 'why?'
Then ask 'so?'
Then keep asking 'so?' until you realize it's not that big of a deal.
Problem solved.
Re:Solution: (Score:5, Insightful)
Re:Solution: (Score:5, Funny)
Re:Solution: (Score:5, Insightful)
Ummm, if you store potentially damaging photos on a third-party web site that is not intended to be a secure repository, why would you expect high security?
Because this has huge implications for online security.
Really? I think it just shows that MySpace is not (nor is it intended to be) a high security repository.
Re: (Score:3, Insightful)
Do you really think they have the common sense to know that?
Re: (Score:3, Insightful)
Re: (Score:3, Interesting)
Really? I think it just shows that MySpace is not (nor is it intended to be) a high security repository.
With underage kids able to post whatever photos they want without moderation, it needs to be, though. If myspace can't hold their shit together with this then they're going to either have to start moderating photos somehow, start verifying ages somehow, or not allow youngin's to join at all. I doubt any of those is particularly palatable with them, but really this is just a consequence of appealing to the super-young crowd anyway. It's become a haven for all manner of shadiness.
Re:Solution: (Score:4, Insightful)
No, it does not. It is the job of the parents to provide moderation. It is not my job, my company's job (though I don't work for MySpace), nor my government's job to parent someone else's children. If we can have cars traveling down streets at high speed without child restraint systems to keep children from walking into traffic, we can damned well expect parents to keep their kids safe online.
Re: (Score:3, Insightful)
That's not really what I'm saying. You're already given the fact that kids are posting god knows what online, whether parents moderate it or not (and I agree with you: they should). Given that, whatever it is they've got up there be it really sleazy or not needs to be kept away from pedophiles and other shady characters anyway. The point I was making is that there are far too many users, far too many photos, for all of them to be looked over before they're made public. There's a reason profiles of children
Re:Solution: (Score:5, Insightful)
Re:Solution: (Score:4, Insightful)
Who defines common good? Who defines what level of 'protection' is appropriate or necessary? Sorry, but I disagree with you. It is the job of the *PARENTS* to keep children safe. No one else unless they agree to take the responsibility. i.e. you hire a babysitter, school, or other activities intended specifically for children. Even then, the ultimate responsibility still falls back on the parents. Check out the daycare. Babysitter isn't a pothead?
It's not myspace's fault if their site is mis-used by children. They make a reasonable effort to protect children on their site. There is NO guarantee of ANYTHING (read the 20 page TOS/disclaimer). Just like gun makers aren't responsible for gang shootings, myspace isn't responsible if someone uploads KP.
One of the first rules on the internet? (Score:4, Insightful)
I thought one of the first rules on the internet was that anything you put out there can fall into the wrong hands / become public?
I certainly wouldn't trust MySpace with personal affairs - if not because of technical glitches / hackers, then because of a disgruntled employee who decides offering the entire database up is so much more rewarding than going postal.
Though the whole idea of using MySpace - a site where everybody openly shares information about themselves.. that's the whole point, after all - for *anything* private at all sounds ridiculous to me in its very premise.
Just my 2cts.. I do feel sorry for those who are/will be affected, especially in the days to come as the juicier bits are filtered out and plastered all over the web and into youtube videos for truly everybody to see, as even though my opinion is that there's no reasonable expectation for true privacy on those sites, that doesn't mean they asked for some stupid hacker and a scriptkiddie to go running amok with it.
Re:One of the first rules on the internet? (Score:5, Funny)
No, the first rule of the internet is we don't talk about the internet.
Oh crap...
Re:Solution: (Score:4, Insightful)
Rule #1 of the internet: If you don't want anyone to see something, don't fucking put it on the internet! There is no such thing as "posted privately on the internet". If it's REALLY something you don't want seen don't even put it in a computer CONNECTED to the internet. In fact, don't even take the damned pictures!!!
Gees, if brains were dynamite some people wouldn't have enough to blow their noses. I wonder how many pics in that 17 gig file are goatse?
Re:Solution: (Score:5, Insightful)
Really.
So you don't have an online interface for your credit card? You don't do online banking? You don't manage your IRA or 401K online? You don't write any emails that you wouldn't want published? You don't use SSH to access sensitive information? You don't send any instant messages that you wouldn't want published? You don't visit any websites that you wouldn't want the world to know about?
Oh, but that stuff's all different, you say. Sure, the information is all on a server, but the server will only send it to people who have the right password! Except, the MySpace photos weren't leaked by a mole; they were leaked because the server mistakenly sent it to anyone who asked for it.
This is a big deal, and your snide reply (essentially "don't use the internet") doesn't come close to offering a workable solution.
Re:Solution: (Score:5, Funny)
The intersection of these two sets is empty.
4chan is gonna have a field day with this... (Score:4, Funny)
Re:4chan is gonna have a field day with this... (Score:5, Insightful)
Re:4chan is gonna have a field day with this... (Score:5, Funny)
Maybe it's just me... (Score:5, Insightful)
Re: (Score:3, Funny)
Re:Maybe it's just me... (Score:4, Funny)
Slight Tweak: Myspace Privates Leak, Pictures! (Score:5, Funny)
Private? (Score:5, Insightful)
I know, I know, the myspace demographic doesn't know any better.
Re: (Score:2)
They've got more important things to do, like buy $150 HD-DVD players from Wal-Mart.
Re:Private? (Score:5, Insightful)
We, (I refer to the
We know the danger is from information about us being harvested, being used by future employers, insurance companies, the government, other corporates etc.. They (the 'myspace' generation) are worried about paedophiles and stalkers, whilst simultaneously being drawn to having deep personal relationships and generally being interesting (by whose standards I don't know) and pushing their personal information to anyone who will give them a linden dollar, a discount voucher or a chance to win an iPod.
Or am I just getting old?
Not getting old, just stupid (Score:3, Insightful)
There is no /. crowd. Get this stupid idea out of your head, you got Bill Gates lovers and Steve Jobs fanboys. You got MSCE's and real engineers. You got Window monkeys, linux users and BSD weirdos.
There is everything here from rocket scientists to people who clean toilets for a living. Age varies from almost dead to just old enough to sit upright.
We even have rumors of women visiting this place.
So how can you have a /. crowd?
Answer you don't. Sure there are some trends, there are probably a few more MS
anything interesting? (Score:2)
Misplaced Trust (Score:3, Insightful)
If anyone was actually exposed by this, it's their own fault.
Re: (Score:3, Insightful)
Top it off with the fact that MySpace really seems to be pretty poorly written to start with and it is no big shock.
What I don't get is how they didn't notice this one IP address sucking down this much data.
I guess they don't look at logs.
Re: (Score:3, Funny)
Re: (Score:3, Insightful)
uh... seriously? Did no one notice a huge spike of requests for only images from one IP, over the course of almost four days?
Though I guess this seems to be just the most egregious violation of this hole (any double entendre based on the potential content of said pictures is unintentional); as "The MySpace hole surfaced la
Re: (Score:3, Insightful)
never underestimate (Score:5, Funny)
Can someone run porn detection on this and reseed? (Score:4, Insightful)
Looking through all the junk is going to take too long.
It bears repeating: (Score:2, Insightful)
Re: (Score:3, Insightful)
Putting it on the net just implies that you're trying to show some people, but not others. That's a mistake (see above). Even if you assume perfect cryptography and perfect server security, your friend could send it to someone else.
huh (Score:3, Funny)
Re: (Score:3, Funny)
Well, some of them totally nailed the "Magnum".
I've looked. Yaaaaawn. (Score:5, Informative)
So far out of 4500 images, I found exactly zero images that I think anyone would give a crap about. I'm not even sure why the vast majority of them are even bothered marking private; nobody would care about them at all.
Re:I've looked. Yaaaaawn. Look again (Score:3, Insightful)
Just watch. Cue the countdown.
Re:I've looked. Yaaaaawn. (Score:4, Insightful)
It is done for the same reason women, including me, enjoy fretting about rape: they're flattering themselves.
One thing the internet's sheer size teaches you: you are just another nobody, who'd have to dig deep to find some trait that is simultaneously unique and valuable. On the one hand this is a Good Thing, because it blasts from Earth forever the notion that one might be a freak in some way. On the other hand, now we have to struggle to differentiate ourselves, even in our own minds.
Static Content Server (Score:4, Informative)
When not working or browsing Slashdot, a friend and I will exchange URLs to profile pics of "interesting" looking women. If the profile is private, the URL to the private JPG is not protected and we would exchange those instead. I haven't spent any time trying to find a pattern in the seemingly-random JPG names, so it appears difficult to pull the private images of any one person, but in general everyone's pics are available if you know the URL.
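The behaviour this comment describes, a static tier that serves a private image to anyone holding its URL, is shown here next to one common mitigation: short-lived HMAC-signed links issued only after the privacy check. This is an added example, not part of the original post and not MySpace's code; the key, paths, user names and friend list are constructed, and signed URLs are an assumed fix, not the one MySpace deployed.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# Constructed sample data: one private image and its owner's friend list.
SECRET = b"constructed-demo-key"  # hypothetical signing key shared by both tiers
IMAGES = {"/img/ab12cd34.jpg": {"owner": "alice", "private": True}}
FRIENDS = {"alice": {"bob"}}


def may_view(viewer, path):
    """Profile-page rule: the owner and their friends may see a private image."""
    meta = IMAGES.get(path)
    if meta is None:
        return False
    if not meta["private"] or viewer == meta["owner"]:
        return True
    return viewer in FRIENDS.get(meta["owner"], set())


def serve_unprotected(url):
    """Static tier as described in the comment: knowing the URL is enough."""
    return 200 if urlsplit(url).path in IMAGES else 404


def _sign(path, expires):
    msg = f"{expires}|{path}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_url(viewer, path, now, ttl=300):
    """Application tier: hand out a signed link only after the privacy check."""
    if not may_view(viewer, path):
        return None
    expires = int(now) + ttl
    return f"{path}?e={expires}&s={_sign(path, expires)}"


def serve_signed(url, now):
    """Static tier: no database lookup, only signature and expiry checks."""
    parts = urlsplit(url)
    if parts.path not in IMAGES:
        return 404
    query = parse_qs(parts.query)
    try:
        expires = int(query["e"][0])
        sig = query["s"][0]
    except (KeyError, ValueError):
        return 403  # missing or malformed parameters
    expected = _sign(parts.path, expires)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return 403  # tampered path, expiry or signature
    return 200 if now <= expires else 403


if __name__ == "__main__":
    link = issue_url("bob", "/img/ab12cd34.jpg", now=1000)
    print(serve_unprotected("/img/ab12cd34.jpg"), serve_signed(link, now=1100))
```

A signed link can still be forwarded by a legitimate viewer until it expires, so the lifetime bounds the exposure; it does not remove it.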
Re: (Score:3, Interesting)
It's not a big deal in the case of MySpace and Facebook; the images are randomly-enough named that I don't think anyone's figured out the scheme (if there is one). Basically all it does is let you and your friend trade images of people one of you already knows, which isn't too bad considering that anyone who posts
Submitter should RTFA, bug was known for months (Score:5, Informative)
No it didn't. MySpace let this thing go on for months. From TFA:
The irony (and scandal) is that they not only failed to uphold their privacy policy despite being in the public spotlight over the last 2 years precisely for privacy issues, but that they didn't bother to acknowledge or fix this bug until a high traffic site reported on it.
Re: (Score:2)
I have no idea how or what it was... but these are what I suspect.
Re: (Score:3, Informative)
Looking for technical details... anyone?
Having not read TFA or anything about this, let me venture some educated guesses:
- The URI for the pics are based on a timestamp ... a combination of the above
- The URI for the pics are based on a sequential number
-
- The pics are not access-controlled in any other way than not being listed on a user's page
The hack was discovered when a user cut and pasted the URI of one of his private pictures, noticed one of the above and attempted to change a digit of the URI, then automated the process with a garde
Re: (Score:3, Funny)
Archiving != compression (Score:3, Informative)
2) You can use zip with no compression for plain archiving
3) Since tar isn't that popular on Winblows it's pretty natural to use zip instead
There are plenty of benefits to using an archive
1) integrity checks
2) directory structures
3) single file vs thousands
etc
Re: (Score:3, Insightful)
In case you're new at this: a torrent file can contain more than one file, organized into subdirectories. There's no need for any encapsulation.
What makes even less sense, though, is where a single large (compressed) file is split into a bunch of .RAR files and then all the .RAR files are repackaged into a single torrent. The resulting torrent is no smaller or resistant to corruption, and requires exter
Re: (Score:3, Insightful)
The multi-part
Re: (Score:3, Informative)
Re:Dueling compression algorithms (Score:5, Informative)
Sure there is. Ignoring the way BitTorrent actually encodes the information, and assuming that somehow every file name could be stored as one byte (ignoring the obvious flaw with that), by keeping all of them at the torrent level you'd require "more than 560,000" bytes just devoted to file names. Since the general rule of thumb is to keep the actual .torrent file around 100KB, give or take, that's right out.
Now, throwing in the way the .torrent file actually stores the list of file names, you're looking at at least 21 bytes per file. Assuming 560,000 files, that bloats the .torrent file to over 11.2MB - and that's still not realistic, because it requires every file to be less than 10 bytes in size and all of them to have empty path names. (Which is obviously not valid.)
Throw in realistic constraints, and you're adding another 15 bytes, bringing us to a total of 36 bytes per file - bloating the .torrent to 19.2MB, just for file names.
So, in short, the reason to place them in a ZIP file and not use the multi-file feature is because using the multiple file feature would massively bloat the .torrent file. Now the final .ZIP file has similar requirements per file in the ZIP file, but that becomes payload as part of the BitTorrent download and not something that has to be downloaded via non-BitTorrent means first.
Finally, for an explanation of where those numbers above come from, the "smallest possible" form for a file would be:
"d6:lengthi0e4:pathlee" (21 bytes)
The "more realistic constraints" brings that to:
"d6:lengthi100000e4:pathl8:0000.JPGee" (36 bytes)
Yes, the .torrent file is essentially "plain text" although the piece hashes are stored as binary strings. It's encoded using "Bencoding [wikipedia.org]" - which isn't the most compact of formats.
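The per-file byte counts in the comment above can be reproduced with a small bencoder. This is an added example, not part of the original post; it also sizes the `files` list for the 17-archive layout reported further down the thread, using constructed file lengths (1 GB per archive, 30 MB for html.zip). The function names are hypothetical.

```python
def bencode(value):
    """Encode ints, str/bytes, lists and dicts using BitTorrent bencoding."""
    if isinstance(value, bool):
        raise TypeError("bencoding has no boolean type")
    if isinstance(value, int):
        return b"i%de" % value
    if isinstance(value, str):
        value = value.encode("utf-8")
    if isinstance(value, bytes):
        return b"%d:%s" % (len(value), value)
    if isinstance(value, list):
        return b"l" + b"".join(bencode(v) for v in value) + b"e"
    if isinstance(value, dict):
        # Dictionary keys are byte strings and are emitted in sorted order.
        items = [(k.encode() if isinstance(k, str) else k, v)
                 for k, v in value.items()]
        items.sort(key=lambda kv: kv[0])
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in items) + b"e"
    raise TypeError(f"cannot bencode {type(value).__name__}")


def file_entry(length, path_parts):
    """One element of the multi-file 'files' list in a .torrent info dict."""
    return {"length": length, "path": list(path_parts)}


def files_overhead(n_files, sample_entry):
    """Bytes used by a 'files' list of n entries shaped like sample_entry."""
    return n_files * len(bencode(sample_entry)) + 2  # +2 for the list's l...e


def zip_layout_overhead():
    """'files' list for 0.zip..f.zip plus html.zip (lengths are constructed)."""
    entries = [file_entry(1_000_000_000, [f"{d}.zip"]) for d in "0123456789abcdef"]
    entries.append(file_entry(30_000_000, ["html.zip"]))
    return len(bencode(entries))


SMALLEST = file_entry(0, [])
REALISTIC = file_entry(100000, ["0000.JPG"])

if __name__ == "__main__":
    for name, entry in (("smallest", SMALLEST), ("realistic", REALISTIC)):
        total = files_overhead(560_000, entry)
        print(name, bencode(entry), f"{total / 2**20:.1f} MiB for 560,000 files")
    print("17 archives:", zip_layout_overhead(), "bytes")
```

The piece hashes are not counted here; they depend on total payload size and piece length, not on how many files the payload is split into.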
Re:Dueling compression algorithms (Score:5, Interesting)
The
Re: (Score:3, Informative)
0.zip, 1.zip, 2.zip, 3.zip, 4.zip, 5.zip, 6.zip, 7.zip, 8.zip, 9.zip, a.zip, b.zip, c.zip, d.zip, e.zip, f.zip - The pictures, or so it seems. Haven't downloaded the pictures, yet. Each zip is ~1GB.
html.zip contains html files that link, supposedly, to the original pictures. It's ~30MB.
Out of sheer curiosity, I viewed the source of a couple of the html files - wanted to see if they contained any friendID's or anything else that could
Re: (Score:3, Insightful)
It's almost like there's more than one of us here, isn't it...