Two things in this story that are not new, but still amazing to me.
1) A significant portion of people love taking pictures of themselves naked. This portion seems to be growing.
2) Another significant portion of people love publishing and making fun of people for whatever reason they can find. These people will dig through your trash, hack your servers, socially-engineer your passwords, etc. The more they can publicly debase you the happier they are. This portion of the population is also growing.
Yes, I understand the technical angle to this story is whacked security. I'm just amazed at the comments over on reddit (I don't visit reddit very often). From reddit I surfed over to a couple of other links (drama-a-pedia or something?) and the festival of public debasement continues. Somebody even mentioned hacking some girl's senior picture and uploading her naked pics. Man, that has to make you feel really special to do something like that.
1) ... of which a significant portion is underage. I wouldn't be comfortable hosting such a service.
2) It's not clear to me this portion of the population is growing, but it does bother me that those people don't get the disdain they deserve (according to me).
That said, I think the company in question should be held liable for these kinds of breaches. It's your responsibility as an online service to protect the privacy of your users. Even if the service is free you're still obligated to properly secure the service, and if you don't have the expertise to secure it yourself, hire somebody to do it for you or don't run the service!
I don't expect most of you here to agree with me, in fact, I expect most of you to vehemently disagree. And web services? Reddit: didn't hash passwords, database got stolen. HN? Still doesn't hash passwords, as far as I know. 37signals? Same. The list goes on.
Yes, it sucks that people take advantage of lousy security, but in the end I think it's the web service that's been grossly negligent, and I think that we shouldn't accept this kind of malpractice.
I think they get the disdain they deserve; it just isn't expressed online. (You didn't log in to reddit to chastise them, did you? Neither did I.) Whoever these people are, they shouldn't treat their online reception as a guide to what people really think of their behavior.
That phones have put personal private cameras in more hands than even Polaroid certainly contributes. But I think a 30, 50 or 100% increase in cameras is nothing compared to the exponential increase in perfect digital copies and transfers of any given image.
The evidence can no longer be counted on to get lost, get damaged, decay, etc - and it duplicates and multiplies as a default behavior at every step of an exchange.
1 naughty polaroid = 1 naughty image
1 naughty cell-phone pic = 1 pic on camera, 1 pic on home PC, 1 pic in thumbnail cache, 1 pic on flickr, 1 pic in uploader's browser cache, 1 pic in recipient's browser cache, 1 pic on recipient's machine, 1 pic in recipient's thumbnail cache, etc.
Even if an image is never intentionally distributed, it's effectively distributed.
I think it also feels more informal/no-big-deal than with Polaroid: a cell-phone snapshot feels casual, while taking a naked picture with a Polaroid camera feels more like producing amateur porn.
People don't change. Everybody is a pervert or a sadist or something. Everybody does something weird when they think nobody is looking. The population is growing, and so there is certainly more going on at any one time, but I doubt the portion is really growing.
To be fair, sending naked photos of yourself over the phone to your partner is hardly "pervert or sadist or something", maybe a bit kinky but that's it.
I was trying to infer that making fun of people from behind the Internet veil of anonymity is sadistic, and it's a temptation for a lot of people at some point or another.
I think it's more like "people like treating other people outside their reach as objects without regards to consequences and when there are bad consequences they feel a bit guilty about it but it's too late anyway."
Seems they had no security at all (just a random 5-character hash).
Reddit users are seemingly busy sharing nsfw pictures and linking them to facebook accounts, will probably result in a couple of suicides when all is said and done :(
A random hash is actually fine -- the problem is that they are using only 5 characters. Had the programmers decided to go with a single additional character, this vulnerability would be much, much less severe. If they chose seven characters, it would be difficult to even grab a single random image. Ten characters, and it would take half a century per image.
The reddit thread contained many direct links to photos, and compressed archives of several thousand photos. Some of the archives contained NSFW photos of girls of very questionable age. Reddit and 4chan may be different sites, but there is a significant crossover of users (both literally, and in the "type of users" sense).
It's interesting how quickly the wolves jump on an easy target. Some of the comments on reddit and elsewhere I've read are talking about making throw-away Facebook accounts to confront/embarrass people with their private pictures. I've already seen a few names posted. I'm willing to cut people some slack for looking at the pictures (a harmless crime, human nature) but doing the leg work to connect anonymous pictures to a real identity to simply embarrass them is taking it way too far.
I like reddit, so I'm a little saddened to see this behavior there, but this is another reminder that the internet isn't as segregated as we think it is. Reddit is no gated community. Its best and worst feature.
If you launch something like QuipTxt, make it obvious to people that their images are public, so that the idiots who harbour the impression that stuff uploaded on a public URL on a free website don't come running at you with pitchforks.
Additional benefit: more network effects.
I don't really see the difference between this service and Twitpic (hard to tell since the site is down, though).
The users aren't the idiots here, they had no reason to assume their private pictures would be shared (and even if you put a disclaimer on there, you can't expect people to read that). Besides, the admins of the service must have been fully aware people were sharing sensitive pictures, and they did nothing about it! And it wasn't a public URL, it was a URL secured by a lousy hash. Virtually indistinguishable from a URL generated by Google Docs.
I think your statement (where you call the users idiots) represents everything that's wrong with the current security-lax web services crowd.
If you launch something like QuipTxt, make it obvious to people that their images are public
Google Picasa stores images as public URLs without any such warning. Because with random URLs, you effectively have passworded each image. Even more secure than if they were all locked into a nice MySQL database, because then they would all be behind only a single password.
I think you don't have to freak out users with too much information. The images are effectively password controlled.
The problem here is that the passwords were too short (and sent in plain text via SMS).
Yes, but passwords are typically used as a form of authentication (i.e. something you know) - to prove the identity of the user.
Once a user has authenticated themselves then it is a separate problem to decide what they are authorized to see.
Even really complex keys in links are still a big problem as they are far too easy to pass around - I've seen multiple problems on commercial systems and products where documents didn't require authentication before access and "security" relied on having an obscure key value directly represented in a link.
Sure. When you leave passwords floating around in plain text, bad things will happen too. It's too easy to forget that an obfuscated URL needs to be treated as a password.
The average Google Docs link has more entropy than the average username/password combination. So unless you want to argue that everything online is public to some extent, I don't think your claim makes much sense.
The Google Docs links aren't stateless logins; you can't log in to Google as me because you guessed the hash of my Word doc (or, more likely, I gave it to you).
A password is not a magic spell. It's a set of letters and numbers that, if guessed correctly, will give me access to something you wanted kept private.
An obfuscated URL is a set of letters and numbers that, if guessed correctly, will give me access to something you wanted kept private.
That one uses a MySQL database and the other uses a file system is irrelevant. They are functionally identical when directory listing is disabled, as it can be for Amazon S3.
I'd be interested in knowing what the length a hash needs to be to communicate "you should not attempt to circumvent this and post the nude pictures behind it", and also how secure a lock needs to be to communicate "you should not attempt to jimmy this with a credit card and post the nudie pictures behind it."
Well, to tell the truth, if there's a 'lock', it's pretty obvious you shouldn't be doing it. If there's just a hash, it strikes me as simply a bad idea in the first place, no matter how long it is. Someone can just do 'copy image url' and have it work, with no challenge from the application. A shorter hash is especially bad because it makes them easy to guess at. I'm not saying it's "right" to copy images protected only with a hash, but it's like leaving an expensive bicycle unlocked on a college campus in the US - it's simply not very prudent. Of course in this case the users probably weren't aware of the problem, and the people who made the application are at fault.
Edit: like daleharvey says, the point is really that the hash simply happens to be difficult to find, whereas a proper application will challenge everyone who attempts to access the resource. For instance, say Alice looks at Bob's picture, and does "copy image url", and sends it to Carol. Carol has no way of knowing whether it's supposed to be private or not, since Alice didn't communicate that information.
A password can usually be changed if compromised, and a password system usually contains measures to prevent brute-forcing, like cooldown times and a lockout after three guesses, for example.
If you build those same measures into your URL then they have the same level of security; plus you can make your URL key a lot longer than would be comfortable for a password.
It's not about filesystem vs database; where the data is stored is arbitrary. It's about how much information you need to access it. Apart from the increased entropy in using 2 bits of information (a username + a password (depending on the link size)), you can also implement things like locking accounts when someone guesses the password wrong X times, something that is impossible with a single entry point.
A thought experiment for the large minds here: how long a string _would_ be sufficient? I wonder if any string is long enough if you don't also implement some sort of access control lockdown to prevent people poking your system endlessly, but what do you think?
S3 offers privacy protections with the ability to require an expiring token in the URL. The theory is the web site should authenticate a user, and only generate a valid token for that user (for a fuzzy definition of "that" user) that works only for a limited time.
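The pattern described in the comment above, an expiring token in the URL that the site only issues after authenticating the user, as an added example that is not code from the thread, from QuipTxt or from Amazon. It does not reproduce S3's actual signing scheme; it is a generic HMAC-SHA256 construction over the image id, the user id and an expiry timestamp, with a constructed secret and constructed image and user names. The expiry is checked before the signature, and the signature comparison is constant-time.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed secret for the example. A real service keeps this in a secret
# store and rotates it, which invalidates every outstanding link at once.
SECRET = b"example-signing-secret-replace-me"


def _signature(secret: bytes, image_id: str, user_id: str, expires: int) -> str:
    """HMAC-SHA256 over the fields the server wants to bind to the link."""
    msg = f"{image_id}\n{user_id}\n{expires}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def sign_url(secret: bytes, base: str, image_id: str, user_id: str,
             ttl_seconds: int, now: Optional[float] = None) -> str:
    """Issue a link for image_id to an already-authenticated user_id,
    valid for ttl_seconds from now."""
    now = time.time() if now is None else now
    expires = int(now) + ttl_seconds
    query = urlencode({"uid": user_id, "exp": expires,
                       "sig": _signature(secret, image_id, user_id, expires)})
    return f"{base}/{image_id}?{query}"


def verify_url(secret: bytes, url: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (accepted, reason). Expiry is checked before the signature, so an
    expired link is refused even when its signature is intact."""
    now = time.time() if now is None else now
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    image_id = parts.path.rsplit("/", 1)[-1]
    try:
        user_id = params["uid"][0]
        expires = int(params["exp"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False, "malformed"
    if now > expires:
        return False, "expired"
    expected = _signature(secret, image_id, user_id, expires)
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    link = sign_url(SECRET, "https://img.example/i", "abc123", "alice", 300)
    print(link)
    print(verify_url(SECRET, link))
    print(verify_url(SECRET, link.replace("abc123", "abc124")))
```

A forwarded link still works until it expires, which is what the comment's "fuzzy definition of that user" acknowledges; what the expiry buys is that a leaked link is only useful for a bounded window, and binding the user id lets the server log who the link was issued to.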
Adding a single character to the length (from five to six) would probably have been enough to keep them off the radar by making it dramatically harder to brute-force. I would not be surprised if this single extra character would have completely diverted the attack, since the miss rate would be so high, it would trigger S3's DoS protection.
Doubling the characters to 10 would pretty much completely solve the problem. It would take many, many years to find a single image. Far below the threshold where Amazon S3 would ban you.
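The arithmetic behind the key-length claims in this thread (the comment above, the earlier "five characters is the problem" comment, and the "how long a string would be sufficient?" question), as an added example that is not code from the thread or from QuipTxt. The alphabet size, number of live images and guessing rate are constructed defaults, not figures anyone in the thread gave, so the absolute times differ from theirs; the point it shows is how each extra character multiplies the expected work by the alphabet size, and how close the miss rate of a guesser sits to 100% even at five characters.

```python
import math

# Constructed defaults for this example (not figures from the thread):
# a key alphabet of 62 symbols (a-z, A-Z, 0-9), 100,000 live images,
# and a guesser sending 100 requests per second.
ALPHABET_SIZE = 62
LIVE_KEYS = 100_000
RATE_PER_SECOND = 100
SECONDS_PER_YEAR = 365.25 * 86_400


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct keys of the given length."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a uniformly random key of the given length."""
    return length * math.log2(alphabet_size)


def expected_guesses_per_hit(alphabet_size: int, length: int, live_keys: int) -> float:
    """Expected random guesses before one lands on a key that maps to a real image.

    Each guess hits with probability live_keys / keyspace, so the wait until the
    first hit is geometric and its mean is the reciprocal of that probability.
    """
    if live_keys <= 0:
        raise ValueError("need at least one live key")
    return keyspace(alphabet_size, length) / live_keys


def seconds_per_hit(alphabet_size: int, length: int, live_keys: int, rate: float) -> float:
    """Expected wall-clock seconds per found image at `rate` guesses per second."""
    return expected_guesses_per_hit(alphabet_size, length, live_keys) / rate


def hits_in_window(alphabet_size: int, length: int, live_keys: int,
                   rate: float, seconds: float) -> float:
    """Expected number of images found after `seconds` of guessing."""
    return rate * seconds * live_keys / keyspace(alphabet_size, length)


def miss_fraction(alphabet_size: int, length: int, live_keys: int) -> float:
    """Fraction of guesses that return nothing, i.e. what a 404-rate monitor sees."""
    return 1.0 - live_keys / keyspace(alphabet_size, length)


def summarize(lengths, alphabet_size=ALPHABET_SIZE, live_keys=LIVE_KEYS,
              rate=RATE_PER_SECOND):
    """One row per key length: entropy, guesses per hit, years per hit, hits per hour."""
    rows = []
    for length in lengths:
        rows.append({
            "length": length,
            "bits": round(entropy_bits(alphabet_size, length), 1),
            "guesses_per_hit": expected_guesses_per_hit(alphabet_size, length, live_keys),
            "years_per_hit": seconds_per_hit(alphabet_size, length, live_keys, rate) / SECONDS_PER_YEAR,
            "hits_per_hour": hits_in_window(alphabet_size, length, live_keys, rate, 3600),
        })
    return rows


if __name__ == "__main__":
    print(f"{'len':>3} {'bits':>6} {'guesses/hit':>14} {'years/hit':>12} {'hits/hour':>10}")
    for r in summarize([5, 6, 7, 8, 10]):
        print(f"{r['length']:>3} {r['bits']:>6} {r['guesses_per_hit']:>14.3g} "
              f"{r['years_per_hit']:>12.3g} {r['hits_per_hour']:>10.3g}")
```

Two things the table makes visible: the expected work scales with keyspace divided by the number of live images, so a popular service with many uploads is easier to hit than an empty one at the same key length, and a guesser's miss fraction is above 99.98% even at five characters, which is the signal a rate limiter or an S3-side anomaly rule can act on.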
Assuming we're assuming SSL, then a string in the URL could be more secure than a password because it could be longer than a human could comfortably remember. Longer = harder to brute force, plus you can block (or teergrube, or whatever) any IPs that try to guess a URL and fail.
You can add an option to delete/rekey the image too. At that point the URL is exactly as secure as the method you use to send the URL -- just like a password.
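The measures proposed across the last few comments (counting failed guesses per client and locking them out, issuing keys much longer than a password, and deleting or rekeying an image whose link has leaked) put together in one small gate, as an added example that is not code from the thread or from QuipTxt. The lockout policy (five misses in sixty seconds earns a fifteen-minute lockout), the key length (16 random bytes, about 128 bits) and the client identifier (a string standing in for a source IP) are all assumptions made for the example; keying lockouts on source IP is coarse, since many users can sit behind one NAT address and a determined guesser can spread requests across many, so treat it as one layer on top of a long key, not a substitute for it.

```python
import secrets
from collections import defaultdict, deque
from typing import Dict, Optional, Tuple


class KeyGate:
    """Look up images by an unguessable key, and lock out clients that miss too often.

    Assumed policy (constructed for this example): a client that misses
    `max_misses` times within `window` seconds is locked out for `lockout`
    seconds, during which even a correct key is refused, so a guesser cannot
    confirm hits while locked.
    """

    def __init__(self, max_misses: int = 5, window: float = 60.0, lockout: float = 900.0):
        self.max_misses = max_misses
        self.window = window
        self.lockout = lockout
        self.images: Dict[str, str] = {}                    # key -> image id
        self.misses: Dict[str, deque] = defaultdict(deque)  # client -> miss timestamps
        self.locked_until: Dict[str, float] = {}            # client -> lock expiry

    def publish(self, image_id: str, key_bytes: int = 16) -> str:
        """Issue a fresh key with key_bytes*8 bits of entropy (16 bytes -> 128 bits)."""
        key = secrets.token_urlsafe(key_bytes)
        self.images[key] = image_id
        return key

    def revoke(self, key: str) -> None:
        """Delete: the link stops working immediately."""
        self.images.pop(key, None)

    def rekey(self, old_key: str) -> Optional[str]:
        """Replace a leaked link with a new one; the old key is dead at once."""
        image_id = self.images.pop(old_key, None)
        if image_id is None:
            return None
        return self.publish(image_id)

    def _record_miss(self, client: str, now: float) -> bool:
        """Record a miss; return True if it pushes the client over the limit."""
        recent = self.misses[client]
        while recent and recent[0] <= now - self.window:   # drop misses outside the window
            recent.popleft()
        recent.append(now)
        if len(recent) >= self.max_misses:
            self.locked_until[client] = now + self.lockout
            recent.clear()
            return True
        return False

    def fetch(self, client: str, key: str, now: float) -> Tuple[str, Optional[str]]:
        """Return ("found", image_id), ("miss", None) or ("locked", None).

        A revoked key and a never-issued key both answer "miss", so the
        response does not reveal which keys once existed.
        """
        if self.locked_until.get(client, 0.0) > now:
            return "locked", None
        image_id = self.images.get(key)
        if image_id is not None:
            return "found", image_id
        if self._record_miss(client, now):
            return "locked", None
        return "miss", None


if __name__ == "__main__":
    gate = KeyGate(max_misses=3)
    key = gate.publish("img-1")
    print(len(key), "character key:", key)
    for guess in ("aaaa", "bbbb", "cccc", key):
        print(gate.fetch("203.0.113.7", guess, now=1.0))   # third miss locks; real key refused
    print(gate.fetch("198.51.100.9", key, now=1.0))        # another client is unaffected
```

The thing to notice is the last branch of `fetch`: once a client is locked, the correct key is refused too. Without that, a guesser could keep hammering and simply ignore the "locked" responses, since the one response that matters (a hit) would still come through.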
If the past is any indication, they fix the hole and everybody forgets about it. Then Quiptxt grows to hundreds of millions of users, just like that other site that used only 4 random digits: http://www.allfacebook.com/2009/02/facebook-photos-warning/
This is why you shouldn't send or say over the internet anything that you wouldn't show your mother, and why you should try to keep your private life separate from your internet life. If I was a user I would never again use this service. This wasn't even a security flaw, it was plain incompetence, as some redditors mentioned.
It seems like we should be careful here - depending on the age of those involved (which we cannot determine for sure) these photos might legally be child pornography.
Less than six months ago, some internal (non-confidential, non-critical, but, nonetheless, internal) documents of a client of mine showed up on Google. The reason? They were public files in a folder on the webserver, and someone turned on Indexes in Apache. It is the exact same problem.
Not even the shadow of a cloud (pun intended) was involved.
Pardon my SEO: Google uses both heuristics and partial execution of Javascript these days. Linking to things only through JS is not a good method to prevent Googlebot from stumbling upon them. I only mention this because a lot of people I know think that apparently Google's colony of well-paid supergeniuses has not written anything since like 2004.
No, this is a brand new site, on its first index through Google. I'm very confident that they went through the JS. Nobody else had any link to the site at all yet. Not really on topic here, but the parent's comment inspired me to share.