Two things in this story that are not new, but still amazing to me.
1) A significant portion of people love taking pictures of themselves naked. This portion seems to be growing.
2) Another significant potion of people love publishing and making fun of people for whatever reason they can find. These people will dig through your trash, hack your servers, socially-engineer your passwords, etc. The more they can publicly debase you the happier they are. This portion of the population is also growing.
Yes, I understand the technical angle to this story is whacked security. I'm just amazed at the comments over on reddit (I don't visit reddit very often) From reddit I surfed over to a couple of other links (drama-a-pedia or something?) and the festival of public debasement continues. Somebody even mentioned hacking some girl's senior picture and uploading her naked pics. Man that has to make you feel really special to do something like that.
1) ... of which a significant portion is underage. I wouldn't be comfortable hosting such a service.
2) It's not clear to me this portion of the population is growing, but it does bother me that those people don't get the disdain they deserve (according to me).
That said, I think the company in question should be held liable for these kind of breaches. It's your responsibility as an online service to protect the privacy of your users. Even if the service is free you're still obligated to properly secure the service, and if you don't have the expertise to secure it yourself hire somebody to do it for you or don't run the service!
I don't expect most of you here to agree with me, in fact, I expect most of you to vehemently disagree. And web services? Reddit: didn't hash passwords, database got stolen. HN? Still doesn't hash passwords, as far as I know. 37signals? Same. The list goes on.
Yes, it sucks that people take advantage of lousy security, but in the end I think it's the web service that's been grossly negligent, and I think that we shouldn't accept this kind of malpractice.
That phones have put personal private cameras in more hands than even Polaroid certainly contributes. But I think a 30, 50 or 100% increase in cameras is nothing compared to the exponential increase in perfect digital copies and transfers of any given image.
The evidence can no longer be counted on to get lost, get damaged, decay, etc - and it duplicates and multiplies as a default behavior at every step of an exchange.
1 naughty polaroid = 1 naughty image
1 naughty cell-phone pic = 1 pic on camera, 1 pic on home PC, 1 pic in thumbnail cache, 1 pic on flickr, 1 pic in uploader's browser cache, 1 pic in recipient's browser cache, 1 pic on recipient's machine, 1 pic in recipient's thumbnail cache, etc.
Even if an image is never intentionally distributed, it's effectively distributed.
People don't change. Everybody is a pervert or a sadist or something. Everybody does something weird when they think nobody is looking. The population is growing, and so there is certainly more going on at any one time, but I doubt the portion is really growing.
Seems they had no security at all (just a random 5 character hash)..
Reddit users are seemingly busy sharing nsfw pictures and linking them to facebook accounts, will probably result in a couple of suicides when all is said and done :(
A random hash is actually fine -- the problem is that they are using only 5 characters. Had the programmers decided to go with a single additional character, this vulnerability would be much, much less severe. If they chose seven characters, it would be difficult to even grab a single random image. Ten characters, and it would take half a century per image.
It's interesting how quickly the wolves jump on an easy target. Some of the comments on reddit and elsewhere I've read are talking about making throw-away Facebook accounts to confront/embarrass people with their private pictures. I've already seen a few names posted. I'm willing to cut people some slack for looking at the pictures (a harmless crime, human nature) but doing the leg work to connect anonymous pictures to a real identity to simply embarrass them is taking it way too far.
I like reddit so I'm a little saddened to see this behavior there but this is another reminder that the internet isn't as segregated as we think it is. Reddit is no gated community. Its best and worst feature.
If you launch something like QuipTxt, make it obvious to people that their images are public, so that the idiots who harbour the impression that stuff uploaded on a public URL on a free website don't come running at you with pitchforks.
Additional benefit: more network effects.
I don't really see the difference between this service and Twitpic (hard to tell since the site is down, though).
The users aren't the idiots here, they had no reason to assume their private pictures would be shared (and even if you put a disclaimer on there, you can't expect people to read that). Besides, the admins of the service must have been fully aware people were sharing sensitive pictures, and they did nothing about it! And it wasn't a public URL, it was a URL secured by a lousy hash. Virtually indistinguishable from a URL generated by Google Docs.
I think your statement (where you call the users idiots) represents everything that's wrong with the current security-lax web services crowd.
If you launch something like QuipTxt, make it obvious to
people that their images are public
Google Picasa stores images as public URLs without any such warning. Because with random URL's, you effectively have passworded each image. Even more secure than if they were all locked into a nice MySQL database, because then they would all be behind only a single password.
I think you don't have to freak out users with too much information. The images are effectively password controlled.
The problem here is that the passwords were too short (and sent in plain text via SMS).
A thought experiment for the large minds here: how long a string _would_ be sufficient? I wonder if any string is long enough if you don't also implement some sort of access control lockdown to prevent people poking your system endlessly, but what do you think?
Adding a single character to the length (from five to six) would probably have been enough to keep them off the radar by making it dramatically harder to bruteforce. I would not be surprised if this single extra character would have completely diverted the attack, since the miss rate would be so high, it would trigger S3's DoS protection.
Doubling the characters to 10 would pretty much completely solve the problem. It would take many, many years to find a single image. Far below the threshold where Amazon S3 would ban you.
Assuming we're assuming SSL, then a string in the URL could be more secure than a password because it could be longer than a human could comfortably remember. Longer = harder to brute force, plus you can block (or teergrube, or whatever) any IP's that try to guess a URL and fail.
You can add an option to delete/rekey the image too. At that point the URL is exactly as secure as the method you use to send the URL -- just like a password.
If the past is any indication, they fix the hole and everybody forgets about it. Then Quiptxt grows to hundreds of millions of users, just like that other site that used only 4 random digits: http://www.allfacebook.com/2009/02/facebook-photos-warning/
This is why you shouldn't sent or say over the internet anything that you wouldn't show your mother and why you should try to keep your private life separate from your internet live. If I was a user I would never again use this service. This wasn't even a security flaw it was plain incompetence as some redditors mentioned.
It seems like we should be careful here - depending on the age of those involved (which we cannot determine for sure) these photos might legally be child pornography.
Less than six months ago, some internal (non-confidential, non-critical, but, none the less, internal) documents of a client of mine showed up on Google. The reason? They were public files in a folder on the webserver, and someone turned on Indexes in Apache. It is the exact same problem.
Not even the shadow of a cloud (pun intended) was involved.
[+] [-] DanielBMarkham|16 years ago|reply
1) A significant portion of people love taking pictures of themselves naked. This portion seems to be growing.
2) Another significant potion of people love publishing and making fun of people for whatever reason they can find. These people will dig through your trash, hack your servers, socially-engineer your passwords, etc. The more they can publicly debase you the happier they are. This portion of the population is also growing.
Yes, I understand the technical angle to this story is whacked security. I'm just amazed at the comments over on reddit (I don't visit reddit very often) From reddit I surfed over to a couple of other links (drama-a-pedia or something?) and the festival of public debasement continues. Somebody even mentioned hacking some girl's senior picture and uploading her naked pics. Man that has to make you feel really special to do something like that.
[+] [-] gizmo|16 years ago|reply
2) It's not clear to me this portion of the population is growing, but it does bother me that those people don't get the disdain they deserve (according to me).
That said, I think the company in question should be held liable for these kind of breaches. It's your responsibility as an online service to protect the privacy of your users. Even if the service is free you're still obligated to properly secure the service, and if you don't have the expertise to secure it yourself hire somebody to do it for you or don't run the service!
I don't expect most of you here to agree with me, in fact, I expect most of you to vehemently disagree. And web services? Reddit: didn't hash passwords, database got stolen. HN? Still doesn't hash passwords, as far as I know. 37signals? Same. The list goes on.
Yes, it sucks that people take advantage of lousy security, but in the end I think it's the web service that's been grossly negligent, and I think that we shouldn't accept this kind of malpractice.
[+] [-] roc|16 years ago|reply
That phones have put personal private cameras in more hands than even Polaroid certainly contributes. But I think a 30, 50 or 100% increase in cameras is nothing compared to the exponential increase in perfect digital copies and transfers of any given image.
The evidence can no longer be counted on to get lost, get damaged, decay, etc - and it duplicates and multiplies as a default behavior at every step of an exchange.
1 naughty polaroid = 1 naughty image
1 naughty cell-phone pic = 1 pic on camera, 1 pic on home PC, 1 pic in thumbnail cache, 1 pic on flickr, 1 pic in uploader's browser cache, 1 pic in recipient's browser cache, 1 pic on recipient's machine, 1 pic in recipient's thumbnail cache, etc.
Even if an image is never intentionally distributed, it's effectively distributed.
[+] [-] jcromartie|16 years ago|reply
[+] [-] wesley|16 years ago|reply
Reddit users are seemingly busy sharing nsfw pictures and linking them to facebook accounts, will probably result in a couple of suicides when all is said and done :(
[+] [-] jeff18|16 years ago|reply
[+] [-] markbao|16 years ago|reply
[+] [-] tomjen2|16 years ago|reply
[deleted]
[+] [-] jsz0|16 years ago|reply
[+] [-] naner|16 years ago|reply
I like reddit so I'm a little saddened to see this behavior there but this is another reminder that the internet isn't as segregated as we think it is. Reddit is no gated community. Its best and worst feature.
[+] [-] frognibble|16 years ago|reply
The application is described in the iTunes store: http://itunes.apple.com/app/quip-free-photo-texting/id291358...
[+] [-] prog|16 years ago|reply
[+] [-] brown9-2|16 years ago|reply
[+] [-] swombat|16 years ago|reply
If you launch something like QuipTxt, make it obvious to people that their images are public, so that the idiots who harbour the impression that stuff uploaded on a public URL on a free website don't come running at you with pitchforks.
Additional benefit: more network effects.
I don't really see the difference between this service and Twitpic (hard to tell since the site is down, though).
[+] [-] gizmo|16 years ago|reply
I think your statement (where you call the users idiots) represents everything that's wrong with the current security-lax web services crowd.
[+] [-] cryptnoob|16 years ago|reply
I think you don't have to freak out users with too much information. The images are effectively password controlled.
The problem here is that the passwords were too short (and sent in plain text via SMS).
[+] [-] oogali|16 years ago|reply
I figured since these messages were being passed around via txt, forwarded e-mails, etc., there was no real benefit in shortening them.
[+] [-] gcanyon|16 years ago|reply
[+] [-] unknown|16 years ago|reply
[deleted]
[+] [-] alecco|16 years ago|reply
S3 hosting of private images was a terrible idea. It doesn't provide any kind of protection.
[+] [-] jeff18|16 years ago|reply
Doubling the characters to 10 would pretty much completely solve the problem. It would take many, many years to find a single image. Far below the threshold where Amazon S3 would ban you.
[+] [-] xsmasher|16 years ago|reply
You can add an option to delete/rekey the image too. At that point the URL is exactly as secure as the method you use to send the URL -- just like a password.
[+] [-] prog|16 years ago|reply
[+] [-] brlewis|16 years ago|reply
[+] [-] jorgecastillo|16 years ago|reply
[+] [-] prog|16 years ago|reply
It would also include other services by the same management to the list :-)
[+] [-] donohoe|16 years ago|reply
[+] [-] chanux|16 years ago|reply
[+] [-] Willie_Dynamite|16 years ago|reply
[+] [-] mseebach|16 years ago|reply
Not even the shadow of a cloud (pun intended) was involved.