Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
Get HideMyAss! VPN, PC Mag's Top 10 VPNs of 2016 for 55% off for a Limited Time ×
Cloud

Photobucket Hackers Nabbed, Face Serious Charges From US Authorities 142

The U.S. Department of Justice said in a statement released Friday that two men, Brandon Bourret, and Athanasios Andrianakis, of Colorado Springs, Colorado and Sunnyvale, California, respectively, were arrested for their sale of software designed to breach the security of photo-sharing site Photobucket.com; their "Photofucket" app, says the linked Register report, was used "to plunder Photobucket's users' private and password-protected information, images and videos, it has been alleged ... The charge sheet against Bourret and Andrianakis details one count of conspiracy and one count of computer fraud, aid and abet – both of which carry a maximum prison sentence of five years and a fine of up to $250,000. In addition, the men stand accused of two counts of access device fraud, which carries a higher prison sentence of up to 10 years and a fine of up to a quarter of a million dollars, per count." The indictment, filed in Federal District Court in Colorado, is far easier to read than many.
This discussion has been archived. No new comments can be posted.

Photobucket Hackers Nabbed, Face Serious Charges From US Authorities

Comments Filter:
  • by Anonymous Coward on Sunday May 10, 2015 @12:36AM (#49656395)

    "...their "Photofucket" app, says the linked Register report, was used "to plunder Photobucket's users' private and password-protected information, images and videos, it has been alleged .."

    Sounds exactly like any one of the many NSA programs that have been pointed out over the past year after Snowden relased info.

    • by SumDog ( 466607 )

      Exactly what I was thinking. None of those people are in jail. Congress hasn't done a damn thing....probably because the spy program benefits the federal government greatly in expanding the American Empire.

  • by Anonymous Coward on Sunday May 10, 2015 @12:36AM (#49656399)

    The assets in question were not "protected" by passwords, they were stored on publicly accessible and easily guessable URLs. I mean, if by protected by password they mean anyone without the password could take common camera file names and type in an easily guessable URL without the password then well ya.
     

    • by Anonymous Coward

      It may not be wise to not protect yourself from stupid thugs, and their little exploit as expected, was neither ingenious, nor damaging in and of itself. What was unexpected was that morons that pound away at keyboards don't think conspiring to commit a crime, fully intending to cause damage aren't smart enough to know that the law treats assholes like criminals and criminals like assholes. I expect to hear the full range of liberal excuses offered in defense of these jerks, but it won't mitigate the next

      • Balancing the budget? :-p

      • Ask Hillary Clinton what Bill is most famous for. Ask anyone. See what I mean?

        NOT starting a war
        NOT campaigning on ending war related atrocities by his predecessor and then changing his mind.

        That is what many people think of when they think of Bill Clinton. The guy who just did his job.
        If someone's biggest complaint about how you did a job is something not related to the job, you are doing alright.

    • by Sqr(twg) ( 2126054 ) on Sunday May 10, 2015 @04:12AM (#49656881)

      So, the question is: Is it illegal to issue HTTP GET requests (that conform to all specifications and obey the robots.txt of the site in question) if the owner of the site didn't intent for the content at that URL to be available to you?

      In other words: Is requesting a (non password-protected) webpage equivalent to representing yourself as someone who is authorized to access than page?

      • by AmiMoJo ( 196126 )

        The question is not how bad the security has to be. If you put up a "no entry" sign but otherwise don't lock your doors, it's still trespassing. If it is clear that the pages are supposed to be private, accessing them is illegal regardless of how lame the security is.

        Unlisted pages that are marked as private by the user are clearly not supposed to be public. These guys advertised the software as being able to access private pages. It's pretty cut and dry.

        • by mrbester ( 200927 ) on Sunday May 10, 2015 @05:29AM (#49657017) Homepage

          Enough with this shit about "trespass". Property laws ate irrelevant. If a page is publicly available then it is public. If it isn't meant to be public then the onus is on the provider to make it private as in contrast to your house, the web is default public by design.

          • by Anonymous Coward

            While this is true, it doesn't seem to matter in "computer security" cases. I think in part because "a jury of your peers" is not what you get, a jury of my peers would know how HTTP works, instead you get a jury of users who don't know the difference between HTTP and HTTPS and the lawyers spinning the story to make the company in to a victim even though all the fault falls on them.

          • by tomhath ( 637240 )

            Property laws ate irrelevant. If a page is publicly available then it is public.

            If I can break the window of your car and pop the trunk open, does that make your laptop "publicly available" for me to take?

            • Cars are public? Didn't think so.

              Even if someone else popped the trunk, the car is still private. And this still has nothing to do with accessing a public URL.

          • Agreed, these "private property" analogies fall apart badly. I could easily say something stupid like "If I put a sign on my house that says 'Do not look at my house under penalty of law.' and there is no fence or anything", is it enforcable? Of course not.

        • by Sqr(twg) ( 2126054 ) on Sunday May 10, 2015 @05:30AM (#49657019)

          What if the sign [photobucket.com] doesn't say "no entry", but instead "feel free to request any URL that you want" ?

          • by AmiMoJo ( 196126 )

            The robots.txt and http server don't represent the legal intent of the users, and measures had been taken to keep unwanted people out, hence the need for the software. Nothing else matters, technical issues and poor security don't excuse these guy's actions. The fact that the server handed the images over is not an invitation to take them, legally speaking. It's like a petrol pump will fill your car up if you push the lever, but that isn't an invitation to take some free petrol.

        • By that logic you're guilty of "trespassing" if your browser, even without your interaction, loads a picture from one such area. So all a shyster has to do is send you a mail with such an image attached, your average "modern" mail client loads the pic when you preview the mail (or, worse, again without your interaction) and the next mail you get from him is a cease and desist letter (with a friendly "please pay this sum to settle this out of court" note attached).

          Let's be grateful that the average lawyer wh

          • by tomhath ( 637240 )

            Trespassing means entering without the owner's permission; whether it was done intentionally or not doesn't matter.

            So GP's logic is correct.

          • by AmiMoJo ( 196126 )

            The law isn't that dumb, it's clearly different if you accidentally stumble into an area you are not supposed to be in, or the warning sign isn't visible or whatever. That's clearly not what happened here though, these guys knew what they were doing. It was the only purpose of their software.

            • And now you try to convince a judge and a jury who can't tell one from the other. Good luck. I mean it.

            • by TWX ( 665546 )
              So is it a crime to find a book or magazine in a huge library that isn't listed in the public library's card catalog system?

              As I see it, if all they're doing is changing URLs to see what they find, that's what they're doing. Finding something that's in the public library, but not in the catalog.

              Posting content on the Internet is publishing. Lots of content on the Internet is indexed by search engines or by the websites that publish it themselves, but not all of it is. If the content is accessible w
        • by AK Marc ( 707885 )
          So is it trespass if you put up a "no entry" sign, and someone reads your house number from the street?
      • The question is, is the line:

        robots=off

        in my ./.wgetrc file illegal?

  • Pointing out a flaw in someone else's software should not, by itself, be a criminal act. Once the information is public, automating the exploit could be done by anyone proficient in the art.

    But selling a tool that uses the vulnerability? They crossed a line, but throwing the book at them seems a little harsh.

    • Re:Seems a bit harsh (Score:4, Interesting)

      by rtb61 ( 674572 ) on Sunday May 10, 2015 @12:54AM (#49656433) Homepage

      If you read the indictment, they did not just create the code, they actually used it themselves and showed others how to use it by demonstrating it. Now of course comes much greater consequences, their customer base is also in the firing line and they will all be turned over for a reduced sentence. This could lead to a whole bunch of crimes being exposed.

      • Re: (Score:1, Flamebait)

        by Opportunist ( 166417 )

        Then I guess I'm a criminal too. My job is to find flaws in security and show how to exploit them. Of course this entails creating tools that allow me to demonstrate it.

        Great. Is the ITSEC industry supposed to come alphabetically, by size or by importance? We don't want to cause a traffic jam at the jail gates.

      • If you read the indictment, they did not just create the code, they actually used it themselves and showed others how to use it by demonstrating it. Now of course comes much greater consequences, their customer base is also in the firing line and they will all be turned over for a reduced sentence. This could lead to a whole bunch of crimes being exposed.

        If you remember the Aaron Barr/HBGary e-mails, which preceded the Snowden revelations by years, it was already obvious that there was a whole subculture of businesses who bought and *sold* 0-day exploits (HBGary's boss called them 'Juicy Fruits"), of course with the obvious intent of being used against non-censenting targets. So if these Photobucket guys are guilty, let's start filing suits against the dark "security businesses" of this world.

  • So Chinese college students are reading Obama's unclassified emails and these guys are busted for hacking ebay photos. :-D
    • Re:Bigger Fish (Score:4, Insightful)

      by St.Creed ( 853824 ) on Sunday May 10, 2015 @09:00AM (#49657453)

      The Chinese students were probably smart enough to do it from outside the USA's jurisdiction...

    • So Chinese college students are reading Obama's unclassified emails and these guys are busted for hacking ebay photos. :-D

      No, they were busted for selling software that let others hack eBay photos. I'm not sure how this is any different than the guy who created the website that helps you break into Master padlocks. Both have legitimate uses as well as nefarious ones.

      • I guess I should have read the indictment beforehand. Apparently they also hacked into Photobucket themselves and sold the access or photos to others. That's very different.
  • by koan ( 80826 )

    Those penalties seem overly harsh.

  • by Anonymous Coward

    What the hell is wrong here? These guys are going to do time for an attack based on a jurrassic flaw? Isn't this crap in books on the subject with titles like "don't ever set up a website like this"!

  • by hawguy ( 1600213 ) on Sunday May 10, 2015 @01:09AM (#49656475)

    How much jail time did Photobucket executives get for allowing such lax security in their app in the first place? Must be at least twice the 5 years that these two are getting. Maybe more. Right?

    • How much jail time did Photobucket executives get for allowing such lax security in their app in the first place? Must be at least twice the 5 years that these two are getting. Maybe more. Right?

      In the eyes of justice, the intention is worth more than the act.

    • I mean when someone breaks in to your house, you should go to jail right? After all, your home security sucks. I don't care if you think it is good, it sucks. Virtually nobody bothers with good home security.

      So you should go to jail if someone breaks in... ...or maybe you should reexamine this "blame the victim" attitude so many geeks have with regards to hacking.

      • Re: (Score:3, Insightful)

        by mrbester ( 200927 )

        Your home is by default private. The web is by default public. The assumption that a public page is private just because it has your name on it is risible.

      • by AK Marc ( 707885 )
        If someone walks into an open store, tries on some clothes, taking photos in the fitting room, and puts everything back and leaves, is that "theft"?
  • by future assassin ( 639396 ) on Sunday May 10, 2015 @01:18AM (#49656493) Homepage

    you get more time for hacking a corporation then you do for manslaughter.

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      As should be the case. the hacking is a malicious, intentional act, with forethought and planning. Manslaughter by definition is neither intentional nor malicious and was done without forethought. One is a crime you intentionally set out to do the other is circumstance/random/accidental.

      • by l0ungeb0y ( 442022 ) on Sunday May 10, 2015 @03:07AM (#49656741) Homepage Journal
        By that definition, shoplifters should get 20-30 years. You are one fucked up individual if you think these twerps deserve what amounts to a life sentence over grabbing some nudies. Three to Five years? Sure -- but people like you who support these totalitarian policies are the reason why our country is turning into a Fascist Police State. So fuck you very much for helping to burn our freedoms to the ground you fuck.
        • You are one fucked up individual if you think these twerps deserve what amounts to a life sentence over grabbing some nudies.

          The thing you need to understand is that Big Data needs us to trust that it's safe to put all our stuff on their servers. These 'twerps' erode that trust badly. How is Google going to mine our data if we don't put it out there because we've been scared off by their little brothers in the surveillance business. So obviously these guys need to be made an example of.

    • Here manslaughter is a Class 2 Felony. That means 4 years minimum sentence (or 3 years minimum if there are mitigating circumstances), 10 year maximum (12.5 if there are aggravating circumstances). This is presuming first time offence, and only one count. A repeat offence can bring it up to as much as 35 years.

      So no, doesn't look higher to me. Remember there's a difference between maximum and minimum. When a sentence is "up to" that means "the absolute maximum a court may sentence for a given offence." Usua

      • by Ramze ( 640788 )

        Depending on the state, sentences can even be active (prison time), probation, and/or community service. They can also be commuted so that the record shows you're guilty and sentenced to X years, but you serve no actual time. North Carolina has a "Prayer for Judgement Continued" option for judges to basically accept a guilty plea for even some felonies, yet give no punishment or sentence, so the person is guilty, but not convicted because a conviction requires a sentence. (This works by pleading guilty,

  • by Anonymous Coward

    These assholes did things they had no moral right to do. They deserve to be punished because they actually committed intrusions, which is
    behavior that is fundamentally different from merely exposing a security flaw.

    To those of you who are spouting off the bullshit "moral relativism" arguments about how the NSA or Obama or some other government entity does things which are wrong "therefore anyone else who does similar stuff should not be punished" : Your thought processes are deeply in need of repair and you

    • by Anonymous Coward

      These assholes did things they had no moral right to do.

      Morality can fuck right off. What matters is Legality.

      A decent human being doesn't look for excuses which will justify or excuse bad behavior ; a decent human being does what is right because it is the right thing to do and avoids doing what is wrong simply because it is wrong, even if no one is watching

      Ah, the "no true Scotsman" fallacy alive and well I see. Pray tell, what is the 100% agreed-upon criteria amongst all people for what "right" and "moral" means?

      they actually committed intrusions

      Technically no they did not. They accessed URL's which were publicly accessible, but which were not publicly published. It's somewhat of a gray area legally, but from a purely technical viewpoint since the resources were publicly accessible with no protections the access is not really 'unauthorize

      • Re: (Score:2, Interesting)

        by Anonymous Coward

        It hardly seems more serious than a search engine that fails to look at robots.txt and indexes content anyway.
        They went about it in kind of a nasty way, but “Unauthorized access into a secure computer system” should require at least a remedial level of security. Otherwise, I could just put up a public web site, post a bunch of "private" photos on it without publishing the links, and then watch the logs for all these unauthorized criminals to commit a federal crime by accessing them... Profit?

        • I can put the line:

          robots=off

          in my ~/.wgetrc file and it will happily hoover all the data on your web server. As intended. I can even change the user agent so you don't know I am connecting with wget.

          Responsible server operators can block the IP of clients who do stuff like that. Some even block dynamically, i.e. if you're obviously mirroring their whole site they cut you off midpoint.

      • by CanEHdian ( 1098955 ) on Sunday May 10, 2015 @08:18PM (#49660879)

        Welcome to the Star Trek: We're Back fan movie website!

        Episode downloads:

        1. www.strekwb.test/episode1.mp4
        2. www.strekwb.test/episode2.mp4
        3. www.strekwb.test/episode3.mp4

        Episode 4 is ready and we sent the download link to a few people who we think are better than you and get to see it first!

        You're a foul, devious, stinking criminal if you think of trying www.strekwb.test/episode4.mp4 just for the heck of it.

    • Punishment is not the question, what's questionable is the length of the possible punishment. How fucked up is your law that something like this can carry a two digit jail time?

    • So let's punish the NSA first, because we know they have it all. And they are watching.

      Decent human beings... Insightful.

  • by l0ungeb0y ( 442022 ) on Sunday May 10, 2015 @01:29AM (#49656521) Homepage Journal
    So it only goes that they receive a fate worse than death. Place them under house arrest and block all network access except to 4chan -- which they shall be forced to moderate. To ensure they actively moderate, they will wear a shock collar around their neck which will administer increasingly painful jolts to prod them into action
    • So it only goes that they receive a fate worse than death. Place them under house arrest and block all network access except to 4chan -- which they shall be forced to moderate.

      Prisoners usually receive some token payment for their work, though. 4chan janitors do it for free.

  • one count of computer fraud, aid and abet – both of which carry a maximum prison sentence of five years and a fine of up to $250,000

    that sounds familiar. [ytimg.com]

  • Although the maximum penalties are, in my opinion, way too high I'm just happy they're not adding on the dozens of fraud, cracking, and illegal access charges I'm so used to seeing. One charge of violating each actually applicable law is a refreshing change. I wonder if this is a signal the abuse of plea bargaining and DA threats has stopped?
    • I'd rather say that it's a sign the DA doesn't know how to apply those charges.

      Never attribute to sanity what can sufficiently be explained by incompetence.

  • Why does anybody, anyone at all, still believe in this "cloud" thing? Any person or company that stores anything personal/private/confidential/valuable in "cloud space" is Just Asking For It.

    I speak as a person with 50 years experience in IT. The lesson of those years is - You cannot, must not, trust Other People with your precious jewels. The human race does not just have malicious individuals; it is 80% composed of lazy incompetents who don't pay attention and can't keep promises.
    • The cloud deal is living, even thriving. The car and boat payments of countless fucks depend on us trusting it forevah. My company recently replaced the Exchange servers with gmail. We all had to install Chrome and we log into the googleplex each morning.

      I now use IE at work (imagine the irony in this!) for most browsing, explicitly not logged into Google, as a privacy practice.

  • From what I read there: http://photofucket.software.in... [informer.com]

    It appears that Photofucket is a backup tool for downloading pictures from your Photobucket account, if you have the login/password.

    Otherwise, it will simply bruteforce all urls (probably by using counters with base filenames) in order to grab the pictures.

    Unless they collected the passwords entered by their users, I don't see any crime here, except the offensive name for Photobucket.
    WTF ?

You know you've landed gear-up when it takes full power to taxi.

Working...