Photobucket Hackers Nabbed, Face Serious Charges From US Authorities
The U.S. Department of Justice said in a statement released Friday that two men, Brandon Bourret and Athanasios Andrianakis, of Colorado Springs, Colorado and Sunnyvale, California, respectively, were arrested for their sale of software designed to breach the security of photo-sharing site Photobucket.com; their "Photofucket" app, says the linked Register report, was used "to plunder Photobucket's users' private and password-protected information, images and videos, it has been alleged ... The charge sheet against Bourret and Andrianakis details one count of conspiracy and one count of computer fraud, aid and abet – both of which carry a maximum prison sentence of five years and a fine of up to $250,000.
In addition, the men stand accused of two counts of access device fraud, which carries a higher prison sentence of up to 10 years and a fine of up to a quarter of a million dollars, per count." The indictment, filed in Federal District Court in Colorado, is far easier to read than many.
When is the NSA going to be held accountable? (Score:5, Insightful)
"...their "Photofucket" app, says the linked Register report, was used "to plunder Photobucket's users' private and password-protected information, images and videos, it has been alleged .."
Sounds exactly like any one of the many NSA programs that have been pointed out over the past year after Snowden released info.
Re: (Score:2)
Exactly what I was thinking. None of those people are in jail. Congress hasn't done a damn thing....probably because the spy program benefits the federal government greatly in expanding the American Empire.
"Hacking" goes a little far here.. (Score:4, Informative)
The assets in question were not "protected" by passwords, they were stored on publicly accessible and easily guessable URLs. I mean, if by protected by password they mean anyone without the password could take common camera file names and type in an easily guessable URL without the password then well ya.
Re: (Score:1)
It may not be wise to not protect yourself from stupid thugs, and their little exploit as expected, was neither ingenious, nor damaging in and of itself. What was unexpected was that morons that pound away at keyboards don't think conspiring to commit a crime, fully intending to cause damage aren't smart enough to know that the law treats assholes like criminals and criminals like assholes. I expect to hear the full range of liberal excuses offered in defense of these jerks, but it won't mitigate the next
Re: (Score:1)
Balancing the budget? :-p
Re: (Score:3)
Balancing the budget? :-p
Close, but no cigar.
Re: (Score:1)
Ask Hillary Clinton what Bill is most famous for. Ask anyone. See what I mean?
NOT starting a war
NOT campaigning on ending war related atrocities by his predecessor and then changing his mind.
That is what many people think of when they think of Bill Clinton. The guy who just did his job.
If someone's biggest complaint about how you did a job is something not related to the job, you are doing alright.
Re:"Hacking" goes a little far here.. (Score:5, Interesting)
So, the question is: Is it illegal to issue HTTP GET requests (that conform to all specifications and obey the robots.txt of the site in question) if the owner of the site didn't intend for the content at that URL to be available to you?
In other words: Is requesting a (non password-protected) webpage equivalent to representing yourself as someone who is authorized to access that page?
Re: (Score:2)
The question is not how bad the security has to be. If you put up a "no entry" sign but otherwise don't lock your doors, it's still trespassing. If it is clear that the pages are supposed to be private, accessing them is illegal regardless of how lame the security is.
Unlisted pages that are marked as private by the user are clearly not supposed to be public. These guys advertised the software as being able to access private pages. It's pretty cut and dry.
Re:"Hacking" goes a little far here.. (Score:5, Insightful)
Enough with this shit about "trespass". Property laws are irrelevant. If a page is publicly available then it is public. If it isn't meant to be public then the onus is on the provider to make it private, as in contrast to your house, the web is default public by design.
Re: (Score:1)
While this is true, it doesn't seem to matter in "computer security" cases. I think in part because "a jury of your peers" is not what you get, a jury of my peers would know how HTTP works, instead you get a jury of users who don't know the difference between HTTP and HTTPS and the lawyers spinning the story to make the company in to a victim even though all the fault falls on them.
Re: (Score:2)
Property laws are irrelevant. If a page is publicly available then it is public.
If I can break the window of your car and pop the trunk open, does that make your laptop "publicly available" for me to take?
Re: (Score:1)
Cars are public? Didn't think so.
Even if someone else popped the trunk, the car is still private. And this still has nothing to do with accessing a public URL.
Re: (Score:2)
Agreed, these "private property" analogies fall apart badly. I could easily say something stupid like "If I put a sign on my house that says 'Do not look at my house under penalty of law.' and there is no fence or anything", is it enforceable? Of course not.
Re:"Hacking" goes a little far here.. (Score:4, Informative)
What if the sign [photobucket.com] doesn't say "no entry", but instead "feel free to request any URL that you want" ?
Re: (Score:1)
The robots.txt and http server don't represent the legal intent of the users, and measures had been taken to keep unwanted people out, hence the need for the software. Nothing else matters; technical issues and poor security don't excuse these guys' actions. The fact that the server handed the images over is not an invitation to take them, legally speaking. It's like a petrol pump will fill your car up if you push the lever, but that isn't an invitation to take some free petrol.
Re: (Score:2)
By that logic you're guilty of "trespassing" if your browser, even without your interaction, loads a picture from one such area. So all a shyster has to do is send you a mail with such an image attached, your average "modern" mail client loads the pic when you preview the mail (or, worse, again without your interaction) and the next mail you get from him is a cease and desist letter (with a friendly "please pay this sum to settle this out of court" note attached).
Let's be grateful that the average lawyer wh
Re: (Score:2)
Trespassing means entering without the owner's permission; whether it was done intentionally or not doesn't matter.
So GP's logic is correct.
Re: (Score:2)
The law isn't that dumb, it's clearly different if you accidentally stumble into an area you are not supposed to be in, or the warning sign isn't visible or whatever. That's clearly not what happened here though, these guys knew what they were doing. It was the only purpose of their software.
Re: (Score:2)
And now you try to convince a judge and a jury who can't tell one from the other. Good luck. I mean it.
Re: (Score:2)
As I see it, if all they're doing is changing URLs to see what they find, that's what they're doing. Finding something that's in the public library, but not in the catalog.
Posting content on the Internet is publishing. Lots of content on the Internet is indexed by search engines or by the websites that publish it themselves, but not all of it is. If the content is accessible w
Re: (Score:2)
Re: (Score:1)
The question is, is the line:
robots=off
in my ./.wgetrc file illegal?
Re: (Score:1)
damn, it's in my ~/.wgetrc file. Not sure what that *other* file is for.
Seems a bit harsh (Score:2)
Pointing out a flaw in someone else's software should not, by itself, be a criminal act. Once the information is public, automating the exploit could be done by anyone proficient in the art.
But selling a tool that uses the vulnerability? They crossed a line, but throwing the book at them seems a little harsh.
Re:Seems a bit harsh (Score:4, Interesting)
If you read the indictment, they did not just create the code, they actually used it themselves and showed others how to use it by demonstrating it. Now of course comes much greater consequences, their customer base is also in the firing line and they will all be turned over for a reduced sentence. This could lead to a whole bunch of crimes being exposed.
Re: (Score:1, Flamebait)
Then I guess I'm a criminal too. My job is to find flaws in security and show how to exploit them. Of course this entails creating tools that allow me to demonstrate it.
Great. Is the ITSEC industry supposed to come alphabetically, by size or by importance? We don't want to cause a traffic jam at the jail gates.
Re: (Score:2)
If you read the indictment, they did not just create the code, they actually used it themselves and showed others how to use it by demonstrating it. Now of course comes much greater consequences, their customer base is also in the firing line and they will all be turned over for a reduced sentence. This could lead to a whole bunch of crimes being exposed.
If you remember the Aaron Barr/HBGary e-mails, which preceded the Snowden revelations by years, it was already obvious that there was a whole subculture of businesses who bought and *sold* 0-day exploits (HBGary's boss called them "Juicy Fruits"), of course with the obvious intent of being used against non-consenting targets. So if these Photobucket guys are guilty, let's start filing suits against the dark "security businesses" of this world.
Re: (Score:3)
Olives. Have you got anything else?
Re: (Score:2)
Olive oil isn't bad in this corner of the earth either.
Re: (Score:1)
Olives. Have you got anything else?
No olives for you barbarian... only cheeseburger [youtube.com]!
Bigger Fish (Score:2)
Re:Bigger Fish (Score:4, Insightful)
The Chinese students were probably smart enough to do it from outside the USA's jurisdiction...
Re: (Score:3)
So Chinese college students are reading Obama's unclassified emails and these guys are busted for hacking ebay photos. :-D
No, they were busted for selling software that let others hack eBay photos. I'm not sure how this is any different than the guy who created the website that helps you break into Master padlocks. Both have legitimate uses as well as nefarious ones.
Re: (Score:3)
Huh (Score:1)
Those penalties seem overly harsh.
those doods should walk (Score:1)
What the hell is wrong here? These guys are going to do time for an attack based on a Jurassic flaw? Isn't this crap in books on the subject with titles like "don't ever set up a website like this"!
Photobucket's punishment? (Score:5, Insightful)
How much jail time did Photobucket executives get for allowing such lax security in their app in the first place? Must be at least twice the 5 years that these two are getting. Maybe more. Right?
Re: Photobucket's punishment? (Score:1)
Wrong car analogy. Let me fix it for you:
If I pay you to park my car, and you leave it on the street, unlocked, with the windows down, then yes, you should pay damages to the owner.
Re: (Score:2)
And what if your only objective is price, and you give the keys to the shady guy who claims to offer a free service?
Re: (Score:2)
Then we will laugh at you and mock you and ridicule you for being a gullible moron.
But the shady guy still goes to jail if he gets caught.
Re: (Score:3)
Re: (Score:3)
How much jail time did Photobucket executives get for allowing such lax security in their app in the first place? Must be at least twice the 5 years that these two are getting. Maybe more. Right?
In the eyes of justice, the intention is worth more than the act.
Same amount you get for your lax home security (Score:3, Insightful)
I mean when someone breaks in to your house, you should go to jail right? After all, your home security sucks. I don't care if you think it is good, it sucks. Virtually nobody bothers with good home security.
So you should go to jail if someone breaks in... ...or maybe you should reexamine this "blame the victim" attitude so many geeks have with regards to hacking.
Re: (Score:3, Insightful)
Your home is by default private. The web is by default public. The assumption that a public page is private just because it has your name on it is risible.
Re: (Score:1)
Put your shit on a publicly accessible site? Fuck you if you have a problem with people accessing it.
The web doesn't belong to you. The server your shit is on doesn't belong to you. If you don't want personal stuff being publicly accessible don't have it somewhere that enables that.
Fuck off with your "mine" schoolyard bullshit. You're like the tossers who think Twitter is a private chatroom with invites for participation who have the nerve to get annoyed that their conversations can be interrupted by anybod
Re: (Score:2)
Man, talk about straight out of Sci Fi (Score:4, Interesting)
You get more time for hacking a corporation than you do for manslaughter.
Re: (Score:3, Insightful)
As should be the case. The hacking is a malicious, intentional act, with forethought and planning. Manslaughter by definition is neither intentional nor malicious and was done without forethought. One is a crime you intentionally set out to do; the other is circumstance/random/accidental.
Re:Man, talk about straight out of Sci Fi (Score:5, Interesting)
Re: (Score:1)
You are one fucked up individual if you think these twerps deserve what amounts to a life sentence over grabbing some nudies.
The thing you need to understand is that Big Data needs us to trust that it's safe to put all our stuff on their servers. These 'twerps' erode that trust badly. How is Google going to mine our data if we don't put it out there because we've been scared off by their little brothers in the surveillance business. So obviously these guys need to be made an example of.
Re: (Score:2)
Actually, a bank robber's ability to crack a safe amazes me heaps more than being able to crack a password. Not only are these things usually much tougher to break than passwords, it's also something I can't do, and I do admire people who have skills I lack.
Re: (Score:3)
The relative length. Punishment should be on par with the crime. Else, things escalate. Allow me to give you an example.
Time and again I hear people call for people who rape, especially if the victim is underage, to be charged like murderers. I can only say that this is a very dangerous proposition. If the charge for rape is the same as for murder, every rape victim WILL be murdered if the culprit is smart. The chance for detection goes down (one less witness) while the punishment stays the same. There woul
Re: (Score:2)
If the charge for rape is the same as for murder, every rape victim WILL be murdered if the culprit is smart
So one murder, one rape, working out to consecutive live sentences without parole is fine, and everyone committing rape/murder is thinking clearly and logically at the time.
I think I see some holes in your logic.
Re: (Score:2)
If more than "one whole lifetime" matters to you, you must be a very religious person.
If I'm already going to jail for life once, why the fuck would I care for another sentence on top of that?
Re: (Score:2)
Also, nobody contemplates the penalties before deliberately choosing to commit a crime, aside from corporations. Most throw a first major felony into "ruins my life" category, and the minutia of rape vs rape+murder sentencing wouldn't be a thought. Not to mention that very few crimes are committed by a first-time offender, so the problem is the prisons breeding criminals, not the "good" people acting up
Not sure where you live (Score:3)
Here manslaughter is a Class 2 Felony. That means 4 years minimum sentence (or 3 years minimum if there are mitigating circumstances), 10 year maximum (12.5 if there are aggravating circumstances). This is presuming first time offence, and only one count. A repeat offence can bring it up to as much as 35 years.
So no, doesn't look higher to me. Remember there's a difference between maximum and minimum. When a sentence is "up to" that means "the absolute maximum a court may sentence for a given offence." Usua
Re: (Score:2)
Depending on the state, sentences can even be active (prison time), probation, and/or community service. They can also be commuted so that the record shows you're guilty and sentenced to X years, but you serve no actual time. North Carolina has a "Prayer for Judgement Continued" option for judges to basically accept a guilty plea for even some felonies, yet give no punishment or sentence, so the person is guilty, but not convicted because a conviction requires a sentence. (This works by pleading guilty,
No sympathy is deserved for these idiots. (Score:2, Interesting)
These assholes did things they had no moral right to do. They deserve to be punished because they actually committed intrusions, which is
behavior that is fundamentally different from merely exposing a security flaw.
To those of you who are spouting off the bullshit "moral relativism" arguments about how the NSA or Obama or some other government entity does things which are wrong "therefore anyone else who does similar stuff should not be punished" : Your thought processes are deeply in need of repair and you
Re: (Score:2)
You won't play tough keyboard guy anymore with that keyboard lodged up your ass.
sayeth Anonymous Coward.
Re: (Score:1)
Your comment is 20% less anonymous.
Re: (Score:1)
These assholes did things they had no moral right to do.
Morality can fuck right off. What matters is Legality.
A decent human being doesn't look for excuses which will justify or excuse bad behavior ; a decent human being does what is right because it is the right thing to do and avoids doing what is wrong simply because it is wrong, even if no one is watching
Ah, the "no true Scotsman" fallacy alive and well I see. Pray tell, what is the 100% agreed-upon criteria amongst all people for what "right" and "moral" means?
they actually committed intrusions
Technically no they did not. They accessed URL's which were publicly accessible, but which were not publicly published. It's somewhat of a gray area legally, but from a purely technical viewpoint since the resources were publicly accessible with no protections the access is not really 'unauthorize
Re: (Score:2, Interesting)
It hardly seems more serious than a search engine that fails to look at robots.txt and indexes content anyway.
They went about it in kind of a nasty way, but “Unauthorized access into a secure computer system” should require at least a remedial level of security. Otherwise, I could just put up a public web site, post a bunch of "private" photos on it without publishing the links, and then watch the logs for all these unauthorized criminals to commit a federal crime by accessing them... Profit?
Re: (Score:1)
I can put the line:
robots=off
in my ~/.wgetrc file and it will happily hoover all the data on your web server. As intended. I can even change the user agent so you don't know I am connecting with wget.
Responsible server operators can block the IP of clients who do stuff like that. Some even block dynamically, i.e. if you're obviously mirroring their whole site they cut you off midpoint.
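The dynamic blocking mentioned above needs a way to tell a user browsing their own album from a client walking guessable camera-style filenames across many albums. This is an added example, not code from the page or from Photobucket: it scores constructed Apache combined-format log lines per client IP, flagging IPs whose requests are mostly camera-pattern filenames with a high miss (404/403) rate. The thresholds and the camera filename pattern are assumptions to tune for a real site.

```python
import re
from collections import defaultdict

# Constructed sample log (Apache "combined" format); addresses are documentation ranges,
# not real traffic. 203.0.113.7 sweeps IMG_/DSC_ names over two albums and mostly misses;
# 192.0.2.9 views its own album (all hits); 198.51.100.4 fetches two ordinary pages.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2015:12:00:01 +0000] "GET /albums/alice/IMG_0001.JPG HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2015:12:00:01 +0000] "GET /albums/alice/IMG_0002.JPG HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2015:12:00:02 +0000] "GET /albums/alice/IMG_0003.JPG HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2015:12:00:02 +0000] "GET /albums/alice/IMG_0004.JPG HTTP/1.1" 200 48870 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2015:12:00:03 +0000] "GET /albums/carol/DSC_0001.jpg HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2015:12:00:03 +0000] "GET /albums/carol/DSC_0002.jpg HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2015:12:00:04 +0000] "GET /albums/carol/DSC_0003.jpg HTTP/1.1" 200 60211 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2015:12:00:04 +0000] "GET /albums/carol/DSC_0004.jpg HTTP/1.1" 404 210 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jul/2015:12:00:05 +0000] "GET /albums/dave/IMG_2201.JPG HTTP/1.1" 200 70001 "http://example.test/albums/dave/" "Mozilla/5.0"
192.0.2.9 - - [10/Jul/2015:12:00:05 +0000] "GET /albums/dave/IMG_2202.JPG HTTP/1.1" 200 70002 "http://example.test/albums/dave/" "Mozilla/5.0"
192.0.2.9 - - [10/Jul/2015:12:00:06 +0000] "GET /albums/dave/IMG_2203.JPG HTTP/1.1" 200 70003 "http://example.test/albums/dave/" "Mozilla/5.0"
192.0.2.9 - - [10/Jul/2015:12:00:06 +0000] "GET /albums/dave/IMG_2204.JPG HTTP/1.1" 200 70004 "http://example.test/albums/dave/" "Mozilla/5.0"
192.0.2.9 - - [10/Jul/2015:12:00:07 +0000] "GET /albums/dave/IMG_2205.JPG HTTP/1.1" 200 70005 "http://example.test/albums/dave/" "Mozilla/5.0"
192.0.2.9 - - [10/Jul/2015:12:00:07 +0000] "GET /albums/dave/IMG_2206.JPG HTTP/1.1" 200 70006 "http://example.test/albums/dave/" "Mozilla/5.0"
192.0.2.9 - - [10/Jul/2015:12:00:08 +0000] "GET /albums/dave/IMG_2207.JPG HTTP/1.1" 200 70007 "http://example.test/albums/dave/" "Mozilla/5.0"
198.51.100.4 - - [10/Jul/2015:12:00:09 +0000] "GET /albums/bob/ HTTP/1.1" 200 8032 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jul/2015:12:00:09 +0000] "GET /albums/bob/vacation/beach.jpg HTTP/1.1" 200 80321 "http://example.test/albums/bob/" "Mozilla/5.0"
"""

# Client IP, request path and status code from a combined-format line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# Default camera filenames (assumed pattern): IMG_1234.JPG, DSC_0001.jpg, DSCN1234.jpg, ...
CAMERA_RE = re.compile(r'/(?:IMG|DSC|DSCN|DCP)_?\d{4,}\.(?:jpe?g|png)$', re.IGNORECASE)


def parse(line):
    """Return (ip, path, status) or None if the line is not a combined-format request."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group('ip'), m.group('path'), int(m.group('status'))


def enumeration_suspects(lines, min_requests=6, min_camera_ratio=0.8, min_miss_ratio=0.5):
    """Per-IP stats; an IP is a suspect when it sent at least min_requests, nearly all for
    camera-pattern names, and at least min_miss_ratio of them were 404/403 (guessing, not browsing)."""
    stats = defaultdict(lambda: {'n': 0, 'camera': 0, 'miss': 0, 'albums': set()})
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, path, status = rec
        s = stats[ip]
        s['n'] += 1
        if CAMERA_RE.search(path):
            s['camera'] += 1
            s['albums'].add(path.rsplit('/', 1)[0])  # album directory being swept
        if status in (404, 403):
            s['miss'] += 1
    suspects = {}
    for ip, s in stats.items():
        if s['n'] < min_requests:
            continue
        camera_ratio, miss_ratio = s['camera'] / s['n'], s['miss'] / s['n']
        if camera_ratio >= min_camera_ratio and miss_ratio >= min_miss_ratio:
            suspects[ip] = {'requests': s['n'], 'camera_ratio': camera_ratio,
                            'miss_ratio': miss_ratio, 'albums': len(s['albums'])}
    return suspects


if __name__ == '__main__':
    for ip, info in enumeration_suspects(SAMPLE_LOG.splitlines()).items():
        print(f"block candidate {ip}: {info}")
```

The album count matters: a legitimate viewer with many hits stays inside one album, whereas a sweep touches many albums it never saw links to.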
Re:No sympathy is deserved for these idiots. (Score:4, Insightful)
Welcome to the Star Trek: We're Back fan movie website!
Episode downloads:
Episode 4 is ready and we sent the download link to a few people who we think are better than you and get to see it first!
You're a foul, devious, stinking criminal if you think of trying www.strekwb.test/episode4.mp4 just for the heck of it.
Re: (Score:2)
Punishment is not the question, what's questionable is the length of the possible punishment. How fucked up is your law that something like this can carry a two digit jail time?
Re: (Score:2)
So let's punish the NSA first, because we know they have it all. And they are watching.
Decent human beings... Insightful.
This is a crime worse than murder (Score:4, Funny)
Re: (Score:2)
He does it for free (Score:2)
So it only goes that they receive a fate worse than death. Place them under house arrest and block all network access except to 4chan -- which they shall be forced to moderate.
Prisoners usually receive some token payment for their work, though. 4chan janitors do it for free.
Re: (Score:2)
Re: (Score:2)
Of course they won't. Even Stalin and Mao never sold their mass murders as anything other than "War on {criminal flavor of the day}".
Re: (Score:1)
What do you mean, 'Even Stalin'? His acts were as mainstream as it gets at the time, and the people running the Western Media were enthusiastic about covering it up.
Mao had a very closed up environment to work in. Western Journalists weren't touring through China in useful idiot mode during the worst of his atrocities, like the dupes in Russia.
sounds familiar (Score:2)
one count of computer fraud, aid and abet – both of which carry a maximum prison sentence of five years and a fine of up to $250,000
that sounds familiar. [ytimg.com]
Re: (Score:2)
They were not too successful in selling that app. Otherwise it would be multiple counts.
Throwing the book (Score:1)
Re: (Score:2)
I'd rather say that it's a sign the DA doesn't know how to apply those charges.
Never attribute to sanity what can sufficiently be explained by incompetence.
Riddle me this... (Score:2)
I speak as a person with 50 years experience in IT. The lesson of those years is - You cannot, must not, trust Other People with your precious jewels. The human race does not just have malicious individuals; it is 80% composed of lazy incompetents who don't pay attention and can't keep promises.
Re: (Score:1)
The cloud deal is living, even thriving. The car and boat payments of countless fucks depend on us trusting it forevah. My company recently replaced the Exchange servers with gmail. We all had to install Chrome and we log into the googleplex each morning.
I now use IE at work (imagine the irony in this!) for most browsing, explicitly not logged into Google, as a privacy practice.
Photofucket (Score:2)
From what I read there: http://photofucket.software.in... [informer.com]
It appears that Photofucket is a backup tool for downloading pictures from your Photobucket account, if you have the login/password.
Otherwise, it will simply bruteforce all URLs (probably by using counters with base filenames) in order to grab the pictures.
Unless they collected the passwords entered by their users, I don't see any crime here, except the offensive name for Photobucket.
WTF ?
Re: (Score:1)
I believe their "hack" was just guessing (common) filenames on URLs, trying them and moving to the next guess.
Re: (Score:1)
Yeah, I'm a 'wingnut' alright... the OXCART type, but I support the non military application of it..
Re: (Score:1)
Alrighty then, what would be your reasoning for the implementation of fascism and the resulting wide spread corruption?
Or... (Score:2)
Or...It's bad enough when Obama/Bush/Hillary but here we have two yahoos who would let anyone do it.
Re: (Score:1)
Hillary's email server is very secure.
They didn't have yahoo hosting it. Bill said they were too expensive.
Re: (Score:1)
I'm royal.
So what is YOUR connection to the Spencer family? or is it just a 'royal PITA' you are accepting credit for? If so, the Hollywood fire hydrant, and duct tape is for you dude, your fantasy's fulfilled. Now go away and let the people sort this shit out.
Re: (Score:2)
Don't worry, the next ones will do just that. As you said, it's "cheaper" if you get caught. And probably easier to pull off, too.