
Man Mines Facebook For Security Questions, Nabs Nude Photos From Email

timothy posted more than 3 years ago | from the oh-it's-that-easy-eh dept.

Crime 257

itwbennett writes "George Bronk, 23, has pleaded guilty to charges that he broke into the e-mail accounts of thousands of women, scouring them for nude photos that he then posted to the Internet. How he did it: He searched his victims' Facebook pages for answers to common security questions and then logged in to their e-mail accounts. In one case he persuaded a victim to send him even more explicit photographs by threatening to post the ones he'd stolen if she didn't. Bronk faces 6 years in prison on felony hacking, child pornography and identity theft charges."


257 comments


Obligatory (5, Funny)

Anonymous Coward | more than 3 years ago | (#34895960)

Pics or it didn't happen

Re:Obligatory (5, Funny)

ian_from_brisbane (596121) | more than 3 years ago | (#34895986)

Pics or it didn't happen

Here you go... http://www.msnbc.msn.com/id/41082627/ns/technology_and_science-security/ [msn.com]

Re:Obligatory (3)

macraig (621737) | more than 3 years ago | (#34896150)

Not THAT one! My eyes, my EYES!

All I can say is (2, Insightful)

drinkypoo (153816) | more than 3 years ago | (#34895968)

Torrent?

(ObDisclaimer: No, I don't want to receive child porn.)

Re:All I can say is (0)

Anonymous Coward | more than 3 years ago | (#34896484)

This isn't even a little bit offtopic

Think of the children too (5, Insightful)

Anonymous Coward | more than 3 years ago | (#34895970)

Well, I sure hope all of the girls who took pictures of themselves got child pornography charges against them too.

Re:Think of the children too (0, Flamebait)

gnasher719 (869701) | more than 3 years ago | (#34896002)

Well, I sure hope all of the girls who took pictures of themselves got child pornography charges against them too.

Why would you hope that? Are you yourself into hacking computers, and hoping that some victims would be afraid to be witnesses against you in a court? I cannot imagine any other reason.

Re:Think of the children too (0)

Anonymous Coward | more than 3 years ago | (#34896024)

I cannot imagine any other reason.

Which says more about you than it does about the OP.

Re:Think of the children too (0)

Anonymous Coward | more than 3 years ago | (#34896030)

Whoooooooooooooooosh.

Re:Think of the children too (1)

Anonymous Coward | more than 3 years ago | (#34896044)

Well, I sure hope all of the girls who took pictures of themselves got child pornography charges against them too.

Why would you hope that? Are you yourself into hacking computers, and hoping that some victims would be afraid to be witnesses against you in a court? I cannot imagine any other reason.

That is what has happened in the past. Kids taking photos of themselves and sending them out to other kids of their own age were charged with CP. The poster is being sarcastic.

Re:Think of the children too (5, Insightful)

crow_t_robot (528562) | more than 3 years ago | (#34896122)

No, because producing child pornography and distributing it on the internet is producing child pornography and distributing it on the internet. If a 16 year old girl sends a picture of her tits to your phone you are now in possession of child pornography and in direct danger of having your life destroyed and everyone you know hating you.

This is akin to weaponry. This shit needs to stop.

Re:Think of the children too (0, Insightful)

Anonymous Coward | more than 3 years ago | (#34896292)

Yes. Legalize child porn.

Re:Think of the children too (5, Insightful)

Anonymous Coward | more than 3 years ago | (#34896332)

Pictures of naked people should not be classified as porn simply because of the lack of clothes.

Re:Think of the children too (2, Insightful)

Anonymous Coward | more than 3 years ago | (#34896440)

16 year olds are not children. That is the most insane part of all of this. Naked pictures of 6 year olds on your phone, sure, those are children at least. A 16 year old is most definitely not a child though.

Re:Think of the children too (0)

Anonymous Coward | more than 3 years ago | (#34896520)

If a 16 year old girl sends pictures of her tits to your phone, you should delete them and you should not be charged with any crime for that. The law at fault here is not the one that fails to prosecute teenagers for all that malicious child porn distribution that's always happening and isn't at all a figment of anyone's imagination, it's the law that prosecutes someone for possessing child porn, even if they acquired it against their will and deleted it straight away.

Painting men as hapless victims of slutty little girls in cases like this is horrifically misogynistic. Face reality. Men are the guilty party in the vast majority of child sex crimes. This sort of camaraderie is badly misplaced.

Reminds me... (0)

RichiH (749257) | more than 3 years ago | (#34896550)

...of this guy, living in the USA of course, who is a convicted felon for underage sex with a 16(?) year old girl. Her dad objected and went to the police.
They have been married for about a decade now, with three kids. And his status makes sure that he can not get proper jobs to support the woman who was "protected" by all this.

Re:Think of the children too (1)

martas (1439879) | more than 3 years ago | (#34896612)

Give up hope now, save yourself a bunch of turmoil. It won't stop, simply because laws on topics like CP tend to be more powerful than the lawmakers themselves. At this point, I doubt anyone has the political arsenal necessary to "stop this shit."

Re:Think of the children too (1)

Anonymous Coward | more than 3 years ago | (#34896128)

Because he doesn't believe in stupid "think of the children" bullshit, perhaps?
These kids are breaking anti child porn laws as much as he was, and should be punished just as equally for them.

I don't give a damn if they are 8, or 16, facts are, they took pictures of themselves in an illegal manor and were distributing them.
If he gets punished, they should get punished.
Ignorance of the law is no excuse, neither is the innocence of childhood an excuse, children are innocent and regularly abuse their position in law. (from reckless endangerment to rape, it happens and it is wrong)

Re:Think of the children too (3, Funny)

Starfleet Command (936772) | more than 3 years ago | (#34896344)

>>>they took pictures of themselves in an illegal manor

Perhaps if they had photographed themselves in a chalet, or perhaps even a brownstone walk-up?

Re:Think of the children too (1)

freedumb2000 (966222) | more than 3 years ago | (#34896354)

You are kidding, right?

Re:Think of the children too (1)

the_womble (580291) | more than 3 years ago | (#34896582)

Congratulations! You think the right way to be a politician! You must punish people to protect them from themselves!

Re:Think of the children too (5, Insightful)

CAIMLAS (41445) | more than 3 years ago | (#34896130)

You have very little imagination.

Girls have boyfriends. They also have female friends. They are not solely keeping these pictures on their hard drives and cameras for personal use (more than likely).

Funny thing about pictures on the Internet: they're trivially copied. Boyfriend copies the picture to his friends (or just one friend), or posts it to a forum: the picture is out, and will live forever on hundreds of 'porn aggregators' (lacking a better term), presuming the girl isn't a skag. Likewise, girls are/can be catty: what's stopping them from spreading the nude pictures in a bitter attempt at becoming more popular themselves (thinking it would ridicule the origin)? We're talking about virally social teens, here, not top secret data on government networks: there's literally a thousand and one ways for such pictures to spread to the Internet At Large.

So, in short: it's entirely possible that hundreds of thousands of men and women have viewed, downloaded, etc. child porn and not even be aware of the fact that it is child porn, simply on the basis of "some women look like children and some girls look like women". I recall a couple girls in high school who looked significantly older than 16-18 - and no, I'm not just talking about curves (though that applies too).

It's just like "honest, I thought she was 18, officer!" scenario, except the evidence never disappears and the so-called 'victim' can never grant consent. I would not be surprised if there is legal child porn floating about the internet right now, on "valid" sites which the US federal law enforcement agencies know about, but allow to exist - so that they can use it as an added charge for someone down the line, if they need something to vilify them further/want to make sure the charges stick.

Re:Think of the children too (1)

Anonymous Coward | more than 3 years ago | (#34896478)

You keep using the word "children" when talking about 16-18 year olds. I do not think this word means what you think it means.

Re:Think of the children too (1)

Tanktalus (794810) | more than 3 years ago | (#34896598)

Legally speaking, 16 and 17 are children. When talking about the law, we have to use legal definitions. Full stop.

Re:Think of the children too (4, Insightful)

Dunbal (464142) | more than 3 years ago | (#34896182)

No I think OP was referring to the notion of a fair and balanced justice system that applied the law to everyone instead of the one we have now which consists of "let's throw everything we can dream up at the guy and see what sticks".

After all, it wouldn't be the first time a teenage girl was accused of child pornography for taking pictures of herself and posting them online. Not that I agree with THAT one, either.

Re:Think of the children too (-1)

Anonymous Coward | more than 3 years ago | (#34896198)

Look up above.. it's a bird, no it's a plane.. NO IT'S THE WOOSHACOPTER

Woosha Woosha Woosha

Bet you wish you'd thought that comment over huh?

Re:Think of the children too (0)

Anonymous Coward | more than 3 years ago | (#34896200)

To quote your random TeaBagger ... "Illegal is Illegal"

Re:Think of the children too (1)

TFAFalcon (1839122) | more than 3 years ago | (#34896570)

No, but it might cause enough outrage to get the laws changed. As long as teenagers can be prosecuted for taking pictures of themselves, there is something seriously wrong.

Security Questions Security Risk (3, Insightful)

Anonymous Coward | more than 3 years ago | (#34895992)

That's why my answer to those security questions is always 30-50 randomly selected characters.

What's your mother's maiden name? - kashiqewnchkdhsflakjshflvkdsvhpexiojnasdjlna

Re:Security Questions Security Risk (4, Funny)

Haedrian (1676506) | more than 3 years ago | (#34896058)

"What's your mother's maiden name? - kashiqewnchkdhsflakjshflvkdsvhpexiojnasdjlna"

But everyone calls her bob.

Joking aside, I did that once for my steam account. Then I forgot the password, when I came to reset it it demanded my secret answer. Couldn't remember it. :(

Re:Security Questions Security Risk (1)

peragrin (659227) | more than 3 years ago | (#34896162)

So you just have to use the same random name. Mine's qwertyuiop or was it asdfghjkl

Re:Security Questions Security Risk (4, Funny)

Dunbal (464142) | more than 3 years ago | (#34896196)

No asdfghjkl is your dad, idiot.

Re:Security Questions Security Risk (2)

Winckle (870180) | more than 3 years ago | (#34896274)

You can contact valve and scan a couple of CD keys to prove it's your account I think.

Re:Security Questions Security Risk (1)

Opportunist (166417) | more than 3 years ago | (#34896608)

How do you do that if everything on your steam account is bought through steam?

Re:Security Questions Security Risk (1)

Winckle (870180) | more than 3 years ago | (#34896648)

Well that's just one method I know of, there may be others.

Re:Security Questions Security Risk (4, Interesting)

Mathinker (909784) | more than 3 years ago | (#34896368)

Why not try using the Linux/Cygwin command line?

  echo "mother's maiden name" | md5sum | sha1sum

If you want to be fancy:

  (echo -n "string1" ; echo "string2" | md5sum) | sha1sum

(P.S. For anyone foolish enough to think otherwise, I personally use a more sophisticated Python script for this, don't waste your time trying to break into my email using this "information".)
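A keyed variant of the hashing idea above, as an added example (it is not the poster's script): the one-liner has no secret input, so anyone who knows the recipe can recompute the answer, whereas an HMAC over the site and question under a private key cannot be recomputed without that key. The function names, the `.example` sites and the 32-byte random `master_secret` are assumptions of this sketch.

```python
import base64
import hashlib
import hmac
import secrets


def unkeyed_answer(question: str) -> str:
    """Reproduce `echo "<question>" | md5sum | sha1sum` (GNU coreutils output).

    No secret goes in, so anyone who knows the recipe and the question
    computes exactly the same "answer".
    """
    md5_line = hashlib.md5((question + "\n").encode()).hexdigest() + "  -\n"
    return hashlib.sha1(md5_line.encode()).hexdigest()


def derive_answer(master_secret: bytes, site: str, question: str,
                  length: int = 32) -> str:
    """Derive a per-site, per-question recovery answer from a private key.

    Assumption: master_secret is random key material (not a memorable
    passphrase), generated once and stored offline or in a password manager.
    """
    if len(master_secret) < 16:
        raise ValueError("master secret must be at least 16 random bytes")
    # Normalise case and spacing so the same answer comes back even if the
    # question is retyped slightly differently at recovery time.
    label = f"{site.strip().lower()}\x00{' '.join(question.lower().split())}"
    digest = hmac.new(master_secret, label.encode(), hashlib.sha256).digest()
    # Base32: lowercase letters and digits 2-7 only, so fussy forms accept it
    # and it can be read out over the phone. 32 characters carry 160 bits.
    return base64.b32encode(digest).decode().rstrip("=").lower()[:length]


if __name__ == "__main__":
    question = "mother's maiden name"
    print("unkeyed:", unkeyed_answer(question))

    master = secrets.token_bytes(32)  # constructed for the demo; create once and keep it
    for site in ("mail.example", "games.example"):
        print(site, derive_answer(master, site, question))
```

Because the answer is recomputed on demand, nothing has to be remembered except where the key is kept, which addresses the "forgot my random answer" problem mentioned earlier in the thread.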

Re:Security Questions Security Risk (5, Insightful)

Lalakis (308990) | more than 3 years ago | (#34896308)

I can't believe that no one blames the online services for requiring and using security questions as a security measure(!). This is such an insecure practice that I'm just baffled by how widespread its use is!
Theoretically, security questions could be used as an ADDED security measure and be marginally effective at that, but most of the time you can't know exactly how your answer will be used, so the sane response would be something like kashiqewnchkdhsflakjshflvkdsvhpexiojnasdjlna.

Re:Security Questions Security Risk (0)

Anonymous Coward | more than 3 years ago | (#34896482)

You know, there is no reason that the answers have to be hard to remember, random strings. They just should not be a valid answer. For example:
1) "What is your favorite color" - doofus
2) "What city were you born in" - doofus
3) "What is your favorite food" - doofus

You see what I did there? I can remember this pretty easily, but good luck for someone else to either "guess" it, or learn it from information available to them from yearbooks, newspapers, going through my trash, etc.

Pictures? (-1)

Anonymous Coward | more than 3 years ago | (#34895994)

...or it didn't happen.

Article in summary redirects (3, Informative)

Grimbleton (1034446) | more than 3 years ago | (#34896014)

To a blogspot blog.

Re:Article in summary redirects (4, Informative)

mountaineer76 (941902) | more than 3 years ago | (#34896026)

yeh, I got that too, re-directs immediately to a blog about some insurance company. Here's the printable link which doesn't redirect: http://www.itworld.com/print/133630 [itworld.com]

Re:Article in summary redirects (0)

Anonymous Coward | more than 3 years ago | (#34896040)

spam the stop button while the page is loading... worked for me.

must be some evil javascript on that particular article, because it also happens when you go to the main itworld site and select the article manually.

Re:Article in summary redirects (5, Interesting)

CrashandDie (1114135) | more than 3 years ago | (#34896078)

Indeed. It would appear ITWorld is vulnerable to a simple XSS comment post.

    <div id="comments">
        <div class="header">Comments</div>
        <div class="comment_links">
            <span class="num_comments"><a href="/comments/133630">1 comment</a></span>
            <span class="add_comment"><a href="/comment/reply/133630#comment-form">Add a comment</a></span>
        </div>
        <div class="comment content_item">
            <h3>(No subject)</h3>
            <META http-equiv="refresh" content="2;URL=http://swift-cars-insurance.blogspot.com/">
        </div>
    </div>

Mountaineer76 provides us [slashdot.org] with a print version of the article [itworld.com] which isn't affected, though.

PS: WTF is it with Slashdot's broken support for paste? Trying to recreate the goodness of iOS 1?

Re:Article in summary redirects (1)

Anonymous Coward | more than 3 years ago | (#34896184)

Maybe someone can figure out how the XSS works and then post another comment containing a meta refresh tag pointing to the URL of the article itself, using a shorter delay (1 sec)...

Re:Article in summary redirects (1)

hrieke (126185) | more than 3 years ago | (#34896230)

Just report the blog as a violation of TOS.

Re:Article in summary redirects (1)

CastrTroy (595695) | more than 3 years ago | (#34896300)

They probably don't check for meta tags in your post. Probably just script tags. Personally, I don't think comments should allow posting of any HTML whatsoever (make everything escaped, so tags show up as regular text), simply because there are too many ways to make things happen on a browser, even without javascript enabled. As this example clearly illustrates. Just imagine if it had been an image tag of one of the images from the article. Or if the redirected page contained the content. We'd all have CP in our browser caches, and be guilty of downloading.

Re:Article in summary redirects (2)

macraig (621737) | more than 3 years ago | (#34896108)

Ditto here. The redirect is inside a comment! ITWorld apparently allows too much HTML inside comments, and some comment-spammer figured that out and embedded a meta-refresh tag in a comment. It very effectively hijacks the ITWorld page from inside the comment.

NoScript blocks the redirect if you have itworld.com blacklisted (I didn't initially).

Re:Article in summary redirects (1)

MrL0G1C (867445) | more than 3 years ago | (#34896170)

Hmmm, not the same for me - no-script didn't block the refresh to blogspot, even with itworld and blogspot blocked.

Re:Article in summary redirects (4, Informative)

macraig (621737) | more than 3 years ago | (#34896224)

The NoScript extension has an option on the Advanced tab, under Untrusted: Forbid META redirections inside NOSCRIPT elements. Do you have that option enabled? It's probably a key factor to whether NoScript blocks it or not.

Re:Article in summary redirects (1)

MrL0G1C (867445) | more than 3 years ago | (#34896296)

NoScript extension has an option on the Advanced tab, under Untrusted: Forbid META redirections inside NOSCRIPT elements

Ah, that's the one, Some other nice options I never knew of too - Thanks

Re:Article in summary redirects (0)

Anonymous Coward | more than 3 years ago | (#34896616)

Confirmed. That kills it and tosses up a warning about the malicious site in the redirect. I'm leaving that option on to see what else it affects. Are there likely to be any legitimate situations where it should be turned off?

Re:Article in summary redirects (1)

Dunbal (464142) | more than 3 years ago | (#34896204)

some comment-spammer figured that out

Anyone who owns a website which allows comments knows that web spammers have "figured this one out" a long time ago. It's bots that do it nowadays. Which is why I don't allow HTML posts.

Re:Article in summary redirects (1)

macraig (621737) | more than 3 years ago | (#34896276)

I've used a blog CMS called Pivot that allowed limited HTML but was VERY effective - like 100% effective - at stopping comment spam. Why the techniques it used aren't an industry standard might spark a lively discussion somewhere.

Re:Article in summary redirects (1)

drinkypoo (153816) | more than 3 years ago | (#34896214)

NoScript blocks the redirect if you have itworld.com blacklisted (I didn't initially).

Not here.

Re:Article in summary redirects (1)

macraig (621737) | more than 3 years ago | (#34896232)

There's an Advanced NoScript option that apparently dictates whether it happens or not.

Re:Article in summary redirects (1)

Pharmboy (216950) | more than 3 years ago | (#34896286)

Need to mod this up, then change to a better link without the spam redirect. The one time people are trying to actually read the article on slashdot, and they all get redirected instead...irony.

Re:Article in summary redirects (1)

oDDmON oUT (231200) | more than 3 years ago | (#34896460)

It'll eventually cycle away from the insurance blog to a NY Times Ad, and the Times itself (if you've registered in the past), and in all cases removes Back button functionality. Just an FYI if you're inclined to test NoScript against it (FAIL).

Well, that will look grand on a resume (5, Funny)

PolygamousRanchKid (1290638) | more than 3 years ago | (#34896016)

Hobbies?

  • felony hacking
  • child pornography
  • identity theft

Hell, yeah, you're hired!

Re:Well, that will look grand on a resume (5, Funny)

Haedrian (1676506) | more than 3 years ago | (#34896070)

I see an executive director job at Facebook on the horizon.

Re:Well, that will look grand on a resume (1)

Opportunist (166417) | more than 3 years ago | (#34896602)

You might jest, but the number of people who can actually break through security (on the 'white hat' side) are rare. Even rarer are the ones that are good and have a clean criminal record.

This guy just failed at part 2 of the requirement.

Imagine what Facebook is able to do if some dude.. (1)

bobsszz (1393885) | more than 3 years ago | (#34896022)

Imagine what Facebook knows about you if some random dude was able to crack all of their password/secret questions.

Re:Imagine what Facebook is able to do if some dud (0)

Anonymous Coward | more than 3 years ago | (#34896124)

Who says that the files are encrypted on their drives?

Re:Imagine what Facebook is able to do if some dud (1)

Suki I (1546431) | more than 3 years ago | (#34896242)

Imagine what Facebook knows about you if some random dude was able to crack all of their password/secret questions.

Nothing that I didn't put up there myself, right? Wait, I had to use cell number to do the verified account thing. Facebook I hate you!

Re:Imagine what Facebook is able to do if some dud (1)

Yvanhoe (564877) | more than 3 years ago | (#34896298)

Imagine what Facebook knows about random people instead.
I don't post anything that is not public on my facebook account

Re:Imagine what Facebook is able to do if some dud (2, Insightful)

PopeRatzo (965947) | more than 3 years ago | (#34896456)

It's more secure to just not use Facebook.

Security question (2)

Gaygirlie (1657131) | more than 3 years ago | (#34896060)

This is exactly why usually the "security question" in most places is such a poorly-thought idea: usually they only allow you to select from a limited set of questions, and usually all the questions are such that it's easy to either guess the answer, check on the user's facebook/IM/etc, or just try from a list.

It's much better when you can specify the question yourself. And even better: big, bold letters explaining to the user NOT to fucking choose a question/answer pair that is easily guessable or obtainable from their online profiles!

Re:Security question (1)

neumayr (819083) | more than 3 years ago | (#34896132)

Sure, because the big, bold letters explaining to use a secure password had so much effect in the past.

Password based authentication doesn't really work in its current form. There are way too many sites people have accounts on, so they either use the same password everywhere, really easy passwords, or, apparently, easy secret questions.

I blame the system, but as things like OpenID and its many many variants never took off I really have no idea on how to fix the problem.

Re:Security question (1)

CastrTroy (595695) | more than 3 years ago | (#34896324)

Or they could just use a password saving program on their computer, and generate unique, secure passwords for each site they visit, as well as random answers to the "security" questions. They're safe as long as they don't have a virus/keylogger on their computer. In which case they are hosed anyway. I think most people should just run their browser from a virtual machine which resets itself every time they use it, save for a few key files like bookmarks. I wonder if an easy to use product like this exists. It's too much work for most people to set up VMware/VirtualBox. Maybe a simple self contained program could be a good option.

Re:Security question (3, Insightful)

francium de neobie (590783) | more than 3 years ago | (#34896134)

You can always put non-sensical answers to those security questions. Like, saying your birth place is an Intel 8088.

Re:Security question (2)

AgentPhunk (571249) | more than 3 years ago | (#34896420)

My favorite: "What is your favorite color?" Answer: "Red, no blue!" (booooinnng! omitted)

Re:Security question (1)

hitmark (640295) | more than 3 years ago | (#34896448)

Don't know about birthplace, but I grew up with an A500.

Re:Security question (1)

Carewolf (581105) | more than 3 years ago | (#34896606)

The problem with most non-sensical answers is that they are still vulnerable to dictionary attacks. In fact almost any security question has this critical flaw. There is just no way of making it safe, except by instructing users to never answer the asked question and instead insert a secondary strong password.
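Two points raised in this thread, answers obtainable from a user's online profile and answers that fall to a dictionary, can be checked by the service when the answer is enrolled. The sketch below is an added example, not code from any site discussed here; `review_answer`, the tiny `COMMON_ANSWERS` list, the 16-character minimum and the sample profile are all constructed assumptions.

```python
import re
import unicodedata

# Constructed stand-in for a real list of frequently chosen answers.
COMMON_ANSWERS = {"red", "blue", "pizza", "fluffy", "smith",
                  "qwertyuiop", "asdfghjkl"}

IN_PROFILE = "answer can be read off the public profile"
COMMON = "answer is on the common-answer list"
TOO_SHORT = "answer is too short to resist guessing"


def _tokens(text: str) -> set:
    """Lowercase, strip accents, and split into alphanumeric words."""
    decomposed = unicodedata.normalize("NFKD", text)
    plain = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return set(re.findall(r"[a-z0-9]+", plain.lower()))


def review_answer(answer: str, public_profile: dict,
                  min_length: int = 16) -> list:
    """Return the reasons to reject a proposed recovery answer ([] = accept).

    public_profile maps field names to whatever text the account shows
    publicly (hypothetical structure for this example).
    """
    reasons = []
    answer_tokens = _tokens(answer)

    profile_tokens = set()
    for value in public_profile.values():
        profile_tokens |= _tokens(value)

    # Every word of the answer already appears on the profile page.
    if answer_tokens and answer_tokens <= profile_tokens:
        reasons.append(IN_PROFILE)
    # Every word of the answer is a stock answer an attacker tries first.
    if answer_tokens and answer_tokens <= COMMON_ANSWERS:
        reasons.append(COMMON)
    # Short answers, truthful or nonsensical, sit inside a dictionary search.
    if len(answer.strip()) < min_length:
        reasons.append(TOO_SHORT)
    return reasons


# Constructed sample profile for the demonstration.
SAMPLE_PROFILE = {
    "hometown": "Born and raised in Springfield",
    "family": "Daughter of Jane Doe (née Smith)",
    "pets": "Rex the dog",
}

if __name__ == "__main__":
    for candidate in ("Springfield", "Smith", "blue", "Intel 8088",
                      "k7q2m9x4v1c8z5b3n6p0w2e4r7t9y1u3"):
        print(f"{candidate!r}: {review_answer(candidate, SAMPLE_PROFILE) or 'accepted'}")
```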

Re:Security question (1)

xiox (66483) | more than 3 years ago | (#34896148)

Facebook is guilty as well - I have a choice of 4 questions - name of 1st grade teacher - can't remember - city or town mother was born in - too obvious - last 5 characters of driver's license - okay question probably - street you lived on when you were 8 - not appropriate for me. Why can't I choose something better than this?

Re:Security question (1)

CrimsonAvenger (580665) | more than 3 years ago | (#34896310)

Facebook is guilty as well - I have a choice of 4 questions - name of 1st grade teacher - can't remember - city or town mother was born in - too obvious - last 5 characters of driver's license - okay question probably - street you lived on when you were 8 - not appropriate for me. Why can't I choose something better than this?

Why can't you just put something largely arbitrary as the answer to any of those questions that you don't have good answers for? "Who's your first grade teacher? ..."

Re:Security question (1)

HJED (1304957) | more than 3 years ago | (#34896322)

You know Facebook doesn't make you set a security question, right? It's optional. I however find it ironic how it says a security question makes your account more secure.
more access methods == less security

random value (0)

Anonymous Coward | more than 3 years ago | (#34896174)

If custom secret questions are allowed, I always choose a long, random value, encrypt it with my PGP key, and use the encrypted value as the question. The answer is of course the original random value. That way I can always restore access without the account being easy to crack.

Not that I often have to restore access, though. It only happens if I accidentally paste the wrong text when changing my passwords.

Re:Security question (2)

Peeteriz (821290) | more than 3 years ago | (#34896218)

The whole concept of 'security questions' is completely flawed for things such as email or facebook, even if you can choose the question and the information isn't posted on the net.

Private questions to which you would know such an answer would also be most likely known by your relatives - for example, your mother definitely knows her maiden name, but that doesn't mean that she should have an easy time reading your email. Funny details about your childhood would be known by your spouse, but if you're undergoing a nasty divorce, she shouldn't be able to post offending stuff from your facebook account.

There are no easy shortcuts - it's either something you know, something you have or something you are. The only easy and mostly secure (at least a bit more secure) way that I can think is ID chipcards that can serve as authorisation tokens, but these have other drawbacks such as being tied to a specific real identity. A solution could be cheap USB-keychains with secure authentication, branded by facebook and hellokitty or whatever and sold for 1$ in corner stores and school cafeterias.

Re:Security question (1)

davev2.0 (1873518) | more than 3 years ago | (#34896264)

Your solution is something that can easily be lost, stolen, or destroyed and, once gone, can not be easily, if ever, recovered? Oh, and if it is branded by Facebook, why would it be guaranteed to work with other services, especially those that compete with Facebook?

Or, do you suggest we carry a keyring, with one USB key for each site?

While we are at it, how will this authentication system work? Will a plugin for each browser have to be developed and distributed? What about locked down platforms? What about non-browser applications? What about smartphones?

Re:Security question (1)

PopeRatzo (965947) | more than 3 years ago | (#34896470)

Or, do you suggest we carry a keyring, with one USB key for each site?

Then lock the keyring in a locker secured by a 4-digit PIN. And if you forget the PIN, then you can retrieve it using a secret question.

This security stuff makes my head hurt.

Re:Security question (3, Insightful)

Znork (31774) | more than 3 years ago | (#34896504)

The whole concept of 'security questions' is completely flawed

The whole concept of answering such questions correctly is flawed. Once you're born in Hobbiton and your mother's maiden name is Goose they become quite a bit harder to guess. Such constructed 'alter egos' make the security questions much less dangerous while still maintaining some recovery capacity.

Re:Security question (0)

Anonymous Coward | more than 3 years ago | (#34896536)

Of COURSE it's a poorly-thought out idea. That's why you LIE about the answer. It doesn't help you with the reminder part of it, but pick a decent password equivalent that is memorable to you but that no one will guess or be able to figure out. I just treat it as a "backup password" with the same rules. There's no way I'm actually disclosing background information like "favorite pet name" or anything else to some website, no matter how innocuous the information might be.

Heck, I'm so paranoid about such things that I've lied about my "mother's maiden name" to the bank and credit card company for years, ever since I opened an account. If some hopeful ID thief goes looking in my background to find out what my mother's maiden name actually is, they'll discover to their disappointment that it's "wrong" as far as the bank is concerned. And if they get it right, then I'll know that it's the bank/credit card's fault for leaking the information somehow, because that's the only place that particular name could be sourced.

Blackmail is blackmail (1)

fantomas (94850) | more than 3 years ago | (#34896152)

Blackmail is blackmail, it's an offense offline or online. The issue here is helping educate people to be more secure in their online transactions.

Re:Blackmail is blackmail (0)

Anonymous Coward | more than 3 years ago | (#34896266)

I'm pretty sure all those victims would have said "more secure? Why? I have nothing to hide!"

"Friends" (1)

davev2.0 (1873518) | more than 3 years ago | (#34896216)

This is why one should not "friend" random people on Facebook, etc. It is called "friending" someone for a reason, and a total stranger you have never heard of, have never met, and who lives in another state is not your friend.

Re:"Friends" (1)

Opportunist (166417) | more than 3 years ago | (#34896590)

But ... but ... but he said he'd be my friend! He even made me his friend first!

Mommy, I wanna have friends too! Pleeeeeeease!

I won't believe any of it (0)

swb (14022) | more than 3 years ago | (#34896240)

....until I see the pictures.

Sanitize Comments (0)

pgn674 (995941) | more than 3 years ago | (#34896290)

IT World needs to sanitize their comments. The only comment on the page currently refreshes the page to http://swift-cars-insurance.blogspot.com/ [blogspot.com] . It looks like it's a harmless enough advertisement, though I'm on Google Chrome on Linux, so I'm not sure if it's hosting malware. The comment section source code on IT World is as such:

    <div class="comment content_item">
        <h3>(No subject)</h3>
        <META http-equiv="refresh" content="2;URL=http://swift-cars-insurance.blogspot.com/">
        <div class="content_item_info">
            <span class="byline">
            by Anonymous (not verified) on 1/16/11 at 7:13 am </span>
            <span class="separator">|</span>
            <a href="/comment/reply/133630/76642">reply</a> <span class="separator">|</span> <a href="/forward/133630">Email this page</a> <span class="separator">|</span> <a href="/print/133630">Printer-friendly version</a>
        </div>
    </div>

I might try reporting the comment to IT World and the blog to Blogspot.
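Added example, not part of the comment above and not IT World's code: an allowlist sanitizer for user comments that rebuilds the markup from a short list of formatting tags, so a `<META http-equiv="refresh">` like the one quoted never reaches the rendered page. The tag policy, the `rel` value and the sample input are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser

ALLOWED = {"b", "i", "em", "strong", "p", "br", "blockquote", "a"}  # assumed policy
VOID = {"br"}
DROP_BODY = {"script", "style"}  # their text content must not leak into the page

class CommentSanitizer(HTMLParser):
    """Rebuilds a comment from the allowlist; all other markup is discarded."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags, self.skipping = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_BODY:
            self.skipping += 1
        if self.skipping or tag not in ALLOWED:
            return  # <meta http-equiv=refresh>, <iframe>, ... never reach the page
        if tag == "a":
            href = dict(attrs).get("href") or ""
            if not href.lower().startswith(("http://", "https://")):
                return  # refuse javascript:, data: and scheme-less links
            self.out.append(f'<a href="{escape(href, quote=True)}" rel="nofollow ugc">')
        else:
            self.out.append(f"<{tag}>")  # attributes (style, on*) are dropped
        if tag not in VOID:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_BODY:
            self.skipping = max(0, self.skipping - 1)
        elif not self.skipping and tag in self.open_tags:
            while self.open_tags:  # close nested tags up to the match
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data, quote=False))  # text is always escaped

def sanitize_comment(raw: str) -> str:
    parser = CommentSanitizer()
    parser.feed(raw)
    parser.close()
    tail = "".join(f"</{t}>" for t in reversed(parser.open_tags))
    return "".join(parser.out) + tail

# Constructed input modelled on the comment markup quoted above.
SAMPLE = ('<h3>(No subject)</h3><META http-equiv="refresh" '
          'content="2;URL=http://spam.example/">Nice <b onclick="x()">post</b>')
```

Running `sanitize_comment(SAMPLE)` keeps the visible text and the bare `<b>` element and drops the heading tag, the refresh directive and the `onclick` handler.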

Re:Sanitize Comments (1)

davev2.0 (1873518) | more than 3 years ago | (#34896348)

Surely a bastion of high quality, unbiased technology information such as IT World doesn't need YOU to tell them they are vulnerable to such an old attack. Why, they would have to be unprofessional and ignorant to fall victim to an attack that has been around for years.

Hide your kids, hide your wife (0)

Anonymous Coward | more than 3 years ago | (#34896306)

You don't have to come and confess, we're looking for you

Pics (0)

Anonymous Coward | more than 3 years ago | (#34896314)

or it didn't happen.

Re:Pics (1)

davev2.0 (1873518) | more than 3 years ago | (#34896356)

Hi, my name is Chris Hansen. Why don't you have a seat right over there between the two law enforcement officers?

Now, why do you want to see the pictures that got this person arrested for child pornography? Do you enjoy looking at child pornography? You do know that child pornography is against the law, don't you?

Legal punishment calibration (4, Informative)

dpilot (134227) | more than 3 years ago | (#34896358)

Evidently child pornography, blackmail, and breaking into thousands of women's email accounts merits punishment 6 times more severe than breaking into 1 woman's (Sarah Palin's) email account.

Re:Legal punishment calibration (1)

davev2.0 (1873518) | more than 3 years ago | (#34896406)

It is called a plea deal.

Bronk, who lives in the Sacramento suburb of Citrus Heights, pleaded guilty Thursday to seven felonies in Sacramento County Superior Court, including computer intrusion, false impersonation and possession of child pornography. Prosecutors are seeking a six-year prison term when Bronk returns for a sentencing evaluation March 10.

Apparently, the defense agreed to plead guilty to seven of the charges in return for the prosecution asking only for six years. Happens all the time.

Kernell decided to fight the charges and lost so he got whatever the judge felt like giving him. Who knows what, if any, deal he may have been offered, but if he was offered one, he turned it down.

It doesn't look like this guy destroyed evidence (1)

Quila (201335) | more than 3 years ago | (#34896540)

Obstruction of justice is what got the Palin guy jail time.

He'd have skated with probation if he had just admitted it.

Am I the only one who does this w/security q's? (1)

syntap (242090) | more than 3 years ago | (#34896378)

I have a single word that I always use for security question answers. It has nothing to do with any of the questions, so in that respect should be more secure because even someone who knows me well couldn't guess answers and gain access. I don't have to surrender additional personal info on myself or others (mother's maiden name, father's birth year, etc). And I always know the answer, no forgetting.

And someone like the guy from TFA couldn't get any nude pics of me, not that he wouldn't stop at the first.

Re:Am I the only one who does this w/security q's? (0)

Anonymous Coward | more than 3 years ago | (#34896474)

While you achieve some security through obscurity, and we know what the professionals say about that, you are increasing your trust of all sites to all sites. This massive increase in trust actually lowers your overall security, probably below that for which you are increasing through obscurity.

Re:Am I the only one who does this w/security q's? (1)

tooslickvan (1061814) | more than 3 years ago | (#34896532)

One problem is that many sites have multiple security questions and require different answers to each one. You're better off answering the questions truthfully and adding a common salt to the end (or beginning) of each answer.
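Added example, not from any commenter in this sub-thread: it derives a separate answer for every site and question with HMAC-SHA256 (a swapped-in technique, not the truthful-answer-plus-salt scheme suggested above) and checks a set of answers for reuse across sites, the weakness raised against the single-word approach. The master secret, site names, questions and the word "xylophone" are constructed placeholders.

```python
import base64
import hashlib
import hmac
import unicodedata
from collections import defaultdict

def _canon(text: str) -> bytes:
    """Normalize case, spacing and a trailing '?' so re-typed questions match."""
    text = unicodedata.normalize("NFKC", text).casefold()
    return " ".join(text.split()).rstrip("? ").encode("utf-8")

def recovery_answer(master: bytes, site: str, question: str, length: int = 16) -> str:
    """Derive a per-site, per-question answer; nothing in it comes from real biography."""
    if len(master) < 16:
        raise ValueError("master secret must be at least 16 random bytes")
    fields = [_canon(site), _canon(question)]
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    digest = hmac.new(master, msg, hashlib.sha256).digest()
    # Base32 keeps the answer easy to read to a help desk; 16 chars = 80 bits.
    return base64.b32encode(digest).decode("ascii").lower()[:length]

def reused_answers(vault: dict) -> dict:
    """Map each answer used on more than one site to the sites sharing it."""
    sites_by_answer = defaultdict(set)
    for (site, _question), answer in vault.items():
        sites_by_answer[answer.casefold()].add(site)
    return {a: sorted(s) for a, s in sites_by_answer.items() if len(s) > 1}

# Constructed data: one fixed word everywhere versus derived answers.
QUESTIONS = [("bank.example", "Mother's maiden name?"),
             ("mail.example", "Mother's maiden name?"),
             ("mail.example", "Name of first pet?")]
MASTER = bytes(range(32))  # placeholder; use secrets.token_bytes(32) and store it safely
single_word = {key: "xylophone" for key in QUESTIONS}
derived = {key: recovery_answer(MASTER, *key) for key in QUESTIONS}
```

With the fixed word, one site that leaks its stored answer exposes the recovery path on every other site; with derived answers `reused_answers(derived)` is empty, but the master secret then has to be protected like a password.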

Stupid criminals (0)

Anonymous Coward | more than 3 years ago | (#34896392)

Why are criminals so stupid?

If you are going to be doing illegal stuff like this at least do it from an internet connection you can't be traced to like Starbucks or Panera. Perhaps then use an internet anonymizer on top of that.

I'm confused -- I thought they were for PW reset (1)

michaelmalak (91262) | more than 3 years ago | (#34896524)

I'm confused as to how this works. On most sites, answering the secret questions correctly allows you to reset the password, which is then mailed to the e-mail address on file. How does this help in obtaining the password to an e-mail system? Is there an e-mail system out there that is so brain-dead that it allows you to re-specify a password as a reward for merely answering the secret questions correctly? If so, which e-mail system?

Do we need more proof "Security questions" aren't. (1)

Opportunist (166417) | more than 3 years ago | (#34896564)

Every time I come across a page that requires me to use a passphrase that's at least 8 characters long, contains numbers, special characters and preferably something that could only be typed on some obscure keyboard layout 10 people on this planet use, I feel kinda good.

That feeling instantly vanishes as soon as they also want some "security verification" in case I forget my password. And then you get to read things like:

Mom's maiden name
Your first address
Brand of your first car
Pet's name

And so on, all things that people can FAR more easily guess or find out than a password that most people would probably have to note down so they can remember it.

Now, there's a way around it, of course, my Mom's maiden name was e56fdwO$ (or something like that) and my pet's name can be looked up at XKCD [xkcd.com], just to see if their database is secure or not.

Most people WILL actually use real info there, as can be seen in this case. And that constantly keeps me puzzled why the admins often require insanely complicated passphrases from their users when they toss any semblance of security by allowing easy "recovery" of the password.
