MySpace Private Pictures Leak
Martin writes "We all heard about the MySpace vulnerability that allowed everyone to access pictures that have been set to private at MySpace. That vulnerability got closed down pretty fast. Unfortunately though (for MySpace) someone did use an automated script to run over 44,000 profiles that downloaded all private pictures which resulted in a 17 Gigabyte zip file with more than 560,000 pictures. The zip file is now showing up on popular torrent sites across the net."
fetch!
Trolling is a art,
It's p2p diversion... It was the RIAA. Britney Spears or Britney next door? Curiosity and perversion are certainly more powerful than greed.
Ask 'Who cares?'
Then ask 'why?'
Then ask 'so?'
Then keep asking 'so?' until you realize it's not that big of a deal.
Problem solved.
A unique way to learn a language: http://languageloom.com
Oh lord...there are gonna be some angsty teenagers with real reasons to cry soon...
I personally have better things to do than waste 17gb of space -- and a large amount of time -- looking through other people's pictures.
Title says it all...
How to Download YouTube Videos
No way would I touch that torrent.. all it takes is one underage myspace kid to have posted one nipple.. cue child pornography charges/public outcry/p2p filtering mandated/end game. It's the wet-dream of the **AA crowd.
I understand the general idea of privacy...but to expect any sort of privacy by putting your pictures online onto a server out of your control isn't exactly the smartest thing to do. I say if you've voluntarily uploaded it on one of the social networks, it can't be THAT private.
I know, I know, the myspace demographic doesn't know any better.
Although I do think people should have a reasonable expectation of privacy when marking/tagging pictures as private through services like MySpace, I think it's a risk anytime you upload a picture or document or anything else to any computer that isn't physically your own property.
If anyone was actually exposed by this, it's their own fault.
the power of bored horny teenaged males
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Looking through all the junk is going to take too long.
Yeah. Good grief, just what I need - 17Gb of pictures of other peoples cats.
But on the plus side, you could head over to Fark and be a LOLCAT GOD.
Weaselmancer
ridiculous.
Somebody is going to write it.
activestudios web design
If you want to keep something "private," DO NOT PUT IT ON THE INTERNET.
- The URI for the pics are based on a sequential number
- The URI for the pics are based on a timestamp
- ... a combination of the above
- The pics are not access-controlled in any other way than not being listed on a user's page
The hack was discovered when a user cut and pasted the URI of one of his private pictures, noticed one of the above and attempted to change a digit of the URI, then automated the process with a garden variety for() loop.
Crappy analogy: Even unlisted telephone numbers can be discovered by telemarketing wardialers.
"Um, Anybody concerned with internet privacy along with everybody who had a myspace account with pictures posted privately they did not intend the public to see."
I thought one of the first rules on the internet was that anything you put out there can fall into the wrong hands / become public?
I certainly wouldn't trust MySpace with personal affairs - if not because of technical glitches / hackers, then because of a disgruntled employee who decides offering the entire database up is so much more rewarding than going postal.
Though the whole idea of using MySpace - a site where everybody openly shares information about themselves.. that's the whole point, after all - for *anything* private at all sounds ridiculous to me in its very premise.
Just my 2cts.. I do feel sorry for those who are/will be affected, especially in the days to come as the juicier bits are filtered out and plastered all over the web and into youtube videos for truly everybody to see, as even though my opinion is that there's no reasonable expectation for true privacy on those sites, that doesn't mean they asked for some stupid hacker and a scriptkiddie to go running amok with it.
By covering this story, Slashdot has exponentially accelerated the spread of these images, and the number of seeders.
Wow, 17 gbs of pubescent girls doing the "Blue Steel" face. What a mind-numbing waste of bandwidth and time.
Oh, for the days when sigs didn't have to be cute...hey, wait a sec.
So, when you used MySpace, were you (a) a middle school/high school girl, (b) a guy, or (c) a stalker?
In case you're new at this: a torrent file can contain more than one file, organized into subdirectories. There's no need for any encapsulation.
(What makes even less sense, though, is where a single large (compressed) file is split into a bunch of .RAR files and then all the .RAR files are repackaged into a single torrent. The resulting torrent is no smaller or resistant to corruption, and requires external tools that most people don't have to reassemble.)
"The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
1) There's a subtle difference between archiving and compression
2) You can use zip with no compression for plain archiving
3) Since tar isn't that popular on Winblows it's pretty natural to use zip instead
There are plenty of benefits to using an archive
1) integrity checks
2) directory structures
3) single file vs thousands
etc
I'm sorry if I haven't offended anyone
CATS: All ur cheezbergr r belong to us
/got nuthin'
//slashies!
The torrent (myspacepicstorrent) is ~17.5GB. The torrent contains 17 zips:
:)
:P
0.zip, 1.zip, 2.zip, 3.zip, 4.zip, 5.zip, 6.zip, 7.zip, 8.zip, 9.zip, a.zip, b.zip, c.zip, d.zip, e.zip, f.zip - The pictures, or so it seems. Haven't downloaded the pictures, yet. Each zip is ~1GB.
html.zip contains html files that link, supposedly, to the original pictures. It's ~30MB.
Out of sheer curiosity, I viewed the source of a couple of the html files - wanted to see if they contained any friendID's or anything else that could link the pics to the user.
The links do not contain a friendID or anything else that would tie the picture back to the user. Unless, of course, there is a rainbow table floating around that contains the hashes of the pics and the associated friendID's?
The html files, however, do contain FriendFinder spam. (iFrame, of course. pid=g872417-pmem, if anyone cares.)
Sorta stoopid, if you think about it. All the authorities would have to do, if they are interested, is contact FriendFinder (or the parent company[1]), and get the contact details for the affiliate.
Anywho. I hope this answers the size comment. I'm sure every prevert from here to China is part of the torrent's swarm.
[1] I don't know if FriendFinder is an indy company or owned by someone else. I don't even care enough to visit the site. Sorry. I'm tired and I've got a toothache.
"The fight for freedom has only just begun." - Geert Wilders
I downloaded the first zip, which is the first GB of images. I unzipped it, and I looked at the first 4500 images before falling asleep. 999 out of 1000 are crappy cellphone pics of ugly people drinking a beer and flipping off the camera, or vacation pics, or pics of someone's crappy car, or just simply snapshots of people (the vast majority).
So far out of 4500 images, I found exactly zero images that I think anyone would give a crap about. I'm not even sure why the vast majority of them are even bothered marking private; nobody would care about them at all.
Myspace appears to use a static content server that does no validation of who you are before returning JPGs.
When not working or browsing Slashdot, a friend and I will exchange URLs to profile pics of "interesting" looking women. If the profile is private, the URL to the private JPG is not protected and we would exchange those instead. I haven't spent any time trying to find a pattern in the seemingly-random JPG names, so it appears difficult to pull the private images of any one person, but in general everyone's pics are available if you know the URL.
I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..
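The gap described in the comments above (a content server that returns private JPGs to anyone holding the URL) is closed by making an authorization decision per request. The sketch below is an added example, not MySpace's code: the application checks the viewer, then issues a short-lived HMAC-signed URL that the static host verifies before serving. All names, the key and the sample data are hypothetical.

```python
import hashlib
import hmac
import time

# Constructed sample data: image id -> (owner, is_private), owner -> friends.
IMAGES = {"1001": ("alice", True), "1002": ("bob", False)}
FRIENDS = {"alice": {"carol"}, "bob": set()}
URL_KEY = b"demo-key-rotate-in-production"  # hypothetical signing key


def may_view(viewer, image_id):
    """Application-side authorization: decided per request, never by URL secrecy."""
    record = IMAGES.get(image_id)
    if record is None:
        return False
    owner, is_private = record
    if not is_private:
        return True
    return viewer is not None and (viewer == owner or viewer in FRIENDS[owner])


def sign_url(viewer, image_id, now=None, ttl=300):
    """Issue a short-lived URL for the static host, only after may_view() passes."""
    if not may_view(viewer, image_id):
        raise PermissionError("viewer is not allowed to see this image")
    expires = int(now if now is not None else time.time()) + ttl
    msg = f"{image_id}:{expires}".encode()
    sig = hmac.new(URL_KEY, msg, hashlib.sha256).hexdigest()
    return f"/img/{image_id}.jpg?exp={expires}&sig={sig}"


def static_host_allows(image_id, expires, sig, now=None):
    """Check run by the content server before it returns any image bytes."""
    now = int(now if now is not None else time.time())
    msg = f"{image_id}:{expires}".encode()
    expected = hmac.new(URL_KEY, msg, hashlib.sha256).hexdigest()
    # Constant-time compare; the signature binds the image id and the expiry.
    return hmac.compare_digest(expected, sig) and now <= int(expires)
```

Because the signature covers the image id, changing a digit in the URL invalidates it, and a copied link stops working once `exp` has passed.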
I'm not sure how torrent handles this, but having a large number of small files can cause internal fragmentation (wasted space) and substantial additional overhead. It's fairly standard practice, from a convenience standpoint, to package large numbers of files into a single .zip -- especially if you plan on supporting having the data shared via a system that doesn't graciously handle multiple files organized into subdirectories.
The multi-part .rar business is historical -- either it's data designed for distribution by a different medium that's mirrored onto bittorrent, or it's someone who's emulating the other distribution format for some reason. (Data posted to newsgroups used multipart archives, for example.)
Sure there is. Ignoring the way BitTorrent actually encodes the information, and assuming that somehow every file name could be stored as one byte (ignoring the obvious flaw with that), by keeping all of them at the torrent level you'd require "more than 560,000" bytes just devoted to file names. Since the general rule of thumb is to keep the actual .torrent file around 100KB, give or take, that's right out.
Now, throwing in the way the .torrent file actually stores the list of file names, you're looking at at least 21 bytes per file. Assuming 560,000 files, that bloats the .torrent file to over 11.2MB - and that's still not realistic, because it requires every file to be less than 10 bytes in size and all of them to have empty path names. (Which is obviously not valid.)
Throw in realistic constraints, and you're adding another 15 bytes, bringing us to a total of 36 bytes per file - bloating the .torrent to 19.2MB, just for file names.
So, in short, the reason to place them in a ZIP file and not use the multi-file feature is because using the multiple file feature would massively bloat the .torrent file. Now the final .ZIP file has similar requirements per file in the ZIP file, but that becomes payload as part of the BitTorrent download and not something that has to be downloaded via non-BitTorrent means first.
Finally, for an explanation of where those numbers above come from, the "smallest possible" form for a file would be:
"d6:lengthi0e4:pathlee" (21 bytes)
The "more realistic constraints" brings that to:
"d6:lengthi100000e4:pathl8:0000.JPGee" (36 bytes)
Yes, the .torrent file is essentially "plain text" although the piece hashes are stored as binary strings. It's encoded using "Bencoding" - which isn't the most compact of formats.
You are in a maze of twisty little relative jumps, all alike.
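The per-file byte counts in the comment above can be reproduced with a small bencoder. This is an added example, not code from the thread or from any BitTorrent client; the function names are hypothetical, and the file length and name are the ones the comment uses.

```python
def bencode(value):
    """Minimal bencoder for the types a .torrent file list uses."""
    if isinstance(value, int):
        return b"i%de" % value                      # integers: i<digits>e
    if isinstance(value, str):
        value = value.encode()
    if isinstance(value, bytes):
        return b"%d:%s" % (len(value), value)       # strings: <len>:<bytes>
    if isinstance(value, list):
        return b"l" + b"".join(bencode(v) for v in value) + b"e"
    if isinstance(value, dict):
        # Dictionary keys are byte strings and must appear in sorted order.
        items = sorted((k.encode(), v) for k, v in value.items())
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in items) + b"e"
    raise TypeError(f"cannot bencode {type(value).__name__}")


def file_entry(length, path_parts):
    """One element of the 'files' list in a multi-file torrent's info dict."""
    return bencode({"length": length, "path": path_parts})


def file_list_overhead(n_files, length, path_parts):
    """Bytes spent on file entries alone if every file looked like this one."""
    return n_files * len(file_entry(length, path_parts))


def to_mib(n_bytes):
    """Convert to units of 2**20 bytes, rounded to one decimal place."""
    return round(n_bytes / 2**20, 1)


if __name__ == "__main__":
    print(file_entry(0, []))                         # the 21-byte minimum
    print(file_entry(100000, ["0000.JPG"]))          # the 36-byte case
    print(to_mib(file_list_overhead(560_000, 0, [])))
    print(to_mib(file_list_overhead(560_000, 100000, ["0000.JPG"])))
```

Measured in units of 2^20 bytes, the two totals come out at the 11.2 and 19.2 figures the comment gives.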
Those multiple .RAR files most likely originated on Usenet, where corruption-resistance is very important (indeed, the .RAR files are often accompanied by .PAR parity files as well).
The .torrent was probably just created from a usenet download, omitting the .PAR files (which are unnecessary when using Bittorrent).
Reinvent the wheel only at either a lower cost, greater effectiveness, or your own personal enrichment and satisfaction.
No.
No it didn't. MySpace let this thing go on for months. From TFA:
The irony (and scandal) is that they not only failed to uphold their privacy policy despite being in the public spotlight over the last 2 years precisely for privacy issues, but that they didn't bother to acknowledge or fix this bug until a high traffic site reported on it.
parasight.de
Doug Stanhope - MySpace Pedophiles http://youtube.com/watch?v=8APlx9btTn8
I'm sick of following my dreams. I'm just going to ask where they're goin' and hook up with 'em later.
Just watch. Cue the countdown.
I didn't realize .zip compresses each file separately. I would have expected it to be able to optimize the compression across multiple files (which would net a better compression ratio than doing each file separately).
The two faced attitude of Slashdot rears its ugly head again.
It's almost like there's more than one of us here, isn't it...
0 1 - just my two bits
"999 out of 1000 are crappy"
What's that 1 out of 1000 you are holding back on?
It is done for the same reason women, including me, enjoy fretting about rape: they're flattering themselves.
One thing the internet's sheer size teaches you: you are just another nobody, who'd have to dig deep to find some trait that is simultaneously unique and valuable. On the one hand this is a Good Thing, because it blasts from Earth forever the notion that one might be a freak in some way. On the other hand, now we have to struggle to differentiate ourselves, even in our own minds.
FATMOUSE + YOU = FATMOUSE
I only stalk other hermaphrodites. It's just not as good being only one gender you know.
I redefine getting the best of both worlds.
The torrent itself - as in the peer to peer data transmission - is done at a piece level and the stream is logically equivalent to concatenating all files and transmitting them as a whole. Obviously, this never happens at a filesystem level. However, even though the actual filesystem data is split into files, the logical stream that is what gets shared is effectively the result of the concatenation of all files (this happens in real time: when someone requests a piece, it is done by position in the "whole of the torrent" and then the client determines which file(s) it has to read to find the data). The point is that there is no internal fragmentation on the transmitted data: (essentially) the exact same number of actual data bytes will be transmitted whether you split the torrent into files or tar it up into one big file (assuming no compression for the tar and ignoring overhead for it). It's not like downloading files over HTTP where there is an overhead per file. The bittorrent wire protocol doesn't even know about the existence of multiple files.
The .torrent file is a separate issue, and it can get large with large amounts of files. However, it's not like you're saving bandwidth: the file names and info will just happen to be inside the rar files (as part of the rar format), instead of the torrent file, but you'll still have to download them. Having them in the rar files is arguably a better solution in this case, since it keeps the .torrent file small and transmits the relatively bulky file list over BT, but that's a different issue.
This is why if you download a single file out of a torrent, you will often get a certain percentage of the previous and following files completed even though you never checked them for download: the edges of the pieces weren't aligned with the file boundaries. If you uncheck, say, a "downloaded from foo" txt file, more often than not you'll get it anyway (the client stores the file anyway because it needs to store that portion of the block to be able to upload it to peers, since blocks are sent as full units).
There is no /. crowd. Get this stupid idea out of your head, you got Bill Gates lovers and Steve Jobs fanboys. You got MSCE's and real engineers. You got Window monkeys, linux users and BSD weirdos.
There is everything here from rocket scientists to people who clean toilets for a living. Age varies from almost dead to just old enough to sit upright.
We even have rumors of women visiting this place.
So how can you have a /. crowd?
Answer: you don't. Sure there are some trends, there are probably a few more MS haters here and a few more Jobs lovers than in society as a whole, but read any article on Apple/MS and you will find people who go against the flow.
The reason I point this out is that it is VERY dangerous to think that all people from a certain part of society are the same.
And it is very relevant in this discussion. SOME kids using myspace are stupid enough to send private information on a public network, therefore YOU seem to conclude ALL kids using myspace are stupid enough to send private information on a public network.
This leads to nanny state rules, where because 1% of the population is unfit to live 99% has their freedoms restricted.
Myspace is a tool; some people will get it wrong, tough shit. This has nothing to do with generations or whatever, there have ALWAYS been stupid people who do stupid things, society survives.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.