Man Mines Facebook For Security Questions, Nabs Nude Photos From Email

itwbennett writes "George Bronk, 23, has pleaded guilty to charges that he broke into the e-mail accounts of thousands of women, scouring them for nude photos that he then posted to the Internet. How he did it: He searched his victims' Facebook pages for answers to common security questions and then logged in to their e-mail accounts. In one case he persuaded a victim to send him even more explicit photographs by threatening to post the ones he'd stolen if she didn't. Bronk faces 6 years in prison on felony hacking, child pornography and identity theft charges."

Obligatory

[Anonymous Coward]

Pics or it didn't happen

Re:Obligatory

[ian_from_brisbane]

Pics or it didn't happen

Here you go... http://www.msnbc.msn.com/id/41082627/ns/technology_and_science-security/ [msn.com]

Re:Obligatory

[macraig]

Not THAT one! My eyes, my EYES!

All I can say is

[drinkypoo]

Torrent?

(ObDisclaimer: No, I don't want to receive child porn.)

Think of the children too

[Anonymous Coward]

Well, I sure hope all of the girls who took pictures of themselves got child pornography charges against them too.

Re:Think of the children too

[crow_t_robot]

No, because producing child pornography and distributing it on the internet is producing child pornography and distributing it on the internet. If a 16 year old girl sends a picture of her tits to your phone you are now in possession of child pornography and in direct danger of having your life destroyed and everyone you know hating you.

This is akin to weaponry. This shit needs to stop.

Re:

[Anonymous Coward]

16 year olds are not children. That is the most insane part of all of this. Naked pictures of 6 year olds on your phone, sure, those are children at least. A 16 year old is most definitely not a child though.

Re:

[Shikaku]

What happens when you turn 18 that magically makes you an adult?

Re:

[rwa2]

Um, you have to register with the selective service so they can decide to throw your ass in a war? Something like that.

You're innocent until you're old enough to vote and (legally) kill people.

Re:

[Grimbleton]

Only if you have a penis.

Re:Think of the children too

[milkmage]

same thing that makes you a responsible drinker at 21

Re:

[martas]

Give up hope now, save yourself a bunch of turmoil. It won't stop, simply because laws on topics like CP tend to be more powerful than the lawmakers themselves. At this point, I doubt anyone has the political arsenal necessary to "stop this shit."

Think of the children laws.

[0100010001010011]

In some states, the age of consent and child porn statutes have the same age limits.

For instance, a quick read of NV law shows the AOC to be 16. Child porn is defined as sexually explicit blah blah blah involving a person under 16. Federal law makes it a crime with a person under 18, but there may be some state line/interstate commerce nexus that needs to be fulfilled.

I didn't feel like looking at too many states, but found this same AOC/CP thing with NH-16/16.

Many states forbid distributing/exhibiting obscenity to people under 18, regardless of their AOC/CP statutes.

So, excluding the feds, it's not a crime to have sex with a 16 year old or film it. But, she can't watch the tape afterwards. It's a crime to allow her 16 year old friend to watch the act as it occurs, but not a crime to have her join. Neither of them can smoke a cigarette or have a beer afterwards. If either one were to rob,beat,kill one of their fellow particpants, they would be tried as an adult in every state in the country.

Re:Think of the children too

[Anonymous Coward]

Pictures of naked people should not be classified as porn simply because of the lack of clothes.

Re:Think of the children too

[Pharmboy]

Pictures of naked people should not be classified as porn simply because of the lack of clothes.

If God® wanted you naked, he would have made you born that way.

Re:Think of the children too

[Schadrach]

Actually, legalize possession of child porn, and step up the penalties for production (or just for child abuse, since using a child to produce child pornography is itself abuse) and purchase/sale. That removes the "weaponry" portion of child porn (if I send you a CP picture, you have committed a crime is a *bad* thing) and makes those who receive such pictures accidentally (mislabeled P2P files, for example) or against their will (as in the sending a picture to your phone example) more willing to openly provide them to authorities as a way to help the producers get caught, as well as making being involved in the financial promotion of the production of child pornography still a crime.

Re:Think of the children too

[Lord Kano]

Actually, legalize possession of child porn, and step up the penalties for production (or just for child abuse, since using a child to produce child pornography is itself abuse) and purchase/sale. That removes the "weaponry" portion of child porn (if I send you a CP picture, you have committed a crime is a *bad* thing) and makes those who receive such pictures accidentally (mislabeled P2P files, for example) or against their will (as in the sending a picture to your phone example) more willing to openly provide them to authorities as a way to help the producers get caught, as well as making being involved in the financial promotion of the production of child pornography still a crime.

Back in the early 90s, before the explosion of the web, I used to use AOL. I used to trade in pictures of naked women. Some guys used to send out pictures of their wives. I was 18-19 years old and had no interest in 35-40 year old housewives. I asked one guy if he had anything of someone "younger". Apparently that's a keyword for child porn. Next thing I knew I was getting inboxes full of the stuff, this was also back in the days before broadband so I had some people that I used to automatically share anything I got with before I downloaded it myself. On the first inboxing, I forwarded all of the contents to some of my trading partners. And THEN I downloaded the pictures and saw things that no normal person should ever have to see.

I deleted the jpgs and gifs from my computer, deleted the emails from my inbox, and at that time AOL allowed you to unsend an email if it had not been read. I believe that I was able to unsend them all, but if I hadn't been, I shudder to think of the things I could have been charged with. All because I wanted to see naked 18-24 year old girls...

LK

Re:Think of the children too

[Anonymous Coward]

What you said:

Actually, legalize possession of child porn, and step up the penalties for production (or just for child abuse, since using a child to produce child pornography is itself abuse) and purchase/sale.

What every politician and journalist in America would hear:

... legalize ... child abuse ...

Sorry, but no penalty is going to be reduced. The only changes that are ever going to happen in the forseeable future will be increased penalties for whichever specific things are involved in the next few child abuse cases to hit the news. (Oh, you possessed child porn that was produced using a smartphone? That means you get an extra fifty years in jail, because clearly that's more of a deterrent than the 490 years you were already going to get.)

We are no more able to have a rational and objective debate about child pornography than McCarthy was about communism, or the citizens of Salem about witchcraft. This is our generation's moral panic and it is not going to die until we do, so you'd better get used to it.

Re:

[TheLink]

If it was consensual but statutory rape, maybe they should just jail the "rapist" till the "child" reaches legal age. Then if the now adult "victim" still thinks it's consensual and not rape, the "rapist" gets that charge wiped totally clean.

If the victim changes her/his mind and thinks it's rape or the "victim" is threatened the "rapist" gets the full rapist sentence.

Re:

[RichiH]

That would open up the child to massive repression by any and all rapists. It's not an easy-to-fix problem.

Re:Reminds me...

[tragedy]

Also, it would open up anyone fully consenting to massive repression by family. If they insist that it was consensual, in many cases, they'll receive counseling tantamount to brainwashing for years. There will be guilt trips and threats of excommunication from the family. She will be made to feel that, if she affirms her consent, she'll be releasing a monstrous sexual predator who will rape someone not so willing next time and she'll be to blame for that girls suffering, etc.

I'm sure everyone here is familiar with the concept of "honor killings". It's not a phenomenon unique to Muslims as many people seem to think. It's a cross-cultural set of attitudes about the importance of a girls "virtue" and reputation and her obligation to her family and society in regards to it. In some places and among some people it's still taken to the extreme of murder for transgressions, but the exact same behavior, just to a lesser degree exists just about everywhere. I've met plenty of fathers of daughters of various ages in the US who are almost psychotically overprotective and who insist, in all seriousness, that their daughters have no sexual relations whatsoever and sometimes that they not date, etc. The behavior is always hypocritical with regards to their own behavior when they were younger and frequently their behavior as adults (with regards to enjoying pornography of young women, etc.). But they seem to view it as an obligation. Feeling protective of your child is, of course, not a shameful thing, but far too many tie such behavior to possessiveness and a form of objectification that denies their children their humanity.

Society in general seems to at least subconsciously share these values. A young woman, whether above or below the various ages of consent/adulthood/etc. who expresses her sexuality in some way, especially publicly, has to be either a victim, or a slut. Generally there is no middle ground, and when there is, it's often given by people who think that she's both a victim _and_ a slut.

So, an underage girl who chooses to have sex before her society says she's ready, whose older partner is arrested and who has a few years to decide whether to re-affirm consent or not, is going to have to spend that time under a lot of pressure. She will, essentially, have to decide whether to call herself a victim or a slut. Whether to be the dedicated family member protected from the outsider, or the prodigal child who shunned her families protection.

Re:Think of the children too

[Schadrach]

Interestingly enough, I've actually met a "slutty little girl" as you described it. She was a friend of one of my nieces several years ago. Girl was ~10, and was....precocious and direct. Very, very, direct regarding what men she found attractive and exactly what she wanted from them (or more specifically wanted them to do to her). It was actually really creepy. She moved a couple months after her and my niece started hanging out though, so I don't know what happened to her in the long run, or any real details as to her background.

I'd never found a girl coming on to someone quite so disturbing though, before or since.

Re:Think of the children too

[JWSmythe]

    Depending on the level of detailed dialogue you are describing, she may have been a victim of sexual abuse. They may have rationalized that the sexual abuse has positive results. For example, a bad adult does sexual acts, and then rewards the child. The child may associate the act with the result, and try to initiate the act with others for similar rewards.

    Most 10 year olds can't carry on an unsupported dialogue of sexual matters. For most (and yes, the average have has been growing younger), they simply have no interest. For others, they've had no exposure. Most (but not all) parents keep their children away from what they perceive as dangers for the childs development, which includes movie violence and sexuality. If the dialogue was beyond what you may see in a R or NC17 movie, you should consider that there is something pretty serious going on. Talk to a professional about it. Ask the simple questions, "This happened. Should I notify someone?" If you have school age children, a call to the schools child psychologist may be helpful, or your local child protective services. The child protective services call may start unwanted actions, but if there is something bad going on, they should definitely be involved.

    Most importantly, don't be involved. It's not up to you to investigate such things. Besides tainting evidence, being too involved can be bad for your health (i.e., the bad adult may seek to silence you). Leave investigations up to the experts. For the sake of your safety and mental health, it's better to give the anonymous tip, than to become a witness. If you get too involved, you may become a suspect, rather than just a witness.

Re:Think of the children too

[bennomatic]

Of course, sometimes things can be misinterpreted. When I was in college, my girlfriend and I took a day off to help out her mother, who was a kindergarten teacher. We spent the morning reading to and playing with the little ones, and during the art part of the day, one little girl decided to confide in me that she and her father "do a secret dance when mommy goes to work."

As you suggest above, I knew it wasn't my place to investigate, but that sounded pretty serious, so I told my GF's mother, who immediately went to the principal and school counselor, and they took the girl out to question her right away.

In the retelling later, my GFM said that the little girl clammed right up, refused to talk, until finally, out of exasperation, she explained that her mother is a dancer at a club, and doesn't want her little girl to follow her career path, so she forbids her to dance. At all. But she (the little one) loves to dance, so as soon as mommy goes to work in the evenings, she and daddy put on a record and dance all over the house. Clothes on, no touching.

I was soooo relieved to hear that it was nothing.

Re:

[JWSmythe]

There are plenty of misunderstandings with children. Years ago, someone I was dating had a son who was about 5 at the time. He refused to take a bath without help. The "help" was standing there waiting for him to wash up. Lots of "wash your face", "no really, wash your face", "wash your hair ... with shampoo this time". The door was opened the whole time, and mom could hear exactly what was happening. I wasn't entertained by it. I had better things to do, like flirt with mom. :)

Re:Think of the children too

[Archangel Michael]

For the sake of your safety and mental health, it's better to give the anonymous tip, than to become a witness. If you get too involved, you may become a suspect, rather than just a witness.

This is why our society is going to hell in a handbasket. Chickenshit pussies afraid of the boogie man of bad people might do something bad.

If you're a real man, stand up and be counted. Real men will protect the innocent and defenseless with everything they have, including their life. I know I would.

I have no room for child predators (real ones), nor pussies that hide behind self preservation at the expense of taking one off the streets.

Re:Think of the children too

[CAIMLAS]

You have very little imagination.

Girls have boyfriends. They also have female friends. They are not solely keeping these pictures on their hard drives and cameras for personal use (more than likely).

Funny thing about pictures on the Internet: they're trivially copied. Boyfriend copies the picture to his friends (or just one friend), or posts it to a forum: the picture is out, and will live forever on hundreds of 'porn agregators' (lacking a better term), presuming the girl isn't a skag. Likewise, girls are/can be catty: what's stopping them from spreading the nude pictures in a bitter attempt at becoming more popular themselves (thinking it would ridicule the origin)? We're talking about virally social teens, here, not top secret data on government networks: there's literally a thousand and one ways for such pictures to spread to the Internet At Large.

So, in short: it's entirely possible that hundreds of thousands of men and women have viewed, downloaded, etc. child porn and not even be aware of the fact that it is child porn, simply on the basis of "some women look like children and some girls look like women". I recall a couple girls in high school who looked significantly older than 16-18 - and no, I'm not just talking about curves (though that applies too).

It's just like "honest, I thought she was 18, officer!" scenario, except the evidence never disappears and the so-called 'victim' can never grant consent. I would not be surprised if there is legal child porn floating about the internet right now, on "valid" sites which the US federal law enforcement agencies knows about, but allow to exist -so that they can use it as an added charge for someone down the line, if they ned something to vilify them further/want to make sure the charges stick.

Re:

[Tanktalus]

Legally speaking, 16 and 17 are children. When talking about the law, we have to use legal definitions. Full stop.

Re:Think of the children too

[witherstaff]

They're children unless they're being prosecuted, then they're usually adults. I don't get that double standard.

Re:Think of the children too

[Anonymous Coward]

It's a US thing. Over there:
- You're presumed innocent until proven guilty. Except for terrorism, in which case the rule is "If you were innocent, you wouldn't be a suspect".
- Sexual assault is a horrendous crime. Except if the perpetrator is wearing a TSA uniform.
- The Constitution stops the government from abusing it's authority and power. But only as long as the government agrees.
- Infringing copyright on music steals copyright holders of thousands of dollars. Except for the music industry, they only steal 60 cents per song from artists.
- Child Porn is illegal in order to protect victims of child abuse. Unless if children willingly make and send pictures of themselves, in this case they're not victims but vicious pedophiles. So vicious, they abuse themselves!
- You're too young to drink beer at 21 but you're old enough to die for your country.

Re:Think of the children too

[Dunbal]

No I think OP was referring to the notion of a fair and balanced justice system that applied the law to everyone instead of the one we have now which consists of "lets throw everything we can dream up at the guy and see what sticks".

After all, it wouldn't be the first time a teenage girl was accused of child pornography for taking pictures of herself and posting them online. Not that I agree with THAT one, either.

Re:

[TFAFalcon]

No, but it might cause enough outrage to get the laws changed. As long as teenagers can be prosecuted for taking pictures of themselves, there is something seriously wrong.

Re:

[Starfleet Command]

>>>they took pictures of themselves in an illegal manor Perhaps if they had photographed themselves in a chalet, or perhaps even a brownstone walk-up?

Re:

[freedumb2000]

You are kidding, right?

Re:

[the_womble]

Congratulations! You think the right way to be a politician! You must punish people to protect them from themselves!

Re:

[black6host]

"Choose the more obscure questions that only you and your family know the answers to."

Or better yet, use an answer that is totally unrelated to any of the security questions. If one of the security questions is: "what high school did you attend?" a good answer would be aZ333addkwe467. Just need to keep track of it like you do your passwords. These things are usually only used when you forget your password, or as in this case, someone is trying to gain access to your account. Since you rarely would need

Security Questions Security Risk

[Anonymous Coward]

That's why my answer to those security questions is always 30-50 randomly selected characters.

What's your mother's maiden name? - kashiqewnchkdhsflakjshflvkdsvhpexiojnasdjlna

Re:Security Questions Security Risk

[Haedrian]

"What's your mother's maiden name? - kashiqewnchkdhsflakjshflvkdsvhpexiojnasdjlna"

But everyone calls her bob.

Joking aside, I did that once for my steam account. Then I forgot the password, when I came to reset it it demanded my secret answer. Couldn't remember it. :(

Re:

[Winckle]

You can contact valve and scan a couple of CD keys to prove it's your account I think.

Re:

[Opportunist]

How do you do that if everything on your steam account is bought through steam?

Re:

[Winckle]

Well that's just one method I know of, there may be others.

Re:Security Questions Security Risk

[Mathinker]

Why not try using the Linux/Cygwin command line?

  echo "mother's maiden name" | md5sum | sha1sum

If you want to be fancy:

  (echo -n "string1" ; echo "string2" | md5sum) | sha1sum

(P.S. For anyone foolish enough to think otherwise, I personally use a more sophisticated Python script for this, don't waste your time trying to break into my email using this "information".)

Re:

[jecblackpepper]

Or you could use a proper unique password for each security question and store it in KeePass against the site (oblig BBC: other password storage tools are available)

Re:Security Questions Security Risk

[Dunbal]

No asdfghjkl is your dad, idiot.

Re:Security Questions Security Risk

[Lalakis]

I can't believe that no one blames the online services for requiring and using security questions as a security measure(!). This is such an insecure practice that I'm just baffled from the so much widespread use of it!
  Theoretically, security questions could be used as an ADDED security measure and be marginally effective at that, but in most times you can't know exactly how your answer will be used, so the sane response would be something like kashiqewnchkdhsflakjshflvkdsvhpexiojnasdjlna.

Re:

[Chelloveck]

Theoretically, security questions could be used as an ADDED security measure and be marginally effective at that, but in most times you can't know exactly how your answer will be used, so the sane response would be something like kashiqewnchkdhsflakjshflvkdsvhpexiojnasdjlna.

Hey! How did you know my response?!

Seriously, when I'm required to give an answer to one of these I just use my regular password generator to create another password for the site, then use that. "What was your first pet's name?" "w8ZRjky

Re:

[TheLink]

The attackers will still succeed in targeting the sheep who will give the obvious answers to such "security" questions.

Worse - some sites have security questions that require a drop-down selection box for the security answers! Yep, only a few limited answers. DailyWTF contenders.

Article in summary redirects

[Grimbleton]

To a blogspot blog.

Re:Article in summary redirects

[mountaineer76]

yeh, I got that too, re-directs immediately to a blog about some insurance company. Here's the printable link which doesn't redirect: http://www.itworld.com/print/133630 [itworld.com]

Re:Article in summary redirects

[CrashandDie]

Indeed. It would appear ITWorld is vulnerable to a simple XSS comment post.

    <div id="comments">
        <div class="header">Comments</div>
        <div class="comment_links">
            <span class="num_comments"><a href="/comments/133630">1 comment</a></span>
            <span class="add_comment"><a href="/comment/reply/133630#comment-form">Add a comment</a></span>
        </div>
        <div class="comment content_item">
            <h3>(No subject)</h3>
            <META http-equiv="refresh" content="2;URL=http://swift-cars-insurance.blogspot.com/">
        </div>
    </div>

Mountaineer76 provides us [slashdot.org] with a print version of the article [itworld.com] which isn't affected, though.

PS: WTF is it with Slashdot's broken support for paste? Trying to recreate the goodness of iOS 1?

Re:

[hrieke]

Just report the blog as a violation of TOS.

Re:

[CastrTroy]

They probably don't check for meta tags in your post. Probably just script tags. Personally, I don't think comments should allow posting of any HTML whatsoever (make everything escaped, so tags show up as regular text), simply because there's too many ways to make things happen on a browser, even without javascript enabled. As this example clearly illustrates. Just imagine if it had been and image tag of one of the images from the article. Or if the the redirected page contained the content. We'd all ha

Re:

[Idbar]

Someone did it already and it's now pointing to the printed version suggested by the parent! You gotta love /.

Re:

[macraig]

Ditto here. The redirect is inside a comment! ITWorld apparently allows too much HTML inside comments, and some comment-spammer figured that out and embedded a meta-refresh tag in a comment. It very effectively hijacks the ITWorld page from inside the comment.

NoScript blocks the redirect if you have itworld.com blacklisted (I didn't initially).

Re:

[Dunbal]

some comment-spammer figured that out

      Anyone who owns a website which allows comments knows that web spammers have "figured this one out" a long time ago. It's bots that do it nowadays. Which is why I don't allow HTML posts.

Re:

[macraig]

I've used a blog CMS called Pivot that allowed limited HTML but was VERY effective - like 100% effective - at stopping comment spam. Why the techniques it used aren't an industry standard might spark a lively discussion somewhere.

Re:

[drinkypoo]

NoScript blocks the redirect if you have itworld.com blacklisted (I didn't initially).

Not here.

Re:

[macraig]

There's an Advanced NoScript option that apparently dictates whether it happens or not.

Re:Article in summary redirects

[macraig]

The NoScript extension has an option on the Advanced tab, under Untrusted: Forbid META redirections inside NOSCRIPT elements. Do you have that option enabled? It's probably a key factor to whether NoScript blocks it or not.

Re:

[The MAZZTer]

That only works if there is a surrounding <noscript&gtl tag, typically only used when NoScript is blocking JS on a page (otherwise noscript tags are ignored).

Re:

[Pharmboy]

Need to mod this up, then change to a better link without the spam redirect. The one time people are trying to actually read the article on slashdot, and they all get redirected instead...irony.

Re:

[oDDmON oUT]

It'll eventually cycle away from the insurance blog to a NY Times Ad, and the Times itself (if you've registered in the past), and in all cases removes Back button functionality. Just and FYI if you're inclined to test NoScript against it (FAIL).

Well, that will look grand on a resume

[PolygamousRanchKid]

Hobbies?

• felony hacking
• child pornography
• identity theft

Hell, yeah, you're hired!

Re:Well, that will look grand on a resume

[Haedrian]

I see an executive director job at Facebook on the horizon.

Re:

[Opportunist]

You might jest, but the number of people who can actually break through security (on the 'white hat' side) are rare. Even rarer are the ones that are good and have a clean criminal record.

This guy just failed at part 2 of the requirement.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Security question

[francium de neobie]

You can always put non-sensical answers to those security questions. Like, saying your birth place is an Intel 8088.

Re:

[AgentPhunk]

My favorite: "What is your favorite color?" Answer: "Red, no blue!" (booooinnng! omitted)

Re:

[hitmark]

Don't know about birthplace, but i grew up with a A500.

Re:

[Carewolf]

The problem with most non-sensical answers as they are still vulnerable to dictionary attacks. In fact almost any security question has this critical flaw. There is just no way of making it safe, except by instructing users to never answer the asked question and instead insert a secondary strong password.

Re:

[TheGratefulNet]

intel 8088?

wow.

was that union or confederacy?

Re:

[xiox]

Facebook is guilty as well - I have a choice of 4 questions - name of 1st grade teacher - can't remember - city or town mother was born in - too obvious - last 5 characters of driver's license - okay question probably - street you lived on when you were 8 - not appropriate for me. Why can't I choose something better than this?

Re:

[CrimsonAvenger]

Facebook is guilty as well - I have a choice of 4 questions - name of 1st grade teacher - can't remember - city or town mother was born in - too obvious - last 5 characters of driver's license - okay question probably - street you lived on when you were 8 - not appropriate for me. Why can't I choose something better than this?

Why can't you just put something largely arbitrary as the answer to any of those questions that you don't have good answers for? "Who's your first grade teacher? ..."

Re:

[HJED]

you know Facebook doesn't make you set a security question right? Its optional, I however find it ironic how it says a security question makes your account more secure.
more access methods == less security

Re:

[mehrotra.akash]

For facebook, account security == not losing access to your account.
Thats why it asks me to add multiple cell phone numbers,etc.. so that I can recover my password.
They would prefer that someone gets access to my account, and then I am able to recover my access to it, rather than I forget my password, and my FB account goes inactive/disabled

Re:

[Peeteriz]

The whole concept of 'security questions' is completely flawed for things such as email or facebook, even if you can choose the question and the information isn't posted on the net.

Private questions to which you would know such an answer would also be most likely known by your relatives - for example, your mother definitely knows her maiden name, but that doesn't mean that she should have an easy time reading your email. Funny details about your childhood would be known by your spouse, but if you're undergo

Re:Security question

[Znork]

The whole concept of 'security questions' is completely flawed

The whole concept of answering such questions correctly is flawed. Once you're born in Hobbiton and your mothers maiden name is Goose they become quite a bit harder to guess. Such constructed 'alter egos' make the security questions much less dangerous while still maintaining some recovery capacity.

Re:Security question

[Peeteriz]

In that case, why not call it what it is, forget about the whole concept of security questions, and call it 'backup password', 'secondary password' or something like that?

Re:

[metacell]

Making up facts makes the security questions pointless, since you have to remember your made-up facts. The "security questions" become merely a second, alternate password which has to be remembered.

So the security questions are either horribly insecure (if we answer them truthfully), or completely pointless (if we answer them with made-up facts). I'd call that a flawed concept.

Re:

[PopeRatzo]

Or, do you suggest we carry a keyring, with one USB key for each site?

Then lock the keyring in a locker secured by a 4-digit PIN. And if you forget the PIN, then you can retrieve it using a secret question.

This security stuff makes my head hurt.

Re:

[0100010001010011]

Nothing requires the "real" answer.

Use an MD5 or SHA1. If you're afraid a hacker is going to do that, salt it with your favorite food.

$ echo -n Pasta Kennedy | md5sum
d579c75318c3f0635c5b897a86eedad4 -

Use that as your mother's maiden name.

Re:

[CastrTroy]

Or they could just use a password saving program on their computer, and generate unique, secure passwords for each site they visit, as well as random answers to the "security" questions. They're safe as long as they don't have a virus/keylogger on their computer. In which case they are hosed anyway. I think most people should just run their browser from a virtual machine which resets itself every time they use it, save for a few key files like bookmarks. I wonder if an easy to use product like this exis

Blackmail is blackmail

[fantomas]

Blackmail is blackmail, its an offense offline or online. The issue here is helping educate people to be more secure in their online transactions.

Re:

[betterunixthanunix]

The issue here is helping educate people to be more secure in their online transactions.

Doubtful; if that were the case, people would be talking about PGP and S/MIME. If the victims in this case had encrypted the messages with the pictures, there would have never been any problem.

Of course, that would be slightly less convenient, so it will never happen.

Legal punishment calibration

[dpilot]

Evidently child pornography, blackmail, and breaking into thousands of women's email accounts merits punishment 6 times more severe than breaking into 1 woman's (Sarah Palin's) email account.

It doesn't look like this guy destroyed evidence

[Quila]

Obstruction of justice is what got the Palin guy jail time.

He'd have skated with probation if he had just admitted it.

Am I the only one who does this w/security q's?

[syntap]

I have a single word that I always use for security question answers. It has nothing to do with any of the questions, so in that respect should be more secure because even someone who knows me well couldn't guess answers and gain access. I don't have to surrender additional personal info on myself or others (mother's maiden name, father's birth year, etc). And I always know the answer, no forgetting.

And someone like the guy from TFA couldn't get any nude pics of me, not that he wouldn't stop at the first

Re:

[el3mentary]

I have a single word that I always use for security question answers.

Shibboleth?

Re:

[syntap]

For a regular password that is true for obvious reasons, but I don't believe so for security questions. Making the answer to a security question not even guessable is more secure. Those like the guy in TFA know the great majority of people answer those questions truthfully, probably based on some expectation that the info would have to survive some kind of verification. That is the most likely attack vector, read the article and that is what it says because he looked for common answers to those questions

I'm confused -- I thought they were for PW reset

[michaelmalak]

I'm confused as to how this works. On most sites, answering the secret questions correctly allows you to reset the password, which is then mailed to the e-mail address on file. How does this help in obtaining the password to an e-mail system? Is there an e-mail system out there that is so brain-dead that it allows you to re-specify a password as a reward for merely answering the secret questions correctly? If so, which e-mail system?

Do we need more proof "Security questions" aren't.

[Opportunist]

Every time I come across a page that requires me to use a passphrase that's at least 8 characters long, contains numbers, special characters and preferably something that could only be typed on some obscure keyboard layout 10 people on this planet use, I feel kinda good.

That feeling instantly vanishes as soon as they also want some "security verification" in case I forget my password. And then you get to read things like:

Mom's maiden name
Your first address
Brand of your first car
Pet's name

And so on, all thin

It would seem...

[betterunixthanunix]

So, it would seem that people do have an expectation of privacy when it comes to their email. Well, glad to know there won't be any warrantless surveillance now.

Dumbass

[flyingfsck]

Why go to all that trouble to find nude pics when you can get all the nude pics and live webcams you want on the net without any hacking required?

How's that Cloudy Data Security Thingy...

[couchslug]

...working out for ya? (runs)

Simple fix

[IGnatius T Foobar]

It wouldn't be difficult for Facebook to automatically reject (or at least warn you about) status updates that contain strings which match either your password or the answers to any of your security questions. At least force the user to think about it.

Re:

[Suki I]

Imagine what Facebook knows about you if some random dude was able to crack all of their password/secret questions.

Nothing that I didn't put up there myself, right? Wait, I had to use cell number to do the verified account thing. Facebook I hate you!

Re:

[Yvanhoe]

Imagine what Facebook knows about random people instead.
I don't post anything that is not public on my facebook account

Re:

[PopeRatzo]

It's more secure to just not use Facebook.

Re:Imagine what Facebook is able to do if some dud

[betterunixthanunix]

That was, in fact, the first thing Mark Zuckerberg used Facebook to do: gain access to others' email.

http://www.businessinsider.com/how-mark-zuckerberg-hacked-into-the-harvard-crimson-2010-3 [businessinsider.com]

Re:

[Opportunist]

But ... but ... but he said he'd be my friend! He even made me his friend first!

Mommy, I wanna have friends too! Pleeeeeeease!