What I can't quite understand
is why the hell you'd want to?
A week after Facebook executives introduced new security features to great fanfare, a glitch on the popular social networking site has exposed private pictures of Paris Hilton to anyone with an internet connection. The Associated Press, which broke the story, was able to use the same, er, hole to view Italian vacations, office …
... I'd bet the "security" in question would be simple JavaScript checks, and no server-side checking.
Typical for apps that don't factor in security from the beginning. It's like those sites with the easily circumvented "disableRightClick()" functions, or the "password protected" sites using only JavaScript. Oops!
My favorite ones are the ones that overlap phony invisible images over the "real" one, so right-clicking and saving the image gets the fake one... only for me to fire up my local proxy and get the *real* URL for the pic. (Or check the HTML source.)
But then, this is Facebook we're talking about, what should we expect from this?
This has been about a fair bit longer than a few weeks... I remember being able to use this hack quite a few months ago, when people I knew would send me links to photos on Facebook where I wasn't friends with the person concerned (who either took or featured in the photo). Just presumed it was a feature of Facebook so to speak (security through obscurity) as opposed to a gaping security flaw, which it apparently now is.
In reference to an earlier post, I just think there was no particular checking (server-side or JavaScript) for photo.php at all. It just served up whatever ID you gave it, assuming the user was directed to the URL from a legitimate, internal source.
I've been looking at people's private pics for ages probably. If one of your friends comments on some other random person's photo it will pop up on their feed - you just click and scroll through the whole album. I actually kind of assumed till now that the pics weren't actively designated private but it was just that I wasn't 'friends' with that person and so I couldn't access their stuff by 'normal means', i.e. through their profile.... ouch, maybe they are... I think I should disable comments on my pics then...
There are so many privacy holes in this it's pretty insane. Makes you almost want to believe the stories....the making of it seems to have been a bit of a one-hit wonder. I guess there's always real one-hit wonders though, maybe we're only allowed one really good idea each. There's bands like that as well...Milli Vanilli, uhhhh....
(Seriously showing my age here, lol)
But a nice clean way is to use mod_rewrite and pass them through a script.
I typically set up something like:
www.site.com/pics/x/y/id.jpg
Where x = width, y = height and id is the db reference to the image link or similar. The whole thing is mod_rewritten to an image handling engine like PHP Thumb but with the inclusion of user security so you can tell unauthorised users to go stick it.
Easy peasy.
/ducks waiting for abuse from someone that knows better.
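The scheme described in the comment above, sketched as an added example that is not part of the original thread: a handler behind the rewritten `/pics/x/y/id.jpg` URL that decides access from the logged-in session rather than from how the visitor arrived. The sample photos, the friends table, the size cap and the function names are all assumptions made for illustration, and it is written in Python rather than PHP only to keep it self-contained.

```python
import re

# Shape of the rewritten URL from the comment: /pics/<width>/<height>/<id>.jpg
PIC_PATH = re.compile(r"/pics/([0-9]{1,4})/([0-9]{1,4})/([0-9]{1,10})\.jpg")
MAX_DIM = 2000  # assumed cap so a caller cannot request arbitrarily large renders

# Constructed sample data standing in for the database. The stored files are
# assumed to live outside the web root, so the handler is the only way to them.
PHOTOS = {
    101: {"owner": "alice", "visibility": "friends", "file": "store/ab/101.jpg"},
    102: {"owner": "alice", "visibility": "public", "file": "store/ab/102.jpg"},
    103: {"owner": "bob", "visibility": "private", "file": "store/cd/103.jpg"},
}
FRIENDS = {"alice": {"carol"}, "bob": set()}


def may_view(viewer, photo):
    """Decide access from server-side state only, never from the Referer or the URL."""
    if photo["visibility"] == "public":
        return True
    if viewer is None:
        return False
    if viewer == photo["owner"]:
        return True
    owner_friends = FRIENDS.get(photo["owner"], set())
    return photo["visibility"] == "friends" and viewer in owner_friends


def handle(path, session_user):
    """Return (status, file_to_serve); session_user is None when not logged in."""
    m = PIC_PATH.fullmatch(path)
    if not m:
        return 400, None
    width, height, photo_id = (int(g) for g in m.groups())
    if not (0 < width <= MAX_DIM and 0 < height <= MAX_DIM):
        return 400, None
    photo = PHOTOS.get(photo_id)
    # Same answer for "missing" and "not allowed", so valid IDs cannot be enumerated.
    if photo is None or not may_view(session_user, photo):
        return 404, None
    return 200, photo["file"]
```
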
Well if the site tells you it will keep the images private then I don't see why you wouldn't/shouldn't.
Webservers are used for lots of Private data. On-line banking anyone!?
You CAN make data secure and private on a webserver. What you absolutely shouldn't do is claim privacy when there is none or what is there is badly written. This does so much damage to consumer confidence.
Your private data does NOT belong on a machine owned by someone else, no matter how much the pushers of those machines are imploring you. Private data you keep on a machine that YOU own, and can turn off if need be.
Facebook can legally search for, look at, disclose or delete any picture that you choose to upload to their site because it's THEIR computer. Just because they can, doesn't mean they should, of course, but the safety-conscious Internaut keeps his/her cards close to his/her chest, especially if that chest is the subject of much public interest.
Social networking sites are really great for bringing home to people that the normal English vocabulary (i.e. "Private", "Friends", "Security") do not mean on the Internet what they mean out there in the wetworld.
Paris icon for obvious reasons...
I don't know why people join it anyway. I set up an account a few weeks ago so that I could view a friend's wedding photos. I set up an account under my name, but everything else was blank or a lie, and the email address was one of my throw away Hotmail ones I use for signing up to anything I don't trust (like Hotmail :-)). Oh, and I put one note on it for people to read, saying "I will not be using this account. Please don't try to contact me here as you will get no reply and will think I'm being rude. I'm not, I just think that my conversations are mine, and so are my pics, not Facebook's".
Now I'm getting every person I have ever met wanting to be my friend. I'm glad to know (again) I was doing the right thing. Now if they would just fuck off and stop filling my inbox with junk.
See post previous to yours with online banking destroying your argument.
I have plenty of private information maintained by various companies, solicitors, banks, insurance companies, etc... Much of it is accessible via the internet for my convenience, but it is secure (I hope) by design, rather than written in a script kiddies' language that is difficult to secure if they'd even thought about it.
"I have plenty of private information maintained by various companies, solicitors, banks, insurance companies, etc..."
Me too, but I'd wager firstly that none of them have pictures of your privates and secondly that they are all based within the same legal jurisdiction as you so if they mis-use it or lose it then you can sue *their* privates off.
(The UK's NHS IT backbone might break both rules of course. But any fule can see that it's a really bad idea.)
"I have plenty of private information maintained by various companies, solicitors, banks, insurance companies, etc..."
Well yes, agreed. But what I was thinking of was the folly of putting your unmentionables on a publicly-available website like Facebook, MySpace and LiveJournal. Those things are designed specifically to rape your privacy and bomb you with unwanted cruft. I moved my witterings^Wblogging from LJ to my own server in the wake of a number of liberties LJ seemed to be taking with people's writings. I never was on the others. I'm Too Cool For Facebook/MySpace. Don't think I'm bragging. Things live in my rain water barrel that are too cool for MySpace/Facebook.
Banks and insurance companies are not allowed by law to disclose, say, your saldo or what kinds of policy you have. (Unless a Bigger Law shows up). Which is not to say that they don't mess up occasionally, so there is still some kind of risk involved.
Anyway, since I'm at work, I haven't looked at these Paris pics yet - are they actually worth looking at or are they the usual Paris-Hilton-seen-through-the-Hubble-telescope-with-her-top-off that the Sun willingly pays thousands for?