He faked letters to the judge, using a computer in violation of the terms of his bail? O-kay, he’s an idiot. The judge will throw the book at him. Kiss bye-bye to sunlight, boyo, you ain’t gonna be seeing it for a while.
This scumbag stole and traded victims' nude pics and vids after guessing their passwords, security answers
A college graduate has admitted hacking into the email and online accounts of female students, stealing their nude photos and videos, and trading them with others. Nicholas Faber, 25, on Tuesday pleaded guilty to one count of computer intrusion causing damage, and one count of aggravated identity theft. He is scheduled to be …
COMMENTS
-
Thursday 11th February 2021 03:10 GMT Falmari
Computer++ sentence
The computer intrusion offence carries a maximum sentence of 10 years.
Not saying the maximum sentence is too high also I really don’t know much about sentencing in the US. But is that comparable to old fashion burglary and stealing nude photos and films? I maybe wrong but it seems put computer in the mix and up the penalty goes.
-
-
-
Thursday 11th February 2021 07:54 GMT Falmari
Re: Computer++ sentence
@IGotOut you have a point. But what’s to stop you selling to someone that uploads to a porn site. The computer intrusion and how much and what you steal is the crime the same for burglary. Does how you enjoy your ill-gotten gains make a difference to the sentence. If I spend it alcohol and fast women will I get a heavier sentence than spending it on real estate and travel?
But yes, you have a point I just wondered as it seems to me that breaking into a computer carries a heavier penalty than breaking into a house stealing the same value of property.
Just my observation from the UK which may be wrong.
-
Thursday 11th February 2021 11:08 GMT low_resolution_foxxes
Re: Computer++ sentence
In the UK, if the police catch you 3 times for domestic burglary, it is generally a 2-4 year sentence. Although frankly the 1st time you'll probably get away with a court order.
Amusingly, you have to think how many times/how bad the thief was, if they managed to be caught 3 separate times by the police. I mean, it's not like the police actively chase you down for it. You literally have to be caught on camera and recognised with a full name and address, in order to get them to arrest you (I recognise it is a hard job btw).
-
Thursday 11th February 2021 12:06 GMT Arthur the cat
Re: Computer++ sentence
You literally have to be caught on camera and recognised with a full name and address, in order to get them to arrest you
In a recent case round here the very considerate burglar left his wallet, complete with (his own) credit cards and driver's license, at the scene of the crime. I bet the copper knocking on his door had a bit of fun: "excuse me sir, did you recently lose your wallet?".
-
Thursday 11th February 2021 18:02 GMT Cynic_999
Re: Computer++ sentence
Although the burglar could have said that his wallet had been recently stolen, and any court would find it quite plausible that the unknown wallet thief then went on to commit burglary. Thus unless he was stupid, the wallet alone would not have been enough to convict.
-
Friday 12th February 2021 23:47 GMT MachDiamond
Re: Computer++ sentence
"In a recent case round here the very considerate burglar left his wallet, complete with (his own) credit cards and driver's license, at the scene of the crime. "
Not as good as the one that broke into an off-license, cracked open a bottle and got so pissed he passed out. The police didn't have a hard time tracking him down as he was sprawled out on a table when they finally made it around.
-
-
Thursday 11th February 2021 13:03 GMT DrewWyatt
Re: Computer++ sentence
A few years ago I was looking in to putting in a CCTV system. I asked the local old bill about it and they told me that they would not accept any images from private CCTV systems as evidence, as there was no chain of custody. Basically, I couldn't prove that the location, date and time were correct. If I wanted them to accept the footage as evidence it had to be installed by a qualified and certified installer and run by an approved and certified company.
In the end I didn't bother.
-
Thursday 11th February 2021 13:57 GMT Anonymous Coward
Re: Computer++ sentence
I asked the local old bill about it and they told me that they would not accept any images from private CCTV systems as evidence
Seems a little odd then, how many times police actually ask for CCTV images and how often it is shown in news items where some crime is involved.. evidence is evidence whatever form it takes. Not only that but CCTV is useful for reasons other than anything to do with whether your local police think it is useful to them or not. I think most detectives would find it useful even if it's inadmissible in a court.
-
Thursday 11th February 2021 18:10 GMT Cynic_999
Re: Computer++ sentence
You cannot always prove time & date, but you can usually prove the location from the image itself. And if the police were willing to make the effort, time & date can often be proven from things such as the weather, shadow angle and questioning the owners of vehicles and innocent passers-by seen on the CCTV image.
Plus if the owner of the CCTV testifies that the recordings were made at a certain time & date, or that he checked the system time and date soon afterwards and found it to be correct, while not being absolute proof, the testimony is just as much evidence as the testimony of an assault victim or eye witness.
-
Thursday 11th February 2021 20:10 GMT Jonathan Richards 1
Re: Computer++ sentence
> time & date can often be proven
I've thought of this off and on for years. One used to be able to get a document notarized, i.e. certified by a trusted professional as having been dated at a point in time. What we could do with is a digitally-signed time signal service which yields an encrypted stream that could be incorporated into e.g. surveillance video, which would (a) place it in time exactly, and even (b) prove that the image had not been tampered with.
Now someone will kindly reply that this is already A Thing, and I shall be grateful.
-
Thursday 11th February 2021 23:19 GMT doublelayer
Re: Computer++ sentence
It depends how you want it done. If a stream is generated and sent to a system for it to be embedded by that system, there are two possible problems. The first is that someone wishing to forge a time could get the stream and store it, later to overlay the stream as it was released at the desired fake time. They can also wait until the time they want and overlay a future time. The second problem is that such a stream would require a consistent network connection. If power or network failed but the camera continued recording, there would be no way to continue adding the time until those came back. This might not be important.
I can solve the first problem but not the second. The way to solve the first one is to set up a system which can accept hashes and store them in a database. The video for a given time can be hashed and that hash submitted to the remote service, which timestamps the entry. That would prevent someone specifying an earlier time, which is the most often deliberate adjustment. They could provide an old hash to make something look like it happened later than it did, but they'd have to do it consistently because the chunks before and after the occurrence could be verified true as well. That still requires a network connection and someone external who stores the database. Given the worth to a police department of unverified images, I don't think I'd bother going to that extent on private security cameras.
-
-
-
Thursday 11th February 2021 21:54 GMT John Brown (no body)
Re: Computer++ sentence
"In the end I didn't bother."
If you had, and there was an "incident" in the neighbourhood that may have been caught by your CCTV or even a possible suspect walking past your house, you can bet they'd have been around asking to view it though. Chain of custody or not.
-
Friday 12th February 2021 14:37 GMT Morat
Re: Computer++ sentence
I installed the CCTV at work, I'm not a qualified installer. The police have made successful convictions on the back of "my" CCTV evidence.
Our system does incorporate the time/date into the video. I guess you could argue about whether our NTP is correctly configured but it hasn't been challenged so far.
-
-
-
Thursday 11th February 2021 22:09 GMT Michael Wojcik
Re: Computer++ sentence
The simple fact is that sentencing guidelines don't make a lot of sense. And when they do, it's the wrong kind of sense: crimes for which poor people and minorities are disproportionately convicted often have disproportionately high sentences, for example.
Congress and state legislatures don't deliberate proportional responses to various categories of crimes. Someone decides to grind a particular ax and gets a section stuffed into a bill raising the sentence for a particular category of criminal activity. Then for whatever reason that bill gets enough support to pass.
We could assign penalties by throwing darts, but that might prove too equitable.
-
-
-
Thursday 11th February 2021 09:28 GMT My-Handle
Re: Computer++ sentence
Theoretically speaking, a longer sentence acts as more of a deterrent.
Burglary may have a shorter sentence because less of a deterrent is needed. In most cases it's much harder to physically break into someone's house than hack their computer and you're likely to leave a lot more evidence behind. You're more easily caught, and that risk will act as a deterrent in itself.
Hacking, on the other hand, is much easier for a certain subset of people. The perceived risk is much lower, so there's less deterrent in committing the crime itself. So a harsher sentence may be needed to add that deterrent.
-
Thursday 11th February 2021 09:53 GMT Blazde
Re: Computer++ sentence
I think 10 years is a fairly typical maximum sentence for non-aggravated residential burglary (the kind most likely to lead to nudes being physically stolen). It will vary between States of course.
If you broke into a data centre and physically stole a hard-drive with nudes on I think you might get off more lightly since it's only burglary from a commercial building. (Or maybe they'd find a way to do you for computer offences anyway, I don't know).
-
Friday 12th February 2021 23:44 GMT MachDiamond
Re: Computer++ sentence
"I maybe wrong but it seems put computer in the mix and up the penalty goes."
Stealing things from an online repository breaks the myth of how safe it is to commit all of your information to "the cloud". We all know that a home can be broken into through years of news reports.
They® want people to put all of their private information online with an emphasis on financial records. The more information that is digitized, the easier it is to have a squizz without actually kicking in a door.
-
-
Thursday 11th February 2021 05:01 GMT Joe W
"Security" questions....
Yeah, right. Those actually decrease the security of the account, as much of the information can be found online, like the town you grew up in, pets (for me not the first pet, as the internet was still very much in its infancy, as was I), former girlfiend-/boyfriends and where you met them, cars, favourite books or movies, you name it, the internet's got it. Maybe not for me, not too easily found at least (I hope), but for the kids (everybody under the age of 30 ;-p ) today. Everything is likely archived on facebook, easy to search for (I guess, but I don't use FB, so I don't know).
I hate these "security" questions. "A lot" (as Brian of Nazareth said)
-
Thursday 11th February 2021 06:33 GMT Jan 0
Re: "Security" questions....
Who says you have to give the correct answers when setting up an account? No amount of internet searching would suggest that I was born in a town called Yzsssphftt or that my first pet was called Z9%4ë. Mind you, you won't find my nude vids on any internet connected server!
-
Thursday 11th February 2021 11:21 GMT MyffyW
Re: "Security" questions....
"Mind you, you won't find my nude vids on any internet connected server!"
Well indeed, and whilst I'm perfectly up for getting my kit off with the right partner it never even occurred to me to be photographed in such a state. For which the world should be very thankful.
-
Thursday 11th February 2021 12:07 GMT arachnoid2
Re: "Security" questions....
Yes why do people take such questions so literally, adding your own spin on the responses is an extra layer to the onion.Its like everyone and his dog wants to know your date of birth as part of their security (looks up your media account oooh there it is), pick an obscure date not related to your own.
-
Thursday 11th February 2021 22:02 GMT John Brown (no body)
Re: "Security" questions....
"Who says you have to give the correct answers "
Unless you are consistent or keep careful note, what's the odds of most people remembering which fake details they gave to a specific site? The reality is that you just creating multiple passwords for the same site. The vast majority pf people will create real answers to so-called security questions simply because that's what's easiest to remember.
-
Thursday 11th February 2021 08:39 GMT Anonymous Coward
Re: "Security" questions....
I always give weird and irrelevant answers to the security questions. This usefully ensures that no-one else can guess them, but also means I have no idea either! [1]
-
[1] Well, naturally I do keep notes containing hints to the answers. But what may have been an obvious & giveaway hint two years ago when I made up the answer is typically of less use when I actually *need* it. :-)
-
Thursday 11th February 2021 11:29 GMT Anonymous Coward
Re: "Security" questions....
Another problem is that a large portion of the attacks come from people that know the victim anyways (disgruntled ex, pranking friends, employees, horny students, ...).
Even if you don't share anything on the internet, these people will often already know the answers to many of these questions or can simply ask without raising too much suspicion.
Most of the answers are also easily guessed (especially with some knowledge of the victim).
There are only about 700 birthdays in a two year period, most pet names will be from a set of a few dozen and the top ten lists for a few years likely cover favorite shows, books and movies for lots of people...
-
-
-
Thursday 11th February 2021 11:29 GMT Anonymous Coward
Re: It isn't a excuse, but
I'd guess that they didn't transmit the photos by email but rather connected their email address to the services where they did send them (Snapchat, Messengers, ...) and the attacker simply used access to their email address to reset the associated passwords.
Or perhaps the attacker gained access to their iCloud or Google Account where their phones synchronize and/or backup every picture they take automatically...
Your email account(s) provide access to almost all of your other online accounts through password reset features and conveniently your stored emails typically reveal where those other accounts are as well.
-
Thursday 11th February 2021 22:07 GMT John Brown (no body)
Re: It isn't a excuse, but
According to the article, the files were stored on their university cloud portal. Without trying to victim-blame, if I was tempted to create nude photos or videos of myself, I'd sure as hell not be saving the files to my university account, or anywhere else not in my direct physical control!
-
Friday 12th February 2021 15:33 GMT FrogsAndChips
Re: It isn't a excuse, but
The article isn't that specific. The uni portal gave access to "email, a cloud storage account, college billing and financial aid information, coursework, grades, and other personal information". The attacker used that information to gain access to other social media accounts, which is probably where he found the pics and vids, rather than on the uni cloud storage.
-
-
-
-
Thursday 11th February 2021 08:03 GMT deadlockvictim
Blame
Article» The two broke in either by guessing passwords or answering a security question correctly, then used the portal's information to try again for external email, cloud, and social media accounts.
The two on trial are clearly bad eggs.
I won't blame those accused on the grounds that they followed the rules laid down by the uni.
Does this demonstrate that the security laid down by the university is insufficient and should be tightened? For example, Time-based One-Time Passwords.
[TOTP (1)]
By having a portal, the university greatly increased the value of breaking the password.
I wonder if the rules regulating the pasword were too weak and allowed easy-to-guess passwords.
To what extent, though, is the university to blame?
[1] https://www.youtube.com/watch?v=ed5n5I7L2x4
-
Thursday 11th February 2021 22:11 GMT John Brown (no body)
Re: Blame
"To what extent, though, is the university to blame?"
That's an interesting concept. I'd say no blame if the password could be long and complex, but still allowed a short, simple password. On the other hand, if the University limited how long and/or complex the password could be, then yes, they deserve some blame.
Some people might say the university should enforce a long and complex password, but in this day and age, complex passwors should be a "given" by now and not something users need to be forced to do.
-
-
-
-
Thursday 11th February 2021 10:24 GMT Ben Tasker
Re: If you don't want people to see you in your birthday suit
> ut I doubt the pix that were purloined came from people worried about other people seeing their goods... I mean they stored them on a Uni Portal?
Re-read the article ;)
These 2 hacked the uni portal, which led to other student's email. Those email addresses were then used to try and "rest" access to cloud storage. Also, having guessed someone's password correctly, you can try it on other services to see if they've reused passwords.
There's no suggestion that the nudes were stored on the uni portal
-
Thursday 11th February 2021 18:44 GMT chivo243
Re: If you don't want people to see you in your birthday suit
So, they did store a breadcrumb trail in their uni account? Used and reused passwords etc, uni using other auth services and getting stung, sounds about right. Regardless of which portal... all paths lead to Rome.
I remember a saying, Posting something once on the internet and then getting it back is like trying to get pee out of the swimming pool. I guess we have to assume that "storing" anything on the cloud.... is like offering your neck up to Dracula?
-
-
-
Thursday 11th February 2021 10:27 GMT Ben Tasker
Re: If you don't want people to see you in your birthday suit
- If you don't want to get robbed, don't have nice stuff.
- If you don't want to get raped, don't wear a short skirt.
Don't seem quite as reasonable do they?
Having pictures/videos of yourself naked increases the chance of them being seen (because they can't be seen if they don't exist - deepfakes not withstanding), but that doesn't make it the victims to blame for the fact some moralless dicks decided to help themselves.
"Don't take pictures of yourself" does nothing but try and deprive people of agency over their own bodies, whilst giving others an excuse to go "oh it's their own fault".
It doesn't matter whether they're nudes or pictures of your gran in iCloud, they are not there for someone else to peruse and distribute. Just as a short skirt isn't an invitation to grab her arse.
-
Thursday 11th February 2021 11:20 GMT Christoph
Re: If you don't want people to see you in your birthday suit
Unfortunately bad people exist. And bugs in software exist. Yes, you should be able to store whatever you want on your private account. Yes, it ought to be safe there. But just as you have to have high-security locks on your house if you live somewhere there's lots of burglars even though you should be able to leave it open if you want, if you store your photos on the net then you've put them somewhere there are a lot of hackers. The only way to be certain something isn't stolen off the public net is to not put it on there. Saying it's victim blaming doesn't change the fact that there are some extremely nasty people out there.
-
Thursday 11th February 2021 12:16 GMT Ben Tasker
Re: If you don't want people to see you in your birthday suit
> Saying it's victim blaming doesn't change the fact that there are some extremely nasty people out there.
There are.
And yet, on any news story about nudes getting nicked, there's always some eejit saying "shouldn't take nude pictures" or similar, as if that was the solution.
People are going to take photos of themselves, and should have the right to do so.
When one of those nasty people comes along, we should perhaps be focusing on the fact that person is nasty rather than "oh well, you shouldn't have taken pictures of yourself". Otherwise, you are - quite literally - shifting a portion of the blame onto the victim.
Which is a particularly dickish thing to do, particularly given that people who've had their nudes circulated tend to be feeling quite vulnerable anyway.
-
-
Thursday 11th February 2021 18:04 GMT yetanotheraoc
Re: If you don't want people to see you in your birthday suit
Sometimes I blame the perpetrator and the victim *both*. I found your statements to be incomplete:
* "If you don't want to get robbed, don't have nice stuff." ... and go flashing it in a rough neighborhood.
* "If you don't want to get raped, don't wear a short skirt." ... and get drunk alone in a sailor's bar at 3 AM.
* "Don't take pictures of yourself" ... and save them in the cloud.
There's a local bar on the corner. When I walk to the market, I cut through a field so I don't have walk past the driveway to the bar. Because, if I were to be run over by an auto operated while "under the influence", I would blame the drunk driver and myself *both*. So I take the necessary precautions every time.
If the law says that I, as a bystander, have to take action to prevent foreseeable harm coming to another individual, then I don't see why I shouldn't be able to expect other people to take action to prevent foreseeable harm coming to *themselves*.
-
Thursday 11th February 2021 18:16 GMT Cynic_999
Re: If you don't want people to see you in your birthday suit
You'll find that insurance companies are very quick to do similar "victim blaming" Try claiming for a stolen vehicle that you had left parked in an ally with keys in the ignition and the engine running ...
Yes, the car thief is the only criminal. But you'd not be exactly blameless.
-
Thursday 11th February 2021 20:22 GMT yetanotheraoc
Re: If you don't want people to see you in your birthday suit
With a handle like Cynic_999, I doubt you downvoted me.
Usually I try to avoid being downvoted, but in this case I don't care. Shooting the messenger? There are bad people out there, maybe someone thinks my attitude is making things worse for the victims, but you have the wrong guy. I work in Risk and Controls and spend a significant part of my time helping my *managers* comply with their own risk policies. I spend a significant part of my conversations helping my friends be safe in an unsafe world. "Please don't go visit your parents and bring them covid." Etc. At a family reunion I am the one discreetly watching someone else's kids. At a party I am watching that some guy isn't asking the drunk girl to "go for a walk".
I know all about victim blaming. It's wrong when it's done to deflect blame away from the perpetrator. It's right when it's about helping people make safe choices in a dangerous world. Wishing potential victims didn't have to worry about those things doesn't make it so. You want to blame me for victim blaming? I think it's *your* attitude is making things worse. Bring on the downvotes.
-
-
-
Tuesday 16th February 2021 09:55 GMT Danny 2
Re: If you don't want people to see you in your birthday suit
Thankin' you Ben.
-
-
-
Thursday 11th February 2021 16:58 GMT Pirate Dave
Kids today...
Eh, do they ALL take pics of themselfs naked these days? I mean, these guys successfully broke into what, 10 accounts total? And that was enough to find substantial numbers of nekkid pics? Jeesh. And then there's the whole "why did they have those pics into their school account" question, although maybe that was from device backups?
-
Thursday 11th February 2021 19:07 GMT doublelayer
Re: Kids today...
"what, 10 accounts total?"
The article gives numbers. You didn't pay attention.
"He and accomplice Michael Fish, also a former graduate, worked together for two years afterwards to break into dozens of students' accounts in the university's MyPlattsburgh portal and steal their data.": More than ten, surely. Let's see how many.
"Fish also posted some pictures online, later finding graduation photos of the same students and creating edited versions of them alongside the nude photo, naming the 100 students whose photos he had stolen.": Just to make sure it's clear, that's 100 students with compromised information deemed worthy of releasing, not 100 accounts attacked.
"Faber also admitted asking others to break into another 50 or so accounts, providing them with specific names and sometimes email addresses.": We don't know what happened to those people, but they're not in the previous count.
"He tried to break into over 24 accounts himself and was successful with around 10 of them, using a VPN to try and cover his tracks.": I'm assuming this is where you got the 10 from? You should have read the whole sentence to realize that that's just one of the two and the stuff he admitted rather than the truth. Perhaps the sentences above it to get more accurate totals too.
-
-
Tuesday 16th February 2021 17:20 GMT EnviableOne
Hacked ?
so guessing passwords and security questions is Hacking now?
yeah they shouldnt have been doing it, but the victims should have chosen better passwords and/or security answers.
And to top it all, follow the Bruce's advice
"if you wouldn't put it in the local paper, Don't Put It Online"