back to article Perv raided college girls' online accounts for nude snaps – by cracking their security questions

Jonathan C. Powell, who hacked into over 1,000 email accounts in search of sexually explicit images and videos of college-aged women, was jailed for six months for computer fraud, the US Department of Justice said on Thursday. Arrested in November, 2016, Powell, a resident of Phoenix, Arizona, pleaded guilty last August in a …

  1. Anonymous Coward
    Anonymous Coward

    I want to see the picture evidence... ummmmm you know, so I can, ummm decide his guilt for myself!

    (Trundling off to usenet and darkweb, in search of Powell's hidden booty!)

    1. Robert Carnegie Silver badge

      Helpfully the news story was illustrated with one of the pictures... or not exactly, but, I think that was a bad decision.

  2. Anonymous Coward
    Anonymous Coward

    You were at that men-only charity ball the other night, weren't you?

    1. Anonymous Coward
      Anonymous Coward

      use reply to

      or just ask whoever happens to post above you....

      1. Anonymous Coward
        Anonymous Coward

        Re: use reply to

        One day, people will use the reply button.

        1. Anonymous Coward
          Anonymous Coward

          Re: use reply to

          I thought I did. But it's that Reg functionality flaw, where if you're not logged in, it invites you to do so, but then creates your reply as a new post.

          One day, the Reg will fix that. And provide a direct link back to the article from the "Reply to" screen. But it is not that day! An hour of trolls and shattered web interfaces when the age of Men comes crashing down! But it is not this day! This day we type! By all that you hold dear on this good Earth, I bid you stand! Commentards of ElReg!

  3. ThaumaTechnician

    Everytime I see "Mother's maiden name" on the list of security question...

    I get all twitchy like Inspector Dreyfus's left eye.

    1. Andy Non Silver badge

      Re: Everytime I see "Mother's maiden name" on the list of security question...

      I know what you mean. I never use the real answers to these common security questions. The downside is that I need to keep encrypted files for each organisation I deal with listing all my different mother's maiden names, pet's names, schools attended etc. I guess most people don't give a second thought nowadays to liberally sharing personal information all over the net, facebook etc. Can't say as I keep any nude photos online either, not that anyone would be interested in seeing the naughty bits of a sixty year old bloke.

      1. Anonymous Coward
        Anonymous Coward

        Re: Everytime I see "Mother's maiden name" on the list of security question...

        "[...] not that anyone would be interested in seeing the naughty bits of a sixty year old bloke."

        My 90 year old neighbour would have considered you a cute toy boy. IIRC nowadays she would be called a "cougar". The internet has surely taught us that YMMV has a universal application to every human taste, aesthetic, or experience.

        1. Androgynous Cow Herd

          Re: Everytime I see "Mother's maiden name" on the list of security question...

          That's not a Cougar. That's a Sabretooth.

      2. Alistair
        Windows

        Re: Everytime I see "Mother's maiden name" on the list of security question...

        @Andy Non:

        Somewhere, hidden in a dark corner of the interwebs is a Gilf site. Because, it is the internet.

      3. HellDeskJockey

        Re: Everytime I see "Mother's maiden name" on the list of security question...

        >Can't say as I keep any nude photos online either, not that anyone would be interested in seeing the >naughty bits of a sixty year old bloke.

        You mean those young attractive women on the internet who tell me they like older umm larger men are lying to me? I'm in shock.

    2. Anonymous Coward
      Anonymous Coward

      Re: Everytime I see "Mother's maiden name" on the list of security question...

      So do I.

      It is a wonderful experience every time I listen to an Indian call centre agent trying to pronounce a Slavic name transliterated into English.

    3. Robin

      Re: Everytime I see "Mother's maiden name" on the list of security question...

      Some security questions are terrible.

      On the phone, HSBC ask for your sort code and account number first off. Then as one of the security questions, they ask you to confirm which branch the account is held in. You know, that publicly-searchable sort code lookup information?

      1. Ian Johnston Silver badge

        Re: Everytime I see "Mother's maiden name" on the list of security question...

        The Co-Op bank ring you up and ask you to answer one of your security questions, then give two digits of your telephone banking PIN. I emailed them to explain how easily exploitable this is (Scammer: "Sorry, that didn't get accepted, we'll have to try again. Can you tell me your first school, please, and this time the second and third digits of your PIN?) but they seemed to think it was wholly secure. So I started reporting every call from them to their own fraud hotline. I understand that they still make these calls, but I don't get them any more ...

        Curious aside: Their old internet banking system used to ask me for my first school (out of five security questions) about 80% of the time.

        1. TrumpSlurp the Troll
          Trollface

          Re: Everytime I see "Mother's maiden name" on the list of security question...

          First school?

          Perhaps they were using old skool software?

    4. Anonymous Coward
      Anonymous Coward

      Re: Everytime I see "Mother's maiden name" on the list of security question...

      What really annoys me with regards to mothers maiden name and other such related security questions is when a work application asks for them. Understandably I never give the correct answer and usually use an expletive so if anyone with control over said database ever accesses it then my feeling will be rather clear.

      1. Mage Silver badge
        Facepalm

        Re: Everytime I see "Mother's maiden name" on the list of security question...

        a) Most big companies are rubbish at security

        b) Why expect ordinary people to be better? In about 30 years of PCs in schools, almost nothing is taught about creating and managing passwords. Telling people to have up to date AV software is not security training.

        c) "… obtaining private sexually explicit photos, which people apparently store in their email accounts without much thought about security. It's not immediately clear why the large number of such images on the internet did not suffice*." Why do people take sexually explicit photos (of themselves)? They did it in film days too. Yes, labs made extra prints. Why then store them on so called "Cloud"?

        d) Well, no matter about the level of stupid of a-c above, he does deserve suitable punishment.

        [* For the miscreant breaking in or the people taking and storing the photos?]

    5. quartzie

      Re: Everytime I see "Mother's maiden name" on the list of security question...

      Ay, there's the rub.

      These questions are a stupid "solution" to a practical problem - Passwords, and their (often moronic) implementation.

      Case in point: My reasonably computer-literate parents already struggle with the idea of keeping separate complex passwords for every account they use - and they use far fewer than I do. Remembering said passwords is a lost cause.

      I'm trying to get them used to the idea of a password manager, but they are more likely to use pen and paper, so the complexity of the password is going to suffer.

      Want to bet how many people don't really have anyone with at least rudimentary understanding of computer security they could ask for advice?

      1. Cuddles

        Re: Everytime I see "Mother's maiden name" on the list of security question...

        "These questions are a stupid "solution" to a practical problem - Passwords, and their (often moronic) implementation."

        The problem is that there's really no way around this, no matter how you try to implement things. No matter what method you use for authentication, it will always be possible for it to be lost, damaged, forgotten, or otherwise compromised in some way. When that happens, you need a backup method of authentication in order to fix or replace the original. That provides an additional attack surface, and there's simply no way to avoid that. Bad password policies and weak security questions certainly don't help matters, but there's almost always going to be someone with legitimate access to whatever information you want to use, which makes it almost impossible to protect against a malicious insider or simply another big hack releasing it all into the wild.

      2. Mage Silver badge
        Coat

        Re: password manager, but they are more likely to use pen and paper

        Well, only the non-financial passwords should be in the password manager, which should NEVER be on the cloud.

        ALL passwords should be in an indexed address notebook, with user name, website, what it's for, email used, security questions / PIN etc if applicable, password. And NEVER EVER kept in same jacket / handbag as phone if it is used for main internet (DON'T use it for anything important and then you don't need password book for it.) Never keep with Laptop/Tablet.

        Then too, if you get knocked down, struck by lightning, heart attack, assassinated etc, the survivors can access your computer/laptop/phone and the internet accounts etc.

        If you have a really important domain, consider creating a trust to manage it and hosting. Will should give Executor location of password book, main pass for main gadget and its browser password manager etc.

        1. Hans 1

          Re: password manager, but they are more likely to use pen and paper

          @Mage

          You are almost there, but I downvoted ... because sensitive accounts (HMRC, banks) should be kept in two separate physical locations if they need be recorded somewhere else than one's brain.

          Also, the jacket phone thing .... women will keep phone and diary in their handbag ... then again, handbag snatchers are usually after money and ID, so they grab ID/Passport/Driver's license, any cash and the credit/debit card(s), search for papers stored in same location as cards for pin's ...I doubt they would go through the diary for online account passwords ... not their business model, yet ...

      3. Hans 1
        Thumb Up

        Re: Everytime I see "Mother's maiden name" on the list of security question...

        but they are more likely to use pen and paper, so the complexity of the password is going to suffer.

        Not really, if you explain a little ...

        E.g. https://xkcd.com/936/

        Simple passwords, almost impossible to guess, straight forward to write down.

        Written-down passwords are safer than software password managers, try and hack their diary/appointment book ...

      4. Robert Carnegie Silver badge

        Good passwords

        Password strength test https://www.my1login.com/resources/password-strength-test/

        Random data generator https://www.random.org/ - I favour a string of 20 capital letters.

        Both to take with a pinch of salt. I either shuffle the random letters before use, or devise a novel way of reading them into a password e.g. every 3rd letter skipping any that don't fit.

        Alternatively I pick letters from a page of the bible, again not just a straight reading.

        As to "fit": I've seen passwords rejected by assorted rules including "includes actual word" (reasonable-ish, but the risk is up to me) and "uses the same letter twice" (what the actual foolishness). So I pick:

        Consonants only.

        The first capital, the rest lower case.

        No repeats.

        6 letters then 2 numerals, also no repeat. The random generator includes a timestamp that can provide numbers, or, convert from letters.

        If a site insists on a non-alphanumeric symbols then I add !

        So for instance: Nsytrh35!

        On the other hand, I suspect that at least one system that I use doesn't recognise the ! symbol. Fortunately it doesn't also require it.

        Nsytrh35! is rated "Strong", which is a bit of a worry since that formula usually provides "Very Strong".

        Incidentally... I am finding these harder to remember now. It could be Oldtimer's Disease.

        For public use I set and hand out a password in format of ABCD-EFGH-IJKL-MNOP-QRST which is the 20 letters with places to stop for a rest. After jumbling it first.

    6. Kane
      Thumb Up

      Re: Everytime I see "Mother's maiden name" on the list of security question...

      "I get all twitchy like Inspector Dreyfus's left eye."

      Everyday in every way I am getting better and better!

    7. Just a geek

      Re: Everytime I see "Mother's maiden name" on the list of security question...

      I had a phone call with O2 the other day, I was asked to give an answer to a security question not too dissimilar to "mothers maiden name", for all of these I just use random letters and numbers stored in a password tool.

      The women on the phone seemed genuinely impressed that I could remember all of those random numbers and letters..........

      Also, all the calls are recorded so these "security questions" and all bollocks.

    8. david 12 Silver badge

      Re: Everytime I see "Mother's maiden name" on the list of security question...

      Security experts recomend that the name of your first dog should contain at least 8 characters, with a mixture of uppper case , lower case, and numbers. Also, it should contain no common characters or subsets of your own name....

    9. Robert Carnegie Silver badge

      Security question...

      My password hint is "There is no hint."

      That saves thinking of something cute, although It's a little tempting to put something like "Underwear row - Sun skewers old soldier (6, 4)". This is from the crossword puzzle in Private Eye 1461 which I haven't done any of, but the answer almost certainly isn't my password. A possible catch is that a hacker gets encouraged and then frustrated and insists on actually finding out what my password is in order to get closure, and eventually they would. But I think most of them prefer low-hanging fruit.

      The answer seems to be due to be printed in Private Eye 1462 anyway (20 down and 23 down), now on sale.

      1. Robert Carnegie Silver badge

        Re: Security question...

        ...apparently the puzzle answer is "string vest" but I have no idea why except that a "string vest" is underwear... wait: maybe "row" = "string", "old soldier" = "vet" (veteran), and "Sun skewers" means somehow "insert letter S in the middle of the word", thus, "vest".

        I would not have got that, and there is a prize but you wouldn't make a living from this.

  4. NanoMeter

    The internet is already full of girl's leaked photos. There was no need for the horny toad to do this.

    1. Anonymous Coward
      Anonymous Coward

      Hell, the internet is full of intentionally published naughty photos, by willing people even. (and sometimes they are even accessible for free!)

    2. Anonymous Coward
      Anonymous Coward

      Humans are an animal with curiosity. Forbidden fruits are always considered more tempting - an idea that recurs in the stories of our ancestors.

      As D.H. Lawrence wrote in his poem about figs: the leaves are not a covering of shame - but an adornment to pique curiosity. Salome's dance may not have used the seven veils of Victorian literary imagination - but the suggestion is similar.

    3. Jason Bloomberg Silver badge
      Paris Hilton

      There was no need for the horny toad to do this.

      I am wondering how many successes he expected to get. And how many he actually got.

      It wouldn't be the first route I'd choose if I were planning to take the bishop out for a bashing.

  5. Stuart Halliday

    I suspect he got off on the hack rather than what he found.

    1. chivo243 Silver badge
      Happy

      @Stuart Halliday

      I would tend to think it was a bit of both. First the thrill of the hacking, and then the thrill of whacking or jacking... depending where you're from. Happy endings for all you hackers!

  6. DNTP

    The very definition of "security by obscurity"

    Your pet's name? Your city of birth? Your grandmother's middle name? All of this is great security. Until you or anyone connected to you puts it up on Facebook. How do people who know anything about what social media is still insist on relying on this kind of security by obscurity authentications? Oh, right, administrators and managers.

    1. Nick Ryan Silver badge

      Re: The very definition of "security by obscurity"

      Security questions reduce the overall level of security, not increase it. I've yet to see the moron tracked down who came up with this stupid idea in the first place but they deserve a thorough beating for introducing something so dumb.

      1. fnusnu

        Re: The very definition of "security by obscurity"

        Easiest solution:

        Use your password manager (e.g. Keepass) to generate 'passwords' for these fields and store the questions and answers in the notes box attached to username and password.

        e.g.

        Where were you born? e)\I7l}$=c&T@Pin+{m]

        What is your mother's maiden name? Zg%N7al:Y2#R+fmwnc)C

        etc, etc

        1. Loud Speaker

          Re: The very definition of "security by obscurity"

          Use your password manager (e.g. Keepass) to generate 'passwords' for these fields and store the questions and answers in the notes box attached to username and password.

          You are ignoring the people using Meltdown to access your password manager. This is not a good plan. Use Post-it notes. The old ways are the best!

    2. Robert Moore
      Coat

      Re: The very definition of "security by obscurity"

      I have been thinking about this for a while. I think it is time fro me to make up some fake biographical information for these types of questions. EG:

      Mother maiden name: Stalin

      City of birth: Hiroshima

      Pets name: Cujo

      Elementary school: Goebbels Elementary

      You get the idea. Obviously I would need to store these in my password manager.

      1. wyatt

        Re: The very definition of "security by obscurity"

        I've started doing this, password managers are very useful. You do get some pauses after you answer sometimes, I have to remind them that they're only looking for the correct answer not one that makes sense.

        1. Alan Brown Silver badge

          Re: The very definition of "security by obscurity"

          " I have to remind them that they're only looking for the correct answer not one that makes sense."

          Having a pet's name of "PhuckyMcPhuckyourself" is both valid and cathartic

      2. Hans 1
        Happy

        Re: The very definition of "security by obscurity"

        Makes me think of my English SSID, the password is a succession of German words ... why German ? Nouns in German take a capital letter, so you automatically get case right ... of course, who in France would think an English SSID would have German words in its password ...

      3. Anonymous Coward
        Anonymous Coward

        Re: The very definition of "security by obscurity"

        i STORE all my passwords on a piece of paper , but I go one better by typing this list up on my computer so that the caps and special numbers are legible. I dont ahve any illusions about how secure this is , but I see no alternative, tryied a password manager once but after using a laptop with NO caps lock indicator, the pain became unbearable, printed list on paper for me +2fa + no facebook ....

      4. Anonymous Coward
        Anonymous Coward

        Re: The very definition of "security by obscurity"

        Some time ago I set up an account (I don't remember which) that requested my mother's maiden name. So in disgust at being adked to provide such irrelevant personal information, I typed 'bollocks', not realising I would be asked for this information by the girl on customer support. Fortunately she had a good sense of humour. She also thought I was the born in 1999 and my first name is 'po'.

        I now have to keep this sort of false information written down, ever since it took two attemots at false mother's maiden name before one support agent would deal with my query.

    3. eldakka

      Re: The very definition of "security by obscurity"

      For starters, at the very least, you use different answers to what the questions are asking.

      e.g. Mother's maiden name? Main Street (i.e. street where you first lived)

      Favourite Author? Spot (name of first pet)

      Favourite sports team? Victoria's Secret (where you work).

      Anyone who answers the questions with the correct values for the question itself is stupid and shouldn't be allowed unsupervised on the internet.

      Better than mixing up the answers would be to use either totally random words or treat each of them like a password field:

      Mothers maiden name? Trombone (random word)

      Mothers maiden name? jnk0dS@t(es (just like another password).

      1. werdsmith Silver badge

        Re: The very definition of "security by obscurity"

        Just come up with set of strong passwords and use them as the answers.

        It is a moronic way of doing things, just as moronic as the banks that send out "Your Statement is ready to view" emails with a masked link button to your account login page.

        At one job they set a self service password recovery system up using this three question system and one of our guys demonstrated how to socially engineer the answers out of people and change passwords.

        Then the company attempted to discipline him until we brought them to their senses.

  7. JLV
    FAIL

    Dude, pornhub is free.

    2nd fail: if only the question pool, across most institutions, wasn't limited to a dozen or so. Some of which can probably be researched or guessed. Ranks right up there with mom's maiden name.

    Good idea the 1st time someone thought of it. Stupid by the time the 2nd person copied it.

  8. Barry Rueger

    Inevitable Consequence

    Whenever I'm presented with one of these I find two things.

    First, inevitably three-quarters of the questions could be answered by anyone with access to my Facebook account (assuming I actually gave FB the info) or even LinkedIn or a dozen other common sites.

    Second, I invariably find that the sites with the most boneheaded "Security" questions are also the ones with the most boneheaded password rules, and are often the sites that wind up being hacked.

    I seriously doubt that any authentication scheme like this is at all secure. Anything that relies on publicly available information is by definition insecure. And these days almost everything is publicly available if you know where to look, especially because so many sites insist that you log in using Facebook, Google, or other shared log ins.

    1. Allan George Dyer

      Re: Inevitable Consequence

      @Barry Rueger - "the questions could be answered by anyone with access to my Facebook account (assuming I actually gave FB the info)"

      It's worse than that, you don't even need a FB account if your maternal grandparents post that you visited them on their FB account. These questions are inherently leaky.

    2. herman

      Re: Inevitable Consequence

      The funniest thing is when the password field limits the characters that can be used, but the questions do not. The obvious improvement then is to treat all these fields as random passwords stored in KeepassX.

    3. 's water music

      Re: Inevitable Consequence

      because so many sites insist that you log in using Facebook, Google, or other shared log ins

      Perhaps you and I browse a different set of resources but whilst many sites offer such common login platforms I can't think of any off the top of my head that require their use. I never use them so I would have noticed.

  9. g00se
    Facepalm

    Yur pr0nz are belong to us

    Powell's interest in all this was obtaining private sexually explicit photos, which people apparently store in their email accounts without much thought about security. It's not immediately clear why the large number of such images on the internet did not suffice.

    Wouldn't an obvious possible reason be yet-to-emerge coercion/blackmail?

    1. Rich 11

      Re: Yur pr0nz are belong to us

      College students aren't the wealthiest of people. There'd also be a good chance in that environment that any woman threatened with coercion would have a couple of large friends overflowing with testosterone who were willing to go along to any proposed meeting and resolve the issue.

      1. DavCrav

        Re: Yur pr0nz are belong to us

        "There'd also be a good chance in that environment that any woman threatened with coercion would have a couple of large friends overflowing with testosterone who were willing to go along to any proposed meeting and resolve the issue."

        This being America, it's likely that someone involved has a gun, probably the blackmailer, so I'm sure that will end well.

  10. Slx

    Multi-factor security should be required.

    In my opinion, any site holding personal data would be required to use multi-factor security. These hacks are becoming too frequent, and it's fairly obvious that a significant % of users do not understand how insecure their data is, if they don't take adequate precautions.

  11. JWLong

    Maybe,

    These dumb ass college c*nts should learn not to post their porno pictures on a college email server that's protected with the same security questions that blowme.cum uses.

    1. rmason

      Re: Maybe,

      I think it's time to consider the fact that you, JWLong, might be the c*nt.

      1. Sir Runcible Spoon
        Coat

        Re: Maybe,

        Never say c*nt, it's cannot, and it has an apostrophe when abbreviated.

  12. Francis Boyle Silver badge

    "It's not immediately clear why the large number of such images on the internet did not suffice"

    Because like the rapists and the Harvey Weinsteins of this world he gets off on the violation of his victims not the literal sexual element.

    1. Anonymous Coward
      Anonymous Coward

      Re: "It's not immediately clear why the large number of such images on the internet did not suffice"

      What do you do when you know someone's right but feel you have to disagree anyway?

      Click that downvote button then scuttle away before anyone can ask you why!!!

      1. This post has been deleted by its author

      2. Anonymous Coward
        Anonymous Coward

        Re: "It's not immediately clear why the large number of such images on the internet did not suffice"

        "Click that downvote button then scuttle away before anyone can ask you why!!!"

        It is possible to switch between up/down votes later - but not to cancel both completely. To my mind a second click on the same option should toggle it to a neutral state.

        People who have down voted a posting may wish to change their minds later when they realise they misread or in some way misunderstood. However they may feel that they still don't want to actually approve the posting.

        On the other hand people who vote possibly don't always revisit the thread later to see if any replies cast a new light on the original posting.

        Down votes can be an expression of "me too" to align with the content of a later reply posting. However for what appear to be factual subjects then one would expect at least one of them to post a reply expounding their objection for the benefit of everyone.

        I do wonder at the posters who attract large numbers of down votes based largely on their previous controversial stances. It can become mob rule if people are trying to browbeat anyone into silence. If you are tired of a particular poster's attitude - if you aren't going to contest their view then just ignore them. If you approve of someone else's considered reply then up vote them.

  13. Daedalus

    Which character are you?

    No mention here of the various Facebook "fun" pages where you enter various bits of personal info to discover which Simpsons character you are. You know, stuff like you pet's name, your mother's maiden name etc. For all we know this guy was behind some of those.

  14. js6898

    If you know someone's date of birth (even approximately) and where they were born you can get the mother's maiden name from the GRO - indexed on FREEBMD.

  15. Brian Allan 1

    No device is really safe from hacking, just depends on the determination of the hacker! I hope the pix he acquired were worth six months in jail and the huge fine!?

  16. Maelstorm Bronze badge
    FAIL

    No Proxy

    Those who don't use a proxy when doing nefarious things are just asking to get caught. The police's job would be much harder if criminals weren't as stupid as this guy seems to be.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like