backtop

Print 43 comment(s) - last by iNGEN2.. on Jul 13 at 12:54 PM

After losing 4 million emails, and information on its admins, The Pirate Bay has been taken down for maintenance (screenshot of cached homepage).
Researcher involved said he briefly considered selling the data to the RIAA/MPAA but decided not to

In an interview with security blog Krebs on Security, Argentinian researcher Ch Russo revealed that he and two of his associates discovered multiple SQL injection vulnerabilities on the world's most popular torrent siteThe Pirate Bay.  They successfully exploited these vulnerabilities to gain 4 million users user names, e-mail, and internet addresses.

While the vulnerability exploited is quite different, the leak is very reminiscent of the recent snatch of iPad buyers' email addresses by Goatse Security.  Unlike that incident, though, the purloined information has the potential to put a number of people in sticky legal water if it falls into certain hands (i.e. the Recording Industry Association of America (RIAA) and the Motion Picture Association of America (MPAA)).

Russo said he briefly considered how much the RIAA and MPAA would give him for the info, but decided against selling it.  He states, "Probably these groups would be very interested in this information, but we are not [trying] to sell it.  Instead we wanted to tell people that their information may not be so well protected."

Brian Krebs -- apparently a TPB user himself -- verified that Russo had this info by sending him his username, in exchange for the gathered email and password hash.  Krebs verified these items were indeed correct, validating Russo's claims.

Russo says he made no alterations or deletions to the records in the system.

He did, however, gain some even more valuable information than the massive record of average Joe and Jane users.  He also looted a list of the user names and MD5 hashed passwords of the top administrators and moderators for the site.  That list would be particularly of interest to the RIAA and its international sister organization, IFPI, which have long fumbled over attempts to try to shut the site down.

Russo contacted The Pirate Bay about his findings, but has received no response.  The site did remove the insecure component, though, safeguarding itself from future attacks of this nature.  Russo, who is only 23, is leveraging the incident as a bit of a publicity stunt of sorts in order to promote his security exploit software package Impassioned Framework.  He hopes to sell that to business as a tool to perform simulated attacks on their networks and verify security, similar to what the popular Eleonore exploit kit does.

The Pirate Bay has released no official response to the news of the breach.  The latest development is that the homepage appears to be down and displays this message:

Upgrading some stuff, database is in use for backups, soon back again.. Btw, it's nice weather outside I think.

Apparently they took the leak pretty seriously.

Comments     Threshold


This article is over a month old, voting and posting comments is disabled
researcher?
By Drag0nFire on 7/8/2010 10:55:22 AM , Rating: 5
I would hardly call him a "researcher". Rather, he's a hacker and a thief. Selling the database to the RIAA would constitute sale of stolen goods.




RE: researcher?
By SSDMaster on 7/8/10, Rating: -1
RE: researcher?
By Aloonatic on 7/8/2010 11:26:49 AM , Rating: 5
They can be considered to be "goods" as "goods" are anything that can be traded. Maybe it's a word used in Britain a lot more to describe merchandise?

Now why you'd put any information worth trading on the pirate bay is another matter :o)


RE: researcher?
By Lerianis on 7/8/2010 8:23:26 PM , Rating: 2
True.... the only thing of 'worth' that I put on there myself for my account is the name of a 'throwaway' e-mail address.


RE: researcher?
By OUits on 7/8/2010 11:41:39 AM , Rating: 3
Read some privacy policies.

In a lot of them, the service counts your personal information among their assets, so if the service is sold, the value of their company will also reflect the value of their members personal info.

From the privacy policy on LinkedIn:
quote:
We may also disclose your personal information and other information you provide to another third party as part of a reorganization or a sale of the assets of LinkedIn Corporation, a subsidiary or division. Any third party to which LinkedIn transfers or sells LinkedIn’s assets will have the right to continue to use the personal and other information that you provide to us.

http://www.linkedin.com/static?key=privacy_policy
Section 2: "Uses of personal information"
Item L: "Disclosure to others"

Personal information is very much considered "goods".


RE: researcher?
By Reclaimer77 on 7/8/2010 4:33:24 PM , Rating: 4
quote:
How can someone's information be considered "goods".


Well by that logic pirated media isn't "goods" either, so hey, what's all the fuss about right?


RE: researcher?
By chick0n on 7/8/2010 11:10:54 AM , Rating: 3
ever heard of "double standard" ?

in this case, if he would sell the info over, RIAA/MPAA/IFPI would call this "do(ing) the right thing"

I dont use TPB cuz I don't download anything (I pay for all my shit) but I think this hacker actually did the right thing by NOT selling the info out to those greedy fucks at RIAA/MPAA/IFPI


RE: researcher?
By BZDTemp on 7/8/10, Rating: 0
RE: researcher?
By Obujuwami on 7/8/2010 1:32:35 PM , Rating: 2
I doubt TPB would get them in court as Apple is pretty much doing the same thing to Gizmodo but no charges have been filed. Plus, in that particular case, Gizmodo is the David to Apple's Goliath, which means that TBP would be crushed under the fanatical boot of the RIAA/MPAA Giant.

I would love to see the RIAA/MPAA take a beating in court, and have to burn its valuable resources on legal defenses or by settling out of court with a massive class action, but TPB wouldn't get any justice even if the RIAA/MPAA bought it. At most they would get a slap on the wrist for purchasing stolen goods, pay a $1000 fine, and get on with their barrage of law suits that will only help to cripple the economy.

You know, in the long run, if people just stop buying stuff from them and attending concerts/movies then we might actually do some damage. Until people as a whole are united to do that, they will continue to rake in millions of dollars and be given free reign to krush, kill, n' destroy the populace as they feel.


RE: researcher?
By BZDTemp on 7/8/10, Rating: 0
RE: researcher?
By HostileEffect on 7/9/2010 11:07:31 AM , Rating: 2
The key words being "long run". It took a long time of the piracy tantrum and DRM to get me to stop buying, I also avoid piracy. The whole mess turns me off to games, movies, gaming magazines, and other frivolous items. The damage isn't limited to just their industry.

let them piss off enough people, eventually, the people who don't normally care, will. Time and money will be shifted to more meaningful things.


RE: researcher?
By iNGEN2 on 7/13/2010 12:54:43 PM , Rating: 2
Very true.

I haven't bought a new video game in quite a long time and used to be a heavy gamer. I only play the old ones I already own (Still playing COD1). When they said I couldn't use a NO-CD to make the games I bought run faster and quieter I got thoroughly annoyed. When they said I couldn't play the same copy on both my PC and my laptop, I stopped buying. I was never a big music lover, but it's the same thing.

DRM is just smiley speak for "we decide what you can do with what you own".


RE: researcher?
By boobo on 7/8/2010 11:27:40 AM , Rating: 1
Technically not a thief since he's not preventing TBP from continuing to use those usernames and passwords. Copyright infringement is not the same as theft. :D


RE: researcher?
By MrTeal on 7/8/2010 12:18:21 PM , Rating: 4
It's not really a copyright, the usernames and passwords would be more of a trade secret. It'd be the same thing if Pepsi stole Coke's formula and started using it. It doesn't prevent Coke from using their formula, but it's theft. Similarly, this would be theft.

http://www.law.cornell.edu/uscode/18/1832.html


RE: researcher?
By Aloonatic on 7/9/2010 2:09:18 AM , Rating: 2
Maybe I'm way off base here, but I almost rated them down and posted a comment reply too, until I realised that they were probably just joking, and deploying a little irony.

If that is the case, +1 boobo :o)


RE: researcher?
By raumkrieger on 7/8/10, Rating: -1
RE: researcher?
By TeXWiller on 7/9/2010 3:19:45 AM , Rating: 1
It is nice to see somebody still remembering the right meaning of the words hacker and cracker.


RE: researcher?
By drycrust3 on 7/8/2010 1:50:24 PM , Rating: 2
Wouldn't this information be copyright? As I see it, that information is copyrighted by TPB. If so, this guy is already in breach of copyright by getting the information without the permission of the owner (TPB), and if this guy sells it to RIAA, then RIAA would have to take him and themselves to court for breach of copyright.


RE: researcher?
By rcc on 7/8/2010 2:15:44 PM , Rating: 3
Let me get this straight. You want TPB to have a copyright on your name and email, etc. ????


RE: researcher?
By Carl B on 7/8/2010 10:01:02 PM , Rating: 2
Uh, I mean isn't it a little difficult to be getting righteous about this guys' "thievery" when the information he's stolen is the names and identities of four million thieves?

In a world where IP isn't sacred to begin with, I don't think anyone is deserving of tears - it's a harsh digital world out there, and the this guy is no more or less guilty than are TPB users themselves, than are the RIAA for their actions.


RE: researcher?
By tastyratz on 7/8/2010 10:48:44 PM , Rating: 2
Good point.
Sale of stolen goods. Lets think for a second here.

"copying a song is stealing 1 song" Against the will of the riaa
sound familiar?

This guy copied their content against their will and made a copy. He did not destroy or change original data but just made a digital copy.

Does anyone else think he should not sell to the RIAA - but pray the RIAA approaches him to attempt to purchase said information? Can you imagine what kind of juicy leverage that would be against them in court by the defendants?

I don't want them to get the data... but I would love to see them try.


Who's still uses Pirates bay??
By Makaveli on 7/8/2010 8:13:22 PM , Rating: 2
To any noobs reading this don't use Public Torrents sites or you are asking for it!




By Lerianis on 7/8/2010 8:36:31 PM , Rating: 2
Using public torrent sites is NO MORE OR LESS safe than using private sites. You just have to be smart and run something like PeerBlock or PeerSavage (yes, that is a real program).


RE: Who's still uses Pirates bay??
By bigboxes on 7/8/2010 11:27:53 PM , Rating: 2
You're a n00b if you think you are any more anonymous on a private site. Tell me how these "private" sites keep out anyone that wants to get inside.


RE: Who's still uses Pirates bay??
By cs1323 on 7/11/2010 10:49:45 AM , Rating: 2
"Private Sites" require invites, they're exclusive.

Enlighten us if you think there's a way to bypass that.


RE: Who's still uses Pirates bay??
By bigboxes on 7/11/2010 2:55:16 PM , Rating: 2
If you can get an invite then someone "working" for an anti-piracy group, govt agency, **AA agent can get an invite. Are you that naive to think only you are that talented or charming as to procure an invite? LOL


RE: Who's still uses Pirates bay??
By bigboxes on 7/11/2010 3:04:32 PM , Rating: 2
I mean how hard is it to gain access? I have access to six private sites. You think that anyone working for one of those law firms working against piracy can't do the same? What great security measures are they going to employ? Make you provide an e-mail addy? Trust me, every private torrent site has or will be infiltrated. Ooooh... it's a private site. Guess I'll just leave them alone to freely trade their warez. LOL


Oops
By Beenthere on 7/8/2010 11:51:52 AM , Rating: 2
Bet there are some unhappy TPB fans.




RE: Oops
By Exodite on 7/8/2010 12:08:46 PM , Rating: 4
Can't see why, it's not like login information is in any way admissible as evidence of any copyright infringement in their own right.

Besides, why anyone would register any form of personal information at such a site in the first place is beyond me.


RE: Oops
By Camikazi on 7/8/2010 4:16:20 PM , Rating: 2
This is the RIAA/MPAA we are talking about, real evidence means nothing to them, they work on theoretical. All those people were on a torrent site so they all COULD have downloaded and in doing so COULD have uploaded their material to millions so all should be fined for $10,000,000 each to make up for the losses they had.


I didn't know a login was needed there.
By PAPutzback on 7/8/2010 10:57:58 AM , Rating: 2
Does it just give you the ability to leave comments or rate downloads or something?




By BZDTemp on 7/8/2010 12:54:21 PM , Rating: 1
It gives some more search options, access to the forum and so.

Oh, and btw. tpb is up again :-)


By kmmatney on 7/8/2010 12:58:59 PM , Rating: 2
I would personally never open an accounton TPB, but I think it gives you the ability to leave comments, and I would guess you need an account to create torrents, get skulls, etc...


Who the hell
By JonnyBlaze on 7/8/2010 12:44:46 PM , Rating: 2
signs up there? if you don't need to use login information why would you.




RE: Who the hell
By sprockkets on 7/8/2010 1:37:39 PM , Rating: 2
so u can post stuff, and uh, of course, search for pr0n


missing anyone?
By Lecalim on 7/8/2010 7:11:00 PM , Rating: 2
you know, im a pretty average user, but i have to tell you, if someone came out publicly saying that they had hacked a site like TPB, then publicly announced they had EVERYONE'S details. Id be very very concerned about my safety. Ive seen way to many movies and this sort of global stuff would/could see this guy end up in a bin in Prague...considering the content that is available for download off that site, if i was an uploader, id be the Jackal in a second...you don't mess with people on such a level, then go public about it




RE: missing anyone?
By Lerianis on 7/8/2010 8:33:29 PM , Rating: 2
True. They can probably track who did the hacking RIGHT BACK TO THE GUY'S HOME! If I hacked a board, I wouldn't make it public unless I used DOZENS of re-routed proxies to obfuscate what the hell I was doing!


Playing with fire....
By createcoms on 7/8/2010 1:58:04 PM , Rating: 2
I hope this guy's own stuff is locked down, revenge is so very sweet. Yes indeed.




oh he is in deep s*** now
By vapore0n on 7/8/2010 3:36:45 PM , Rating: 2
Lets see how long it takes the RIAA, MPAA, and their European counterpart to either buy out this guy's stash, or get the Argentinean government to force him to give it up.

He just struck gold, and the big guys will want some of it.




By JonnyDough on 7/9/2010 2:12:23 PM , Rating: 2
because they couldn't use it in court to show how they had obtained the names and addresses of the users because they obtained them illegally.




Or...
By Kyanzes on 7/11/2010 1:14:02 PM , Rating: 2
Perhaps they just sold the data and had to make it look like a real job.




By rcc on 7/8/2010 2:19:56 PM , Rating: 1
and doesn't actually use it or promote it, it's ok with everyone, right?

Isn't that the excuse for TPB?




"We are going to continue to work with them to make sure they understand the reality of the Internet.  A lot of these people don't have Ph.Ds, and they don't have a degree in computer science." -- RIM co-CEO Michael Lazaridis











botimage
Copyright 2012 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki