
Anti-piracy outfit hires VPN expert to help track down The Pirate Bay - Cantbekhan
https://torrentfreak.com/anti-piracy-outfit-hires-vpn-expert-to-help-track-down-the-pirate-bay-200821/
======
hcrean
They can do this without keeping any meaningful information quite easily: They
sign a client certificate with an expiry date at time of purchase using their
CA private key (that the court obviously can't force them to give up, HSM
etcetera).

Into the client certificate's DN or extended field they write the allocated
public IP.

The only information they need to store is that that IP is spoken for and not
to be allocated again. They could also work this out on the fly.

When the client comes to connect, they note that the certificate is signed and
presented, and they route the public IP to the in-tunnel address of the peer,
which they will have standardized to something meaningless like 10.0.0.2

As long as they don't log anywhere in the process, the signing of certificates
means you don't have to remember the client at all.

~~~
mindslight
The certificate approach has the advantage of the server storing nothing at
all, but a standard username+password could accomplish something similar. It's
not a big deal if the result of the query is a username and password. The
central question is what type of records they kept for the payment.

~~~
lstamour
Username and password doesn’t inherently have an HMAC+timestamp, so it has to
be kept alongside payments. A certificate could be a one-time transaction, so
the payment could be logged while the certificate is issued, the only worry
after is if timestamps are present in the transaction method and timestamps
are present (obviously) in the certificate, then correlation is still
possible. Perhaps a workaround would be to take orders at any time but process
orders in batches, where payment for all customers and certificate issuance
for all customers happen at the same time/date. Or decouple certificate
issuance from payment such that payment can occur any time and what is
provided is a certificate that was previously generated/allocated at the start
of the month or year. The downside to the preallocation is that the
certificate private key would also have to be known in advance, it weakens
security, but is perhaps an acceptable trade off for privacy. If transaction
proof is possible, perhaps again with an hmac secret, you could provide proof
of transaction at the start of the next month to keep the certificate issuance
secure by presenting and issuing key material at a later date from when the
transaction occurred. Actually, an hmac probably isn’t tamper-resistant enough
given its value, unless you include a timestamp and correlate to transaction
dates, or use a really long secret, or both and rotate the secret, perhaps. So
you’d exchange payment for tokens, and tokens for certificates, decoupling the
two. If your tokens are trusted, you could sell multi-year certificates or
multiple tokens at the same time at the cost of reduced privacy if different
features or timestamps are present in the tokens or transaction cost.
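
The stateless credential hcrean describes, combined with the batched issuance lstamour suggests, as an added example that is not part of either post. It assumes an HMAC over (IP, expiry) as a stdlib-only stand-in for the CA signature on a client certificate; the function names and the sample address are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone
from typing import Optional

# Assumption: a symmetric secret stands in for the CA private key in the HSM.
ISSUER_KEY = secrets.token_bytes(32)
TUNNEL_PEER = "10.0.0.2"  # the fixed in-tunnel address from the thread


def batch_expiry(paid_at: datetime, months: int = 1) -> int:
    """Round expiry up to the first of a month, so every credential sold in
    the same calendar month carries the same timestamp."""
    total = paid_at.year * 12 + (paid_at.month - 1) + months + 1
    year, month0 = divmod(total, 12)
    return int(datetime(year, month0 + 1, 1, tzinfo=timezone.utc).timestamp())


def _tag(body: bytes) -> bytes:
    return hmac.new(ISSUER_KEY, body, hashlib.sha256).digest()


def issue(public_ip: str, expires: int) -> str:
    """Sign (ip, exp) and hand it to the client; nothing is written server-side."""
    body = json.dumps({"exp": expires, "ip": public_ip}, sort_keys=True).encode()
    return ".".join(base64.urlsafe_b64encode(p).decode() for p in (body, _tag(body)))


def verify(credential: str, now: int) -> Optional[str]:
    """Return the public IP to route to TUNNEL_PEER, or None if invalid/expired."""
    try:
        body, tag = (base64.urlsafe_b64decode(p) for p in credential.split("."))
    except ValueError:  # wrong part count or bad base64
        return None
    if not hmac.compare_digest(tag, _tag(body)):
        return None
    claims = json.loads(body)
    return claims["ip"] if now < claims["exp"] else None


if __name__ == "__main__":
    exp = batch_expiry(datetime(2020, 8, 21, tzinfo=timezone.utc))
    cred = issue("203.0.113.7", exp)  # constructed documentation address
    print(verify(cred, exp - 1), "->", TUNNEL_PEER)
```

Two purchases made on different days of the same month yield byte-identical expiry fields, so the credential's timestamp alone does not single out one payment within that month.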

~~~
mindslight
> _Username and password doesn’t inherently have an HMAC+timestamp, so it has
> to be kept alongside payments._

I don't follow your logic here. A userdb record could simply consist of
user+pass, service level, static public IP, and an expiration date -
essentially the same information that a certificate would carry.

The existence of a user record is certainly more legible to the legal system,
and might help support a court order to actively surveil that "user's"
activity. But from a technical perspective of what information can be gleaned
here, they're the same.

~~~
lstamour
I don’t think we’re disagreeing? :) An expiration date and username is a type
of payment record?

~~~
mindslight
I was referring to a payment record as something that would be useful to
follow a trail, such as a cc auth# or transaction IP address.

------
capableweb
> “Although [OVPN] strive to store as little data as possible, there must be
> data connecting users and identities to make the VPN service work. In this
> case, a user has paid for a VPN account with the ability to connect a public
> static address to OVPN which the user has then chosen to link to the file
> sharing site ‘the piratebay’, i.e the user has configured his VPN account to
> point to the given domain.”

The article doesn't seem to go into why a VPN service _must_ have data
connecting users and identities. AFAIK, Mullvad allows you to be completely
anonymous with your purchase, granted they throw away the IP who made the
purchase, which doesn't seem impossible to do. Simply store no data about the
transactions and you have no data about it. Not sure I see the reason there
has to be data about it.

~~~
ubercow13
I think the article covers that. They are hosting a website at a static IP, so
a mapping of public IP -> secret IP must be stored somewhere. They are hoping
that knowing this secret IP will let them find their true hosting provider.

~~~
javajosh
That's true - even if it's in memory somewhere the record exists, and is
readable.

~~~
capableweb
Not entirely sure what I'm talking about now, but couldn't you in theory
implement this in Intel SGX and therefore be unable to read it unless from
code running inside the enclave itself?

~~~
saagarjha
Possibly, if SGX actually worked.

------
TekMol
Do I understand it correctly, that torrents are sent directly from user to
user and that the Pirate Bay is only needed so the users find each other?

Like someone wants to know "Which user that is online now has The Matrix?" and
then queries PB to get IPs of such users?

~~~
toomuchtodo
Correct, the Pirate Bay simply hosts magnet links, which contain cryptographic
hashes for the torrent contents and where to bootstrap the transfer from.

[https://en.wikipedia.org/wiki/Magnet_URI_scheme](https://en.wikipedia.org/wiki/Magnet_URI_scheme)

------
Yc4win
TPB has been successfully hiding for ages, I sincerely doubt just hiring an
expert opinion on the matter will stop them.

Long live the Jolly Roger! :)

------
CraneWorm
Is TPB relevant? I feel like it's gone stale and the knowing crowd moved to
other sites (or has been using private trackers since always).

This is very much a witch-hunt for publicity.

~~~
akvadrako
The Pirate Bay is still relevant for me; I’ve even set up my own proxy to avoid
ISP blocks. It’s not stale - new stuff is added within a day or two of
release.

But it’s less important than it used to be.

~~~
CraneWorm
Thanks for chiming in!

Myself, I had trouble accessing it often enough to seek alternatives.

Would you be able to comment on the accounts? Can you still register one? Do
new releases have comments/larger discussions?

~~~
Yc4win
Helpful tip to anyone not able to access TPB over the clearnet due to any
number of issues is they host an official tor onion:

[http://piratebayztemzmv.onion](http://piratebayztemzmv.onion)

Edit: Just want to reiterate. This is an actual _official_ tor onion mirror.
TPB has had problems with an assortment of proxies over the years doing
nefarious things, such as while hosting a copy of TPB, the malicious proxy
would inject JS/start crypto-mining in your browsers background. The link I
included is from TPB official site and doesn't have said issues.

------
flyGuyOnTheSly
I don't understand how various governments cannot simply seize the domain at
the registrar level?

Why chase them around the world through VPN providers if you can cut them off
at the knees?

~~~
wongarsu
It appears like actual court orders to force registrars to take down domains
are hard to come by in Canada (where the registrar is incorporated), and their
registrar famously refuses to take down domains just because someone writes a
sternly worded letter asking for it [1].

Plenty of countries block or blocked the domain at ISP level.

[1] [https://en.wikipedia.org/wiki/EasyDNS#Controversies](https://en.wikipedia.org/wiki/EasyDNS#Controversies)

------
bsaul
Why not hit at the DNS registrar?

~~~
TheNorthman
I'm not sure what you mean, that is where they started. The full story is as
follows: Their DNS registrar stores the following A records for
`thepiratebay.org`:

      ;; ANSWER SECTION:
      thepiratebay.org. 300 IN A 162.159.136.6
      thepiratebay.org. 300 IN A 162.159.137.6

Those IPs are owned by Cloudflare. The Rights Alliance then asked Cloudflare
what IP address those IPs redirect cache-misses to. Cloudflare then gave them
an IP address that belongs to a Swedish ISP. In turn, that ISP pointed to the
VPN provider `OVPN.se` as the user of that IP address.

This article then updates on a lawsuit between the Rights Alliance and the VPN
provider, since they're refusing to give out the VPN user of that IP address
(because they can't).

~~~
cosarara
Who's paying the registrar? Can DNS records be paid for anonymously?

~~~
TheNorthman
The DNS records in this case are hosted on Cloudflare servers, so presumably
for free.

If looking at the domain registrar instead, we find the registrar
`easyDNS.com`. Their payment options aren't public, so I can't say for sure. I
can however say that there is no requirement for domains to be paid through an
identifiable means.

Take for example the registrar `njal.la`, a service founded by Peter Sunde,
that accepts payment in various crypto-currencies.

~~~
bsaul
That was my original question. I had no idea one could register a domain name
without providing identification.

~~~
salawat
Contrary to popular belief, not everyone is on board with systems aiming to
create identifiers that map 1:1 with people. That's a _very_ politically
driven philosophy generally intended to enforce a means of auditability or
control.

The thing that makes it seemingly inevitable to give up identifying
information as part of financial transactions is the nature of Credit/Payment
processing/Anti-Money Laundering regulations enforcing a KYC (Know-Your-
Customer) component to being a legally operating financial transaction
processor.

Do note, this audit trail creation is a big portion of the push to obviate and
disincentivise cash transactions. The thinking goes, if you can only use the
financial system by identifying your endpoints, there should be a clear audit
trail if anything hinky is going on. Unfortunately, the much less well
publicized corollary to that is that suddenly payment processors become an
effective population scale control mechanism.

This should hopefully cause discomfort on further reflection, but to each
their own.

------
dependenttypes
TPB used to host db dumps at
[https://thepiratebay.org/static/dump/](https://thepiratebay.org/static/dump/)
which would be useful in case it was ever taken down but it seems that they
removed them.

------
biolumonix
But aren't there multiple hosts for TPB?

------
evo_9
I’ve wondered for a while why eztv.it doesn’t get any such attention and
they’ve been around for nearly as long.

~~~
crtasm
Less of a cool brand? Plus it had a hostile takeover some years ago, original
operators are no longer involved.

------
josho
This illustrates just how hard it is to stay anonymous while conducting
commerce. I.e. the pirate bay has been de-anonymized across several political
jurisdictions and is one VPN bug or compromise away from being exposed and
being shut down again.

And it is interesting to contrast with how seemingly easy it is for the wealthy
(people and corporations) to legally hide their wealth to minimize their
taxes.

It’s telling who really has the power.

~~~
Fezzik
Let’s be honest, The Pirate Bay exists and is primarily used to illegally
download porn, movies, video games, and other software. You can try to sugar
coat what PB can theoretically be used for, but that’s not what it is actually
used for. A fraction of a fraction of the data transactions that originate
from the PB are for “conducting commerce”. I have no idea what that has to do
with people legally following tax codes in multiple jurisdictions for their
own financial gain... that just seems smart.

Edit, to add: given what the PB is generally used for, people should not be
surprised that content creators are hiring people to try to disrupt its
existence.

~~~
sixothree
I have Netflix, Youtube TV, Tivo with OTA, Amazon Prime, Apple TV (from new
iphone). I have no problem acquiring new subscriptions.

I still grab stuff off TPB just because it's easier, faster, and more
convenient. I cannot stand this cluster-f of gimped interfaces (eg. youtube on
pretty much any device), dangling boxes, remote controls, and hdmi switches.

I don't have time for all that crap. TPB downloads appear right at the top of
the list of my primary device.

I don't mind paying. But we have to admit television is a mess right now and
tpb fixes that mess.

edit: obvious caveat I'm sure many people on tpb are pirates

~~~
lobster45
Try newline or vanced on Android. They are frontend apps for YouTube that
resolve most of the issues

~~~
Forbo
Minor correction, it's "NewPipe".

------
LifeLiverTransp
Anti-Piracy won't save any industry which falls for revenue into the panem et
circenses category. Your product's price points are capped by a political
consensus to keep the population peaceful.

