Pirate Bay Hack Exposes User Booty - ukdm
http://krebsonsecurity.com/2010/07/pirate-bay-hack-exposes-user-booty/

======
epochwolf
> I also sought comment from a Pirate Bay representative at the organization’s
> official IRC channel, but was unceremoniously kicked and banned from the
> channel after pasting the user names and hashed passwords of the site
> administrators and moderators.

Uh... that's not how you ask for comment in IRC. That's being a douchebag.
Every chatroom I've been in would ban you for posting that information in a
public chatroom.

~~~
oozcitak
From the comments:

> I idled on TPB irc channel for probably 5 hours before I pasted those
> usernames/md5'd passwords. I also checked the major rainbow tables and
> available Md5 decryptor sites to make sure they weren't easily reversible,
> before pasting them. I just wanted to get someone's attention. I was told
> several times that no one was in charge, and then some admin started
> taunting me, saying he couldn't believe I was a journalist b/c I couldn't
> put two words together.

~~~
epochwolf
Context is important. That comment wasn't on the site when I was writing my
response. I was careful to check the comments before making an ass out of
myself. I wish it had been there. :)

That said, unless he sent the data via private message I'd still support an
immediate kickban. You don't post that publicly, even if it's not immediately
crackable. You never know who has full automatic logging turned on in their
irc client. (I'm always logging and I always assume everyone else is too.)

~~~
ErrantX
Getting sensible discourse in the Pirate Bay IRC channel is not exactly easy.
Mostly you just get abuse :)

(but, yeh, posting it publicly was a bit silly)

------
rick888
I guess the piratebay is getting a taste of their own medicine. A third party
is sharing their data without their consent. Boo Hoo.

I remember hearing a speech a couple of weeks ago from one of the guys that
runs the Piratebay. He talked about how he remembered when he was a little kid
and he was taught to share. He believed that everything online should be given
out for free for the goodness of mankind.

I hope this guy shares all of the usernames/email addresses and password
hashes as a torrent. After all, it's just data. Data is only 1s and 0s (and
can't be stolen).

~~~
chc
There is a very big difference between "We should share generously" and "All
data should be public." The Pirate Bay doesn't advocate leaking credit card
numbers or anything.

~~~
rick888
"There is a very big difference between "We should share generously" and "All
data should be public."

If they were advocating the sharing of their own property, that's one thing.
However, they advocate (and facilitate), the sharing of other people's
intellectual property without their consent. I have heard many reasons as to
why this should be okay. "Data can't be stolen, only copied", "Information
needs to be free", etc.

So, going by their own rules, this is fine because email, password hashes, and
usernames are just data. Information that can be freely copied and distributed
without any harm to the original owner (they still have a copy of it. It's not
like it's stealing).

"The Pirate Bay doesn't advocate leaking credit card numbers or anything"

No, but if I had their credit cards on an open forum, I wouldn't expect them
to take legal action (unless of course they are hypocrites). Credit card
numbers, like torrents, are just 1s and 0s that could be used for harm (IE:
downloading illegal information).

I find the people from the piratebay very hypocritical. They have this new
service coming out that allows you to give donations (I can't remember the
name, but I saw a video on it). They charge a 10% service fee, which is
enormous compared to many alternative services out there right now. Why not
charge $0? Yes, it may cost money to run such a service, but it also costs
money to create many of the software applications, games, and movies that they
seem to have no problem "sharing" (yes, I know they don't actually host the
file, only torrents, but they host readme files on almost every torrent which
explain exactly what the file is. They also run many of the trackers out
there.).

~~~
chc
This is not copyright violation. This is the sharing of sensitive user data.
You may find both abhorrent, but they are not at all the same thing. You're
making a straw man argument with all this "sharing data" nonsense, essentially
trying to paint The Pirate Bay as supporting any illegal use of a computer
just because they support one illegal use.

TLDR: _If_ The Pirate Bay were getting upset over having their intellectual
property shared freely, that would be hypocrisy. But they're not. They're
trying to stop people from hacking their site.

------
binarymax
Would have been amusing if they'd have gone into covert talks with RIAA and
MPAA under the guise of selling them the data illegally, while documenting the
whole thing. Then in the end not sell the list, and out the documentation.

~~~
pavel_lishin
I wonder what would happen if they'd done that, and then sold them a fake
list.

------
dhyasama
If these guys have the proven ability to modify user records, could you use
that as a defense in court? What's to say I didn't create an account, never
downloaded anything, and someone else modified my account to say I did?

~~~
bradleyland
Prosecution that relies on a single piece of evidence rarely makes it to trial.
Prosecution is all about the chain of evidence. In addition to the user
account they'd identified on the Pirate Bay, any successful prosecution
attempt would have previously seized your computer, imaged the drive, and
uncovered all the torrent files and copyrighted material lying around on your
hard drive.

~~~
ovi256
Yeah, but all the evidence pursued from a false basis can be thrown out of
court. I remember a landmark case sometime ago where cops imaged a house using
infrared, and those images, purportedly showing a pot grow house, were the
basis for a subsequent entry warrant. However, the court (may have gone all
the way up to the Supreme Court) found that the initial infrared imaging was
invasive, infringing and illegal, and thus all evidence coming from it was
tainted and had to be thrown out. Therefore, it seems to me that a single weak
link in the chain will nullify all the next links.

IANAL.

~~~
bradleyland
This would only apply if the existence of a Pirate Bay account were the
impetus for the investigation. There is just as much a possibility that the
driving factor was the observation of your IP obtained through a standard
torrent client. In your example, the IR evidence was the grounds by which they
obtained a warrant. I'm not saying this wouldn't be the case in our
hypothetical prosecution here, but the distinction is important.

The bottom line is that suing individual file-sharers is an inane idea to
begin with. The RIAA/MPAA are using this only as a shock & awe tactic. The
rolling back of the file sharing tide will not come from the direct
prosecution of every file-sharer. Their hope is that many people will become
fearful of prosecution, thus resulting in a reduction of piracy.

------
ronnier
It looks like the passwords were stored as straight MD5 hashes, which is just
slightly better than storing plain text passwords.
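
The following is an added illustration of ronnier's point, not code from the thread or from The Pirate Bay; the password list, the user records and the `algo$iterations$salt$hash` storage format are constructed for the example, and PBKDF2-HMAC-SHA256 is assumed as the replacement scheme (bcrypt, scrypt or Argon2 would serve equally). It shows why an unsalted MD5 dump is close to plaintext: every user with the same password gets the same hash, so one precomputed table (the "rainbow tables" mentioned in the comments) resolves the whole dump at once, whereas a per-user random salt plus an iterated hash makes that table useless and each guess expensive.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, List, Optional

# Constructed list standing in for the wordlists and rainbow tables the thread
# mentions; a real one is vastly larger, which is the whole point.
COMMON_PASSWORDS: List[str] = ["123456", "password", "letmein", "qwerty", "dragon"]


def md5_store(password: str) -> str:
    """Unsalted MD5, the storage scheme the comment above describes."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_md5_table(words: Iterable[str]) -> Dict[str, str]:
    """One precomputed hash -> password table serves every user of every site
    that stores unsalted MD5, because the hash depends only on the password."""
    return {md5_store(w): w for w in words}


def precomputed_hits(stored_hashes: Iterable[str], table: Dict[str, str]) -> int:
    """Operator's audit: how many stored values a precomputed table resolves.
    Unsalted MD5 falls to a dictionary lookup; salted, iterated hashes give 0."""
    return sum(1 for h in stored_hashes if h in table)


def pbkdf2_store(password: str, salt: Optional[bytes] = None,
                 iterations: int = 600_000) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256). The random salt makes every
    stored value unique, so no table can be precomputed, and the iteration
    count makes each guess costly. Record format (constructed for this example):
    algo$iterations$salt_hex$dk_hex."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), dk.hex())


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # Constructed user table: two accounts happen to share a common password.
    users = {"alice": "password", "bob": "password", "carol": "Tr0ub4dor&3"}
    table = build_md5_table(COMMON_PASSWORDS)

    md5_dump = [md5_store(p) for p in users.values()]
    print("unsalted MD5 hits:", precomputed_hits(md5_dump, table))    # 2
    print("alice and bob share a hash:", md5_dump[0] == md5_dump[1])  # True

    pbkdf2_dump = [pbkdf2_store(p) for p in users.values()]
    print("pbkdf2 hits:", precomputed_hits(pbkdf2_dump, table))       # 0
    print("alice and bob share a hash:", pbkdf2_dump[0] == pbkdf2_dump[1])  # False
    print("verify works:", pbkdf2_verify("password", pbkdf2_dump[0]))  # True
```

The audit function is the check a site operator would run over their own table before a leak rather than after one: if a short list of common passwords resolves a noticeable share of stored hashes, the scheme is the problem, not the users.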

------
arnorhs
The title should be more accurate. Maybe change it to "security weakness
exposes information of 4 million Pirate Bay users"

~~~
epochwolf
Pirate Bay _Exploit_ Exposes User Booty

I like creative titles. :)

~~~
arnorhs
maybe, but first when I saw it I wasn't sure if there was a user called Booty
that was exposed, or that there was an actual ass that was exposed (as in a
picture of it).. I didn't realize until I checked it out that it was the
user's personal info :)

------
mikecane
Hm. They wondered how much the info would have been worth to the MPAA and
RIAA. But wouldn't that have been thrown out of court as evidence gotten
illegally?

~~~
smokinn
If it got to court. They usually never do.

MPAA/RIAA don't want a court case, they just extort money from people. They
know they can because it's completely irrational to pay more to defend
yourself in court with a chance of losing than to just pay the protection fee
and never be charged with anything.

~~~
mikecane
Hmmm... so maybe a defense would be "How do you know this, MPAA/RIAA?" If they
can't present legal evidence in court, they'd lose. They can't extort people
who know the evidence is illegal.

