Hacker Newsnew | past | comments | ask | show | jobs | submitlogin
Anti-piracy outfit hires VPN expert to help track down The Pirate Bay (torrentfreak.com)
136 points by Cantbekhan on Aug 22, 2020 | hide | past | favorite | 84 comments


They can do this without keeping any meaningful information quite easily: They sign a client certificate with an expiry date at time of purchase using their CA private key (that the court obviously can't force them to give up, HSM etcetera).

Into the client certificate's DN or extended field they write the allocated public IP.

The only information they need to store is that that IP is spoken for and not to be allocated again. They could also work this out on the fly.

When the client comes to connect, they note that the certificate is signed and presented, and they route the public IP to the in-tunnel address of the peer, which they will have standardized to something meaningless like 10.0.0.2

As long as they don't log anywhere in the process, the signing of certificates means you don't have to remember the client at all.


The certificate approach has the advantage of the server storing nothing at all, but a standard username+password could accomplish something similar. It's not a big deal if the result of the query is a username and password. The central question is what type of records they kept for the payment.


Username and password doesn’t inherently have an HMAC+timestamp, so it has to be kept alongside payments. A certificate could be a one-time transaction, so the payment could be logged while the certificate is issued, the only worry after is if timestamps are present in the transaction method and timestamps are present (obviously) in the certificate, then correlation is still possible. Perhaps a workaround would be to take orders at any time but process orders in batches, where payment for all customers and certificate issuance for all customers happen at the same time/date. Or decouple certificate issuance from payment such that payment can occur any time and what is provided is a certificate that was previously generated/allocated at the start of the month or year. The downside to the preallocation is that the certificate private key would also have to be known in advance, it weakens security, but is perhaps an acceptable trade off for privacy. If transaction proof is possible, perhaps again with an hmac secret, you could provide proof of transaction at the start of the next month to keep the certificate issuance secure by presenting and issuing key material at a later date from when the transaction occurred. Actually, an hmac probably isn’t tamper-resistant enough given its value, unless you include a timestamp and correlate to transaction dates, or use a really long secret, or both and rotate the secret, perhaps. So you’d exchange payment for tokens, and tokens for certificates, decoupling the two. If your tokens are trusted, you could sell multi-year certificates or multiple tokens at the same time at the cost of reduced privacy if different features or timestamps are present in the tokens or transaction cost.


> Username and password doesn’t inherently have an HMAC+timestamp, so it has to be kept alongside payments.

I don't follow your logic here. A userdb record could simply consist of user+pass, service level, static public IP, and an expiration date - essentially the same information that a certificate would carry.

The existence of a user record is certainly more legible to the legal system, and might help support a court order to actively surveil that "user's" activity. But from a technical perspective of what information can be gleaned here, they're the same.


I don’t think we’re disagreeing? :) An expiration date and username is a type of payment record?


I was referring to a payment record as something that would be useful to follow a trail, such as a cc auth# or transaction IP address.


Your method is probably the best you can do. I think the security firm claims, that while the tunnel is up, there is a connection - actual TCP connection, or UDP stream - that associates the client IP to the socket in the VPN infrastructure. If you could intercept that data and track it inside their infra, you could discover what IP PirateBay has on their backend.


> “Although [OVPN] strive to store as little data as possible, there must be data connecting users and identities to make the VPN service work. In this case, a user has paid for a VPN account with the ability to connect a public static address to OVPN which the user has then chosen to link to the file sharing site ‘the piratebay’, i.e the user has configured his VPN account to point to the given domain.”

The article doesn't seem to go into why a VPN service _must_ have data connecting users and identities. AFAIK, Mullvad allows you to be completely anonymous with your purchase, granted they throw away the IP who made the purchase, which doesn't seem impossible to do. Simply store no data about the transactions and you have no data about it. Not sure I see the reason there has to be data about it.


I think the article covers that. They are hosting a website at a static IP, so a mapping of public IP -> secret IP must be stored somewhere. They are hoping that knowing this secret IP will let them find their true hosting provider.


> They are hosting a website at a static IP, so a mapping of public IP -> secret IP must be stored somewhere.

Not necessarily. The stored mapping could also be public IP -> username, plus a separate mapping username -> password or username -> key; with a mapping public IP -> TCP connection or public IP -> UDP connection existing only in memory and only while the connection is active. And from what I understood from the article, and from an earlier article linked to by the first link in this article, the connection has last been active in June.


That's true - even if it's in memory somewhere the record exists, and is readable.


Not entirely sure what I'm talking about now, but couldn't you in theory implement this in Intel SGX and therefore be unable to read it unless from code running inside the enclave itself?


Possibly, if SGX actually worked.


If you pay with a credit card, then they at least need to keep track of which account to deactivate when the card stops paying.


Depends on the implementation. Not sure exactly how OVPN works, but with Mullvad it works by top-up the account, so no need to keep track of CC <> Account number. When the account runs out, the VPN simply stops working until you refill.


Mullvad at least used to take cash by mail, too. Pretty tough to correlate that.


OVPN also takes cash by mail.


Any thoughts on OVPN vs. Mullvad in terms of your preference for using one instead of the other?


My personal reasons: been using Mullvad for a couple of years. Team and company based in Sweden, country known for it's strong privacy laws (FRA non-with-standing). One of the first VPN companies to launch Wireguard support with tons of their edge servers supporting it. Anonymous payments and finally super easy to use, even for non technical users.


But...OVPN is also based in Sweden: https://www.ovpn.com/en/about


Not if you just buy credits in advance for an account.


Sure, that works for outgoing connections. Incoming, though? Not so much; it has to know where to send the data.


> AFAIK, Mullvad allows you to be completely anonymous with your purchase

I paid for Mullvad with Paypal and they used my Paypal email as the login email! Strange that they done that. Never assume a Paypal email is the one a user will use for the login. I like to compartment my emails for different things, so one dedicated to Paypal, another specifically for Mullvad etc


> I paid for Mullvad with Paypal

Well, there's your problem. If you want to be anonymous don't use payment methods that aren't.

> they used my Paypal email as the login email!

Mullvad has no login email at all. You seem to be mistaken.


> they used my Paypal email as the login email

Login email? There is no such thing in Mullvad. All you have is a Account Number, and there should be no identifiers beyond that. Where do you even find any inputs to enter your email?


Sorry I meant they sent some link to login at the email I use for Paypal. They probably have some new system. I done that about 2 years ago to try them out


So they sent you login information to the email address you gave them to send you login information?


Yeah. They had instructions there to create my account using a unique identifier.


Do I understand it correctly, that torrents are sent directly from user to user and that the Pirate Bay is only needed so the users find each other?

Like someone wants to know "Which user that is online now has The Matrix?" and then queries PB to get IPs of such users?


Correct, the Pirate Bay simply hosts magnet links, which contain cryptographic hashes for the torrent contents and where to bootstrap the transfer from.

https://en.wikipedia.org/wiki/Magnet_URI_scheme


That’s what’s so crazy, TPB doesn’t host or distribute any content. All they do is serve you a “magnet link” which means when you put “Titanic” in the search box they give you a string that uniquely identifies one specific copy of the movie. You then paste it into other peer-to-peer software.


It's based on Kademlia[1], a distributed hash table for P2P networks. It's pretty neat, and used by other software as well.

[1]: https://en.wikipedia.org/wiki/Kademlia


No, TPB doesn't do that. Normally you would have a .torrent file which is a small file containing metadata (name, files in torrent) and a list of trackers which are servers that keep track of the peers. You acquire a .torrent, open it with a torrent client, and it connects to the trackers to get a list of peers and start p2p sharing. Peers can also directly exchange more peer information when connected.

Instead of a .torrent file you can instead use a magnet link which is a magnet://... that contains the same information. TBP hosts a lot of magnet links. Basically like if you made a webpage with a list of a bunch of hyperlinks to websites like google.com, and allowed people to submit more hyperlinks. You're not distributing the google.com page content, just links to the location of the information. Except instead of links that tell you where to find http webpages it's links that tell you where to find a torrent.


Pirate Bay is only needed to find the metadata for a given torrent so that users can then find each other.


TPB has been successfully hiding for ages, I sincerely doubt just hiring an expert opinion on the matter will stop them.

Long live the Jolly Rodger! :)


Is TPB relevant? I feel like it's gone stale and the knowing crowd moved to other sites (or has been using private trackers since always).

This is very much a witch-hunt for publicity.


The Pirate Bay is still relevant for me; I’ve even setup my own proxy to avoid ISP blocks. It’s not stale - new stuff is added within a day or two of release.

But it’s less important than it used to be.


Thanks for chiming in!

Myself, I had trouble accessing it often enough to seek alternatives.

Would you be able to comment on the accounts? Can you still register one? Do new releases have comments/larger discussions?


Helpful tip to anyone not able to access TPB over the clearnet due to any number of issues is they host an official tor onion:

http://piratebayztemzmv.onion

Edit: Just want to reiterate. This is an actual official tor onion mirror. TPB has had problems with an assortment of proxies over the years doing nefarious things, such as while hosting a copy of TPB, the malicious proxy would inject JS/start crypto-mining in your browsers background. The link I included is from TPB official site and doesn't have said issues.


> Is TPB relevant?

Its relevance, by now, is more political than practical.


For me, TPB became irrelevant once high-speed broadband and cheap multi-terabyte storage became available. Today (and really for the past decade) there is no reason not to torrent full-size Blu-ray images or remuxes, but TPB never abandoned an overall culture of sharing only small-size and usually low-resolution transcodes.


there's a world of people without that broadband and storage.


True, I don't have any traffic numbers but based on some content lacking on TPB and present on other sites, I'd say the current king is somewhere else.


What other sites?


there is a sub-reddit, the name rhymes with privacy ;)


I don't understand how various governments cannot simply seize the domain at the registrar level?

Why chase them around the world through VPN providers if you can cut them off at the knees?


It appears like actual court orders to force registrars to take down domains are hard to come by in Canada (where the registrar is incorperated), and their registrar famously refuses to take down domains just because someone writes a sternly worded letter asking for it [1]

Plenty of countries block or blocked the domain at ISP level.

https://en.wikipedia.org/wiki/EasyDNS#Controversies


This issue is due to copyright claims being enforced by Rights Alliance on behalf of big studios.

The Pirate Bay has a different view on copyright, file sharing and civil liberties.

This different in points of view is mainly ideological or political.

Governments and political views _should_ stay out of internet management, otherwise the remaining independence will be gone very soon


Furthermore, DNS isn't necessary. From the inception of computer networking, it has only ever been a usability and discovery aid, that has arguably introduced more centralized control mechanisms than anyone intended.

If you think TPB is hard to legally pin down now, I can't wait to see the come-to-Jesus moment when authorities (in the U.S. in particular) have to come to terms with "the Pirate Bay" being nothing more than a nominative signpost passed between users, and the entity merely existing as a set of services popping up for a while on one IP address or another, with news of transfers spread by word of mouth, and someone has the chutzpah to challenge enforcement on free speech grounds.

This is why this Pirate Bay crusade is a losing gambit. Everyone isn't going to start using the abusive service providers in town just because you shut down one tunnel or branch of the local speakeasy.

Squash one, another pops up, because information wants to be free. You've already got private trackers that are very particular about the people they support, and actively forbid easy onboarding in order to keep the edifice from being trivially subverted by adversaries.

The natural state of human beings is change from the now to the ideal. Content creation companies are guilty of demanding the overly ambitious carve outs that lead to things like TPB existing at all. Get things more reasonable, and work on being better at making content on demand quickly accessible and cross-referenceable and you have a service that people will generally pay for either straight up, or by other means such as time and awareness. Clamp down on information dissemination, and watch as the castle sinks as the sand that would otherwise buoy it up screw off elsewhere where artificially barriers to getting things done aren't erected.


piratebayztemzmv.onion


Why not hit at the DNS registrar ?


I'm not sure what you mean, that is where they started. The full story is as follows: Their DNS registrar stores the following A records for `thepiratebay.org`:

  ;; ANSWER SECTION:
  thepiratebay.org. 300 IN A 162.159.136.6
  thepiratebay.org. 300 IN A 162.159.137.6
Those IPs are owned by Cloudflare. The Rights Alliance then asked Cloudflare what IP address those IPs redirect cache-misses to. Cloudflare then gave them an IP address that belongs to a Swedish ISP. In turn, that ISP pointed to the VPN provider `OVPN.se` as the user of that IP address.

This article then updates on a lawsuit between the Rights Alliance and the VPN provider, since they're refusing to give out the VPN user of that IP address (because they can't).


These IP addresses are also routed through so-called premium PoPs of Cloudflare. I get never routed through IST when connecting to websites on Free plan. Seeing that Cloudflare accepts card payments and PayPal only, why the adversary is not focusing on the payment method that made the purchase?


In theory, one could pay for Cloudflare using prepaid (gift) debit cards paid for with cash. Whether that’s practical or not is a different question.


> one could pay for Cloudflare using prepaid (gift) debit cards paid for with cash.

I think most places require an ID to buy one of those, with cash or otherwise. This may just be a US thing though.


Who's paying the registrar? Can DNS records be paid for anonymously?


The DNS records in this case are hosted on Cloudflare servers, so presumably for free.

If looking at the domain registrar instead, we find the registrar `easyDNS.com`. Their payment options aren't public, so I can't say for sure. I can however say that there is no requirement for domains to be paid through an identifiable mean.

Take for example the registrar `njal.la`, a service founded by Peter Sunde, that accepts payment in various crypto-currency.


That was my original question. I had no idea one could register a domain name without providing identification.


Contrary to popular belief, not everyone is on board with systems aiming to create identifiers that map 1:1 with people. That's a very politically driven philosophy generally intended to enforce a means of auditability or control.

The thing that makes it seemingly inevitable to give up identifying information as part of financial transactions is the nature of Credit/Payment processing/Anti-Money Laundering regulations enforcing a KYC (Know-Your-Customer) component to being a legally operating financial transaction processor.

Do note, this audit trail creation is a big portion of the push to obviate and disincentivise cash transactions. The thinking goes, if you can only use the financial system by identifying your endpoints, there should be a clear audit trail if anything hinky is going on. Unfortunately, the much less well publicized corollary to that is that suddenly payment processors become an effective population scale control mechanism.

This should hopefully cause discomfort on further reflection, but to each their own.


IIRC, they have had their DNS entry cancelled before and at one point was briefly registered in North Korea. Not sure this is the best course of action especially since it can be abused for other purposes once a system is in place for making it possible.


TPB used to host db dumps at https://thepiratebay.org/static/dump/ which would be useful in case it was ever taken down but it seems that they removed them.


But aren't there multiple hosts for TPB?


I’ve wondered for a while why eztv.it doesn’t get any such attention and they’ve been around for nearly as long.


Less of a cool brand? Plus it had a hostile takeover some years ago, original operators are no longer involved.


This illustrates just how hard it is to stay anonymous while conducting commerce. Ie. the pirate bay has been de-anonymized across several political jurisdictions and is one VPN bug or compromise away from being exposed and being shutdown again.

And is interesting to contrast to how seemingly easy it is for the wealthy (people and corporations) to Legally hide their wealth to minimize their taxes.

It’s telling who really has the power.


> is one VPN bug or compromise away from being exposed

You assume they use one vpn, after the sort of attack they suffered in the past? That's naïve.

TPB, by now, is likely a marvel of security engineering. They've definitely put too much trust in legal systems in the past, but I bet they won't make that mistake again.


It would be neat if they could document their setup so that others could benefit and replicate it, but in doing so, that would likely expose them.


Let’s be honest, The Pirate Bay exists and is primarily used to illegally download porn, movies, video games, and other software. You can try to sugar coat what PB can theoretically be used for, but that’s not what it is actually used for. A fraction of a fraction of the data transactions that originate from the PB are for “conducting commerce”. I have no idea what that has to do with people legally following tax codes in multiple jurisdictions for their own financial gain... that just seems smart.

Edit, to add: given what the PB is generally used for, people should not be surprised that content creators are hiring people to try to disrupt its existence.


I have Netflix, Youtube TV, Tivo with OTA, Amazon Prime, Apple TV (from new iphone). I have no problem acquiring new subscriptions.

I still grab stuff off TPB just because it's easier, faster, and more convenient. I cannot stand this cluster-f of gimped interfaces (eg. youtube on pretty much any device), dangling boxes, remote controls, and hdmi switches.

I don't have time for all that crap. TPB downloads appear right at the top of the list of my primary device.

I don't mind paying. But we have to admit television is a mess right now and tpb fixes that mess.

edit: obvious caveat I'm sure many people on tpb are pirate


I 100% agree and am in the same boat - I have many subscriptions and still use TPB at least weekly. I’m just not surprised when I hear that big corps are actively trying to dismantle TPB, nor do I think they are doing anything untoward in actively trying to protect their IP and profit from their media. I wish they would put that money and energy into making their products better and more accessible even when I am trying to pay for them, but that’s just my view. I try to give my money away to watch a number of Euro soccer leagues and nobody will take it. So I pirate all those streams.


Try newline or vanced on Android. They are frontend apps for YouTube that resolve most of the issues


Minor correction, it's "NewPipe".


Bah. The powers that be are abusing their influence over the legislative to completely pervert the original intent of the copyright system. I have not problem whatsoever with TPB existing and applaud its continued presence on the web.

I guess with "Content creators" you mean the multinational corporations that bind the artists, rob them of their creations and strip them of their ability to ever be able to make money from their art?


Just because it's illegal, doesn't mean it's wrong.


Just like a lot of other life pleasures ;)

Remember, it's only external, artificial entities who say something is illegal for you. And often they do not have your best interest at heart. Therefore, live life the way you want to as long as it doesn't infringe on the rights of others.

A true libertarian society would be Heaven on Earth.


It's an odd time to tackle PB for these issues, however. The convenience of streaming services is well worth the cost to most people. Credential sharing is likely a much bigger issue for these markets.


Continuous monitoring via FaceID FTW...


> Let’s be honest, The Pirate Bay exists and is primarily used to illegally download porn

The plebs have digital porn, the rich have Epstein's phone number. A lot of resources is spent investigating the former...


>illegally download porn

People use torrents to download porn? Actually? Why? Why would someone spend the time to torrent porn when there's a bajillion instantaneous free ways of seeing porn?


Quality, niche, continuity of collection after legal/moral societal changes.


Not all porn is equal, I guess?


Huh? I would assume that "conducting commerce" means TPB selling ad space..


Once you stop trying to shove DRM into everything, maybe people will pirate less.


Anti-Piracy wont save any industry which falls for revenue into the panem and circensis category. Your products price-points are capped by a political consesus to keep the population peacefull.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: