Major Private Torrent Sites Have a Security Disaster to Fix Right Now

At least three major torrent sites are currently exposing intimate details of their operations to anyone with a web browser. TorrentFreak understands that the sites use a piece of software that grabs brand-new content from other sites before automatically uploading it to their own. A security researcher tried to raise the alarm but nobody will listen. From the report: To get their hands on the latest releases as quickly as possible, [private torrent sites, or private trackers as they’re commonly known] often rely on outside sources that have access to so-called 0-Day content, i.e., content released today. The three affected sites seem to have little difficulty obtaining some of their content within minutes. At least in part, that’s achieved via automation. When outside suppliers of content are other torrent sites, a piece of software called Torrent Auto Uploader steps in. It can automatically download torrents, descriptions, and associated NFO files from one site and upload them to another, complete with a new .torrent file containing the tracker’s announce URL. The management page [here] has been heavily redacted because the content has the potential to identify at least one of the sites. It’s a web interface, one that has no password protection and is readily accessible by anyone with a web browser. The same problem affects at least three different servers operated by the three sites in question.

Torrent Auto Uploader relies on torrent clients to transfer content. The three sites in question all use rTorrent clients with a ruTorrent Web UI. We know this because the researcher sent over a whole bunch of screenshots and supporting information which confirms access to the torrent clients as well as the Torrent Auto Uploader software. The image [here] shows redactions on the tracker tab for good reason. In a regular setup, torrent users can see the names of the trackers coordinating their downloads. This setup is no different except that these URLs reference three different trackers supplying the content to one of the three compromised sites.

Rather than publish a sequence of completely redacted screenshots, we’ll try to explain what they contain. One begins with a GET request to another tracker, which responds with a torrent file. It’s then uploaded to the requesting site which updates its SQL database accordingly. From there the script starts checking for any new entries on a specific RSS feed which is hidden away on another site that has nothing to do with torrents. The feed is protected with a passkey but that’s only useful when nobody knows what it is. The same security hole also grants direct access to one of the sites’ tracker ‘bots’ through the panel that controls it. Then there’s access to ‘Staff Tools’ on the same page which connect to other pages allowing username changes, uploader application reviews, and a list of misbehaving users that need to be monitored. That’s on top of user profiles, the number of torrents they have active, and everything else one could imagine. Another screenshot featuring a torrent related to a 2022 movie reveals the URL of yet another third-party supplier tracker. Some basic queries on that URL lead to even more torrent sites. And from there, more, and more, and more — revealing torrent passkeys for every single one on the way.

Read more of this story at Slashdot.

Torrent Site User Who Transferred 120TB of Pirated Content Avoids Prison

A torrent site user accused of downloading and uploading at least 120TB of movies, TV shows, eBooks, music and software, has avoided an immediate prison term. The 28-year-old was arrested as part of a police operation against DanishBytes. A member of the same site was sentenced earlier this month after he uploaded Netflix content obtained using hacked credentials. TorrentFreak reports: Early November 2021, Denmark’s Public Prosecutor for Special Economic and International Crime (SOIK) announced that six people had been arrested following criminal referrals by Rights Alliance. All were members and/or operators of ShareUniversity and DanishBytes. Prosecution of site operators is not uncommon but when it’s deemed in the public interest, pirate site users can also face charges. Every case is unique so criteria differ, especially across national borders, but when evidence shows large volumes of infringement, successful prosecutions become more likely. That was the case when a former DanishBytes user was sentenced last week. According to Danish anti-piracy group Rights Alliance, the 28-year-old man was a regular site member and wasn’t involved in running the site. That being said, evidence showed that for the period January 2021 to November 2021, he downloaded and/or uploaded no less than 3,000 copyrighted works, including movies, TV shows, music, books, audiobooks and comics.

Information released by the National Unit for Special Crimes (NSK), a Danish police unit focused on cybercrime, organized crime, and related financial crime, reveals that the user’s traffic statistics interested prosecutors. “During the period, the man downloaded no less than 100 TB and uploaded no less than 20 TB of copyrighted material,” NSK says. BitTorrent trackers operating a ratio model usually insist on a better ratio of downloads to uploads but DanishBytes’ situation was out of the ordinary.

The site launched in January 2021 in the wake of other sites being shut down, so had to get going from a standing start with no users. Even when arrests were being made, the site still had a relatively small userbase, which can limit opportunities to upload more. That may have been a blessing in disguise. Faced with the evidence, the man decided to plead guilty and was sentenced last week at the Court in Viborg. In common with similar prosecutions recently, he received a suspended conditional sentence of 60 days’ probation, 80 hours of community service, and confiscation of his computer equipment. The case against the DanishBytes user began with a Rights Alliance investigation and a referral to the police. As part of his sentence, the man must pay the anti-piracy group DKK 5,000 (US$600) in compensation but Rights Alliance director Maria Fredenslund is focused on the deterrent effect of another successful prosecution.


US Navy Forced To Pay Software Company For Piracy

The U.S. Navy was found guilty of piracy and ordered to pay a software company $154,400 for a lawsuit filed back in 2016. Gizmodo reports: The company, Bitmanagement Software GmbH, filed a complaint against the Navy, accusing the military branch of copyright infringement. GmbH claimed they had issued 38 copies of their 3D virtual reality software, BS Contact Geo, but while they were still in negotiations for additional licenses, the Navy installed the software onto at least 558,466 machines between 2013 and 2015. In the court filing (PDF), GmbH claimed, “Without Bitmanagement’s advance knowledge or consent, the Navy installed BS Contact Geo onto hundreds of thousands of computers. Bitmanagement did not license or otherwise authorize these uses of its software, and the Navy has never compensated Bitmanagement for these uses of Bitmanagement’s software.”

The company sued the Navy for nearly $600 million for “willful copyright infringement” of the software which, according to the vendor’s website, is a 3D viewer that “enables you to visualize and interact with state of the art 2D/3D content,” and is based on digital data captured from “various sources (land surveys, CAD, satellite imagery, airborne laser scanning, etc).” The court filings stated that after GmbH filed the lawsuit in July 2016, the Navy uninstalled the BS Contact Geo software from all of its computers and “subsequently reinstalled the software on 34 seats, for inventory purposes.” GmbH wrote in the court filing, “The government knew or should have known that it was required to obtain a license for copying Bitmanagement software onto each of the devices that had Bitmanagement software installed. The government nonetheless failed to obtain such licenses.”


Court Upholds Piracy Blocking Order Against Cloudflare’s 1.1.1.1 DNS Resolver

The Court of Rome has confirmed that Cloudflare must block three torrent sites through its public 1.1.1.1 DNS resolver. The order applies to kickasstorrents.to, limetorrents.pro, and ilcorsaronero.pro, three domains that are already blocked by ISPs in Italy following an order from local regulator AGCOM. TorrentFreak reports: Disappointed by the ruling, Cloudflare filed an appeal at the Court of Milan. The internet infrastructure company doesn’t object to blocking requests that target its customers’ websites but believes that interfering with its DNS resolver is problematic, as those measures are not easy to restrict geographically. “Because such a block would apply globally to all users of the resolver, regardless of where they are located, it would affect end users outside of the blocking government’s jurisdiction,” Cloudflare recently said. “We therefore evaluate any government requests or court orders to block content through a globally available public recursive resolver as requests or orders to block content globally.” At the court of appeal, Cloudflare argued that DNS blocking is an ineffective measure that can be easily bypassed, with a VPN for example. In addition, it contested that it is subject to the jurisdiction of an Italian court.

Cloudflare’s defenses failed to gain traction in court and its appeal was dismissed. DNS blocking may not be a perfect solution, but that doesn’t mean that Cloudflare can’t be compelled to intervene. […] Cloudflare believes that these types of orders set a dangerous precedent. The company previously said that it hadn’t actually blocked content through the 1.1.1.1 Public DNS Resolver. Instead, it implemented an “alternative remedy” to comply with the Italian court order.


RIAA Flags ‘Artificial Intelligence’ Music Mixer As Emerging Copyright Threat

The RIAA has submitted its most recent overview of notorious markets to the U.S. Trade Representative. As usual, the music industry group lists various torrent sites, cyberlockers and stream-ripping services as familiar suspects. In addition, several ‘AI-based’ music mixers and extractors are added as an emerging threat. TorrentFreak reports: “There are online services that, purportedly using artificial intelligence (AI), extract, or rather, copy, the vocals, instrumentals, or some portion of the instrumentals from a sound recording, and/or generate, master or remix a recording to be very similar to or almost as good as reference tracks by selected, well known sound recording artists,” RIAA writes.

Songmastr is one of the platforms that’s mentioned. The service promises to “master” any song based on the style of well-known music artists such as Beyonce, Taylor Swift, Coltrane, Bob Dylan, James Brown and many others. The site’s underlying technology is powered by the open-source Matchering 2.0 code, which is freely available on GitHub. And indeed, its purported AI capabilities are prominently in the site’s tagline. “This service uses artificial intelligence and is based on the open source library Matchering. The algorithm masters your track with the same RMS, FR, peak amplitude and stereo width as the reference song you choose,” Songmastr explains.

Where Artificial Intelligence comes into play isn’t quite clear to us. The same can be said for the Acapella-Extractor and Remove-Vocals websites, which the RIAA lists in the same category. The names of these services are pretty much self-explanatory; they can separate the vocals from the rest of a track. The RIAA logically doesn’t want third parties to strip music or vocals from copyrighted tracks, particularly when these derivative works are further shared with others. While Songmastr’s service is a bit more advanced, the RIAA sees it as clearly infringing. After all, the original copyrighted tracks are used by the site to create derivative works, without the necessary permission. […] The RIAA is clearly worried about these services. Interestingly, however, the operator of Songmastr and Acapella-Extractor informs us that the music group hasn’t reached out with any complaints. But perhaps they’re still in the pipeline. The RIAA also lists various torrent sites, download sites, streamrippers, and bulletproof ISPs in its overview, all of which can be found in the full report (PDF) or listed at the bottom of TorrentFreak’s article.


Court Orders Telegram To Disclose Personal Details of Pirating Users

The High Court in Delhi ordered Telegram to share the personal details of copyright-infringing users with rightsholders. The messaging app refused to do so, citing privacy concerns and freedom of speech, but the court waved away these defenses, ordering the company to comply with Indian law. TorrentFreak reports: Telegram doesn’t permit copyright infringement and generally takes swift action in response. This includes the removal of channels that are dedicated to piracy. For some copyright holders that’s not enough, as new ‘pirate’ channels generally surface soon after. To effectively protect their content, rightsholders want to know who runs these channels. This allows them to take action against the actual infringers and make sure that they stop pirating. This argument is the basis of an infringement lawsuit filed in 2020.

The case in question was filed by Ms. Neetu Singh and KD Campus. The former is the author of various books, courses, and lectures, for which the latter runs coaching centers. Both rightsholders have repeatedly complained to Telegram about channels that shared pirated content. In most cases, Telegram took these down, but the service refused to identify the infringers. As such, the rightsholders asked the court to intervene. The legal battle culminated in the Delhi High Court this week via an order compelling Telegram to identify several copyright-infringing users. This includes handing over phone numbers, IP addresses, and email addresses.

The order was issued despite fierce opposition. One of Telegram’s main defenses was that the user data is stored in Singapore, which prohibits the decryption of personal information under local privacy law. The Court disagrees with this argument, as the ongoing infringing activity is related to Indian works and will likely be tied to Indian users. And even if the data is stored elsewhere, it could be accessed from India. Disclosing the personal information would not be a violation of Singapore’s privacy law either, the High Court adds, pointing out that there is an exception if personal details are needed for investigation or proceedings.

Telegram also brought up the Indian constitution, which protects people’s privacy, as well as the right to freedom of speech and expression. However, that defense was unsuccessful too. Finally, Telegram argued that it is not required to disclose the details of its users because the service merely acts as an intermediary. Again, the Court disagrees. Simply taking infringing channels offline isn’t good enough in this situation, since infringers can simply launch new ones, as if nothing had happened.


Pirate Site Blocking Is Making Its Way Into Free Trade Agreements

The new free trade agreement between Australia and the UK includes a site blocking paragraph. The text requires the countries to provide injunctive relief to require ISPs to prevent subscribers from accessing pirate sites. While this doesn’t change much for the two countries, rightsholders are already eying similar requirements for trade deals with other nations. TorrentFreak reports: The inclusion of a blocking paragraph in the copyright chapter of the trade deal was high on the agenda of various copyright holder groups. Following a series of hearings and consultations, both countries settled on the following text:

1. Each Party shall provide that its civil judicial authorities have the authority to grant an injunction against an ISP within its territory, ordering the ISP to take action to block access to a specific online location, in cases where:
(a) that online location is located outside the territory of that Party; and
(b) the services of the ISP are used by a third party to infringe copyright or related rights in the territory of that Party.

2. For greater certainty, nothing in this Article precludes a Party from providing that its judicial authorities may grant an injunction to take action to block access to online locations used to infringe intellectual property rights in circumstances other than those specified in paragraph 1.

This hasn’t gone unnoticed by the Alliance for Intellectual Property, which represents rightsholder organizations such as the MPA, BPI, and the Premier League. The group repeatedly urged the UK Government to include site-blocking powers in the agreement. In a recent submission to the UK Government, the Alliance once again stresses the importance of site blocking, while also hinting at broadening the current anti-piracy toolbox. “It has become a hugely valuable tool in the armory of rights holders looking to protect their IP. It is vital that the UK Government ensures the preservation of the no-fault injunctive relief regime,” the Alliance writes. “We would also encourage the opening of dialogue, wherever possible, to share experience around UK practices and to encourage faster, more efficient website blocking procedures, whether through civil, criminal, administrative or voluntary means.”

The site-blocking language is already included in the latest trade deal draft but the Alliance is also looking ahead at future agreements with other countries. In this context, the blocking paragraph will send a clear message. “We would therefore urge the UK Government to include reference to the site blocking legislation in the FTA with Australia as it will send an important message to future countries that we might chose [sic] to negotiate trade agreements with.” The Alliance for Intellectual Property doesn’t mention any other countries by name. However, it specifically references a report from the U.S. Copyright Office where site blocking was mentioned as a potential future anti-piracy option. In the same report, the Copyright Office also stressed that further research would be required on the effect and impact of a U.S. site-blocking scheme, but the idea wasn’t dismissed outright.


ACE Shuts Down Massive Pirate Site After Locating Owner In Remote Peru

As part of its global anti-piracy mission, the Alliance for Creativity and Entertainment (ACE) has been trying to shut down Pelisplushd.net, a massive pirate streaming site with roughly 70 million visits per month. After tracking down its operator in the remote countryside of Peru, the anti-piracy group says the site is no more. TorrentFreak reports: In a statement published Wednesday, ACE officially announced that it was behind the closure of Pelisplushd.net. The anti-piracy group labeled the platform the second-largest Spanish-language ‘rogue website’ in the entire Latin American region with 383.5 million visits in the past six months and nearly 75 million visits in February 2022. In Mexico alone, the site had more visitors than hbomax.com, disneyplus.com and primevideo.com, a clear problem for those platforms which are all ACE members.

“This is a huge win for the ACE team based in Latin America as we work to protect the legitimate digital ecosystem throughout the region,” said Jan van Voorn, Executive Vice President and Chief of Global Content Protection for the Motion Picture Association. “The successful action against the operator of Pelisplushd.net was only made possible because of evidence that we gathered from previous operations conducted in other countries in Latin America. “This speaks volumes about ACE’s ability to crack current cases utilizing years of past gathered intelligence and highlights the global, strategic approach that determines our actions around the world.”

The operator of Pelisplushd is yet to be named but ACE reveals that after a positive identification, the anti-piracy group tracked him down to the “remote countryside of Peru.” That took place in March and soon after, ACE says the operator agreed to turn over his domains. As far as we can tell the main domain at Pelisplushd.net is not yet completely in ACE/MPA hands but a full transfer will probably take place later.


TorGuard Settles Piracy Lawsuit, Agrees To Block Torrent Traffic On US Servers

TorGuard has settled a copyright infringement lawsuit filed by several movie companies last year. The VPN provider stood accused of failing to take action against subscribers who were pirating films. As part of the settlement, TorGuard agrees to block BitTorrent traffic on U.S. servers; however, it stresses that user privacy is in no way affected by this decision. TorrentFreak reports: “Pursuant to a confidential settlement agreement, Plaintiffs have requested, and Defendant has agreed to use commercially reasonable efforts to block BitTorrent traffic on its servers in the United States using firewall technology,” a joint statement reads. This is quite a far-reaching measure as a broad BitTorrent blockade will also affect legal traffic, which includes software updates from Twitter and Facebook. That said, people can still use BitTorrent on servers in other regions. […]

The company confirms that it’s blocking torrent traffic on U.S. servers, but that doesn’t change anything for the privacy of users. “TorGuard has not been forced to log network usage data. Due to the nature of shared IP’s and related hardware technicalities of how TorGuard’s network was built it is impossible for us to do so,” the VPN provider writes. “We have a responsibility to provide high quality uninterrupted VPN and proxy services to our client base at large while mitigating any related network abuse that should arise. This commitment to user privacy and service reliability is the reason we have taken measures to block Bittorrent traffic on servers within the United States.”
