Off-the-cuff bravado aimed at internet pranksters has led to what must already rank as one of the worst ever data leaks, by the anti-filesharing solicitors ACS:Law. The personal details of thousands of ISP customers accused of unlawfully sharing pornography, as well as video games, are now freely available online. The …
No hack involved, blunders all round.
Nice and brief El Reg!
It must go into the books somewhere I'd suggest somewhere near JS after all 4chan couldn't hit an elephant at that dist.....
I presume that not only can the Data protection Dude do them for £500k, there will be a lot of rather pissed off downloaders who can sue them as well.
Oh whoa. What a shame for them.
New icon please
Can we have a Guy Fawkes Mask icon now, please?
YES YES YES
AND MORE YES
+1 cowbell as well please.
Given the amount of /b/tards /i/nsurgents and assorted anons I see posting here it'd make a lot of people happy.
And no, I didn't break rules 1 & 2 saying that!
Stupidity or malice?
While the fellow in charge of ACS:Law was clearly unaware of the temperature of the pot he was stirring with his comments, I am surprised that a website restoration would go THAT badly awry, and another fairly obvious explanation would be that a particularly adept 4chan type got into their network and surreptitiously "adjusted" ACS:Law's website with the private data. Certainly if I were ACS:Law that'd be my defense, anyway.
If that were the case,
how did the hypothetical 4chaner get hold of that data, if it wasn't exposed through their website, without adequate protection?
Perhaps I'm being misinterpreted. I'm agreeing that their data was clearly inadequately protected, and that they do deserve whatever legal punishment they face. What I'm wondering was who specifically exposed the data to the website? A stupid ACS:Law person, or a malicious 4chaner?
Or a malicious ACS:Law person....?
"I am surprised that a website restoration would go THAT badly awry"
Upload last backup to web directory. Restore.
Whoops, I didn't kill the webserver first.
I would say that such processes should be automated but that brings its own possibilities...
Need you ask
While the media likes to make out that 4Chan is just a bunch of teenagers playing silly pranks, some of its members are extremely skilled hackers. If they put their heads together there's probably enough hacking talent on 4Chan to get into just about any system, let alone into the off-the-shelf website commissioned by that particular company.
The odds are that their security procedure was to turn automatic updates on and then leave to get on with things itself.
They probably just installed a web server package onto a second server and plugged that into the net to cope with the extra demand caused by the DDoS, not realizing that the second server had sensitive information on it.
Or a stupid 4channer?
(oh. bugger. don't hack me bro)
for the idiots who can't see what's going to try to happen next..
Not going to spell it out entirely but, use your imagination...
Speaking to BBC News, Mr Crossley said there were "legal issues" surrounding the leak.
wriggle wriggle wriggle
Nothing so complex
You guys think way too technically for this.
ACS don't have their own servers or anything of the sort; their account was previously hosted on a shared cPanel hosting account at Dataflame (probably costing them about a fiver a month). When Dataflame cancelled their account following the DDoS they will have provided ACS with a backup of the account (cPanel will generate restorable account backups, including all email content), which ACS will then have uploaded to their new account with whoever their new shared cPanel host is, to then restore the backup into a working account.
Stupidity, however, meant that instead of uploading the backup to the account's root to be restored from there (which is not publicly accessible), they uploaded it to the account's public_html folder (which is).
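The failure mode described in that comment (an account backup dropped into public_html instead of the account root) is easy to catch with a routine sweep of the web root. The following is an added example, not code from the original thread or from cPanel: a small checker that walks a web root and flags archive, dump and backup-style filenames that should never be publicly served. The `backup-*.tar.gz` pattern is an assumption about cPanel's backup naming, and the sample directory it builds is constructed for the demo.

```python
import os
import re
import tempfile

# Filenames that have no business sitting in a public web directory:
# account backups, archives, database dumps and editor/backup leftovers.
RISKY_PATTERNS = [
    r"^backup-.*\.tar\.gz$",          # assumed cPanel-style account backup name
    r"\.(tar|tgz|tar\.gz|zip|7z|rar)$",  # generic archives
    r"\.(sql|sql\.gz|bak|old|orig|swp)$",  # dumps and stray copies
    r"^\.env$",                        # credentials file
]
_RISKY = [re.compile(p, re.IGNORECASE) for p in RISKY_PATTERNS]


def find_exposed_files(webroot):
    """Return relative paths under webroot whose names match a risky pattern."""
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if any(rx.search(name) for rx in _RISKY):
                rel = os.path.relpath(os.path.join(dirpath, name), webroot)
                hits.append(rel)
    return sorted(hits)


def build_demo_webroot():
    """Construct a throwaway public_html with one misplaced backup and one dump."""
    root = tempfile.mkdtemp(prefix="public_html_")
    os.makedirs(os.path.join(root, "css"))
    os.makedirs(os.path.join(root, "uploads"))
    for rel in ("index.html", "css/style.css", "uploads/letter.pdf",
                "backup-example-account.tar.gz", "clients.sql"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("constructed sample content\n")
    return root


if __name__ == "__main__":
    demo = build_demo_webroot()
    for path in find_exposed_files(demo):
        print("EXPOSED:", path)
```

Run it against a real document root (`find_exposed_files("/home/user/public_html")`) after any restore; anything it lists should be moved out of the served tree before the site goes live.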
Some mention on IRC that ACS paid TalkTalk £20 per customer and Sky a sum of £7899.76, maybe court orders not in place for all cases? Could just be rumour though.
You can get a court order asking for the details to be released, but you have to pay reasonable administrative costs for the efforts entailed in releasing such details. Much like the £10 cover charge to get your own details from a company under the DPA.
To quote a comment in a previous Reg article about this ....
Thank you Chris for being the first of the higher profile news outlets to come out and say it. There was no hack involved. This was sheer incompetence. I've spent 24 hours trying to get other 'hacks' to correct their reporting of this and have finally given up now that the consensus appears to be that "4Chan hacked the site and stole the data"
It wasn't even 4Chan, which is just a means these people use to co-ordinate information.
So how do you know no hack was involved? If they were stupid enough to have done such a crap restore job in the first place, they were stupid enough to have crap security allowing a hack of that sort. All we're agreed upon, it seems, is that they were stupid.
OK, enough is enough
IglooDude and some others (The Other Steve), you're really having lots of problems understanding this aren't you...
you get that wound up about this sort of thing that you go around emailing journos to get them to change their articles? Seriously?
4chan gets WAY too much credit and news time these days
True. And 4chan as an entity gets way too much credit for being behind stuff like this. It may be that one member of 4chan has some noobish "hacking" skills and manages to pull off a stunt and post the results to 4chan. However, in the press the whole community gets credit as some kind of elite hacking group rather than what it really is: a loose-knit community of mostly socially maladjusted teenage misfits looking for validation among other equally socially maladjusted teenage misfits, and not forgetting free pr0n.
It's amazing what a group of unremarkable people with unremarkable ideas can achieve simply when there is enough of them working together; however, even the few decent memes originating from 4chan are the result of one or two half bright individuals whose work just gets repeated ad infinitum by the millions of dullards that hang out on the boards until people can't help but take notice. OK so they invented LOLcats (for which I do have some appreciation) but you'd think they invented the Internet the way some people go on about them!
At least some 4chan members are self-aware enough to recognise and acknowledge they are the scum of the Internet and prefer it that way, rather than pretending they are its saviours.
If any of the news reporters spent more than 5 minutes on this site and giving it some independent scrutiny rather than slavishly following whatever they think will get them page views and Internet credibility they'd realise this and stop giving this website credibility and news time it doesn't deserve.
"don't mess with 4chan", eh?
Because even if you don't mess with 4chan, they might just shit on you anyway.
It's like a hornet's nest
...best not to whack it with a stick, but that's no guarantee it won't sting you.
For some reason your comment made me think of the Epilepsy Foundation forum raid... there's not always a noble intent to the actions of the "Internet Hate Machine"
Not only ACS can be sued
But it looks like all of the BT customers could also sue them too.
Might make any court cases brought by ACS interesting as well. The leaking of the data could well be considered to prejudice a fair trial, so the judge might well just choose to throw out all the cases.
Then there would be the reliability of the data: if the data cannot even be handled in a legal way by the ISP, who is to say that it was acquired in a way which includes sufficient safeguards to be used as evidence in a court case? Without strong encryption and signing there could be no proof that the data hasn't been modified. So again this would make a trial difficult.
Then of course ACS' clients might feel that they have screwed up any chance of their seeking legal redress, and they might feel that they should sue ACS for professional incompetence. Hmmm, the list goes on.
Maybe he should be glad of the long queues at the coffee shop. The legal profession are after him, the ICO are after him, his victims will probably be after him and now his clients. He might well need a job in a coffee shop when all this is said and done.
Only all the people I come across in coffee shops are better than that.
I found myself wondering, does he eat croissants with his coffee? Only this could explain why he was away for long enough to be, um, p\/\/|\|d, j00 kn0\/\/ \/\/hat I mean? ;-)
1 D0nt kn0w wHat U Mean.
Speak English or be quiet.
I th||\|k j00 me|\|t j00 |\| you. Pip, pip old boi.
Just gets better.
And I couldn't honestly be that hard on the techies who bungled putting the site back up while under pressure.
But what idiots thought leaving documents like that unprotected on the website was a good idea? The only thing protecting them was that people didn't know they were there. No doubt some idiot solicitor demanded he be able to access them anywhere, passwords were too hard to remember and it had to be NOW.
All works fine until you rebuild your Apache and have the wrong default document configured.
You are absolutely correct
“Ali, just one more thing concerning the LoC generation, would you kindly remove password protection on the PDFs, as requested by the fulfilment centre during the last run of data. Thanks.”
By all means, remove passwd protection on the PDFs. That way, if the backup ends up in the webroot someday, the world will be able to see everything ))
Hoist by his own petard, perhaps?
Couldn't have happened to a nicer man...
Under investigation by the SRA.
Facing possible fines of £500K.
Can we possibly hope that these things come in threes, and these scumbags face criminal proceedings of some sort?
So now we can look into the murky pool
that is ACS:LAW and their relationship with our ISPs and the courts, according to some sources.
I'll bet a few ISPs are wringing their hands as well. It will be interesting to see, when everything has been read and analysed, who really is fighting our corner and who is stiffing us.
That is where the rubber hits the road, and it may be a major factor in determining which ISPs come out of the recession with their user base intact. BT already had Phorm.
Bruce Schneier wrote the book on email encryption
So why didn't BT read it?
If they had encrypted the data sent to ACS:Law, or simply used a password-protected link to an SSL site, sensitive details of their customers' downloading habits would not be all over the internet.
It is not just ACS:Law who should be paying fines of £500,000.
Ian Livingston should be digging deep into his pockets too. Their incompetence is inexcusable.
I haven't read Bruce's book. Despite having implemented some email encryption solutions... But I expect BT could argue that they transmitted the document in question over an encrypted TLS channel and that further encryption wasn't required.
Many email servers now use TLS first and fall back on plain text.
Whether a company as large as BT has sufficient log history to prove that is debatable.
Whether the connection was forced to be TLS (if indeed it was) or if it was just "luck" is also debatable.
Whether anyone has ever checked certs from both ends is unlikely.
The fact that ACS Law stored and published highly sensitive data unencrypted on their own web server doesn't imply or mean that this data wasn't sent to them securely by ISPs who provided this data, presumably because it would have been illegal not to do so because a court warrant was obtained.
ACS:Law : "Criminal" attack on website
The "criminal" attack on their website is different to their criminal breach of Data Protection Laws by ACS:Law. Thank you, El Reg, for making this so clear.
Andrew Crossley knows this, I'm sure, but is trying to spin for PR (in my humble opinion).
It was serendipity on the part of Anons, from all corners of the net, not just 4chan but anti-anti-piracy activists and good people who never/rarely go to 4chan. Never underestimate the creativity of a bored bunch of teens.
Partyvan.info has always been the main hub, but as it's very decentralised, there are lots of little hubs.
I would remind people with weak stomachs not to peruse the 4chan boards.
Everyone talks about 4chan as if it only has one board; it has plenty of boards that are completely safe for work. It even has a bunch of text-only boards. Unless they got rid of all the work-safe boards in the last four or so years.
Never underestimate the creativity of a bored bunch of teens?
Are you sure that they're teens? Not middle aged men pretending to be teens?
There appear to be more teens on the web than there are teens in the world. Half of them are little kids pretending to be older, and the other half are adults pretending to be younger. There's probably a couple of real teens there. Just by pure chance. They are the ones who are sitting around looking confused while everybody around them talks about Hannah Montana and The Who.
>Middle Aged men pretending to be teens
There seems to be something about supposed anonymity on the net which reduces the mental age and social conscience of many males to be somewhere between 13 and 15.
There's a lot of us teens online because we have a shitload of free time compared to adults doing, say, a typical 9-5, and we've grown up with technology so are for the most part familiar with its basic workings (unlike some people; I'm not going to go so far as to say understand it...)
Well, I would say it depends.
As you rightly say not all content on 4Chan is sufficiently disturbing to be considered NSFW...
BUT... let me just put it this way, would you want your superiors noting you had visited a place like 4Chan?
I find it rather odd that this only "could" cost them up to £500K. A breach like this could actually bring some real harm to those named, yet the firm responsible has only the relatively toothless ICO to answer to, while filesharers are pursued for many thousands per song.
I'm not arguing that filesharing is right or wrong, but it's a nice demonstration of the complete lack of a sane perspective on things.
If a company destroys the privacy of thousands, they might get a (very) tiny dent in their end of year bottom line, but an individual who torrents an album will be dragged through the courts for years or bullied into payment.
I would assume (but IANAL) that this is a penalty that is imposed in addition to damages claimed in any civil cases brought by people harmed by the disclosure. In this instance I would imagine a couple of ambulance chaser lawfirms have downloaded the lists and are currently approaching potential clients in a class action case.
True. How about, given the nature of the data, 500K per infraction? Now, um... how many names were there? :-)
I'll bet ACS is really regretting what they've been up to now with a possible £500k fine and possible other lawsuits from everyone at risk now =]
This has really made my day, they deserved this 100%
His train was late too. Poor fellow.