Tis better
No hack involved, blunders all round.
Nice and brief El Reg!
It must go into the books somewhere I'd suggest somewhere near JS after all 4chan couldn't hit an elephant at that dist.....
Off-the-cuff bravado aimed at internet pranksters has led to what must already rank as one of the worst ever data leaks, by the anti-filesharing solicitors ACS:Law. The personal details of thousands of ISP customers accused of unlawfully sharing pornography, as well as video games, are now freely available online. The …
While the fellow in charge of ACS:Law was clearly unaware of the temperature of the pot he was stirring with his comments, I am surprised that a website restoration would go THAT badly awry, and another fairly obvious explanation would be that a particularly adept 4chan type got into their network and surreptitiously "adjusted" ACS:Law's website with the private data. Certainly if I were ACS:Law that'd be my defense, anyway.
Perhaps I'm being misinterpreted. I'm agreeing that their data was clearly inadequately protected, and that they do deserve whatever legal punishment they face. What I'm wondering was who specifically exposed the data to the website? A stupid ACS:Law person, or a malicious 4chaner?
You guys think way too technically for this.
ACS don't have their own servers or anything of the sort. Their account was previously hosted on a shared cPanel hosting account at Dataflame (probably costing them about a fiver a month). When Dataflame cancelled their account following the DDoS they will have provided to ACS a backup of the account (cPanel will generate restorable account backups, including all email content), which ACS will have then uploaded to their new account with whoever their new shared cPanel host is, to then restore the backup into a working account.
Stupidity, however, meant that instead of uploading the backup to the account's root to be restored from there (which is not publicly accessible) they uploaded it to the account's public_html folder (which is).
While the media likes to make out that 4Chan is just a bunch of teenagers playing silly pranks, some of its members are extremely skilled hackers. If they put their heads together there's probably enough hacking talent on 4Chan to get into just about any system, let alone into the off-the-shelf website commissioned by that particular company.
The odds are that their security procedure was to turn automatic updates on and then leave to get on with things itself.
They probably just installed a web server package onto a second server and plugged that into the net to cope with the extra demand caused by the DDoS, not realizing that the second server had sensitive information on it.
Thank you Chris for being the first of the higher profile news outlets to come out and say it. There was no hack involved. This was sheer incompetence. I've spent 24 hours trying to get other 'hacks' to correct their reporting of this and have finally given up now that the consensus appears to be that "4Chan hacked the site and stole the data".
It was not even 4Chan, which is just a means these people use to co-ordinate information.
True. And 4chan as an entity gets way too much credit for being behind stuff like this. It may be that one member of 4chan has some noobish "hacking" skills and manages to pull off a stunt and post the results to 4chan. However, in the press the whole community gets credit as some kind of elite hacking group rather than what it really is: a loose-knit community of mostly socially maladjusted teenage misfits looking for validation among other equally socially maladjusted teenage misfits, and not forgetting free pr0n.
It's amazing what a group of unremarkable people with unremarkable ideas can achieve simply when there is enough of them working together; however, even the few decent memes originating from 4chan are the result of one or two half bright individuals whose work just gets repeated ad infinitum by the millions of dullards that hang out on the boards until people can't help but take notice. OK so they invented LOLcats (for which I do have some appreciation) but you'd think they invented the Internet the way some people go on about them!
At least some 4chan members are self-aware enough to recognise and acknowledge they are the scum of the Internet and prefer it that way, rather than pretending they are its saviours.
If any of the news reporters spent more than 5 minutes on this site and giving it some independent scrutiny rather than slavishly following whatever they think will get them page views and Internet credibility they'd realise this and stop giving this website credibility and news time it doesn't deserve.
But it looks like all of the BT customers could also sue them too.
Might make any court cases brought by ACS interesting as well. The leaking of the data could well be considered to prejudice a fair trial, so the judge might well just choose to throw out all the cases.
Then there would be the reliability of the data: if the data cannot even be handled in a legal way by the ISP, who is to say that it was acquired in a way which includes sufficient safeguards to be used as evidence in a court case? Without strong encryption and signing there could be no proof that the data hasn't been modified. So again this would make a trial difficult.
Then of course ACS' clients might feel that they have screwed up any chance of their seeking legal redress and they might feel that they should sue ACS for professional incompetence. Hmmm, the list goes on.
Maybe he should be glad of the long queues at the coffee shop. The legal profession are after him, the ICO are after him, his victims will probably be after him and now his clients. He might well need a job in a coffee shop when all this is said and done.
Only all the people I come across in coffee shops are better than that.
And I couldn't honestly be that hard on the techies who bungled putting the site back up while under pressure.
But what idiots thought leaving documents like that unprotected on the website was a good idea? The only thing protecting them was that people didn't know they were there. No doubt some idiot solicitor demanded he be able to access them anywhere, passwords were too hard to remember and it had to be NOW.
All works fine until you rebuild your Apache and have the wrong default document configured.
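The two failure modes described in this thread, a cPanel backup dropped into public_html, and an Apache rebuild that ends up serving a directory listing, are both catchable before the site goes live. The script below is an added example written for this page, not code from the thread, from ACS:Law or from any of the hosts named. It assumes the document root is passed as an argument and that the backup was an archive (cPanel full backups are tarballs named along the lines of backup-<date>_<user>.tar.gz; the exact filename is an assumption). It refuses to publish when archive, dump or backup files are found under the web root, and prints an Apache snippet that switches off directory indexes and denies those extensions outright as a second line of defence.

```shell
#!/bin/sh
# Added example (not from the thread or any named host): a pre-publish gate
# for a shared-hosting web root. Assumption: the document root is argument 1.

# List files under the web root that match common archive, dump or backup
# names. None of these should ever live inside public_html.
list_exposed_backups() {
  find "$1" -type f \( -name '*.tar.gz' -o -name '*.tgz' -o -name '*.tar' \
      -o -name '*.zip' -o -name '*.sql' -o -name '*.sql.gz' \
      -o -name '*.bak' -o -name '*~' \) 2>/dev/null
}

# Count of offending files, printed as a bare number (0 when clean).
count_exposed_backups() {
  list_exposed_backups "$1" | wc -l | tr -d ' '
}

# Gate: return 0 only when the web root is clean; otherwise list the
# offending paths on stderr and return 1 so a deploy script can abort.
check_docroot() {
  n=$(count_exposed_backups "$1")
  if [ "$n" -ne 0 ]; then
    echo "refusing to publish: $n archive/backup file(s) under $1" >&2
    list_exposed_backups "$1" >&2
    return 1
  fi
  return 0
}

# Defence in depth for the "wrong default document" case: with -Indexes a
# missing index.html yields 403 instead of a file listing, and archive or
# dump extensions are refused even if one is uploaded by mistake later.
apache_hardening_snippet() {
  cat <<'EOF'
Options -Indexes
<FilesMatch "\.(tar|tgz|tar\.gz|zip|sql|sql\.gz|bak)$">
    Require all denied
</FilesMatch>
EOF
}

# Usage: sh check_webroot.sh /home/<user>/public_html
if [ $# -gt 0 ]; then
  check_docroot "$1" && echo "web root clean; suggested Apache settings:" \
    && apache_hardening_snippet
fi
```

Run it from the deploy step that restores the cPanel backup, before DNS is pointed at the new host; the restore itself belongs one level up, in the account root, which the script treats as out of scope by only walking the directory it is given.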
You are absolutely correct
“Ali, just one more thing concerning the LoC generation, would you kindly remove password protection on the PDFs, as requested by the fulfilment centre during the last run of data. Thanks.”
By all means, remove passwd protection on the PDFs. That way, if the backup ends up in the webroot someday, the world will be able to see everything ))
That is ACS:LAW and their relationship with our ISPs and the courts, according to some sources.
I'll bet a few ISPs are wringing their hands as well. It will be interesting to see when everything has been read and analysed who really is fighting our corner and who is stiffing us.
So why didn't BT read it?
If they had encrypted the data sent to ACS:Law, or simply used a password protected link to an SSL site, sensitive details of their customers' downloading habits would not be all over the internet.
It is not just ACS:Law who should be paying fines of £500,000.
Ian Livingston should be digging deep into his pockets too. Their incompetence is inexcusable.
I haven't read Bruce's book. Despite having implemented some email encryption solutions... But I expect BT could argue that they transmitted the document in question over an encrypted TLS channel and that further encryption wasn't required.
Many email servers now use TLS first and fall back on plain text.
Whether a company as large as BT has sufficient log history to prove that is debatable.
Whether the connection was forced to be TLS (if indeed it was) or if it was just "luck" is also debatable.
Whether anyone has ever checked certs from both ends is unlikely.
The fact that ACS Law stored and published highly sensitive data unencrypted on their own web server doesn't imply or mean that this data wasn't sent to them securely by ISPs who provided this data, presumably because it would have been illegal not to do so because a court warrant was obtained.
The "criminal" attack on their website is different to their criminal breach of Data Protection Laws by ACS:Law. Thank you, El Reg, for making this so clear.
Andrew Crossley knows this, I'm sure, but is trying to spin for PR (in my humble opinion).
It was serendipity on the part of Anons, from all corners of the net, not just 4chan but anti-anti-piracy activists and good people who never/rarely go to 4chan. Never underestimate the creativity of a bored bunch of teens.
Partyvan.info has always been the main hub, but as it's very decentralised, there are lots of little hubs.
I would remind people with weak stomachs not to peruse the 4chan boards.
Are you sure that they're teens? Not middle aged men pretending to be teens?
There appear to be more teens on the web than there are teens in the world. Half of them are little kids pretending to be older, and the other half are adults pretending to be younger. There's probably a couple of real teens there. Just by pure chance. They are the ones who are sitting around looking confused while everybody around them talks about Hannah Montana and The Who.
There's a lot of us teens online because we have a shitload of free time as compared to adults doing say a typical 9-5, and we've grown up with technology so are for the most part familiar with its basic workings (unlike some people; I'm not going to go so far as to say understand it...)
I find it rather odd that this only "could" cost them up to £500K. A breach like this could actually bring some real harm to those named, yet the firm responsible has only the relatively toothless ICO to answer to, while filesharers are pursued for many thousands per song.
I'm not arguing that filesharing is right or wrong, but it's a nice demonstration of the complete lack of a sane perspective on things.
If a company destroys the privacy of thousands, they might get a (very) tiny dent in their end of year bottom line, but an individual who torrents an album will be dragged through the courts for years or bullied into payment.
I would assume (but IANAL) that this is a penalty that is imposed in addition to damages claimed in any civil cases brought by people harmed by the disclosure. In this instance I would imagine a couple of ambulance chaser lawfirms have downloaded the lists and are currently approaching potential clients in a class action case.