My I (possibly) be the first just to say...
Hackers have uploaded a leaked database of emails from anti-piracy law firm ACS:Law onto P2P networks and websites. ACS:Law was among a handful of entertainment industry-affiliated organisations to endure denial of service attacks by the denizens of 4Chan last week. A loose-knit collective of members of the notorious message …
I wouldn't bother with the Information Commissioner's Office if I was them.
By their own admission the Information Commissioner's Office doesn't do anything other than help the offender not make the same mistake in the future.
They do not prosecute. Even if the law has been broken.
They are toothless and should be on the list of useless Government organisations to be scrapped.
Privacy law won't say anything as they don't exist in the UK, either on statutes or in common law. There's the Data Protection Act, which is fairly toothless, Article 8 of the ECHR (covering "protection of private life... and communication") but that would involve an action being taken against the State, so not really helpful, and then there is "breach of confidence" which might work against whoever had set up the website.
As for people not wanting their details to be there... it doesn't really matter what the people want - the details were there because ACS Law asked a Court to hand over the details and the ISPs didn't bother to fight.
The hacking part was in trashing their server in the first place, requiring the subsequent restore from backups. Someone predicted that those doing the restore would be a bit panicked and might forget some precautions during their rush to restore service - and that prediction proved to be accurate.
Not good for those they poor 80 year-olds, who don't even know how to turn a computer on, who are "suspected" of downloading hardcore gay porn is it!
So I will mark them down for that, but they get top marks for getting hold of the idiot who runs the firms emails and for attracting the attention of privacy groups and hopefully the Information Commissioner!
Paris, 'cus even she aint this loose lipped!
"Big whoop. It was only down for a few hours. I have far more concern over the fact of my train turning up 10 minutes late or having to queue for a coffee than them wasting my time with this sort of rubbish." - Andrew Crossley, ACS: Law
I wonder how concerned he is over his coffee queue now.
it's just complete user error. the information commissioner should bust their balls. this is not a hack they just posted all this info to their website.
I'm actually hosted with the same company, also on a shared server, though i guess it's the same for all cpanel.... the only reason for the full backup to be in public_html is if you're too lazy or stupid to move the backup folder from the home directory by FTP and just stick it in there to download via http.
i have done this myself in the past.
Previously on El Reg re the recent DDoS attack on ACS:Law:
'Andrew Crossley, the head of ACS:Law, told The Register the attack was "typical rubbish from pirates". "Big whoop," he added.' '"...I have far more concern over the fact of my train turning up 10 minutes late or having to queue for a coffee than them wasting my time with this sort of rubbish."'
To quote Nelson Muntz: "HA HA!"
Yes, it really has to be stated very loudly that the leak of these emails was nothing to do with any kind of hack in any instance, ACS:Law published a copy of their unencrypted backup file in a public area of a public server.
This is not a hack and has nothing to do with hacking or cracking in any way
ACS:Law published their archive
Many places this story is being told are having trouble keeping the dDOS (which is not a hack in any case) seperate from the leak of the emails
C'mon get it right, in any event, if these emails had been stolen from a 'secure' are of the site it still wouldn't be a hack, it would be a crack.
One day, someone somewhere in the media will understand these differences, though I'll not hold my breath
"C'mon get it right, in any event, if these emails had been stolen from a 'secure' are of the site it still wouldn't be a hack, it would be a crack."
Meh, you coulda been a contender, up until that bit
Hack, crack, schmack. Get over it already. "DarkNerd" ? Snark. What is this 1982 ?
For the pedantic record though, the DDoS attack appears to have mostly been carried out by volunteers using a point and shoot DDoS toy with the rather racy and exciting monika "Low Orbit Ion Cannon" (LOIC), which amongst it's many features offers the user the ability to slave their running instance to a controlling IRC chan in order to become part of a voluntary botnet.
Amusingly, this is apparently known as "Hive mind mode", or some such. Gotta love those skiddies.
you seem to have commented on the wrong story, you need this one:
The DDoS is nothing to do with an unencrypted backup of emails being placed into a public area of a public server for any member of the public to download by clicking on a link
This is brilliant. I despise ACS:Law (I even despise the firm's stupid name) and I am absolutely delighted to see Andrew Crossley being forced to eat his words (how's the coffee now Andy) and to see his name further dragged through the mud.
How bad does someone have to be that even lawyers are ashamed to be associated with him. Nothing too bad can happen to Andrew Crossley and anyone associated with him.
...by being forced to limit the damage, Mr Crossley has gifted *anyone* who receives one of his firms extortion notices a perfect defence.
"All our evidence does is identify an internet connection that has been utilised to share copyright work," he told BBC News when pressed about the BSkyB database.
"In relation to the individual names, these are just the names and addresses of the account owner and we make no claims that they themselves were sharing the files,"
Now he *has* to say this. If he were to say anything to the contrary, then he would leave himself wide open to claims of libel from anyone one the list. However, if ACS:Law were to pursue a case as far as court (not that that will ever happen, as they would be scared of losing their gravy train) then any defendant simply needs to quote this, and ask ACS:Law to provide the *further* proof of who *did* share the files.
........just how much value these IP addresses seen 'in the swarm' have when most bit torrent clients will allow you to send any IP address you like to the servers.
How can they prove that any one IP address was actually sharing anything and not being spoofed by a skilled and unscrupulous hacker.
I mean this hacking thing is obviously very difficult and needs a lot of skill. These criminals are everywhere.
And a lot of free beer for Anonymous.
' "In relation to the individual names, these are just the names and addresses of the account owner and we make no claims that they themselves were sharing the files," he added. '
So basically this piece of slime has personal records from another company, on that company's customers, for no reason whatsoever? He's scum and so are Sky for letting him keep them, most likely after he asked a mate of a mate for the list! Glad I dumped Sky 3 months ago and went back to Virgin.
I never download movies, bongo-flicks or normal, if I get a nasty demand, Mr Corssley can go stick his head up the nearest cow's backside!
mmmmmm; backing up email archives to a webserver...
Can we have a 'What Could Possibly Go Wrong?' icon, please?
(to be applied when, say, using a torrent to acquire the digital data of a law firm which makes a living by tracking down people who have used a torrent to acquire digital data; WCPGW?)
I've seen some all-in-one hosting sites that put the maildir directories in a customer's file area, 1 level up (so you'd have 2 dirs, mail/ and httpdocs/)
if someone did a total backup and then stuck it in the wrong place... they'd still be total idiots, but at least it would explain what the emails were doing on the server in the first place
How the data escaped - was it "hacked" or was it simply "found" isn't really the question here. What on earth was the company doing storing internal documents on the same server that hosts their web site. I hope that the ICO looks into it deeply... not that the ICO ever does much.
ACS should have been a little slower to mock and claim 'no damage' from the recent attacks. If the ICO fancies rebutting the "toothless waste of space" tag by exercising his shiny new powers, this breach would be the one to do it with.
Couldn't have happened to a more appalling business.
Jesus... Language changes! Hacking *is* the correct term for exploiting security deficiencies because that's how language has changed to define it.
If you don't believe me feel free to walk up to a bunch of delirious football fans post-match and exclaim how gay you think they look....
In a BBC article Mr Crossley said to them "The business has and remains intact and is continuing to trade"
It strikes me that a company that deals with alleged internet copyright infringement should have a working website...
The articlealso says the ICO can't put them out of business (boo!) but may fine them £500,000 which is a real reputation damager. I think the leaked emailes provided the coffin and the fine may just be enough for the nails in the lid.
they'd make it half a million per breach. So that's the original 5000 Sky customers, plus the 8000 on the second list and the 500 BT customers.
That'd be £6,750,000,000 please.
It might not fill the black hole of debt in the economy, but it would let Lewis have his two carriers with electric catapults along with enough F-18's to blot out the sun.
Reading the comments, it looks as if the server was not actually hacked, but some dummy dumped the file into public_html where it was then visible to the world at large.
Given ACS:Law has something of a history of inventing truths, would it not be viable to suggest that *NO* hack actually took place, and that by placing said file into public_html, it was purposefully *published* to the public domain?
PS: Hasta la vista, baby...
Even better news (unless you're Andrew Crossley) - from the DPA :
55A (1)The Commissioner may serve a data controller with a monetary penalty notice if the Commissioner is satisfied that—
(a)there has been a serious contravention of section 4(4) by the data controller,
(b)the contravention was of a kind likely to cause substantial damage or substantial distress, and
(c)subsection (2) or (3) applies.
(2)This subsection applies if the contravention was deliberate.
(3)This subsection applies if the data controller—
(a)knew or ought to have known —
(i)that there was a risk that the contravention would occur, and
(ii)that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but
(b)failed to take reasonable steps to prevent the contravention.
It's enough to show that they ought to have known, and failed to take reasonable precautions.
As to contravention, Principle 7 (Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data) seems fairly straightforward to show.
Given that the statute uses the term contraventions it would appear that it falls under administrative law, making the standard of proof "on the balance of probabilities" (i.e. 51%). Hardly difficult in the circumstances.
Whilst I don't have any sympathy for the folk being badgered by ACS as far as the badgering goes, I fully inderstand their distress at the (prima facie) illegal sharing of their personal data. Hopefully the ICO will finally grow some bal...err hit puberty and do the job Parliament gave them. I don;t see a £500k charge, but anything under 6 figures would seem absurd.
the court orders require BT etc to supply the data in encrypted form on CD or other media, presumably to minimise chance of loss, ... then this bunch of clowns go emailing the decrypted pain text about too and from between gmail and shared-server-hosted email accounts for gods sake... Why the hell didn't they at least have an in-house mail server for this sort of thing?
There are numerous instances of innocent people being wrongfully accused by ACS:Law, who have been frightened into paying up for something they didn't do.
Regardless of whether you take the moral high ground on piracy, Crossley's scattergun approach and bullying tactics have earned him all the trouble he's now suffering.
There's a nice Thunderbird Portable-included version floating about too. Makes it easy to browse :-)
Among the information included is the bank details for ACS Law client account ...Now we all know there is absolutely no danger of anybody misusing them to, say, make charitable donations..
Biting the hand that feeds IT © 1998–2019