Major torrent sites are currently exposing details of their operations? (torrentfreak.com)
120 points by HieronymusBosch on Jan 4, 2023 | hide | past | favorite | 71 comments


None of these are major (private) torrent sites, torrentfreak is just hyping up bullshit as usual.

Just looking at the filenames makes it obvious that these can’t be from any major private tracker, there’s no way BTN or the likes would accept these files.


What about the filenames tells you that?


The fact they're XviD, no respectable torrent sites have allowed those encodes in well over half a decade.


I must be using all the wrong torrent sites :-)


I think people are not understanding this story. This is a story about trackers who share content between them, not about users. The semi-open management panels expose networks of people who are working with each other to do something that is legally frowned upon.


> Another screenshot featuring a torrent related to a 2022 movie reveals the URL of yet another third-party supplier tracker. Some basic queries on that URL lead to even more torrent sites. And from there, more, and more, and more – revealing torrent passkeys for every single one on the way.

What is this torrent passkey used for? My understanding is that torrent trackers were all about sharing peers. You want tracker info to spread. I'm not understanding what this vulnerability exposes.

Edit: It looks like it's actually explained earlier:

> One begins with a GET request to another tracker, which responds with a torrent file. It’s then uploaded to the requesting site which updates its SQL database accordingly.

> From there the script starts checking for any new entries on a specific RSS feed which is hidden away on another site that has nothing to do with torrents. The feed is protected with a passkey but that’s only useful when nobody knows what it is.

> The same security hole also grants direct access to one of the sites tracker ‘bots’ through the panel that controls it.

So I think the issue is that keys to authorize control of the automated software that propagates tracker info are being leaked. It sounds like the end result is someone can write spoofed or spam info into torrent trackers.


Some torrent sites have ratios, eg you must upload as much as you download. The passkey allows the tracker to keep track of what you've uploaded and downloaded for your ratio.

These torrents also have peer discovery and DHT disabled on private trackers.


Whatever, I was never a fan of private trackers anyway. The whole point of P2P is that its power scales with more users.


This is not correct, swarms on good private sites are way better than on public trackers.

With real world torrent clients, you’d much rather have a swarm with 100 dedicated servers on 1gbps+ connections than a swarm with a million Indian residential connections.


Sure, but why not have 100 dedicated servers and a million residential connections? Potential upload bandwidth is strictly larger.


Because your torrent client will never find those dedicated servers, and instead wastes all of its connection slots on the Indian residential connections.

Also because there’s no incentive for anybody to seed public tracker content on servers. Your host will get abuse reports and you will not be rewarded in any way, on private sites you won’t receive abuse reports and you have to seed in order to maintain access.


Public trackers are the slums where people shit in the streets. You don't want to walk there and look for the things you want.

Private trackers are the communal libraries where enthusiasts work hard to improve the collective archives. They sort out the people who cannot behave and the whole experience is a lot better: rules regarding organization and filenames etc are being followed, tags are added so that you can search efficiently, requests are filled, quality is ensured, holes are plugged, people don't upload duplicates, you'll find help and exchange in forums about the tracker's topic etc etc, all because it's a private club which includes the possibility that your membership ends if you pee into the kitchen.


> communal libraries where enthusiasts

No, it's private libraries closed to the broader community. The millions of Indians in the aforementioned comment are precisely the people who'd benefit most from free flow of information, but they're excluded. This is like setting up a premium subscription library to keep poor people out - the "slums" are precisely the people who benefit from a public library the most. Tagging and removal of duplicates can be done without making a tracker private.

Public torrents have been plenty fast enough for me, I'm not sure why people are complaining. Maybe they're not sophisticated enough to up the connection limits on their torrent software, which is why slow peers are hampering their speeds.


> This is like setting up a premium subscription library to keep poor people out - the "slums" are precisely the people who benefit from a public library the most

With those people come automated abuse reports and law firms trying to collect money from downloaders.

> Public torrents have been plenty fast enough for me, I'm not sure why people are complaining. Maybe they're not sophisticated enough to up the connection limits on their torrent software, which is why slow peers are hampering their speeds.

Are you using a gigabit connection? If not, it’s not too surprising that you would not notice this.


With private trackers, aren't you also 1 successful penetration or website breach away from exposing your history?


Private trackers are small, uninteresting targets.

Even the big private trackers have fewer users in total than you can find in individual public swarms.


"Community" means different things to different people. Your definition seems to include every human on earth, I don't.

> This is like setting up a premium subscription library to keep poor people out

No, it's not. The content is still redistributed to the public trackers. It just avoids the American idea that public libraries should also be homeless shelters.

> Tagging and removal of duplicates can be done without making a tracker private.

You'd have to massively increase moderation, and you'd constantly remove and change torrents which would disrupt the swarm. It's not useful.

> Public torrents have been plenty fast enough for me

I don't care about the speed. I care about the quality.


So how do we reason about rutracker, a site not as glorious as some of the true private trackers, but certainly not a slum like many of the public trackers?


The same way we'd speak about PLAB: runet is different. I don't know why, maybe it's the language barrier and relying on Google Translate is enough of a resistance so the English-speaking masses go elsewhere.


Not sure what PLAB is...?


presumably pornolab


Not if all of those peers download their "free" movie then disappear. Compare the number of orphaned torrents on something like TPB to that of a private tracker. Private community allows rules that incentivise behaviour that allows the community and its content to persist long term.


I hate private trackers, but there is no denying that in terms of both seeding sustainability and higher quality (or rarer) resources, they're miles above "public" trackers.


Seeding sustainability is contradictory in a lot of private trackers. The mandatory seed ratios are such that I often create new accounts just to download the torrents seeded by my main account to keep my ratio up. It's super easy to screw yourself by downloading a torrent nobody else wants to download, and thus lowering your seed ratio.


You must be on some garbage trackers if you're getting away with multiple accounts. On a good tracker, there will be good freeleech options you can use to build buffer.

I'm also not sure if you mean global ratio, or ratio per download. If you mean the latter, the majority of trackers will also have a minimum seed time you can hit instead of a 1.0 ratio.


> You must be on some garbage trackers if you're getting away with multiple accounts

Idk, I just always cheated when I was close to coming to my DL limit.

https://github.com/NikolayIT/RatioMaster.NET


It's pretty simple, you just need to make sure your alts use a different referral code from your main. Also use a different VPN region.


Yes, I'm aware how easy it is to cheat. Any private tracker worth its value doesn't allow browsing the site using a VPN.


Why hate private trackers? That’s where all the good quality content on public trackers comes from.

Without private trackers, it’s not obvious that anyone would have bothered to extract Widevine keys and set up decryption pipelines for all the streaming sites. (So far zero scene groups seem to have achieved this)


> Without private trackers, it’s not obvious that anyone..

The piracy scene (with 0-day FTP etc.) worked fine before BT was even well-known.

And there are more than enough groups directly releasing their content on public trackers for anything remotely popular (any Netflix series falls into this category). You (or they) don't need PT for that.

PT is kinda essential if you're interested in obscure/niche content though, I agree.

I hate private trackers purely due to (my personal) value. I think it's a violation of "piracy spirit", and it somehow enables lots of people/groups' superiority complex or unnecessary gatekeeping behaviors (emphasis on "unnecessary": I know by definition it's not gateless).

But I do acknowledge it's probably the most practical way nowadays.


> And there are more than enough groups directly releasing their content on public trackers for anything remotely popular (any Netflix series falls into this category)

Name one! Or link a torrent. I’m pretty sure you will only find shit quality webrips made with capture cards and not actual decrypted streams.

> The piracy scene (with 0-day FTP etc.) worked fine before BT was even well-known.

The TV scene has been reduced to nothing because none of the groups could figure out Widevine. Just look at any pre feed.

Private tracker groups did though, and now everybody depends on them.


Dude, you totally overestimated how hard cracking Widevine is.

It's not exactly "trivial", but extracting an L1 key from an Android phone running an older Android OS version isn't rocket science either.


Dude, I know exactly how not hard it is because I have done so.

The fact remains, zero scene groups figured this out.


They have, but it’s just not interesting. Similar to how the p2p scene doesn’t give a damn about software DRM.

Regarding WV: There is actually lots of open source software and even some discords where WV keys are being shared. FFmpeg is capable of decrypting it, so all you need as ffmpeg inputs is the Netflix stream and a key and then dump it to disk.

Regarding pita DRM: the scene is the only capable group who still supply clean patches for modern DRM in games and applications. (Like denuvo)

Clean in the sense that they don’t just install a hypervisor and hook everything for big performance penalties, but actually patch the binary to remove the checks through static analysis. 3DM is the last p2p group I know which has done that, but that was half a decade ago. I don’t think there are currently any p2p groups which take a look at this, because it’s just not interesting (effort vs reward) for them.


Software pirate groups you are talking about have very little overlap with people who were doing TV releases.

> They have, but it’s just not interesting. Similar to how the p2p scene doesn’t give a damn about software DRM.

But doing HDTV caps was interesting?


it is 'Widevine'


EPSiLON, SiQ


It’s pretty late, so I might be missing something. However, neither of those groups seems to be releasing Netflix content?

The first does bluray remuxes on HDB (a private tracker). I don’t think they directly release anything on public trackers.

The other did a bunch of 360p porn uploads in 2019.


They might mean SiGMA not SiG, SiGMA releases on PrivateHD. EPSiLON used to also, but there were some issues between them and PHD and they are currently releasing on TorrentLeech I believe. SiGMA does Amazon/Netflix WebDLs, but EPSiLON only does BD remuxes.


> it's a violation of "piracy spirit"

wouldn't private trackers be more aligned with the original piracy spirit? They are just a group of people who knew each other and shared stuff.

Public trackers are actually more against the spirit of piracy imho - which has turned into publicly broadcasting content without the expectation of reciprocity.


Different people have a different understanding of what the spirit should be like. With this said..

> just a group of people who knew each other and shared stuff.

I wish! The thing is, private trackers are not like that, at least not anymore. It's more like a bunch of people trying to show who has the biggest e-penis (ratio, highest upload, etc.); and they're definitely not "friends" or know each other. I was heavily involved in the PT scene for a while 15 years ago, and really hated how big the egos and how many the dramas were there. Now I just lurk.

To me, the best way, or the "spirit", is that you either share it with your friends only (which is what I typically do nowadays if I buy the stuff myself), or just publish it publicly (ideally anonymously), rather than only to some condescending pricks which somehow think being able to download "exclusive" content others share is a bragging right.

FWIW, this is basically how eMule and most Japanese P2P software worked, so it influenced me a lot. There is zero gatekeeping; once you share, the files are no longer "yours". People can't even tell who published them.

But again, that's just my value, and I keep it to myself. I totally see how this is not enough incentive for others to "share" their stuff.


> It's more like a bunch of people trying to show who has the biggest e-penis (ratio, highest upload, etc.)

Literally nobody cares about that stuff anymore, most members have been on these sites for so long that things like ratios have become utterly meaningless.


Lurkers of course mostly just silently download without causing drama. But there are enough people stirring shit especially among "elite" uploaders and mods.


From my perspective as a torrent user not in "the scene", scene releases are usually trash tier and stuck in the '00s. Poorer visual quality encodes, and rules that dictate ludicrous behaviour like making the files a multi-part RAR then putting each part inside a ZIP.


Yeah I agree "the scene" is already an outdated model. Just that there was a way before PT.


> Why hate private trackers?

They force you to create accounts and hand over personal info that can get you busted later when the site gets raided, or just silently handed off to the authorities who run it themselves for a time collecting data to go after the pirates later. Now they've got logs of your username, possibly your password, the email address you signed up with, and lists of every IP address you've used and when, interview questions/answers, detailed records of every single file you've ever downloaded/shared. It's gotten people caught many times.

A tracker/website shouldn't know anything about you other than the IP address of the VPN you're using (which should change every single time you connect) and whatever information they can collect from your BitTorrent client and the locked down dedicated browser you're using whose fingerprint should also change regularly. No logins/accounts. No need to have your download/IP address history tracked and tied to anything that could point back to you. Ideally the site you use shouldn't even know what files you're downloading since you should be able to simply copy the magnet link instead of clicking on the names of the files you want or downloading torrent files from the server.


> They force you to create accounts and hand over personal info that can get you busted later when the site gets raided

What tracker forces you to hand over personal info?

> just silently handed off to the authorities who run it themselves for a time to go after the pirates

This has literally never happened.

> It's gotten people caught many times.

MAFIAA groups don’t even bother to sue private tracker uploaders anymore, what do you mean by “caught”?

It’s like as if your comment was coming from a parallel universe where industry groups hadn’t stopped giving a shit about private trackers a decade+ ago.


> What tracker forces you to hand over personal info?

Every one I've ever seen. At a minimum they'll want an email address or to chat with you on some service like discord that requires a sign up. The process leaves breadcrumbs everywhere.

> This has literally never happened.

It absolutely has. It usually happens after the site operator has been identified. They offer reduced charges if the site operator agrees to continue to keep the site running like normal while they collect the data. When it works according to plan, you won't ever hear about it. The site just eventually shuts down one day and the people busted with the data they collect are contacted directly. Sometimes it gets out though. For example: https://torrentfreak.com/torrentspy-ordered-to-spy-on-its-us...

> MAFIAA groups don’t even bother to sue private tracker uploaders anymore, what do you mean by “caught”?

This is also dead wrong, lawsuits still continue to this day against uploaders, but the vast majority of them never make it to a courtroom since the person they caught is usually forced into settlements, the terms of which are rarely disclosed to the public, but nearly always involve paying large sums of money and an admission of guilt.

Their main focus isn't on targeting uploaders because they now know they can get billions from suing ISPs, but these site raids are huge wins for them and they aren't turning down opportunity when it lands right in their laps.


> Every one I've ever seen. At a minimum they'll want an email address or to chat with you on some service like discord that requires a sign up. The process leaves breadcrumbs everywhere.

It’s kind of trivial to get a throwaway email address, no? What tracker uses discord? All the big ones use IRC.

> When it works according to plan you won't hear about it, but it doesn't always. For example:

Your example is a very public lawsuit by the MPAA against a public tracker? Anyone with PACER access would see this.

> This is also dead wrong, lawsuits still continue to this day against uploaders

Give an example?

> but the vast majority of them never go to court since they're forced into paying settlements, the terms of which are rarely disclosed to the public.

Nonsense, they just ask you to sign a paper saying you won’t do it again. For example this guy, one of the most prolific BTN uploaders https://torrentfreak.com/pirate-release-group-ntg-shut-down-...

They just politely asked him to stop, that’s all. They won’t demand money from you unless you’re making a profit.


> It’s kind of trivial to get a throwaway email address, no? What tracker uses discord? All the big ones use IRC.

Different sites use different means. You can create a throwaway email address, but it's just one more data point.

> Your example is a very public lawsuit by the MPAA against a public tracker?

If the site operator agrees to keep the site up while data is collected there is no court order. Every site operator who gets raided ends up facing some legal consequences but the details of the deals they work out with the industry are not made available to the public.

> Give an example?

https://www.cashmanlawfirm.com/list-of-strike-3-holdings-cas...

Outside the US lawsuits continue as well (examples): https://www.mosshacheylaw.com/blog/movie-producers-suing-can...

https://www.canadianlawyermag.com/practice-areas/intellectua...

https://torrentfreak.com/torrent-site-user-who-transferred-1...

> They won’t demand money from you unless you’re making a profit.

Not even remotely true. Please don't assume this. I'm aware that they have made exceptions in cases where people were literally impoverished but fines are typical in settlement offers.


> https://www.cashmanlawfirm.com/list-of-strike-3-holdings-cas...

This is about people downloading torrents from public trackers. These law firms do not care about private trackers, there is more money to be made on public trackers.

What these law firms definitely don’t care about is going after uploaders, that would obviously ruin their business model.


> This is about people downloading torrents from public trackers.

No, all lawsuits are about uploading. The nature of BitTorrent is that typically every file you download is also being uploaded at the same time and it's the uploading (the unauthorized distribution of copyrighted works) that gets people in trouble, not the downloading.

As I said, they're very much still suing people for uploading. Public trackers are the low hanging fruit, but when a private tracker gets raided they'll jump at the chance.

> What these law firms definitely don’t care about is going after uploaders, that would obviously ruin their business model.

The RIAA/MPA have zero concerns that they're going to run out of people to sue. It will never happen. Their goal however, believe it or not, really is to try to slow down internet piracy though. Right now, their largest cash cow is at the ISP level, where they intend to force ISPs to permanently disconnect pirates from the internet and never allow them to have another account after nothing more than repeated and unproven claims that an infringement took place. If they wanted pirates to continue so they could drag them into court rooms they wouldn't bother with these "repeat offender" suits which will effectively cut people off from the internet entirely since people have limited options for ISPs.


> Public trackers are the low hanging fruit, but when a private tracker gets raided they'll jump at the chance.

Do you have evidence to support this happening, or are you just speculating?

How many people got in trouble after the What.CD raid?

It’s extremely rare for private trackers to get raided, and not because of excellent OPSEC.


> Do you have evidence to support this happening, or are you just speculating?

Public evidence is hard to track down (especially quickly) since raids on private trackers are so rare and like I said almost all of these issues get solved out of court in non-disclosed settlement offers, but this isn't just speculation either. It's clear from history and what we do know that they're very much interested in user data and willing to file lawsuits:

https://torrentfreak.com/mass-bittorrent-lawsuits-now-target...

https://www.wjunction.com/threads/elitebits-private-bittorre...

> How many people got in trouble after the What.CD raid?

The damage there was limited since according to the admins all site and user data was destroyed.


> Public evidence is hard to track down (especially quickly) since raids on private trackers are so rare

And why is that? It’s because nobody cares about private trackers. It’s not like it’s particularly difficult to find the people behind sites like BTN and PTP, one of the sysops uses their reddit account to discuss the tracker, their US tech job and frequently comments in their local city subreddit.

> The damage there was limited since according to the admins all site and user data was destroyed.

Maybe true, maybe not. The servers were at OVH and seized by French LE. Perhaps they were encrypted, but I rather doubt they had any hardening against DMA tools.

But what about BCG then? That was shut down by UK cops around the same time as What.CD, as far as I know nothing happened to the users.

Also, despite what that torrentfreak article claims, Gay-torrents was not a private tracker, but a public (paid) site.

If people had started receiving letters after private trackers getting raided, there’d be plenty of forum discussions to be found. This just hasn’t ever happened.


> What tracker forces you to hand over personal info?

I've seen at least one which required you to connect using your real (non-VPN) IP address upon registration. They'd allow VPN usage after that though.


I still don't understand what's going on


Torrentfreak's writers are not very good at writing.


It’s a lot of words to say almost nothing.


There’s an exploit in the wild that can extract information from some torrent trackers.


Somehow soothing to know that organizations small and large, legal and illegal, all suffer from something getting in the way of vital security information reaching those who would act on it.


Why would ISPs bother to serve torrents and join pools to get IPs that way when they can just use this method? I wonder how long this has been a possibility... ugh


Just go to https://iknowwhatyoudownload.com/en/peer/ and put anyone's IP in, depending on how static it is, it will provide at least accurate recent data on public trackers.


Wait til you hear about the DHT!


Tracker URLs have always been plainly visible to anyone (or anything) that has the torrent file, what exactly is the news here?


That networks of trackers and their operations are being exposed in realtime. This isn't a security issue for tracker users, it's a security issue for the trackers themselves. It's very very bad, I don't know why people are making light of it. Also, the trackers have reacted and are fixing their management panel configs as we comment, so the story is accomplishing something.


Again, tracker URLs are public information. Including seemingly secret things like passkeys.

So again I ask: What is the problem? The article does a fucking terrible job explaining what the problem is.

All I can take away is that public information is being passed around in public. That is a problem how?


The problem is that these administration tools were completely publicly accessible if you knew the URL. Yes, if you've got a torrent file from a site, you know the tracker URL and (your own) passkey. The issue here is someone could get the passkey that the admin tool uses to snatch from other private trackers.

If you can't see how that is an issue I have no words that can make that more clear for you.
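The two mechanics argued over in this thread, the per-user passkey embedded in a private tracker's announce URL (raised in the ratio comment further up) and the point just made that anyone holding a .torrent file can read that URL and its passkey, as an added example that is not from the thread or the TorrentFreak article: a minimal bencode decoder that reports whether a .torrent sets the BEP 27 `private` flag (which makes clients skip DHT/PEX) and redacts the passkey from the announce URL before the file is handed to anyone else. The sample torrent bytes, the tracker hostname and the passkey-shape regex (20 to 64 hex characters) are constructed assumptions, not values from the article.

```python
import re
from urllib.parse import urlsplit, parse_qsl


def bdecode(data: bytes):
    """Minimal bencode decoder: ints (i42e), byte strings (3:abc), lists, dicts."""
    def parse(i):
        c = data[i:i + 1]
        if c == b"i":                      # integer: i<digits>e
            end = data.index(b"e", i)
            return int(data[i + 1:end]), end + 1
        if c == b"l":                      # list: l<items>e
            items, i = [], i + 1
            while data[i:i + 1] != b"e":
                item, i = parse(i)
                items.append(item)
            return items, i + 1
        if c == b"d":                      # dict: d<key><value>...e, keys are byte strings
            out, i = {}, i + 1
            while data[i:i + 1] != b"e":
                key, i = parse(i)
                val, i = parse(i)
                out[key] = val
            return out, i + 1
        if c.isdigit():                    # byte string: <len>:<bytes>
            colon = data.index(b":", i)
            start = colon + 1
            length = int(data[i:colon])
            return data[start:start + length], start + length
        raise ValueError(f"bad bencode at offset {i}")

    value, end = parse(0)
    if end != len(data):
        raise ValueError("trailing bytes after bencoded value")
    return value


# Private trackers commonly embed the passkey as a path segment (/<key>/announce)
# or as a query parameter (?passkey=<key>). The accepted shape is an assumption.
PASSKEY_RE = re.compile(r"^[0-9a-fA-F]{20,64}$")


def find_passkey(announce: str):
    """Return the passkey-looking token in an announce URL, or None."""
    parts = urlsplit(announce)
    for _, value in parse_qsl(parts.query):
        if PASSKEY_RE.match(value):
            return value
    for segment in parts.path.split("/"):
        if PASSKEY_RE.match(segment):
            return segment
    return None


def redact_announce(announce: str) -> str:
    key = find_passkey(announce)
    return announce.replace(key, "<REDACTED>") if key else announce


def inspect_torrent(raw: bytes) -> dict:
    """Summarise the fields that matter before a .torrent leaves your hands."""
    meta = bdecode(raw)
    info = meta.get(b"info", {})
    announce = meta.get(b"announce", b"").decode()
    return {
        "name": info.get(b"name", b"").decode(),
        "private": info.get(b"private", 0) == 1,  # BEP 27: 1 => no DHT/PEX
        "has_passkey": find_passkey(announce) is not None,
        "announce": redact_announce(announce),
    }


# Constructed sample: a tiny single-file torrent from a private tracker (not real).
_URL = b"https://tracker.example.invalid/a1b2c3d4e5f60718293a4b5c6d7e8f90/announce"
SAMPLE_TORRENT = (
    b"d8:announce" + str(len(_URL)).encode() + b":" + _URL
    + b"4:infod6:lengthi1024e4:name10:sample.mp412:piece lengthi16384e"
    + b"6:pieces20:" + b"\x00" * 20 + b"7:privatei1eee"
)

if __name__ == "__main__":
    print(inspect_torrent(SAMPLE_TORRENT))
```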


The article only ever talked about the contents of torrent files, so I hope you can understand my confusion.

Yes, if the management tools were open to the public when they shouldn't have been then that is a big problem.


It's about the IPT mafia, isn't it?


No, this appears to be some even less relevant (hard to imagine, amirite?) trackers stealing content from IPT.

