How a BitTorrent Tracker Owner Hides from the MPAA/RIAA
Written by enigmax on February 06, 2008Apart from The Pirate Bay guys, most tracker administrators are acutely aware of the risks they expose themselves to, and do everything they can to hide in the shadows. We speak to a tracker owner to find out the kind of measures these guys take in order to protect their identities.
In most countries around the world, the legality of running a tracker is still uncertain, in that definitive court decisions have not been made. Even in the US, the last two big trackers to be shut down – LokiTorrent and EliteTorrents – weren’t shut down by a court, but thanks to the mainstream media, public perception is that these sites are operating illegally. The lawyers of the MPAA, RIAA and IFPI maintain they’re illegal so that’s often enough to cost an admin – if his identity is compromised – lots and lots of worry, and probably money too, regardless of his status under the law. It seems that being an admin these days is more about keeping an identity secret rather than acting within the law, as more often than not, old fashioned threats take down torrent sites, not legal action.
TorrentFreak spoke to the admin of a BitTorrent tracker to find out how he stays safe, not sorry.
Introduction
“I’m fairly paranoid and I find that’s a good start point” he told us. “I’m probably overly cautious, but if that’s what it takes for me to sleep right, that’s cool. I’m nothing special and not a huge target but I don’t leave much to chance, even though I don’t have much to worry about compared to the really big boys. I don’t claim to be an expert on security, I’m self taught only, but I’m happy to share my precautions with you (and happy to hear from others on where I need to improve!). I know of admins who run their trackers from their parents residential ISP account with little extra care at all, so any protection is better than nothing!”
Below, our admin gives a breakdown of some of the measures he takes to stay safe. Although an experienced security aware user might spot some holes in this series of measures, it’s interesting to see the lengths to which people will go to protect themselves when seemingly, others take few precautions. This article is entirely consistent with the admin’s message, but at his insistence, it has been re-written by TorrentFreak:
Identity is Everything – If you never tell anyone, no-one will ever know
If the authorities/MPAA/RIAA don’t know who I am or where I live, they can’t threaten me. When I’m working on the site I use either an encrypted connection via an Internet connection available in these premises (my name isn’t on the bill, adding another layer of confusion), or a secure VPN over a local open wireless network. For me, hiding my activities from any ISP accounts even remotely linked to me is important, as I don’t want any ISP to be able corroborate anything specific about what I do. If approached by a 3rd party for information (with a request like “can you confirm that such-and-such connected here at XX:XX time”, for example), they know little or nothing about what I’m doing, throwing any gathered evidence into doubt.
I think the recent OiNK bust was quite a wake up call. I for one was laboring under the misconception that copyright issues are mainly civil and I really only thought through evading civil actions. Once the police get involved, they can find out pretty much anything about you from anyone. Thanks to what we learned about the OiNK bust, my improved security measures should save me from the police too, in the small chance they are interested in a relatively small fish like me.
Registering a Domain
The WHOIS for the site’s main domain is protected, for that added layer of annoyance, although even this isn’t foolproof. Our main domain name isn’t owned by anyone who has anything to do with the site, so it’s pointless threatening that person, even if they find out who it is. It might not stop them making threats so just in case the domain owner complies, other domain names point to our server too and every user is aware of these. None of the domains are owned by me.
Paying for Stuff Online
When we need to pay for something we use disposable credit cards, and the same via PayPal. We also have a few other PayPal accounts scattered around which we run unverified, then dump when PayPal start asking questions. ‘We’ is a term I (we!) get into the habit of using often, it’s less focused than ‘I’.
Using Email
Use a few varied accounts and try not to ‘cross contaminate’ them by doing *any* personal stuff on them at all – site business *ONLY*! If your email address typed into Google returns results other than to do with the site, you are taking risks. Ideally a search would produce nothing at all. In addition, I always hide my IP when I pick up or send email.
Security When Using Other Sites
They’re not, but I act as if all file-sharing forums are insecure. I work on the basis that someone on the staff could be a security risk so I make a policy of never discussing site business on other sites, unless I’m asking general questions. I’d certainly never say “I’m the admin of etc-torrents, hi!” on an open forum and wherever possible I use other aliases.
Find a good host you can trust who doesn’t ask for much verification of identity
Our site has had a few hosts since it began a few short years ago. The first was a friend of a friend of a friend who accepted us with no formal contract or ‘paperwork’, paid from any old PayPal account. For a while we just got users to donate directly to the host which meant I didn’t need to get involved at all. The second and third hosts were people who had established (anonymous) reseller accounts with big ISPs. As long as they got their money, they didn’t ask any awkward questions like: ‘What’s your name and address and credit card number?’ I communicate with any host using disposable email addresses (or something like Hushmail) combined with some sort of anonymizing system previously mentioned. I guess even more precautions could be taken, but time is time and we all have to do some productive work in the end!
Server Location
I would never choose a host in my own country and I’d never put a server in a country where my worst anti-piracy enemy is located, the legal wheels turn too easily. But if the wheels do turn really easily and your host hands over your personal details, you will have been clever enough to make sure that they never had the correct information in the first place. Pay your host on time and be a good customer, you need him onside.
Online Identity
Ok, so I may be a proud super admin (j/k!) but I’m not too keen to spread my nick around carelessly or needlessly. I try to resist the ego trip, even though it can be fun using your ‘power’ to get stuff you wouldn’t normally have access to! Remember, even online nicknames can be a source of identification over time. In my opinion, any admin who features himself on Facebook or MySpace in a way that could be linked back to his torrent activities, really needs a psychiatric evaluation. But I know of a couple who do and so far, they’ve survived. Maybe I’m crazy, and they’re all sane. It’s possible!
Security on the Site, Choosing and Dealing with Staff
Any logging on the server or control panel info excludes staff members details, so a rogue moderator with a grudge can’t get any useful information, should someone try to make it worth their while to provide it. No-one on the site knows anything really useful about me, even within my own team. None of us have ever met in real-life, but I make it my business to learn as much about them as possible, just in case. The very closest people to me on the site know my first name, I guess that’s ok?
Wrong!
I never let anyone know anything important about me, no matter how small. Small clues can easily add up to answers when put together like a jigsaw. Let people think they know your real name if you like, it’s functional and no-one really gets hurt. For the survival of the site I believe it’s acceptable for me to lie about my country of origin, my age, marital status and even my sex, but beware, pretending to be a girl will get you LOTS of attention! Look after the small things and everything else looks after itself.
It’s also a good move to encourage my staff to be security conscious too but I don’t force my regime onto them. I find that when choosing staff it’s best to never let people with inflated egos get close to you - they tend to have big mouths too. They generate tension and trouble and YOU will become a target with their boasting and trigger happy attitude. I like quiet, considered staff because i’m paranoid!.. but this style doesn’t suit everyone.
Try making other forum accounts and act like a normal user on them. You’d be surprised at what people will tell you about your own site that you didn’t already know when they think they aren’t talking to anyone important.
Site Donations
Anonymous PayPal accounts (or in a 3rd party’s name) are completely desirable. Although I suggest a level of transparency in showing users how much money in donations are received, making these records public provides a level of evidence of financial income to the site and you just know that this would be used against you at some point, should the shit hit the fan. If you know and trust your host, why not let users donate directly to him?
Don’t Break the Law!
Running a tracker is a gray area in most country’s laws but I try to stick to some basic guidelines to not show blatant disregard for things that are surely illegal in most places. Under no circumstances would I seed any copyright works on my own tracker. I saw an admin recently who had uploaded 4tb of warez and was showing off his stats for all to see. Why take the risk?
If you get a DMCA type takedown request, take the torrent down! The Pirate Bay guys are going crazy at me now I guess (they’re entitled to hold their own style of course!) but I see no point in doing anything unnecessary to annoy copyright holders, especially us small guys who don’t have many resources.
Do unto others as you’d have done to you!
Try and make good contacts at other torrent sites as they can be a valuable source of information. Try to stay out of conflict with others and be known as a problem solver, not a problem maker. A good reputation is a must to maintain admin karma ;) No-one wants online enemies, especially in huge numbers! People with a grudge and keyboard can really fuck you up. Don’t badmouth people to others unnecessarily – you have no idea who they know, who they might tell and what it could lead to.
A few basic tips to hopefully keep the right side of the law
1. If you can’t be identified, they can’t do anything against you personally.
2. Always respond to proper takedown requests. Be courteous, don’t make enemies.
3. Never seed anything yourself and don’t operate a seedbox. If others operate them on your tracker, that’s up to them.
4. Don’t run any kind of pay-to-download service unless you like police attention.
5. See 1
Final Thoughts About Being Anonymous
Being as anonymous as I can is a must for me and it helps me feel safe. It’s probably already past a healthy stage and it does have drawbacks. A few of my staff I love, I really do, they’re great guys but I can never let them know my true identity, which is sad for me because maybe we could become more to each other than just text on a screen. If I thought even one person knew who I was, my confidence in security would fall dramatically.
Being anonymous can be a quite lonely experience as you struggle to keep the very things that make you an individual, private, while constantly having to view people that probably don’t deserve it, with suspicion. But in the end you gotta keep the torrents going, so it’s all good.
Previously: Pirated by iTunes, Artist Turns to BitTorrent
Next: The Pirate Bay Interrogations
121 Responses
Pages: « 1 2 3 4 [5] Show All
hey I’m not going to pay inflated prices on shit so “artists” can get their coke fix.
Piracy exists for graet justice.
#89 keo. Your so cool!!!…except not. (faggot)
[quote comment="283010"]pffft amaturs[/quote]
Pffft! trolls who can’t spell
@Plump Gelfling
Do you really think they are gonna get a name from some grainy video footage, not to mention they would need some valuable airtime on public tv to get a name which would be worthless for such a small offence. plus do the prepaid cards have serial numbers linked to the purchase id to find the time and date associated with it?
Im in jail because I didnt read this sooner. Stupid Cops. I went to the internet cops and told them someone was threatening my Torrent tracker site and Im going to court now.
[quote comment="282986"]Going through so much faff to hide you’re identity is tantamount to an admission of guilt if at any time someone does decide you are a worthwile target to persue. “I know what I’m doing is wrong so must take all any any steps to hide who I am”, basicaly the internet’s equivilent to a ski mask. Travker administrators who are of the opinion that what they are doing is legal have no objection to using their real names, becuase as far as they are concerned their activities are legitimate. If you believe that there is nothing wrong with bittorrent, stand up like a man, dont be a cloak and dagger super secret agent wannabe pussy about it.[/quote]
What an ignorant statement. Hiding from legal entities somehow equaling ‘guilt’ is untrue. Here let me ’stand up’ so I can level with the barrel of your gun, even though I could care less who you are holding the trigger or whether your pulling it is even justified.
What a retard.
Troy Anderson and Mike Kotter are pirates! yarr!
Thanks for the tips mate, I’ll probably need them really soon!
Reminds me of James Bond.
You guys are so dedicated.
fucking cheers to that!
alllotta work but thanks some1 gotta do it and besides things arnt gonna get easier over time. the farthest away from radar the betterbut as long as u stay small u should be good
man posting two posts in 45 min is too fast and my first was supposed to be up apprx 1minute? hmmm…. Help Im stuck in a time warp!
None of this really matters anyway, really what would they do if they caught you? They would take away all your toys and say “No no!” then maybe put you in time out, where you they give you other toys and bunch of friends to play with. You did say you were lonely right? And while you are in time out you could write a book or two on your experiences so others could try an become like you. You could make a small fortune the “old fashioned” way and buy a bunch of new toys once you get out of time out. Not to say that being paranoid and a super spy isn’t fun, cause I am a super spy and I always have fun. If I were to guess your “true” identity, assuming you’re a real person not just some made up character of the author of this article Id say you were associated with torrentportal ^_^ either way Kudos to this article writer I found it extremely entertaining to read about personalities that could be as crazy if not more so than my own.
Thanks again,
Adam
lookit that three post in a row Im on fire!
*_* hahahahah ^_^
More soup please!
Hey thats my spoon give it back!
Bad monky! Bad! I told you to stay out of my KY!
love love love
fuck fuck fuck
shit shit shit
rinse lather repeat….. mmmm…. lather….ahhhhhh…
I agree, these guys are risking a lot on our behalf. A big round of applause for these guys. though you know somethings wrong when guys like this half to risk their necks so much to avoid slaughter from the media. Again big round of applause for these guys a boo for shallow public opinion
this topic for test car
Probably the most intelligent sysadmin I’ve ever read words from.
Keep it up my man!
3 references to this post
Pages: « 1 2 3 4 [5] Show All
Responses are closed
All remaining responses will continue to be archived. Use the TorrentFreak forums if you want to discuss something.