Pass sharing sites - To all site owners

[martinsc]

just stumpled upon this...
http://www.villainess.com/
isn't there anything that can be done about these pass sharing sites?

AFF, cams.com seem to be the main sponsors ....

[bobby666]

see the same sites hacked as 3 years ago, when i still was far away of becomming a webmaster

i think the webmasters of the sites recognice what has happened when they view their daily bandwith stats

so i ask for the reason why staceys dungeon for instance is an open site for three years?

[SiMpLe]

Quote:

Originally Posted by martinsc

AFF, cams.com seem to be the main sponsors ....

SURPRISE!!!

[martinsc]

Quote:

Originally Posted by SiMpLe

SURPRISE!!!

[Anar_j]

[Roald]

same old shit

[Sinstar]

Pass sharing sucks.

[scottybuzz]

yeh truley sucks

[martinsc]

Quote:

Originally Posted by Anar_j

what are you happy about?

[tony286]

Can we sue the sponsors for supporting people who steal?

[martinsc]

Quote:

Originally Posted by tony404

Can we sue the sponsors for supporting people who steal?

interesting question..

[themanager]

I don't think that is right we should think of a way to stop it.

[martinsc]

Quote:

Originally Posted by themanager

I don't think that is right we should think of a way to stop it.

any ideas?

[Matt 26z]

Quote:

Originally Posted by themanager

I don't think that is right we should think of a way to stop it.

You are about 10 years too late on that one.

[Dirty Dane]

Quote:

Originally Posted by martinsc

any ideas?

Organize it.
If the porn industry had something like the music industry. But I don't think it will happen

[shack]

It's how some paysites drive traffic, they leak a password, or give the webmaster one, get the site listed, get a few people in, then kill the password.

Gets impression on your members area, and further traffic to the front end once you kill the password.

It's only bandwidth

[rotterdammer]

Thats pretty bullshit what you say, there are shit loads of wordlist in different niches that contain 10.000 passwords for bangbros. Sites like BB and Nastydollars dont even seem to care about their passes being cracked.

The only way paysite owners can stop this is to get as many wordlists as possible and ban all the words for people who want to signup.

Especially the following user:pass

december:januari
abcde:fghijk
username:password

Maybe bangbros doesnt care because of the promotion but i know that site you mention is only the top of the iceberg.

There are several password forums like passwordparadise.net that have 100.000 passes to paysites.

[fris]

or make the passwords harder, people that pick their own are too simple

[rotterdammer]

Yeah thats also very true fris!

[Pimpin_J]

The passwords arent the most weak point on an adultsite. Generated user/pass combinations are a good start but that doesnt protect you from so called "pass sharers".
The weakest point is the "human" webmaster!
They hack your site through any well known bug (adultcms/phpBB,whatever), place a shell (mostly .php / .gif / .jpg ) and search for your .htpass file or your sql details. Once your .htpass is stolen its easily decrypted with the right tools. (Generated user/pass combinations are also more hard to decrypt then normal combos like "user123 : 321user")
Bruteforcing was 1990...
So better keep your stuff updated and check for suspect files on your server.

[martinsc]

Quote:

Originally Posted by Pimpin_J

The passwords arent the most weak point on an adultsite. Generated user/pass combinations are a good start but that doesnt protect you from so called "pass sharers".
The weakest point is the "human" webmaster!
They hack your site through any well known bug (adultcms/phpBB,whatever), place a shell (mostly .php / .gif / .jpg ) and search for your .htpass file or your sql details. Once your .htpass is stolen its easily decrypted with the right tools. (Generated user/pass combinations are also more hard to decrypt then normal combos like "user123 : 321user")
Bruteforcing was 1990...
So better keep your stuff updated and check for suspect files on your server.

couldn't agree more...

[Beejeebers]

How are generated user/pass combos harder to encrypt?

If you have a user/pass/id number combo, you would screw over 95% of the scripts that script kiddies use to hack the sites in the first place.

[frakyou]

Seems like it would be easy to prevent this. Different people logging in under the same account would have different ip adresses.

[CaptainHowdy]

Quote:

Originally Posted by Anar_j

Uh ??

[Pimpin_J]

Quote:

Originally Posted by Beejeebers

How are generated user/pass combos harder to encrypt?

If you have a user/pass/id number combo, you would screw over 95% of the scripts that script kiddies use to hack the sites in the first place.

Its definatly harder to decrypt if its generated! Most sites use DES decryption and to decrypt it you need a good wordlist. Generated means more salts = takes much longer to decrypt. Now its getting to the math part where i have to pass course i always was stoned in math..
But i hope you get my point now, why its more usefull to use generated passwords to prevent hackers.


Easy example -> check the web for suze passes or for bangbros..youll find a shitload of passes. But try to get a pass for partyhardcore and/or perfect gonzo sites...
Youll see what i mean..

[martinsc]

Quote:

Originally Posted by Pimpin_J

Its definatly harder to decrypt if its generated! Most sites use DES decryption and to decrypt it you need a good wordlist. Generated means more salts = takes much longer to decrypt. Now its getting to the math part where i have to pass course i always was stoned in math..
But i hope you get my point now, why its more usefull to use generated passwords to prevent hackers.


Easy example -> check the web for suze passes or for bangbros..youll find a shitload of passes. But try to get a pass for partyhardcore and/or perfect gonzo sites...
Youll see what i mean..

[czarina]

Just do passwords away and invent something else, yeah, like what?

[nofx]

everone should img src it to death or packet it offline

[BIGTYMER]

Those passwords suck.

[BV]

it's free traffic guys
it's free traffic guys

there i said it twice

[germ]

i say we stop promoting the sponsors that pay the password sharing sites.

its always aff and cams.com. they know wtf is going on, but they dont do anything about it. if other people stopped promoting them because of it, it may make them sit up and take notice that keeping one affiliate is making them lose a hell of a lot more.

[UtahSaints]

hmmm. fucked up...

[aico]

Stop it? No!!!!!! I get mad hits from "leaked" passwords.

[Bro Media - BANNED FOR LIFE]

Quote:

Originally Posted by martinsc

[martinsc]

Quote:

Originally Posted by LOL :D

[fr0gman]

Quote:

Originally Posted by martinsc

any ideas?

Unplug the Internet.

[martinsc]

just another bump.
someone has to do something about this...

[bizarredollars]

How often does this shit keep coming up?? Invest in a script, and profit from the traffic.. easy as... I tested this a few years back, I posted a password to one of my own sites, left it working for a couple of days, blocked it and made a shit load of sales thanks to a well designed 401 page.

Good scripts don't cost much.. the investment is well worth it.

Fuck, I wrote my own.. I might start selling it at $25 per pop, lol.

[bizarredollars]

Quote:

Originally Posted by Pimpin_J

The passwords arent the most weak point on an adultsite. Generated user/pass combinations are a good start but that doesnt protect you from so called "pass sharers".
The weakest point is the "human" webmaster!
They hack your site through any well known bug (adultcms/phpBB,whatever), place a shell (mostly .php / .gif / .jpg ) and search for your .htpass file or your sql details. Once your .htpass is stolen its easily decrypted with the right tools. (Generated user/pass combinations are also more hard to decrypt then normal combos like "user123 : 321user")
Bruteforcing was 1990...
So better keep your stuff updated and check for suspect files on your server.

Very good points.. another good tip - alter your apache config to use a file other than .htaccess for access rights.. something more random. It is very easily done, and adds another lair of security.

The best thing to do is have a seperate server just for your members only section, random names for your htaccess file, and for your scripts.. only let your billing agent know where the real files are located.

Even then, there are scripts that can email/page you when bandwidth goes way beyond normal levels, so you are alerted when your bandwidth suddenly jumps to an unusually high level.

Keep your software up to date, use a tracker to monitor for advisories that are relevent to your setup. If in doubt, hire someone who knows what they are doing - they are worth their weight in gold.

[bizarredollars]

Quote:

Originally Posted by germ

i say we stop promoting the sponsors that pay the password sharing sites.

its always aff and cams.com. they know wtf is going on, but they dont do anything about it. if other people stopped promoting them because of it, it may make them sit up and take notice that keeping one affiliate is making them lose a hell of a lot more.

Be careful with this tho.. I for one plan to setup some 'password sites', that feature only links to 'hacked' sites that I have made and host myself.. I will be exploiting the password site traffic.. and I don't want the people I am sending traffic to getting pissed off, when I am not doing anything to hurt anyone.

I will of course inform my sponsors of my plans before putting their links up.. and will mostly be sending traffic to my own sites.

[jayeff]

Quote:

Originally Posted by tony404

Can we sue the sponsors for supporting people who steal?

Good question.

On content-stealing sites, "conspiracy to defraud" would apply, because breach of copyright is an established crime and the sponsors on those sites are (knowingly) profiting from the sites' activities. The practical problem in the UK (and therefore possibly in the US and elsewhere) is that this is a criminal offense and an interested party would have to convince the public prosecutor to pursue the case. Software companies have successfully gone this route, but porn operators...?

The additional issue with password sites is whether what they are doing is a criminal or a civil matter. AFAIK that hasn't been tested and given the state of this industry, I wouldn't hold your breath.

Quote:

Originally Posted by germ

i say we stop promoting the sponsors that pay the password sharing sites.

I'm in the middle of removing links to the sponsors who give TBP special discounts, but after seeing Lens' responses to the content-theft sites issue a couple of days ago, yes, when that is done I'm taking down my links to AFF and its associated sites. I have been promoting them since 1998 and I'm not under any illusion that my action, by itself, will make the slightest difference to AFF's policies. However, by promoting sponsors who support those who undermine this industry, we are also failing to back those who do work in an ethical manner. So in effect, that's score 2 for the bad guys each time we fail to act.

[Brujah]

Ohh noooess...