The structure of the modern pirate (warez) scene

    The site aboutthescene, which today can only be seen in the Internet Archive, contained, besides the history of the scene that I translated last time, fairly detailed information about the state of the scene at that time (2008), its hierarchy and its working principles. In this article I will try to summarize all this information along with comments from people who know the state of affairs today. Of course, there may be inaccuracies or errors in the terminology or structure, and some information may, on the contrary, seem too well known, but I tried to present all the information as fully as it was on the above site.

    In addition to describing the scene itself, which today still operates according to the principles formed at the very beginning, “the scene is only for sceners” and “no business”, the article also contains information on the “undesirable activities” aimed at making a profit that inevitably arose in this global underground.

    The scene itself consists of release groups and a huge system of topsites located around the world. Although “officially” releases are supposed to remain within the scene, they are distributed elsewhere as well: on FXP forums, newsgroups, IRC file-exchange channels and scene torrent trackers. These were also described on the site although, I emphasize again, they are not part of the scene.

    Release groups

    Release groups are the core of the scene: these are the people who make releases. The composition and number of participants can vary widely, depending on what the group releases: films, music, games or programs. For example, an mp3 group can easily consist of just 1 person, while a large group that releases software can have several dozen people. A group usually has its own server (dump), on which it stores working files. The scene has strict standards, or rules, by which all releases are made. The rules rarely change; changes are usually made by a council of several top groups.

    The group gets material for releases from a supplier, who may or may not be a member of the group. In the latter case, after handing the material over to the scene, the supplier can sell it (for example, a film shot in a movie theater) to commercial pirates.

    The methods of suppliers in the early years did not differ much from today's. Someone simply went to the store and bought a program, or ordered software directly from the developer company. During the BBS era the money for purchases usually came from official sysop fees, but sometimes from illegal methods such as carding. It was always preferable to have insiders. Like spies inside corporations, they take programs directly from the source even before the official release. In this case, the group did not have to watch the release date and immediately run to the store, trying to beat the others. Moreover, it gives time to calmly crack the program while other groups are waiting for the official release. Some groups were more inventive; for example, someone pretended to work for a magazine that reviews fresh software. At that time, companies were happy to provide copies for free,

    If a group releases something that has already been released by another group, it is a duplicate (dupe). The release is then nuked, which means it is marked as a "bad" release. Groups try to avoid this, as it gives them a bad reputation. Besides being a dupe, a release may be nuked for other reasons. There are two types of nukes: global and local.

    Global nukes depend on the release itself, that is, something is wrong with the release. For example: errors, a dupe, a jerky or stuttering picture, interlacing, incorrect frame aspect ratio, incorrect conversion of the television sequence or frame rate, sound defects, a botched rip, etc. If the group itself detects an error, it may request a nuke.

    Local nukes depend on the environment. Some sites nuke releases for violating their own rules; for example, TS releases, DVDs in foreign languages, etc. may be prohibited on the site. The release itself, however, is correct. Locally nuked releases can naturally still spread to other sites.

    When a group makes a release, it is automatically registered in the database. This is a huge database containing all the releases ever made on the scene. It contains release names and the release date and time, although the fields differ between databases. For example, there may be music genres (for mp3 releases), sections, and nuke reasons. The databases exist to give groups a way of checking what has already been released, in order to avoid dupes. They can also be used to check whether, for example, a movie has already been released, and when. Release databases are updated automatically, either by crawling topsites (spidering) or by capturing PRE messages on site channels.

    Sites / Topsites

    Each release group puts its releases on one or more topsites. Then the release is distributed throughout the scene. There are in fact a great many sites, but there is a rating system for them. The most prestigious sites, those with the best operators, the fastest links and agreements with top groups, have the highest rating. These are the topsites. All other sites are also part of the scene, as long as at least some couriers transfer releases to them, but the less significant sites, especially those that do not take part in the ranking at all, are of course not called topsites by anyone.

    Security is very important for topsites, and they are kept highly secret. A typical site is configured so that only users with a specific ident and host can log in (or the IP range is checked), with SSL encryption for all sessions. To hide the real IP address of the topsite, FTP bouncers are used. Most users connect through a proxy, so their real address is not visible on the site either.

    Sites have a fast network connection and a large amount of disk space. Often they are located in schools, universities, at people's workplaces, or in data centers. Some countries are preferred: the Netherlands and Germany have fast Internet and are in the center of Europe. Sweden also has good speed, and besides it is very cheap there. Such sites are called legal, in the sense that the owner of the computer knows that the site is located on it, unlike a pubstro (see below). If you have fast Internet and agree to host a site, there will be people who will gladly buy and send you a computer for it, while receiving no commercial benefit from it. Site owners sometimes sell access for money, but this is not a frequent occurrence. An FTPD is installed on the site, along with a bot that announces on the IRC channel when a directory is created on the site and when an upload is completed. The bot also provides information about the "race": couriers try to transfer the release to other sites as quickly as possible. This is how they earn rating.

    Everyone who is on the site is also on the site's IRC channel. Most often these channels are on private and very secure servers, and the connection is over SSL. There are other security measures as well. You can’t simply join the channel: you must invite yourself using a special command while you are on the site. Thus, those who are not on the site will not be able to enter the channel. Alternatively, a password is used. Often, channels are protected by the FiSH IRC encryption plugin, and in order to read messages you need the appropriate FiSH key. On the IRC channel, site operators and participants can communicate with each other. The bot announcing releases is on the same channel, although most sites have a separate channel for announcements.

    All the people present on the sites are divided into siteops, couriers and affiliates.

    Siteops (site operators) are the administrators. A site usually has from 2 to 5 siteops. One of them is often the owner of the site, another is the one who found it and helped set it up. The rest are their friends and people from the scene. One or more of them are nukers. Their job is to remove fakes and dupes.

    Couriers are people who transfer releases between sites. Typically, each of them has access to several sites, and they try to transfer releases as quickly as possible, immediately after they come out. The race is to upload the most parts of the release at the highest speed. The race begins immediately after the PRE.

    Affiliates are representatives of release groups who publish their releases on the site. Each of them has access to a private hidden directory on the topsite. New releases are uploaded there before they become available to other users. When the new release is fully uploaded to all the sites with which the group collaborates, a special command is executed, which simultaneously copies the release to a directory accessible to everyone else and announces it on the IRC channel. This command is called PRE. PRE messages can also be sent to external announcement channels to inform other couriers / site users / FXP that the new release is available for racing.

    The sites also have a rating system. Siteops and affiliates are an exception to this rule; they can download freely. The most common system is 3:1, that is, if you uploaded 3GB, you can download 9GB (or FXP it to another site). If a participant does not meet the mandatory monthly upload plan, his account is automatically deleted. For uploading a bad release (if it is nuked), the rating can be reduced, and even with a multiplier. (Translator's note: that is, if you uploaded some complete junk, it can be counted against you at 5 times its size; this practice dates from the time of BBSes.)

    FXP Forums

    FXP stands for File eXchange Protocol. It is not actually a protocol, but simply a file transfer method that exploits a vulnerability in the FTP protocol. It allows files to be transferred directly between FTP servers. The first server is given a command and, instead of transferring files to the client, it transfers them to another server. The transfer speed is typically very high.
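
    How a server operator can spot the server-to-server transfers described above in FTP command logs, as an added example that is not from the original article: a PORT or EPRT command naming an address other than the control connection's own client sends the data to a third host. The log line layout and all addresses are constructed for the illustration, and the low-port check is an extra heuristic.

```python
import ipaddress
import re

# Constructed sample log, one line per command: "<client_ip> <session> <FTP command>"
SAMPLE_LOG = """\
198.51.100.7 s1 PORT 198,51,100,7,195,80
198.51.100.7 s1 RETR readme.txt
203.0.113.40 s2 PORT 192,0,2,99,78,52
203.0.113.40 s3 EPRT |1|192.0.2.99|20020|
203.0.113.40 s4 EPRT |2|2001:db8::5|20021|
203.0.113.40 s5 PORT 203,0,113,40,0,21
"""

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$", re.I)
EPRT_RE = re.compile(r"^EPRT (.)[12]\1(.+?)\1(\d+)\1$", re.I)

def data_target(command):
    """Return (ip, port) named by a PORT/EPRT command, or None."""
    try:
        m = PORT_RE.match(command)
        if m:
            n = [int(x) for x in m.groups()]
            if max(n) > 255:
                return None
            return ipaddress.ip_address(".".join(map(str, n[:4]))), n[4] * 256 + n[5]
        m = EPRT_RE.match(command)
        if m:
            return ipaddress.ip_address(m.group(2)), int(m.group(3))
    except ValueError:
        pass
    return None

def find_third_party_transfers(log_text):
    """Flag data-connection targets that are not the control client itself."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split(" ", 2)
        target = data_target(parts[2].strip()) if len(parts) == 3 else None
        if target is None:
            continue
        ip, port = target
        reasons = []
        if ip != ipaddress.ip_address(parts[0]):
            reasons.append("third-party address")
        if port < 1024:
            reasons.append("privileged port")
        if reasons:
            findings.append((parts[1], str(ip), port, reasons))
    return findings
```

    The same comparison is what an FTP server applies when it is configured to refuse data connections to any address other than the control client's.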

    The existence of FXP forums is little known, so they are relatively safe. However, the hacking methods they use are highly illegal, and therefore dangerous. Work is usually organized through a forum on a modified vBulletin engine. There is a rating system. It can be either active (when the user must have a certain rating in order to have access), or passive (when the admin simply removes inactive users from time to time). All participants are divided into scanners, hackers and fillers.

    The scanner's task is combing IP address ranges where there may be poorly secured computers with a wide Internet link (usually universities, companies, etc.). This is done by either password guessing or port scanning. Scanners often use other, slower, previously captured computers for this (they call them scanstro), on which they install programs for remote scanning. When the results are in, the scanner publishes them on the forum. Then the hackers come into play.

    Hackers break into these computers. There are a great many vulnerabilities (security holes) that are easy to exploit. To gain access to the computer, a script is used, the so-called exploit. Which particular exploit to launch depends on the vulnerability that the scanner has discovered. Having gained access to the system, the hacker installs a rootkit (usually a modified version of Serv-U). Most often, he also installs a remote control program (usually Radmin), so that it is easier to access this computer later. When the server is ready, the hacker publishes the login on his FXP forum. Such a captured computer is called a pubstro or stro. Depending on the connection speed and disk space, it is then used by either a filler or a scanner.

    Fillers fill the captured servers with fresh warez. A filler takes warez from other pubstros filled by other people. Sometimes fillers have access to topsites and move releases from there. Such people are considered violators, and if the sceners find out about this, they will be banned from the scene. A sceneban is a simultaneous ban on all sites of the scene. It is said that this happens quite often. Having transferred the files, the filler publishes the details on his FXP forum so that others can download. Everyone tries to be the first to announce a release; this is a race just like on the scene, and whoever wins receives an increase in rating.

    (Image: example of an announcement on the scene about a violator who transferred releases to FXP)


    This technique has lost its relevance these days. It is a method of past times, similar to the scan / hack / fill above, from when many universities and companies allowed anonymous access to their FTP servers, including write access. Therefore, instead of hacking the system, you could just upload there and publish the IP addresses. This practice was once very popular, but for obvious reasons it gradually died out. It was done this way: FTP servers with anonymous write access (they were called “pubs”) were scanned for. Found pubs were tagged (a directory was created with the name ""). This was done so that no one else would use the already "tagged" pub. Apparently, this worked for some time, and people respected such “tags”, but not for long.

    Then people began replacing the tags with their own, which was called retagging. To counter this, dir locking came into use, so that no one except the person who first tagged the pub could get into the directory. Different methods were used. The simplest is the creation of a “labyrinth”: thousands of subdirectories, so that it is difficult to find where the warez is located. Another method is UNIX tags: the magic symbol ÿ (Alt+0255), which was a special code on UNIX machines. If there is such a symbol in the directory name, the name will not be displayed as it actually is. Only the creator of the directory can go there, because he knows the real name. There were also methods for NT systems.
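
    A defender's check for the tagging and locking traces described above on an upload area with anonymous write access, as an added example that is not from the original article. It flags directory names containing the 0xFF byte (generalised here to any non-printable byte) and the “labyrinth” pattern; the path list and both thresholds are constructed assumptions.

```python
from collections import Counter

# Constructed sample: directory paths under an upload root as raw bytes, e.g.
# the NUL-separated output of `find . -type d -print0` split on b"\0".
SAMPLE_DIRS = [
    b"incoming",
    b"incoming/docs",
    b"incoming/\xff\xff",            # name made only of byte 0xFF
    b"incoming/\xff\xff/data",
    b"incoming/a/b/c/d/e/f/g/h",     # unusually deep nesting
] + [b"incoming/maze/%04d" % i for i in range(1200)]  # the "labyrinth"


def odd_bytes(name):
    """Bytes that make a listing show something other than the stored name."""
    return sorted({b for b in name if b < 0x20 or b in (0x7F, 0xFF)})


def audit_directories(paths, max_depth=6, max_children=500):
    """Return (kind, path) findings; both thresholds are assumed defaults."""
    findings, children = [], Counter()
    for path in paths:
        parts = [p for p in path.split(b"/") if p not in (b"", b".")]
        if not parts:
            continue
        # Count subdirectories per parent to catch mass-created mazes.
        children[b"/".join(parts[:-1])] += 1
        if odd_bytes(parts[-1]):
            findings.append(("hidden-name", path))
        if len(parts) > max_depth:
            findings.append(("deep-nesting", path))
    for parent, count in children.items():
        if count > max_children:
            findings.append(("maze", parent))
    return findings
```

    Working on raw bytes matters here: decoding the names first would either fail on 0xFF or replace it, hiding exactly the entries being looked for.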

    Newsgroups, IRC file-exchange channels and scene trackers

    The NNTP protocol is one of the oldest on the Internet. Initially it was used for interest-based discussion in the manner of message boards (like on a BBS), but people quickly realized that it could also be used to exchange files. Messages are stored on the news server for a certain time, usually not long, but there are servers (usually paid) that store data for a very long time. Fresh releases from the scene are distributed through newsgroups today, and at the same time you can find very old releases there that have not been preserved anywhere else.

    There are warez channels on IRC servers, run by people who have access to releases. These can be people from FXP, paid sites, or sceners. There are two types of channels. The first are Fserve channels (user-to-user). They use certain IRC scripts and functions to transfer files directly between users. The second are XDCC channels (server-to-user). Usually they are closer to the scene. The server (usually iroffer) is installed on a hacked computer in order to distribute warez from there. Only a limited number of users can download a release at a time, so a queue is organized.

    There are specialized closed torrent trackers that carry exclusively releases taken directly from the scene. They are called scene trackers or 0day trackers. The number of users on them is small, and ordinary users cannot invite new participants; only the administration does this. They follow the same principles by which the scene operates: no business, access must be free, and releases downloaded from the tracker may not be distributed anywhere else. There is no advertising on such trackers; hosting costs are covered by donations.


    The scene is a huge organization that includes tens of thousands of people of all ages and professions, united by a common sporting interest: to get and release as much content as possible faster than anyone else. And although the sceners themselves do this without any benefit, it is not surprising that there are many people who want to make money from their activities.

    Sceners do not sell releases, but suppliers can. Sceners rarely host sites themselves, as this is unsafe, but some site owners sell access. Whole "fake" sites are even created that pretend to be topsites so that couriers upload releases from the scene there, although their only purpose is to sell access, or the content itself, which then seeps out all over the Internet, plastered with ads and offers to "download at high speed", for money, of course.

    If such facts are discovered, the violators are banned and the sites are outlawed, but is it possible to keep track of everything when there are thousands of sites scattered all over the world and tens of thousands of people on them? Nevertheless, the scene continues to live, and by its very existence proves that not everything in this world is ruled by money.
