The average DaniWeb member, if not already au fait with Pastebin.com, is almost certainly aware of something like it. A pastebin has become, for many programmers, a default tool in the coding box, and for very good reason: it makes sharing large quantities of code very easy indeed. Of course, any pastebin is essentially just a temporary text store, and that means any type of text, not just code; and it's here that the problems for pastebin.com would appear to start. The service has been branded "a major trading place for exploits and passwords" by recently released research.
Of course, the eagle-eyed amongst you will have picked up on the fact that I used the word 'appear' in that last paragraph, and I did so for very good reason. There is a move by some parts of the media, driven largely by press releases and research from security vendors and other 'interested' parties, to suggest that pastebin.com is a vehicle for hackers, cybercriminals and even, in some cases, terrorists. That suggestion is, in my never humble opinion, poppycock. I mean, come on folks: blaming pastebin.com for enabling the hacking of accounts because someone posted a list of compromised passwords there is right up there with blaming the Internet for paedophiles, as they can use it to distribute their filth, or the mobile telephone for terrorism, as they can use it for... well, you get the idea. Medium and message, old chap, simple as.
The research in question, which points to Pastebin.com as being an exploits and passwords trading post, comes from a Swiss infosecurity and computer forensics company called High-Tech Bridge. The research suggests that, during the last 12 months alone, Pastebin.com has seen 311,095 user credentials (login/password pairs) for various services, websites and emails published. In many cases, it says, other personal details such as credit card numbers, addresses and phone numbers of the victims were also published by the hackers. According to that research, the average leak record posted to Pastebin.com contained 1,000 user credentials. Email systems were the highest source of these leaks at 40.9%, and the most popular of the compromised email systems targeted this way, as identified in the research, was gmail.com at 25.1%.
High-Tech Bridge says that it believes the volume of data compromised via Pastebin.com "is just the tip of the iceberg", as many of the postings are being used by way of proof-of-concept, with just a subset of the total compromised data being posted. "The posts are in effect, adverts for the attackers' capabilities" the company warns. No surprise, then, that the news media picks up on this and routinely makes calls for Pastebin.com to be closed down, regulated, filtered or somehow otherwise punished for the terrors that it unleashes upon the world. These calls are, almost without exception, ill-informed at best, and here's why.
Pastebin.com itself is massively popular. Its basic premise, managing clipboard contents locally and sharing them remotely via the simplest of web-based user interfaces, has seen more than 43 million 'pastes' (not counting the spammy ones) since it went live in 2002. As I write this, Pastebin.com has had 42,302 pastes in the previous 24 hours alone. As with any popular service (think Twitter, Facebook or DaniWeb, for example), some of the people who use it are actually only there to abuse it. And as with any such popular service, there are terms and conditions of usage, there are rules to be followed, and there are processes in place to deal with those who break them. Pastebin.com is no exception, and you only have to look at the Acceptable Use Policy to see them writ large:
"Broadly speaking, the site was created to help programmers. Any paste or usage pattern not related to that goal which results in unusually high traffic will be flagged for investigation" Pastebin.com advises, continuing "Your paste may be deleted and your IP blocked. In particular, please do not paste email lists, password lists or personal information." Pastebin.com has a report abuse feature that can be used to flag such pastes, and flagged pastes will be deleted. The service lists the following as things that should not be posted:
- email lists
- login details
- stolen source code
- password lists
- personal information / data
- pornographic information / data
- spam links (this includes promoting your own site)
Further, Pastebin.com warns that "if you do not comply with our Acceptable Use Policy we might ban your IP address from the website. Also, your IP address might be shared with authorities." So, to sum up, Pastebin does not have a problem; people who abuse it have a problem and those who report on this abuse without any real knowledge of the service itself have a problem. 'Nuff said...