Gnutella Copyright Enforcement?

horos1 writes "Is copyright protection on gnutella enforceable after all? I thought that gnutella users were better off (ie: more anonymous) than napster users in this regard, but this story on zdnet implies otherwise." As I understand it, this app can report user names and IPs of people who download boobie trapped files that the software pretends to serve. Yes, you to can be Lars!

But what would that username and IP mean?

[(void*)]

It means nothing. Anyone can create any username, and and IP's can be filtered, masqueraded; ports can be forwarded, and tunneled over in many different ways. Routers can be misconfigured even without bring down the traffic. What would that IP/username mean?

Sure.. why not?

[mindstrm]

Makes perfect sense to me.. I mean, when you do a file transfer, it happens peer-peer, so you do know who the other party is (or at least, their IP).
In fact.. as soon as search results are returned, those results contain the IP address of the host holding the data, no?

So... the only thing anonymous about gnutella is that searches are anonymous until you actually download something.

But really.. the whole point of gnutella wasn't that it was 'anonymous', but that it is decentralized. There is simply no easy way to 'stop' people from using gnutella. we can switch ports easily.. it really doeos need randomized ports....

Now.. personally, I would think that putting up material to be downloaded in order to finger people would ammount to entrapment, as you are basically going somewhere where you *KNOW* that people are tempted to download software, and put up software they might want...

Re:Sure.. why not?

[Tackhead]

> I would think that putting up material to be downloaded in order to finger people would ammount to entrapment,

Not really.

As I understand entrapment, it's only entrapment if you actively encourage the crim^H^H^H^Hvictim to commit the crime.

Gnutella users have plenty of opportunity, once they see that Metallica track on honeypot.riaa.com, to Just Say No.

If they walk away from the bait, they're not guilty -- even if they searched for "Metallica" to find the bait in the first place -- because there's no law against searching for infringing material.

Only when they elect (of their own free will) to download what they reasonably believe to be infringing material, have they committed a crime.

Unless there's a RIAA rep saying "hey man, download that Metallica song from my server, fuck the system man! Be an MP3 r3b3l d00d!" in some chatroom at the same time as the poor bugger finds his way to the honeypot, it's not entrapment.

From law.com:

entrapment, N.: in criminal law, the act of law enforcement officers or government agents inducing or encouraging a person to commit a crime when the potential criminal expresses a desire not to go ahead. The key to entrapment is whether the idea for the commission or encouragement of the criminal act originated with the police or government agents instead of with the "Criminal." Entrapment, if proved, is a defense to a criminal prosecution. The accused often claims entrapment in so-called "stings" in which undercover agents buy or sell narcotics, prostitutes' services or arrange to purchase believed to be stolen. The factual question is: "Would Johnny Begood have purchased the drugs if not pressed by the Narc."

While it's true that the potential criminal in the case of Gnutella has neither expressed nor not-expressed a desire not to go ahead with the crime, it's pretty clear that searching for "Metallica" and downloading "Metallica.mp3" on Gnutella are almost always things that originated with the soon-to-be-criminal, and not the cops, the RIAA, or NetPD.

I have no love for the RIAA and frankly think that this is a pretty disgusting tactic. But as repugnant as it is, it's probably not entrapment.

The moral of the story is that you need a distributed and chained network of anonymizing proxies, as well as strong crypto between each link, to make a truly bulletproof system. Any system where there's direct client-to-client contact renders you visible to the world.

Don't think that this is only a concern for cablemodem users and those with static IPs. If you're on dialup IP, remember that most of those dialup ports resolve to a geographical identifier. If there are 500 Metallica downloads and 400 Frank Sinata downloads from the class C block ipXYZ.yourcity.yourisp.com, odds are good that there are only two violators, and it's a simple process for your ISP, once subpoenaed, to prove it and nail them both.

Napster, GNUTella, et al all have this hole

[gavinhall]

Posted by 11223:

Any distributed file-sharing protocol that is non-encrypted is insecure in this fashion. The reason is simple: Your computer requests the serving computer for the file in question. The other computer obviously knows your IP, then, and a modified client can serve up that info. That's why the Freenet project is so essential.

Here's a simple precaution that can be taken when desiging such a protocol: One computer never directly requests to another. Instead, it gets a piece of information from the serving computer through the network (x, n, and x^y mod n for some x, y, n) and creates a key (x^y^z mod n for some z) and sends another piece of information indirectly (x^z mod n), so that the server can get this number (x^y^z mod n) itself. Then you can establish a two-way encrypted link securly while having your packets be passed through other clients (so that the server never knows your IP). (BTW the encryption is a diffie-hellman key exchange and is one of the neatest things in modern crypto).

Re:Napster, GNUTella, et al all have this hole

[tzanger]

No, I mean requests flowing across the network (and encryption to make it secure). If what I described were implemented:

• Servers would have no clue which requests came from which IP's, because the request was forwarded across a network.
• The forwarding computers (who know your IP) would have no idea which requests you put out because the request is encrypted.

Actually you can take it a step further... with all the gnutella clients out there, each one can serve bits and pieces of the file to the requestor once it is determined that they want file 'x' from server 'y'. You could do a bit of network analysis to find, say, your closest 10 neighbours and your most reliable (and distant) 10, and then spread the transfer through those 20 clients. (use more for less bandwidth impact on the scatterers but at the cost of more complexity). At the receiver's end, just reassemble the packets from all the scatterers.

Make it better by having several layers of this scattering. server --> scatter network --> scatter network 2 (now scatter impact is squared for the same size network) --> scatter network 3 (cubed impact now). Let's say you've got a scatter network of only 10 computers. That's now 1000 computers sending bits and pieces of what you want, at no (significant) bandwidth cost to themselves. Of course you'll have to set up levels of how many scatter networks you want to take part in.

Think of it as spread-spectrum TCP/IP networking. :-)

Re:Isn't it the file provider who's at fault?

[Eccles]

Whoop, I think CmdrTaco misread the story (and I misfollowed); this software doesn't fake files, it hunts for real ones on the net and IDs the provider.

Pissing in the Stream

[Johnath]

This, and the related problem of hacked clients giving back hits for any search that just link back to banner sites, has been a real impediment for me in using gnutella over something more centralized like napster. The problem with anything de-centralized like this is that while you have all the benefits of abandoning centralized control, you have all the headaches of abandoning centralized control too.

The best solution I've come across (in the oh so many hours I've thought about it... :) is to implement, either at the protocol level or the client level, a moderation-style system, or actually, more appropriate still: a web-of-trust setup.

Unfortunately, the protocol as it currently stands, does not have much room for carrying this kind of information, and implementing it in any kind of non-trivial-to-circumvent way would require a fair bit of work. I mean, you can have clients digitally sign their hits, and the hits of people for whom they vouch, but ugh - think about the kind of traffic that goes across one of these clients, and the overhead that would come from signing or otherwise authenticating each one.

Maybe something more akin to the spam blacklists would be more appropriate: have a hook in the client that allows it to grab the current blacklist and filter those people out of the hits. Unfortunately, since a gnutella request doesn't pick and choose it's recipients, you'd have all sorts of traffic moving around that was just being dropped by the recipient, but at least this contamination would be harder to pull off.

Any thoughts on these, or other ways to keep the S:N on something like this up? I think client-side implementation is important, since it allows the protocol to remain unscathed, and choice is of course, essential, just like browsing /. at -1. But if nothing gets implemented, we end up with a great distributed file sharing mechanism that is, much to the pleasure of Lars and his ilk, too contaminated to bother with.

Johnath.

Re:Pissing in the Stream

[deusx]

This article in the new Fortune issue is kinda illuminating. Asking for what possibly legitimate uses there could be for Gnutella? Here they are. Fortune seems to have published an article whose author gets it.

And as for the signal-to-noise problem... Dr. Lincoln Stein, of Perl CGI.pm fame and also a genetic researcher, is quoted in the above mentioned article about how Gnutella-style distributed sharing and searching could help him in his genetic research, and he suggests tagging the files with various criteria... such as, in his example, tagging the information as from and for genetic scientists to limit search range.

Seems like first generation Napster started the noise, second generation Gnutella gave it immortality (in theory)... and the third generation will probably bring metadata tagging facilities, more powerful searching and search path optimization. A lot of good stuff in that Fortune article.

So, how about we start working on Son of Gnutella with an XML-based protocol, meta-data rich, with optional anonymized distributed UDP-based transfers (anyone remember FSP?), and monster searching.

:)

Anonymity

[Signal+11]

The problem with anonymity is that on a peer-to-peer network, it is impossible. ISPs have more or less been forced to log who signs on when, if not simply for billing purposes. Given that you can easily get the IP address of the person requesting the file(s) off your server, GNUella offers no more anonymity than a webserver.

If you want real anonymity, you have three options:

• Proxy service
• Illegal proxy service
• broadcast network (ala MBone)

The first one can be had by anyone who will let you use their SOCKS5 server. With some servers, you may also be able to tunnel through an http proxy to obtain non-http service, however YMMV. Services exist online like Anonymizer.com or Freedom which will, for a small fee, happily remove all traces of your IP address from the request using one of their servers. Caveat emptor, however, as they likely need to keep logs as well to prevent absue.

Option #2, illegal proxying - crackers have known about this for a long time. Basically, grab yourself a copy of nmap and start scanning on ports 1080, 80, and 8080 and see how many proxies you can find. Scan for winproxies as well as they are often poorly configured.

Once you have your net of proxies up, or have compromised a bunch of computers and done the same, use those to relay your messages. Or just go down to a public terminal and install some proxy software.

Option 3, there is only one option here - MBone. It is basically an IP multicast network setup on top of IPv4 which allows one server to broadcast data to all other computers on the network.

I'd like to, at some point, start a project to create a self-healing mirroring network with crypto support do accomplish the same things GNUella does, but have it rely on multiple protocols and require no special software (ie, web servers, ftp servers, etc) for the clients to use to get information off the servers.

But I digress... in short, you have no privacy. Either do something illegal to get it back, or give up and accept it. No solutions exist at present to give you 100% anonymity. But.. there are projects in the works that aren't internet based that may be appearing in the not too distant future...

Filename = content?

[Shagg]

Once again, it seems that somebody is writing a search enging for Napster/Gnutella that makes the same mistaken assumption that the Name of the file will tell you everything about the contents. NetPD did the same thing in the Metallica search. Sure, they found 300K+ people who had a filename on their drives containing the word "metallica" or a close match to words in their song titles, but there's nothing illegal about naming a file "Sandman".

Yeah, I agree that pirating software via Napster/Gnutella sucks, but these search engines are just as stupid. It'd be similar for going to google.com and running a search on a common word. Sure, you turn up 3 million URLs, but how many of them really have the CONTENT you're looking for, rather than just contain the word out of context somewhere... how do you tell the difference?

Until somebody comes up with a way of knowing that the file you found contains an actual song, rather than just a filename that appears to describe a song (this may even be impossible), what use are these searches?

It seems that alot of music savy people are looking towards these searches to protect themselves, but they are definitely not computer savy enough to realise that these searches are meaningless. The problem is that the lawyers and courts aren't computer savy either (Ask the 300K people kicked off Napster because of a filename).

An MP3 Vigilante!

[Lita+Juarez]

I've had a look at the Media Enforcer website and the licensing of the software is interesting. The software is free (as in beer), but the freely downloadable version does nothing of use - it returns incorrect IP adresses. To get a working version, you have to convince the author that your reasons for having a copy are pure and honourable. This suggests that the author is setting himself up as some sort of vigilante, ready to defend musicians against the evils of piracy. (Of course, he wrote the software, it's up to him how he distributes it)

I can see how this software may be useful for successful artists with enough money to attempt to prosecute people they suspect of distributing pirate MP3s. But I get the feeling that the author is hoping it will be used by smaller, less successful artists to protect their copyright. This leads to the question, what are these musicians going to do once they've got a list of IP adresses which are hawking their music? Smaller artists are unlikely to have the money to attempt to prosecute the pirates, so all they're going to be left with is the knowledge that their music is being pirated. Big deal. This software is of use only to the rich musicians and record companies - the people who are so rich that they are the people least financially affected by piracy. If the author of this software is unconnected with the RIAA, I wonder if he realises that the people his software is protecting are the same people who have been fucking him over for years with artificially inflated prices for recorded music.

Big deal? Who you gonna sue?

[Otto]

So they can get an IP address. That's all fine and happy. But who you gonna sue? They'd have to:

a) trace down everyone serving those copyrighted files, using nothing but their IP.
b) sue each and every one of them.

Good luck, and more power to them. You can't sue Gnutella like you sue Napster, since there is no such entity as Gnutella. Decentralization is the key. Gnutella is essentially nothing more than bunches and bunches of people acting independently to share files.


---

Re:Anyone work for an ISP?

[mindstrm]

At every ISP I have worked at (chief sysadmin), the only way we would release a username was a) Police investigation (not necessarily a court order) b) When we had enough facts surrounding the case that we felt comfortable giving the information to the asking party. This is extremely *extremely* rare. Usually, it involved someone we actually knew, or someone running a neighboring ISP, and we were both trying to track down an abuser or something. In this case, we would share information. If joe Musician called up and asked us for this information, we would simply tell him that he needs a court order in order to do this.

Not for piracy

[Wah]

'cause piracy is the record industy buzzword as far as MP3 goes.

I mentioned this the last time /. posted a link about this software. Its usefulness, IMHO, won't be tracking down those evil bastards who like music, but finding out what exactly all those evil bastards are listening to. Ratings. Tracking. The same thing will be needed when the bandwidth to share moving pictures becomes commonplace. In a distributed media environment the loss of control scares a whole bunch of people, what they don't realize is that control is the expensive and difficult part of their jobs.

Oh, and we'll probably have to change some laws...or quit funding the folks who would rather sue and ignore new tech than compete.
--