Slashdot Mirror


Gnutella Copyright Enforcement?

horos1 writes "Is copyright protection on gnutella enforceable after all? I thought that gnutella users were better off (ie: more anonymous) than napster users in this regard, but this story on zdnet implies otherwise." As I understand it, this app can report user names and IPs of people who download booby-trapped files that the software pretends to serve. Yes, you too can be Lars!

8 of 290 comments

  1. Sure.. why not? by mindstrm · · Score: 5

    Makes perfect sense to me.. I mean, when you do a file transfer, it happens peer-peer, so you do know who the other party is (or at least, their IP).
    In fact.. as soon as search results are returned, those results contain the IP address of the host holding the data, no?

    So... the only thing anonymous about gnutella is that searches are anonymous until you actually download something.

    But really.. the whole point of gnutella wasn't that it was 'anonymous', but that it is decentralized. There is simply no easy way to 'stop' people from using gnutella. We can switch ports easily.. it really does need randomized ports....

    Now.. personally, I would think that putting up material to be downloaded in order to finger people would amount to entrapment, as you are basically going somewhere where you *KNOW* that people are tempted to download software, and put up software they might want...

    1. Re:Sure.. why not? by Tackhead · · Score: 5
      > I would think that putting up material to be downloaded in order to finger people would amount to entrapment,

      Not really.

      As I understand entrapment, it's only entrapment if you actively encourage the crim^H^H^H^Hvictim to commit the crime.

      Gnutella users have plenty of opportunity, once they see that Metallica track on honeypot.riaa.com, to Just Say No.

      If they walk away from the bait, they're not guilty -- even if they searched for "Metallica" to find the bait in the first place -- because there's no law against searching for infringing material.

      Only when they elect (of their own free will) to download what they reasonably believe to be infringing material, have they committed a crime.

      Unless there's a RIAA rep saying "hey man, download that Metallica song from my server, fuck the system man! Be an MP3 r3b3l d00d!" in some chatroom at the same time as the poor bugger finds his way to the honeypot, it's not entrapment.

      From law.com:

      entrapment, N.: in criminal law, the act of law enforcement officers or government agents inducing or encouraging a person to commit a crime when the potential criminal expresses a desire not to go ahead. The key to entrapment is whether the idea for the commission or encouragement of the criminal act originated with the police or government agents instead of with the "Criminal." Entrapment, if proved, is a defense to a criminal prosecution. The accused often claims entrapment in so-called "stings" in which undercover agents buy or sell narcotics, prostitutes' services or arrange to purchase believed to be stolen. The factual question is: "Would Johnny Begood have purchased the drugs if not pressed by the Narc."

      While it's true that the potential criminal in the case of Gnutella has neither expressed nor not-expressed a desire not to go ahead with the crime, it's pretty clear that searching for "Metallica" and downloading "Metallica.mp3" on Gnutella are almost always things that originated with the soon-to-be-criminal, and not the cops, the RIAA, or NetPD.

      I have no love for the RIAA and frankly think that this is a pretty disgusting tactic. But as repugnant as it is, it's probably not entrapment.

      The moral of the story is that you need a distributed and chained network of anonymizing proxies, as well as strong crypto between each link, to make a truly bulletproof system. Any system where there's direct client-to-client contact renders you visible to the world.

      Don't think that this is only a concern for cablemodem users and those with static IPs. If you're on dialup IP, remember that most of those dialup ports resolve to a geographical identifier. If there are 500 Metallica downloads and 400 Frank Sinatra downloads from the class C block ipXYZ.yourcity.yourisp.com, odds are good that there are only two violators, and it's a simple process for your ISP, once subpoenaed, to prove it and nail them both.

  2. Napster, GNUTella, et al all have this hole by gavinhall · · Score: 5
    Posted by 11223:

    Any distributed file-sharing protocol that is non-encrypted is insecure in this fashion. The reason is simple: Your computer requests the serving computer for the file in question. The other computer obviously knows your IP, then, and a modified client can serve up that info. That's why the Freenet project is so essential.

    Here's a simple precaution that can be taken when designing such a protocol: One computer never directly requests to another. Instead, it gets a piece of information from the serving computer through the network (x, n, and x^y mod n for some x, y, n) and creates a key (x^y^z mod n for some z) and sends another piece of information indirectly (x^z mod n), so that the server can get this number (x^y^z mod n) itself. Then you can establish a two-way encrypted link securely while having your packets be passed through other clients (so that the server never knows your IP). (BTW the encryption is a Diffie-Hellman key exchange and is one of the neatest things in modern crypto).

    1. Re:Napster, GNUTella, et al all have this hole by tzanger · · Score: 4

      No, I mean requests flowing across the network (and encryption to make it secure). If what I described were implemented:

      • Servers would have no clue which requests came from which IPs, because the request was forwarded across a network.
      • The forwarding computers (who know your IP) would have no idea which requests you put out because the request is encrypted.

      Actually you can take it a step further... with all the gnutella clients out there, each one can serve bits and pieces of the file to the requestor once it is determined that they want file 'x' from server 'y'. You could do a bit of network analysis to find, say, your closest 10 neighbours and your most reliable (and distant) 10, and then spread the transfer through those 20 clients. (use more for less bandwidth impact on the scatterers but at the cost of more complexity). At the receiver's end, just reassemble the packets from all the scatterers.

      Make it better by having several layers of this scattering. server --> scatter network --> scatter network 2 (now scatter impact is squared for the same size network) --> scatter network 3 (cubed impact now). Let's say you've got a scatter network of only 10 computers. That's now 1000 computers sending bits and pieces of what you want, at no (significant) bandwidth cost to themselves. Of course you'll have to set up levels of how many scatter networks you want to take part in.

      Think of it as spread-spectrum TCP/IP networking. :-)
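
The relayed Diffie-Hellman exchange described in comment 2, together with the two properties listed in the reply (the server does not learn the requester's IP, the forwarders cannot read the request), as an added example that is not part of the original thread. The toy modulus, the SHA-256 keystream, the addresses (documentation ranges) and the sample request are constructed assumptions for the demo; x, y, z and n follow the comment's notation.

```python
import hashlib
import secrets

# Toy group for the demo (assumption): 2**127 - 1 is prime but far too small
# for real use. The names x, y, z, n follow the comment above.
N = 2**127 - 1
X = 3
CLIENT, RELAY1, RELAY2, SERVER = "192.0.2.10", "198.51.100.1", "198.51.100.2", "203.0.113.5"
REQUEST = b"GET metallica.mp3"  # constructed sample request

def keypair():
    priv = secrets.randbelow(N - 3) + 2
    return priv, pow(X, priv, N)

def session_key(their_pub, my_priv):
    shared = pow(their_pub, my_priv, N)          # x^(y*z) mod n on both sides
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def xor_stream(key, data):
    # Toy SHA-256 counter keystream standing in for a real authenticated cipher.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def forward(path, payload):
    # Each hop learns only the address of the hop that handed it the payload.
    return {node: (prev, payload) for prev, node in zip(path, path[1:])}

def run_exchange():
    y, server_pub = keypair()                     # server publishes x^y mod n
    forward([SERVER, RELAY2, RELAY1, CLIENT], server_pub)
    z, client_pub = keypair()                     # client picks z
    sealed = xor_stream(session_key(server_pub, z), REQUEST)
    seen = forward([CLIENT, RELAY1, RELAY2, SERVER], (client_pub, sealed))
    peer, (pub, blob) = seen[SERVER]
    return {
        "server_peer": peer,                      # who the server thinks it talks to
        "server_plaintext": xor_stream(session_key(pub, y), blob),
        "relay1_view": seen[RELAY1],              # (client address, opaque payload)
    }

if __name__ == "__main__":
    print(run_exchange())
```

The first relay still sees the client's address, and because the exchange is unauthenticated, a relay that swaps in its own public value could read the traffic; a real design needs authenticated keys and layered encryption per hop.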

  3. Pissing in the Stream by Johnath · · Score: 4

    This, and the related problem of hacked clients giving back hits for any search that just link back to banner sites, has been a real impediment for me in using gnutella over something more centralized like napster. The problem with anything de-centralized like this is that while you have all the benefits of abandoning centralized control, you have all the headaches of abandoning centralized control too.

    The best solution I've come across (in the oh so many hours I've thought about it... :) is to implement, either at the protocol level or the client level, a moderation-style system, or actually, more appropriate still: a web-of-trust setup.

    Unfortunately, the protocol as it currently stands, does not have much room for carrying this kind of information, and implementing it in any kind of non-trivial-to-circumvent way would require a fair bit of work. I mean, you can have clients digitally sign their hits, and the hits of people for whom they vouch, but ugh - think about the kind of traffic that goes across one of these clients, and the overhead that would come from signing or otherwise authenticating each one.

    Maybe something more akin to the spam blacklists would be more appropriate: have a hook in the client that allows it to grab the current blacklist and filter those people out of the hits. Unfortunately, since a gnutella request doesn't pick and choose its recipients, you'd have all sorts of traffic moving around that was just being dropped by the recipient, but at least this contamination would be harder to pull off.

    Any thoughts on these, or other ways to keep the S:N on something like this up? I think client-side implementation is important, since it allows the protocol to remain unscathed, and choice is of course, essential, just like browsing /. at -1. But if nothing gets implemented, we end up with a great distributed file sharing mechanism that is, much to the pleasure of Lars and his ilk, too contaminated to bother with.

    Johnath.

    1. Re:Pissing in the Stream by deusx · · Score: 4

      This article in the new Fortune issue is kinda illuminating. Asking for what possibly legitimate uses there could be for Gnutella? Here they are. Fortune seems to have published an article whose author gets it.

      And as for the signal-to-noise problem... Dr. Lincoln Stein, of Perl CGI.pm fame and also a genetic researcher, is quoted in the above mentioned article about how Gnutella-style distributed sharing and searching could help him in his genetic research, and he suggests tagging the files with various criteria... such as, in his example, tagging the information as from and for genetic scientists to limit search range.

      Seems like first generation Napster started the noise, second generation Gnutella gave it immortality (in theory)... and the third generation will probably bring metadata tagging facilities, more powerful searching and search path optimization. A lot of good stuff in that Fortune article.

      So, how about we start working on Son of Gnutella with an XML-based protocol, meta-data rich, with optional anonymized distributed UDP-based transfers (anyone remember FSP?), and monster searching.

      :)

  4. An MP3 Vigilante! by Lita+Juarez · · Score: 4
    I've had a look at the Media Enforcer website and the licensing of the software is interesting. The software is free (as in beer), but the freely downloadable version does nothing of use - it returns incorrect IP addresses. To get a working version, you have to convince the author that your reasons for having a copy are pure and honourable. This suggests that the author is setting himself up as some sort of vigilante, ready to defend musicians against the evils of piracy. (Of course, he wrote the software, it's up to him how he distributes it)

    I can see how this software may be useful for successful artists with enough money to attempt to prosecute people they suspect of distributing pirate MP3s. But I get the feeling that the author is hoping it will be used by smaller, less successful artists to protect their copyright. This leads to the question, what are these musicians going to do once they've got a list of IP addresses which are hawking their music? Smaller artists are unlikely to have the money to attempt to prosecute the pirates, so all they're going to be left with is the knowledge that their music is being pirated. Big deal. This software is of use only to the rich musicians and record companies - the people who are so rich that they are the people least financially affected by piracy. If the author of this software is unconnected with the RIAA, I wonder if he realises that the people his software is protecting are the same people who have been fucking him over for years with artificially inflated prices for recorded music.

  5. Big deal? Who you gonna sue? by Otto · · Score: 5

    So they can get an IP address. That's all fine and happy. But who you gonna sue? They'd have to:

    a) trace down everyone serving those copyrighted files, using nothing but their IP.
    b) sue each and every one of them.

    Good luck, and more power to them. You can't sue Gnutella like you sue Napster, since there is no such entity as Gnutella. Decentralization is the key. Gnutella is essentially nothing more than bunches and bunches of people acting independently to share files.


    ---

    --
    - Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.