Slashdot Mirror
Surveillance on Peer-to-Peer Networks
n7lyg writes "Salon has an article by Janelle Brown that asks (and answers) the question 'Who is spying on your downloads?' It discusses the use of various P2P tracking tools by RIAA and IFPI and others to monitor file trading on both Napster and Gnutella networks. Freenet seems to be more or less immune to this sort of monitoring at the present time, due to the distributing the files throughout the network. More big brother tactics..."
Firstly, I'm pro-freedom. But everyone should be using Linux! Secondly, I am pro-American-way, even though I don't understand to whom the constitution applies.. oh, did I mention I support a Leftist system for licensing.. when I'm not making my 100 grand a year writing boilerplate perl for some company.
I am a nerd. Or at least, I *act* like a nerd. I am great at reading short snippets from some populist website and using them to form a complete and authoritative opinion. I have been known to stick to my guns even when it's clear I fire blanks.
I dislike commercialism and banner advertising. But I like Slashdot. I believe Slashdot's operation is far more than browsing other news sites and copy-pasting a few notes.
One day, I'm going to leave my parents' place, or my little student dig, and drive topless cars and spend time with topless chicks (without paying!).
I abhor hypocrisy, and believe in equality for minorities. But I _am_ better than everyone else!
I've been thinking about this for a while now.. gnutella search results currently contain the IP of the person with a match for the search request. But wouldn't it be great if there was a way to get the file back to the end user without revealing the posessor's IP address?
If one or more hosts between the file posessor and the requester supported a special extension whereby the search results were rewritten to traverse a HTTP proxy chain created on the fly, privacy would be improved. Furthermore, if those HTTP proxy chains supported caching, performance might be improved too.
Here's how it works:
Host X joins the network, connecting to host Y, which is connected to host Z. Host Y supports the new anonymous downloading feature. Host Z does not support the anonymous downloading feature.
Host A, which may or may not support anonymous downloading, connects to the gnutella network and searches for a document. The search request is broadcast to attached hosts B and C. Host C happens to be connected to host Z, which is connected to Y, and thus Z. Host X sees that it has received a search request for a document it has from host Y, and sends a routed message back through Y to the gnutellanet network. Host Y rewrites the search result to include its own IP address. It also makes an entry in a time-expired table and agrees to proxy the request to host X for anyone that asks. If for some reason Y can not agree to proxy the request (perhaps it is over its bandwidth cap) it will pass the search result unmodified to Z. When a request comes for that document, Y it will fetch it from X. Host Y hands off the rewritten packet to Z, which goes to C, B, and A. From host A's perspective, Y had the file, not Z. At Y's discression, Y will enter the file it got from X in its cache and also answer search requests matching it affirmatively.
Now the response is passed up the chain, eventually to host A. Host A requests the document from host Y, which proxies it to host X, which has the document. Who did the user get the document from? They think they got it from Y, but did they? No. They got it from X. Even if host Y leaves host X's IP in the response, how can we be sure host Y isn't just forwarding the request for someone else? Even when responding to requests that can be fulfilled locally, servers should insert a random delay. In fact, if such a system is in use, there is no reliable way to prove who you got a document from unless you can monitor the Internet connections between every site involved in the transaction.
Further complicating the matter might be the use of encryption and connection multiplexing between involved hosts. Hosts X and Y, for example, might communicate all information including proxied requests over a single encrypted channel. They might pass fodder on that channel when no transactions were in progress to reduce the effectiveness of traffic analysis.
One other great advantage is that caching could be employed to much improve download rates for popular files. Host Y, for example, could agree to keep around a few hundred megs of recently downloaded files. It then could respond to search requests for those files.
Ok now what happens when you start providing substantial disincentives or risk? Much much less people will be willing to "contribute". For instance, if RIAA simply starts making a few well placed calls to the largest ISPs, causing the user to lose his connection in short order. Even if it's only for a few days, or even an hour or two, most users would find this absolutely unacceptable. Those that are most likely to setup a site like that, also tend to be the most attached to their "fast" connections. When the pirate is presented with a choice between providing goods to hundreds of people he doesn't even know and incurring risk in the process or merely leaching like everyone else, the choice is simple. Add to this mix permanent bans, public embarassement, potential legal action, etc etc, and you have even less reason to take the chance. Remember, they need not bust EVERY pirate that is out there, just enough to provide a credible threat. Also, remember that this approach wouldn't take much in the way of resources or money.
Now sure, there will still be SOME nuts out there that will persist for whatever reason, but those will be so small in comparison to the downloading public that their effect will be nominal. The point is that greed works against the pirates as much as it does against the industry. I fully believe the industry is capable of doing this and that it would be highly effective. Against just about any known P2P-like system (e.g., Napster, GNUTella, Scour, CuteMX, or whatever.)
This is a seperate subject, but I think you're completely underestimating the absolute importance in promotion and marketing on the part of the record labels. While marketing and promotion do not necessarily have to come from the industry, a simple website will not suffice. The odds are that the artist(s) will be competing for scarce eyeballs no matter what medium they're on. Scarcity, in turn, means it'll cost lots of moola. Who has lots of capital and is willing to risk it on music investments? The industry. One way or another, capital must be risked to gain a sufficiently large following. The backers will probably be the same industry that we know today, but, even if not, it doesn't really matter. The internet isn't some kind of magical pill to make all these concerns go away.
From the article: I know that your IP address is 28.294.22.1, your ISP is Earthlink, and you logged in last at 2:26 a.m
Whew... Don't worry about their spies... they don't even know the addresses can't go above 255... 8^)
Jethro
Quidquid latine dictum sit, altum viditur.
Perhaps this is why we need security features in peer-to-peer clients.
m sp encer.net/piratestuff/bigfile.iso
Blocks was an example of a filesharing client with too much security. It was well-designed and cross-platform, but required too many resources and too much security for...well, anybody except the most advanced users. It would be very difficult to find the IP number of someone sharing certain content on the Blocks network. It's also almost impossible to even find a file on the Blocks network.
Perhaps what we need is optional security. Some users are going to want to form a mixnet, and only directly communicate with trusted peers. Some people want encrypted disk caches, so if their computers are seized, it'll be impossible to tell exactly what they're sharing. Conversely, some people would like an easy way to tell whether content is copyright-protected and shouldn't be traded, without directly notifying anyone that they've come into contact with the content.
I've outlined some security concepts in a quick page I've put together: http://mspencer.net/fs. It's a work in progress, and is very long (22 KB and growing) with almost no index or table of contents. But if peer-to-peer filesharing is a topic you are enthusiastic and excited about, you'll find the page very interesting. (There are no ad banners at all on that page -- just text, except for my email address. I put my email address in a graphic, to spam-proof it.)
From the page:
Does all of this seem seedy? Do you think people will assume that anyone who participates in any of this extra security or identity protection is automatically a criminal? Remember that this is what computers do -- they take complicated things, and take the manual labor out of them. Sure, some of these methods may seem like seedy criminal behavior turned digital -- but this behavior is usually criminal in real life because it's so costly! It takes time and effort to route anonymous messages around -- take a 'layered' envelope out of the mailbox, unwrap only one envelope leaving (an envelope still inside, possibly with more envelopes inside that), and mail it out again. Pass things around by word-of-mouth only. Use aliases. In real life, these things are difficult to do and take time and effort...so it can be concluded that the people doing them probably need the extra security or protection. That is, they're probably doing something illegal, so the extra 'cost' is worth it. But this is digital -- these are computers we're talking about. It's very easy to let the computer stand out on the streetcorner for us. We're not peddling high-value illegal material -- many of us merely don't want certain advertising companies using our personal information to enhance their seedy business. This 'shifty behavior' becomes worthwhile at the half-penny-per-transaction level, because computers do all the work. Were it the real world, this same kind of 'shifty behavior' would only be justified at the tens-of-dollars-per-transaction level.
Such a system is possible, if enough motivated and excited people get together: adapt and borrow concepts from other projects. The other projects out there (MojoNation, Freenet, Blocks, ELF, and many more) have wonderful concepts and design, and they do a very good job of solving a particular problem with filesharing. But they don't solve all of the problems.
Perhaps if enough p2p project developers are inspired to bring their concepts together into one system, we'll finally rid our gift culture of these pesky intellectual property lawyers.
On a related note...I just thought of this really evil way to abuse three existing services (WWW, DNS, and Akamai proxying) to provide a kinda-anonymous web site:
1) Use an existing DNS zone to point an NS record for a subdomain to a special kind of DNS server. (Perhaps *.anon.mspencer.net)
2) Create a special DNS server (special software, or just firewalled) that is only allowed to hand out DNS query replies to Akamai servers.
3) Publish a URL:
http://a1.g.akamaitech.net/6/6/6/6/lmnop1.anon.
It would be impossible to get the true location of lmnop1.anon.mspencer.net unless Akamai servers were cooperating with you.
--Michael Spencer
(remove the first three letters from the email address above.)
Yes, the internet has made it easier for folks to get their music. Does this really help artists? I see how it could be a lot easier for an unknown band to get noticed, but how does it help them make money?
Here is an excellent essay/letter form sam Rosenthal, the owner of Projekt records (an independent label) on how napster helps unknown bands.
Actually, with all the talk about the relative advantages & disadvantages of Freenet & the other P2P services, how 'bout a combo?
The way I understand Freenet, you can request files based on some calculated key values (hopefully unique for a given file's contents) and it will be sent to you through the Freenet network in some fashion which makes it anonymous to all of the nodes inbetween.
The current main difficulty with Freenet was associating search requests with those key values.
So how about a combo solution? Use normal P2P techniques (and normal search engines for that matter) to return key values based on search criteria. Then use the key value to download the file from Freenet.
By decoupling the searching mechanism from the download mechanism, then you can have all kinds of ways of searching without compromising the robustness & security of the download network.
Here's another idea for distributing search/key value pairs w/o compromising the identity of the people making those associations - use USENET (or a similar mass-distribution channel) with the anonymous mail-to-news gateways to distribute batches of search condition/key value pairs at a time.
I recently submitted an article about how I found a piece of spyware that is installed by a number of music sharing systems including AudioGalaxy and iMesh on my machine. Of course, Slashdot rejected it. Since it is ontopic for this discussion here it is:
The SpyWare Invasion
While writing a proxy server for a class I noticed that for each URL I clicked, a number of POST requests were being sent to d2.webhancer.com and d3.webhancer.com. Wondering what was up I decided to go to the Web Hancer website where I found out that WebHancer is a company that claims to have an installed base of millions of WebHancer agents that report web browsing statistics to their corporate headquarters.
WebHancer currently charges businesses $12,000 a month to access these usage statistics. I found the webHancer agent on my Windows machine (after a quick 'ps -W | grep gent')in "C:\Program Files\webHancer\Programs\whAgent.exe" and deleted it. What I am wondering is how the Web Hancer agent got on my machine since I don't recall being asked whether I wanted to install any spyware. Also exactly how many of their millions of anonymous usage statistics are being generated by unsuspecting users?
Which program did I install that decided to place this Trojan on my machine and is there a blacklist of such programs? AudioGalaxy
Finally, while searching for info on Web Hancer I found Ad-Aware which claims to locate and uninstall such spyware.
He's not monitoring anything by reloading the Napster web page every 10 seconds.
That's not how you do it Lars
--
Je t'aime Stéphanie
They hid it in "Program Files"? Bastards.
Maybe the state's highest function is to grind out insoluble problems. (Zelazny, Hall of Mirrors)
With a couple thousand hits an hours security through obscurity DOES work for minor things like this unless RIAA has enlisted the help of the NSA for number crunching for who downloaded what.
The other thing I wonder is why don't sites like napster et al use basic encryption techniques to keep WHAT is seen secret? It's not like there is a derth of encryption enabled software out there, much the opposite, recent browsers all can deal with port 443 and https. Start using it. Sniffers can only tell that a connection was made, they cannot tell what the contents of that connection did or is doing.
Come on people, time to stop whining and start using what is available to us to keep big brother from tracking everything.
DanH
Cav Pilot's Reference Page
Cav Pilot's Reference Page
UNIX - Not just for Vestal Virgins anymore
________
Does anyone actually have a Java program designed to control air traffic, or for the operation of a nuclear facility?
Freenet seems to be more or less immune to this sort of monitoring at the present time, due to the distributing the files throughout the network.
Good, so now the ten people who use Freenet can sleep easy.
--
--
#nohup cat
I can imagine what would happen if/when I get busted. I may pay a fine. Heck, I could see a few days in jail (doubt it for a non-violent crime, but this is the RIAA we're talking about here). More importantly, I would never, ever, ever buy another CD from that organization again. If it was the RIAA that was behind the persecution, then I'd boycott their member companies. What do they get? One less customer.
How long can record companies last that piss off and alienate their customers? It will be very interesting to see what happens when the contracts of well-known (and lesser well-known) artists come to an end.
That will leave them free to get with a good web host, a couple of programmers and voila - downloadable songs at a reasonable price. Who needs Best Buy/Tower Records/RIAA?
They can run, but they'll only die tired.
Yeah, right.