Slashdot Mirror
Cult of the Dead Cow Going P2P?
An Anonymous reader writes "The BBC is reporting that cDc is releasing a new Peekabooty software in July which will defeat totalitarian governments and law enforcement from their current monitoring efforts. The article states: 'A group of hackers are developing a web browser that it claims will make it easier for people to circumvent censorship and avoid the attentions of law enforcers.
The software, which is due to be unveiled in July, uses a combination of encryption and a Gnutella-like network...'" CDC of course is famous for tools like Back Orifice, which is mostly controversial because its a perfectly legit admin tool with a really scary sounding name, and the fact that countless crackers use it. This is just another P2P tool, but these guys have a history of making waves, so it'll be interesting to see what happens.
This seems to be quite similar to crows.
Crowds is an idea from Michael Reiter and Avi Rubin at AT&T. The basic idea is to become anonymous by joining a crowd, and to pass browsing requests to a random member of your crowd. In effect, every member of the crowd runs a proxy server for the benefit of the eveyone else. Read all about it at AT&T crowd central.
acz
Just 3 months ago there was a whole article made by one of the napster makers of why gnutella can't scale( Article here) I'm aware that it says "gnutella like" but i don't know how this could be better implemented. Also one reason why encryption isn't used all the time is because it's not as fast to get the info compared to non-encrypted websites and such. Judging by the Back Orfice encryption, i suspect that this encryption will either a)Be terribly slow that no one will want to use it. or B)It will get cracked in a week. The government can take active participation, it's not like they don't try to crack encryption scemes. I don't really see this web browser as being the ultimate privacy killer-app because you'll need users that are going to commit to slow downloading of webpages and a network protocol that has been mathmaticlly proven not to scale.
For what reasons, exactly, do you respect the French government?
Peekabooty and tools like it, are the last defense for citizens against the thought police. Just because the French know how to make wine doesn't mean their government isn't as dangerous as the one in the USA, or the one in ROC, or the one in EEC, etc...
; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
And by stint of association with the US, the French government is "A-OK with me"?
Hmm.
; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
This is one particular case where platform agnosticism is crucial.
Does Peekabooty run on Windows/MacOS/Linux/*BSD/BeOS/etc?
Is the source available? Can we port it quickly?
I'll be interested to see their launch of this tool at Defcon this year...
; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
There's no mention of this on the official cDc website, so we're still short of technical information. How does this compare to alternatives like Freenet and Mojo Nation, which are designed to avoid the mistakes of Gnutella and Napster? And how much closer does it bring us to the first P2P service proposed, Ross Anderson's Eternity Service, which basically describes all the ideal qualities a P2P could have? I'm looking forward to reading what the CDC themselves have to say about it - it's a shame we hear it from the BBC before we hear it from them...
--
Xenu loves you!
Some comparison with prior work please.....
--
Good luck!
--
--
--
--
While I hope that Peekabooty becomes a useable tamper/monitor resistant network, I wish the cDc had focused on some of the more challenging problems facing peer based networks.
There are already a number of secure information sharing networks, like Freenet, Publius, Anonymizer, etc, etc...
The problem with these networks, and probably a majority of the net is locating the content you want in the first place.
They do not mention any details on the discovery mechanism Peekabooty uses, so perhaps they have covered this base as well, but I doubt it.
Napster, which is great for locating content, is quickly dying a painfull death. Gnutella and Freenet, which are more legally resistant are no where near as effective at locating content.
Gnutella is especially inefficient at this task, so I hope Peekabooty is not modeled after the Gnutella style discovery method.
At any rate, I wish a lot of the focus of peer based projects would shift from simply being Peer to Peer!!! into specific implementations of peer based functionality, like resource discovery, content transfer, etc.
There was a paper written recently (http://www.darkridge.com/~jpr5/doc/gnutella.html) that details why Gnutella cannot scale well.
Many users (such as myself) with nice fast connections have bandwidth limits per month after which we start to pay. The moment the cable|dsl bill comes in the mail, little Billy's parents will be cutting off the broadband.
It's a great idea, but in practice it's popularity may be it's downfall.
grubbyTrolling is a art,
That seems like a great idea, a P2P web browser. The only problem is, sure you can find out a lot of things that maybe 'they' don't want you to. But that requires the information be on a server somewhere, and servers require bandwidth, so if 'they' really doesn't want you to see it, they can just take that server out. Like the French and Ebay there. We need more 'Freenet' alternatives too!
---
--
Insert Witty Sig Here
I don't necessarily think that cDc's implementation of the whoopass-crypto laden needle-in-haystack p2p app is any better or worse than the others could be. Back Orifice isn't the best of it's kind.
Currently, freenet's the 500lb gorilla of these. Crowds is cool. Hell, bolt some new host discovery tools on gnutella and use stunnel, that should be fun.
Currently the landscape has 3 variables. Encryption to hide what's being said, neat discovery protocols to hide who's serving, and transport protocols to hide who's requesting/recieving. Combined, the protocols can serve to counter traffic analysis attacks.
These things have already been thought out. It's some pretty nifty math. But all the implementations of this scheme have some fundamental weaknesses (theory/practice all over again).
The first is assuming that people will actually use them. I seriuosly doubt many people outside the geek, IP and gov community even know about freenet, crowds or such nifty things. If only a few people are using it, then they are automatically suspect, and can be attacked in other ways (tempest, wiretaps, room bugs), thus defeating the scheme.
The second is the number of apps/protocols doing this. Name 4 version 1.0, ready for prime time implementations that have been deployed widespread for consumer use...thought so. For a repressive gov or corp, it's like playing whack-a-mole with only 1 hole for the mole to pop out of.
This is where cDc comes in. The fact that the people who keep the closest eye on this kind of thing (us) heard about it from BBC says a lot. This is going to be all over the tv news. Everybody's going to know about this. Where freenet and crowds work on integrity and discovery of information, the mere idea that cDc is working on this increases the availability of the information to the defensive player. This is done through manipulation of open information sources. Brilliant.
As a result, the others who've been working on this for a while are going to become more motivated to work on their apps so that cDc doesn't steal their fire. How would you feel if you did all the basic research for this, spent years developing it, and then a bunch of drugged out, ascii art typin' wierdo's pulled the rug out from under you? I think cDc's app is going to make it so the whack-a-mole game is a whole lot more difficult. There will be more than one app/protocol simply because all the current projects will get more attention. For example: look at the current p2p landscape post napster smack-down. The other protocols are doing quite well. I would say to the effect that even though judge Patel ruled in favor of RIAA, p2p won. Thank you, RIAA, for enforcing a move away from cruft. Now we are more able to thwart you.
I don't know what cDc's app will be like, but I do know that as a platonic perfect object, it's going to be a resounding success by filling in a lot of the weaknesses of the practice of encrypted p2p. With Freenet and Crowds having worked out the theory.
Yay cDc!
"Let him go, Ralph. He knows what he's doing." --Otto Mann (simpsons)
If cDc plays nice, it'll support freenet gateways. The more the merrier! (think of the Mojo you could make by operating a MojoNation/FreeNet gateway!!) Hopefully the cDc version will support as much anonymity and security as freenet.
Returned Peace Corps IT Volunteer
diverse...oh, wait.
Ideally, one project would make everyone happy. But then we see things like microsoft... We're still in the early phases of the current P2P architectures (note the word 'current' -- let's not forget the 70s here, people). Different people will create from different paradigms, for different needs (cDc P2P--control any computer from any other computer?). We'll eventually figure out the central blob of features we need in every case, and the add-ons that each group prefers, and all will be happy.
I would hope that the freenet folks learn from the approach of the cDc folks, and vice verse. I presume cDc will be open source, as freenet is, so there can be code sharing to reduce duplication of effort.
So yeah, I guess my answer is diversity of features, but with a hope that people won't be stupid about it (the wheel already exists, don't reinvent it!) and a goal of a standard set of protocols and tools/features.
Returned Peace Corps IT Volunteer
The usefullness of this tool in countries like the US isn't really clear. If this tool will successfully redirect ip addresses for "secure" e-commerce sites, it is a MAJOR point of concern for online retailers.
This could be the script kiddies saftey blanket for online fraud like "carding" and creation of fake accounts for everything from software to porn.
I will not be surprised when users sit up and say "Why doesn't this forum remember me?" The nature of the user that this software atracts, is the half educated kid that doesn't really get it
On the other hand, cDc and L0pht have always produced tools that force security experts to stop being lazy and get back to making truely secure systems for e-commerce and the like.
Dissenter
Dissenter
"There is no knowledge that is not power."
If anyone can spank the RIAA, the MPAA, and the archaic information control policies of places like China, Singapore and half of the middle east, all at the same time, it's cDc. They've got great hackers/coders, and a great publicity engine. This is gonna sound corny, but in the age of information security, control, and secrecy, people like the cDc are freedom fighters.
I am the king... of No Pants! www.penny-arcade.com
But no matter who gets it done right, the very concept of the tool is outstanding, because it gets right at the heart of the issue; do people have a right to privacy, or not? For the French and others, REAL P2P erodes their ability to say "We respect freedom of speech and thought... Except for X, which obviously has to be stopped."
But I bet the only way this thing resembles a "web browser" is in tunnelling everything through port 80 (and maybe 443). Now *that's* the way to hide in a crowd. I'm very interested in the technical details. They will actually have a lot to do with who uses it and how...
Boss of nothin. Big deal.
Son, go get daddy's hard plastic eyes.
Expanding a vast wasteland since 1996.
People at EFC have been seeking help for countries with restrictions on what they can and can't see so this would be a plus to them. (view their email on this)
;P
What will be nice to see is how governments and corporations will respond to this, concerning piracy, patent violations, the typical bullshit we've seen for the past few weeks.
Funny I posted this on my site days ago
Privacy links
Want Root?
1. World Free Web - an attempt to connect browser caches to Freenet, creating a "backup web" that would be as anonymous and private as Freenet, but as easy to use as Mozilla.
2. FreeSQL allows you to port your SQL-based apps to use Freenet as the underlying storage mechanism.
Can your IM do this?
These days a lot of the cDc members live in san francisco.
-- free as in swatantryam - not soujanyam.
The main reason China (and other nations) haven't YET cut off all internet access, and probably won't, is that as much as the governments love their ideology, they also love money and foreign investments. China, for example, knows it can't survive without foreign investment and commerce, and the internet helps facilitate that. Thus, I don't think China would ever completely cut off its citizens from the internet - though it might restrict things to a very few "approved" web sites.
-- "Those who cast the votes decide nothing. Those who count the votes decide everything." -Joseph Stalin
The dailynews.yahoo.com link above is a good example, as it is likely that you couldn't easily visit it from a computer in China. To see what I am talking about, look at these:
-
Punching Holes in Internet Walls, a New York Times article on various
attempts to circumvent access restrictions. (Here are the obligatory
partners and
channel links.)
- Beijing
Declares Victory But Chat Rooms Are Skeptical, a New York Times article
providing background information on web discussion boards used and censored by
people in China. (Again, channel and partners
links.)
- www.realmapping.com, (changing their
name to Quova), a company attempting to keep a database of IP addresses versus
geographic position. You can look at some technical information here.
What one gathers from the above articles is an on going tit-for-tat battle between the Communists (and other censorous governments, in conservative Islamic nations, etc) on one hand, versus the people of those nations, and those who would offer them information on the other. China and those other nations don't firewall based on the content of the data passing through; they just generally block connections to specific places, by DNS name and IP address. People found they could use a proxy service such as safeweb to get to the unfiltered Internet. Then the Communists found safeweb and blocked access to it. So safeweb started daily emailing out a new list of sites which were running the safeweb proxy, and the Communists would rush to block those and the safeweb folks would rush out new ones. Eventually the safeweb people came out with a way for any individual in the free part of the world to easily run a proxy that accepts connections and redirects you to safeweb, that is the Triangle Boy system. That's about the state of things now.A system or service like that described in the realmapping links might be used by gateway machines in China to broadly filter all sites outside the country, except for perhaps a select few. This is a real threat to the safety of the world. If Chinese grandmothers and high school students could easily and regularly read anything on the web, then China is much less likely to end up in a war with us or with Taiwan. The Chinese are not going to like America more or agree with our positions because they can read the propaganda and claptrap that our press spews out every day, but they will have a different sense of perspective (perhaps more cynical) and they will be less likely to get into a froth about some spy-boys getting a little rough with airplanes. I'm not going to get into the philosophy of it all, but suffice to say that I think that the more the people of the world can see and hear of each other, the safer the world will be. The Truth Shall Set You Free.
A system like Triangle boy, which is a network of proxies run by volunteers to enable you to connect to safeweb, is what we really need to solve this Internet filtering in foreign countries. An easier to use freenet/ gnutella from l0pft will be very exciting of course, but I think it may not be the right solution for the Communist censorship problem.
For a gnutella/freenet to have effect on the Chinese student who wants to read a New York Times article, it has to be undetectable by the Communist Firewall (because the Communists might decide to block all encrypted traffic, or find the student himself) and it depends upon someone in the free part of the world running a script to dump www.nytimes.com over into the gnutella/freenet system every day. I believe it would be much better to set up something like Triangle Boy but without the single point of failure of the central safeweb service, and doing something to hide and disguise the web page requests and content.
That's really hard to do. If you settle for a distributed system that doesn't hide and disguise the traffic, then you run the risk that the Communists will simply block all encrypted traffic or start trying to track down and harass individuals inside their country. Maybe you can depend on the difficulty of running that type of firewall on a whole country, and the fact so many people will use it even the Communists won't be able to throw them all in jail. Maybe you can also set up clever proxy and client combinations that hide their real traffic in the meta tags and comments of innocent looking web pages, or use other steganographic techniques, but you would have to be constantly upgrading them against Communist detection.
By getting rid of the central safeweb point, you also avoid any censorship due to cooperation from publishers on the free side of the firewall. This would have the effect of making it impossible for Yahoo to not display Nazi stuff to France, because they couldn't tell who was from France. This would make the IP ban that occurs after you modded down 5 times in 24 hours also useless. Yahoo and the French, the Communists, and Rob Malda will all have to come to the realization that anything they put on the Internet is on the Internet for everyone, no discrimination.
That day cannot come too soon. We need to get to work.
...but not because it's revolutionary, new, or even somehow an impressive technical achievement (or achievement to be). It's important because cDc has the ability to make a statement that will be heard net-wide. It's importance is of a political nature.
That's funny, I thought the CDC was more interested in wiping out Ebola and AIDS...
Of course, it could always be (successfully) argued that governments ARE, in fact, a disease...
Hmm...
Zaphod B
Zaphod B
When duplication is outlawed, only outlaws will have
Moderations Totals for CmdrTaco: Troll -5
<grub> Reading
I believe that that's what the folks over at the freenet project are attempting to do.
No thanks. I don't smoke anymore.
I wish cDc would just go back to writing stories about Debbie Gibson fighting ninjas. Stick to what you're good at.
I don't know about the second one, but collectives usually do seem to be considered plural in British English.
/Brian
One that would be much harder to filter ... and harder to regulate ...?
I could see this doing wonders for many large countries like China ...
makes you wonder
If you've had the software around as long as Gnutella's been around and you're still trying to come up with a legitimate use for it, it's my opinion that you've already lost.
This could be done very much like Crowds, which is also an online privacy tool. It seems to be closed source though, so I havn't tried it. I predict the following extra features in the CDC program:
1) Strong encryption, ideally masquerading as SSL, to stop it being too easily blockable. Or better sill, MSN Messenger format messages.
2) Open source, and availiable on all platforms.
3) Something to allow all your HTTP traffic to be routed through the same machine for one session, so it is possible to access sites like Hotmail that forward you about a lot, and check your IP address.
4) More cow pictures.
Michael
"Goodness me, how unlike the FBI to abuse the trust of the American public." -- The Onion
Stop totalitarian governments? I'm all for freedom of speech; i.e. expressing ideas, criticizing government, etc., but governments that repress this are certain to outlaw this browser. As for the U.S., etc, do we really need more tools to help people hide things like child porn?
Donate background CPU time to fight cancer.
The MIT Freehaven site is a similar project and has some interesting articles about problems of current anonymous p2p systems like Gnutella Freenet and Mojo Nation , such as Accountability flexibility and different kinds of anonymity.
- an ISP can't possibly feel itself justified in shutting down anyone shoving gigabits through the Gnutella port (you've already heard about this probably...), and
- so the Government can't try to stop Gnutella (company?) from distributing Gnutella software (it wouldn't matter if it did: Gnutella's already out there and since it's P2P the government can't do anything to get gnutella company to shut down the service, but:)
- Or worse, to try to go after the users and to make it illegal to use gnutella! (Which isn't so farfetched...)
The government or RIAA can say today, "Look, there's no justification for using gnutella since it's basically only used for piracy, so anyone that's shoving data over it has every reason to be denied that right."But if we could say: "Uh, actually, it's just a distributed internet surfing system with encryption, which also happens to work as file-sharing as part of its distribution scheme, since it doesn't differentiate between html documents and binary documents, which isn't a meaningful distinction anyway since you can MIME encode anything into html if you want,"
THEN the government will be forced to say: "well hot-damn. We can't have ISPs shutting down distributed information sharing, which is the only thing WEB-SURFING can be construed as, since it would be a denial of freedom of speech (denial of right to know. Freeedom of speech, although IANAL, only is a meaningful right as long as those who want to listen to you have the right to listen to you.)
There's little the Government or any ISP could say against "It must be encrypted so that the information becomes available to users under a totalitarian regime. It must be distributed so that that regime cannot shut down a web server and cause the source of the information to cease."
The upshot: the government, your ISP, the RIAA, etc, etc, will have NO way of keeping the ENCRYPTED, DISTRIBUTED, "stuff" that you share from happening to be pirated. They can shut down Gnutella of today to some extent by making the software illegal to own, since they would be fairly justified in saying that it is used almost exclusively for illegal purposes. If you started doing web surfing over it, there is no such argument.
For this reason alone, all of us should start doing all of our surfing through this new system as soon as it's featurey enough.
Besides, at the very least, if we started doing that, then whatever we do websurf will be hidden from our ISP by being encrypted, and documents will probably come over much faster under a distributed system. Well, static documents would at least. Maybe this system would also serve to route you around faster, mimicking IPV6, so we could still do better to use it than surf straight. There's no limit to how much good we could get from doing all of our surfing through a distributed, encrypted system, and since the fact that it would make piracy easy is an inherent but small side-effect, it would mean that no one could stop it.
Long Live the Freeedom to Rip Artists Off!
(Which I happen to disagree with, but to a far less extent than I do with the RIAA's trying to force us not to share our files. If artists included an address to send money to in the extended descriptions fields of their MP3's [yes, artists should distribute their own mp3s], I know that I for one would take advantage of it and give them their due. As it is, it's far too much trouble and far too much of what I would pay would go straight to the record industry's pocket. That reminds me of a joke, which is actually a good analogy for why we share name-brand artists instead of no-name artists, even though name-brand artists are being whored out by the record industry.)
~
An Anonymous Coward writes "Judging by the Back Orfice encryption i suspect that this encryption will either a)Be terribly slow that no one will want to use it. or B)It will get cracked in a week." Now I'm not sure about the original BO's encryption, but BO2k has the option for plugins that can choose Blowfish, Triple-DES, or other encryption schemes for data. Doubtful that someone will crack that in a week. As for speed, I have yet to use BO2k (I'm currently experimenting with VNC, although BO2k seems to have more features), but I doubt that it is terribly slow. (Btw, if anyone does use BO2k, can you comment on the speed under a decent computer (say anything higher then a P200) with a strong encryption scheme? Thanks.)
Does that mean they are implementing something like crowds? I just hope they do it right, because making anonymity work is a bit more complex than just shipping stuff through a bunch of intermediaries.
What's wrong with Freenet? Wouldn't it be smarter to assist an ongoing anonymous, decentralized p2p network (which sounds substantially more advanced than Peekabooty) rather than spawn off another one? --Greg