Slashdot Mirror


Overpeer Spewing Bogus Files on P2P Networks

nimec writes "Zeropaid.com has posted news of a company called Overpeer which is the source of all the bogus mp3 files that are popping up on the various P2P networks. Zeropaid, in the news article, said: 'If you've encountered the "loop" files, in which a section of the chorus or hook is repeated over and over, you've been tricked by OVERPEER. OVERPEER are doing this with the full knowledge and consent of Interscope and Universal Music, in fact they are under contract to Universal and other major record labels, and will be doing a LOT MORE of this type of "interdiction" in the near future.' Right now this doesn't bother me because these bogus files are few, very spread out and it is easy to spot them. I'm just afraid that over time people will keep downloading these bogus mp3s and become too lazy to delete them, like they are when it comes to incomplete songs."

16 of 414 comments

  1. Even though I'm not a big fan of copyright.... by forkboy · · Score: 5, Interesting

    That's the problem with running a service that's (for the most part) black market...when someone starts fucking it all up with counter-attacks, there's really not a lot of recourse.

    I was thinking that a moderation system would work, if it's implemented correctly. For instance, once a person has been sharing X GB of files for, say, 2 weeks, they start getting moderation points....they can use these points to flag a file as being a dummy. (or just a shitty rip) If a user gets too many files modded down, he becomes unable to gain moderation points for a certain period. The sharing requirements will make it undesirable for RIAA droids to pollute the moderation system, since they'll have to be sharing material of their own. (and any dummy files they have will hopefully be moderated down...and if they ARE sharing valid material, well, cool, they're contributing to their own demise)

    Please, nitpick at this suggestion, I'd like to see if it's feasible or not.

    --
    This message brought to you by the Council of People Who Are Sick of Seeing More People.
    1. Re:Even though I'm not a big fan of copyright.... by gengee · · Score: 5, Interesting

      It's actually a bit of a complicated problem though. For instance:

      How do you know how long someone has been online? What stops the client from simply reporting they've been online since January 1st, 1970? You can't really trust the peers to whom they're directly connected to know either, because in a P2P network people constantly drop on and off.

      How do you stop Overpeer and like-minded companies from lying about the moderation points? Why can't they give it +100, CD Quality?

      The only solution I have thought of is rather slow and clumsy. Basically everyone gets unlimited moderation points...instead of incrementing the count, you simply say "This file is good" or "This file is bad". When the file is downloaded, the P2P client creates a small hash of the file and stores that hash, along with the filename and moderation of the file. Then during the search process, you do 2 searches. First you search for a filename. Instead of all the clients returning "Yes, I have that file" they return "Yes, I have that file, with a hash of: 34232SFDSFSDSDSD2323DSD". Then a search is done for all the hashcodes returned by the first search asking for everyone's moderation on that hashcode.

      Then you give that file a percentage-score (i.e., 95% of users say this file, with this hashcode is bad) or 92% of users say this file, with this hashcode is bad.

      But the solution won't really work, because it exponentially increases the amount of bandwidth/cpu time required to do a file search.

      Anyone else have any ideas?

      --
      - James
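      The two-phase search gengee sketches, as an added example that is not code from the thread: the peers, files and votes are constructed, and SHA-256 stands in for the unspecified "small hash". Phase one returns one hash per distinct copy of the filename, phase two asks every peer for its verdict on each of those hashes, and the message count shows the bandwidth cost the post worries about.

```python
import hashlib
from collections import defaultdict


def file_hash(data):
    """Hash the client stores next to the filename after a download (SHA-256 here)."""
    return hashlib.sha256(data).hexdigest()


# Constructed network: what each peer shares and its votes on hashes it downloaded.
REAL = b"real song audio " * 64          # stands in for a genuine rip
LOOP = b"chorus chorus chorus " * 64     # stands in for a decoy "loop" file
H_REAL, H_LOOP = file_hash(REAL), file_hash(LOOP)

PEER_FILES = {
    "alice": {"song.mp3": REAL},
    "bob": {"song.mp3": REAL},
    "carol": {"song.mp3": REAL},
    "loopbot": {"song.mp3": LOOP},
    "dave": {},
}
PEER_VOTES = {
    "alice": {H_REAL: "good", H_LOOP: "bad"},
    "bob": {H_REAL: "good"},
    "carol": {H_LOOP: "bad"},
    "loopbot": {H_LOOP: "good"},     # the decoy's own peer votes it up
    "dave": {H_LOOP: "bad"},
}


def search_by_name(name, peer_files=PEER_FILES):
    """Phase 1: each peer holding `name` answers with the hash of its copy."""
    hits = defaultdict(list)
    for peer, files in peer_files.items():
        if name in files:
            hits[file_hash(files[name])].append(peer)
    return dict(hits)


def search_votes(hashes, peer_votes=PEER_VOTES):
    """Phase 2: every peer reports its good/bad verdict on each hash."""
    tally = {h: {"good": 0, "bad": 0} for h in hashes}
    for votes in peer_votes.values():
        for h in hashes:
            v = votes.get(h)
            if v in ("good", "bad"):
                tally[h][v] += 1
    return tally


def score(name, peer_files=PEER_FILES, peer_votes=PEER_VOTES):
    """Per distinct hash: who holds it and what share of voters call it bad."""
    hits = search_by_name(name, peer_files)
    tally = search_votes(hits, peer_votes)
    result = {}
    for h, holders in hits.items():
        g, b = tally[h]["good"], tally[h]["bad"]
        result[h] = {"holders": sorted(holders), "good": g, "bad": b,
                     "pct_bad": round(100 * b / (g + b)) if g + b else None}
    return result


def message_count(name, peer_files=PEER_FILES):
    """Queries sent: one name query to every peer, then one per (peer, hash) pair."""
    peers = len(peer_files)
    return peers + peers * len(search_by_name(name, peer_files))


if __name__ == "__main__":
    for h, info in score("song.mp3").items():
        print(h[:12], info)
    print("messages:", message_count("song.mp3"))
```

      The decoy copy ends up at 75% bad even though its own peer votes it up, while the three identical genuine copies share one hash and one clean score; the message count grows with peers times distinct hashes, which is the cost the post points out.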
    2. Re:Even though I'm not a big fan of copyright.... by josh+crawley · · Score: 5, Interesting

      ---"That's the problem with running a service that's (for the most part) black market...when someone starts fucking it all up with counter-attacks, there's really not a lot of recourse."

      Yeah there is. You fight back. No holds barred type of fighting too. If you can catch him in the act, do shit, like ping floods. It's effective in cutting bandwidth 1 way.

      ---"I was thinking that a moderation system would work, if it's implemented correctly."

      ---"For instance, once a person has been sharing X GB of files for, say, 2 weeks, they start getting moderation points....they can use these points to flag a file as being a dummy. (or just a shitty rip) If a user gets too many files modded down, he becomes unable to gain moderation points for a certain period."

      Already incorrect implementation. I'd simply have a writable part of the P2P fs that allows you to GPG sign a file. You sign the MD5 sum to your 'nick'. If it's good, you sign. If bad, you don't. Now if some idiot is signing bad shit, you can assign trustworthiness to 0. You could also apply 'trusted' user signs to other known good MD5 sums (from untrusted users).

      This system creates a "Web of Trust" that cannot be spoofed. No moderation point system will ever cut it (since it relies on a server-no reason to)

      ---"The sharing requirements will make it undesirable for RIAA droids to pollute the moderation system, since they'll have to be sharing material of their own. (and any dummy files they have will hopefully be moderated down...and if they ARE sharing valid material, well, cool, they're contributing to their own demise)"

      First, even 1 screech is enough to 'kill' a file. For example, in Cool Edit plugins, they insert a bell after 30 seconds. Very effective. Also, might I remind you that it's legal for the RIAA to warez these files. Who's gonna pick on them?

      ---"Please, nitpick at this suggestion, I'd like to see if it's feasible or not."

    3. Re:Even though I'm not a big fan of copyright.... by speaker4thedead · · Score: 2, Interesting

      Over the past couple of months, I've been thinking that the solution might be a web-of-trust system similar to pgp key signings. It doesn't seem like such a thing would be too hard to implement with actual key signings, perhaps even with gpg and the gnutella codebase. This would certainly reduce the size of the network of p2p clients, but I think most people tend to listen to music that's owned by someone within three or four degrees of separation from themselves. Personally, I only use p2p for finding bands that have been recommended by friends, so it would almost certainly be within a couple of hops of trust from myself.

      The only problem I can see with the moderation system that you're suggesting is that there would have to be a central authority for mod points. In the current political and legal climate, that's a direct weakness. You could, conceivably, combine the two systems. So, I could rate everyone that I've downloaded from based on Quality of Service and that would enter a special file, which could be picked up by each client that has trust in me. The client would then weight the entries based on how much they trust me. For instance, if they only had 50% trust in me, then my ratings could be cut in half. They could then decide on a threshold, below which they won't do business with a client. Someone could be allowed to enter into the network.

      This system has a lot of possibilities. It would keep out unwanted parties, but also allow people to come in at a low level of trust and build from that. If you made it a generic fileswapper with searchable metadata (such as gif comments and id3 tags) then also allowed ssl transfers, it would be almost impossible to track.

      Sorry if this is all a bit muddled and choppy. I've been up for more than 36 hours. Let me know if this sounds at all reasonable.

      --
      "My religion is to live --and die-- without regret." -- Milarepa
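      The signed-hash web of trust josh+crawley proposes (sign the MD5 sum under your nick, set a bad signer's trust to 0) combined with the hop-weighted ratings speaker4thedead describes (a 50% trusted peer's ratings count half, accept above a threshold), as one added example that is not code from either poster. The keys, trust table, file and verdicts are constructed. The thread proposes GPG signatures; to stay stdlib-only this example substitutes HMAC-SHA256 with a per-nick secret, which plays the same role here but is symmetric, so a real client would verify OpenPGP signatures with the signer's public key instead.

```python
import hashlib
import hmac

# Constructed signing keys, one per nick (stand-in for each nick's GPG key).
KEYS = {"me": b"key-me", "ann": b"key-ann", "ben": b"key-ben", "shill": b"key-shill"}

# Constructed direct trust: viewer -> {nick: weight in [0, 1]}.
# "me" trusts ann fully and ben at 50%; ann in turn trusts "shill" fully.
TRUST = {"me": {"ann": 1.0, "ben": 0.5}, "ann": {"shill": 1.0}}


def sign(nick, md5_hex, verdict):
    """A nick's signed verdict ("good"/"bad") on a file identified by its MD5 sum."""
    msg = f"{nick}:{md5_hex}:{verdict}".encode()
    return hmac.new(KEYS[nick], msg, hashlib.sha256).hexdigest()


def verify(nick, md5_hex, verdict, sig):
    """Reject anything not signed with the key belonging to the claimed nick."""
    if nick not in KEYS:
        return False
    return hmac.compare_digest(sign(nick, md5_hex, verdict), sig)


def trust(viewer, nick, table=None, max_hops=3):
    """Trust `viewer` places in `nick`: an explicit entry wins (so 0 is a hard
    block); otherwise the best product of weights along a path of <= max_hops."""
    table = TRUST if table is None else table
    if viewer == nick:
        return 1.0
    direct = table.get(viewer, {})
    if nick in direct:
        return direct[nick]
    best = 0.0

    def walk(node, weight, hops, seen):
        nonlocal best
        if hops == 0:
            return
        for nxt, w in table.get(node, {}).items():
            if nxt in seen:
                continue
            if nxt == nick:
                best = max(best, weight * w)
            else:
                walk(nxt, weight * w, hops - 1, seen | {nxt})

    walk(viewer, 1.0, max_hops, {viewer})
    return best


def distrust(viewer, nick, table=None):
    """Return a copy of the trust table with `nick` set to 0 for `viewer`."""
    src = TRUST if table is None else table
    new = {k: dict(v) for k, v in src.items()}
    new.setdefault(viewer, {})[nick] = 0.0
    return new


def weighted_score(viewer, md5_hex, signed_ratings, table=None):
    """Trust-weighted verdict in [-1, +1]; forged or unknown signatures and
    untrusted signers contribute nothing."""
    num = den = 0.0
    for nick, verdict, sig in signed_ratings:
        if not verify(nick, md5_hex, verdict, sig):
            continue
        w = trust(viewer, nick, table)
        if w <= 0.0:
            continue
        num += w * (1.0 if verdict == "good" else -1.0)
        den += w
    return num / den if den else 0.0


def acceptable(viewer, md5_hex, signed_ratings, table=None, threshold=0.5):
    """The per-client threshold below which it won't do business on this file."""
    return weighted_score(viewer, md5_hex, signed_ratings, table) >= threshold


# Constructed file and verdicts; the last entry is a forgery (shill's key, ann's name).
SONG_MD5 = hashlib.md5(b"constructed song bytes").hexdigest()
RATINGS = [
    ("ann", "good", sign("ann", SONG_MD5, "good")),
    ("ben", "good", sign("ben", SONG_MD5, "good")),
    ("shill", "bad", sign("shill", SONG_MD5, "bad")),
    ("ann", "bad", sign("shill", SONG_MD5, "bad")),
]

if __name__ == "__main__":
    print("score:", weighted_score("me", SONG_MD5, RATINGS))
    after = distrust("me", "shill")
    print("score after zeroing shill:", weighted_score("me", SONG_MD5, RATINGS, after))
```

      Before any correction, shill inherits full trust through ann and drags the file to 0.2, below the 0.5 threshold; one explicit zero entry from the viewer overrides the inherited path and the file comes back at 1.0. The forged entry is dropped at signature verification, which is the property the signed-hash scheme is meant to provide.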
    4. Re:Even though I'm not a big fan of copyright.... by Saib0t · · Score: 3, Interesting
      eDonkey2000 already has the hashing part, last I checked, there are only a handful of mislabelled pieces (software/movies) around, if you don't count porn labelled as full version being actually ads for porn sites...

      Problem with that network is that it's full (really full) of leeches... Once something is downloaded, they don't share it anymore. Maybe it is because the files are usually way larger (600Mbs are extremely common). Overall it's still a great file sharing program though.

      --

      One shall speak only if what one has to say is more beautiful than silence
    5. Re:Even though I'm not a big fan of copyright.... by mlinksva · · Score: 4, Interesting

      Bitzi offers a solution similar to the one proposed in the parent's parent (file ratings and other metadata associated with full file hashes). For partial/subrange verification, check out the proposed Tree Hash EXchange format.
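      The partial/subrange verification that the Tree Hash EXchange format is meant for, as an added example that is not code from the thread or from the THEX proposal: a Merkle tree over 1024-byte leaves with the 0x00 leaf and 0x01 internal-node prefixes THEX uses, but with SHA-256 in place of THEX's Tiger hash. The file bytes are constructed. Because the check recomputes hashes from the bytes actually received, a root hash advertised next to the wrong file is caught at download time, and only the leaves that fail need re-requesting from another peer.

```python
import hashlib

LEAF = 1024  # THEX leaf size in bytes


def _h(data):
    return hashlib.sha256(data).digest()


def leaf_hash(chunk):
    return _h(b"\x00" + chunk)           # leaf nodes are prefixed with 0x00


def node_hash(left, right):
    return _h(b"\x01" + left + right)    # internal nodes with 0x01


def leaf_hashes(data):
    if not data:
        return [leaf_hash(b"")]
    return [leaf_hash(data[i:i + LEAF]) for i in range(0, len(data), LEAF)]


def tree_levels(leaves):
    """Levels from leaves up to the root; an unpaired node is promoted unchanged."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        nxt = []
        for i in range(0, len(cur), 2):
            nxt.append(node_hash(cur[i], cur[i + 1]) if i + 1 < len(cur) else cur[i])
        levels.append(nxt)
    return levels


def root_hash(data):
    return tree_levels(leaf_hashes(data))[-1][0]


def proof(data, index):
    """Sibling hashes needed to recompute the root from leaf `index`, as
    (side, hash) pairs; side says which side of the path node the sibling is on."""
    levels = tree_levels(leaf_hashes(data))
    path, i = [], index
    for level in levels[:-1]:
        sib = i ^ 1
        if sib < len(level):
            path.append(("L" if sib < i else "R", level[sib]))
        i //= 2                           # no sibling: node was promoted as-is
    return path


def verify_chunk(chunk, path, root):
    """Recompute the root from one received leaf and its proof; True iff it matches."""
    h = leaf_hash(chunk)
    for side, sib in path:
        h = node_hash(sib, h) if side == "L" else node_hash(h, sib)
    return h == root


def bad_chunks(received, root, proofs):
    """Indexes of received leaves that fail against a trusted root: the ranges
    worth resuming from a different peer instead of re-downloading everything."""
    chunks = [received[i:i + LEAF] for i in range(0, len(received), LEAF)] or [b""]
    return [i for i, c in enumerate(chunks) if not verify_chunk(c, proofs[i], root)]


# Constructed file: five leaves, the last one partial (4096 + 10 bytes).
GOOD = bytes(range(256)) * 16 + b"tail bytes"
ROOT = root_hash(GOOD)
PROOFS = [proof(GOOD, i) for i in range(5)]

if __name__ == "__main__":
    damaged = bytearray(GOOD)
    damaged[2 * LEAF + 7] ^= 0xFF
    print("root:", ROOT.hex()[:16], "bad leaves:", bad_chunks(bytes(damaged), ROOT, PROOFS))
```

      A client that has the root from a trusted source and the proofs from a peer holding a good copy can pinpoint a single corrupted leaf (the "divx freeze frame" kind of damage mentioned elsewhere in the thread) without a full re-download.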

  2. Re:So? by ipsuid · · Score: 2, Interesting

    I entirely agree. I would much rather see technological innovation thrown at the problem by both sides, rather than short sighted legislation. This way, everyone wins. P2P technology created for legitimate uses doesn't face the possibilities of being made illegal. We should see the same approaches used in deep linking cases, and DRM cases. Just to make it clear, I strongly dislike the RIAA, and MPAA. And do not agree with their reasons for existence. However, given a choice of evils, I would prefer these DoS attacks rather than legislation. On the other hand, however, couldn't these DoS attacks be considered illegal, or hacking, or terrorist acts by already too broad US legislation???

    --
    It appears Ockham lost his razor and grew a beard.
  3. Its simple to bypass this crap... by josh+crawley · · Score: 3, Interesting

    In spite of this article, there's already a bunch of good files (I didn't say good music....) carried by legit people. I just follow my own rules when I download stuff from P2P networks. Be aware that I search for j-(group) type music, so mine's much harder to find files...

    1: If I get a good turnout on search, I look at most of files, bitrates, and times. I download what seems to be the mode of the similar type of files.
    2: I tend to stick with files that many users have (eg: 7 people have file with size 4,032,112 and 1 person with size 4,129,326). I can resume easier with "popular one". I do the same thing with movies (anime mostly)
    3: While I download, I play it with Winamp/Xmms. If there are errors/not what I expected/fake files , I can easily cancel the download and blacklist the user.
    4: If I get corrupt movies, I use virtualdub to determine where in the file the error is. Then I use a snip tool and "cut" the file into N parts. I can then use resume on the P2P services and possibly fix the file. However, some files, like Serial Experiments Lain (AVI sub), 1 episode has a "divx freeze frame". That error'ed file has propagated on WinMX, Kazaa, Gnutella, and Nap-clones.
    5: Even with my modem, I download "weird" files in hopes of getting unreleased/changed song. You occasionally see stuff like this when you search for a popular song. Then you see a "somewhat changed name" but usually longer. I usually get them. If they're bad, I can find out in the first minute (remember, I play as I download).

    I figure that this won't be as much helpful... It's just my skills I use in getting the "goods".

  4. Would a moderation system slow them down? by Skapare · · Score: 4, Interesting

    What is needed to stop this is a moderating system which ranks the various traded products, as identified by their MD5 checksum signatures, according to some "measure of quality". By rank ordering, it cannot be used to entirely shutdown a trading network since everything would still be available. Products at 50 out of 100 would have received a ratio of good vs. bad moderations better than 50% of other products, and worse than the other 50% of products. It would not necessarily be a 50/50 good/bad moderation. Thus flooding of bad moderations across the board would have no effect, though it could be used to drive very specific classes of products down the list. But eventually, people would see the abuse and mod them back up. It would be sort of like moderation on slashdot, but everyone gets to play.

    Now would it be possible to have selective moderation like slashdot has? Only a central authority could do that the way slashdot does. The big question would be judging who gets moderation points. As far as I know, on slashdot, it's almost entirely automated. With product trading, it would be harder to measure the quality by automation, so someone has to manually make the judgement calls and that brings some risks as well.

    If individuals could be identified uniquely in some way, without the risk of exposing real identity, then meta moderation might work. One way to do that would be a slow rate of generating some kind of signed digital certificate that allows only so many to be generated at a time per network that receives it (and no personal identifying info included, and no records kept). Moderations and meta moderations would be signed by these anonymous certificates. You wouldn't know who moderated, but what you would know is that a group of moderations by the same certificate are probably from the same person and can be judged accordingly, good or bad. Excessive levels of moderation would also weaken your merit and derate your contributions.

    --
    now we need to go OSS in diesel cars
  5. Simple Solution by nick_davison · · Score: 2, Interesting

    Of course, the simple solution is to just download songs that aren't owned by RIAA members and covered by their copyright. Then you can be sure that you won't get bogus files.

    It's not that much of a sacrifice because MP3 sharing systems are only ever used for fair use (where you know the origin, as it's just your home/work PC that you're fairly using from) or they're to promote unsigned bands for whom P2P is an important system.

    Right?

    In next week's Ask Slashdot: "Dear Slashdot, I like fast cars but they're so expensive. Recently more and more of them are getting lowjacked. Isn't this a disturbing trend? What technical means are open to defeating this system? I only steal from big company showrooms so it's effectively victimless."

    Before you mod this down as a troll, think about what I'm actually saying. When did we lose the cool technology, the valid fair use claims and the arguments that these systems are useful promotional tools for those who want them... and reach the point where we're bitching about only being stopped from the unfair uses?

  6. Why this could be good... by SmileyBen · · Score: 4, Interesting

    I'm surprised nobody has pondered the fact that this could be a Very Good Thing(TM). If they continue to do this, surely they'll be blowing big holes in any future court cases. They say "Napster [replace with future contentious system] can't feature songs which are copyright". Napster says "How do we tell?". Judge says "Fine, you have to filter by filename". Napster says "But wait a minute, half the stuff with filenames of copyright songs isn't those songs at all". The fact is, by engaging with these networks, even to undermine them, the record industry damages their own court defence. Basically they will single-handedly prove that these networks aren't just for exchanging copyright material which you might not have the right to do, but for just about anything. When a court realises that, their case is blown to hell... ...I guess it's wishful thinking to imagine they would notice, though...

  7. Predators are good for an ecosystem by Cryogenes · · Score: 5, Interesting

    Let the RIAA take out those services which are too weak to defend themselves, it will only make the others stronger.

    It is possible to design a filesharing service that defends itself against bogus files.

    It is possible to define a protocol that hides the file lists of individual users.

    It is possible to build CDRs that play, copy and rip copy-preventing CDs.

    The pressure exerted by RIAA will turn these possibilities into realities - simple Darwinian evolution.

  8. New, prototype systems by Anonymous Coward · · Score: 1, Interesting

    I'm working on a design for a peer-to-peer protocol that builds on the (few) mistakes of Freenet (which is also a worthy project, except for the reference implementation not being small, fast, or written in an efficient, easy-to-read language, but that's just my opinion, heh :)).

    At the moment, my design is in a very early stage, but is already stronger than Freenet vis a vis anonymity and efficiency, and has a more elegant anonymous search. I've even come up with a way that prevents nodes being able to perform traffic analysis on this unless a large number of them collude.

    It's also immune to rogue nodes - this protection only fails when a very large percentage (90% in simulations, but I'm not expecting the simulations to be very accurate) of the nodes are rogue.

    The current working assumption is - downloads are anonymous and untraceable, uploads are pseudonymous - digitally signed, but with an untraceable point of origin. Pseudonyms actually use OpenPGP format keys, and the web of trust, in the same way, in the current prototype version.

    The network also supports communications - at the moment, just nym-to-nym ES offline messages (like emails), using the underlying protocol to store, forward and anonymise message origin, size and destination and the end-to-end communication to encrypt and sign the message. I'll come up with even better ways soon, I hope. I'm already working on silc/irc-like "chatrooms" (why not use the popular word, after all?), and another member of the project is working on frost/usenet-like "groups", which are organised more like... again, save it for the paper I think.

    We're going to open the protocol - and the clients - when we think it's more ready, obviously.

    One big application of this will be signed releases based on a web of trust - one can expect that releases from big groups will eventually be authenticated in this manner if groups like overpeer start doing their stuff, and purely anonymous uploads serve little purpose (pseudonymous uploads make more sense - they're untraceable AND authenticated).

    Now if we can just get the bootstraps working...

    In short, this approach will not work forever. P2P systems will evolve, and are evolving, to combat all countermeasures, legal, quasi-legal and illegal, developed against them.

    They are not unstoppable, but enough people want them to be - and as the bad ones are choked off, this serves simply to drive the critical mass towards better protocols... we hope.

    Naturally, anyone seeking to drive overpeer out of business, though, has my full support no matter what means they use...

    I'm mad as hell, and I'm not going to take it any more.

  9. Systems Already in Place by haukex · · Score: 2, Interesting

    Helpful users have been finding out the IP address blocks owned by the "bad guys" and submitting them to create a "ban list" for search results.

    The new version of Gnucleus has a feature that allows users to simply click and filter hosts that they suspect to be sharing bogus files (and spam etc.).

    There are plans to expand the distributed web-based host cache system in use in Gnucleus and a few other clients to also serve blacklists. Possibly there will even be a "vote" system that would allow users to dynamically change these ban lists to propagate information on "bad" hosts automatically.

    I think that using hash information is pretty useless, it's easy to stick the right hash on the wrong file. What you'd need is a PGP-like public-key encryption system with signatures and trust structures and the like, but that'd be going to the extreme.

  10. How to attach identity without central servers... by Tom7 · · Score: 3, Interesting

    I thought a bit about these issues (in a different context) and wrote a paper on a method for assigning identities to network participants in a fully peer-to-peer way using cryptographic techniques. The basic idea is to make identity generation computationally expensive and independently verifiable, so that you know without having to trust any third party that the user in question spent a significant amount of resources to create their identity. Though these identities are pseudonymous (they won't say "RIAA", unfortunately), they are associated with the user's behavior through message signing, so it becomes easy to build a blacklist of users that you don't like. In certain situations, you can even share unforgeable evidence of misdeed with others. With this as a start, I don't believe it's infeasible to do things like you describe...

    Check it out:

    http://www-2.cs.cmu.edu/~tom7/papers/peer.pdf
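    The core idea Tom7 summarises (identity generation that is computationally expensive yet verifiable by anyone without a third party), as an added example that is not code from the linked paper or the thread and does not follow the paper's specific construction: a hashcash-style search for a nonce that gives the hash of a key a fixed number of leading zero bits. Minting costs about 2^bits hash evaluations, verifying costs one, and a blacklist keyed on the resulting identity forces a banned party to pay the minting cost again. The difficulty, public keys and blacklist contents are constructed; binding messages to the identity by signing is assumed and not shown.

```python
import hashlib

DIFFICULTY_BITS = 16   # constructed setting: about 2**16 hash trials per identity


def leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def identity_digest(pubkey, nonce):
    """The identity is the hash of the key plus the nonce found by the work."""
    return hashlib.sha256(pubkey + nonce.to_bytes(8, "big")).digest()


def mint_identity(pubkey, bits=DIFFICULTY_BITS):
    """Expensive: search nonces until the digest has `bits` leading zero bits.
    Returns (nonce, trials) so the cost paid is visible."""
    nonce = 0
    while leading_zero_bits(identity_digest(pubkey, nonce)) < bits:
        nonce += 1
    return nonce, nonce + 1


def verify_identity(pubkey, nonce, bits=DIFFICULTY_BITS):
    """Cheap: a single hash checks the work, with no third party to trust."""
    return leading_zero_bits(identity_digest(pubkey, nonce)) >= bits


def identity_id(pubkey, nonce):
    """Stable handle for the pseudonym, usable as a blacklist key."""
    return identity_digest(pubkey, nonce).hex()


def expected_trials(bits):
    """Average work to mint at this difficulty; verification stays at one hash."""
    return 2 ** bits


class Blacklist:
    """Identities this client refuses to deal with. Every entry cost its owner
    real work, so a banned party cannot return for free under a fresh name."""

    def __init__(self, bits=DIFFICULTY_BITS):
        self.bits = bits
        self._banned = set()

    def ban(self, pubkey, nonce):
        if not verify_identity(pubkey, nonce, self.bits):
            raise ValueError("not a valid identity; refusing to record it")
        self._banned.add(identity_id(pubkey, nonce))

    def allows(self, pubkey, nonce):
        return (verify_identity(pubkey, nonce, self.bits)
                and identity_id(pubkey, nonce) not in self._banned)


if __name__ == "__main__":
    key = b"constructed public key A"          # constructed stand-in for a real key
    nonce, trials = mint_identity(key)
    print(f"nonce {nonce} after {trials} trials (expected ~{expected_trials(DIFFICULTY_BITS)})")
    print("valid:", verify_identity(key, nonce), "id:", identity_id(key, nonce)[:16])
```

    Raising `DIFFICULTY_BITS` scales the minting cost exponentially while verification stays constant, which is the asymmetry that lets peers reject a flood of throwaway identities without any central registrar.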

  11. Copyright is Irrelevant, Cartels' Acts are Illegal by FreeUser · · Score: 3, Interesting

    That's the problem with running a service that's (for the most part) black market...when someone starts fucking it all up with counter-attacks, there's really not a lot of recourse.

    Copyright is irrelevant. This is a premeditated Denial of Service Attack against a service that may, or may not, be facilitating the sharing of copyrighted material (and is likely providing a conduit for both ... not all artists trying to get exposure have signed recording contracts with the RIAA, or with anyone for that matter, and some use p2p networks to get their material heard by as many people as they can in the hopes of building name and brand recognition).

    What if this attack were against the entire http protocol throughout the internet, taking down web pages everywhere because a few were trading copyrighted material illegally? Would we tolerate it? Absolutely not. Not even if for every legitimate, google or slashdot style website there were ten websites trading Warez and mp3s.

    The act of DOSing a service is illegal (at least in some places), regardless of whether it is a copyright cartel dinosaur leading the attack to protect their outdated business model, or script kiddies and l337 h4x0rs defacing or DOSing their least favorite corporate website to express disdain.

    Gentoo, Source Mage, Debian, and other GNU/Linux distributions that use the internet to display information may well adopt p2p methods to eliminate bandwidth bottlenecks, particularly during the release of new versions of popular packages like Gnome, KDE, Mozilla, and Open Office. If Microsoft were performing such a DOS attack there would likely be people facing fines and perhaps jailtime.

    This is an attack on the Internet itself. FTP, http, scp, all of these can be used to share copyrighted material. Shall we allow cartels a free hand in making those protocols unusable?

    There are legal remedies for prosecuting copyright violation. There is absolutely no excuse for this kind of illegal activity in the name of 'protecting copyright', and while there will undoubtedly be technical solutions to much of this kind of thing (anonymous GPG signatures and webs of trust, etc.), the bottom line is that you cannot have the majority of civilization constrained by one set of laws that make these sort of attacks illegal, while allowing another segment of society to engage in this sort of activity simply because they argue it protects their business interests.

    I agree with the general sense of your post ... the RIAA (and MPAA, who are the ones involved in the dummy DivX nonsense) will find themselves contributing to their own demise in any number of ways as they conduct attacks against basic internet protocols, be they p2p or client-server.

    --
    The Future of Human Evolution: Autonomy