Slashdot Mirror
Overpeer Spewing Bogus Files on P2P Networks
nimec writes "Zeropaid.com has posted news of a company called Overpeer which is the source of all the bogus mp3 files that are popping up on the various P2P networks. Zeropaid, in the news article, said: 'If you've encountered the "loop" files, in which a section of the chorus or hook is repeated over and over, you've been tricked by OVERPEER. OVERPEER are doing this with the full knowlege and consent of Interscope and Universal Music, in fact they are under contract to Universal and other major record labels, and will be doing a LOT MORE of this type of "interdiction" in the near future.' Right now this doesn't bother me because these bogus files are few, very spread out and it is easy spot them. I'm just afraid that over time people will keep downloading these bogus mp3s and become too lazy to delete them, like they are when it comes to incomplete songs."
This doesn't bother me one bit, it only affects people pirating copyrighted music so in that respect it's certainly better than trying to shut the network down.
Actually, if you are downloading files that they are doing this to, just look for someone with a low bandwidth and download from them overnight, unless they have downloaded from overpeer, you'll be fine. Or use the preview feature of your P2P.
"Da ist ein Technölüst in mein Unterpanten!"
There's nothing more annoying than finding a brand new album in a high quality bitrate and then finding out it's nothing but a loop of two seconds. There's nothing more annoying than finding a brand new album in a high quality bitrate and then finding out it's nothing but a loop of two seconds. There's nothing more annoying than finding a brand new album in a high quality bitrate and then finding out it's nothing but a loop of two seconds.
That's the problem with running a service that's (for the most part) black market...when someone starts fucking it all up with counter-attacks, there's really not a lot of recourse.
I was thinking that a moderation system would work, if it's implemented correctly. For instance, once a person has been sharing X GB of files for, say, 2 weeks, they start getting moderation points....they can use these points to flag a file as being a dummy. (or just a shitty rip) If a user gets too many files modded down, he becomes unable to gain moderation points for a certain period. The sharing requirements will make it undesirable for RIAA droids to pollute the moderation system, since they'll have to be sharing material of their own. (and any dummy files they have will hopefully be moderated down...and if they ARE sharing valid material, well, cool, they're contributing to their own demise)
Please, nitpick at this suggestion, I'd like to see if it's feasible or not.
This message brought to you by the Council of People Who Are Sick of Seeing More People.
... for people who download these thinking they are downloading the "real deal". At least the studios are using technical means and not legal means to attack those who break copyright (no I won't use the "p" word).
People who download songs and movies continuously only make bandwidth more expensive and/or capped for the rest of us.
I think it's kind of funny - we waited overnight to download "TPM" only to discover it was "Pearl Harbor" with the title changed.
So... the artists can't ever play the same sequence of music more than two or three times before it gets flagged as bogus?
That check would instantly trigger on pretty much every soft-pop-dance track that I currently spend most of my radio-listening time trying to avoid. Cool. :-)
You cannot apply a technological solution to a sociological problem. (Edwards' Law)
I've got yet another work around suggestion.
Your p2p application (which supports metadata, hashes etc) will wait to add a downloaded file to the "shared" section until after you view it.
This would cut down on some short divx'd files (which won't play "out of the box") bogus mp3 files (overpeer) and whatever else.
A system which flags files as "ok" could come under attack because overpeer could just flag their files "ok" as well.
The system I suggested above would only of course work with files downloaded, not files you have existing on your computer. Of course through the hash system you could be verified against other people.
Overpeer... create mp3's backwards from one-way hashes! Good luck you bastards!
Considering we already have hash systems in Gnutella apps... they can suck me.
Get your Unix fortune now!
To some extent, the same thing is happening with DIVX's. In this case, someone will rename a given movie and upload it. People grab it and share it before they verify that it is what it says it is.
In this case, it does not appear to be the work of a concerted group - just trolly kids, I suspect.
Sometimes they rename pornos with titles like 'mulan.avi', etc. Sigh. Lots of wasted bandwidth.
I bet the movie industry will do that soon. They must be soiling themselves over people sharing cam grabs of every popular movie - with in hours of the opening. Download it and spend your savings on a Pizza.
The reason that the songs are blocked and return no results is because Overpeer is blocking all searches that include the word eminem on Fasttrack. They are only allowed to block the songs that contain 100% definately copyrighted material. If they blocked the name of the track then all kinds of non-eminem files would be blocked as well and therefore it would be an illegal DOS AFAIK.
1. Google search for CD track list
2. Enter titles only NOT artist in your P2P search
3. Burn, Burn, Burn RIAA.
In spite of this article, there's already a bunch of good files (I didnt say good music....) carried by legit people. I just follow my own rules when I download stuff from P2P networks. Be aware that I search for j-(group) type music, so mine's much harder to find files...
1: If I get a good turnout on search, I look at most of files, bitrates, and times. I download what seems to be the mode of the similar type of files.
2: I tend to stick with files that many users have (eg: 7 people have file with size 4,032,112 and 1 person with size 4,129,326). I can resume easier with "popular one". I do the same thing with movies (anime mostly)
3: While I download, I play it with Winamp/Xmms. If there are errors/not what I expected/fake files , I can easily cancel the download and blacklist the user.
4: If I get corrupt movies, I use virtualdub to determine where in the file is the error. Then I use a snip tool and "cut" the file into N parts. I can then use resume on the P2P services and possibly fix the file. However, some files, like Serial Experiments Lain (AVI sub), 1 episode has a "divx freeze frame". That error'ed file has propigated on WInMX, Kazaa, Gnutella, and Nap-clones.
5: Even with my modem, I download "weird" files in hopes of getting unreleased/changed song. You occaisionally see stuff like this when you search for a popular song. Then you see a "somewhat changed name" but usually longer. I usually get them. If they're bad, I can find out in the first minute(remember, I play as I download).
I figure that this wont be as much helpful... It's just my skills I use in getting the "goods".
Consider the visual analog: a web photo album... pretty much every photo site automatically generates thumbnails (very small versions of pictures) for every full-size photo uploaded, so that a user may quickly see and find the photo desired without trial and error downloading.
I propose P2P programs should as a feature, for every MP3 file shared, create the musical equivalent of a thumbnail pic: a very low bit-rate, down-sampled "preview" version of a MP3 file that could be nearly instanteously downloaded and listened to, to determine its authenticity, before a user actually takes the time to download the real version. This downsampling would be automatic and transparent.
Prudent users would always "preview" before they download, and bogus files would be quickly identified thusly.
There's 10 types of people in this world, those who understand binary and those who don't.
As they only seem to be doing it with Eminem and other recent releases. Since I don't listen to that crap, I ain't worried.
Hell, I encourage them to continue doing this with Eminem, Britney Spears, and other modern music (stretching the meaning of the work "music"). Maybe it'll drive these kids to start listening to more talented acts.
Every Eminem/Britney fan we prevent now is 1 less brain dead consumer that will take what the corporate establishment spoon feeds them. Oh crap, I'm starting to sound like a hippie!
No boom today. Boom tomorrow. There's always a boom tomorrow. - Cmdr. Susan Ivanova
#1. Many music companies hold the (sometimes exclusive) rights to distribute a musician's work ... but not the Copyright itself.
#2. I believe a strong case can be made for one of these bogus or loop MP3s being a derivative work.
If #1 and #2 hold, then the music companies are illegally creating and distributing derivative works, which puts musicians in a position to claim Copyright infringement and possibly damages.
i-name =twylite [http://public.xdi.org/=twylite], see idcommons.net
Reminds me of the BBS days where the good sysops would scan and personally run each upload to ensure quality....
Don
What is needed to stop this is a moderating system which ranks the various traded products, as identified by their MD5 checksum signatures, according to some "measure of quality". By rank ordering, it cannot be used to entirely shutdown a trading network since everything would still be available. Products at 50 out of 100 would have received a ratio of good vs. bad moderations better than 50% of other products, and worse than the other 50% of products. It would not necessarily be a 50/50 good/bad moderation. Thus flooding of bad moderations across the board would have no effect, though it could be used to drive very specific classes of products down the list. But eventually, people would see the abuse and mod them back up. It would be sort of like moderation on slashdot, but everyone gets to play.
Now would it be possible to have selective moderation like slashdot has? Only a central authority could do that the way slashdot does. The big question would be judging who gets moderation points. As far as I know, on slashdot, it's almost entirely automated. With product trading, it would be harder to measure the quality by automation, so someone has to manually make the judgement calls and that brings some risks as well.
If individuals could be identified uniquely in some way, without the risk of exposing real identity, then meta moderation might work. One way to do that would be a slow rate of generating some kind of signed digital certificate that allows only so many to be generated at a time per network that receives it (and no personal identifying info included, and no records kept). Moderations and meta moderations would be signed by these anonymous certificates. You wouldn't know who moderated, but what you would know is that a group of moderations by the same certificate are probably from the same person and can be judged accordingly, good or bad. Excessive levels of moderation would also weaken your merit and derate your contributions.
now we need to go OSS in diesel cars
This will just force the various P2P developers to scramble to develop counter-measures. The music companies are giving the developers a gift - not enough DoS to stop everybody from using P2P but still enough DoS to give the developers a decent target to aim at. The only realistic result is that the P2P programs will become "stronger" (ie, more resistant to future attacks).
It's as silly as a criminal wandering around a bank and informing the staff that he's casing the joint for the heist next week.
Of course, the simple solution is to just download songs that aren't owned by RIAA members and covered by their copyright. Then you can be sure that you won't get bogus files.
It's not that much of a sacrifice because MP3 sharing systems are only ever used for fair use (where you know the origin, as it's just your home/work PC that you're fairly using from) or they're to promote unsigned bands for whom P2P is an important system.
Right?
In next week's Ask Slashdot: "Dear Slashdot, I like fast cars but they're so expensive. Recently more and more of them are getting lowjacked. Isn't this a disturbing trend? What technical means are open to defeating this system? I only steal from big company showrooms so it's effectively victimless."
Before you mod this down as a troll, think about what I'm actually saying. When did we lose the cool technology, the valid fair use claims and the arguments that these systems are useful promotional tools for those who want them... and reach the point where we're bitching about only being stopped from the unfair uses?
I'm surprised nobody has pondered the fact that this could be a Very Good Thing(TM). If they continue to do this, surely they'll be blowing big holes in any future court cases. They say "Napster [replace with future contentious system] can't feature songs which are copyright". Napster says "How do we tell?". Judge says "Fine, you have to filter by filename". Napster says "But wait a minute, half the stuff with filenames of copyright songs isn't those songs at all". The fact is, by engaging with these networks, even to undermine them, the record industry damages their own court defence. Basically they will single-handedly prove that these networks aren't just for exchanging copyright material which you might not have the right to do, but for just about anything. When a court realises that, their case is blown to hell... ...I guess it's wishful thinking to imagine they would notice, though...
What would be a problem is if they started doing this for content they don't own. For example, if there was an artist that put his work on P2P networks, started competing with them, and then they tried to sabotage his popularity by putting out junk under his name. That, however, is probably already prohibited by current trademark laws.
1. With file sharing networks flooded with fake songs from RIAA brand name artists, it will become annoyingly difficult to pirate RIAA music. While illegal data becomes very difficult to find, notice that this does not detract from our ability to trade LEGITIMATE data. Legitimate independent labels can still be easily searchable.
2. If no technological means can be found to curb rampant piracy, they will resort to dumb laws (DMCA, CBDTPA) and Microsoft Palladium to stop it. This would be a terrible hit to the American economy as well as cause serious trouble for Open Source Software.
Let the RIAA take out those services which are too weak to defend themselves, it will only make the others stronger.
It is possible to design a filesharing service that defends itself against bogus files.
It is possible to define a protocol that hides the file lists of individual users.
It is possible to build CDRs that play, copy and rip copy-preventing CDs.
The pressure exerted by RIAA will turn these possibilities into realities - simple Darwinian evolution.
You don't really think that this is going to work do you? People will simply be annoyed and have to share more. Someone is going to have to pay for the increased bandwith usage and it's not Universal Music. So, Universal is stealing from cable opperators. It's like spam, but they don't even hope to make money off it.
You have not even thought that people might be trying to share files that were intended to be shared and are NOT owned by Unviersal Music. But that's like the big 5 music publishers, "No one but us can record music, right? Drool, Drool."
twitter, who has never bothered to download silly mass produced comercial music, is annoyed that Universal Music is going to waste his time. Universal, you suck.
Friends don't help friends install M$ junk.
Checksums.
Keep lists of good cheksums. Set up checksum servers. Add moderation. Stir.
Share Reactor. They release the files into the wild through edonkey2000, provide the MD5 checksums of the file you want to download, and edonkey2000 does everything for you. It already has a nice and juicy base of supporters (although I wouldnt say humongous, like Kazaa, specially because of the server "issue" in edonkey2000, but that is being taken care of anyways.)
Its a great system, Share Reactor cant get sued, edonkey2000 doesnt have centralized servers, and I get much greater speeds than in any other P2P program. Sure would be great to see other people take advantage of the great possibilities that edonkey2000 (and other P2P programs) can offer like Share Reactor does.
Needless to say, I highly recommend it.
"By penetrating P2P networks such as Gnutella, Open Napster, and FastTrack, our solution can use the power of P2P against abusers, instead turning software pirates into customers"
Huh?
P2P Networks turn "pirates" into customers. Obstructing the network simply ensures that network users will never become customers of authors who have hired the obstructors.
All well-documented cases (think Baen Books for example) show that freely available works increase demand and improve artist-audience relations.
I don't see how these guys can possibly succeed. They will have to continually develop technology to beat the bleeding edge of the P2P arms race, but unlike antivirus companies which enjoy a huge market and a growing pool of evangelists, Overpeer's only cashflow will come from the RIAA and anybody who has not yet learned about the positive commercial power of P2P networks.
Yesterday I went to Networld+Interop in Tokyo. Best in 5 years easily. Wireless, Broadband, Streaming Video, it was all so huge they even rented the next building. The past President now statesman of NTT DoCoMo (most successful Japanese company, and partnered with AT&T) stood up in front of a thousand people and gave an extremely lucid presentation on the future of all this. Get this, they are DEPENDING on P2P!!
This I mention as I noticed today an interesting little socket with tape over it attached to the cash register of my local convenience store (think 7/11). The tape said, DoCoMo service starts July 16. There is already a bank machine and maybe a loan machine (the mafia got wise) in most every convenience store and now the loop is finally being closed. All we need now (maybe available next week, if not I'll sure work on it) is paying for cryptgraphic passwords at the register. Now that networks carry so much data it is hard to tell when an mp3 or divx is coming over the wire, it is just going to be very difficult to stop.
But I'm not talking about pirating. Overpeer (an oxymoron like "Big Brother" in case nobody noticed) is going to fail financially because the big boys need these P2P networks to work. Not a lot of people are making waves if it is just kiddiez and bored techies downloading a few mp3z. But P2P and open group-based data sharing is becoming important for business cooperation (think Groove), B2B (Enron was doing $1 billion/day of e-commerce transactions before they tanked), and distribution of large files and streams (think Akamai, the Perl CPAN, and FTTH - now a reality for Tokyo residents this year).
When these networks start getting used for serious data as well, Overpeer is going to be messing with the value of a network resource that real companies have a stake in.
Consider that if I already own an Eminem CD (not likely) I am completely within my fair use rights to use a digital copy of that. If I was paying for a P2P network to supply my fair-use needs, Overpeer might end up on the other end of the stick (in court).
What's needed to put the RIAA in its place (bankruptcy court) and promote music and P2P?
- Use P2P for lots of legitimate data and services. For example DoCoMo phones will be used (actually are now) for ticket purchases. A P2P solution would have ensured all seats for the World Cup got sold correctly. (Hmm maybe I'll work on that one).
- Build a service and liscensing scheme specifically to support P2P and fair use.
- Tie unobstructed P2P networks to commercial profits.
- Create a reasonable system for end-user licensing that will decriminalize fair-use music owner's P2P downloads, and not incidentally reduce the price of music.
- Make commercial use of cryptographically secure, anonymous data networks with the ultimate goal of having large chunks of them hosted by giant corporate data centers.
- Create hash tables which identify in realtime abusers of P2P, which is going to very soon become a critical component of the global infrastructure.
- Create tangible benefits for artists who use these networks, or in some other way stop supporting the RIAA.
I'm sure you guys can think of a few more ideas. Personally I don't see Overpeer as a very good investment move do you? I'd take my money out of Overpeer and hire some guys to build on P2P instead of obstructing it.IMHO, the key to making this Overpeer crap go away is to make it economically counterproductive. "Anti-crap" technical countermeasures are necessary also. The RIAA folks aren't the brights bulbs in the box; it may take them a while to realize how dumb Overpeer really is.
Your solution is pretty good. But there is one major problem. It creates a nick that can be tracked back to the original distributor with a much higher degree of confidence than previously possible. Nicks known for high-quality/quantity uploads will become low-hanging fruit targets for RIAA prosecution.
--LP
P.S. IANAL but given where the law is these days, I'd be surprised if ping floods were legal, at least in US jurisdictions.
As I mentioned to one previous poster, the main problem with signing users is that you've now created a pretty strong evidentiary chain implicating the original person who is distributing the song with his 'nickname'. Given the 80/20 rule that 20% of people share 80% of the songs, you've just made it possible for the RIAA to both identify and attempt to prosecute those 20%, and now the authenticity of the public key infrastructure gets turned against the pirates.
If the RIAA (or some other prosecuting agency) can track down your IP #, they'd probably have enough probable cause to supoena your ISP records, eventually visiting you and confiscating your hard drive, and/or easily tying you with your public key to dozens or hundreds of songs you've distributed.
--LP
This method only works as long as all sites are equally trusted. If p2p software develops the idea of a web of trust, this method will fail quickly. Basically, a web of trust allows a user to mark a site as trusted or untrusted. You trust sites that sites you trust trust. In other words, I mark my client to trust foo.net and bar.com, because they always provide good stuff. They trust me as well, and a few other sites like fubar.cc. Since one or more of my trusted sites trusts fubar.cc, I trust fubar.cc.
Eventually this evolves such that sites which post bogus music, low-quality rips and the like will not get used, because no one will trust them. And a good web of trust allows you to see the trust path that led you to a server, so that if you get something bad you explicitly can mark as untrusted the nearest site to that (since they didn't do a good screening job) even though they would otherwise implicitly be trusted.
-- Two men say they're Jesus. One of them must be wrong. - Dire Straits
Interesting. Now the spoofers are using the same tactics (name changes etc) that users used before Napster went under....
So, only MP3s are currently being bogofied? (And, I would assume, primarily the Windows-only networks?) That's good, actually. Those of us who prefer to share and download Ogg Vorbis files on predominantly Unix-based networks will remain largely unaffected.
Helpful users have been finding out the IP address blocks owned by the "bad guys" and submitting them to create a "ban list" for search results.
The new version of Gnucleus has a feature that allows users to simply click and filter hosts that they suspect to be sharing bogus files (and spam etc.).
There are plans to expand the distributed web-based host cache system in use in Gnucleus and a few other clients to also serve blacklists. Possibly there will even be a "vote" system that would allow users to dynamically change these ban lists to propagate information on "bad" hosts automatically.
I think that using hash information is pretty useless, it's easy to stick the right hash on the wrong file. What you'd need is a PGP-like public-key encryption system with signatures and trust structures and the like, but that'd be going to the extreme.
So, everyone here is going on about how moderation, authentication, etc. is going to solve this problem. it would, if uploading and downloading songs wasn't usually illegal. A couple people have caught on to this, but most haven't.
The problem has two aspects:
1) If the systems has strong identities, then you have a confession from every uploader - as long as you can find them.
2) If you don't have strong identities, then those who would interfere with your system can hijack the identity system.
In the strong identity case, those few people who have uploaded most of the songs that are floating around suddenly find themselves targets. A well-funded attacker, especially one with the Law on their side, could use traffic analysis to track down the high-use users. Recall, they don't need enough info from the traffic analysis to get a conviction, just enough to get a warrant. Frankly, I don't believe claims that "my system is immune to traffic analysis." If the Law can tap into UUNet's big NOCs, they can watch the majority of US internet traffic. MP3's are pretty big, and a small population of users uploads most of the songs. It doesn't matter if your data is encrypted/chunked/whatever, the Law just looks for lots of traffic and tracks the big dataflows to their source. Once they find you, they find your secret key, and you're in jail. Secondly, a digital signature is forever. If you share a bunch of files in college, but then clean up your act and lead a respectable life (in the eyes of the RIAA), your digital signature stays behind. A gun that smokes until the statute of limitations runs out is a little scary.
In the weak identity case, you're no better off than in the no-identity case. The people who want to stomp on your little piracy garden are better funded and less constrained in their action than you. Everyone has infinite moderation points? What's to stop the bad guys (good guys?) from modding everything totally randomly?Much faster than carefully listening to each song and clicking a button. Legitimate rankings get lost in the noise. Use hashes or song fingerprints? What's to stop someone from transmitting the hashes/fingerprints from non-bogus media?
No, I'm afraid that the solution is the same as the solution to the wAr3z distribution problem. Small groups can share with full impunity (this is actually legal to do with music). But sharing music with perfect strangers is not just illegal, it means that the Man can play, too -- and do everything in his power to stop you.
So as I said, I do see this as one of the problems to be solved, although I feel it's of lesser importance. There are many ways of doing this. One of them is previewing - when downloading an audio or video file, when you're about 100k into it (100-200k if it's video), do a preview and see what you're getting. With this looping stuff you have to go farther than 100k however - preview one fourth to one third of the way into the audio files. Many Gnutella clients have a preview feature, as does Fasttrack (Kazaa).
Another method is to ban IP's and IP ranges spreading this. This is already being done - it's only a minor fix because they will always get around it, but it will help somewhat, they won't be able to have big servers spewing this stuff 24/7
The real way to fix this however is hashes. Which are already ubiquitous - they already exist and are known on Gnutella (Shareaza, Gnucleus, Morpheus, Bearshare, Limewire), Fasttrack (Kazaa) and Edonkey2000. On Gnutella (Shareaza) and Edonkey2000, you can click through or cut and paste these URI's (URLs) to files from web sites (or Usenet, IRC, e-mail, instant messengers, whatever) and start searching and downloading the files - for FastTrack (Kazaa), it is a little bit more time-consuming and complex, but worth it if you're going to be downloading a large file. The hash technology is already there, the key now is finding a trusted source for hashes which are both good and whose data is findable and downloadable on p2p networks, and for those sources to survive. I guess I'll detail how this is currently working with the various p2p networks, why not?
There are four major p2p networks - Gnutella, Fasttrack, Edonkey and Freenet. Freenet is a publishing network, the others are all file sharing networks, which is what we're concerned with. Gnutella and Fasttrack are the two largest networks. Edonkey2000 specializes somewhat in large files however, so if it's 100MB+ files you're after, Edonkey2000 is on par, and perhaps better in some ways currently, than Gnutella and FastTrack. Edonkey2000 and FastTrack are closed networks - closed source server/clients and closed protocol networks. Gnutella is open, the protocol is open, and robust open source server/clients like Gnutizen exist for it. This gives Gnutella advantages, such as a choice of multiple clients for virtually every platform, as well as other advantages. Of all the file sharing p2p networks, Gnutella is my favorite and I believe Gnutella is the future of p2p. I think competition amongst p2p networks is healthy however as every can steal everyone elses best features and innovations.
Gnutella files are hashed for HUGE with an implementation called sha1. You can read about the technical aspects here if you wish to. These hashes are useful for finding additional sources for found files so that one can resume downloads or download from multiple sources with integrity. Actually there's one caveat to that - if you are downloading from an honest client, it will tell you a truthful hash of it's data. A client could give a fake hash and then send other data - but you would have to directly download from the rogue. How clients deal with this is even more complex - Gnucleus downloads overlapping chunks - it downloads 1-2000 from one source and 1950-3950 from another - if 1950-2000 do not match from both sources, it marks both chunks as possibly bad. You can read more details about this in Gnutella documentation and discussion groups.
Aside from this usage, these hashes can be used externally as well. Currently, Shareaza, which is a pretty good servent (server/client), is the only one from which URI's (URL's) can be cut, paste, and clicked through to from the web/IRC/e-mail etc. I'm sure clients like Gnucleus will have this ability in the future. If you had Shareaza installed, you could click on a link like this - which is an, I believe uncopyrighted, Chomsky speech, Shareaza would launch (if you don't have it already) and would ask you if you want to download the file or cancel. If you select download it would connect to GnutellaNet, search for the file, and if it found a host which has the file and which has upload slots open, would start downloading it. Actually, the Slashdot "allowed HTML" filters are pulling some necessary characters out of the above link, so you can't click through on /., although you can on a normal HTML web page. I can't post an URL that you can cut and paste either since /. forces a line break after 40 characters or so, if /. didn't do this and the below was in one line, you could have cut and paste it into Shareaza, I'll show it here for an example, imagine this was all on one line for you to cut and paste, or better was just a link to cut. You can do this on any HTML page, it's just the Slashdot HTML parsing messing it up -
gnutella://sha1:HXHSJ6ATN3LQCCIOBGUEWV5FFCKP2KBL/N oam%20Chomsky%20-%20Audio%20Book%20-%20Noam%20Chom sky%20-%20At%20Johns%20Hopkins%20University.mp3/
I would give the above link a rank of "7", because the last time I searched for it, 7 people replied they had it. I have several hashes with a score of 80-90, meaning you're more likely to find or download them, but the above is the only one I have that I have enough confidence in that the data is uncopyrighted.
So now you have one link to a hash - where can you find trusted sources which tell you what hashes are ubiquitous, making it more likely you will find and be able to download them, are rated in terms of quality by multiple sources and so forth? Well for Gnutella, one source is Bitzi. You can search for data there, see what is the most reported, what things are ranked, see comments, see bit rates, file sizes, artists, titles and so forth. It is very cool. Most interaction is from Bitzi into Shareaza (the only Gnutella client that does this currently), but from within Shareaza if you find a file you can type "find Bitzi ticket" and see if the hash has been reported on already. One thing which I'm sure will soon be remedied is that Bitzi does not have direct clickthrough to Shareaza, I have to copy hashes to my clipboard, edit them to Shareaza format and paste them into Shareaza. I'm sure soon Shareaza and Bitzi will agree on a standard and remove this step so I can just click through. And soon Gnutella clients other than Shareaza will have this ability as well. Bitzi's data base is open to the public, you can read their open data policy on their web site, anyone is free to use the data as long as Bitzi is credited. Bitzi.com is the only large, good source of Gnutella hashes I know of. Edonkey2000 has had hashes for a while, and has several good, large sources for hashes such as Filenexus.com and Sharereactor.com. Since Gnutella is a larger network and it just implemented this ability, I'm sure it will have even more and larger sources in addition to Bitzi. And since Bitzi's database is open to all, if Bitzi goes down someone else can open the database up again somewhere else. I'm sure in the future, even the trusted rating system will become distributed.
Gnutella uses the sha1 hash, Edonkey2000 uses another, and Kazaa uses another. Web sites exist that centralize the hashes for these. I'm sure soon web sites will exist that coalesces and translates all of this. Gordon Mohr, who runs Bitzi, wants to see a universal p2p tag, magnet, which is agnostic about which p2p backend it is using. Why not? We can have a tag that we (more or less) trust, and can retrieve the data from Gnutella, FastTrack, Edonkey2000 or Freenet. It's a great idea.
I am less interested in other p2p networks than Gnutella but I'll discuss their hash and meta-data web sites a little. The most interesting one is Edonkey2000, which as I said, has come to specialize in large (100MB+) files, and which I have to admit is a pretty good way to download large files with some guarantee of integrity. There are two major meta data sites for Edonkey - Filenexus and Sharereactor. There are other sites as well. If you're looking for large files, they do a pretty good job currently.
Fasttrack (Kazaa) uses hashing, but the Kazaa client is not that friendly to this kind of thing. So Fasttrack/Kazaa is more of a pain in this respect than any of the others. Nonetheless, you can download a program called Sig2dat that helps you copy and paste FastTrack's UUhashes. The you can go to web sites that give meta data, rankings and so forth to these hashes. Kazaa/FastTrack is unfriendly to all of this so it is much more of a pain - you have to install files that help you do this (sig2dat), you have to restart Kazaa for every file you want to download in this fashion and so forth. With Kazaa, all of this is a hassle, it's much easier to do in Gnutella (Shareaza), Edonkey2000 and Freenet.
And lastly there is Freenet. Freenet has been using hashes since the beginning. Freenet is a publishing network, not a file sharing network. That is nomenclature - file can be and are shared on Freenet - from html pages to gifs and jpgs, to mp3's, to avi's, although Freenet is the last place you want to look for large files, Freenet's bailiwick is small files. Even a 4 meg mp3 on Freenet is harder to find and slower to download than any of the other 3 networks. Small files are the domain of Freenet - HTML pages and images. The Freenet protocol is more rich than the other protocols in many ways, thus you have more than just audio and video files going over it, you have third-party applications utilizing it, thus you have things like Fproxy (A world-wide web equivalent which runs over Freenet) and Frost and Freenet message board (Usenet equivalents - both for text and binaries). One benefit of Freenet is it's hard to crack down on people for publishing information - because no one knows who data is coming from or going to. This is not absolute, but it is much safer than the file sharing p2p networks in this respect. Also, people publish data, so that what you put out is stored somewhere other than your computer, and if your web site or shared file or whatnot is popular, it will be out there all the time without your node needing to be connected. Freenet also used a lot of signatures, encryption and so forth, so you already have a pretty solid trust mechanism and data integrity. It depends on what hash is used - KSK hashes are insecure, but SSK are signed. So with Freenet there are large upsides and downsides - the downsides are downloading is much slower, since you're downloading via intermediaries, not directly, and the larger the file, the slower the download and the harder it is to find a complete file. The upshot of Freenet is that there is less of a legal risk with regards to sharing/publishing data, data is signed by the publisher which greatly helps integrity, and also Freenet's protocol allows extensions other than file sharing with it's own internal network - web and Usenet like applications, and I'm sure there will be more in the future.
And I keep finding the same SPAM over and over again. Often times, a search will reveal the same small file(s) using the exact search criteria you specify.
It would seem to me that if an originator of such bogus files can be absolutely identified, that a peer black-list should be created to block these jokers out.
I know there are some obvious pitfalls to the idea but I am sure the notion can be refined with some careful thought. The list can specifiy the degree of the offense, (spam-bot, looped files and video files that are actually just music, etc) and the client can have a quality filter setting.
Now I know it can just be worked around in some way, but the hard-core hosts of bad files will eventually get blocked to the point that their effort is useless. And while we're at it, we can block out all know MPAA/RIAA IPs too.
Maybe it's a dumb idea... I can't be the first to think of it.
Gnucleus and BearShare currently use a hashing scheme to verify that one particular file is identical to another for the benefit of multisource downloads. If a user would be able to add a hash to a "block" list, these block lists could be updated frequently on the gnucleus web site and downloaded from a trusted source. All garbage files could be simply ignored.
Overpeer.com is getting IP service through Telemerc who, in turn, gets service through Sprintlink.net. Accroding to the Sprintlink.net's Acceptable Use Police , the following are prohibited:
7. Knowingly engage in any activities that will cause a denial-of-service (e.g., synchronized number sequence attacks) to any Sprint customers or end-users whether on the Sprint network or on another provider's network.
and
9. Using Sprint's Services to interfere with the use of the Sprint network by other customers or authorized users.
That's practically a description of overpeer.com's business model. They use their bogus material to interfere with the use of P2P services and to effectively create a Denial of Service attack against P2P services.
I encourage Slashdot readers to contact Telemerc and Sprintlink at helpdesk@telemerc.net and abuse@sprintlink.net respectively and explain (in a civil manner) that you wish them to stop providing services to Overpeer because of the DoS business model.
How do you stop Overpeer and like-minded companies from lying about the moderation points? Why can't they give it +100, CD Quality?
You can't trust the peers to be honest - assume that the RIAA will corrupt the client software.
You can't have a central server that controls the network - assume the RIAA will shut that down.
How about a central server for moderation? It can't stop the peering and doesn't know what is being shared or by who. But it gives out secure (ie public key) certificates to any client that logs on, and then any client can then rate another server anonymously.
To stop the RIAA from just setting up 1x10e5 clients and rating themselves as fantastic, each IP address could be limited to one vote for every peer out there, or something similar. That way 1000 votes from the RIAA are nullified by 1 bad vote from someone else.
Would that work? Its got to protect the privacy of the peers and have no influence over them.
Comments anyone?
Michael Veltman
There is no cryptographic solution to the problem where the intended receiver and the attacker are the same entity.
Gentleman, you have your targets. I want a clean hit, with no civilian casualties... ;P
::.. check out some Cell Phone Reviews
Does audio fingerprinting work? I have seen implementations of it that do not work. Are there any that do? This would immediately solve the problem, if there were a database of audio fingerprints.
Good idea! only I think you will find that boycotting the files is exactly what the RIAA wants. They want you to boycott the files and buy the smegging CD
Only the P2P people are already boycotting the CD because they are a bunch of theives who steal it via P2P rather than buy it
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
I thought a bit about these issues (in a different context) and wrote a paper on a method for assigning identities to network participants in a fully peer-to-peer way using cryptographic techniques. The basic idea is to make identity generation computationally expensive and independently verifiable, so that you know without having to trust any third party that the user in question spent a significant amount of resources to create their identity. Though these identities are pseudonymous (they won't say "RIAA", unfortunately), they are associated with the user's behavior through message signing, so it becomes easy to build a blacklist of users that you don't like. In certain situations, you can even share unforgeable evidence of misdeed with others. With this as a start, I don't believe it's infeasible to do things like you describe...
Check it out:
http://www-2.cs.cmu.edu/~tom7/papers/peer.pdf
You're forgetting the other side of the coin. (Some of) RIAA's clients could give bad votes to good files, nullifying positive votes by others, and making the whole rank system worthless.
- Tal Cohen
Unfortunately, a peer-to-peer network with a centralized authority is not peer to peer! This creates a single point of failure and a stronger legal liability...
The solution is really very simple. All people have to do is set their download directory different than their upload directory. Just because I download something, I don't want to automatically offer it to the world. What if it had a virus? Doing it this way I at least have the chance to clean the file before letting anyone else have it.
What no one seems to have mentioned, is that the copyright hold is RELEASING songs to the public that it owns! Even though it may only be a few seconds worth...
;-) Even if there is not looped version available for a particular song, there's no way you could know that before downloading and listening to several versions of it...
Astonishing... the possible legal issues.
If nothing else, you could say they have been using P2P networks where illegial trading is 99% of the the traffic, to promote their own music. In other words, they've contradicted the ideas that they've testified to in court.
Also, does that make the few seconds being made available into public domain? Can I mix those into my own music for free? Surely they can't retain copyright while making it easilly available.
Does that have any effect on the legality of downloading the full song? Surely you were just trying to download the looped version and just happened to get the full version
Oh, and besides what has been said, FreeNET/GNUnet systems are not necessary. We still need a system which allows a lot of anonymous people to download from a lot of other people they don't know. FreeNet/GNUnet are no better than FTP sites in that regard.
Oh, and if you want to host copyrighted files but don't want to get sued, zip each of your files, and set a 1 or 2 digit password on it. You could include an unencrypted readme in each zip that says that very thing. This means that RIAA/MPAA would need to resort to illegial tactics to discover if you were actually hosting any illegial content (making it inadmisible).
Don't want to get a lot of spoofed results? Check the sha1 hash of the majority of the files before you download, don't automatically share files you've downloaded until you've opened them, then more them into a shared folder.
And don't forget, you can BLOCK THE SOURCE IP ADDRESS of all those morons sending out crap. A public block-list could be made available at gnutelliums.com or gnutella.co.uk . It's really not possible for a big corp to just up and change their range of hundreds of IP Addresses every month or so.
Beyond that, add download/upload queuing, and message passing (so that I know I'm in the queue after 10 others) and Gnutella will be fine for another half-decade.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
That's the problem with running a service that's (for the most part) black market...when someone starts fucking it all up with counter-attacks, there's really not a lot of recourse.
... not all artists trying to get exposure have signed recording contracts with the RIAA, or with anyone for that matter, and some use p2p networks to get their material heard by as many people as they can in the hopes of building name and brand recognition).
... the RIAA (and MPAA, who are the ones involved in the dummy DivX nonsense) will find themselves contributing to their own demise in any number of ways as they conduct attacks against basic internet protocols, be they p2p or client-server.
Copyright is irrelevant. This is a premeditated Denial of Service Attack against a service that may, or may not, be facilitating the sharing of copyrighted material (and is likely providing a conduit for both
What if this attack were against the entire http protocol throughout the internet, taking down web pages everywhere because a few were trading copyrighted material illegally? Would we tolerate it? Absolutely not. Not even if for every legitimate, google or slashdot style website there were ten websites trading Warez and mp3s.
The act of DOSing a service is illegal (at least in some places), regardless of whether it is a copyright cartel dinasaur leading the attack to protect their outdated business model, or script kiddies and l337 h4x0rs defacing or DOSing their least favorite corporate website to express disdain.
Gentoo, Source Mage, Debian, and other GNU/Linux distributions that use the internet to display information may well adopt p2p methods to eliminate bandwidth bottlenecks, particularly during the release of new versions of popular packages like Gnome, KDE, Mozilla, and Open Office. If Microsoft were performing such a DOS attack there would likely be people facing fines and perhaps jailtime.
This is an attack on the Internet itself. FTP, http, scp, all of these can be used to share copyrighted material. Shall we allow cartels a free hand in making those protocols unusable?
There are legal remedies for prosecuting copyright violation. There is absolutely no excuse for this kind of illegal activity in the name of 'protecting copyright', and while there will undoubtably be technical solutions to much of this kind of thing (anonymous GPG signatures and webs of trust, etc.), the bottom line is that you cannot have the majority of civilization constrained by one set of laws that make these sort of attacks illegal, while allowing another segment of society to engage in this sort of activity simply because they argue it protects their business interests.
I agree with the general sense of your post
The Future of Human Evolution: Autonomy
...is going to be stupid enough to leave bogus files on his HD? You listen to it...if it's shit you delete it! No more bogus file being shared! Problem solved!
Or is this going to be like the proverbial pissing contest where hidden under the straw inside the barn is an electrified metal plate and after you get zapped, ou don't want to tell the other guys outside waiting for their turn to compete because they'll laugh at you? So you say nothing and let them get zapped to!
You're using her as bait, Master!
Comment removed based on user account deletion
Comment removed based on user account deletion
You want to publish a file.
2> Your system generates a public-private key pair for that file. This is *slow* because it's a big key.
3> Your sign the file. (actually, the hash of the file)
4> Optionally, you generate additional keys and re-sign the file.
5> You keep one or more of these keys. Not the first few, though, because that would identify you as the first person to sign this file.
6> You release the file on to the network.
When somebody downloads the file, if it's kosher, they:
1> Generate a key for the file.
2> Add the key they just generated to the file, sign the file, and every signature on the file.
3> Make a file, with all of the other signatures they signed, available to the machine you just downloaded the file from and to the network in general.
When you're searching for a file, you:
1> Find a file you think meets the search criteria you have.
2> Search the network for signature files for that file.
3> Down load them and check how many valid signatures the file has before you download it.
Now, here's the clever bit: when somebody asks you to download a file, you ask them for signatures: "Show me a file which contains a list of signatures to a key which you hold the private key for (i.e. x signed by y signed by z signed by x).
Each host answers download requests in a "most-signatures-first" format, and **never** honors the same signature file twice.
So, where does this take us?
1> Signatures simply attest that a file is what it says it is. Because the first N signatures are from keys you throw away, there is no evidence you uploaded the file.
2> Reputation is built on having signed a file which is what it says it is. Reputation is *diffuse* - because I sign every file with a different key, each act is atomic: I can't transfer rep. from one file to another.
3> You have to search for your credentials on the network, just like anything else: but only you can use them.
4> Fraud is quite possible: you can generate an endless number of keys and use them to garbage-sign files and propagate junk. However, and this is the key: can the RIAA afford to muster enough computing power to fight against a million hosts?
That's the key: reputation of a given file directly relates to the amount of computer power spent signing it.
You get a benefit from investing that power: first access to files on other machines.
They don't get any benefit at all: it's just a cost, and there are a lot more of us than them.
Finally, reputation is based not on making files available, but on reviewing them, which is clearly legal if you don't make the file available for download too - hence "third party review" becomes a way of building "karma" for the downloads you want.
That's clearly a desirable trait in a P2P system.
Hexayurt - open source refugee shelter,
code heads.... would it be possible for the software the read the file being downloaded, and check to see if it is looping over the firsts 20 seconds or so, and then alert you virus software style?
It could automatically stop the download, look for another file for you, and send that users name to a database as a bad file carrier.
pick this one apart please...
There's nothing Intelligent about Intelligent Design.
Most clients let you sample a file as it's downloading. Just listen to them as you are downloading them.
Also, some way needs to be incorporated into Gnutella to allow blackholing of IP's (at least personally on your client) that do this. Overpeer HAS to have a large network pipe somewhere (with a fixed IP) to be doing this from...
If there were some way to checksum MP3's, that could also be a way around it.
=== The price of freedom is eternal vigilance
This action by overpeer, at the behest of the RIAA and the labels is harassment of music fans. What do they hope to gain by angering us? They stand to lose a great deal more. I call on everyone to Boycott the recording industry. Don't buy CDs, except used ones, which they get nothing from. If we put the corporate robber barons who hold the recording industry hostage out of business, then people who do it for the love of music can take the industry back.
The Uncoveror: It's the real news.
I'm sure these dumbasses at Overpeer are simply looping the data without adding any additional variants. It should be possible for P2P networks to intercept this and terminate downloads quickly.
MP3 transforms audio data using MDCT windows of 576 samples each. So unless the length of the looped data is exactly a multiple of 576 samples, quantization will introduce slight changes from one repetition of the data to the next. Besides, it wouldn't take much work to add some low (< 48 dB) noise to fool the quantizer into making slight rounding differences from one repetition to the next.
Will I retire or break 10K?
If files are looped, definitely the downloading software could spot the loop by analyzing the data and sounding an alarm as soon as the data repeats...
It's a bit harder than that. MP3 lossy compression will usually introduce slight variation in the exact composition of the signal unless 1. there hasn't been any hiss added to cause slight rounding differences in the quantizer, and 2. the repeated length is an exact multiple of the 576-sample MDCT window.
You have to do comparisons in the spectral domain and allow for a margin of error. Some companies are selling music hashing products based on this technology, so it must be possible, even though it may not be straightforward.
Will I retire or break 10K?
Of course if that catches on, Congress might eventually decide that audio fingerprints are infringing after all.
Actually, these audio hashes already do infringe somebody's exclusive rights, but not the copyright owner's. Most of the audio hashing algorithms are patented out the @$$ in the United States and other jurisdictions that allow patenting of a generic computer running a specific algorithm.
Good thing patents last 20 years, unlike copyrights, which last effectively forever. No sound recording will enter the public domain in the United States until 2068, when copyrights on works from 1972 (sound recordings were first granted Federal copyright in 1972) are supposed to expire, barring a Chastity Bono Further Copyright Term Extension Act.
Will I retire or break 10K?
This solves nothing. In general, trust is not transitive.
Advogato seems to have developed a trust metric that does work transitively.
The question then becomes, how does one enter the community in the first place? On Advogato, you can't post anything, not even comments to stories, until you have already been certified to at least level 1 by another level 1 user. (There are three levels.)
Will I retire or break 10K?
This argument is inconsistent. You legitimize DeCSS because it helps people use "legally owned" DVDs. This implies that the law is the source of your morality. But distributing DeCSS is illegal, a violation of the DMCA. So obviously you have less respect for the DMCA than for traditional copyright. Therefore, whether something is legal is not really your criterion.
I think the generally accepted term for this is crapflooding, not Denial of Service.
YMMV.
Lawrence Lessig said "code is law". Namely, he was talking about code that business', ISP', and government's write on top of standard protocols to regulate our behavior.
But code is also law for us.
We are the one's who write the code for P2P services like Phex, LimeWire, BearShear, etc. Thus, we are the one's who create the "law" for those services.
We have the ability to code away this problem, and any other problems presented to our P2P utopia.
So how do you deal with bogus files? Well, one way to do it is by detection. Write protocols into P2P programs to detect bogus music files. How do you do that? By reverse engineering their technology. Lets say that their "bogus" files appear the same size as normal files, but about 1/4 of the way through have a hitch in them w/c causes your player to play over the part over and over again. So you write code to detect that.
Another way to deal with it is the same way we deal with spammers: block unreliable sources. If a domain-name for e-mails often gives you spam, you block that domain name. Same thing w/ P2P networks with a little bit of ingenuity.
The only thing to worry about is the red queen effect; namely, we take counter-measures to their measures, and they take counter-counter measures to our counter-measures, and so on and so forth. This results in a lot of wasted time for us, and also will eventually make our code bloated.
Another alternative is the legal route. Contrary to what some say, there is a legal option. Their actions garble up the P2P network, which will negatively affect many who are sharing non-copyrighted files. Hence, a basis for a legal restraint.
The other possibility is a counter-attack. They've screwing up our networks, so we screw up theirs and their systems. The best defense is a good offense. This would be DoS attacks on their servers, or virus'/worms aimed specifically at their computers.
Another possibility is very simple. Rather than trying to weed out untrustworthy sources, try to find trustworthy ones. This is much easier as you'll get cooperation. Real netizens of the P2P community may put tags on their files, as identification, which would securely identify them; then, those files would be rated on two categories -- quality and completeness.
social sciences can never use experience to verify their statemen
http://www-2.cs.cmu.edu/~tom7/papers/peer.pdf
...
.sig
The problem isn't the evil master mind making salt for his henchmen,
the problem is the evil master mind who makes thousands of mules. (Identities for himself.)
Signed salts do not prevent the mule problem.
I don't believe you can so easily tune the amount of work needed to create an Identity either.
The RIAA probably has over 100 computers that sit idle every night.
If it takes 8 hours to make an identity, then they could churn out over 100 every day, virtually free.
With backing, the number could easily be 10,000 a day, or even more.
If the EMM isn't constrained by legality,
then he releases a virus and generates millions of keys in a single day.
If variable strength keys can be used,
then in the processes of generating a strength K key,
the EMM also generates 2 strength K-1 keys, 4 strength K-2 keys
I think it's better to concentrate on whitelisting than blacklisting.
-- this is not a
It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
...Just build in something to P2P client applications which is aware of Overpeer's IP addresses. If there's unused bandwidth, download anything they're offering (and just throw it away). Drive up their bandwidth costs while simultaneously ignoring the junk they're sending out.
Easy.
Cheers
-b
Some of) RIAA's clients could give bad votes to good files, nullifying positive votes by others, and making the whole rank system worthless.
My idea was to only give one vote per IP address - so that making multiple votes from one site would have no extra benefit.
Michael
There is no cryptographic solution to the problem where the intended receiver and the attacker are the same entity.
Signing salts is a way to insure that the person who generates them knows the private key of the identity.
This makes it hard for someone who is interested in protecting their identity to get someone else to do the work,
but does nothing if they do not.
Mules don't care if their master knows their private key. Because the real problem isn't in adjusting the difficulty of the problem, but in deciding what difficulty is appropriate.
My mother uses a 133 Megahertz PC.
I use an 800 Megahertz PC.
At work I have access to more than 60 PCs, all
more powerful than my personal computer.
So what's the "right" computational difficulty?
If it takes my mother 6 hours, it takes me 1 hour
at home, and 1 minute at work.
Note that I'm not saying that setting the computational difficulty is impossible,
just that it's a non-trival task, with certain inherent weaknesses.
That assumes that EMM creates keys the way you've outlined.
But he doesn't. Instead he generates a new key and a new salt each time he gets a success.
For example, suppose you wanted to generate keys of stength 32, but knew that strength 28 was acceptable.
You start testing salts until you find one that's strength 28 or more.
You record the result, pick a new key, and continue.
By the time you find a strength 32 key, you will have (on average) found 2 strength 31, 4 strength 30....
But the major difficulty in generating keys is finding the large primes to multiply together.
Finding 2 primes for one RSA key may be 1,000,000 times harder, but with 101 primes, you
can generate over 50,000 keys. Generating a million keys is only about 1,500 times as hard as generating one.
(and if a square root reduction in difficulty isn't enough, you can use three primes for the key)
-- this is not
> Even if generating a key is a million times harder, when you're testing 2^24 salts per
> key, that only makes the overall problem 7% harder.
Oops, you're right, I wasn't thinking. Anyway, being able to generate lots of weaker keys is only a problem if users trust weak keys (which becomes less likely the more that attacks like this are attempted!)