Putting P2P To Work

An anonymous reader writes "Looks like some folks at IBM have had moderate success in getting P2P adopted within the corporate enterprise. One new paper on the site describes experiences in deploying a decentralized search network spanning machines in 43 countries. Another describes a system for peer-to-peer sharing of dynamic web applications instead of static files. The idea is to support development and distribution of simple modules that themselves form meta p2p networks. Neat."

Security?

[cscx]

What stops you from doing a man-in-the-middle attack, as so to speak? I.e., what assures the integrity of the original files, and how do you know that you're obtaining an authentic file?

Re:Security?

[ealar+dlanvuli]

You probably look the files up by a cryptographically signed key that is impossible to duplicate.

You would have a centralized "checkin" server and files would be distributed based upon key from there, cached every time someone accesses them.

When you acquired a new file you would check the crypto key against the checkin server and get a "valid/invalid" response.

The only really hard part of such a system is coming up with an efficent search algorithm that doesn't chew up your network while at the same time getting a decent number of cache hits.

Re:Security?

[cscx]

I was thinking of something like that, but you spoil the true peer-to-peer creamy goodness by relying a centralized server -- there's still a central point where failure can occur.

Re:Security?

[Chris_Stankowitz]

Well, for starters, I don't see why you would need a man in the middle attack on a LAN. To perform a man in the middle attack on a LAN you need a system on the LAN as well. At this point why bother with a man in the middle attack.

I think the kind of security issues you would be most concerned about would be confidentiality. My guess would be that you only place insensitive files on the P2P network, or develop P2P software that has user defined rights. That of course could lead to elevation of privileges attacks. Either way you cut it.

This is all still info that is "internal" to IBM. As everyone knows (or should know) the largest security risk that all companies face comes from internally to begin with. So its not as though these files are not accessible by a malicious and knowledgeable person on the inside already.

There are many ways that the risk can be mitigated with such a system. I could go on for paragraphs on this. I think the concept of using P2P internal for corporations has many advantages and could be come a great tool. Much like any other means of sharing information digitally all the security risk will have to be assessed before it goes into "production"

Re:Security?

[JohnFluxx]

No no - look you just sign everything with pgp. The host has to inherently trust _someone_, so the key they trusts signs someones key who signs someone elses key and so on until you have a chain of trust to the signature on the pgp file.

One way of doing this practically is to joe-bloggs sign his new files with his keys. Then some main server checks over it all, and signs his keys. Then you client get: 1) the file 2) the pgp signature of the file 3) the pgp signature from the main server of the pgp key

This involves having a main server, however you don't need to talk to it.

You need some way to make a chain of trust, and a central server/group of servers that everyone trusts is the easiest way.

JohnFLux

Re:Security?

[ryochiji]

It probably works well in a trusted setting. For an example, if you're using this in s corporate network, it's probably in your best interest to not mess with the data.

But then, look at other public P2P networks. It seems to work surprisingly well...in fact, it seems like the RIAA is the only one even talking about distributing bad (as in corrupted) files.

Re:Security?

[Bert690]

Every YouServ node is granted an SSL certificate from an integrated certificate authority, and uses it for support of HTTPS/SSL. Use of HTTPS guarantees there is no man in the middle.

YouServ is a bit different than traditional P2P apps most people are familiar with. For one, there is accountability: Every one of the files you share has YOUR NAME embedded within the URL required for accessing that file, even if that file resides on another machine at the time of download (e.g. from the ability to replicate your site to other machines). Unless you don't value your job, you'd be highly unlikely to use this system for sharing porn / MP3's / etc, a point made in the paper on the search function.

Two, it's not just for sharing files that are world readable. It's also for sharing stuff with only designated users and groups. Every node is tied together by a single sign-on infrastructure so you can use one and only one password to access secured content on any node, without the possibility of malicious nodes sniffing and stashing your password.

Third, it's at its core web compatible. You access the network with a regular web browser. There s no need to install spyware riddled clients to get at anything. Each node provides a web accessible search interface for searching the globally shared content or site-specific content. You only install the software if you want to host stuff.

Re:Security?

[bastion_xx]

A P2P network based on PKI could perform authentication without requiring 24/7 access to a central server.

Once the file has been signed by a certificate authority and the CA's public key is loaded in the P2P software, the validity of the file can be confirmed. Of course, certificate revocation lists are more problematic, but they too could be distributed via P2P.

If the network is used to insert files on a continueos basis, subordinate CA's could handle the load a redundancy.

Re:Security?

[Reziac]

[scratching head] Did they just reinvent Groupwise??

Re:Security?

[Reziac]

Ah, I see. Good explanation, thanks.

Re:Security?

[|<amikaze]

HTTPS is not entirely secure. Ettercap will sniff HTTPS traffic, including traffic through a proxy.

Hmmmm....

[dethl]

But how long before the RIAA calls this evil and attempts to shut it down?

Re:Hmmmm....

[whereiswaldo]

So what. IBM is not going to control what files people share. They are supplying the technology only.
If it gets shut down, we might as well shut down the entire Internet and call it quits.

As the linked webpage says...

[kaosrain]

As the linked webpage says, we've already had a story on this here. All that is different is a new version (and name) of YouServ, and that the currently active users number has risen from 900 to 5,000. Good job to the guys at IBM, and keep up the good work!

Project Jxta

[Isosonys]

www.jxta.org does this now, p2p search, and much more.

Re:Project Jxta

[Bert690]

There's a lot in YouServ that is not in JXTA. YouServ is an application, JXTA is more about infrastructure with a loose collection of apps atop it, none of which provide all the features offered by YouServ (web hosting with transparent site failover to buddy machines, dynamic dns, integrated authentication system and certificate authority for single sign-on and support of HTTPS, browser compatible access, p2p search over file *content* as well as filenames, and so on...)

Sure you could probably build something like this with JXTA, but nobody has done it yet.

Putting P2P To Work

[Istealmymusic]

MP3s from IBM's OC-192s?! Sign me up!

Re:Putting P2P To Work

[Cheese+Cracker]

MP3s from IBM's OC-192s?! Sign me up!

MP3s?.. Movies!

I can smell the synergy

[mr_gerbik]

What they need to do is synergize by making more robust b2b real-time applications using p2p e-solutions.

Re:I can smell the synergy

[capnjack41]

You've been using the Web Economy Bullshit Generator, haven't you!

Coming into its own

[dirvish]

First academia starts contributing to peer to peer development, now it is being used as a business app. Looks like the folks who would love to see p2p dissapear are out of luck.

P2P that isn't evil spyware????

[Shymon]

a P2P network that isn't evil spyware? must pretty cold in hell bout now.

Re:P2P that isn't evil spyware????

[dethl]

Actually, its raining down here.

Re:P2P that isn't evil spyware????

[the.jedi]

umm... yeah spyware isn't on the network.
it's on the frontend that you download.
And doing that is stupid.

There's Gnucleus
Open source and delicious.

And WinMx
No spyware. No bullshit.

the list continues...don't be dumb read the fine print

Re:P2P that isn't evil spyware????

[MarcQuadra]

I've used MyNapster (free, GPL, Win32, no spyware) for a long time now, the latest version is comparable to LimeWire, without the java-ickyness. MyNapster has a down-to-business interface and some cool tools to visualize the parts of the Gnutella network you can see. Give it a whirl if you can. On Linux I run GTK-Gnutella, because it has geeky features and I dig the interface.

For a real challenge, try P2P-ing the database

[Hugh+G.+Rekshunne]

The paper discusses "sharing of dynamic content generators, web services, and web applications" using P2P.

But as usual, the examples are of the trivial, "hello world" class.

In the real world, dynamic content and web services are linked to some back end database server. Doesn't matter what kind of fancy distributed malarkey you put in place, everything gets serialized back to a skinny pipe when you reach the database server.

Now a distributed database server based on P2P - that would be news. Oracle had such a project, code-named Andromeda, some 8 years ago but it came to naught cos it ain't that easy.

Re:For a real challenge, try P2P-ing the database

[mcroydon]

From what I can remember, Microsoft is currently working on a p2p database. I would love to see something similar implemented in the *nix community. I know it would be hard as hell, but it'd be nice to have something that sets up easier than an openmosix cluster, preferably something that you can install once and forget about...

Re:For a real challenge, try P2P-ing the database

Adndromeda came to naught because the executive sponsor, Bob Miner, got sick and died. Key people moved on to work on the RAC database. (Not to say that Andromeda was easy).

Re:For a real challenge, try P2P-ing the database

[Bert690]

As a developer of the system, I can tell you that a p2p database is not, nor will it be, one of the goals of YouServ.

The system is intended for personal web hosting, that is, for use by mostly non-technical users for sharing files, creating web logs, guest books, and so on, using their own hardware (and that of their friends). In no way are we trying to provide p2p solutions to business class functions such as serving an online store (though I agree it would be cool if someone did that).

Indeed the existing plugins are simple (my development time has been limited and this component is very new), and at this point are intended only to demonstrate the API features. But even quite simple plugins, if they cooperate across multiple machines, can do some very cool things, a few examples of which are proposed in the paper: sharing files on multiple other p2p networks, distributed content caching ("akamai for free"), cooperative weblogging, and so on. Again, you woudln't use this to build a high-traffic online store, but it does give you many new and easy to use ways to enhance and publish your own (web) content.

Re:For a real challenge, try P2P-ing the database

[cei]

Well, Akamai seems to have the best handle on this. I know it's not exactly the same as P2P, but the transfer model is similar... Someone in one corner of the net wants a file, and the user is directed to the proxy server closest to them. If that server doesn't have it, it asks its neighbors, until a copy of the requested data gets passed to it. The data then gets cached at that proxy on the chance that someone else in the neighborhood might be interested as well.

Re:For a real challenge, try P2P-ing the database

[sailesh]

Look at the PIER project at the Database group in UC Berkeley.

PIER is a P2P Query Processor .. it stands for "P2P Information Exchange and Retrieval"

http://www.cs.berkeley.edu/~huebsch/pier/

Other Upcoming Uses

[Superfreaker]

Well,
Earlier I posted to /. on a DRM solution I was deploying for a major record label. Some of you also know that these labels are paying companies to distribute files that look like real audio files, but turn out to be ads, or silence.

With the system I built, they are going to give downloads of actual music files protected by DRM on these p2p networks, where upon playing it, you will be prompted for payment. You can make payment in the licensing window of WMP. It should be noted this only works for .wma files and not mp3's. However, most p2p users use apps like kazaa where selecting "audio" files will return wma's.

It will be interesting to see how this works. It can obviously be circumvented using one of the DRM hacks, but I'm sure at least some will buy the files. Especially those on dial up who spent 15 minutes to get one song.

Is it evil? Sure. Not as evil in my mind as those companies that distribute silence or ads on these networks. Please understand, I have all the same feelings as the concensus here has. But this is a necessary step for the industry to get with the times. The DRM at least will have unlimited play, cd copy, and move to portable device.

Baby steps. Slow and steady wins the race.

Re:Other Upcoming Uses

[LostCluster]

Okay... So how long until somebody writes the one where it looks like you've downloaded the song and it then pops up the DRM window. User types in the info to buy, and off it goes to the hacker who charges a whole lot more than what he said he would! The risk of it being a fake one of these discredits the real ones, and this technology goes down the drain due to inability to be trusted.

Re:Other Upcoming Uses

[Superfreaker]

Well, what I was thinking, and I'M the original poster for this reply....

I take my HD of MP3's (around 5,000) and put DRM on them. Then You pay ME to play the downloaded file. If only I was that unscrupulous...

It would be VERY easy to do. So, I guess I am not that evil.

Re:Other Upcoming Uses

[grumpygrodyguy]

Baby steps. Slow and steady wins the race.

That's true, but it's also how DRM could become something much more menacing that what you invision it to be. Do you think Hillary Rosen shares your moderate viewpoint on DRM? You just build the tools, you don't get to decide how they are going to be used. Most people here are aware that succesful software oftentimes ends up being adopted to perform functions that the designer never even considered.

As well indended as your efforts may be to try and find a working compromise between content consumers/producers. You are laying a groundwork that could dramatically dis-empower millions of people.

The primary issue here is one of precedent. You're helping to bolster the notion that DRM is something that people will accept.

Right now marketing is being pressured into "selling" DRM without disrupting product sales. Which is very tricky in recessionary times like these. Companies need consumer dollars to stay afloat, so they can't be too hasty and scare them away with technologies like DRM. Once sales pick up again however, there will be much more leaway to completely transition to DRM based media distribution. Have you really considered what that would imply?

This isn't a comic book, and what you're doing could end up effecting real people in very negative ways. I'm just curious what is going through your mind as you're coding this stuff. Do you think you're some kind of hero? Would you please elaborate your point of view?

Re:Other Upcoming Uses

[Superfreaker]

Again, please let me emphasize, I am an average /. poster with the same exact feelings. I have HATED all experiences with DRM before I started working with it.

When I was initially apprached, I pushed MP3's hard, I even built the system around MP3's at first. They brought up DRM. I never worked with DRM and as I mentioned before, implementing DRM was the most horrific experience ever.

I am not a hero. DRM IS WRONG, IMHO. But, it is the same with software serialization. Even that is wrong, but it is a fact of our use of computers. The only thing we can do is to make it as easy as possible.

Ask yourself, What should DRM do? Not what it does (inconvenience people, anger everyone, etc..) It is to simply make sure that the people who paid for an item, get to play the songs, those who did not pay for the song, should have to pay. That is what DRM *should* do.

Does it do it in all of my previous experience? No, of course not. Is it MS's fault, partially. What have I personally done different? Well, I made it a little easier and more transparent. Its it completely silent in its process? No, of course not, the toll just is not there yet.

What do I think of things like palladium. I'm scared. But in this respect, I think I am doing a good thing, and I am proud of improving something so horrible. Again, I have the same concerns as most of us here (even if I am a Win developer :-)

Hope that helps. I'm open to off list discussion...

Re:Other Upcoming Uses

[GimmeFuel]

It will be interesting to see how this works. It can obviously be circumvented using one of the DRM hacks, but I'm sure at least some will buy the files. Especially those on dial up who spent 15 minutes to get one song.

Either that, or they'll be mad that you just wasted 15 minutes of their time and bandwidth. On top of that, you face the rest of the problems this kind of business model faces, the biggest of which being a large chunk of your target audience doesn't have a credit card. Sure, some will buy it, but not enough will to make it sucessful.

Baby steps. Slow and steady wins the race.

Baby steps don't mean much if you fall flat on your face every time you stand up, and slow and steady is still doomed when your opponent (in this case, the free P2Ps) has such a huge headstart.

Re:Other Upcoming Uses

[I_redwolf]

For the industry to get with the times they'd put all musical content online on their own p2p service and charge a fair price for a download. What you're doing is not getting with the times it's a waste of time, effort and money. The obvious solution is the simple solution is the solution the RIAA is fighting tooth and nail.

Re:Other Upcoming Uses

[grumpygrodyguy]

When I was initially apprached, I pushed MP3's hard, I even built the system around MP3's at first. They brought up DRM. I never worked with DRM and as I mentioned before, implementing DRM was the most horrific experience ever.

I appreciate your honesty, but I have another question for you.

The tone of your post seems to indicate that you don't have much say in what gets implemented. Are you in a position where the only kind of work/contract you can find right now is building something like this?

Said another way, are you having to choose between paying your rent/morgage vs. doing what you seem to know in your heart of hearts is wrong?

Re:Other Upcoming Uses

[Superfreaker]

"aid another way, are you having to choose between paying your rent/morgage vs. doing what you seem to know in your heart of hearts is wrong?"

I think most developers will agree, this is a once in a lifetime contract. The biggest client I have ever had, doing an extremely high profile project. I am trying to build a business.

I do have my objections, sure, but the opportunity is just way too much. The industry is struggling right now, I am not doing that bad though, but still, it is a great opportunity. I think I am helping them move in the right direction.

I know, I won't be remembered for the money I made, it will be volunteering at the Mormon Church, coaching little league, etc, but there are very few of us that would turn this contract down under these circumstances.

Re:Other Upcoming Uses

[grumpygrodyguy]

My god, the man is writing DRM software, not eating babies.

Actually what he's doing is worse.

He's fattening himself by sacrificing the rights of babies(all of ours). If I was a baby I'd rather he eat me than force me to grow up in a world like the one he's helping to create.

I don't get it

[papasui]

You'd think a huge corporation like IBM would have enough copies of 'Jenna's built for speed' to around so employees wouldn't have to share DiVX's. Damn ecconomy.

Like Gnutella, but webpages.

[deathcloset]

uServ + Java p2p DDNS server = Dynamic Javanet = Good times for pppoe dsl users with dynamic ip's.

Meta Bracket This...

[Quirk]

The idea is to support development and distribution of simple modules that themselves form meta p2p networks. Neat."

The american anthropolgist and all around genius Gregory Bateson was among the first to investigate theories of meta bracketing as sources of information. His two best books 'Steps to an Ecology of the Mind', and 'Mind and Nature: A Necessary Unity' are both excellent reads and brilliant insights into the human psyche.

another thought...

[shaitand]

When will microsoft make a p2p filesharing app, will they include it with the next release of windows? That should piss the riaa off but I don't think microsoft cares as long as they use a propriatary protocol so it only communicates with windows boxes. I mean, Microsoft can afford to keep an eternal court case going with the riaa.

Wow...

[Duncan3]

IBM gets ancient client-server systems to work, news at 11...

Slap "P2P" on something old and watch people drool...

Re:Wow...

[LostCluster]

IP is a P2P protocol... but since it does things other than share MP3s that's quickly forgoten.

Re:yay p2p plus ibm=sweet

[The+Original+Yama]

p2p at work? Pr0n will acquire a whole new meaning when you can pull it in over your company's T3 line.

Hooray

[toomz]

At the rate P2P is going people will be able to use 100% of my CPU power and hard disk space to remotely code DivX files reliably in just a few years!

Re:Hooray

[deathcloset]

But look on the bright side. You could use thier CPU likewise :)

Re:yay p2p plus ibm=sweet

[scott1853]

So they're going to block port 80? It's ok if posters don't want to read the articles, but the moderators should before modding someone up as insightful.

Excellent for college application!

[dethl]

Colleges could cut down on bandwidth due to the "abuse" of P2P applications by students and staff. With most networks at 100baseT, local P2P would be quick, easy, and efficient, and save bandwidth for other stuff. Still, someone would get onto Gnutella or Kazaa and download stuff, but then again, if one person downloads the new Harry Potter movie, the local P2P network can send copies all over the campus in a few seconds...that would kick a$$

Ad-hoc p2p on OS X

[h0tblack]

One great feature of 10.2.x has become apparent through use of Rendezvous (aka OpenConf) and iChat. Rather than connecting to a central iChat (ie AOL) server, you can easily and automagically create an ad-hoc iChat network between any capable (running 10.2 and have a network connection) machines. This enables people to easily chat, exchange files etc. wherever they may be, by setting up simple wired or wireless networks. Look out for more of this at various conferences (wireless ad-hoc networks) and in the workplace.
This sort of technology is being pushed by Apple and will be included in future updates to various "iApps" including iTunes...

In related news...

[Morologous]

IBM plans to license this technology at $45,000 per processor.

Re:Coming into its own-half n' half.

" First academia starts contributing [slashdot.org] to peer to peer development, now it is being used as a business app. Looks like the folks who would love to see p2p dissapear are out of luck."

No it's the half-n-half rule. Those on the business half can do what they want because they have the money to do it. Those on the residential side (our side) will have to put up with bandwidth limits and download caps, as well as port blocks, because we DON'T have the money. Isn't it nice how the world DOESN'T work.

Re:Oh oh! Not compatible? Bahhhh

[Bert690]

That's a pretty minor issue since it only affects HTTPS/SSL (which is used for file uploads to protect auth credentials).

A worse one (for YouServ compatability and anything else reyling on dynamic DNS) is the fact that Mozilla caches IP addresses until the browser is completely restarted. How's that for stupid?

Please vote to have this issue fixed right here.

P2O vs the Slashdot effect

[TomRC]

What we REALLY need is P2P software for slashdotters, to counter the slashdot effect.

It's practically the perfect application for P2P.

Re:P2O vs the Slashdot effect

[Bert690]

Working on it. See the "distributed content caching" plugin example described in the "peer to peer sharing of web applications" paper on the YouServ project page.

It will let you encode any YouServ URL so that it gets cached and served by an army of available machines instead of just your own machine.

Re:Um... no....!

[JohnFluxx]

I don't follow your point, sorry :(

The only time you access the central server is:

1) When a brand new client connects to the internet and needs to get the server's public key(s). This is when the client is at its most vulnerable from man in the middle attacks etc. You could try hard coding them into the client, but you get the same problem - basically you have to start off just trusting someone you don't know.

Then you have two choices. The server could either trust everything, say, apache spits out. To do this, the server would sign apache's public key. This is done once, and then never again do the user or apache have to contact the server again.

OR

The server could just sign individual files. The coder would then sign one of his files, then send the file and signature to the server. Some human would look over it, decide if it is good sign, then sign the signature.

In both cases, when the end-user downloads a file, they get 3 files directly from the coder - the file, their signature of the file, the signature of the signature/public key.

Re:Reliability

[Bert690]

Because it is a centrally coordinated system, fragmentation of the network is not possible and search results are almost always "complete" (that is, if what you are searching for is out there and available at the time of your search, you're almost guaranteed to find it). Check out the paper on the search function for details.

Yes, this means it does exhibit a single point of failure, but as the system is not intended for piracy, porn, evading censorship, or other uses that tend to get systems "shut down", the benefits of centrally coordinating the system outweigh the functionality and performance limitations of a fully decentralized approach.

The difference from this and a completely server-based solution is that there are no central requirements that involve a large amount of resources. The central servers are a pair of old 400MHZ PII boxes, one for DNS, and one for the coordinating services. A one man operation can easily run this system on cheap hardware and a pipe with only moderate bandwidth, and still serve tens if not hundreds of thousands of users.

Re:Shit man, just post a MD5'd checksum (nt)

[JohnFluxx]

And how do you know whether somebody hasn't maliciously replaced both the binary and the md5?