Slashdot Mirror
Mission: Infiltrate the P2P Network
prostoalex writes "Wired News unveils the secrecy behind Overpeer, the company whose mission is to infiltrate peer-to-peer networks with low-quality audio and video files, or corrupted chunks of data which carry the same name and have the same size as originals. Apparently OverPeer even managed to procure a USPTO patent on (a) producing an advertising digital music file by deteriorating or damaging a sound quality of an original music file of a record of a cooperating record corporation; and (b) distributing the advertising digital music file through the communication network."
don't users of these networks already do this when they share their crappy files
"but money is the God of Algiers & Mahomet their prophet." - Rich. O'Bryen June 8th 1786
or corrupted chunks of data which carry the same name and have the same size as originals.
Isn't there some magical algorithm that produces an unique checksum number for a file, and if it were missing chunks wouldn't that reflect in that magical number? Don't most P2P networks use this magical MD5 checksum algorithm to ensure files aren't screwed up?
Gee, you would think the patent office would realize they just awarded a patent to the same guy that sells server pixie dust.
i have prior art! i was distributing crapy files on p2p long before they ever came around!
I know some P2P networks just match file size and name, but I'm pretty sure most of the good P2P networks check a file's MD5 to see if it is the same as another. If the MD5 matches, it's probably the same file, despite having a wildly different name.
Unless Overseer or whatever found a reverse algorithm for MD5, I doubt very much that they could degrade the qualify of a music file in such a way that the MD5 doesn't change.
From the article:
2) Collect illegally produced digital music file.
3) Edit illegally produced digital music file (damage sound quality).
4) Distribute digital music file on network.
All of these are illegal under the DMCA.
Oh, I get it, it's ok to break the exact same laws you're trying to get the general public to stop breaking. I know, lets run around and rob the thieves and rape the rapists, that'll get them to stop too. Why didn't we think of it before?
<sigh>
Damien
It won't work well with all P2P networks. A prime example is the eDonkey network which uses a hash of each file as an identifier, not a filename/size identifier. You can rename the file to anything and the hash won't change. eMule Project is another great eDonkey network client and is open source.
This is too little, too late, unless you're stuck on Kazaa.
Trolling is a art,
Tit. Tat.
I might not like it, but this response seems pretty logical to me. The Industry has declared war on P2P as the source of their dwindling profits. (I'm not going to argue the validity, that's irrelevant.) Of course they're going to try to sabotage these networks any way they can.
This puts the ball back in the court of the P2Pers. So what's the next step? Seems to me it won't take long for someone to come up with either a moderation system or IP blocking scheme that will force the Industry into a different line of attack.
When are these people going to learn that if they spend 6 months developing a technology to "protect" their copyrighted info, it will take 6 days (if that) for someone to defeat it?
Dime to donuts someone has a way to beat these bogus files within the week...
-mh
The patent may in itself be a good thing. Do we want other companies to be able to duplicate this scumminess? I think not. . . better to let the scumbags feed off one-another.
!#@%*)anks for hanging up the phone, dear.
People will just delete the junk and keep the good copies (think about spam).
The good copies get moved to the "good stuff" directory (available for download) and the bad stuff goes to
"On some level they understand that P2P users are also potential customers -- record buyers, video renters or gamers -- and don't want to alienate them"
Well if you want my business, then maybe you should give me a sample of what you have to offer, and not just waste my time in the first place. But then again, If I can buy a complete movie on DVD for even as low as $5 on sale, or $20 not on sale, why would I want to pay $18 for a CD with maybe 15 tracks if I'm lucky.
Either way, these businesses need to figure out how to attract my attention, rather than ram their practices which are tried and proven to be not working, down my throat. Can't open my wallet that way!
Mine means my own, but how can this be if I owe for it?
They're getting PERMISSION from the copyright holders to do this. They're not collecting anything. Record companies will say "Hey, you have full right to distribute fake Metallica files" and you know what? It'll be LEGAL. Turn! Brain! On!
It's the age old Pissing in the well trick.. if you poison the source then people wont use it.
Unfortunately there are at least 90-100 more talented programmers and solution finders to every employee they have out there that will find a way to detect or reject their junk. This company has nothing of value to sell to any interested party, just like macrovision is 100% worthless (both 1 and 2 are easily removed without effort and only $5.00 worth of electronic parts, or a simple $10.00 box that can be purchased most anywhere called a "video stabilizer")
Let them do their worst, let the companies waste their money on this snake-oil salesmen. i dont care, it will never affect me, and by the time the first 2-3 of their supposed files get in the wild there will be patches to kazaa-lite , open nap servers, and gnutella clients that simply will not list these files.
Do not look at laser with remaining good eye.
I'm going to patent creating potholes with the cooperation of tyre manufacturers; and distribute them thru the road system.
all this discussion of checksums and the like is totally irrelevant. quite ignoring the fact that its the host that supplies the checksum (if its too be of any use in selecting potential downloads), its very unlikely that any two renditions of the same audio file would be identical. CD-based digital audio is not a bit-for-bit perfect transfer medium (hence error correcting h/w and s/w in the drives). Rip a CD on two different drives and the chances that some bits will be different in the resulting files are really pretty good.
Checksumming only works if the assumption can be made that there is a single unique version of the file. That isn't true in the most common cases.
Bandwidth's expensive. If we could at least come up with a system for users to have to actively opt to share each file after they have played them and can verify its quality -- instead of downloading bad files, not deleting, and thus sharing them -- that would slow the spreading of these files. Opting-in would, of course, slow down the general proliferation of good and bad files and would make it more difficult to find any files as fewer would share users, but I think it's a good trade-off.
That would leave the record industry cops with a lot more uploading to do. 700+MB is a lot of bits to move, and they have to do it every single time a user initiates a transfer. Are the odds that that user (assuming he only shares it if it's good and does not spread bad files) would go out and buy the movie/CD instead of either continuing to try to find a valid file, or simply giving up altogether? I highly doubt it.
The measure may be as simple as letting one listen to the song as it is downloaded, and having the users "moderate" it, à la Slashdot.
What we have is a huge cluon deficit on the part of the record companies.
As long as the focus is on how to violate copyrights we will never be able to do the much more complicated and involved work of convincing artists to ditch the hindrance of the publishing industry and take advantage of new technologies to reach a bigger audience for a lower investment (and, given the spectacularly rotten economics the biz offers musicians, make more money to boot). Everybody wins except the recording giants. Ah, that sounds like work. Better get back to pissing and moaning that they're slipping poison pills into your free stuff.
It Is the Nature of Information to Transgress Artificial Boundaries
Another amazing fact was the mod of this post. You make a very broad statement. 'P2P is good for the world'. Why is that? I know why it is good for you and me. It make it easier for the technology haves to download the music, games, videos they love so much. but why is this good for the world? How does this help society in anyway? Don't get me wrong I think the level of crap produced by the Music industry is at epic levels. However, the movie industry and game industry have been producing some major pieces of work. Yea they may be over priced and poor people may not be able to afford them (but I bet these same people can afford a kick-ass system to run those games on).
Or maybe you just wanted to try out the full game. Whatever. It don't matter. What makes this P2P good for the world?
Nothing. Don't try to justify your behavior. You can't. It's like using drugs. You don't use them to make you a better person. You use them because you can and it's fun. So please, don't try to make yourself out as any better than the 'scum' that would try to stop you. There is no honor among thieves.
The P2P concept is awesome. It is a great way to quickly exchange ideas, papers, shareware/freeware, etc. But when was the last time you downloaded anything other than copyrighted material from a P2P system?
I think you guys are pretty confused about MD5s.
Billions of crap files have exactly the same MD5 as your favorite Brittney MP3. This is because (duh) the MD5 is much shorter than the file itself.
True.
Where I think you are confused is about the nature of MD5.
MD5 is not just another hash function. It is cryptographically secure. This means that you will never ever, in the life of the universe, be able to find nor contrive / construct a file with an identical hash. That is the whole point of MD5. Otherwise digital signatures and certificates would be meaningless.
The price of freedom is eternal litigation.
There are many ways of justifying actions other than through the morality of those actions. I don't read books to make me a better person, I read them "because I can and it's fun." Perhaps reading makes me a better person (sometimes yes, sometimes no), but that's not why I do it. Does that mean I can't justify reading? And yes, sometimes drugs can make people better, too. Recreational drugs can make people less tense, they can give people new perspective, they can introduce people to whole new worlds of experience. Do they do this for most who use them? Probably not. But there is more "honor among thieves" among recreational drug users than exists between record labels and their consumers.
It's this puritanical stance that has really started to get me over the last few years. "Just because it's legal, doesn't make it right", true, but just because someone doesn't think it's right, doesn't make it so. Everything doesn't have to make the world a better place to have justification.
That aside, I do agree with your thesis. "P2P makes the world a better place" is one of the most specious and nebulous statements I've heard in a great while.
Then again, there are believed to be some weaknesses in MD5, making this a little bit easier.
TANSTAAFI: There Ain't No Such Thing As A Free iPod.
"You use them because you can and it's fun."
Whoa there buddy, there's a lot of things that humans do because they can and it's fun. Not everything needs to be done to improve one's person.
For example, unless you're a hardline religious conservative, sex is the first thing that comes to mind. People don't use that exclusively to procreate, and it's exercise value is arguable... in fact it's a great way to spread disease. We still do it of course, because it's fun.
Of course, moving off to your more reasonable point of "What makes this P2P good for the world?". The value is that people can examine things before purchasing them, which the can't legally do now. If you play a game and it sucks, too bad. Buy a movie and it stinks, so what. Buy a CD and it's full of crappy remixes and vapid lyrics, oh well (don't give me that "but you would have heard it on the radio" stuff, the radio doesn't play what I like to hear in these days of consolidation).
So, I download music online. If I like it, I buy the album. If it sucks, I don't. Yes, it's illegal. So is speeding. So is oral sex in the southeast US. So is lighting firecrackers in the northeast US. So is breaking curfew for teenagers. So is passing on the right. So is making a loud noise past 10pm. So are a ton of other things that people blow off on a regular day because they are fun, and it's stupid for them to be illegal.
Oh, and something else that's illegal.. Civil Disobedience, which is really what P2P is. Call it Corporate Disobedience, or Copyright Disobedience, or whatever you like. What it really does is show Corporate America that people hate their methods of media distribution so much they'll do whatever they have to to get around it.
And, finally, the Artists. Isn't all this P2P shit bad for them? Hell no! I never would have heard of the Cruxshadows, Claire Voyant, Attrition or The Shroud if it wasn't for P2P (you'll never hear them on the radio), but now I bought all their albums AND go see their shows. Since they don't make jack off the albums but they DO make money (the artists, not the record companies)off the shows, I think that makes it good for them too.
First of all, it pays our bandwidth and the infrastructure. I'm all for that, obviously.
Second of all, it destroys the validity of their statistics about how many files are downloaded. Their statistics on how much cash they lose through this already are bogus, but now they can't even give good numbers on how many files are transferred, because 3/4 of the downloads may be wasted through broken fake files.
Third of all, this will lead to more cool research in cryptography. There will be papers about how to make this kind of attack more difficult and how to build trust metrics between anonymous peers (and that are very interesting problems, you should consider doing research in the area!).
In the short run, this pays for bandwidth with the profits of the record companies. More bandwidth will be used to do more file sharing. One day, RIAA will understand that they are financing the infrastructure of the enemy and shut overpeer down.
In the long run, RIAA will raise the price for CDs even more, to pay for overpeer and the infrastructure of the P2P people. That will cause even more people to not buy their music but download it instead, hastening RIAA's run towards obsolescence.
Secondly, we only presume MD5 to be a good one way hash--there is no absolute proof that it is. There might be some novel approach that we just don't know about yet.
True indeed.
Just like we might find a way to easily find the prime factors of huge composite numbers. Which would render public key cryptography useless. But mathematicians smarter than us seem to think this is not likely. So your suggestion that it might happen doesn't mean much. After all, we might find a way to travel faster than light.
I can certainly generate SOME file (even if it is ugly) that will match your MD5 hash (and pass your signature with flying colors).
All you have to do to proove that a program could be written that could break MD5 is to post two tiny blocks of data which have the same MD5 hash. Basically the same simple test I would offer to anyone claiming a perpetual motion machine. Simply demonstrate it. If you break MD5 you could be famous.
Thirdly, by definition, no one-way hash can rule out the possiblity of brute forcing the hash by throwing enough stuff at it with the hope that something else will generate the same hash.
It is a given that something else will generate the same hash. I agreed with this point in your earlier post. It is just finding it that is the problem. If the RIAA wants to spend hundreds of millions of dollars to build a machine that might possibly find a block of data that hashes to the same hash as one mp3 file, then I would be right there cheering them on.
Throw enough horsepower at any problem, and you can solve it by brute force. Heck, in theory, you could exhaustively search the keyspace for a 2048-bit key. Extra credit: How many machines were working for how many years on the RC-64 challenge?
In 50 years even there is every reason to think that this would be a trivial task.
It's premature to say this. Only time will tell.
A key principal of cryptography is that you pick key lengths and algorithms that remain unbroken not just based on today's technology, but based on tomorrow's technology and how long the secrecy of the data remains important.
For instance, each bit of additional length added to a key doubles the keyspace that must be searched. Moore's law, if it continues to hold true, says that computer power doubles every 18 months. Now you figure out how many extra bits you need to add in order to prevent a successful attack within a 50-billion year timeframe. A 2048-bit key, for instance, is probably adequate over a 64-bit key.
As to your hypothesis that MD5 can be broken, you may be right. Maybe it will be. But I wouldn't hold my breath.
The price of freedom is eternal litigation.