Nullsoft's Waste: Encrypted, Distributed, Mesh Net

Myriad writes "Nullsoft, makers of the venerable Winamp MP3 player, released today a secure, distributed mesh-like networking protocal and platform called Waste. This v1.0 beta release uses RSA (key based) and Blowfish encryption for security, and features Instant Messanging and group chat, along with file browsing, searching, and transfer. Waste has been released under the GPL, with source and binaries available here."

Gnutella

[Nermal6693]

Didn't they make Gnutella too?

Re:Gnutella

[terrox]

oops now i realise it is for small secure/private networks - sounds good for VNC type stuff.

Re:Gnutella

[localghost]

No, Ferrero makes Nutella.

Re:Gnutella

[MacJedi]

Yes, they did. However, AOL didn't like it and got it shut down within the day. Then someone (Justin Frankel?) leaked the source and the rest is history.

/joeyo

Re:Gnutella

[Magila]

Indeed, here is the original slashdot story. Of course AOL quickly ended development at nullsoft, it lived on after the protocol had been reverse engineered and others picked up where nullsoft left off.

Re:Gnutella

As a matter of fact, Gnutella has nothing to do with Nutella, except for the similar name.

As you already pointed out in your links, Nutella is a chocalate spread. It is a FOOD item.

Gnutella is a SOFTWARE item. It is used for P2P (point-to-point) networking. Usually, Gnutella is used to distribute music, although it can be used to distribute any files.

I hope this comment has been helpful in clearing the matter.

Re:Gnutella

[lucas_gonze]

This is just plain wrong. The source was never available, leaked or otherwise.

The protocol was reverse engineered, with a little assistance on IRC from deadbeef.

Re:Gnutella

[bigberk]

Yes, here's a little background on gnutella and the protocol.

Re:Gnutella

[JeffSh]

deadbeef is justin frankel for anyone who is interested. same guy who did winamp, really a great software guy.

the reason why winamp 3 sucks so much, is because it's written by some other guy. justin isn't even in the credits of winamp3 .. sad

Hmmm....

[leviramsey]

AOL Time Warner (IIRC, owners of the second biggest recording company, not to mention one of the major recording studios) owns Nullsoft, which releases a program that the RIAA and MPAA will undoubtedly call a tool whose sole purpose is to illicitly distribute copyrighted works....

A cliche regarding:

• a left hand
• a right hand
• and a lack of knowledge

...comes to mind.

Re:Hmmm....

[glob]

"undoubtedly call a tool whose sole purpose is to illicitly distribute copyrighted works"

uhh, waste is for small workgroups only ..

WASTE is a software product and protocol that enables secure distributed communication for small (on the order of 10-50 nodes) trusted groups of users.

it's not about p2p file sharing, rather it's a colaborative tool.

sure, you could use to to share illegal stuff, but it's really no different in that respect to email, icq, whatever.

Re:Hmmm....

[leviramsey]

And does that fact necessarily matter to the *AA?

Re:Hmmm....

if you're not in encrypted communities for PIRATING, you're in it for TERRORISM.

Re:Hmmm....

[dir-wizard]

Not entirely true.. I work for a small company, 5-6 people who work out of their homes. Because we cannot get static IP's to everyone communication becomes and issue and a hastle. I see a real need for this kind of software. The encryption is a bonus for companies who don't want their communications listened in on....

Re:Hmmm....

[Daniel+Phillips]

AOL Time Warner (IIRC, owners of the second biggest recording company, not to mention one of the major recording studios) owns Nullsoft, which releases a program that the RIAA and MPAA will undoubtedly call a tool whose sole purpose is to illicitly distribute copyrighted works....

That was a joke right? And the moderators who marked it "interesting" and "insightful" really meant to mark it "funny", they just hit the wrong button, right?

In fact what we have here is a first cut at a secure distributed network presence system, something that would allow you to run an icq-like network between people you trust without being spied on by a central server. There are many reasons why one would want this: maybe *you* just want to trade copyrighted files, but *I* want to communicate securely and efficiently with my associates.

As for why AOL lets Nullsoft do things like this, I suppose the choice is either to let them work on what they want to or lose the talent. What Nullsoft is doing is the best thing for the net, and so is the best thing for AOL in the end.

Re:Hmmm....

[abulafia]

which releases a program that the RIAA and MPAA will undoubtedly call a tool whose sole purpose is to illicitly distribute copyrighted works....

There is no reason to call it that. It is a communication tool that tries not to leak information. I would encourage RIAA members to use it themselves, to better secure internal conversations against unintentional leakage. I'm sure "they" send files to each other via email from time to time. Isn't this better? What's not to like?

As a long time cypherpunk, I'm glad this is here. Way back in '94, I wrote out a model of this sort of thing, but with decent routing and key exchange, and then got busy working for money. I'm glad someone is doing this, even if it doesn't work on a larger scale.

Please flame the evil cypherpunk vision below.

until when

[Vej]

Makes you wonder how long it will be until protocols/network designs are attacked on the same basis as the product derived from them. ie p2p/filesharing.

Considering nullsoft, might be a risky move.

Interesting

[harikiri]

I haven't yet spotted any cryptographic "reviews" of this yet, but it certainly looks like an appealing platform to work with.

Going through the documentation, I found this:

From here

Note: It might be worth implementing WASTE using a subset of SSL, to avoid any concern of flaws in this protocol. Feedback is gladly accepted on any potential weaknesses of the negotiation. We have spent a decent amount of time analyzing this, and although we have found a few things that are not ideal (i.e. if you know public keys from a network, you can sniff some traffic and do an offline dictionary attack on the network name/ID), but overall it seems decent. The current implementation probably needs work, too.

Which suggests to me that it isn't worth rushing out and developing application with *just* yet, until further reviews have occured (and the protocol has matured/evolved).

Re:Interesting

[mark_lybarger]

come on now. the gpl won't hinder it's use in other applications at all. qt is licensed under gpl. is it's use in applications hindered? (currently only in the non unix world, but at the rate the cygwin port is coming along, that might change). gpl will ensure that all other apps are under gpl as well, and that's a good thing. i want to see and want others to see the source for my encrypted im application. i want my boss to have access to the source. i want lots of people to see the source and scrutinize it all to hell and back.

besides gpl is only for distrubiuted apps. if IBM or someother large corporation wants to make an internal use application that's customized for their use, then so be it.

Re:Interesting

[kubrick]

... or maybe Nullsoft would like people who are going to make money from it to approach them for a commercial license.

I don't see anything wrong with that -- they're a business, after all.

Five minutes later

[Jacer]

I read the article and immediately got excited. I downloaded all of the software and had it all setup and working within a few minutes. As of right now I'm living in an apartment and have no practical use, but on Monday I'm moving into my dorm room to start my summer class (bleh!) Anyway, I think this is so wonderful! I've been thinking about a secure network computing solution for my three computers when I'm at school. I have my server, workstation, and my laptop that I'd like to tie all together. The leading choice was vpn, but after playing around with this, I do think that running on my server and having the three of them connect to it, and maybe a few of my friends computers on campus, we can create a very nice, effective, small, and secure lan. Then again, after five minutes I haven't decided if the whole reinventing of the wheel is worth it. I'll probably try it out, and setup a vpn server too, and see which I like more.

Re:Five minutes later

[graveyhead]

VPN is better if you're a gamer...

Once you've set it up for a firewall, the f/w effectively vanishes inside the VPN. A friend and I struggled with firewall configs for years tweaking for the game of the day. Enter VPN, and now we have a private TCP network without firewalls. Any game supports that, no reconfiguration required.

The other thing is that it is built into w2k (my gaming platform of choice) and XP (friends platform). This means you can be up and running after reading some quick instructions on setting up the server, your shares (properly!), forward one TCP port (yes, only one) from your firewall to desktop, and that's it forever.

Add an uber-IM like Trillian, and that's all you will ever need.

Download and mirror this

[scrod]

while you can. Remember what happened when they first released Gnutella? If I recall, AOL forced them to pull it within hours (though it was already completely reverse-engineered almost immediately afterward).

Re:Download and mirror this

[Farley+Mullet]

+4 RTFA! more like it.

And I blockquote:

WASTE is a software product and protocol that enables secure distributed communication for small (on the order of 10-50 nodes) trusted groups of users.

So this isn't really a thing like gnutella. It's an enterprise product. As other posters have noted, it could conceivably be used to share (AOL-TW) copyrighted works, but that doesn't seem to be anywhere near it's main purpose. Heck, AOL is probably releasing the core technology as OSS to get the community to shake it down for bugs, in anticipation of releasing a commercial product built on top of the protocol. Kinda like how Apple has worked on open source technologies like zeroconf, and released commercial products like rendezvous built on the technology.

Re:Download and mirror this

[Ed+Avis]

WASTE is a software product and protocol...

It's understandable for marketeers and Microsoft to say 'software product' as a euphemism for 'computer program', but do hackers have to start doing it as well?

Interesting, not your usual peer to peer app.

[rmlane]

Designed for small groups of people (up to 50)

It allows easy colloboration across firewalls, and only one user inside the firewall is required to allow all users inside access to the mesh.

Each link is encrypted, but each message is decrypted and re-encrypted at each hop of the mesh, so you have to trust all of the nodes. It's also very hard to drop a node onc it is trusted, as each node shares public keys around to make sure all nodes have all public keys. Initial connection to the mesh requires manual key exchange. PITA, but moderatley secure.

All network traffic is encrypted, it will flood each mesh link with a minimum amount of bandwidth to foil traffic analysis.

For readers of Pynchon. . .

[BitHive]

That's W A S T E, not 'Waste'.

Re:For readers of Pynchon. . .

[IntlHarvester]

Above post was not at all offtopic. Crying of Lot 49 is a good nerd book, so go read it.

In the book, W.A.S.T.E is an underground postal system that allowed people to exchange messages without the authorities finding out.

Re:For readers of Pynchon. . .

[Surak]

And I doubt that's a coincidence either considering that's exactly what the protocol seems to do.

Now I've never read the book, but I'd say in an underground postal system every person in the system has to be trusted. Much like this protocol -- each node in the network needs to be trusted.

You have to build your own little underground network with a few trusted friends. This reminds me a lot of the pirate BBS days ... if you wanted access to the 'private' or 'elite' (we didn't use such silliness as 31337 ;) file sections, you had to know the sysop.

This system allowed for only quality 'warez' files because everyone who was allowed to trade files had to be trusted, and therefore they weren't going to damage their reputation by sending crap like you get on P2P nowadays like incomplete packages or stuff that said it was one thing, but really was another thing. Back when trading pirated software was more like a gentlemen's agreement and not the 'o-D4Y \/\/4R3Z!!!!' crap pimply-faced teenagers with nothing better to do do today.

On the other hand, one has to think, 'Who needs it?' Most of us who were in that community back then have merged in with the Open Source community today and if we trade software at all it's with a CD burner over a cup of coffee. ;) OTOH, maybe this is just the thing for people like us.

Just a thought...

Re:I have to ask..

[ergonal]

You're right. But you have to remember that, by the brief look of it I got, makes PGP-style stuff a lot easier. And what do most people use IM's for anyway? To chat to their friends? You bet. It wouldn't take long to develop a web of trust of, say, your entire school or workplace. But you're also right, it won't gain wide acceptance unless there's easy way to connect to the "network".. I just opened the "Network status" dialog, and what do I type in? Nothing right now, until I can get someone else to load it up.

Re:I have to ask..

[kliment]

I think this is meaningful, as it is an ad-hoc way of creating aa VPN. Also it would probably be faster if a few of the nodes have fast connections. If your friends don't see a reason behind this, then maybe it is not meant for your circle of friends. About the anonymous issue, note that Freenet already exists and works to handle that problem. This is meant to address a completely different issue

Is Groove doomed?

[misuba]

Resolved that: Gnutella aside, this technology is really a direct shot at Groove Networks, the company founded by Ray Ozzie of Lotus Notes fame to sell P2P-derived technology to small and large business.

Discuss.

Re:Is Groove doomed?

[reaper20]

If

a) Groove was actually used by anybody and
b) It wasn't such horrible software

then I would say yes. Unfortunately Groove is a solution looking for a problem, and how many people get excited when you hear "designed by the guy that designed Notes."

Re:Is Groove doomed?

[misuba]

Well, that begs the question: what problem is Waste designed to solve? Who will use it?

It seems to me that secure instant messaging and peer-to-peer file transfer between members of a distributed workgroup serves a real need. I can't imagine that Nullsoft would have developed this unless they saw a need themselves. Other solutions might technically already exist, but they don't appear to be as easy to install. (In that respect I could be wrong about VPN; I haven't looked into it.)

It'll be interesting to see whether Waste follows the path of Groove in the respect of becoming a platform, and providing an API for others to develop new tools.

Re:I have to ask..

[Motherfucking+Shit]

What's the point? If you can only connect to people who's key you have, and if only people who have your key can connect to you, this is going to be a pretty private thing.

Exactly, privacy is what it's all about. People tend to forget (or not realize to begin with) that every bit of chatter they send to one another on AIM goes through AOL's servers, every message they send to their buddy on MSN Messenger passes through Microsoft's servers, etc. Waste gives you the ability to conduct reasonably secure conversations and chat. Sure, it's not as geeky as running your own private IRC server wrapped in stunnel, but hey, the easier crypto becomes, the better.

The next time you want to have a chat with a friend, but you don't exactly want the contents bouncing all over the internet in plaintext, this looks like the perfect application. Reminds me somewhat of a program called SIMP, which is a minimalistic Blowfish-ized IM program.

Beep!

[BladeMelbourne]

Thanks for the link!

On their site I found a program called Beep. It makes noises on keyboard/mouse input :-)

http://www.nullsoft.com/free/nbeep

It gets annoying after a while, but it is 'cute' enough to impress my girlfriend. And that matters as much as keeping my RedHat system up2date. LOL

Re:Beep!

[millwall]

"[...] It makes noises on keyboard/mouse input :-) [...] it is 'cute' enough to impress my girlfriend."

Where do you find a girl that could be impressed that easily? No need for fancy restaurants or expensive gifts, just type on your keyboard and she goes mental.... nice!

Re:Beep!

[Debian+Troll]

Dear levinramsey,

I've just gotten off the phone with Bruce Perens, talking about that very topic! At the moment, both Bruce and I are too busy to devote much time to our Debian-focused e-newsletter, Elitist Open Source Zealot Virgin. As you may be aware, I am totally consumed with my current Windows port of apt-get, and Bruce has a full time job just keeping the hobos and crack junkies out of his cardboard box underneath the 23rd Street rail bridge.

Sincerely,
Debian Troll.

Re:Gnutella - YES

Yes, Nullsoft originally created Gnutella then parent company AOL forced them to stop development, but the cat was out of the back and code was leaked/reverse engineered.

Re:fix what needs fixing

[misuba]

Winamp 2.9 is the latest release of the Winamp 2.x codebase, which takes most of the good ideas that went into Winamp 3 and codes them back to an API free of excessive abstraction. It's been out for weeks, if not months. Check your facts before posting.

well...

[inkedmn]

as long as it has those uber-bitchin' skins, i'm in.

GPL Licences

[rmlane]

Quoting from the source:

Copyright (C) 2003 Nullsoft, Inc.

WASTE is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

Re:I have to ask..

[junklight]

The problem that we have here is that this network is NOT for piracy and therefore a lot of slashdot readers cannot see the use for it. Think instead of people working together - a workgroup as it where. For example why pay rental fees on an office when you can have a virtual one using tools such as this? Now I am not sure how great this tool is for that right not (I'm guessing - first release - not very) but I am sure it will come if people start using it.

They already fixed Winamp, whiner

Firstly, the WA2 group backported the two major features of WA3 (video support and the media library) to WA2 and released it as WA 2.9. Development continues on a hybrid tree under the working title WA5 (2 + 3 == 5).

Secondly, not everyone shares your idea of "what they need to do". Winamp is a nice media player, but nevertheless just a media player; to many people, a protocol that facilitates cryptographically secure collaboration is infinitely more useful.

Thirdly, I'm not clear on what obligation you think Nullsoft owes you even when they're on company time, but I wouldn't be surprised if WASTE was written in spare time--you know, for fun.

Re:They already fixed Winamp, whiner

[UniverseIsADoughnut]

Hey good their working on the old series, which would show they accept the issues of the 3x series.

I know many people do feel the way I do, talk to most people who have tried 3.0 or even go to their website and see people bitching about it. Winamp is the most used player in windows, second only to WMP, though I wouldn't be surprised if more used. To stop trying to make a decent product and ignore the problems will cause them to loose their marketshare and thus make them worthless, not a very good business model if you want to be around to do other things like protocols.

Also I don't think many people care about this protocol, sure the paranoid types might, but this is very much something most people could care less about.

Also I in no way have said they are obligated to do anything. I was just pointing out how they have gone from something good to complete crap. I don't belive companies own anyone anything unless there was some deal which requires them to.

I doubt it was done in spare time, if it was employees doing something it was during work time, and if there are things that need to be done to your product you don't have "free time" . Free time is when there is nothing you should be doing.

Nullsoft is a company. Time is money for them. Users are money for them. Being a company that gives product away for free, the balance of keaping them is huge. If no one goes to your sight and clicks on ads and so forth they are done.

One last thing, they haven't fixed jake shit. winamp 3 is broken, go to their sight, winamp 3 is what they are advertising. Making updates to an older product is not fixing. To be fixed means they got all the issues sorta out with 3.0 .

Re:They already fixed Winamp, whiner

[awakened+tech]

To a certain extent this protocol is probably far more important than winamp will ever be. We keep hearing predictions of how IM is the next big thing in business, however no buiness is going to touch current IM technologies for two main reasons, security and accessibility (if I have MSN installed I will spend more time chatting to my mates than collaborating with my colleagues). WASTE solves those two problems and therefore enables businesses to seriously look at using IM type technologies in the work place.

1337

[houston_pt]

Listen port
Listening on port 1337

Somehow I think this is a very well chosen port... ;-)

4 years later May 28th

[Isosonys]

Did nullsoft do this to thumb its nose at Aol? It was released May 28th 4 years after Aol paid a nice sum to buy Nullsoft.

Yes, it's GPL and it says so...

[malakai]

I don't know, are you a troll?

Try searching on 'GNU General Public License' Einstein.

/*
WASTE - connection.cpp (Secured TCP connection class)
Copyright (C) 2003 Nullsoft, Inc.

WASTE is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

WASTE is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with WASTE; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/

Re:Yes, it's GPL and it says so...

[MisterFancypants]

Yeah but the original poster's question about md5/RSA code still stands...That code is incompatible with the GPL.

Re:Yes, it's GPL and it says so...

[harlows_monkeys]

Oops. I should have grepped for GNU in addition to GPL. I also see they've got a license.txt file, which includes the text of the GPL.

Now if you can just explain away the RSA code that has the license that is incompatible with the GPL, everything will be fine.

Go read Pynchon

[billstewart]

In "The Crying of Lot 49", which is a nice short fast spacy read, there's a plot thread about competing mail services and a conspiracy that conducts its private communications in a way that, if you refer to the name of the product as "waste" rather than "W A S T E", indicates you're clearly not part of their group. There are also email systems called "Trystero" for similar reasons, and it makes looking at post office boxes in Scandinavia quite silly even without sampling the local agricultural products.

Re:I have to ask..

But you're also right, it won't gain wide acceptance unless there's easy way to connect to the "network".. I just opened the "Network status" dialog, and what do I type in?

There is no network. The goal isn't "wide acceptance". This isn't another way for you to get your mp3s, porn, whatever. Front page of the site, emphasis added:

WASTE is a software product and protocol that enables secure distributed communication for small (on the order of 10-50 nodes) trusted groups of users.

WASTE is designed to enable small companies and small teams within larger companies to easily communicate and collaborate in a secure and efficient fashion, independent of physical network topology.

As for the "What's the point" question...

[malakai]

put on your conspiracy hats...

Think of it this way, these guys know probably better than anyone else NOT on the AOL IM team, just how much of IM conversations are monitored, logged, mined for information, media metrics...etc.

Not to mention, they work in that environment, they prolly want to be able to say "god damn, our executive VP is a bitch" and not have some network engineer provide a log documenting that conversation later.

Yeah, i wish it scalled, but wtf, its opensource. Go make it scale. For now, 10-50 is plenty for most groups of online friends.

Personally, I'd loved to see technology like Pastry get hacked into it.

-malakai

Re:As for the "What's the point" question...

[$carab]

I remember watching on Dateline a couple years back about a murder trial, and apparently one of the major pieces of eveidence was a saved AIM conversation. They got one the AOL execs to testify that there was no way of verifying if it was a real transcript because AOL doesnt keep logs.

I think theres an sf project do do AIM sniffing though, but still, AOL doesnt log your conversations.

Linux port ?

[theefer]

How many minutes before we can see the first Linux port (it works under W$, FreeBSD and MacOS X) ?

Re:Linux port ?

[Kompressor]

Closer than you think...

I haven't used C in 3 years and I managed to get it to compile with a bit of hacking. As for stability, your guess is as good as mine...

diff -r waste/Makefile.posix waste_port/Makefile.posix
4c4
< RSAOBJS = md5c.o nn.o prime.o r_random.o rsa.o
---
> RSAOBJS = rsa/md5c.o rsa/nn.o rsa/prime.o rsa/r_random.o rsa/rsa.o
7,8c7,8
< CXXFLAGS = -O2 $(DEBUGFLAG) -pipe -march=pentiumpro
< CFLAGS = -O2 $(DEBUGFLAG) -pipe -march=pentiumpro
---
> CXXFLAGS = -O2 $(DEBUGFLAG) -pipe
> CFLAGS = -O2 $(DEBUGFLAG) -pipe
diff -r waste/connection.cpp waste_port/connection.cpp
771c771
< if (::getsockname(m_socket,(struct sockaddr *)&sin,(socklen_t *)&len)) return 0;
---
> if (::getsockname(m_socket,(struct sockaddr *)&sin,(unsigned socklen_t *)&len)) return 0;
diff -r waste/listen.cpp waste_port/listen.cpp
85c85
< int s = accept(m_socket, (struct sockaddr *) &saddr, (socklen_t *)&length);
---
> int s = accept(m_socket, (struct sockaddr *) &saddr, (unsigned socklen_t *)&length);
diff -r waste/srvmain.cpp waste_port/srvmain.cpp
31c31
< #include "md5.h"
---
> #include "rsa/md5.h"
diff -r waste/xfers.cpp waste_port/xfers.cpp
812c812,814
< if (!RemoveDirectory(s)) break;
---
> // The below seems to be from the win32 API. I'll just comment it out and hope it doesn't break anything.
> // Jordan R. Urie
> // if (!RemoveDirectory(s)) break;

Re:Linux port ?

[Kompressor]

btw, you can catch me on ICQ at 270283531 if you want to work this in realtime.

Re:Linux port ?

[dschuetz]

Alright, I think I'm figuring this out. Lack of documentation is something of a hinderance here... It really boils down to there not being any kind of initial configuration system on the server side, so you do all the keygen and profile creation on windows and copy stuff back and forth. Ugly. But, I guess it *is* alpha (though maybe it should be 0.1 rather than 1.0...)

It's compiled (I just made the changes shown elsewhere in this thread). Start up the windows version, create a private/public key pair (using a *server* passphrase, as this will be moved to the server). Oh, also copy the profile (default.pr0) from the windows box to the wastesrv folder, modifying and deleting stuff as appropriate within the file (like I deleted my nickname, etc.)

Export the private key to a file. Move that file to "default.pr4" in the wasteserv folder. Copy the public key to the clipboard, paste that into a file called "default.pr3" in the wasteserv folder (I changed the nick on that line to "server").

Go back to your windows client, and create a *new* private/public key pair, then copy that public key, via the clipboard, to the default.pr3 file, leaving your nick intact.

Copy the public key for the server to the windows client, importing it via the preferences panel. (this was the public half of the first key pair you created, which is now the server key).

Hit the network button, enter your server's IP in the drop-down field at the top, hit connect, and, maybe, it'll work. Maybe.

'course, I'm the only person on my server, so I'm not seeing anything. Gotta get someone else to try this too.

Hope this helps....

Re:Linux port ?

[Bob+Uhl]

According to Microsoft, RemoveDirectory() removes the directory specifed in a C string. The directory must be empty, exactly as with the POSIX rmdir(). The return value is 0 if unsuccessful, non-zero otherwise; this is the opposite of rmdir(). So, it's better to replace that snippet with:

if (rmdir(s)) break;

Re:Linux port ?

[grazzy]

This code actually does work, with this patch you are able to both transfer files, connect, and chat.

The tricky thing is to set up the server properly.

The easiest way is like someone else pointed out to make a new profile in waste, (copy your own default.pr* files out of the way first).

Then, add your public SERVER key to your public-key list in the windows-client. And add your public-windows-client-key to the list of keys of the server.. (default.pr3).

Dont forget to NOT use a network name ( or make sure they are the same in your default.pr0 files).

If you want to join my server contact me on icq: 706826, or see http://waste.mjoelkbar.net/ which will be online soon.

Re:Linux port ?

[grazzy]

Wrong url:
http://grazzy.mjoelkbar.net/waste/

Re:Linux port ?

[grazzy]

Binary mirrors:
http://130.236.227.49/waste.zip
http:// grazzy.mjoelkbar.net/waste/waste.zip

Source mirrors:
http://grazzy.mjoelkbar.net/waste/waste- source.tar .gz

AOL Time Warner...

[tolarianacademy]

...owns Nullsoft, (as already mentioned by leviramsy) but an interesting theory had been presented to me, suggesting that AOL Time Warner has for some time been planning to trump Apple's iTunes store. Maybe they are planning to power such a service with peer networking? I have never beleived this personally because AOL Time Warner would just as soon want to have everyone surfing from the same servers anyhow, and a decentralized system would only tax their bandwidth more. Maybe...maybe they will release such a service that utilizes both p2p transfers in combination with traditional server-to-client transfers, and maybe use it as an advertising platform for AOL, giving AOL users better functionality, or maybe even restricting server-to-client transfers to AOL users once the service becomes popular. Does anyone else think this idea is bogus? I find it hard to beleive, but I can't figure out how else Nullsoft could be /allowed/ to create this new service.

Re:AOL Time Warner...

[Isosonys]

what service? I see software, Free software at that with code. Maybe someone got bored at the office?

Re:AOL Time Warner...

[afidel]

If I remember correctly Justin's contract basically gave him complete freedom from luser management as long as he didn't do anything illegal. Besides he got so much dough from AOL that he could just work on it at home and release it, though it would lack the Nullsoft name that obviously gets it more press. This would be pretty worthless from AOL/TW's perspective, for that they would probably want something like BitTorrent with user authentication.

Here is the full source

[infonography]

Here is the source for those who are wondering what it's all about.

---

WE AWAIT SILENT TRISTERO'S EMPIRE.

Revolution of Filesharing?

[cyberm_acc]

I'm suprised no one has mentioned the obvious. This is a terrible blow to the RIAA and the all the people who have been trying to sue filesharers into oblivion.

There are two uses I see for this:
There are going to be groups of people dedicated to one theme, for example, Horror Movies, or Horror Movies with mutant bees, sharing all their Horror Movies, you will need a certain ammount of Horror Movie Uploads for Downloads and noone will ever be to know you had Queen Bee 1-3.

If you replace Horror with new release you get lots of small miniDonkeys, many interconnected and unstoppable.

I'm convinced this is a revolution in filesharing because it solves the two biggest Problems filesharing has, crappy downloads and getting sued.
The downloads will be of really good quality beacause you will be sharing with friends of people you know from chatting and if the put crap in their upload directory they won't be one of your cirle of friends much longer.

Getting sued is obvious, noone will be able to tell what you are doing (the might be able to guess that all those people on cable are not running a vpn yet) as just your circle of friends know. There is still the possibility that one of your friends is a traitor but i would call that a rare chance.

Getting it to work.

[commonchaos]

Looks like you not only have to trade public keys with your friend, but somebody needs to have WASTE on a public IP with port 1337 open.

Re:I have to ask..

[GMC-jimmy]

If your not scared of Beta software, there's an IRC client that supports encryption for queries and even channel messages. You do have to share your key with whom ever you want to be able to read your messages however.

It's KVirc 3 over at www.kvirc.net.
It's primarily writen for KDE/Linux but they also have a pre-compiled Win32 stand-alone.

Re:Why didn't they call it "Idiot"?

[driftingwalrus]

Beleive it or not, but they're not trying to sell it. You only need marketing if you plan on selling it.

Re:License? GPL

[harlows_monkeys]

Seems like conflicting information to me.

I goofed, and grepped for "gpl". "gnu" would have been a better grep term.

However, there's still the rsa directory, which contains stuff not compatible with GPL. (Which puzzles me...since waste is GPL'ed, why didn't they use gmp for the math, or whatever gpg uses?)

By their calculations

[LiquidCoooled]

To the MPAA, 50 nodes running on a fast network means there are really 300 wicked infidel filetraders!!!!

Re:I have to ask..

[spectral]

Eh, yes it does. Otherwise I'd have a lot more connections open while talking to people than just the one single connection to AOL's server. Hence the 'direct connect' button, which then DOES establish a direct connection to the server. Also, ICQ now uses modified versions of the AIM protocol(s) anyway (or at least, can run on them), so all ICQ traffic prolly goes through the servers too.

I bet the other networks are the same. MSN, Yahoo, etc. Direct connections are a bit slower to start up, and a bit more of a security risk, since you now know the other person's IP address.

daemons name

Is it called wasted ?

Re:JabberIM does this

[wossName]

As much as I love Jabber, that's simply not true. Jabber has no widely implemented encryption between all links, and file transfer is not exactly its strong side.

Everyone invented Gnutella

[CrazyJim0]

I think hundreds or thousands of coders thought of this shit, especially when Napster got shutdown.

I personally came across it when removing a section of my P2P anti hacking designed for Diablo 1 to be secure even without a central server.

Interestingly enough, I was going to call my Gnutella: Dumpster

Which is cool they're naming their software: Waste

Lets see how it turns out

It's a really useful tool for business too

[Eminence]

WASTE is something that is indeed very useful for small company or teams (especially dispersed teams) in larger organizations. In many places one or another IM system is being used to communicate with team members. Over ICQ or AOL contracts and employment conditions are discussed, remarks about contractors and clients are passed etc. That is a huge security leak if you look at it from a certain prospective, especially for some profiles of companies like small consulting firms with employees regularly using clients networks. WASTE is a simple to use and free method of closing that leak.

I know at least two small companies that should adopt WASTE immediately and I would advise them to do so. One is a PR company with 2-10 people offices around Europe, where ICQ is frequently used as a discussion medium. Other is a small consulting company. Someone eavesdropping on their ICQ chats could seriously damage both of them.

Re:It's a really useful tool for business too

[javatips]

SecureIM only do encryption. There is NO way with SecureIM to be sure that you are talking to the right person.

It would be very easy for some network admin to do a man in the middle attack by intercepting all the trafic between you and your buddy (with the initial key exchange) without you knowing anything about it.

Having a false sense of security is worse that knowing that your communication is NOT secure.

A better way, would be to use PGP to enrypt your communication with your buddy. At least, if your are confident you obtained your buddy real public key, you know you are talking to the right person.

What no LibTomMath for bignum RSA?

[tomstdenis]

Oh darn. Looks like they used some homebrew crap for their bignum stuff.

Common LibTomMath is like a billion times faster [not to mention very well tested]....

Plug plug plug!

http://math.libtomcrypt.org

Tom

Re:What no LibTomMath for bignum RSA?

[Luminair]

Telling Slashdotters won't help.

Here, tell the WASTE folks instead: http://forums.winamp.com/forumdisplay.php?forumid= 154

Re:downloaded, now what?

[zonix]

okay i've downloaded it. now how the hell do I connect to someone else and start talking?

You need to have friends, dude! :-)

z

Looks great but...

[randomErr]

The software looks great and installed like a dream but How can I test it?

How can I point it at a node that will allow me to try it out? I ask this because what if someone is on the internet and needs to connect to me network. How do I point them to my network?

Re:Looks great but...

[tamagen]

You need at least one other client running somewhere.

You both need to enter each other's public key into your client to get started. This step shows that you "trust" one another.

Anyone else who wants to join your "network" must also enter one of your existing network members' public key into their client and have that existing member enter the new user's public key into *their* client. This step automatically makes the new person "trusted" by all the other members of the network - the important part is that you don't have to explicitly swap public keys with EVERYONE - just with one member of the network. The client does the rest once you connect to the network - see below.

Now, to get started and initially connect to someone's machine, enter their hostname or IP address (not their "username") into the "Network" window. This primes your client - it will then discover all it needs to know about the other members of the network, since by default, each client will be broadcasting discovery information (usernames, hostnames, public keys).

The "Browser" window shows all the users in the network, but currently ONLY if they are sharing one or more files. So, get each person who joins the network to share at least a test file so that they will always appear in everyone's "Browser" window.

Right-click on any names in the browser window to start interacting with them.

HTH

Re:downloaded, now what?

[dpu]

i'm going to bite my tongue about "leeches" and actually help a bit here.

reading the docs, it becomes apparent that in order to connect to other people, you need to know their public key, and vice versa. i'm paraphrasing, but that's essentially it :) good luck!

Key exchange

[yem]

"Initial connection to the mesh requires manual key exchange. PITA, but moderatley secure."

IIRC, key exchange is where most encryption schemes fall down. If this ever takes off I'd guess 99% of users will trade keys over plain ol unencrypted SMTP.

Nice summary though - this really does look interesting.

Re:Key exchange

[CrypticOutsider]

IIRC, key exchange is where most encryption schemes fall down. If this ever takes off I'd guess 99% of users will trade keys over plain ol unencrypted SMTP.

And what's wrong with that? You're exchanging your public keys.

From the Waste setup guide:

8. At this point you should copy your public key to the clipboard using the button labeled "Copy my public key to the clipboard" and then paste it into an email/IM/whatever to give it to the person(s) you wish to connect to.

9. You should also acquire the PUBLIC key of the person(s) you wish to connect to via some means, and then click the "Import public keys..." button in order to import their PUBLIC keys. Once you import their PUBLIC keys, there should be a message in the setup wizard telling you how many keys are loaded total.

Re:I have to ask..

[daserver]

Well there is a whole network, silcnet, that builds upon irc but makes it safe. It not that far away from 1.0. http://www.silcnet.org/

good name...

[fok]

. "I waste you when I get home"
. "Have you been wasted today?"
. "Be right there... just let me waste someone..."

and so on and so forth...

slighly OT: Jabber communication encryption

[Ahaldra]

*sigh* so many jabber clients - so many implementations. It seems as if noone developing a jabber client actually cared to look into the official proposals.

So, if you are a jabber client developer or intend to become one, see this article for a proposed handling of Open PGP -type encryption.

Re:name "Waste" -- Pynchon's The Crying of Lot 49

[elwinc]

I believe the name "Waste" is a references to Thomas Pynchon's novel "The Crying of Lot 49." In the novel, W.A.S.T.E is either a hoax or a secret system for communication, and (might) stand for "We Await Silent Tristero's Empire." Here's a little quote:

"Last night, she might have wondered what undergrounds apart from the couple she knew of communicated by WASTE system. By sunrise she could legitimately ask what undergrounds didn't....[H]ere were God knew how many citizens, deliberately choosing not to communicate by U.S. Mail. It was not an act of treason, nor possibly even of defiance. But it was a calculated withdrawal, from the life of the Republic, from its machinery. Whatever else was being denied them out of hate, indifference to the power of their vote, loopholes, simple ignorance, this withdrawal was their own, unpublicized, private. Since they could not have withdrawn into a vacuum (could they?), there had to exist the separate, silent, unsuspected world."

The Right Hand Knows

[fm6]

In fact what we have here is a first cut at a secure distributed network presence system, something that would allow you to run an icq-like network between people you trust without being spied on by a central server. There are many reasons why one would want this: maybe *you* just want to trade copyrighted files, but *I* want to communicate securely and efficiently with my associates.

Besides which, this software isn't particularly useful for illicit file sharing. For that you need a way to get into contact with strangers who happen to have a copy of the file you want to download. The encryption features would actually seem to work against that.

Also, this is technology that might be very useful to AOL. AIM's big drawback is that it's not very secure, and really shouldn't be used for sensitive corporate communication. (Though the engineers at my last employer used it anyway.) AOL could persuade people that are already using AIM for free to upgrade to WASTE in order to secure their communications. Not to mention the other features.

We Await Silent Trystero's Empire!

Re:The Right Hand Knows

[L7_]

Yes, it seems to be more of a client where you already have a trusted group of users either from real life (Say, a whole dorm hall or a bunch of co-workers) or from a presence online (Say, a whole gaming guild or software collaborators or even a little message board community) to open some of your system files to. It is a trusted way to get recommended files, be they legal or illegal.

You don't need to be in contact with strangers if all your friends have GBs upon GBs of "shared source".

Re:The Right Hand Knows

[jafuser]

Your post just made me realize how useful it actually is.

I run a small network in my apartment with my roommates, and we all have various versions of windows, and some computers are "homed" on a different domain, especially if a friend brings his work laptop over during a lan party.

In these kind of environments, windows file sharing seems to be much more hassle than it's worth. On Win2k, it seems like it's a 10 step process just to share a folder. Even after that, it can take one or two minutes just to navigate the windows network to get to the other computer (why is this so slow anyway?).

Sometimes I've gotten so frustrated with it that I'll skip all the windows sharing BS and just upload the files to an FTP site hosted somewhere else on the internet, then have my friend, who is only 10 meters away from me and on the same private network as me, ftp it back down.

Sure, I could put my own ftp server on my machine, but that is too much hassle for a one-time use.

With something like this, it looks like it might be a quick and easy way to do file sharing that sounds a lot safer than most of the the simple alternatives...

Re:linux?

[JakusMinimus]

yeah, the root of this is a #define for socklen_t in the non-win32 code (which is already typedef'd in system headers). my solution was to put a #ifdef POSIX around the define.

up and running on linux

[JakusMinimus]

a link to the cleaned up code i am running: http://www.entheal.com/users/dweomer/waste-source- clean.tgz

my server's public key

WASTE_PUBLIC_KEY 20 2048 entheal.com
ABB44E9339FC6CE16A3C04A9D828AD3F6C78A 308FF66442E35B3F69C2CFC
7AAF98FFFCE94A95E074C6B8F B8F46105A7575A5AB9CFBF9112E1AE13C02
B7CFDA578CD7B 114A64E6B18D9F857BD982E741D2A214EE52878580B51DA
4 081980FA0923244FA59D05FE314347384D23DBD58C736D71D6 D490EFD4D
E3587D463D351236280BCAD18DD40F12D9F0DAF 6C3C88CAB2243A21B7A8D
B0C89075685E12052263C6DD9EA 6809967A7D354037EF00F078E5E298DFC
2E89E43AF161FCF B30B2B41873F0BB34706B4C8EF749B6A3E45135F9F08D
FAF 6F684E29787ECE5FB0DFEBABF904C11327CE085F735C0D7E08 DE811B3
04CEC56742090AA7A714497B9CEF1C35000301000 1
WASTE_PUBLIC_KEY_END

server name is entheal.com (you may have guessed from the public key ... )

Re:up and running on linux

[DarkBlack]

If you are using gcc 3.2 as I am on Debian Unstable, you will probably need this patch:

--- waste/Makefile.posix 2003-05-29 11:58:45.000000000 -0400
+++ waste/Makefile.posix.new 2003-05-29 14:00:34.000000000 -0400
@@ -8,7 +8,7 @@

wastesrv: $(OBJS) $(RSAOBJS)
- $(CC) $(DEBUGFLAG) -pthread -o wastesrv $(OBJS) $(RSAOBJS)
+ $(CC) $(DEBUGFLAG) -pthread -o wastesrv $(OBJS) $(RSAOBJS) -lstdc++

clean:
rm -f $(OBJS) $(RSAOBJS) wastesrv

The good, and the bad....

[NerveGas]

While on the surface, this might seem like a reinvention of IP tunnelling and VPN's, there are a couple of important features bundled in that set it apart:

1. It turns each node into a router. While you can establish a VPN with other tool kits, you still have to enable and configure the routing manually.

2. It's entirely user-land - it's a standalone program that a user can plop on their machine and be on their way.

The best part about it is that you can get through firewalls. The worst part about it is that you can get through firewalls.

Most people are pretty polar in their opinions of firewalls, with most of those people seeing them a fascist mechanism to control what they can see. In some (perhaps most) cases, that can be true. However, firewalls are much more than that: They can (and often are) used to protect YOU, the clueless end-user, from the other bad people on the Internet.

After I clear out counters on firewall rules, it's not uncommon to see 10-20 (sometimes more) incoming attacks within 5 seconds.

So, this will be great for letting people browse the web from work. On the other hand, it will expose them to propagation of worms and attacks which would have otherwise been caught by the firewall.

Is this a good program? Overall, I think that it's a good thing that NullSoft created it. We simply need to realize that with all of the benefits it brings, it will also bring a few negatvies with it.

steve

Re:I have to ask..

[raynet]

Also Irssi and ircII have IDEA patches and they work really well too, been using them for year or two now.

Waste Public Node List

[Str8Dog]

I threw up a forum for people who would like to list their public nodes here

Nullsoft's Product Names

[Midajo]

Probably the same company that made the PIMP (and afterwards the SuperPIMP) install system...

And let's not forget the program packass.exe, which creates a big .ASS archive, similar to a tarball. No, I'm not kidding. Check it out.
Buncha hooligans.

Re:name "Waste" -- Pynchon's The Crying of Lot 49

[dav]

Ah! I love this book! I about jumped out of my seat as soon as I saw the trumpet icon :) ...but isn't it supposed to be a muted trumpet?

Nevertheless, it's a great name choice....

well, the download page just went 404

[ntk]

I guess AOL found out again...

Re:well, the download page just went 404

[Eminence]

Well, all the pages about WASTE are 404 now, WASTE also disappeared from the list of software made by Nullsoft. But - as I said already here - it's already irrelevant, as the GPL-ed source is already mirrored around the world and will be worked on. Soon we will see ports and mutations of WASTE everywhere.

Looks like the guys at Nullsoft learned from Gnutella...

and now W A S T E

[akahige]

AOL must not like W A S T E either. it's been pulled and there's no trace of it on the nullsoft site. hope someone mirrored it...

Found a Mirror

while perusing the winamp forums, I found a mirror:

waste installer
waste source

Re: Gone!

[MMHere]

Thread ID#13077 in a message entitled WASTE gone... RETURNED! (look in the forum CommunityCenter/GeneralDiscussions at forums.winamp.com has the source and binary posted.

You'll have to register for the WinAmp forums first.

Not sure if the poster hacked/altered them first, but at least something appears to be there. I was unable to grab the installer earlier, but I did grab the .zip for the sources earlier. The .zip I grabbed earlier and the .zip posted in said forum match according to the cmp command.

I'm gonna build from the sources myself rather than run the posted .EXE.

oh well

[WilyKit]

The URL provided is 404.

Looks like they did it again, got AOL Time Warner scrambling and they pulled the plug. (Same thing happened with Gnutella, remember?)

Waste Mirror

[Freaek]

Waste is here

Contents of the file are as follows;

waste - network architecture.htm
waste - network architecture_files
waste - security model and implementation.htm
waste-setup.exe
waste-source.tar.gz
waste-source.zip

This will be up until it's not. Enjoy! :)

--Pete (peteg [at] sifnt dot net)

Re:Waste Mirror

[GuNgA-DiN]

I've put up another mirror here.

Re:Gnutella: Ouch this is gone also

[Jouster]

The other fun part was that, the day after the Gnutella debacle, they managed to sneak in a mention of Nutella (and a picture of it!) into their "Ask Nullsoft" section. I wonder if they'll do something similar with WASTE?

Coincidentally, see also this lecture on this history of Gnutella (warning: PDF), or its handy Google HTML-ized version.

Jouster

Has WASTE been removed from nullsoft ?

[Taco+Cowboy]

Both the Download Page and the Security Page aren't accessible.

This bring the question of whether WASTE have been removed from nullsoft.com, or not?