Slashdot Mirror


Japanese P2P Users Arrested, Creator Targeted

nutznboltz writes "According to a story on CNET Asia, two Japanese users of the Winny P2P application have been arrested for copyright violations, and the developer of the P2P software has also had his home searched by police. Winny was 'supposedly anonymous', and purported to be based on Freenet, although Freenet creator Ian Clarke is claiming that Winny is not really like Freenet, and that he's 'not concerned that the Japanese police have somehow found a way to compromise Freenet's security'."


  1. This is an outrage! by Channard · · Score: 5, Funny

    This must stop! If this continues, the P2P world's supply of tentacle rape porn and mech video clips could dry up overnight!

    1. Re:This is an outrage! by JohnFluxx · · Score: 2, Funny

      where do I find tentacle rape mech video clips ? Sounds interesting

    2. Re:This is an outrage! by fenix+down · · Score: 2, Funny

      In Taiwan, the International Federation of the Phonographic Industry (IFPI) has sued three P2P users who are said to have shared files on the locally-popular Kuro and Ezpeer networks.

      Let this be a warning.... to you!

  2. Re:Piracy is a crime by Negatyfus · · Score: 2, Funny

    You just voice anti-Slashdot opinion somewhere else, mister! We have learned to like our daily share of "same story, different country" posts!

  3. MOD DOWN, troll by Anonymous Coward · · Score: 4, Insightful

    1. p2p isn't piracy or crime, just like everything else it can be used to violate laws, so p2p != piracy.

    2. copying software isn't theft or crime, it's just copyright violation (I'm not saying it's cool, it's just not a crime)

    1. Re:MOD DOWN, troll by RumpRoast · · Score: 2, Insightful

      But if you read the article, they were arrested for sharing very specific items, namely a Nintendo game and a feature film. That is piracy, regardless of the p2p enabler.

      Also, although IANACL, isn't copyright violation a crime? So I can just violate copyrights willy nilly and get away with it until I'm slapped with a civil suit?

      --

      My Ass hurts.
    2. Re:MOD DOWN, troll by Anonymous Coward · · Score: 2, Informative

      I had to read through the U.S. copyright law stuff a week or so ago, so I have a minimal amount of knowledge on this (I am not a lawyer, of course). Copyright violation is a criminal offense sometimes for the distributor, if a minimum amount of retail value worth of goods (among one or two other conditions) can be proved to be willingly distributed. For the recipient, I think only civil law applies.

    3. Re:MOD DOWN, troll by throwaway18 · · Score: 2, Informative

      >copying software isn't theft or crime, it's just copyright violation

      It's a crime here in the UK. It was changed from a civil offense to a specific crime around about 1990.

  4. First case of the Article not RTFA? by The+Uninformed · · Score: 3, Interesting

    "I'm not concerned that the Japanese police have somehow found a way to compromise Freenet's security," Clarke

    "..but probably not those that allow Freenet to protect user anonymity." Clarke

    I'm confused, it looks like Clarke said Freenet's compromised and he doesn't care, and that Freenet isn't compromised.

    1. Re:First case of the Article not RTFA? by ErroneousBee · · Score: 2, Informative

      Your parser is broken. The first sentence can mean:

      'Security is broken and I don't care'
      or
      'I don't care because security hasn't been broken'

      His statement that FreeNet is not what the Japs were using indicates the second meaning is more probable.

      --
      **TODO** Steal someone elses sig.
  5. Uh, not quite... by WIAKywbfatw · · Score: 5, Insightful

    > Piracy is a crime and these folks were arrested for it. I don't see why this is news.

    Uh, not quite. Software piracy may be a crime, but writing a P2P application, which has practical purposes for sharing files legally, isn't (as far as I know).

    It's a sad day when writing a file sharing application is enough to get your house turned upside down by the police or get you thrown into jail.

    --

    "Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
    1. Re:Uh, not quite... by lennart78 · · Score: 2, Insightful

      > Uh, not quite. Software piracy may be a crime, but writing a P2P application, which has practical purposes for sharing files legally, isn't (as far as I know).

      If the government feels it should prosecute writers of p2p applications because copyright infringement can take place with these, why not also go after the firearms industry, because people get shot by guns?
    2. Re:Uh, not quite... by tgt · · Score: 2, Insightful

      > why not also go after the firearms industry

      Because government profits from taxes they pay. As soon as you pay 0.01 cents per download government is p2p's best friend.

      --
      I like my outfit, it's inexpensive, but cool -- April Ryan
    3. Re:Uh, not quite... by Tim+C · · Score: 3, Insightful

      > why not also go after the firearms industry, because people get shot by guns?

      Because the firearms industry is (relatively) huge, has lots of money, generates a lot of tax revenue, and has a few volunteer groups campaigning against it. In contrast, file-sharing tech is (relatively) tiny, has next to no money, is used by people to avoid paying for stuff and therefore generating tax revenue*, and has large, multinational groups with lots of money campaigning against it. Logic doesn't come into it, money does.

      * Yes, I know, it has legitimate uses too, but they don't generate any tax revenue either

  6. Re:Freenet/Winny by Troed · · Score: 5, Insightful

    You can search Freenet _exactly_ in the same way you can search the World Wide Web. If you use a messageboard/filesharing application on top of Freenet (like Frost) you can search with a nice little search box per board or in all of them.

    But please, why not post uninformed opinions on Slashdot and get modded up as Insightful :)

  7. Searched by police? by ceeam · · Score: 2, Interesting

    So - what did they intend to find? Or do they use it like intimidation of some sort?

  8. Freenet is not safe. by Krapangor · · Score: 2, Interesting

    Clarke wants to save his face, but it's well known in certain circles that freenet doesn't provide 100% anonymity if the attacker has enough resources, e.g. a large ISP or the gov.
    It takes some time, but you can determine the IP and stored data of a user.
    But I don't think that this is so bad, in free societies such anonymizer tools are often abused by criminals, spammers and perverts and in oppressive societies the use of the tool gets you in prison anyway. The Chinese gov is not so stupid to get caught by the "hahaha - my data was encrypted, you can't prove anything"-argument.
    So it's really no loss there.

    --
    Owner of a Mensa membership card.
    1. Re:Freenet is not safe. by Hobbex · · Score: 4, Informative

      This is a complicated issue without a clear answer.

      If you want to be theoretical, then yes, Freenet does not provide anywhere near "absolute" anonymity. In fact, it doesn't even provide the level of anonymity that is used when judging such things as anonymous remailers or mixnets.

      Basically, Freenet purports to be "anonymous" because your files do not reside on the computer of the person who uploaded them, and because all downloads and uploads are chained and tunneled through each host involved in the transfer. That means that the host you download a Freenet document from just knows it got it from some other node, which got it from some other node, which got it through some other node, all the way back to the person who uploaded it. It certainly makes tracking the people who upload and download things more difficult than on networks like Kazaa (where it is, as we have seen, trivial) but in theory, and with enough resources, it is of course not impossible.

      It should be noted what Freenet does NOT provide however. Freenet does do what the serious mixnets refer to as "Onion routing", which basically means that the message is wrapped in an onion of cryptographic layers, which are peeled off at every step. The idea behind this is only the very last node can see contents of the message, and only the first knows it came from you (and none of the other nodes know anything except where the message came from and where it went).

      If you request something from Freenet, your node will call up another node and ask it for that file - if that node is controlled by the Feds then you are busted. It is argued that there is plausible deniability, because it is possible that your node was not downloading the file because you asked for it, but simply forwarding it for somebody else. Given the state of the judicial process at the moment, I'm not terribly optimistic about this defense.

      Freenet also doesn't protect (at least not very well) against traffic and timing analysis, allowing one to track down the author of something using the timing and amount of encrypted traffic that nodes exchange. I don't know of any case of traffic analysis having been used (except maybe on the NSA hyper-spook level), but it isn't impossible.

      Another thing that Freenet does not "anonymise", and this is the most important IMO, is that you are running a node in the first place. Your Freenet node has to be public, so the feds could definitely "fish" the network for node addresses and start busting those who run them. Again there is an argument of deniability: you don't actually know what is in your node's cache because it is encrypted, but again I don't have a lot of faith in this defense when the prosecutor will argue that you knowingly acted in bad faith.

      Regarding Winny, however, I think I agree with Ian. It seems doubtful that Winny works in the same manner as freenet, for the simple reason that Winny works, and well, freenet, umm, doesn't. Any time you try to put anonymity into something, usability IS going to take a hit, because trying to spread and bounce traffic necessarily hits performance. I have a very hard time believing that Japan's most popular P2P network could be based on tunneling everything - purely for performance reasons.

      (I have to run, so forgive typos and pitiful spelling errors.)

  9. Background Info by pario · · Score: 5, Informative

    Since Winny is pretty much unknown outside Japan, here is some background information for slashdot readers: Winny is a P2P file sharing program created by a Japanese programmer, who still remains anonymous to this day. It came out two years ago as an attempt to share copyright-protected materials "safely" when somebody was arrested for using another P2P program (WinMX). Since the application was extremely well designed and almost anything is available on its network, from movies to software, it has become immensely popular in Japan, so much so that there are a dozen books available on how to use it and network traffic in the country was down 20% after the news of the arrest broke. As for the reasons why the police were able to identify those two people who were arrested, they used an extra bulletin board feature, which does not guarantee anonymity unlike its file transfer feature, to distribute a list of warez videos. Therefore, I don't think this news has anything to do with the validity of Freenet's technology, or with that of Winny's for that matter.

    1. Re:Background Info by Anonymous Coward · · Score: 5, Informative

      Mod parent up. This discussion can't go anywhere without the participants having proper knowledge of the background and workings of Winny.

      The reason that nobody's heard of Winny is that Winny has been deliberately kept off the radar of countries outside Japan by the author himself. He kept the source closed and only provided the program and documentation in Japanese.

      Winny is "based" on Freenet only to the extent that the creator of it consulted Ian Clarke's papers to design the network. The possibility of Freenet code being reused in Winny is pretty low, as Winny is a native Windows application and there's that issue with GPL code anyway.

      The architecture of Winny has some aspects in common with Freenet, but while Freenet was designed with anonymity as priority one and usability as backburner, Winny aimed to become both a usable AND anonymous P2P client. To achieve this goal, some of Freenet's anonymity features (such as the inability to know the data inside one's own node) were removed from the design of Winny, and some usability features such as searching within the program were implemented. Winny's design is not as modular or portable as Freenet is, either; Winny is a native Windows application tied to a GUI, more like "normal" P2P filesharing apps.

      Winny version 2 also includes an anonymous message board system, a bit like Frost's TOF; due to the original Winny's immense popularity, the Winny message board became a lively place of discussion, also often used to request and announce up/download of illegal files.

      Presumably, it was this that the Japanese police used. Due to the way Winny implements the anonymous message board, reading and posting in the threads are anonymous, but creating a new thread is not. Both of the two people arrested were thread creators, and they announced the upload of files in their threads. As this was not anonymous, the police probably traced them using this.

      Any additions/corrections from Japanese Winny users are welcome

  10. Ever *truly* Anonymous? by Anonymous Coward · · Score: 4, Interesting

    I am often amazed at the abilities of some. A 15 year old breaks a hard crypto for DVDs in what seems is a poetic 30 line program... And so many others who have contributed to technology. But in my limited thinking I cannot see how a truly anonymous P2P network could ever be thought up.

    After all the encryption, all the routing and packet filtering... eventually we're always left with unavoidable IP addresses. There's always going to be, has to be, a destination and origination. If a computer program can find the location of a song, so eventually can a human. ...So it seems to me.

    The FBI tracked the release of an email virus to some upstairs apartment laptop with a temporary dial up connection in a third world country within three days of its release. What was it, the I love you virus or something written by some tech students? I sat in wonder watching the news reports and the video of dirt streets and old third world buildings wondering how the hell they did it. How they knew it came from that upstairs apartment. Probably logged in just long enough to send it. Not just in three days, but probably sooner with them taking 1-2 days for the "public" release.

    Then I consider a truly anonymous P2P file share and wonder if it is even possible. The song is going to be on a hard disk. That hard disk is attached to the net and will have a number representing its network location. All of which can be traced. In my mind, again, if a program can find the song, even as difficult as it may seem, so eventually can a human.

    Just like *they* can never make an unbreakable copy protection, will *we* ever be able to be completely anonymous while on the Net?

    I'm just wondering....

    1. Re:Ever *truly* Anonymous? by Troed · · Score: 2, Informative

      Jon Johansen did not break CSS, and it's not a hard crypto. He wrote the gui for an application using a normal decryption key. CSS _has_ been broken cryptographically, and has about 2^16 complexity. It's not even worth being called a crypto.

    2. Re:Ever *truly* Anonymous? by shird · · Score: 4, Informative

      Ever heard of onion routing? look it up.

      Basically, there is no source and destination, just a bunch of message passing between random nodes, the 'destination' just keeps an eye out for something that belongs to them. Put very basically. There's a bunch of asymmetric crypto involved also. Look it up for more details.

      --
      I.O.U One Sig.
    3. Re:Ever *truly* Anonymous? by Zog+The+Undeniable · · Score: 2, Funny

      Well, the low-tech solution to being anonymous is to use someone else's poorly-secured WiFi gateway :-)

      --
      When I am king, you will be first against the wall.
    4. Re:Ever *truly* Anonymous? by caluml · · Score: 3, Insightful

      Have a second internet with a completely different method of assigning IP address. NAT all traffic passing through your box.
      Hey presto, no-one knows if it came from you, or the person behind you, and there is no ISP that can be asked who "owned" an IP at a certain time.

    5. Re:Ever *truly* Anonymous? by Anonymous Coward · · Score: 2, Interesting

      I can imagine the network that allows share of any data but is difficult to be sued and would have to be practically banned to shut it down.

      Imagine the following system:

      1) Basic requirements from the system:

      Each computer in the network when signs to this software is committing certain amount of disk space to store network data and certain amount of bandwidth to exchange storage information. The exchange of information consists of background traffic which is independent from the user and user request traffic to search and download data. The software is designed in such way, that for the remote machine the background and foreground requests are in most cases impossible to distinguish.

      The data on the network consists of packets.

      There are two types of packets:
      - encyphered packets with unique ID's
      - data catalogue packets

      Computers that are in any given moment logged onto the network are exchanging randomly its stored packets using preassigned disk space and preassigned amount of background bandwidth.

      2) Committing the data to the network.

      Each user can post any data to the network. The process is as follows. The software initially is breaking down the data file into the packets that have unique ID assigned to each packet and each packet remembers ID of the next packet. Then the packets are encyphered. The cypher is using previous packet data as a key to encypher the next packet (with the exception of the first packet which could be encyphered using some simple cypher). Also the software at the same time creates entry to the catalogue with data file title and ID of the first packet of the data. Then the packets of the file and the new catalogue packet are distributed randomly along the network using regular network background exchange traffic. The receiving computer cannot distinguish this from the regular background traffic exchange so it cannot identify that the new data is currently posted. Even more, because it is receiving only one packet, it cannot even identify what exactly this packet is representing since the packet is encyphered and in order to know its content one needs all preceding packets that are sent to different random machines on the network. Part of the background traffic is also used to move packets randomly around network, so the data is never static. It is always floating around the network. The user of particular machine also has no idea, what is currently on his machine for the same reason, and the packets are constantly moving along the machines anyway so in a sense everybody shares all the packets virtually.

      3) Searching for data.

      The user posts a search to the network for a title using foreground traffic. The search itself is not a crime since we are only looking for a relationship of title to ID of the first packet of data. Just like you can review any type of music catalogue :-) There is no proof of downloading since the search only returns catalogue entry of ID and it is up to the user to do anything with this. But even the search is anonymized in the following way:

      User generates query for the file title. The system assigns unique ID to the query and sends this to randomly chosen couple of the networked machines currently online. The queried machine checks its catalogue packets. If the match is found, the response is sent with title - ID of the first packet. If the match is not found, the query ID and IP of the querying machine is temporarily stored by the software and the query then is posted in the background traffic to some more randomly chosen machines on the network. If they respond within given time with ID, the response is sent back to the querying machine. In any case after the preassigned time, the stored ID/IP info is deleted so there is no trace of the search. The key here is that the machine that is being queried has no idea if the querying machine is the original requestor of the query or just another link in the chain.

      4) Downloading data.

      O

    6. Re:Ever *truly* Anonymous? by Error27 · · Score: 2, Informative

      That's not how onion routing works, actually. With onion routing the "server" is known and the client is unknown. The client creates an "onion" with encrypted routing information.

      The communication is passed through a bunch of nodes each of which only know about the one before and after themselves.

      In a p2p situation the clients sometimes act as servers so onion routing is a bit pointless by itself.
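
The onion wrapping that several replies in this sub-thread describe (layers peeled at each hop, each node knowing only its neighbours), as an added example that is not part of any poster's comment and not code from Freenet, Winny or any mixnet. The node names, the keys and the SHA-256-based toy cipher are assumptions chosen so it runs on the standard library alone; a real design would use per-node public keys and a vetted cipher.

```python
import hashlib
import hmac
import json
import os

# Constructed three-hop route and per-node keys (assumptions for this example).
ROUTE = ["n1", "n2", "n3"]
KEYS = {n: hashlib.sha256(b"demo-key-" + n.encode()).digest() for n in ROUTE}


def _xor_stream(key, nonce, data):
    """Toy stream cipher: XOR data with SHA-256(key || nonce || offset) blocks."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def seal(key, plaintext):
    """Encrypt-then-MAC one layer: nonce || ciphertext || tag."""
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce = os.urandom(16)
    body = _xor_stream(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def open_sealed(key, blob):
    """Verify the tag, then decrypt; fails for any node the layer is not meant for."""
    if len(blob) < 48:
        raise ValueError("blob too short to be a layer")
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer not addressed to this node, or tampered with")
    return _xor_stream(enc_key, nonce, body)


def build_onion(route, keys, destination, message):
    """Client side: wrap the message innermost-first, one layer per relay."""
    blob, next_hop = message, destination
    for node in reversed(route):
        layer = json.dumps({"next": next_hop, "data": blob.hex()}).encode()
        blob = seal(keys[node], layer)
        next_hop = node
    return blob


def peel(key, blob):
    """Relay side: remove one layer, learning only the next hop."""
    layer = json.loads(open_sealed(key, blob))
    return layer["next"], bytes.fromhex(layer["data"])


def relay(sender, route, keys, blob, message):
    """Walk the onion through the route and record what each relay can observe."""
    views, prev, node = [], sender, route[0]
    while node in keys:
        next_hop, inner = peel(keys[node], blob)
        views.append({"node": node, "from": prev, "to": next_hop,
                      "sees_message": message in inner})
        prev, node, blob = node, next_hop, inner
    return views, node, blob


if __name__ == "__main__":
    msg = b"GET /index.html"
    onion = build_onion(ROUTE, KEYS, "server.example", msg)
    for view in relay("alice", ROUTE, KEYS, onion, msg)[0]:
        print(view)
```

Only the first relay sees the sender's address and only the last sees the plaintext and destination; traffic and timing analysis, which the thread also raises, are outside what this layering addresses.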

  11. Re:This is the final straw by squaretorus · · Score: 5, Interesting

    > Stupid laws that cost thousands of extra police hours not only waste tax-payers money, they take police from their real job

    Couldn't agree more. But this isn't the main culprit. Globally more is spent on 'THE WAR ON DRUGS' and chasing criminals who only steal to feed their habits than on ANYTHING ELSE. Apologies for the caps - just trying to be sensationalist because I'm talking about drugs - which we all know are REALLY SCARY AND BAD.

    Of course - these kids could have been P2Ping to support a crack habit. It all comes back to wasted money on THE WAR ON DRUGS...

  12. Its OK... the RIAA may be paying for spam. by Anonymous Coward · · Score: 2, Interesting

    Here are the snippets from the spam.

    Subject: Digital Music News: Don't Go to Jail

    Music Industry Informs Internet Users of Risks Peer-to-Peer Networks Pose

    STAY OUT OF COURT - USE LEGAL 'SHARING'

    Staff Writer, The Digital Music News

    The Recording Industry Association of America has filed 300 lawsuits against alleged file swappers. Don't want to become victim number 301? Then it's time to switch from programs like Kazaa and Morpheus to a legal music download service Songs purchased on legal services are more reliably of a higher quality than those downloaded from a peer-to-peer network where you're never quite sure if the file was properly labelled, ripped on an underperforming computer or contained a virus Below are the options that will help keep your life free of lawsuits To learn more about safe and secure ways of using the Internet http://www.riaa.com

    The message then goes on to pimp for the various pay services. I have no idea if the RIAA actually paid for the spam, or if it is a joe job.

  13. Re:Freenet/Winny by Troed · · Score: 3, Informative

    ... another uninformed person getting modded as Insightful.

    Pray tell - how do you search the regular World Wide Web?

    Via some sort of service that knows webcontent since it spidered it - right?

    Guess what Dolphin's Freenet Index is ... and there are others.

    So, no - I know perfectly well what I'm talking about. Freenet is just as searchable as the World Wide Web. Exactly.

  14. Speed of the Japanese legal system by chrome · · Score: 3, Informative

    The speed of the legal system here is notoriously slow.

    And, I'm told, most people can escape imprisonment or heavy fining by just apologising well.

    So, I'm not sure what kind of resolution the companies are expecting, but I'm sure it will be a long time til we hear anything :)

    1. Re:Speed of the Japanese legal system by dbleoslow · · Score: 4, Interesting

      > And, I'm told, most people can escape imprisonment or heavy fining by just apologising well.

      Unless you're a foreigner

      I'm not saying this guy is innocent, but he got a longer prison sentence than most murderers. Japan has a conviction rate above 90 percent. They can also hold someone on suspicion for up to 21 days without so much as a phone call. My greatest fear is just being a suspect. It doesn't matter if you're guilty or not here. So I get a heavy fine and no "prison sentence." I could still be in prison for almost a month before charges are even filed.

  15. Re:Freenet/Winny by Troed · · Score: 2, Interesting

    When you install Freenet and go to your local gateway-page there are not one but two search engines linked. That's how you search WWW - that's how you search Freenet.

    Or do you know of a way to search the World Wide Web that does not include using servers which have spidered the content? Please let me know.

  16. Hara-kiri Over Hanson!! by Anonymous Coward · · Score: 3, Funny

    Arrested!!!! Holy shit that could lead to Hara-kiri over Hanson.

  17. Winny is more advanced than Freenet by News+for+nerds · · Score: 5, Interesting

    Winny was developed by the Japanese developer called "47", and it was after WinMX user was arrested here in Japan, in 2001. It was the world-first arrest of P2P users. Japanese copyright law was amended in the years before to crack down infringement over internet, protecting "right of enabling sending copyrighted material".
    Since then, among Japanese users and hackers, non-encrypted P2P which is still popular in the West today became things of past.

    Since Freenet made of Java was very slow application then (not much improved today), he made Winny as native Windows P2P application, with encrypted storage distributed across peers. According to the developer, Winny is good at the both anonymity and efficiency, but anonymity is slightly lower than Freenet. Because a receiver can't determine a sender is the one who originally inserted the file to the network or not, it was considered anonymous and then more secure than ordinary P2P network, say, Gnutella or eDonkey etc. Winny has other functions like forum system, and clustering by keywords combination set by its users which help users with similar interest mold cluster. Other remarkable difference from Freenet is it doesn't split files, but can do multiple-source download.

    With the help of community and its own efficiency as P2P network, Winny become extremely popular in Japan unlike experimental Freenet in the West and consumed huge bandwidth.

    But those who were arrested the last month were arrested because they sent files directly, without being a bridge, or put some warez onto web page and running Winny beside it. Therefore it is still not clear whether just running Winny and sending cached files without modest deliberation means guilty or not.

  18. And Winny is really WinNY, means the next of WinMX by News+for+nerds · · Score: 5, Interesting

    Winny is really WinNY, with WinMX N is the next of M, and Y is the next of X.

  19. Winny Background by Anonymous Coward · · Score: 5, Informative

    The way anonymity works is that files are stored in a "cache" in a scrambled format with filename concealed, even to the local user.

    Winny knows how to descramble the name and data, and it can search on the P2P network a specific file using its filename or MD5 checksum.

    When a file is found, it is either downloaded directly or through another random user (think proxy).

    Files go into the cache either by local upload, by downloading a file (which Winny will descramble for you, leaving a copy in the cache), or by files passing through your node. It is then available for further download by other people.

    This provides a kind of load-sharing where more popular a file is, it will be found in more people's cache and more easily available. Downloading from multiple sources is also possible.

    You can find out who your immediate neighbour is, but he can claim he doesn't know that the content of his cache contains an infringing file, but of course this requires him to remove the original on his disk :)

    To give an incentive to people to cache files, # of simultaneous downloads is limited to # of uploads+1 with a lower limit of 2.

    It is a very convenient system because winny has a function that lets you specify search parameters and you can just leave it alone and it'll download everything that meets the parameters, meanwhile donating bandwidth and cache space to other people on the P2P network.

    This model can be possible only because Winny is closed source. Cracks have appeared for both the download limit and cache descrambling. It is easy to see widespread use of the cracks will compromise the model (less files to be found on the network).

    Fortunately normally people don't care (it is just spare upload bandwidth and disk space, which broadband P2P users usually have surplus of).

  20. Re:News to me by paganizer · · Score: 2, Insightful

    And why are the neighborhoods destroyed?
    Because the pushers are doing something very risky for very high profits; because the users have to pay an artificially high price for drugs. Eliminate government interference, prices go down, it's no longer necessary to have hired goons running around guarding the drug dealers, no longer worthwhile to KILL to protect your drug supply.
    Drugs are a problem. The violence and crime associated with drugs is 90%+ the result of the war on crime.
    Don't believe me? Think about the 60's & 70's. I was there, I know.

    --
    Why, yes, I AM a Pagan Libertarian.
  21. Chasing after file sharers doesn't work! by Morosoph · · Score: 2, Interesting

    Just found a link to The Motley Fool that very much suggests that file-sharing isn't taking any revenue. If this is truly the case, how do they justify the restraint of freedom induced by laws and methods of enforcement? This appears to be less a case of protecting revenues as a simple imposition of unjustified power.

    More musings on power and on civil disobedience. I should say that I admire the independent artist who chooses to share samples, and do not especially admire those who trade music illegally, but here, punishment is disproportionate.

  22. Society is reaching a fork in the road by t_allardyce · · Score: 2, Interesting

    I believe that the words "arrested for downloading..." should not be appearing in our lives because "arrested for downloading music" sounds very similar to "arrested for downloading political material" and this is exactly how a society moves from free to big-brother. Lets put things in perspective here: You are not gaining unauthorized entry to a remote system, you are not 'stealing' (as in bank notes) money, you are not diverting electronic funds to yourself. Flaim me all you want about what you 'are' doing but those facts remain.

    What you are doing is partaking in an activity that may negatively effect a large economy. Now there is no definite case here, it could be that you were not taking a potential sale because you would never have intended to buy it in the first place, who knows? its a very blurry area and no-one can claim they know all the facts. Having said that there are allot of things in our society that follow similar logic:

    Driving your car for example, now you may not contribute a significant amount to pollution yourself but everyone together does (this has more proof behind it than the case against music downloading). If you go get a drink during commercials then you aren't doing anything personally but if every single person got up during that commercial it would have a zero viewer figure (which leads to the question are the advertising companies doing their job if no-one wants to watch their adverts?). As a society we have deemed that some things are ok and some are not for whatever reason but if its deemed that filesharing is not ok then you will have put that over driving your car and a whole host of other things we do that are far worse, is that ok? its up to you.

    It's society's job as a whole to decide the balance here, personally I think filesharing should be accepted and that it will lead to a positive change in the way things are done and the way music is made. Maybe it will lead to the downfall of the RIAA as we know it and music will suddenly become not a money driven thing but an enjoyment driven thing maybe like open source software, is that good? Is society happy with the way things are now? Are you happy with the way things are with the RIAA? Because it's the majority of the people that matter in a democracy not the richest and if you live in a democracy then that's the way it goes.

    PS. It might happen that you don't live in a democracy or your democracy is broken and for example 2 million people all getting together in a park to demonstrate over something does not sway your PM's view at all even though it was one of the biggest demonstrations in your country's history. Or, your government openly receives funding from major corporations and just happens to churn out laws that suit those corporations and has now allowed one of those corporations to run its voting. If this is true for you then the above post means nothing, go back to your work, do what you are told and let it get worse. If you don't live in a democracy and don't want one then also ignore this post and I hope you have better luck than us and that we don't try and invade you anytime soon, if we do I'm sorry I had nothing to do with it.

    --
    This comment does not represent the views or opinions of the user.
  23. Re:Freenet is not safe. by Hobbex · · Score: 4, Informative

    Actually, just the size of the piece of content you are retrieving is very likely to yield enough information to identify exactly who retrieved it, I'm afraid.

    Pieces of data in Freenet are padded to the nearest exponent of two, so this particular attack would be pretty difficult.
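
An added illustration of the padding point in comment 23 (not code from Freenet or from either commenter): it compares how often an exact size versus a padded size singles out one item in a catalogue, and what the padding costs in extra bytes. The round-up-to-the-next-power-of-two rule, the 1 KiB minimum and the catalogue itself are assumptions constructed for this example.

```python
import random
from collections import Counter

MIN_BLOCK = 1024  # assumed smallest padded size; not a value stated on the page


def pad_pow2(size: int) -> int:
    """Round a size up to the next power of two (at least MIN_BLOCK)."""
    padded = MIN_BLOCK
    while padded < size:
        padded *= 2
    return padded


def identity(size: int) -> int:
    """No padding: the observer sees the exact size."""
    return size


def constructed_catalogue(n: int = 5000, seed: int = 7) -> list:
    """Constructed sample: n sizes spread log-uniformly from 1 KiB to 1 GiB."""
    rng = random.Random(seed)
    return [int(2 ** rng.uniform(10, 30)) for _ in range(n)]


def uniquely_identified(sizes, observe) -> float:
    """Fraction of items whose observable size is shared by no other item."""
    seen = Counter(observe(s) for s in sizes)
    return sum(1 for s in sizes if seen[observe(s)] == 1) / len(sizes)


def overhead(sizes, observe) -> float:
    """Extra bytes stored and transferred, relative to the unpadded total."""
    return sum(observe(s) for s in sizes) / sum(sizes) - 1.0


if __name__ == "__main__":
    sizes = constructed_catalogue()
    for name, fn in (("exact size", identity), ("padded", pad_pow2)):
        print(f"{name:>10}: unique={uniquely_identified(sizes, fn):.1%} "
              f"buckets={len(set(map(fn, sizes)))} "
              f"overhead={overhead(sizes, fn):.1%}")
```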

  24. Re:What Freenet does and doesn't do... by Hobbex · · Score: 2, Informative

    I don't think so. How could Freenet do proper onion routing when you can not determine what route it will take?

    There was a negative missing there. Freenet does NOT do onion routing. Sorry (though I think it can be seen from the context what I intended.)

    Actually, the defense is both good and bad - the problem lies in the HTL - Hops To Live. As it is (or at least was, when I tried to convince them it was a bad idea) the maximum HTL is 25 (in node, no matter what the program requests). That is, if you request/insert something with HTL 25, it's *your* request/insert, no one else's.

    There is an added random factor to it, IIRC, but it isn't nearly high enough. In retrospect, I think that we should not have used HTL at all, but instead had a random probability of the request terminating at each node it reaches. The blame for it not being done this way lies mostly with me - I had an idea when we implemented the basic protocol that it should be very robust, thus every node keeps track of every request and times it out as soon as possible, and then something like HTL was needed.

    Having seen how things turned out, if I was to go back today, I would have made the protocol as lightweight, "fire and forget", and memoryless as possible instead. The usage pattern I imagined where users made a single request that had to succeed or fail correctly became "spam the network and hope for something" and the protocol was never designed for that.

    It should be noted that the anonymity aspects of freenet take a hit from the routing problems in this case: Overload and lousy routing caused people to pump up the HTL, which caused us to limit it strictly to avoid an evil cycle (that wasn't avoided), which is why most people start with the highest permitted value today.

    Also here, Freenet is pretty dumb in that it has a static 50 node limit by default. Once you've got 50 compromised nodes in contact with the target node, it's isolated from the network and you can see all requests/inserts it does. With at least some random factor, you would provide some uncertainty - do we control all nodes now, or are there still more? Can we *prove* these came from him?

    I would say that the benefit of a random factor is dubious here. If you have the capacity to compromise all the nodes in the routing table, then you probably have the capacity to scan their traffic to see if they have other peers (I mean, how else did you find all their peers?)

    They could not do a simple port scan, as you need the node's public key to get a response. However, you can listen on the network for those. Due to the state of the Freenet network, you need a certain inflow of new nodes, and so you also need to announce your node on the network. If you had a set of stable 24/7 static ip nodes to connect to, you wouldn't need to. However, since nearly all residential connections are semi-stable (cable/dsl), it is as it must be in order to keep the node functional.

    "Silent Bob" as we called the idea of not responding until the key is seen, is in the protocol, but it is not, IIRC, the current default behavior of the node (for performance reasons). I don't agree that "a set of stable 24/7 static ip nodes" would be a good thing. The more static the network is, the more vulnerable.

    The node probing defense also makes it impossible to know without actually securing the node - the node will sometimes pass the request, regardless of whether it has the data or not.

    There is no defense against timing analysis of these responses. If the response is instantaneous, then you can be pretty sure the node contained the data before you probed it.

    I think my analysis is almost the opposite. I wouldn't worry much about requesting or inserting data (if the network was working, I don't know w