Professor and Student Thwart P2P File Sharing

Digitus1337 writes "Wired has the story. 'A computer science professor and graduate student have been awarded a patent for a method of thwarting illegal file sharing on peer-to-peer networks by flooding the network with bogus files that look like pirated music.' This raises the question of whether or not companies that are already using such techniques are in violation of the new patent. Good news for subscription services?"

Would it really matter?

[Rosco+P.+Coltrane]

If there are 10000 bogus files, but only a handful that have more than 5 sources, chances are these are the real McCoy and all the others are the decoys.

And even if there are 10000 files around with a lot of sources for each file, I'm sure people will start trading files containing the RC5 checksums of real files, on IRC or something. Hell, they might even P2P the real-files index :-)

In short: should the RIAA/MPAA and friends even adopt that technique, it'll give them only a very temporary reprieve. They really should realize the cat's out of the bag and they should start thinking of new business models around digital file sharing, not against it.

Re:Would it really matter?

[Coke+in+a+Can]

It's really hard to checksum MP3s, though. First thing I do after downloading an MP3 is change the ID3 tags to my liking, which changes the file, and generally makes it unique, with only one source, me.

Mixed feelings!

[sisukapalli1]

It is like someone patenting the process of "harassing people". I don't know whether to cheer for it because it makes harassing more expensive, or to feel sad about the overall state of affairs at the USPTO.

I am sure there is plenty of prior art for this. DDOS, bogus uploads to P2P (e.g. people try to become the "supreme being" on kazaa by putting dummy files named after the latest hits). If the only difference is the "intent" and "amount" of the junk sent to P2P networks, granting a patent looks ridiculous.

However, if it there is a lawsuit between these guys and the MPAA/RIAA, I will cheer for the patent.

S

file sharing

[ajs318]

I use Apache for all my file sharing needs. Anyone wanting to download anything from me needs either my domain name or IP address -- and has my word that the files are genuine.

Ultimately, the Internet will recognise the uploading of "poisoned" files as damage and route around it accordingly.

Re:Uh, prior-art?

[jpu8086]

Things that are really, really hard to implement in a true P2P network:
- Global trust matrix
- Economy
- Authentication

These are hard because the equality of peers can always be exploited by users with malicious intent. They can join in the P2P network as multiple peers (if a network limits one user per IP, an attacker with multiple computers and sufficient resources can compromise). Remember that in a true P2P network everyone is equal - it is nearly impossible to implement schemes that avoid the Sybil attack.

You need a central certificate authority to validate the autheticity of users. And, that is a big no-no in P2P systems.

So, forget about trust matrix. You can't trust anyone in a true P2P network.

Re:When will this end?

[JasonEngel]

You think this is a bad thing? Now that this pair has a patent on the concept, maybe the patent can be used AGAINST those people who flood P2P networks with false files. In order to do so now, they have to license the concept from this Prof/Student duo or face litigation.

Maybe - just maybe - this is a good thing. The question is, did it happen at a useful point in time, or is it now irrelevant?

Re:This can only be good news for fileswappers. Ma

[LilGuy]

First off, many P2P networks are smart enough to easily defeat this attack. Reputation tracking alone, out of several technologies already implimented to prevent this attack, is almost enough.

Keyword here: almost. I've gotten a number of "Excellent" rated files from kazaa and found them to have the same annoying screech-pop sounds and any other ones. I no longer pay any attention to whether or not a file is rated because it hardly makes a difference.

How is rating a file going to stop this? The only people who use it are the RIAA anti-piracy people. They get 50 people to rate it excellent, and then everyone downloads it. The find out its the same pop-screech sound, but they leave it on their hard drive and don't rate it down. Other people see that there is an enourmous bandwidth for this "excellent" file and figure its a sure thing. Wrong!

Why?

[0x0d0a]

Why would you email these people and complain? Applying social pressure isn't going to stop the march of progress any more than the RIAA sending nastygrams is going to stop me from adding code to P2P clients and working on approaches to counter attacks on P2P networks.

Spamming is a known attack on most P2P networks, because such networks treat everyone with a certain level of (possibly undeserved) trust. It's not rocket science, and if people designing networks failed to take it into account and allowed it to be an effective attack, it's *their* problem (just as the RIAA devising a business system with expensive music and infeasible protection has copy protection as *their* problem).

This does nothing to solve the thing long-term.

Here is what will happen.

Initially, P2P networks took a "trust anyone" appraoch. (Napster, etc). This rapidly was shown to be infeasible, and systems allowing black/whitelisting users, allowing trusted endorsement of files (Sharereactor and similar), and allowing community rating (Bitcollider) popped.

Hale and Manes just took the obvious next technological step, which is to make it easier to attack the network -- have a system that learns what people are suckers for most, and to exploit it (well, and just about every other claim they could think of to throw in, but that's the meat of the patent). I think that it's absurd to make this patentable, frankly. These ideas are not only obvious, but have been floating around on P2P system development forums. Furthermore, the academic and business systems that we have rewards people like Hale and Manes for creating bullshit patents -- that's still not their fault. It's that of the people who have control over the patent process, which is ultimately all of us.

It's quite possible to counter whatever Hale and Manes are claiming is new and revolutionary. There are current systems like WASTE with simple trust systems -- users can be in or out, and anonymous users aren't trusted. It may take a trust network with non-binary trust (this person is *really* trusted to provide good files, this one not as much) and transitive trust. The schemes coming from Hale and Manes are quite beatable, though -- it's a losing position to be holding.

Anyway, after someone comes out with a trust system, people like Hale and Manes will then come out with patents on processes that demonstrate attacks on whatever statistical methods are used to assess trust in such networks.

The algorithms will be tweaked by P2P folks, and eventually a pretty-good-to-the-point-that-P2P-network-attacker s-can't-effectively-beat-it network will be reached. The RIAA/MPAA/people protecting content are guaranteed to lose. Even harsh legislation against copyright infringment just promotes increasingly more anonymized systems like Freenet.

Content providers will be forced to move more towards service-oriented systems (you buy a music "service" with access to a vast music library, and then content creators and marketers are recompensed based on how much their content is used). It's not the end of the world for anyone, and the same cycle of upheaval and technological improvement has happened time and time again in many areas. In the end, we generally have a more effective system for all involved.

I personally *like* it when people run out and attack P2P networks. It drives people to do systems right, rather than just hack things up without a thought for security (and unlike a cracker breaking into a computer, someone attacking Gnutella doesn't prevent anyone from getting work done or expose personal data). I think that producing "properly built" networks that don't have such weaknesses is an absolute blast, a fun research topic, the side that gets all the love from people who are trying to toss data around, etc.

Heck, it might even be neat to work under Hale and try to thwart the latest in anti-sharing strategies that one of his other students has come up with. :-)

Re:Uh, prior-art?

[jpu8086]

"Only your key is known to the central sites so that your identity remains anonymous but your habits can be tracked"

You contradict myself. You are not anonymous if someone knows who you are. You might get a feeling of anonymity because of the shelter provided by the powers to be. But, that is all at their mercy.

Don't confuse privacy for anonymity.

not just illegal files

[townmouse]

The article says that this technique can be used to thwart illegal file sharing, but it will work equally against legally shared files. The technology could be used to suppress a rival's freely-distributed music (a subtler trick would be to flood the network with plausible-sounding but inferior copies).

This threat isnt going to keep me awake at night if it's confined to music, but as the article says,
Hale said the technology could be applied to protect all sorts of sensitive or confidential material.

This means we won't be able to trust the current generation of P2P networks for authentic news, commentary from reputable sources, free (as in either) software, accurate documentation for same, or any data that some powerful organisation doesn't want us to share. In many cases such forgeries would be illegal under copyright, trademark, defamation or competition laws, but proving which cuckoo laid the egg could be very difficult.

P2P trust is possible, here is how:

[jetmarc]

> You need a central certificate authority to validate the autheticity of users.

A way-out is to make it expensive to infiltrate the P2P network at large-scale. For example,
files could have a quality record attached, that lists what each previous downloader voted
about the quality ("good" vs "fake" file). Cryptographic algorithms could be used to make it
excessively expensive to compute a valid quality record. Time for one computation should be
a decent portion of minimum download time, eg 10-60 minutes for a 700MB file. The P2P system
could pre-compute the vote record while downloading the file and then let the user make his
vote. If you were to insert fake votes into the system, you would have to go through the
expensive algorithms for each and every individual fake vote.

When searching a file, the P2P system could cryptographically verify the votes, and weed out
the "cheap" fake files (that didn't go through the expensive computation).

The cost of cryptographic effort could be configurable. The releaser of a file could judge
the risk of "his" file being attacked (and with how much effort), and thus choose a cost
setting that is low enough to be reasonable for the downloaders, but high enough to void
all attacks.

Re:Great!

[some+guy+I+know]

How are you going to prove there is no chance of me getting cancer and dieing [sic] from the radiation released from a nuclear plant? Until you can, its [sic] just too unsafe

How are you going to prove that there is no chance of getting cancer and dying from posting to Slashdot?
Until you can, it's just too unsafe for you to continue posting here.
(And before you tell me that there is is no difference between posting online and writing to your local paper -- our bodies have learned to adapt to print media, not to electronic communication.)
There are plenty of alternative technologies that don't involve the Internet at all.
Posting to Slashdot is just too unsafe to use.