Slashdot Mirror


Professor and Student Thwart P2P File Sharing

Digitus1337 writes "Wired has the story. 'A computer science professor and graduate student have been awarded a patent for a method of thwarting illegal file sharing on peer-to-peer networks by flooding the network with bogus files that look like pirated music.' This raises the question of whether or not companies that are already using such techniques are in violation of the new patent. Good news for subscription services?"

70 of 382 comments

  1. Great! by nuclear305 · · Score: 3, Funny

    Now I know who to sue for permanent hearing loss from those annoying shrieks and beeps in those decoy files. Maybe I'll send them a nice Beach Boys CD filled with brown noise...

    1. Re:Great! by some+guy+I+know · · Score: 3, Insightful
      > How are you going to prove there is no chance of me getting cancer and dieing [sic] from the radiation released from a nuclear plant? Until you can, its [sic] just too unsafe
      How are you going to prove that there is no chance of getting cancer and dying from posting to Slashdot?
      Until you can, it's just too unsafe for you to continue posting here.
      (And before you tell me that there is no difference between posting online and writing to your local paper -- our bodies have learned to adapt to print media, not to electronic communication.)
      There are plenty of alternative technologies that don't involve the Internet at all.
      Posting to Slashdot is just too unsafe to use.
      --
      Those who sacrifice security to condemn liberty deserve to repeat history or something. - Benjamin Santayana
  2. Uh, prior-art? by Anonymous Coward · · Score: 4, Informative

    Spammers have been doing this for years, ever since Napster and Gnutella came out. And, people have been filtering it since then. Once a P2P system has some sort of trust system built into it, this becomes far less effective.

    1. Re:Uh, prior-art? by jpu8086 · · Score: 4, Insightful

      Things that are really, really hard to implement in a true P2P network:
      - Global trust matrix
      - Economy
      - Authentication

      These are hard because the equality of peers can always be exploited by users with malicious intent. They can join in the P2P network as multiple peers (if a network limits one user per IP, an attacker with multiple computers and sufficient resources can compromise). Remember that in a true P2P network everyone is equal - it is nearly impossible to implement schemes that avoid the Sybil attack.

      You need a central certificate authority to validate the authenticity of users. And, that is a big no-no in P2P systems.

      So, forget about trust matrix. You can't trust anyone in a true P2P network.

      --
      now supporting:
      cmdrTaco for president '04
      michael for oval office intern summer '05
    2. Re:Uh, prior-art? by Anonymous Coward · · Score: 3, Interesting

      "You need a central certificate authority to validate the authenticity of users. And, that is a big no-no in P2P systems"

      You can still be authenticated and remain anonymous. Take slashdot for example. From this you can implement some type of karma (like slashdot) or review (like ebay) system so that users who fuck others fall into the background. Only your key is known to the central sites so that your identity remains anonymous but your habits can be tracked.

    3. Re:Uh, prior-art? by EeeJay · · Score: 2, Insightful

      That's real academic merit. They took something that has been going on for years, patented it, and in the process pulled the internet deeper into the depths of distrust and garbage traffic.

    4. Re:Uh, prior-art? by JamieF · · Score: 4, Funny

      >You can't trust anyone in a true P2P network.

      Man oh man... what is the world coming to when you can't trust anonymous criminals anymore?

    5. Re:Uh, prior-art? by rfmobile · · Score: 4, Interesting
      > You need a central certificate authority to validate the authenticity of users. And, that is a big no-no in P2P systems.

      Actually, you don't need a central CA - a distributed one will do. In other words, every peer implements their own "buddy list". The buddy list includes positives (confirmed trustworthy) and negatives (confirmed un-trustworthy). Instead of distrusting every peer, you can choose a list of peers from one peer you already trust, and build from there.

      When performing a search, your P2P software might color code the results based on this list. Green for known good peers, red for bad peers/spammers/etc., and yellow for unlisted, unknown peers.

      -rick
    6. Re:Uh, prior-art? by jpu8086 · · Score: 4, Insightful

      "Only your key is known to the central sites so that your identity remains anonymous but your habits can be tracked"

      You contradict myself. You are not anonymous if someone knows who you are. You might get a feeling of anonymity because of the shelter provided by the powers to be. But, that is all at their mercy.

      Don't confuse privacy for anonymity.

      --
      now supporting:
      cmdrTaco for president '04
      michael for oval office intern summer '05
    7. Re:Uh, prior-art? by Gortbusters.org · · Score: 3, Informative

      This is true in both P2P networks as well as a challenge for large distributed systems. In fact, global operations are always a difficulty. Searching an entire P2P network is a hit or miss operation since you never know when one of your peers will be online/offline. Sometimes that's solved in the protocol, sometimes you need a global system with the protocol.

      One thing about P2P that I've found interesting is how P2P internet phones never really caught on yet. With something like Linphone and SIP, you can have a phone that looks like AIM/Yahoo/MSN. You just double click on a buddy and make a call. No toll charges, no centralized server keeping records of your phone call, pure communication at its best.

      --
      --------
      Free your mind.
    8. Re:Uh, prior-art? by teklob · · Score: 2, Insightful

      Rather than authenticating 'good' users and 'bad' users with a review system like ebay, wouldn't it just make more sense to have a hash of each file shared, and then only download those files with a high number of users sharing it. Then all the spam files would have 1 or 2 copies each and the real files would have like 50+ copies.

    9. Re:Uh, prior-art? by Feanturi · · Score: 2, Interesting

      I wonder if it's possible (I really don't know how an MD5 hash works) to download a trusted MP3, leave the ID3 tag intact but scramble the rest of the data and have it generate the same hash? If none of the values changed, just their positions within the file, could that work? It would come out of your MP3 player as total junk but be indistinguishable from a trusted file using current methods of p2p searching, you have to download at least some of it to confirm that it's not the right one. Could that be done? Pardon me if I don't understand how file signatures operate.

    10. Re:Uh, prior-art? by arekq · · Score: 3, Informative
      It is definitely possible to have more than one file having the same MD5 hash, but it is practically impossible to find those files from the hash.

      So, if you just change the positions of the values within the file, it's extremely unlikely that it will have same hash.

      If someone managed to figure out a way to generate a file from a MD5 hash, then it will become useless. (IIRC there's a site that tries to find two files having the same hash, to test the reliability of MD5.)

    11. Re:Uh, prior-art? by Anonymous Coward · · Score: 2, Interesting

      How about pseudonymity? Like the old Freedom network from ZeroKnowledge, you have an identity on the network that can authenticate and gain a reputation, but there is no way to connect an identity on the network with an identity in meat-space (including an IP address).

      It is a pseudonym, which has a continuous identity, personality, etc. but whose reference is unknown in terms of real name, etc.

      This is all that is needed, not true anonymity.

    12. Re:Uh, prior-art? by Arker · · Score: 2, Insightful

      That might be funny, if P2P were criminal.

      --
      =-=-=-=-=-=-=-=-=-=-=-=-=-=-
      Friends don't let friends enable ecmascript.
    13. Re:Uh, prior-art? by vegetablespork · · Score: 3, Interesting

      And what happened to the old Freedom network? It was conveniently shut down due to "lack of a market" right after 9/11. Can't have Joe Average with strong anonymity!

      --

      Call (206) 338-5780 COLLECT for information about a genuine BA, BS, MA, MS, MBA, or Ph.D.

  3. This can only be good news for fileswappers. Maybe by Raindance · · Score: 5, Interesting

    First off, many P2P networks are smart enough to easily defeat this attack. Reputation tracking alone, out of several technologies already implemented to prevent this attack, is almost enough. The news here is not about the technology used, it's the patent itself.

    With that said, this is then a barrier to entry for Overpeer, MediaDefender, and like companies- either they convince these folks to license this technology or they'll probably face a lawsuit (depending on whether they're infringing currently, which is probable).

    So yeah, this is good news for P2P filesharing specifically, and P2P networks in general, as being a network disrupter is probably more costly because of this patent.

    The courts, however, might rule that one cannot patent things such as this-- there's little-to-no qualitative difference between folks patenting this and me patenting a method for a DDOS or patenting a method used in a computer virus. Depending on the judge, they may be in for a surprise if their patent goes to court.

    RD

  4. Dual use by Anonymous Coward · · Score: 2, Interesting

    Something like this could also be used to confuse the RIAA with their obviously unresearched lawsuits. Hmm...

  5. Good thing I use by Anonymous Coward · · Score: 2, Insightful

    IRC. Unless this thing can stop IRC, it's only making it harder for the casual filesharer. Determined individuals will just go elsewhere.

  6. Technology Lifespan by BCoates · · Score: 5, Funny

    1. Invent product
    2. Deploy into market
    3. Product becomes obsolete
    4. Patent awarded

  7. Phase 2 of the plan... by Anonymous Coward · · Score: 2, Funny

    "Ladies and gentlemen of the RIAA, we will be happy to allow you to license our patent to continue your technology-based counter-p2p operations.... for ONE BILLION DOLLARS!" [touch pinkie to corner of mouth, for added effect]

    And of course, phase 3: Profit!!!!

    1. Re:Phase 2 of the plan... by Rosco+P.+Coltrane · · Score: 4, Funny

      > we will be happy to allow you to license our patent to continue your technology-based counter-p2p operations.... for ONE BILLION DOLLARS!" [touch pinkie to corner of mouth, for added effect]

      It's a technology for p2p Haters, therefore we shall call it "Preparation-H"! Because it's good on the whole.

      --
      "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  8. Would it really matter? by Rosco+P.+Coltrane · · Score: 4, Insightful

    If there are 10000 bogus files, but only a handful that have more than 5 sources, chances are these are the real McCoy and all the others are the decoys.

    And even if there are 10000 files around with a lot of sources for each file, I'm sure people will start trading files containing the RC5 checksums of real files, on IRC or something. Hell, they might even P2P the real-files index :-)

    In short: should the RIAA/MPAA and friends even adopt that technique, it'll give them only a very temporary reprieve. They really should realize the cat's out of the bag and they should start thinking of new business models around digital file sharing, not against it.

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    1. Re:Would it really matter? by Coke+in+a+Can · · Score: 5, Insightful

      It's really hard to checksum MP3s, though. First thing I do after downloading an MP3 is change the ID3 tags to my liking, which changes the file, and generally makes it unique, with only one source, me.

    2. Re:Would it really matter? by Rosco+P.+Coltrane · · Score: 2, Insightful

      True true, but a majority of people don't do what you do. Proof is, there are files with kajillions of sources: those are untouched files, and they're usually what people go for.

      What you do, in effect, is diluting my ability to download the file from other sources than you, because most likely you're the only person to have that version of the file. Which in turn diminishes the overall value of P2P, and also hurts you because nobody downloads from you, therefore you have a lesser rating to download from other people as a result.

      --
      "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    3. Re:Would it really matter? by Nugget · · Score: 2, Insightful

      No, it's pretty much impossible to do this unless you plan to download all the files first which sort of defeats the purpose of the checksumming.

    4. Re:Would it really matter? by in7ane · · Score: 2, Interesting

      It's easy to write a script that checksums the MP3 data while ignoring the ID3 tags.

      > No, it's pretty much impossible to do this unless you plan to download all the files first which sort of defeats the purpose of the checksumming.

      Fortunately you are wrong, if this is implemented within the clients then the checksums sent across the network will be of the actual mp3 data without the id3 tag. It can even be implemented gradually - if implemented: send both checksums, when comparing use the mp3-only checksum if available, etc.

    5. Re:Would it really matter? by AdamPiotrZochowski · · Score: 2, Informative


      so you are one of the losers who keeps changing the id3 tags.. ;D

      but seriously, it's not like it's magic to create a checksum of only
      music frames of mp3s. This has been done few times ago, for example
      checkout crc authentication built to mp3, or better yet, use a ready
      tool such as
      linux -> mp3bookhelper
      windows -> mp3-vaccinator

      Another way is to compare tree hashes of files. A tree hash is where
      you break a file into a binary tree, where each leaf is a hash of a
      segment of a file. You combine the hashes of each leaf to get a node
      hash. All the way until you get the root node hash. With a tree hash
      it's quite efficient to figure out what part of file is different and
      needs a redownload. That is assuming you are using id3v1 which does
      not change file size. This is yet another reason to avoid
      id3v2/Ape systems.

      --
      /apz, "Dishonor will not trouble me, once I am dead." -- Euripides
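
The two checks described in the comments above (a checksum over only the MP3 data, and a tree hash that pinpoints the segment that differs), as an added example that is not part of any poster's comment. SHA-256, the 1024-byte leaf size, the leaf/node prefixes and all sample bytes are assumptions constructed for the demo.

```python
"""Tag-independent MP3 fingerprint plus a binary hash tree (constructed demo)."""
import hashlib

LEAF_SIZE = 1024  # bytes per leaf; an assumption, the thread names no size


def strip_id3(data: bytes) -> bytes:
    """Return the audio payload without a leading ID3v2 or trailing ID3v1 tag."""
    start, end = 0, len(data)
    if len(data) >= 10 and data[:3] == b"ID3":
        size = 0
        for byte in data[6:10]:               # 4-byte "synchsafe" size, 7 bits each
            size = (size << 7) | (byte & 0x7F)
        footer = 10 if data[5] & 0x10 else 0  # optional ID3v2.4 footer
        start = min(end, 10 + size + footer)  # clamp: the size field is untrusted
    if end - start >= 128 and data[end - 128:end - 125] == b"TAG":
        end -= 128                            # fixed 128-byte ID3v1 trailer
    return data[start:end]


def tree_levels(payload: bytes, leaf_size: int = LEAF_SIZE) -> list:
    """Build the hash tree bottom-up; levels[0] is the leaves, levels[-1] the root."""
    level = [
        hashlib.sha256(b"\x00" + payload[i:i + leaf_size]).digest()
        for i in range(0, max(len(payload), 1), leaf_size)
    ]
    levels = [level]
    while len(level) > 1:
        parent = []
        for i in range(0, len(level), 2):
            if i + 1 < len(level):
                parent.append(hashlib.sha256(b"\x01" + level[i] + level[i + 1]).digest())
            else:
                parent.append(level[i])       # unpaired node is promoted unchanged
        level = parent
        levels.append(level)
    return levels


def audio_root(data: bytes) -> str:
    """Root hash of the tag-stripped audio, as hex."""
    return tree_levels(strip_id3(data))[-1][0].hex()


def whole_file_sha256(data: bytes) -> str:
    """Naive checksum over the whole file, tags included."""
    return hashlib.sha256(data).hexdigest()


def differing_leaves(a: list, b: list) -> list:
    """Walk two same-shaped trees from the root and return mismatching leaf indexes."""
    if [len(lv) for lv in a] != [len(lv) for lv in b]:
        raise ValueError("trees have different shapes (payload lengths differ)")
    suspects = [0] if a[-1][0] != b[-1][0] else []
    for depth in range(len(a) - 1, 0, -1):
        below = depth - 1
        suspects = [
            child
            for node in suspects
            for child in (2 * node, 2 * node + 1)
            if child < len(a[below]) and a[below][child] != b[below][child]
        ]
    return suspects


def synchsafe(n: int) -> bytes:
    """Encode an ID3v2 tag size as four 7-bit bytes."""
    return bytes((n >> shift) & 0x7F for shift in (21, 14, 7, 0))


# --- Constructed sample data: not real MP3 frames, just deterministic bytes ---
AUDIO = bytes((i * 31 + 7) % 256 for i in range(5000))
ID3V1_A = b"TAG" + b"Track".ljust(125, b"\x00")
ID3V1_B = b"TAG" + b"01 - Renamed By Downloader".ljust(125, b"\x00")
ID3V2 = b"ID3\x03\x00\x00" + synchsafe(300) + b"\x00" * 300
COPY_A = AUDIO + ID3V1_A                      # original copy
COPY_B = ID3V2 + AUDIO + ID3V1_B              # same audio, retagged
DECOY = AUDIO[:2500] + b"\xff" * 16 + AUDIO[2516:] + ID3V1_A  # altered audio

if __name__ == "__main__":
    print("whole-file match :", whole_file_sha256(COPY_A) == whole_file_sha256(COPY_B))
    print("audio-root match :", audio_root(COPY_A) == audio_root(COPY_B))
    good = tree_levels(strip_id3(COPY_A))
    bad = tree_levels(strip_id3(DECOY))
    print("decoy bad leaves :", differing_leaves(good, bad))
```

A matching root only shows that two copies carry the same audio bytes; deciding which root belongs to the genuine file still needs a source the downloader trusts.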

    6. Re:Would it really matter? by Gortbusters.org · · Score: 3, Interesting
      Sounds like you need to get your act together and pirate more songs haha!

      Most mainstream songs (i.e. ones on the radio) have a large fake song:real song ratio. The methods of 'fakeness' vary:

      • Beeps - nothing like some high volume beeps to destroy your speakers/headphones/ear drum
      • Intro, then silence - Looks like a valid song, sounds like a valid song, but after 15-30 seconds it goes silent
      • Varied Silence/feedback play: I don't know how they do it, but seems like some of the fake songs will play no matter where you start playing them from, but after a few seconds they will either give the feedback sound or go to silence
      • Repeat the Chorus: This one is sometimes a hidden treasure. Most songs have a chorus that's normally sung/played over and over in the song. But the fake mp3 just repeats the chorus for the entire song! The good news is that if you like the song for its chorus, you may be lucky enough to find a pure chorus version of it, WOOHOO!
      • Mysterious WMA files: try and play these on windows and it just sends you to an MSDN site. I never play an mp3 file with a valid proxy setting though, just in case they check those logs...

      Lately, I don't see many valid songs at all. All the fake ones are on servers with tons of bandwidth, so they download almost immediately. The good news is that fake songs usually have the standard format: "Artist - Song Name", where real songs have something that someone might have actually done themselves "01-Artist_Song_Name" or "[Rock]-Artist_(Album)-Song-Name"... but not many people share that, and the one guy that does seems to transfer at 3-5kb/s :(
      --
      --------
      Free your mind.
  9. Re:When will this end? by Anonymous Coward · · Score: 2, Insightful

    To have shame requires you to have honor.

  10. Prior art? by adam+mcmaster · · Score: 2, Insightful
    > This raises the question of whether or not companies that are already using such techniques are in violation of the new patent.

    Wouldn't that be an example of prior art? If so it wouldn't cause much of a problem for them.

    Either way, I have to wonder how effective this method would actually be. Surely I could get around it by simply downloading the file with the biggest number of sources?

  11. Not quite by vlad_petric · · Score: 4, Informative
    Patents are retroactive - they're effective from the application day, regardless of the time it takes to process them.

    So it's safe to put 5. Profit :)

    --

    The Raven

    1. Re:Not quite by sydb · · Score: 2, Funny

      Don't you need:

      4.5. Sue somebody

      ?

      --
      Yours Sincerely, Michael.
  12. Mixed feelings! by sisukapalli1 · · Score: 3, Insightful

    It is like someone patenting the process of "harassing people". I don't know whether to cheer for it because it makes harassing more expensive, or to feel sad about the overall state of affairs at the USPTO.

    I am sure there is plenty of prior art for this. DDOS, bogus uploads to P2P (e.g. people try to become the "supreme being" on kazaa by putting dummy files named after the latest hits). If the only difference is the "intent" and "amount" of the junk sent to P2P networks, granting a patent looks ridiculous.

    However, if there is a lawsuit between these guys and the MPAA/RIAA, I will cheer for the patent.

    S

  13. False patent by Orion+Blastar · · Score: 5, Interesting
    This is called a Cuckoo's Egg and many people have done it already.

    The Definition says:

    > A cuckoo egg is an MP3 file that typically contains 30 seconds of the original song with the remainder of the song overwritten with cuckoo clock noises, white noise, and/or voice messages such as, "Congratulations, you must've goofed up somewhere." Ideally, a cuckoo egg should have the same playing length as the music it pretends to be. The purpose of cuckoo eggs is to deter the downloading and sharing of MP3 files using Napster and similar approaches.

    > Typically, a Napster user downloads an MP3 file and sometimes shares it with others before listening to it. Recognizing this, a cuckoo egg creator creates the cuckoo egg to look exactly like a real MP3 file. The user then unknowingly shares the cuckoo egg with other unsuspecting users spreading the cuckoo egg like a virus. Unlike a virus, cuckoo eggs do not damage computers, but simply annoy and waste the time of those who download the files.

    > The Cuckoo Egg Project began with Michael and Stephanie Fix. Stephanie Fix is a musician who is concerned about the illegal availability of copyrighted music through Napster. The concept centers on the idea of how a real cuckoo bird lays its eggs in another bird's nest. To the Fixes, the Napster system is like a huge nest of MP3 files, a perfect environment in which to lay cuckoo eggs.

    > The first cuckoo egg was laid on June 10, 2000. Since then, Napster users have posted hundreds of angry messages at the Cuckoo Egg Project's Web site. Whether it's deterring them from downloading other songs has not been determined.

    First spotted on June 10, 2000, so the patent is a false or fraudulent one.

    --
    Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
    1. Re:False patent by John3 · · Score: 2, Interesting

      I'd be real interested in seeing exactly when they filed, considering that my brother and I came up with the Cuckoo's Egg Project. IMHO it's not a patentable idea, but try telling that to the US Patent Office.

      --
      "We make our world significant by the courage of our questions and by the depth of our answers." Carl Sagan
    2. Re:False patent by John3 · · Score: 3, Interesting

      Found the patent online and they filed it in August 2000. That's after we got plenty of press including a Slashdot article that brought our server to its knees and attracted a fair number of DDOS attacks. :-)

      --
      "We make our world significant by the courage of our questions and by the depth of our answers." Carl Sagan
    3. Re:False patent by rmohr02 · · Score: 2, Insightful

      I hate all software patents--I don't make exceptions based on who is hurt by the patent.

    4. Re:False patent by 91degrees · · Score: 2, Informative

      That's something I can see working.

      Just supplying a fake file with no music seems like it would never work, simply because there are a lot more file sharers than there are people trying to stop them, and people are really quite likely to listen to at least the first few seconds to check that their downloaded file was the one they thought it was.

      The Cuckoo Egg seems to have worked out a solution to this. I'm quite impressed with the idea. Still not sure it's going to prevent me from downloading music, but I feel it's certainly worth a try. (Yes, I download music. I also realise it's not justifiable, and therefore any reasonable attempts to stop me are perfectly acceptable.)

  14. but... by AnonymousCowheart · · Score: 3, Informative

    but, as soon as you get a bad download, you erase it, so people don't spread them. If you search for a song using say gtk-gnutella, just download the file that has the most sources. It's highly unlikely that 80+ people will have a bogus song under the file you're looking for. We're in trouble if they start sharing on multiple IP's though...

    1. Re:but... by ticktockticktock · · Score: 4, Interesting

      You are forgetting that peers are generating the results and relaying results from other peers. Nothing stops a rogue person from modifying a gnutella client to look for certain searches and then prevent them from going beyond their peer and simply send back garbage results with hundreds/thousands of fake sources for the fake file.

  15. Good news for subscription services? by SoLoatWork · · Score: 2, Informative

    No, good news for Direct Connect.

  16. P2P spam by whovian · · Score: 4, Funny

    From the article: "It's like looking for a needle in a haystack."

    Much like legitimate email in our inboxes.

    --
    To-do List: Receive telemarketing call during a tornado warning. Check.
  17. When will they get it? by HolyCoitus · · Score: 2, Insightful

    If you eliminate one technology, another one will pop up in its place. Maybe even just an improved version of the one currently in place! Since this has been done before, you'd hope that they did an improved version of it in some way, and that's how they got the patent? It hasn't worked yet, and it won't work anytime in the future either.

    All this does is damage a network through crap flooding anyhow. It will kill freely distributed content as well as the content they are attacking. On the same note, I think that it's complete crap that you can patent something like that. Patent a means of attacking something? If they can patent this, I really need to patent my method of ridding people of underage drinking, known as firing a pistol at the containers that they are holding.

    I use bittorrent for my content, and have no need for something that someone is trying to keep me from using, hearing, or seeing by eroding my privacy and rights. If they want to put a barrier between me and their product, I won't waste my time or money on it.

    --
    That's scary.
  18. So basically they patented spam? by cowscows · · Score: 4, Interesting

    This is basically a patent on the reality of spam. A bunch of noise that makes email/IM/p2p such a mess that it's hard to find anything that you want.

    If only someone held a patent on spam, maybe that'd lower the volume of it somewhat.

    --

    One time I threw a brick at a duck.

  19. Re:Is this legal? by Jedi+Alec · · Score: 2, Interesting

    ofc. it's legal. a heck of a lot more legal than all the *real* britney spears mp3's on the networks anyway. basically what they're doing is sharing non-copyrighted material on a p2p network, which happened to be what the network was for *officially* anyway. just because the filenames are bogus doesn't mean anything, p2p networks hardly come with guarantees....

    --

    People replying to my sig annoy me. That's why I change it all the time.
  20. How can they call themselves a student?! by jals · · Score: 2, Funny

    I hope that "student" gets a punch from each of his fellow students. A student attempting to stop filesharing? What is the world coming to.

  21. This is already a problem.. by Caedar · · Score: 2, Insightful

    When someone uses P2P on FastTrack or other popular networks, generally the more mainstream a song the more bogus files there are. I can guarantee you that 90% of peers out there serving a popular song will have a bad (Beeps, static, sounds, etc. purposefully scattered through the song) copy.

    Back a year or two ago, I remember encountering an mp3 file being served by over 1500 sources on FastTrack, and it was screwed up beyond belief.

  22. file sharing by ajs318 · · Score: 3, Insightful

    I use Apache for all my file sharing needs. Anyone wanting to download anything from me needs either my domain name or IP address -- and has my word that the files are genuine.

    Ultimately, the Internet will recognise the uploading of "poisoned" files as damage and route around it accordingly.

    --
    Je fume. Tu fumes. Nous fûmes!
  23. Right by M3wThr33 · · Score: 2, Interesting

    Sure, like P2P apps haven't had difficulty with this before.

    Magnet links send you right to the file without needing to search.

    You can check for files with lots of sources AND different IPS with a file that ISN'T rated 0 with a FAKE comment attached to it.

    IP Bans, file size checks, sample checking, file hashing.

    There's too many ways to block fake files.

  24. Re:When will this end? by JasonEngel · · Score: 4, Insightful
    You think this is a bad thing? Now that this pair has a patent on the concept, maybe the patent can be used AGAINST those people who flood P2P networks with false files. In order to do so now, they have to license the concept from this Prof/Student duo or face litigation.

    Maybe - just maybe - this is a good thing. The question is, did it happen at a useful point in time, or is it now irrelevant?

  25. Re:This can only be good news for fileswappers. Ma by LilGuy · · Score: 3, Insightful

    > First off, many P2P networks are smart enough to easily defeat this attack. Reputation tracking alone, out of several technologies already implemented to prevent this attack, is almost enough.

    Keyword here: almost. I've gotten a number of "Excellent" rated files from kazaa and found them to have the same annoying screech-pop sounds and any other ones. I no longer pay any attention to whether or not a file is rated because it hardly makes a difference.

    How is rating a file going to stop this? The only people who use it are the RIAA anti-piracy people. They get 50 people to rate it excellent, and then everyone downloads it. They find out it's the same pop-screech sound, but they leave it on their hard drive and don't rate it down. Other people see that there is an enormous bandwidth for this "excellent" file and figure it's a sure thing. Wrong!

    --

    You're nothing; like me.
  26. They invent... by Kjella · · Score: 2, Insightful
    ...and others invent counter-measures. Previews? MD5 sums? Digital signatures? Web of trust? I predict that in 5 years, they will have lost the copyright battle. By then we will have an anonymous, well-organized (like newsgroups tree) network with trust metrics, integrity checking, digital signatures, floodprotection (hashcash rate limiting?), the works.

    All it takes is someone to put it all together, most of the bits and pieces are already there. And that, is only a matter of time. Unfortunately, I suspect there will be some collateral damage:
    • Slander
    • Fraud
    • Pump & dump stock scams
    • Hate speech
    • Threats
    • Private information forever public if leaked
    • Illegal pornography (yes, you know what kind)
    ...and a whole host of other things that we would like to control. This is like antibiotics. You know why they're careful in issuing them, and want you to take the dosage out? So the diseases don't get resistance, and finally even immunity against them.

    They're now trying to cure what I would call light sniffles with heavy antibiotics when it comes to information control. One day, not so many years from now someone will point at the copyright holders and say: "You see the movie of this 4yo eating cum, that'll download if I double-click? We can't stop it, and it's all YOUR FAULT"

    Kjella
    --
    Live today, because you never know what tomorrow brings
  27. Why? by 0x0d0a · · Score: 4, Insightful

    Why would you email these people and complain? Applying social pressure isn't going to stop the march of progress any more than the RIAA sending nastygrams is going to stop me from adding code to P2P clients and working on approaches to counter attacks on P2P networks.

    Spamming is a known attack on most P2P networks, because such networks treat everyone with a certain level of (possibly undeserved) trust. It's not rocket science, and if people designing networks failed to take it into account and allowed it to be an effective attack, it's *their* problem (just as the RIAA devising a business system with expensive music and infeasible protection has copy protection as *their* problem).

    This does nothing to solve the thing long-term.

    Here is what will happen.

    Initially, P2P networks took a "trust anyone" approach. (Napster, etc). This rapidly was shown to be infeasible, and systems allowing black/whitelisting users, allowing trusted endorsement of files (Sharereactor and similar), and allowing community rating (Bitcollider) popped.

    Hale and Manes just took the obvious next technological step, which is to make it easier to attack the network -- have a system that learns what people are suckers for most, and to exploit it (well, and just about every other claim they could think of to throw in, but that's the meat of the patent). I think that it's absurd to make this patentable, frankly. These ideas are not only obvious, but have been floating around on P2P system development forums. Furthermore, the academic and business systems that we have rewards people like Hale and Manes for creating bullshit patents -- that's still not their fault. It's that of the people who have control over the patent process, which is ultimately all of us.

    It's quite possible to counter whatever Hale and Manes are claiming is new and revolutionary. There are current systems like WASTE with simple trust systems -- users can be in or out, and anonymous users aren't trusted. It may take a trust network with non-binary trust (this person is *really* trusted to provide good files, this one not as much) and transitive trust. The schemes coming from Hale and Manes are quite beatable, though -- it's a losing position to be holding.

    Anyway, after someone comes out with a trust system, people like Hale and Manes will then come out with patents on processes that demonstrate attacks on whatever statistical methods are used to assess trust in such networks.

    The algorithms will be tweaked by P2P folks, and eventually a pretty-good-to-the-point-that-P2P-network-attackers-can't-effectively-beat-it network will be reached. The RIAA/MPAA/people protecting content are guaranteed to lose. Even harsh legislation against copyright infringement just promotes increasingly more anonymized systems like Freenet.

    Content providers will be forced to move more towards service-oriented systems (you buy a music "service" with access to a vast music library, and then content creators and marketers are recompensed based on how much their content is used). It's not the end of the world for anyone, and the same cycle of upheaval and technological improvement has happened time and time again in many areas. In the end, we generally have a more effective system for all involved.

    I personally *like* it when people run out and attack P2P networks. It drives people to do systems right, rather than just hack things up without a thought for security (and unlike a cracker breaking into a computer, someone attacking Gnutella doesn't prevent anyone from getting work done or expose personal data). I think that producing "properly built" networks that don't have such weaknesses is an absolute blast, a fun research topic, the side that gets all the love from people who are trying to toss data around, etc.

    Heck, it might even be neat to work under Hale and try to thwart the latest in anti-sharing strategies that one of his other students has come up with. :-)
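
The non-binary, transitive trust mentioned in the comment above can be sketched as follows. This is an added example, not code from the post or from any P2P client; the peer names and weights are constructed, and it assumes peers have stable identities (for example public keys).

```python
# Constructed sample graph: EDGES[a][b] is how much a trusts b, in [0, 1].
EDGES = {
    "me":    {"alice": 0.9, "carol": 0.5},
    "alice": {"bob": 0.8},
    "carol": {"bob": 0.9, "dave": 0.4},
    "dave":  {"erin": 0.9},
}

def derived_trust(edges, me, max_hops=3):
    """Best product of edge weights over any path of at most max_hops edges.

    Trust decays with every hop, and a peer nobody vouches for gets no
    entry at all, so flooding the network with new identities gains nothing.
    """
    best = {me: 1.0}
    frontier = {me: 1.0}
    for _ in range(max_hops):
        nxt = {}
        for src, score in frontier.items():
            for dst, weight in edges.get(src, {}).items():
                if not 0.0 <= weight <= 1.0:
                    raise ValueError(f"trust weight out of range: {src}->{dst}")
                cand = score * weight
                if cand > best.get(dst, 0.0):
                    best[dst] = cand
                    nxt[dst] = cand
        frontier = nxt  # only peers whose score improved need re-expanding
    return best

def rank_results(results, trust, floor=0.3):
    """results: list of (peer_id, file_name). Drop sources below the floor,
    then list the rest with the most trusted source first."""
    scored = [(trust.get(peer, 0.0), peer, name) for peer, name in results]
    kept = [s for s in scored if s[0] >= floor]
    kept.sort(key=lambda s: -s[0])
    return [(peer, name) for _, peer, name in kept]

if __name__ == "__main__":
    trust = derived_trust(EDGES, "me")
    hits = [("mallory", "song.mp3"), ("carol", "song.mp3"),
            ("bob", "song.mp3"), ("dave", "song.mp3")]
    print(rank_results(hits, trust))
```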

  28. Survival of the fittest... by bergeron76 · · Score: 2, Interesting

    Only the "fittest" files will survive on these networks. As a result, it amuses me to see these guys try and put bogus files out there. They almost instantly die in the wild when people rank them as bogus.

    When will they learn?

    --
    Don't think that a small group of dedicated individuals can't change the world. It's the only thing that ever has.
    1. Re:Survival of the fittest... by ashot · · Score: 2, Informative

      this used to be true, but not anymore. Now that Bob has a 120GB hard drive he just downloads 50 Led Zeppelin songs to his shared folder and doesn't listen to them.

      --
      -ashot
  29. No use. by flaXen_5 · · Score: 2, Insightful

    What... It took a professor and a student to conceive of this? It's child's play, and issuing a patent for this sort of thing seems useless, but who cares. This technique won't work on all P2P networks. DirectConnect (DC++ anyway) shows a hash code along with the search results. Simply ignore the files that have the same size and different hashes. If you download the wrong file to begin with, then download the other heh. Plus, the DC hub daemons seem to only allow 4 search results per person searched, so at worst, you could get 4 bogus hits from any one source of bogusness. In the ongoing war between anti- and pro-file swappers, technology WILL escalate until someone stays on top, and my guess is techniques like this won't keep traders down for long before they solve the 'problem' of fake file shares.

  30. This is nothing new by THE+ROCK · · Score: 2, Interesting

    This kind of thing has been happening for a long time now. I've seen this on the kazaa networks for the last couple of years, usually with newly released songs.

    To be honest, I get a kick out of it...I derive an amount of satisfaction after I find a "good" version of a song that somebody went through the trouble of making and distributing a decoy of, knowing that they FAILED in their attempt to stop me from downloading. Once you've had it happen to you enough times, it isn't all that hard to pick out the good versions of a song and ignore the messed up ones (I started calling them riaa bombs, since I figured they are probably behind it.)

    This issue underscores one of the problems with p2p networks...if you want to get your music this way you have to remember it's a crapshoot. You might get an intentionally messed up song like this, you might get an mp3 that was encoded by an idiot (full of pops and scratches, dropouts, terrible sound, joint stereo, low bitrate, came from the radio or analog tape, etc) who either doesn't bother or care to check his work; or you might get a nice well made music file.

    It also seems like a lot of people download bad versions of songs like this, and never bother to check them...so their spread is helped. In fact this can help you spot bad files on kazaa, when 50 sources show up for one file there's a good chance it's one of these.

  31. not just illegal files by townmouse · · Score: 3, Insightful
    The article says that this technique can be used to thwart illegal file sharing, but it will work equally against legally shared files. The technology could be used to suppress a rival's freely-distributed music (a subtler trick would be to flood the network with plausible-sounding but inferior copies).

    This threat isn't going to keep me awake at night if it's confined to music, but as the article says,
    Hale said the technology could be applied to protect all sorts of sensitive or confidential material.

    This means we won't be able to trust the current generation of P2P networks for authentic news, commentary from reputable sources, free (as in either) software, accurate documentation for same, or any data that some powerful organisation doesn't want us to share. In many cases such forgeries would be illegal under copyright, trademark, defamation or competition laws, but proving which cuckoo laid the egg could be very difficult.

    --
    Ask me if I've been required to disclose any crypto keys.
  32. P2P trust is possible, here is how: by jetmarc · · Score: 3, Insightful

    > You need a central certificate authority to validate the authenticity of users.

    A way-out is to make it expensive to infiltrate the P2P network at large-scale. For example,
    files could have a quality record attached, that lists what each previous downloader voted
    about the quality ("good" vs "fake" file). Cryptographic algorithms could be used to make it
    excessively expensive to compute a valid quality record. Time for one computation should be
    a decent portion of minimum download time, eg 10-60 minutes for a 700MB file. The P2P system
    could pre-compute the vote record while downloading the file and then let the user make his
    vote. If you were to insert fake votes into the system, you would have to go through the
    expensive algorithms for each and every individual fake vote.

    When searching a file, the P2P system could cryptographically verify the votes, and weed out
    the "cheap" fake files (that didn't go through the expensive computation).

    The cost of cryptographic effort could be configurable. The releaser of a file could judge
    the risk of "his" file being attacked (and with how much effort), and thus choose a cost
    setting that is low enough to be reasonable for the downloaders, but high enough to void
    all attacks.
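
The costly-to-create, cheap-to-verify vote record proposed in the comment above can be illustrated with a hashcash-style puzzle. This is an added example, not code from the post or from any P2P client; the record layout, the function names and the use of SHA-256 are assumptions.

```python
import hashlib
import os

VOTE_BYTE = {"good": b"\x01", "fake": b"\x00"}  # fixed-width vote encoding
SALT_LEN = 16

def zero_bits(file_hash: bytes, vote: str, salt: bytes, nonce: int) -> int:
    """Leading zero bits of SHA-256(file_hash | vote | salt | nonce)."""
    msg = file_hash + VOTE_BYTE[vote] + salt + nonce.to_bytes(8, "big")
    digest = hashlib.sha256(msg).digest()
    return 256 - int.from_bytes(digest, "big").bit_length()

def make_vote(file_hash: bytes, vote: str, bits: int) -> dict:
    """Expensive side: about 2**bits hashes on average per vote."""
    salt = os.urandom(SALT_LEN)  # makes each voter's puzzle distinct
    nonce = 0
    while zero_bits(file_hash, vote, salt, nonce) < bits:
        nonce += 1
    return {"vote": vote, "salt": salt, "nonce": nonce}

def verify_vote(file_hash: bytes, rec: dict, bits: int) -> bool:
    """Cheap side: one hash. Rejects malformed or under-worked records."""
    try:
        vote, salt, nonce = rec["vote"], rec["salt"], rec["nonce"]
        if vote not in VOTE_BYTE:
            return False
        if not isinstance(salt, bytes) or len(salt) != SALT_LEN:
            return False
        if not isinstance(nonce, int) or not 0 <= nonce < 2**64:
            return False
    except (KeyError, TypeError):
        return False
    # The work is bound to this file and this vote, so a record cannot be
    # moved to another file or flipped from "good" to "fake".
    return zero_bits(file_hash, vote, salt, nonce) >= bits

def tally(file_hash: bytes, records: list, bits: int) -> dict:
    """Count only verified votes; a replayed record counts once."""
    counts = {"good": 0, "fake": 0}
    seen = set()
    for rec in records:
        if not verify_vote(file_hash, rec, bits):
            continue
        key = (rec["vote"], rec["salt"], rec["nonce"])
        if key not in seen:
            seen.add(key)
            counts[rec["vote"]] += 1
    return counts
```

Each extra bit of difficulty doubles the average cost of producing a vote while verification stays at one hash, which is the configurable cost setting the comment describes.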

  33. Re:Patent Date by DissidentHere · · Score: 2, Interesting

    It would still be a stupid patent, even if they filed for it in 1990. The idea is not novel, the idea is to increase the noise to the point that the signal is hard to find. The government did this a long time ago with radio/radar jamming. It's not a new or novel idea, just a new implementation. And it is really easy to get around, the P2P network (users) just adapts and finds a way to identify the real thing.

    Additionally, the bogus files will not survive because people will just delete them once they realize they are bogus, thus they will not propagate as fast as real files, and will eventually die off. You'd think these academians would realize that.

    I don't use P2P myself, but I don't think the RIAA would have as much to worry about if they put out some music worth paying for. I'm happy to pay to support artists I like, and iTunes is pretty damn good, but c'mon, the only way I'd buy anything by Britney Spears is for 30 minutes alone with her to do my bidding.

    --
    "None of us are as dumb as all of us." - meeting mantra
  34. One word: SHA1 by teutonic_leech · · Score: 2, Insightful

    Problem solved - peer network users will quickly be able to excreed bogus files by declaring them as 'suspicious'. Quality content will flow to the top and will be shared more effectively. In fact, while this might throw a monkey wrench into existing clients and frameworks, it might actually lead to higher quality downloads.

  35. Your sig by base3 · · Score: 3, Funny

    Translating "all your base are belong to us" into Latin is surely some kind of punishable crime :).

    --
    One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
  36. Re:...how is this different from spam? by servoled · · Score: 2, Insightful

    How does this ruin the P2P network? It has absolutely no effect on the network and the underlying applications at all. It just ruins the copyrighted content on the network without doing anything to the network at all.

    --
    "I have a porkchop, you have a porkchop. I have a veal, you have a veal".
  37. This raises the question.. by yoshi_mon · · Score: 2, Funny

    Does this kid have *any* friends at all?

    --

    Really, I know what I'm doing...Ohhhh, look at the shiny buttons!
  38. Re:This can only be good news for fileswappers. Ma by cpt+kangarooski · · Score: 2, Insightful

    The courts, however, might rule that one cannot patent things such as this-- there's little-to-no qualitative difference between folks patenting this and me patenting a method for a DDOS or patenting a method used in a computer virus. Depending on the judge, they may be in for a surprise if their patent goes to court.

    Morality hasn't been a factor in patents for ages, and was inappropriate when it was. You can patent bad things.

    --
    -- This and all my posts are in the public domain. I am a lawyer. I am not your lawyer, and this is not legal advice.
  39. "buddy lists" by nutznboltz · · Score: 3, Interesting

    How do you identify someone to compare them to what's on your black list? IP address? Good luck cause you have to deal with DHCP and NAT. Use a token instead? What's to keep them from using a new token whenever they like?

    It's easy to say, just use a list but it's not easy to do that.

    A white list setup leaves you with a WASTE-like network not an anonymous one.

  40. Uh by bonch · · Score: 3, Interesting

    Are you saying it's bad to combat P2P piracy? Slashdotters shouldn't care, right--after all, they don't illegally pirate. Right?

    I've been buying from the iTunes store since it came out. There is no valid reason whatsoever to pirate an artist's works on Kazaa and eMule. Slashdotters have yet to legally or morally justify ripping off an artist's stuff.

  41. New method of protecting illegal activities by cgenman · · Score: 2, Interesting

    This raises a very interesting point. If one were to start a service that would be borderline legal, the best way to protect the profitable, questionably legal portions would be to patent every method of attack. As you are the one designing the system, you have a good chance of seeing its weaknesses first.

    In this way, you use the patent system to shield illegal activity. If one could find a way to wrap a DMCA encryption layer into the process, one would have lots of ammunition against those companies that are attempting to vigilante your semi-illicit activities.

  42. So... by Lord+Kano · · Score: 2, Funny

    Can I get a patent for my method of weeding out bogus files so that people can pirate the right files?

    LK

    --
    "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano