Slashdot Mirror


Finnish Firm Claims Fake P2P Hash Technology

An anonymous reader writes "As reported by The Inquirer, a Finnish company known as Viralg Oy claim to have developed software that can create a junk file with the same hash as a genuine p2p download. This, according to the company, can altogether stop the sharing of copyrighted files by flooding p2p networks with corrupt/junk data, which then spreads through the network, causing less and less of the original file to be available. However, with the resolve of the p2p userbase, is this software really going to 'beat all Peer 2 Peer pirates at their own game,' or simply prove a minor annoyance?"

36 of 748 comments

  1. Just an annoyance by whoppers · · Score: 4, Insightful

    People will always creatively find a way around everything!

    1. Re:Just an annoyance by ePhil_One · · Score: 3, Insightful

      Any evidence that what they've really done is found a way to trick the P2P software into reporting whatever hash they want for a given file? The remote client can't really verify the hash until the complete file is downloaded, so you are clearly relying on the compromised remote computer to compute this. So if they lie about the hash and stream /dev/random onto the network, what is the check?

      --
      You are in a maze of twisted little posts, all alike.
  2. Doubt it by stealthmidget · · Score: 1, Insightful

    I highly doubt this would work - the object of a P2P network is to "peer-review" the files that get transferred. If you get a crappy copy of a file, most people delete it. Therefore, when one searches, the most popular results will most likely be the correct file and not the bad one.

  3. Allow me to be one the first to say... by Ann+Elk · · Score: 5, Insightful

    Bullshit. "Virtual Algorithms" my ass.

    1. Re:Allow me to be one the first to say... by bigberk · · Score: 5, Insightful

      > Bullshit. "Virtual Algorithms" my ass.

      You called it. They can either do proper MD5/SHA1 collisions with unchanged filesize, or they can't. My guess is, they can't.
  4. For all the new 'copysafe' tech that comes out... by FortKnox · · Score: 3, Insightful

    ... it only takes most pirates (at most) a week to find a work around and everything is back to (pirating) normal.

    --
    Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
  5. Re:They have cracked strong hashes, huh? by martok · · Score: 5, Insightful

    Indeed. In order for example to do this with BitTorrent, they would need to be able to generate collisions in sha1 hashes. The implications of which would go well beyond p2p.

  6. Add another hash by Fjornir · · Score: 2, Insightful
    *shrug* Then the p2p networks will respond by using two different hashing algorithms, and a collision will be that much harder to generate.

    Their site is down so I can't get any real details, but I think this is smoke and mirrors in any case.

    --
    I want a new world. I think this one is broken.
  7. Possible Solution by BlacBaron · · Score: 3, Insightful

    Use 2 (or more) different hashing algorithms on the file, and check the file size.

    I'm pretty sure that should reduce the collisions to some stupidly small value.

    --
    Update Watch - Automatic software update notification
  8. Only The Whole File? by TheFlyingGoat · · Score: 5, Insightful

    Don't most P2P programs use MD5? I was also under the assumption that P2P programs do a checksum on each piece of the file they receive, and if it's inaccurate it automatically re-downloads that part of the file. I've had pieces of a bittorrent download fail due to corruption and the client has just downloaded that part again.

    Seems like this company's setup would only work in very specific circumstances, meaning it won't have much of an effect at all.

    --
    You have enemies? Good. That means you've stood up for something, sometime in your life. --Winston Churchill
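
The per-piece checking described in the comment above, as an added example (not part of the original thread and not any client's actual code). It uses BitTorrent-style SHA-1 digests per piece; the peers are hypothetical in-memory functions and the sample data is constructed.

```python
import hashlib

PIECE_LEN = 16 * 1024  # demo piece size (assumption; real torrents use larger pieces)


def piece_hashes(data, piece_len=PIECE_LEN):
    """SHA-1 digest of each fixed-size piece (the last piece may be shorter)."""
    return [hashlib.sha1(data[i:i + piece_len]).digest()
            for i in range(0, len(data), piece_len)]


def bad_pieces(received, expected, piece_len=PIECE_LEN):
    """Indexes of pieces that do not match the published digest list."""
    got = piece_hashes(received, piece_len)
    bad = [i for i, (g, e) in enumerate(zip(got, expected)) if g != e]
    # Missing or surplus pieces (wrong overall size) are failures as well.
    bad.extend(range(min(len(got), len(expected)), max(len(got), len(expected))))
    return bad


def fetch_verified(expected, peers, piece_len=PIECE_LEN):
    """Assemble a file piece by piece, keeping a piece only if its SHA-1 matches.

    peers maps a peer name to a function index -> bytes, a stand-in for a
    network request. Returns (data, rejected), where rejected counts the bad
    pieces each peer sent.
    """
    out, rejected = [], {}
    for index, want in enumerate(expected):
        for name, get_piece in peers.items():
            piece = get_piece(index)
            if len(piece) <= piece_len and hashlib.sha1(piece).digest() == want:
                out.append(piece)
                break
            rejected[name] = rejected.get(name, 0) + 1  # discard and try the next peer
        else:
            raise ValueError(f"no peer supplied a valid piece {index}")
    return b"".join(out), rejected


# Constructed sample data: four full pieces plus a 4-byte tail.
ORIGINAL = hashlib.sha256(b"constructed sample").digest() * 2048 + b"tail"
PUBLISHED = piece_hashes(ORIGINAL)  # what the metadata file would carry


def honest_peer(index):
    return ORIGINAL[index * PIECE_LEN:(index + 1) * PIECE_LEN]


def junk_peer(index):
    # Right length, wrong content: zero bytes in place of the real piece.
    return bytes(len(honest_peer(index)))


if __name__ == "__main__":
    data, rejected = fetch_verified(PUBLISHED, {"junk": junk_peer, "honest": honest_peer})
    print("file intact:", data == ORIGINAL, "rejected pieces:", rejected)
```

Because every piece is checked against a digest list obtained before the download starts, junk is discarded one piece at a time instead of after the whole file has arrived.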
  9. Re:They have cracked strong hashes, huh? by CharonX · · Score: 5, Insightful

    And the best:
    You cracked SHA-1. Oh well, time to switch to SHA-256

    --
    +++ MELON MELON MELON +++ Out of Cheese Error +++ redo from start +++
  10. Re:They have cracked strong hashes, huh? by Sycraft-fu · · Score: 5, Insightful

    I'm sure that they just found some P2P client that has a weak hash and managed to make a generator for that. Then they are either morons that don't know there's more than one hash algorithm, or they do and are just pimping it to try and get money.

    Either way, I give it about a 0 chance they figured out how to quickly find collisions in a strong hash space. If they had, they'd be talking to the NSA, not the RIAA.

  11. By God by somethinghollow · · Score: 4, Insightful

    If I have one of these files and share the hell out of it, I better not be contacted by RIAA. If this spreads, not only will it make sharing difficult, it will make tracking legitimate (haha) piracy more difficult to detect. This (sort of) reminds me of a more high tech version of the time everyone started changing the name of their tracks to things like "Br1tn3y Sp34rs" to evade blocked searches.

  12. durfy durfy by autopr0n · · Score: 2, Insightful

    Using multiple hashes is a hash algorithm itself. If someone found a general way to crack hashes, then they'd be able to crack this new 'super' hash just as easily. All you'd really be doing is creating a hash with more bits. Might as well use the "best" hashing algorithm and increase the width.

    --
    autopr0n is like, down and stuff.
    1. Re:durfy durfy by adamruck · · Score: 2, Insightful

      Partially true. If you take your strongest hash and just increase the number of bits of the result, assuming that someone can crack that hash, it will simply take longer to compute a collision. This would probably increase in a linear fashion.

      However, if you use more than one algorithm, it becomes harder to find a collision that fits both systems AND has the correct file size. This would probably increase in an exponential fashion (read: impossible).

      --
      Selling software won't make you money, selling a service will.
    2. Re:durfy durfy by LanMan04 · · Score: 2, Insightful

      That's not true. First of all, there is no "general" way to crack hashes. That's like saying there is a "general" way to crack crypto algorithms. Sure, there are general cryptanalytic strategies to reduce keyspace, or use some fancy-ass algebra to knock NP-complete problems down to NP or something, but there's no "general" magic bullet.

      So, even if you manage to crack one specific hash algorithm completely (meaning you can produce files of arbitrary size and content that produce a desired hash), you still have to crack the others the file/message is hashed in. I would consider any message/file hashed under multiple algorithms much more secure than any single one. We're not talking hashes of hashes here, but of multiple, independent hashes of a single source file/message. And they must ALL match for the file to be considered genuine.

      Try producing a file that resolves to the same MD5, RIPEMD-160, SHA-1, and SHA-256 hashes as another given file. Damn near impossible.

      --
      With the first link, the chain is forged.
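
The check proposed in several comments above (file size plus several independent digests of the same file, all of which must match), as an added example that is not part of the original thread. The algorithm set and the manifest layout are assumptions, and the sample data is constructed.

```python
import hashlib
import io

ALGORITHMS = ("md5", "sha1", "sha256")  # assumed set; any hashlib algorithm names work


def make_manifest(stream, algorithms=ALGORITHMS, chunk=64 * 1024):
    """Read the stream once, recording its size and one hex digest per algorithm."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    size = 0
    while block := stream.read(chunk):
        size += len(block)
        for hasher in hashers.values():
            hasher.update(block)  # every algorithm sees the same bytes, in one pass
    return {"size": size, **{name: h.hexdigest() for name, h in hashers.items()}}


def failed_checks(stream, manifest, chunk=64 * 1024):
    """Names of the checks ("size" or an algorithm) on which the stream differs.

    An empty list means every check in the manifest matched; anything else
    means the file is rejected.
    """
    algorithms = [key for key in manifest if key != "size"]
    actual = make_manifest(stream, algorithms, chunk)
    return [key for key in manifest if actual[key] != manifest[key]]


# Constructed sample data standing in for a shared file and a junk replacement.
GENUINE = b"constructed sample payload " * 4096
JUNK_SAME_SIZE = bytes(len(GENUINE))
MANIFEST = make_manifest(io.BytesIO(GENUINE))

if __name__ == "__main__":
    print("genuine:  ", failed_checks(io.BytesIO(GENUINE), MANIFEST))
    print("junk:     ", failed_checks(io.BytesIO(JUNK_SAME_SIZE), MANIFEST))
    print("truncated:", failed_checks(io.BytesIO(GENUINE[:-1]), MANIFEST))
```

The manifest is only as trustworthy as the channel it arrived over: digests reported by the same peer that serves the file verify nothing.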
  13. Hashes are cheap, use several by mihalis · · Score: 2, Insightful

    Let's just concede they can actually produce a junk file which has the same hash. I'll even skip over which hash - let's also say it's one of the useful ones.

    I'd be tempted to step up the credentials for a file, say one hash for the entire file, and another for the first 1kb, and so on. It should get significantly harder with each additional verification point.

  14. Collateral Damage by DumbSwede · · Score: 4, Insightful
    Since P2P can also distribute legitimate files (I am looking into one such project even now) this can only be seen as something that will lead to unintended collateral damage (assuming it works of course).

    Here is a tool specifically designed to cripple the flow of data, how can it be thought of as anything but a virus? Should it work I could see TV and Movie studios using it surreptitiously to cripple net-based fledgling media companies.

    This should be outlawed just like any other intentionally malevolent software. Why shouldn't everyone write viruses and malware when the big guys do it and the government sanctions it? This is just the kind of thing that keeps web commerce from taking off to its full potential.

  15. Re:They have cracked strong hashes, huh? by jdray · · Score: 3, Insightful
    > ...or they do and are just pimping it to try and get money

    Safe money bets that horse.

    --
    The Spoon
    Updated 6/28/2011
  16. The hash is generated client side? by ThinkTiM · · Score: 2, Insightful

    The hash is generally generated on the client side of the original uploading system - and the validity of the file can only be checked once the file has been fully downloaded. So to break the system, just modify one of the open source clients to report a particular hash for some random file of the same size as the original. There isn't any need to go to the effort that these guys have.

  17. Re:They have cracked strong hashes, huh? by drgonzo59 · · Score: 4, Insightful

    Agree, this is more like news for the marketing and general folk who don't know what hash is. From the news post the implication is that they can generate another file with the same hash as a given file. If they had indeed found a crack in all the hash algorithms (all SHAs and MDs) the news wouldn't be about P2P but about a major breakthrough in cryptography.

  18. Re:Agreed by metamatic · · Score: 2, Insightful
    > I have listened to music that sounds pretty good, but after the 10th playing it starts skipping. Or it could be those skips are not very noticeable when first played, but once identified, they become annoying.

    I suspect your hard drive is failing.

    --
    GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
  19. Re:They have cracked strong hashes, huh? by me+at+werk · · Score: 3, Insightful

    Wouldn't it not be the same size, though? "Wow, this Britney Spears MP3 is 5 times the size yet it has the same hash!"

    Sure, you can find a collision, but finding a collision which has a size close enough to the more popular real file is a lot more difficult, I'd think.

    --
    For context, click Parent.
  20. The hash algorithms DO NOT NEED to be broken. by atomm1024 · · Score: 2, Insightful

    P2P clients, when they search for files, receive alleged hashes from where? The peers that claim to have them. And since most of these protocols have been reverse-engineered by now, I suspect that this program just combines a random-data generator with a multi-network untrustworthy P2P client. It'll sit on a network and respond to searches, report the expected filename, filesize, and hash (whatever algorithm is used), and wait for people to bite.

    There is no technological way of verifying that the other peer is telling the truth (or at least there won't be unless the whole world implements some sort of Orwellian "Trusted Computing" requirement), aside from downloading the whole file and verifying it against the expected hash. No hash algorithms need be broken. I mean, once the whole file is downloaded, what does it matter to them whether the hash really matches? Why would even an idiot keep a downloaded file just because the program says it's verified and the size matches, if he can clearly see that the file doesn't work?

    --
    Signature.
  21. Re:Interesting idea, how can we apply it to spam? by Anonymous Coward · · Score: 1, Insightful

    The "noise" messages will bounce, and the spammer will identify all the fake addresses. Won't work.

  22. Re:Already done by Anonymous Coward · · Score: 1, Insightful

    > So you could end up with a song that is a half-song, half-static type of thing?

    I think that's called "Nine Inch Nails".

  23. Re:Agreed by Have+Blue · · Score: 4, Insightful

    Because the vast, vast majority of P2P users are trying to get stuff for free, not create an alternative-media-distribution free-expression utopia. They're not going to do anything on anyone else's behalf because it does not directly benefit them or immediately help them get more free stuff faster.

  24. This is so stupid by commodoresloat · · Score: 5, Insightful
    If the copyright issues were not present here and someone built a program that did something like this, they would be universally reviled as a malicious hacker. Hey! Here's a program that creates phony web pages with false information masquerading as legitimate pages! Here's one that copies Excel spreadsheets on the web and subtly pollutes the database with phony information, then stores multiple copies around with the same name! This handy tool attaches to a photocopy machine and randomly scrambles the words on the page you are photocopying!!

    P2P is a technology. Yes it can be used for copyright violations, just like a photocopy machine or tape recorder. But it also has amazing possibilities in terms of creating a universal organic archive. Crippling like this -- and through using lawsuits -- is an unnecessary attack on a system in its infancy.

    The copyright issues will work themselves out -- until the 20th century human art and ingenuity survived for thousands of years without the ability to make millions selling recorded music and video. If p2p has a major effect on the entertainment industry's ability to profit (and I'm still not convinced that it really will), human art and culture will survive. And people will continue to find ways to make a living creating art.

    1. Re:This is so stupid by kamapuaa · · Score: 2, Insightful
      You realize this technology doesn't block *all* p2p traffic, right?

      The main concern shouldn't be the use by the RIAA or MPAA to stop the bootlegging of copyrighted concerns. It's within their rights. The main concern should be the possibility of the technology getting out to griefers who block the legitimate use of Bittorrent.

      But honestly, if this doesn't get out to hackers (which it probably will), this is a lot better solution than having to sue warez websites, or the users who illegally trade movies.

      --
      Slashdot: providing anti-social weirdos a soapbox, since 1997.
    2. Re:This is so stupid by StikyPad · · Score: 2, Insightful

      > If the copyright issues were not present here and someone built a program that did something like this, they would be universally reviled as a malicious hacker.

      This isn't some idealistic universe where all decisions are morally right or wrong regardless of the criteria. Your knee-jerk reaction is baseless and inflammatory.

      "Look people.. If this gangrene wasn't present here, chopping off my leg would be completely unacceptable! How can we just go around chopping off people's legs? Just because I have gangrene!?! What's next, chopping my head off because I have a cold? If someone chopped my leg off when I didn't have gangrene, they would be reviled as malicious!"

      Of course the issue of copyright matters. And, as you mention, they are present here.

      Let's review your next point...

      > P2P is a technology. Yes it can be used for copyright violations, just like a photocopy machine or tape recorder. But it also has amazing possibilities in terms of creating a universal organic archive. Crippling like this -- and through using lawsuits -- is an unnecessary attack on a system in its infancy.

      So technologies are amoral? I'm glad you agree. If a technology comes along that, say, creates random data that matches the hash of another file, that technology might be used to corrupt filesharing networks, but it might also help further the development of stronger encryption.

      > The copyright issues will work themselves out...If p2p has a major effect on the entertainment industry's ability to profit (and I'm still not convinced that it really will), human art and culture will survive. And people will continue to find ways to make a living creating art.

      If someone knocked on my door one day and told me I had to move because the city was tearing down my house to build a highway, I'd fight it tooth and nail. It might be patently obvious to everyone else that my efforts are futile, but I'm comfortable with my house and I like my location. It's entirely possible, and probable, that I'll find a new place to live -- maybe even a better place to live -- but that doesn't mean I want to be kicked off my property involuntarily. After all, it's also possible that I won't be able to afford a similar house. True, the highway will benefit hundreds of thousands of people, and maybe it's selfish of me to want to stay put, but I'd bet that most people would be displeased if they were in my situation.

      Nobody likes having change forced on them.. I'm not saying it's worthwhile to fight it, but I can understand why they would try.

  25. Re:Agreed by Anonymous Coward · · Score: 1, Insightful

    untrue

    2 examples.

    1. I had a HDD slowly die. It corrupted files randomly, in this case pictures, whereby several files would be readable and the rest, although being there (can copy, has a file size, etc.), did not open. Probably this was only a few bytes in the file that got messed.

    2. A hard drive that spins erratically can produce random wait times for certain things. If it was a really delicate fail, something like heat just a few degrees above a threshold, you could definitely notice weird artifacts in the mp3s.

    I had some video files that would have little skips in them because of a bad codec. Could be that as well.

  26. Re:They have cracked strong hashes, huh? by CDarklock · · Score: 2, Insightful

    I've wondered this myself. Theoretically, if you MD5 a file *and* SHA1 a file, the complexity of matching both hashes is 288 bits. Basically, given a standard distribution, 1 out of every 2^128 files will match the MD5 of your file... and 1 out of every 2^160 of those will match the SHA1. (1/2^128)/2^160 = 1/2^288.

    I'd really like to know if this interpretation is flawed. Even when hash algorithms are broken, if you parallelise them, you can still get enough bits of security to work. It seems to me that you would have to MD5 the file, generate a collision, SHA1 the file, generate a collision, and then check to see if your MD5 still matches.

    --
    Microsoft cheerleader, blue flag waving, you got a problem with that?
  27. RIAA can lie to the tracker by davidwr · · Score: 3, Insightful

    The RIAA can put out "evil clients" that find good files and lie to the tracker telling the tracker it's a bad file.

    Unless the tracker double-checks the file itself, or has some way to trust the clients it's getting reports from, it's vulnerable to being lied to.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  28. Is there a need to crack strong hashes? by aitio · · Score: 2, Insightful

    I don't know how the search functions work in Kazaa etc. but can't you just send a match to all queries with a fake client? Is there a real data integrity check built into Kazaa clients?

    --
    Quidquid latine dictum sit, altum sonatur.
  29. Re:Interesting idea, how can we apply it to spam? by Anonymous Coward · · Score: 1, Insightful

    > (X) Countermeasures should not involve sabotage of public networks

    What public network is being sabotaged here? So an admin puts pages of fake email addresses on his server... how is that sabotage?

    I think this particular anti-spam solution is useful. Sure, spammers don't care about invalid addresses, but this kind of thing must make life a little harder for them.

  30. Nope by No+Such+Agency · · Score: 3, Insightful

    Sorry, that level of doublethink is only allowed for corporate lawyers. Your lawyer will be smacked down for trying it, since it is not a defense permitted to second-class citizens (see earlier post).

    --
    Freedom: "I won't!"