Slashdot Mirror

← Back to Stories (view on slashdot.org)

Finnish Firm Claims Fake P2P Hash Technology

Posted by timothy on from the spy-vs.-spy-isn't-even-to-frame-2-yet dept.

An anonymous reader writes "As reported by The Inquirer, a Finnish company known as Viralg Oy claim to have developed software that can create a junk file with the same hash as a genuine p2p download. This, according to the company, can altogether stop the sharing of copywritten files by flooding p2p networks with corrupt/junk data, which then spreads through the network, causing less and less of the original file to be available. However, with the resolve of the p2p userbase, is this software really going to 'beat all Peer 2 Peer pirates at their own game,' or simply prove a minor annoyance?"

47 of 748 comments (clear)

  1. Just an annoyance by whoppers · · Score: 4, Insightful

    People will always creatively find a way around everything!

    1. Re:Just an annoyance by bherman · · Score: 5, Funny

      Except /. dupes!

      --
      Error: Sig not found.
    2. Re:Just an annoyance by Psiolent · · Score: 4, Funny

      Ah, yes. That ancient principle pontificated by Dr. Ian Malcolm: Life will find a way.

    3. Re:Just an annoyance by Dutchmaan · · Score: 5, Funny

      Don't you mean..

      "Life... uhhhh.. will..uhh... find a way!"

    4. Re:Just an annoyance by bman08 · · Score: 4, Interesting

      The magic of this system is that it also works in reverse: "Your honor, my client hates p2p filesharing. All those songs he downloaded, he thought they were phonies with duplicate hashes and deliberately shared them in order to poison the network."

    5. Re:Just an annoyance by merlin_jim · · Score: 4, Informative

      Actually we were both wrong; it is (2^keylength)^2 number of keys. However this number is equivalent to 2^(keylength*2), not 2^(keylength^2)

      Why would this not be "just double work"?

      First you find all files matching the first hash, then filter out one matching the second.

      And where exactly do you think the work is occuring? Computing the second hash. If you have one hash algorithm, you only have to match once. If you have two hash algorithms and you did it this way, you have to match enough with the first algorithm to find a match for the second algorithm. This isn't twice as much work, this is twice as much keyspace (with each bit increase in keyspace representing twice the work)

      --
      I am disrespectful to dirt! Can you see that I am serious?!
    6. Re:Just an annoyance by ePhil_One · · Score: 5, Funny

      Its a perfectly cromulent word...

      --
      You are in a maze of twisted little posts, all alike.
  2. They have cracked strong hashes, huh? by Flywheels+of+Fire · · Score: 5, Informative
    This is not true. It might work on Kazaa but most other P2P networks use MD5 or better. Okay, they have found collisions but no one has found a way to generate file for a given key. So the claim by the finnish company is bogus.

    Or they have cracked even the strong hashes. In which case they are really cool. I know Mr. Torvalds is Finnish, but I doubt even he could come up with algorithms to do that.

    In their conceited press release, they have compared Spoofing vs DRP/a

    --
    Iran captures three CIA agents
    1. Re:They have cracked strong hashes, huh? by martok · · Score: 5, Insightful

      Indeed. In order for example to do this with
      BitTorrent, they would need to be able to
      generate colisions in sha1 hashes. The
      implications of which would go well beyond p2p.

    2. Re:They have cracked strong hashes, huh? by CharonX · · Score: 5, Insightful

      And the best:
      You cracked SHA-1. Oh well, time to switch to SHA-256

      --
      +++ MELON MELON MELON +++ Out of Cheese Error +++ redo from start +++
    3. Re:They have cracked strong hashes, huh? by Sycraft-fu · · Score: 5, Insightful

      I'm sure that they just found some P2P client that has a weak hash and managed to make a generator for that. Then they are either morons that don't know there's more than one hash algorithm, or they do and are just pimping it to try and get money.

      Either way, I give it about a 0 chance they figured out how to quickly find collisions in a strong hash space. If they had, they'd be talking to the NSA, not the RIAA.

    4. Re:They have cracked strong hashes, huh? by drgonzo59 · · Score: 4, Insightful

      Agree, this is more like news for the marketing and general folk who don't know what hash is. From the news post the implication is that they can generate another file with the same hash as a given file. If they had indeed found a crack in all the hash algorithms (all SHAs and MDs) the news wouldn't be about P2P but about a major breakthrough in cryptography.

    5. Re:They have cracked strong hashes, huh? by garbletext · · Score: 5, Funny

      Yeah! easily! i'm working on a free program that turns a 1KB hash into a 4 GB DVD ISO, or anything else you want! it turns out we don't need to share files, just write the hash down on a piece of paper and you can transmit ANY size file with almost NO bandwidth! and if you hash the hash, it gets smaller and smaller until it's just a zero or a one!

      I'll make millions!

    6. Re:They have cracked strong hashes, huh? by Trurl's+Machine · · Score: 4, Funny

      Either way, I give it about a 0 chance they figured out how to quickly find collisions in a strong hash space. If they had, they'd be talking to the NSA, not the RIAA.

      What makes you so sure that NSA pays better?

    7. Re:They have cracked strong hashes, huh? by Feyr · · Score: 4, Funny

      they pay in life

      "hand this over, or we'll make sure you never see the sun ever again"

    8. Re:They have cracked strong hashes, huh? by Local+ID10T · · Score: 4, Funny

      Have you ever tried turning down a request from the NSA? Talk about an offer you cant refuse...

      --
      "You want to know how to help your kids? Leave them the fuck alone." -George Carlin
    9. Re:They have cracked strong hashes, huh? by mboverload · · Score: 5, Informative

      Bittorrent clients ban IP's that send them a certain number of bad pieces.

    10. Re:They have cracked strong hashes, huh? by tryone · · Score: 5, Funny

      "hand this over, or we'll make sure you never see the sun ever again"

      Oh noes! The NSA are going to destroy the sun!

  3. Bite My Shiny Metal Ass by B3ryllium · · Score: 5, Funny

    Bah! Screw you guys. I'll just make my own P2P hash algorithm. With blackjack. And hookers. In fact, forget the P2p hash algorithm. And the blackjack.

  4. "Copyrighted" by As+Seen+On+TV · · Score: 5, Informative

    It's "copyrighted," not "copywritten." We're talking about rights, not writings.

  5. Coral Cache by Anonymous Coward · · Score: 5, Informative

    I took the liberty of pre-caching the site on Coral before it went live - http://www.viralg.com.nyud.net:8090/index.html. I think Slashdot should really consider doing this as part of the proceedure...this site won't last a minute under the weight of our collective, nerdy asses.

  6. Possible? Yeah by robpoe · · Score: 5, Interesting

    I've always thought it would be extremely possible to create a file with the same MD5 hash.

    Now, what the company has to do is create a file of the SAME FILE SIZE, with the same MD5 hash that's a fake .. then I'll be impressed.

    --
    = Grow a brain...
  7. Minor annoyance at first.... by dgatwood · · Score: 4, Interesting
    ...but if you can create a random junk file in a reasonable period of time, the mechanism can probably be extended easily enough to make it possible to add arbitrary junk to the end of a trojaned executable in a future version of the tool....

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  8. claims? by geoffspear · · Score: 5, Interesting
    I read the article and everything I could find by following links on their website, and found no reference to how their product supposedly works, or any claim having to do with identical hashes. Did the article submitter just make up the identical hash claim, or is there more information on this product available somewhere else?

    What hashing algorithm do they claim to have broken so completely? Sounds like BS to me.

    --
    Don't blame me; I'm never given mod points.
  9. Allow me to be one the first to say... by Ann+Elk · · Score: 5, Insightful

    Bullshit. "Virtual Algorithms" my ass.

    1. Re:Allow me to be one the first to say... by bigberk · · Score: 5, Insightful
      Bullshit. "Virtual Algorithms" my ass.
      You called it. They can either do proper MD5/SHA1 collisions with unchanged filesize, or they can't. My guess is, they can't.
  10. Re:Already done by B3ryllium · · Score: 5, Informative

    By the time this is submitted, it will probably already be redundant (even though it's informative :)) - but the hashes are used for parallel download streams of the same file. So, if you saturate the network with the same hash, you can corrupt the data when the client automatically assumes it's the same file and tries to merge it with the other incoming data.

  11. Link to the patent application by Zarhan · · Score: 4, Informative

    in pdf form

    Note the claims section and references - they keep talking about Napster and Kazaa - nothing about anything that use hashes.

  12. Re:Already done by rkcallaghan · · Score: 4, Informative

    how will this be different from the flodding of fake files already on P2P networks like Kazaa. Sure, the hash will be the same, but what "JHoe Sixpack" looks at hashes?!

    Joe Sixpack may not look at hashes, but his P2P software probably does. I know aMule uses the hash to match files that have had their names changed.

    ~Rebecca

  13. Only The Whole File? by TheFlyingGoat · · Score: 5, Insightful

    Don't most P2P programs use MD5? I was also under the assumption that P2P programs do a checksum on each piece of the file they receive, and if it's inaccurate it automatically re-downloads that part of the file. I've had pieces of a bittorrent download fail due to corruption and the client has just downloaded that part again.

    Seems like this company's setup would only work in very specific circumstances, meaning it won't have much of an effect at all.

    --
    You have enemies? Good. That means you've stood up for something, sometime in your life. --Winston Churchill
  14. Seems bogus to me by gtoomey · · Score: 5, Informative
    It takes 2^69 operations to find collisions with SHA1

    Unless they have lots of supercomputer time, seeding the occasional p2p file with bad data will be very expensive.

    1. Re:Seems bogus to me by pjrc · · Score: 5, Informative
      Remember that those 2^69 "operations" (each many CPU cycles) are for a SHA1 "collision" attack. A "preimage" attack that would be necessary to inject corrupt data into a p2p network using SHA1 (such as Bittorrent) is much harder and has not been discovered and published.

      Quoting from the linked page:

      Q: What is a collision attack and a preimage attack?
      A: A preimage attack would enable someone to find an input message that causes a hash function to produce a particular output. In contrast, a collision attack finds two messages with the same hash, but the attacker can't pick what the hash will be. The attacks announced at CRYPTO 2004 are collision attacks, not preimage attacks.

      --
      PJRC: Electronic Projects, 8051 Microcontroller Tools
  15. By God by somethinghollow · · Score: 4, Insightful

    If I have one of these files and share the hell out of it, I better not be contacted by RIAA. If this spreads, not only will it make sharing difficult, it will make tracking legitimate (haha) piracy more difficult to detect. This (sort of) reminds me of a more high tech version of the time everyone started changing the name of their tracks to things like "Br1tn3y Sp34rs" to evade blocked searches.

  16. Re:Preview/Trailer by KarmaMB84 · · Score: 4, Funny

    I'm not downloading copyrighted music, I'm downloading junk to burden the p2p network with useless traffic. It just so happens I go a real file in the process!

  17. Agreed by John+Seminal · · Score: 5, Interesting
    I wonder why people who use P2P don't help each other out a little more. For example, you have someone with 200 files shared. They are downloading and sharing at the same time. Sometimes they download a bad file, and share it. It would make more sense to have a "unchecked" folder for downloads, then more it to the "checked" folder to share.

    What is neat, or not so neat depending on your point of view, are music files which deteriorate after a while. I don't know how they are made, but I have listened to music that sounds pretty good, but after the 10th playing it starts skipping. Or it could be those skips are not very noticable when first played, but once identified, they become annoying.

    --

    Rosco: "If brains were gunpowder, Enos couldn't blow his nose."

    1. Re:Agreed by Have+Blue · · Score: 4, Insightful

      Because the vast, vast majority of P2P users are trying to get stuff for free, not create an alternative-media-distribution free-expression utopia. They're not going to do anything on anyone else's behalf because it does not directly benefit them or immediately help them get more free stuff faster.

    2. Re:Agreed by Anonymous Coward · · Score: 4, Funny

      What is neat, or not so neat depending on your point of view, are music files which deteriorate after a while. I don't know how they are made, but I have listened to music that sounds pretty good, but after the 10th playing it starts skipping.

      The files are perfectly normal -- you're simply realizing that most of the music out there is trash which simply repeats the same verses over and over again so much that it sounds like it's skipping. Add to that the endless remixes which ruin perfectly good songs, and I can see how you'd mistake that with repetitive skipping. Rest assured that a better choice in music will alleviate this problem.

  18. If they crack the hash by miracle69 · · Score: 5, Funny

    I'm switching to hashish.

    --
    Linux - Because Mommy taught me to Share.
  19. Collateral Damage by DumbSwede · · Score: 4, Insightful
    Since P2P can also distribute legitimate files (I am looking into one such project even now) this can only be seen as something that will lead to unintended collateral damage(assuming it works of course).

    Here is a tool specifically designed to cripple the flow of data, how can it be thought of as anything but a virus? Should it work I could see TV and Movie studios using it surreptitiously to cripple net-based fledgling media companies.

    This should be outlawed just like another intentionally malevolent software. Why shouldn't everyone write viruses and malware when the big guys do it and the government sanctions it. This is just the kind of thing that keeps web commerce from taking off to its full potential.

    --
    Letter To Iran
  20. Interesting idea, how can we apply it to spam? by Progman3K · · Score: 4, Interesting

    If increasing the noise ratio on P2P networks is a good thing, maybe we can use a similar technique to defeat spammers?

    For example, if we could pollute spammers' email address databases with millions of bogus e-mail addresses, then instead of delivering millions of spam e-mails to real e-mail accounts every day, maybe spammers could only reliably send a few hundred to users, the rest of their messages would be to bogus addresses and be "noise" that spammers have to deal with.

    How could we go about doing this?

    --
    I don't know the meaning of the word 'don't' - J
  21. Bad news for the music industry by nizo · · Score: 5, Funny

    What will they do when people like the files with random noise better than any of the current music?

    --
    I Am My Own Worst Enemy
  22. There is one way.... by Col.+Blackwolf · · Score: 5, Funny

    You can always ensure an identical hash and size by filling the file with identical data and then uploading the new file to the P2P network. Imagine how quick filesharing would stop if all of the major industry groups started doing this. P2P wouldn't stand a chance, no siree.

  23. Blaaaaaah by mindriot · · Score: 4, Informative

    Not only the company's, but also the submitter's claim seems to be bogus. Neither the Inquirer article nor the viralg.com website anywhere seem to be talking about hashes. Moreover, I'm kind of wondering where the Inqurer got their stuff from, since the viralg website contains... nothing. Nothing but blaah. No word at all on how they protect anything from anyone. A random link to the Finnish Top 40 allegedly showing how BMG became the market leader for domestic music. Umm, except that nothing whatsoever proves that Viralg had anything to do with it. (If you have evidence to the contrary, please post it!) Then there's some blurb about being insiders with mathematical knowledge up in the lonely north where there's nothing else to do is what got them where they are. So, where are they? Not like they actually tell us. No contact information besides the email address either (and nothing in the whois info). Apparently, being up in the lonely north with nothing else to do doesn't get you much further than producing a nonsensical website claiming you know how to save the world, find the question to the answer to life, the Universe and everything, with "stunning results."

    And, breaking hashes, nonsense. If anything, maybe they are managing to manipulate P2P protocols to send you data you weren't supposed to be getting, but which is not actually going into the checksum?

    Nothing for you to see here, methinks... and here I am wasting my time actually writing a reply to a trollish article. :)

    On another random note, I kind of liked how their website looked in links.

    Empty. :)

  24. Why this won't affect Slashdot. by stlhawkeye · · Score: 4, Funny
    As anybody who reads Slashdot knows, perfectly legal and legitimate downloading comprises the majority of internet downloading, and actually bolsters profits to member organizations of such content ownership cartels as the RIAA.

    "This, according to the company, can altogether stop the sharing of copywritten files by flooding p2p networks with corrupt/junk data"

    Slashdot should rejoice at this! Since none of us download illegal material and nobody that any of us knows downloads illegal material, this technology might allow us to continue our legal, legitimate downloading of media and only target those handful of ruffians who engage in illegal filesharing. I'm all in favor of this!

    --
    "I have never won a debate with an ignorant person." -Ali ibn Abi Talib
  25. Missing the Point by Jherek+Carnelian · · Score: 4, Funny

    Y'all are missing the point.
    These guys are not about taking out P2P.
    They are part of a denial of service attack against the RIAA and MPAA, and we need more companies like them in order to make it effective.

    You see, it works like this:

    1) Make up a really snazzing sound anti-piracy product,
    2) Back it with lots of sexy buzzwords and hand-waving
    3) Sell, sorry LICENSE, it for lots of money to the (RI|MP)AA.
    4) When it fails to perform, let in the next guy ready to do the same.

    Repeat until (RI|MP)AA bank accounts have been depleted.

  26. This is so stupid by commodoresloat · · Score: 5, Insightful
    If the copyright issues were not present here and someone built a program that did something like this, they would be universally reviled as a malicious hacker. Hey! Here's a program that creates phony web pages with false information masquerading as legitimate pages! Here's one that copies Excel spreadsheets on the web and subtly pollutes the database with phony information, then stores multiple copies around with the same name! This handy tool attaches to a photocopy machine and randomly scrambles the words on the page you are photocopying!!

    P2P is a technology. Yes it can be used for copyright violations, just like a photocopy machine or tape recorder. But it also has amazing possibilities in terms of creating a universal organic archive. Crippling like this -- and through using lawsuits -- is an unnecessary attack on a system in its infancy.

    The copyright issues will work themselves out -- until the 20th century human art and ingenuity survived for thousands of years without the ability to make millions selling recorded music and video. If p2p has a major effect on the entertainment industry's ability to profit (and I'm still not convinced that it really will), human art and culture will survive. And people will continue to find ways to make a living creating art.

  27. As someone who actually _does_ have a P2P attack.. by Effugas · · Score: 5, Informative

    It's a couple pages in my paper here. Basically, the first 300Kb of Kazaa's files are hashed normally, then every 32Kb chunk of the file is hashed independently. This allows independent chunks to be downloaded out of order. These out of order chunks are recursively hashed against one another to create one final value, called a "kzhash", which is verified after the file is downloaded.

    The attack is to use the recently released collision -- which creates two blocks that, when mixed against the default initial state of MD5, emit the same system state. Every 32K, you can embed one or the other in the file you're transmitting, and kzhash can't tell. What can you do with this? Morph a file as it traverses the network; have an installation executable describe the systems its being installed on as it propogates through a network. With a fairly large installer, you'd get quite a few bits in there.

    You still don't get to do random noise, and while it's no Tiger Tree, kzhashing doesn't appear so exploitable that this group is likely to have anything. I could be wrong, but then, virtual algorithm? Right.