Slashdot Mirror

← Back to Stories (view on slashdot.org)

Anyone Can Play Big Brother With BitTorrent

Posted by timothy on from the shrinking-wilderness dept.

An anonymous reader writes "I was at the 3rd USENIX Workshop on Large-Scale Exploits and Emergent Threats yesterday, and there were people from the French Institute for Computer Science who have continuously spied on most BitTorrent users on the Internet for 100 days, from a single machine. They've also identified 70% of all content providers; yes, those guys that insert the new contents into BitTorrent. As a BitTorrent user, I was shocked that anyone with a box connected to the Internet can spy on what everyone is downloading on BitTorrent."

9 of 436 comments (clear)

  1. Re:Copyright laws. by loufoque · · Score: 5, Informative

    First off, Copyright infringement is not theft.

    Secondly, transmitting copyrighted material over a computer network is not necessarily copyright infringement, even if copyright holders would like it to be.

  2. Re:Shocked. Shocked! by CondeZer0 · · Score: 4, Informative

    > You mean, all you have to do is send a simple request to the tracker, which will happily provide you with a fairly complete list of peers.

    Most trackers (at least most public/open trackers) insert random ips to give a degree of 'plausible deniability'.

    This of course is not perfect, but to be certain that a peer is serving a file the only way is to actually try to connect to it and fetch some blocks, which is quite a bit more work than just querying the tracker, specially if you have to do it for hundreds of thousands of torrents.

    --
    "When in doubt, use brute force." Ken Thompson
  3. fear-mongerish by drDugan · · Score: 5, Informative

    Saying you "can spy on what everyone is downloading on BitTorrent" and TFA stating "major privacy threat" are over-the-top and fear-mongering exaggerations.

    A more accurate way to state this is: Using BitTorrent will make our IP address public regarding what content is downloaded and shared online from that IP address. When someone monitors the same content, then they can log your IP address. This is obvious from how the protocol works to anyone who looks into privacy questions seriously. Yes, there is less privacy with what you download with BitTorrent compared to a direct download, as other people also sharing the same content can see your IP address.

    But remember, with every download method online someone else knows you have downloaded it, with direct downloads and with all the different peer-to-peer distribution options. If you go to Adobe and download the latest Photoshop demo, they know, they log your IP, and usually even ask for even more information about you.

    The only a real privacy problem (a "major threat") is for people using BitTorrent for illegal redistribution of content; it is not a major problem for distribution of open licensed or public domain content, businesses or organizations using BitTorrent for distribution to lower costs, or to distribute free content for viral or marketing purposes.

    (Disclaimer: our company, ClearBits, does exactly this, offers distribution as a service to others, and we use BitTorrent extensively)

  4. Re:An Opportunity by Bigjeff5 · · Score: 5, Informative

    If you can get an IP, you can narrow down the area quite a lot without the ISP's cooperation, possibly enough to force the ISP's cooperation. With ISP cooperation you can narrow an IP down to a physical address. At that point, you're screwed.

    What people who don't understand how networking works is, if there is a connection then there is an IP address trail to follow. You cannot spoof an IP address and maintain a connection. You can spoof a MAC address just fine, because that is only used on the last leg of the connection, but the IP address is used the rest of the way and a link must be maintained if data is ever to get back to the source. Pretty much all IP spoofing is good for are cases where you don't want to receive the response, like a DOS attack (there are elaborate network hacks using IP spoofing, but they require direct access to the destination network). That's obviously no good for a BitTorrent connection.

    What you can do is sort of "launder" the IP address to make it difficult to trace - that is, to route it through multiple NAT services. Each NAT maintains an IP trail to the previous address though, or the connection would fail, so this is only obscuring the source, not erasing the trail. Someone diligent enough (and with sufficient authority to force cooperation from various ISP's) could potentially track any sufficiently current IP address from destination back to source. Also, setting up such a route would go a long way to establishing intent to commit a crime, which will blow most of your defense out of the water in such a case.

    There might be some honeybuckets in the tracker's list, which would be clever, but all it is going to do is waste a little bit of time for whoever is tracking these IP's, it's certainly no protection for anybody but the tracker (who would be monitoring the honeybucket, one would assume).

    --
    Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
  5. Re:Good! by blair1q · · Score: 4, Informative

    No, it's a pretty simple application of basic undercover investigative technique.

    They pretended to be part of the Tor web, joining it at a point where the user's IP address was visible.

    People willingly handed them the IP address.

    And since the web was fairly limited in size, and connection points were selected randomly, and most users did multiple connections over time, eventually 70% of users willingly handed them the IP address. Since Tor has no way of ensuring trust in its security servers, its security is void. You couldn't have designed it better to funnel users' IP addresses to a spy unless you had only one server in the whole web and faked the rest of the topology.

    it was wide-open to being exploited by sting operations.

    This is also the reason you should never trust anonymizing proxy servers or Arab sheiks.

    There's nothing so useless as a lock with a voice imprint - Lord President Borusa

  6. Re:Copyright laws. by Arker · · Score: 4, Informative

    Once again, copyright infringement is NOT stealing. Nor is copying copyrighted data necessarily and always copyright infringement. Finally, it's better to be on the right side for the wrong reasons than to be on the wrong side entirely.

    --
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-
    Friends don't let friends enable ecmascript.
  7. Re:Copyright laws. by Barrinmw · · Score: 4, Informative

    Actually, I did a report in High School on the creation of Playboy and this one girl got all pissy at me for it and said how it was degrading to women and everything. I told her that people do buy it for the articles too and she was like, Yeah who? My answer was the 10,000 blind people who order the braile edition. That shut her up pretty good.

  8. Re:Copyright laws. by thesandtiger · · Score: 5, Informative

    It's worse than that: they steal from us, the public.

    Back when copyrights were first codified into law, there was a deal:

    We, the people, gave protections to people who created works so that they could profit from those works, but in exchange for those protections, the creators of the works agreed to give us, the people, their work after a certain timeframe had passed.

    Works may now - if the copyright holder wishes - no longer come into the public domain because copyright holders are corporations who are solely interested in making a profit, and who use their political influence (money) to ensure that copyright NEVER expires.

    While it certainly won't give me any kind of legal defense, I simply do not care about copyright because the very basis for it has been completely violated by the holders of that copyright.

    If we go back to the original law - life of the initial copyright holder + a small extension past that, and only real-live human beings can be considered to be initial copyright holders - I will give up piracy. Until then, I really don't consider copyright law to be valid because the fundamental premise of it: you get yours, we get ours, has now become "they get theirs, everyone else gets fucked."

    Copyright no longer benefits anyone but the copyright holder, and that is NOT what it was intended to do.

    --
    Since I can't tell them apart, I treat all ACs as the same person.
  9. Re:Or a warning by fbjon · · Score: 3, Informative
    Not so sure. I checked out one of the swarms indicated, and sure enough, I found the peer listed on the that site.

    Incidentally, the CLI interface is fragile, and it can break out into a standard apache directory listing. It also occasionally redirects to an RFC document for some reason. Anyway, there's a log of all tried passwords there. But more interestingly, there's a lot of other stuff elsewhere in the tree, an 18MB text file with a Twitter social connection graph (just a list of name pairs), and a monitor/ directory with what looks like GSM/email/p2p monitoring stuff. Can't access most of it except an auto-refreshing IRC monitoring page though.

    Somebody is using it for something it seems.

    --
    True confidence comes not from realising you are as good as your peers, but that your peers are as bad as you are.