Slashdot Mirror


Anyone Can Play Big Brother With BitTorrent

An anonymous reader writes "I was at the 3rd USENIX Workshop on Large-Scale Exploits and Emergent Threats yesterday, and there were people from the French Institute for Computer Science who have continuously spied on most BitTorrent users on the Internet for 100 days, from a single machine. They've also identified 70% of all content providers; yes, those guys that insert the new contents into BitTorrent. As a BitTorrent user, I was shocked that anyone with a box connected to the Internet can spy on what everyone is downloading on BitTorrent."

71 of 436 comments

  1. An Opportunity by MarkvW · · Score: 5, Funny

    Looks like a good way to earn a paycheck from the RIAA.

    1. Re:An Opportunity by poetmatt · · Score: 5, Insightful

      Looks like something that won't work for those who understand that plenty of these IP addresses could be spoofed or not even uploading, or know what I2P does, or use a VPN. This is just a list of IPs that they are assuming are 100% valid because they were listed in the tracker when the content went up. They're saying that if someone is listed on more than one tracker, it confirms who they are.

      That= a bad study.

      All they're saying is "We can tie an IP to a torrent", but that doesn't mean you can get anything more than that. Judges already don't accept an IP simply being tied to a torrent.

    2. Re:An Opportunity by feepness · · Score: 5, Funny

      > Judges already don't accept an IP simply being tied to a torrent.

      What do they accept? My, err, friend wants to know!

    3. Re:An Opportunity by Bigjeff5 · · Score: 5, Informative

      If you can get an IP, you can narrow down the area quite a lot without the ISP's cooperation, possibly enough to force the ISP's cooperation. With ISP cooperation you can narrow an IP down to a physical address. At that point, you're screwed.

      What people who don't understand how networking works miss is that if there is a connection then there is an IP address trail to follow. You cannot spoof an IP address and maintain a connection. You can spoof a MAC address just fine, because that is only used on the last leg of the connection, but the IP address is used the rest of the way and a link must be maintained if data is ever to get back to the source. Pretty much all IP spoofing is good for is cases where you don't want to receive the response, like a DoS attack (there are elaborate network hacks using IP spoofing, but they require direct access to the destination network). That's obviously no good for a BitTorrent connection.

      What you can do is sort of "launder" the IP address to make it difficult to trace - that is, to route it through multiple NAT services. Each NAT maintains an IP trail to the previous address though, or the connection would fail, so this is only obscuring the source, not erasing the trail. Someone diligent enough (and with sufficient authority to force cooperation from various ISPs) could potentially track any sufficiently current IP address from destination back to source. Also, setting up such a route would go a long way to establishing intent to commit a crime, which will blow most of your defense out of the water in such a case.

      There might be some honeybuckets in the tracker's list, which would be clever, but all it is going to do is waste a little bit of time for whoever is tracking these IPs; it's certainly no protection for anybody but the tracker (who would be monitoring the honeybucket, one would assume).

      --
      Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
    4. Re:An Opportunity by Shakrai · · Score: 5, Insightful

      > With ISP cooperation you can narrow an IP down to a physical address. At that point, you're screwed.

      Speak for yourself. I do all my bittorrenting from open wireless networks ;)

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    5. Re:An Opportunity by wealthychef · · Score: 3, Insightful

      This is actually an argument for buying a wireless router and leaving it open without a password. Sure, you can be owned by your malicious neighbors, but they could also be the ones doing the torrent downloads... hmm. LOL

      --
      Currently hooked on AMP
    6. Re:An Opportunity by blackfrancis75 · · Score: 2, Informative

      > Buying some Pringles is seriously magic for that exact purpose..

      Fixed that for ya ;)

    7. Re:An Opportunity by poetmatt · · Score: 2, Informative

      You can indeed spoof an IP and maintain a connection. Ever heard of a: a VPN, b: a proxy, c: I2P or d: Tor?

      Good luck with that. None of those are new techniques by any means.

      It's also one thing to identify someone just being connected to a torrent. It's another to prove distribution. You will have to connect to identify someone. None of this stuff from this report says they connected to the individuals to verify the IP addresses.

      You can (if an ISP chooses to share the data) tie an IP down to a physical address and a time. That doesn't tie it to a person by itself. That's like saying - X time on Y day at Z location something happened. Since it was near you, it must be you! (accusatory). Considering more than one person lives at a location, well, do the math. If you have a wireless connection unsecured? Again, do the math.

      Get real. Anyone can collect the data, but taking it to the legal level for this is basically not going to happen. Police care about this, oh, zero, unless you're doing it commercially.

    8. Re:An Opportunity by Bigjeff5 · · Score: 4, Insightful

      If they get enough to get a search warrant, you're screwed, because even if you're masking your MAC they'll be able to figure that out once they have access to your machine and make a positive link to the IP address.

      If you use whole-drive encryption, recent court cases have shown you've opened up a whole new can of worms, and didn't really save yourself any trouble.

      If you try hard enough at hiding it, you could be in a situation where the circumstantial evidence is enough to push a jury past the "reasonable doubt" threshold, in which case you've saved yourself nothing.

      It really is not easy to shield yourself when you use a protocol that by its very nature must identify your machine uniquely. The best you can do is hide and make your discovery more difficult. You can't prevent it completely and still access the internet in any useful way.

      --
      Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
    9. Re:An Opportunity by Bigjeff5 · · Score: 2, Insightful

      You do realize that they can track it down to the boarders AP and will know with reasonable accuracy (within 100 meters or so) where the downloader must live, right?

      Then it's just a matter of getting a search warrant to find the PC with the right MAC address. Even spoofing your MAC won't protect you at this stage, unless you catch wind of what is going on and remove all traces of spoofing from your machine.

      Fortunately, the police aren't that interested in downloaders, and are the only ones with the kind of authority to get a warrant for a whole group of people at a time. Fishing for a defendant is pretty difficult for a civil action, and I can't see it happening if all you have is a list of 50 people who it may be.

      Still, technically there is nothing preventing such a situation.

      --
      Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
    10. Re:An Opportunity by dimeglio · · Score: 2, Informative

      This was the idea behind BitTorrent from its inception as a quick and efficient method of deploying large content to many users simultaneously. The drawback is the public display of IP addresses and yes, a simple computer, connected to several torrents, can obtain many addresses. This doesn't really mean anything except they are participating in the BitTorrent network. It does not necessarily mean any data from the torrent file is on the computer. It is simply a node unknowingly exchanging inappropriate content.

      --
      Views expressed do not necessarily reflect those of the author.
    11. Re:An Opportunity by Agarax · · Score: 2, Informative

      You do realize that your MAC address is lost at the layer 3 translation at the router, right?

      Even if they pulled a list of MAC addresses from the router, there would be no way to tell which MAC address downloaded the material unless they caught you in the act.

      People don't seem to realize that Bittorrent wasn't designed for anonymity or privacy. It was designed for the easy distribution of free *legal* content such as FOSS. Getting the tracker from the software's website removed the risk of downloading an infected fake.

      --
      Remember folks, slashdot doesn't have a -1 "disagree" moderation!
    12. Re:An Opportunity by montibbalt · · Score: 3, Funny

      > If you also have a few random garbage generators installed on the system, that also makes it look more plausible.

      Luckily, several of these are built into Windows itself!

    13. Re:An Opportunity by Shakrai · · Score: 2, Interesting

      > You do realize that they can track it down to the boarders AP and will know with reasonable accuracy (within 100 meters or so) where the downloader must live, right?

      High-gain antennas increase that range number quite a bit. I've personally connected to APs with a high-gain antenna on one side of the connection from more than a mile away. Others have done it from further out.

      > unless you catch wind of what is going on and remove all traces of spoofing from your machine.

      Or use encryption.....

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    14. Re:An Opportunity by Shakrai · · Score: 3, Insightful

      We are talking about civil actions here, not criminal ones. How would RIAA go about tying your MAC address back to you, even if you weren't smart enough to spoof it? Are they going to file discovery motions on every single house within range of the AP that was used? Heck, for that matter, how would law enforcement do it? No Judge would issue a warrant for "every computer within a 150 meter radius of this location", not for something as mundane as file sharing.

      BTW, you can get a lot further than 150 meters with the right antenna setup. I've seen associations made at ranges exceeding two kilometers, under less than ideal conditions.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    15. Re:An Opportunity by mgblst · · Score: 2, Insightful

      You can have your MAC address change every day, by a simple little script.

    16. Re:An Opportunity by JoelisHere · · Score: 2, Informative

      If you live in the UK you can say goodbye to those open wireless networks, 'cause it doesn't matter who does the downloading, it's whoever's internet connection that was used. http://news.slashdot.org/story/10/04/08/132210/Digital-Economy-Bill-Passed-In-the-UK

    17. Re:An Opportunity by Thanshin · · Score: 2, Funny

      > they would tell you they were paying you $1 million while actually giving you $5. And that $5 would probably be copied.

      ffs... Stolen! Not copied, STOLEN!

      Alternatively, you can use "pirated", "robbed" or "pillaged".

      Cheers,
      RIAA

    18. Re:An Opportunity by Xest · · Score: 2, Informative

      You seem to have a good grasp of the technical aspects, but a severe lack of the legal aspects.

      The issue is that once you've got an address, then what? In most countries you can't simply hold the subscriber responsible for an illegal act; at best the ISP can hold them responsible for breaching their ISP's subscriber agreement and cut them off, after which they go to an ISP.

      Even if they get the police to issue a search warrant and search the house, then what next? They can find a computer with content on it, but they have to prove the content wasn't put there via a remote access trojan, they have to prove it wasn't copied through your wireless network to an open share on your computer, they have to prove that you were the person who downloaded the content. Even if they do forensics on the keyboard they may find other people's fingerprints there, but even then can they prove the keyboard hadn't merely been switched?

      The fact is, short of catching you red handed there's absolutely no way to conclusively tie someone to a digital crime committed over the internet. Despite this many people get prosecuted, but it's often because they and their lawyers don't have an understanding of the technicalities involved in trying to prove someone guilty of a computer crime and so fail to put their case across, however the closest case to demonstrating was probably this one:

      http://www.yorkshirepost.co.uk/news/breaking-craig-meehan-guilty-but.4495490.jp

      Whilst it's almost certain the guy was guilty, what's interesting in this case is the circumstances in which he was discovered, and the judge's comments on why he chose to rule against him. Specifically, he was only discovered because his computer was seized as the result of another separate investigation, and that the evidence that mattered was the times which those images were downloaded at demonstrating they were downloaded when he was not at work. So if you were to set downloads going remotely, using an unlogged piece of software, whilst you're at work, or if you also demonstrated the unreliability of time stamps on computer files it's very likely he could well have ended up getting away with it. The Judge had to rely on what came down to mistakes due to a lack of technical understanding on behalf of the defendant.

      Of course, all this isn't too relevant to a civil case, the standards of evidence required there are lower, but similarly I think the chance of the police being involved in getting a court order for a search warrant over a few movies and MP3s is also unlikely.

      The issue is, you're somewhat right in your analysis of how easy it is to follow an IP trail (with some caveats - covered below), but you're missing the weak point - connecting the IP trail to the perpetrator of the crime.

      The caveats to your comments on tracking an IP are that you make the assumption that interim systems log all connections- you point out that someone can hop between routers to mask their IP and then suggest that if there is enough cooperation of IPs, the trail can simply be traced back, but that's only true if all those connections are logged. If I connect to a US torrent client, via a VPN connection to a country that doesn't demand ISPs such as the VPN provider log everything then any attempts to track this will stop at the VPN provider, as there's simply no way to tell which way the connection went then. This is similar to the situation of wireless- if someone has home wireless, and another person connects to it and leeches torrents through their wireless router, a device which rarely logs connections, then the buck is going to stop at the wireless router. There's no way even the police can reasonably say that the owner of the internet connection is responsible if they search his hard drive and find nothing, and if he has an open or low security access point, they wouldn't stand a chance in court.

      So I think many appreciate it's true that you're always

    19. Re:An Opportunity by Shotgun · · Score: 2, Interesting

      I had a situation where a kid was using Skype to make bomb threat phone calls to the middle school my son attended. The kid had a history of the same behavior and could make a reasonable guess that it was the kid's voice on the phone. There was also a phone call that reported a gun fight at my house. I was working in the garage when the police showed up with handguns and rifles locked and loaded.

      There wasn't enough evidence to support the issuance of a warrant to get the call records from Skype. And that was for an actual bomb threat that shut down a school and a call that had police speeding through town and brandishing loaded weapons.

      I'm sure the RIAA can buy themselves some search warrants, but they're likely to go broke if they do more than make some example arrests.

      --
      Aah, change is good. -- Rafiki
      Yeah, but it ain't easy. -- Simba
  2. Copyright laws. by headkase · · Score: 2, Insightful

    If copyright law was more sane we wouldn't have to argue so much about privacy.

    --
    Shh.
    1. Re:Copyright laws. by DarkKnightRadick · · Score: 5, Insightful

      I care about privacy and I only use bit torrent for legitimate purposes.

      --
      "There is a way that seems right to a man, but its end is the way of death." Proverbs 16:25 (NKJV)
    2. Re:Copyright laws. by loufoque · · Score: 5, Informative

      First off, Copyright infringement is not theft.

      Secondly, transmitting copyrighted material over a computer network is not necessarily copyright infringement, even if copyright holders would like it to be.

    3. Re:Copyright laws. by jeffmeden · · Score: 3, Insightful

      Is privacy invaded because of people pursuing copyright violators, or is privacy pursued because people want to evade copyright enforcers? Seems that if you decide it's the latter you are prepared to give away the privacy of many (those who aren't copyright thieves) for the protection of the few (those that own IP that is being copied)...

      You know giving up the first little bit is always the easiest...

    4. Re:Copyright laws. by Red Flayer · · Score: 4, Insightful

      I dunno about that.

      Privacy isn't just about keeping your illegal activities hidden from an authority that can punish you for those activities. I don't want anyone to be able to glean the details of my day-to-day habits, be they BitTorrent use, physical locations, or anything else. Even if we had NO copyright laws, I'd still have a problem with people being able to track my actions. And FWIW, I have nothing to hide, AFAIK[1], other than routinely exceeding the speed limit in my car. I refuse on principle to violate copyrights.

      [1] the AFAIK is a big problem. There's probably a good chance I violate some law or other occasionally, but I have no idea since there are so many laws on the books. But that just feeds into the privacy issue... I'm no Randian, but the massive amount of laws we have on the books that make innocuous behavior illegal means that I'm probably a criminal without knowing it. The best way to protect against this extant situation is to make sure I maintain the privacy of my activity. Better not to have that situation in the first place, but that's a topic for a different discussion.

      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
    5. Re:Copyright laws. by Anonymous Coward · · Score: 2, Insightful

      Same AC here. I didn't say that everyone only cares about privacy because they don't want to get caught doing anything illegal, I said it was interesting and saddening to see one person admit as such. I personally don't download anything illegally anymore, though I'll admit that at one time I did so often and freely. I do however care deeply about my right to privacy. And you have to admit that there are a large number of people jumping on the internet privacy bandwagon, yet they have absolutely no real belief or feelings about the cause. They simply like stealing shit, and are scared that they're going to get caught, so they scream privacy violation till they're blue in the face. And honestly, I feel this is one of the biggest threats to privacy we currently face, because the actions of these cheap childish assholes degrade the cause in its entirety. To the average person on the street privacy advocate is becoming synonymous with pirate and various agencies and corporations are more than happy to fuel that fire.

    6. Re:Copyright laws. by commodore64_love · · Score: 3, Insightful

      I don't lie to myself.

      I steal. Rather than go out and buy the DVDs, I steal the content. And no I don't care. Movie companies steal from their workers all the time ("Sorry Mr. Cameron, actors, and crew... Titanic made no profit, so your profit share check will be zero."). If the movie is any good (like Star Trek) then I will buy it.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    7. Re:Copyright laws. by calmofthestorm · · Score: 2, Interesting

      "The trouble with fighting for human freedom is that one spends most of one's time defending scoundrels. For it is against scoundrels that oppressive laws are first aimed, and oppression must be stopped at the beginning if it is to be stopped at all."
      -- H. L. Mencken

      --
      93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
    8. Re:Copyright laws. by Arker · · Score: 4, Informative

      Once again, copyright infringement is NOT stealing. Nor is copying copyrighted data necessarily and always copyright infringement. Finally, it's better to be on the right side for the wrong reasons than to be on the wrong side entirely.

      --
      =-=-=-=-=-=-=-=-=-=-=-=-=-=-
      Friends don't let friends enable ecmascript.
    9. Re:Copyright laws. by JesseMcDonald · · Score: 4, Insightful

      > YOU are denying the person who created the content the sale. YOU have denied them the money they would have made. YOU have TAKEN from them something that was rightfully theirs. THE SALE.

      <sarcasm>Just think of how much you've stolen by not-buying all those CDs you don't own! You must owe the RIAA more than the GDP of the United States by now!</sarcasm>

      Choosing not to buy something is not theft. No one owns "THE SALE". They own their physical property, because it is scarce. And they have not been deprived of that property.

      --
      "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
    10. Re:Copyright laws. by nmb3000 · · Score: 5, Insightful

      I'm not going to get into the copyright violation vs theft argument (again), but this is just plain WRONG. Drivel like this reeks of **AA and artist entitlement whining.

      > YOU are denying the person who created the content the sale.

      No, because I had no plans on buying whatever it was I'm downloading. If I can get X for free, I'll grab it. If I can't, I'll do without. No sale lost.

      > YOU have denied them the money they would have made.

      They wouldn't have made any money, ergo I denied them nothing.

      > YOU have TAKEN from them something that was rightfully theirs. THE SALE.

      Again, there was no sale to be made. 0 - 0 = 0.

      If you want to argue on the basis of morals then I imagine most people would agree that violating a (sane) copyright is wrong. When you start talking about 120-year old copyrights or trying to prevent what most feel is fair use then people will start to disagree.

      Regardless of all that, the monetary value of a potential sale is exactly $0.00.

      --
      "What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
      /)
    11. Re:Copyright laws. by Barrinmw · · Score: 4, Informative

      Actually, I did a report in High School on the creation of Playboy and this one girl got all pissy at me for it and said how it was degrading to women and everything. I told her that people do buy it for the articles too and she was like, Yeah who? My answer was the 10,000 blind people who order the braille edition. That shut her up pretty good.

    12. Re:Copyright laws. by JesseMcDonald · · Score: 5, Insightful

      > The enlightened argument is not that the act of copying is theft, but that illegal copying deprives the copyright owner of monetary gains which would otherwise have been earned.

      So does simply choosing to go without. Should that be illegal now as well?

      You can't "steal" the expectation of income. Only that which is owned is subject to theft, and theft only occurs when one is deprived of its use. If one cannot be deprived of the use of a thing—as is the case for everything subject to copyright, since mere duplication cannot deprive anyone of use of the original copy—then that thing cannot be stolen.

      --
      "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
    13. Re:Copyright laws. by thesandtiger · · Score: 5, Informative

      It's worse than that: they steal from us, the public.

      Back when copyrights were first codified into law, there was a deal:

      We, the people, gave protections to people who created works so that they could profit from those works, but in exchange for those protections, the creators of the works agreed to give us, the people, their work after a certain timeframe had passed.

      Works may now - if the copyright holder wishes - no longer come into the public domain because copyright holders are corporations who are solely interested in making a profit, and who use their political influence (money) to ensure that copyright NEVER expires.

      While it certainly won't give me any kind of legal defense, I simply do not care about copyright because the very basis for it has been completely violated by the holders of that copyright.

      If we go back to the original law - life of the initial copyright holder + a small extension past that, and only real-live human beings can be considered to be initial copyright holders - I will give up piracy. Until then, I really don't consider copyright law to be valid because the fundamental premise of it: you get yours, we get ours, has now become "they get theirs, everyone else gets fucked."

      Copyright no longer benefits anyone but the copyright holder, and that is NOT what it was intended to do.

      --
      Since I can't tell them apart, I treat all ACs as the same person.
    14. Re:Copyright laws. by loufoque · · Score: 2, Interesting

      > But clearly most BT traffic is copyright infringement.

      Clearly most road traffic is, too. Aren't all those trucks and cars full of copyrighted material?

    15. Re:Copyright laws. by Arker · · Score: 2, Informative

      > I think you meant to say, copyright infringement is not theft. Stealing is not limited to physical property; plagiarism is considered stealing (the credit for) words, for example. Legal definition of 'steal' is irrelevant, if U.S. law defines stealing at all. It does define 'theft'.

      Stealing and theft are synonyms. See stealing: S: (n) larceny, theft, thievery, thieving, stealing (the act of taking something from someone unlawfully).

      "Stealing credit" makes sense. It's a more metaphorical application, but you are still *taking* something. "Stealing copyright" could be used similarly, but it would refer to what SCO/Caldera is attempting to do in court, not to some kid downloading a song. He is not taking anything from anyone, at most he is violating a statute that granted someone else a monopoly on reproduction of a particular pattern.

      --
      =-=-=-=-=-=-=-=-=-=-=-=-=-=-
      Friends don't let friends enable ecmascript.
    16. Re:Copyright laws. by betterunixthanunix · · Score: 4, Insightful

      "In some (not all) cases the content owner is deprived of a sale."

      Except that it is really impossible to prove such a thing. If we are willing to set aside the fact that the sale never really existed (how can you be deprived of something that does not exist), there are a lot of confounding factors. The downloader might have decided to go out to a store to buy the media, had it not been available for download, and then seen something better to spend money on, and not purchase the media. Or, perhaps the downloader never even had the money to spend on the media, and the sale never even had a chance of happening. Or perhaps the media was not even available to purchase, and the copyright holder did not feel like spending the money on making further copies.

      Even if we ignore all of the above, there is a new problem with declaring "deprivation of sales" to be a form of theft. Maybe my business attracts more customers than your business -- does that now make me a thief, because I am depriving you of the sales you would have had if I had not been in business? What if I go around telling people not to buy your products -- is that thievery too?

      This is the problem with trying to claim that imaginary things like "potential sales" can be "stolen." In general, "stealing" something that is intangible, whether it is some sort of media, or potential sales, or an idea, or whatever else, is illogical. The term "theft" is only used by people who want "copyright" to be considered the equivalent of "real estate," which it was never intended to be.

      --
      Palm trees and 8
    17. Re:Copyright laws. by JesseMcDonald · · Score: 2, Insightful

      If you're arguing that copyright could be transmuted into a contract governing access to the physical copy—not the abstract pattern which copyright currently covers—then I agree with you in theory but do not believe this transmutation to be likely, or effective. The contract would be similar to an NDA, with the same weaknesses. NDAs are only effective when distribution of the information is limited; copyright must cover the case where content is to be distributed to the public at large. Enforcement (tracking) costs would be high, and recovery limited to the individual who first broke the contract. Buyers would be skeptical of agreeing to formal contracts over a mere few hours of entertainment. Content providers are welcome to try it, but I don't think it would work.

      If you are instead saying that there is a property right in the value of a secret, such that duplication (devaluation) becomes a violation of the owner's property rights—just think about that for a moment. That would mean that all production (and all decreases in demand) must violate the property rights of existing owners in the values of their goods. This way lies madness.

      Property rights can only apply consistently to the goods themselves, not their values.

      However, even taking the value-as-property approach, the change in market value of that copy, or any additional copies, is no different than if I had simply decided against having/using the "thing" entirely, or even created something which competes against it. If not-buying and competition do not infringe on this "property right" in the value of the good, then neither can the making of a copy, since the effect on the value is identical.

      On the other hand, accepting that property rights apply to the goods themselves rather than their market values, the statement "You got value at his expense" is false; I did receive value, but there was no expense to him. He has exactly as much as he had before: the original copy.

      Finally, if there is no objective harm then force is not a proportional, or appropriate, response. (Speak up if you disagree...) A rule-of-thumb in determining the existence of objective harm is thus: if you could not determine, by any theoretical means, that an action had taken place simply by observing your own property, then that action does not objectively harm you. When the "property" is the pattern embedded in some physical object, and the action mere duplication, then there is no change in your "property" which would indicate that the action had taken place. Ergo, there is no objective harm, and no justification for the use of force.

      After all, what is the difference in outcome which would justify making the production of a deliberate copy illegal, but not the creation of an identical copy by random convergence? Surely the "harm" is the same in either case? Accidental harm is still harm, but accidental creation of a copy is not considered copyright infringement.

      --
      "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
    18. Re:Copyright laws. by Arker · · Score: 2, Interesting

      A friend of mine has a house that backs onto a small nature preserve. On the other side of that woodland area is an amphitheatre, at which a great many concerts are held. He can sit out back and hear the concerts from his patio, or he can pack a picnic basket and take his wife and kids on a short walk through the woodland to a point directly overlooking the amphitheatre and hear it much better - in fact at that range the volume level is just perfect. They can take binoculars and see the concert as well, almost as if they were in the front row, without suffering from hearing loss and without paying for (very expensive) tickets.

      Do you think he is stealing too?

      --
      =-=-=-=-=-=-=-=-=-=-=-=-=-=-
      Friends don't let friends enable ecmascript.
  3. Shocked. Shocked! by guspasho · · Score: 3, Insightful

    > As a BitTorrent user, I was shocked that anyone with a box connected to the Internet can spy on what everyone is downloading on BitTorrent.

    Really? All you have to do is be on the torrent and connect to them.

    1. Re:Shocked. Shocked! by Peach+Rings · · Score: 2, Informative

      You mean, all you have to do is send a simple request to the tracker, which will happily provide you with a fairly complete list of peers.

      And people make themselves available on the DHT network.

      And people offer their peers freely through PEX.

    2. Re:Shocked. Shocked! by CondeZer0 · · Score: 4, Informative

      > You mean, all you have to do is send a simple request to the tracker, which will happily provide you with a fairly complete list of peers.

      Most trackers (at least most public/open trackers) insert random IPs to give a degree of 'plausible deniability'.

      This of course is not perfect, but to be certain that a peer is serving a file the only way is to actually try to connect to it and fetch some blocks, which is quite a bit more work than just querying the tracker, especially if you have to do it for hundreds of thousands of torrents.

      --
      "When in doubt, use brute force." Ken Thompson
    3. Re:Shocked. Shocked! by peragrin · · Score: 5, Interesting

      You forgot the real part.

      You then have to download the entire thing to find out if those blocks that are part of IronMan2.avi are actually part of the ironman2 movie or some dumb student's project on feeding excessive iron to a man.

      What percentage of the RIAA music takedowns were not actually infringing music but someone's project with a similar name? I know of at least 3 separate incidents where they made a school take down a professor's own notes because of a file name.

      --
      i thought once I was found, but it was only a dream.
    4. Re:Shocked. Shocked! by natehoy · · Score: 4, Insightful

      Yeah, I'm shocked that anyone could be shocked.

      P2P means "Peer to Peer". That means your computer makes a direct connection to other users who seed or leech you. In order to do that, you need to give your IP address so they know who to talk back to. IP addresses resolve to a host, which can always identify your ISP and in rarer cases can identify your username on the ISP (this is thankfully very rare any more).

      I wonder how shocked the poster of this article would be if he realized that every web page he visits gets the same exact information?

      --
      "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
    5. Re:Shocked. Shocked! by klapaucjusz · · Score: 2, Informative

      > You then have to download the entire thing to find out if those blocks that are part of IronMan2.avi are actually part of the ironman2 movie or some dumb student's project on feeding excessive iron to a man.

      Not in BitTorrent.

      A torrent is uniquely identified by its "info-hash", and the first thing you do when you connect to a peer is to agree on the info-hash. So with BitTorrent, you only need to download the file once, check that it is the right file, and then ask all of the peers you find whether they are distributing files with this particular info-hash.
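
The info-hash agreement described in the comment above, as an added example that is not part of the original thread: it computes the info-hash (SHA-1 over the bencoded `info` dictionary) and lays out the 68-byte handshake in which the info-hash and peer ID travel in cleartext. The tracker URLs, payloads and peer ID are constructed sample values, and the helper names (`end_of`, `make_torrent` and so on) are illustrative.

```python
import hashlib
PSTR = b"BitTorrent protocol"  # protocol string sent first in every handshake

def end_of(data, i):
    """Return the index just past the bencoded value that starts at data[i]."""
    c = data[i:i + 1]
    if c == b"i":                                  # integer: i<digits>e
        return data.index(b"e", i) + 1
    if c in (b"l", b"d"):                          # list / dict: walk members
        i += 1
        while data[i:i + 1] != b"e":
            i = end_of(data, i)
        return i + 1
    if c.isdigit():                                # string: <len>:<bytes>
        colon = data.index(b":", i)
        end = colon + 1 + int(data[i:colon])
        if end > len(data):
            raise ValueError("truncated string")
        return end
    raise ValueError("not bencode at offset %d" % i)

def info_hash(torrent):
    """SHA-1 over the raw bytes of the top-level 'info' dictionary."""
    if torrent[:1] != b"d":
        raise ValueError("metainfo must be a dictionary")
    i = 1
    while torrent[i:i + 1] != b"e":
        key_end = end_of(torrent, i)
        key = torrent[torrent.index(b":", i) + 1:key_end]
        val_end = end_of(torrent, key_end)
        if key == b"info":
            return hashlib.sha1(torrent[key_end:val_end]).digest()
        i = val_end
    raise ValueError("no info dictionary")

def build_handshake(ih, peer_id):
    if len(ih) != 20 or len(peer_id) != 20:
        raise ValueError("info-hash and peer ID are 20 bytes each")
    return bytes([len(PSTR)]) + PSTR + bytes(8) + ih + peer_id

def parse_handshake(msg):
    """Split a 68-byte handshake; everything in it is sent in cleartext."""
    if len(msg) != 68 or msg[0] != len(PSTR) or msg[1:20] != PSTR:
        raise ValueError("not a BitTorrent handshake")
    return {"reserved": msg[20:28], "info_hash": msg[28:48], "peer_id": msg[48:68]}

def make_torrent(announce, name, payload):
    """Constructed single-piece metainfo, for this example only."""
    info = b"d6:lengthi%de4:name%d:%s12:piece lengthi16384e6:pieces20:%se" % (
        len(payload), len(name), name, hashlib.sha1(payload).digest())
    return b"d8:announce%d:%s4:info%se" % (len(announce), announce, info)

# Constructed samples: A and B differ only in tracker, A and C only in content.
A = make_torrent(b"http://tracker-a.example/announce", b"IronMan2.avi", b"constructed payload one")
B = make_torrent(b"http://tracker-b.example/announce", b"IronMan2.avi", b"constructed payload one")
C = make_torrent(b"http://tracker-a.example/announce", b"IronMan2.avi", b"a student project on iron")

if __name__ == "__main__":
    hs = build_handshake(info_hash(A), b"-XX0001-constructed0")
    print(parse_handshake(hs)["info_hash"].hex(), info_hash(A) == info_hash(B), info_hash(A) == info_hash(C))
```

A and B yield the same info-hash because the tracker URL sits outside the `info` dictionary; A and C share a file name but hash differently because the piece hashes inside `info` differ.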

  4. Re:UNISEX? by 2obvious4u · · Score: 2, Interesting

    Did you know when reading you really only look at the first and last letter? Your mind fills in the rest. So that comment just shows where your mind is.

  5. This is not an important security article. by Spazntwich · · Score: 4, Insightful

    It is an important reminder of just how ignorant most technology users are of the very tools they're using.

    1. Re:This is not an important security article. by vxice · · Score: 2, Insightful

      Shocking, shocking I say that when I use p2p to upload and download files to other people that someone could possibly be sitting around listening to and recording my requests for data as well as requesting data that I have sourced that they 'want' who would have guessed?

      --
      every anarchist is a baffled dictator. Benito_Mussolini
    2. Re:This is not an important security article. by 0100010001010011 · · Score: 5, Funny

      I download something from Napster
        And the same guy I downloaded it from starts downloading it from me when I'm done
        I message him and say "What are you doing? I just got that from you"
        "getting my song back fucker"

      - bash

  6. Redacted by StikyPad · · Score: 5, Funny

    [This post removed under the first rule of USENET.]

    1. Re:Redacted by Anonymous Coward · · Score: 2, Funny

      But if I copy the redacted post and paste into my favorite editor, all is revealed!

  7. Hi, I'm new here by EkriirkE · · Score: 4, Funny

    You mean to tell me when I connect to a large pool of people, there is a large pool of people there?

    --
    from 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
    to 45 2F 6E 40 3C DF 10 71 4E 41 DF AA 25 7D 31 3F
  8. OMG by Anonymous Coward · · Score: 4, Funny

    This must mean my IP address is being BROADCAST TO THE WORLD! And I thought I had punched the monkey to prevent this.

  9. Well duhh! Of course you can find thm out! by MarkTina · · Score: 4, Funny

    It's P2P, you can't hide your IP from someone when they ask for a bit of movie file and your computer cheerfully sends it! It's the equivalent of the police walking down your street shouting "Are there any thieves here ?", and you sticking your head out the window to shout back "Yes Me me me! I'm a thief!!" ;-)

    The best you can do is not respond to requests from IPs on a block list ... or steal Wifi from a poorly secured neighbour.

  10. Re:Good! by Jer · · Score: 4, Interesting

    Actually, despite the credulousness of the summary poster, if you click through to the abstract you also get this bit:

    > To circumvent this kind of monitoring, BitTorrent users are increasingly using anonymizing networks such as Tor to hide their IP address from the tracker and, possibly, from other peers. However, we showed that it is possible to retrieve the IP address for more than 70% of BitTorrent users on top of Tor [LMC_POST10]. Moreover, once the IP address of a peer is retrieved, it is possible to link to the IP address other applications used by this peer on top of Tor.

    Perhaps I'm exposing my own ignorance (because I've never felt the need to use Tor myself) but that strikes me as surprising if it's true. And something that even savvy internet users might not think about.

  11. Nice by Hognoxious · · Score: 4, Funny

    > I was at the 3rd USENIX Workshop on Large-Scale Exploits and Emergent Threats yesterday

    Awesome. Meet any chicks?

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  12. They cracked Tor? by VTI9600 · · Score: 2, Interesting

    That you can view peers on a BT network is not shocking. What deserves more attention is the fact that they were able to identify IPs of even those users who used Tor. Of course, BT and Tor should never be mixed (to protect the network of those who need privacy for something other than piracy). This just proves it.

  13. Re:Good! by Knara · · Score: 3, Interesting

    Well, things like Javascript can expose the originating IP over Tor to the receiver, so it's probably not a large leap to assume that you can look at torrent traffic and find the originating IP at the application level.

    That said, it's a "problem" with the originating application, not Tor specifically. As said on the Tor website "Tor does not automatically make all your communications secure."

  14. fear-mongerish by drDugan · · Score: 5, Informative

    Saying you "can spy on what everyone is downloading on BitTorrent" and TFA stating "major privacy threat" are over-the-top and fear-mongering exaggerations.

    A more accurate way to state this is: Using BitTorrent will make your IP address public regarding what content is downloaded and shared online from that IP address. When someone monitors the same content, then they can log your IP address. This is obvious from how the protocol works to anyone who looks into privacy questions seriously. Yes, there is less privacy with what you download with BitTorrent compared to a direct download, as other people also sharing the same content can see your IP address.

    But remember, with every download method online someone else knows you have downloaded it, with direct downloads and with all the different peer-to-peer distribution options. If you go to Adobe and download the latest Photoshop demo, they know, they log your IP, and usually even ask for even more information about you.

    The only real privacy problem (a "major threat") is for people using BitTorrent for illegal redistribution of content; it is not a major problem for distribution of open licensed or public domain content, businesses or organizations using BitTorrent for distribution to lower costs, or to distribute free content for viral or marketing purposes.

    (Disclaimer: our company, ClearBits, does exactly this, offers distribution as a service to others, and we use BitTorrent extensively)

  15. If you think that's fun... by Call+Me+Black+Cloud · · Score: 3, Interesting

    1. Host TOR exit node
    2. Eavesdrop on traffic
    3. Post results
    ...
    4. Profit!

    I'm sure the traffic coming out of TOR is far more interesting than BitTorrent traffic (unless you're a media company).

  16. Re:UNISEX? by HTH+NE1 · · Score: 2, Informative

    Yeah, that has been disproven.

    There exist pairs of words which are anagrams of each other while still having the same first and last letter. Thus you would not be able to distinguish them if the intervening letters were scrambled. Two examples are protuberantial/perturbational and, even more on point, undefinability/unidentifiably.

    --
    Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
  17. Re:Good! by blair1q · · Score: 4, Informative

    No, it's a pretty simple application of basic undercover investigative technique.

    They pretended to be part of the Tor web, joining it at a point where the user's IP address was visible.

    People willingly handed them the IP address.

    And since the web was fairly limited in size, and connection points were selected randomly, and most users did multiple connections over time, eventually 70% of users willingly handed them the IP address. Since Tor has no way of ensuring trust in its security servers, its security is void. You couldn't have designed it better to funnel users' IP addresses to a spy unless you had only one server in the whole web and faked the rest of the topology.

    It was wide-open to being exploited by sting operations.

    This is also the reason you should never trust anonymizing proxy servers or Arab sheiks.

    There's nothing so useless as a lock with a voice imprint - Lord President Borusa

  18. Re:Can I get a DUH here? by jch.pgh · · Score: 2, Insightful

    Thank you for that DUH. Bram Cohen originally designed the protocol to be an ultra-scalable file distribution approach, and every attempt to add security, encryption, or whatever is trying to add something against the grain of its origin. (It may still be worth doing it, in the same sense that steganography may still be worth doing.) Bittorrent is for above-board, everyone-knows-you're-doing-it file distribution. If you want to hide what you're doing, do it with something else.

  19. Re:Good! by plasticsquirrel · · Score: 2, Insightful

    Yeah, some assholes use Tor for BitTorrent, and it's awful for the network. Then people like me who live behind the Great Firewall of China, get slower-than-molasses browsing of censored web sites (terrible things like Google Pages, Blogger, anything from Taiwan, any page containing a string the PRC doesn't like, etc.). The main use for such work-arounds is usually just for my own research and education, and this is the basic reason that Tor exists. Users who run BitTorrent through Tor are really abusing what is basically a charity for people who need it.

    --
    Systemd: the PulseAudio of init systems
  20. I confess I'm a thief: A True Story by mangu · · Score: 4, Insightful

    > He fully expected the sale to anyone that WATCHED that movie.

    Let me tell you a true story very much like the theoretical example you posted. When I was a kid there was a Rolling Stones song I loved, but I had no money to buy the album and my parents hated rock music. Our neighbors had that album, and I used to run to the backyard to listen when they played it. Was I stealing?

  21. The scanner committed piracy itself by frizzantik · · Score: 2, Informative

    From the PDF it says the scanner downloaded pieces of data from all of the 1.2 Million torrents it listened in on. Shame Shame!

  22. Talking about shock by ElusiveJoe · · Score: 2, Insightful

    > As a BitTorrent user, I was shocked that anyone with a box connected to the Internet can spy on what everyone is downloading on BitTorrent.

    That's nothing! Imagine how shocked were content providers, when they discovered that anyone with a box connected to the Internet can insert the new contents into BitTorrent!

  23. Re:Or a warning by fbjon · · Score: 3, Informative
    Not so sure. I checked out one of the swarms indicated, and sure enough, I found the peer listed on that site.

    Incidentally, the CLI interface is fragile, and it can break out into a standard apache directory listing. It also occasionally redirects to an RFC document for some reason. Anyway, there's a log of all tried passwords there. But more interestingly, there's a lot of other stuff elsewhere in the tree, an 18MB text file with a Twitter social connection graph (just a list of name pairs), and a monitor/ directory with what looks like GSM/email/p2p monitoring stuff. Can't access most of it except an auto-refreshing IRC monitoring page though.

    Somebody is using it for something it seems.

    --
    True confidence comes not from realising you are as good as your peers, but that your peers are as bad as you are.
  24. RTFA, important if you use BT by Anonymous Coward · · Score: 2, Insightful

    The article goes into a lot of detail about how they identify those users who are on VPN, Proxy, tor, etc. They've also identified over 10,000 IPs that "monitor" only, from a few data centers in the United States. If you're using BT, you should definitely read this article.

  25. Re:Not very observant? by gronne · · Score: 2, Insightful

    I was just thinking that in the year 2010, how is it possible for a Slashdot reader not to know that Bittorrent is not private?

  26. Re:Semantics and bullshit by JesseMcDonald · · Score: 2, Insightful

    > Let's say I find myself a man to play the guitar at dinnertime each night. It's now the end of the week, and he has the "expectation" of income. He was deprived of the use of his time, and I enjoyed the fruits of his labour. If I choose to not pay him, have I not stolen from him?

    That depends. What does your contract say? If the contract states that you give him a certain amount of money on the condition that he plays for you, and after he plays you refuse to turn over the money, then you are indeed stealing from him—that's his money you're withholding. One can envision other circumstances, including the absence of any contract (not necessarily written), where refusal of payment would not be theft. The expectation is not enough, by itself.

    > If I'm not stealing in the second case, I'm not stealing in the first.

    In the second case you explicitly did not agree in advance to pay him. This changes matters. If you did agree to such in the first case then the situations are not analogous.

    > he was deprived of the use of his time

    Perhaps, but not by you. The decision to spend his time playing or recording his performances was his own. You have not deprived him of any additional time by listening. He was under no obligation to make his recordings available to you without first arranging for payment. Only the existence of a voluntary contract would create an obligation on your part for payment after the fact.

    --
    "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat