Anyone Can Play Big Brother With BitTorrent

An anonymous reader writes "I was at the 3rd USENIX Workshop on Large-Scale Exploits and Emergent Threats yesterday, and there were people from the French Institute for Computer Science who have continuously spied on most BitTorrent users on the Internet for 100 days, from a single machine. They've also identified 70% of all content providers; yes, those guys that insert the new contents into BitTorrent. As a BitTorrent user, I was shocked that anyone with a box connected to the Internet can spy on what everyone is downloading on BitTorrent."

An Opportunity

[MarkvW]

Looks like a good way to earn a paycheck from the RIAA.

Re:An Opportunity

[poetmatt]

looks like something that won't work for those who understand that plenty of these IP addresses could be spoofed or not even uploading, or knows what I2P does, or uses VPN. This is just a list of IPs that they are assuming are 100% valid because they were listed in the tracker when the content went up. They're saying that if someone is listed on more than one tracker, it confirms who they are.

That= a bad study.

All they're saying is "We can tie an IP to a torrent", but that doesn't mean you can get anything more than that. Judges already don't accept an IP simply being tied to a torrent.

Re:An Opportunity

[feepness]

Judges already don't accept an IP simply being tied to a torrent.

What do they accept? My, err, friend wants to know!

Re:An Opportunity

[Bigjeff5]

If you can get an IP, you can narrow down the area quite a lot without the ISP's cooperation, possibly enough to force the ISP's cooperation. With ISP cooperation you can narrow an IP down to a physical address. At that point, you're screwed.

What people who don't understand how networking works is, if there is a connection then there is an IP address trail to follow. You cannot spoof an IP address and maintain a connection. You can spoof a MAC address just fine, because that is only used on the last leg of the connection, but the IP address is used the rest of the way and a link must be maintained if data is ever to get back to the source. Pretty much all IP spoofing is good for are cases where you don't want to receive the response, like a DOS attack (there are elaborate network hacks using IP spoofing, but they require direct access to the destination network). That's obviously no good for a BitTorrent connection.

What you can do is sort of "launder" the IP address to make it difficult to trace - that is, to route it through multiple NAT services. Each NAT maintains an IP trail to the previous address though, or the connection would fail, so this is only obscuring the source, not erasing the trail. Someone diligent enough (and with sufficient authority to force cooperation from various ISP's) could potentially track any sufficiently current IP address from destination back to source. Also, setting up such a route would go a long way to establishing intent to commit a crime, which will blow most of your defense out of the water in such a case.

There might be some honeybuckets in the tracker's list, which would be clever, but all it is going to do is waste a little bit of time for whoever is tracking these IP's, it's certainly no protection for anybody but the tracker (who would be monitoring the honeybucket, one would assume).

Re:An Opportunity

[Shakrai]

With ISP cooperation you can narrow an IP down to a physical address. At that point, you're screwed.

Speak for yourself. I do all my bittorrenting from open wireless networks ;)

Re:An Opportunity

[wealthychef]

This is actually an argument for buying a wireless router and leaving it open without a password. Sure, you can be owned by your malicious neighbors, but they could also be the ones doing the torrent downloads... hmm. LOL

Re:An Opportunity

[Bigjeff5]

If they get enough to get a search warrant, you're screwed, because even if you're masking you're MAC they'll be able to figure that out once they have access to your machine and make a positive link to the IP address.

If you use whole-drive encryption, recent court cases have shown you've opened up a whole new can of worms, and didn't really save yourself any trouble.

If you try hard enough at hiding it, you could be in a situation where the circumstantial evidence is enough to push a jury past the "reasonable doubt" threshold, in which case you've saved yourself nothing.

It really is not easy to shield yourself when you use a protocol that by its very nature must identify your machine uniquely. The best you can do is hide and make your discovery more difficult. You can't completely prevent it completely and still access the internet in any useful way.

Re:An Opportunity

[montibbalt]

If you also have a few random garbage generators installed on the system, that also makes it look more plausible.

Luckily, several of these are built into Windows itself!

Re:An Opportunity

[Shakrai]

We are talking about civil actions here, not criminal ones. How would RIAA go about tying your MAC address back to you, even if you weren't smart enough to spoof it? Are they going to file discovery motions on every single house within range of the AP that was used? Heck, for that matter, how would law enforcement do it? No Judge would issue a warrant for "every computer within a 150 meter radius of this location", not for something as mundane as file sharing.

BTW, you can get a lot further than 150 meters with the right antenna setup. I've seen associations made at ranges exceeding two kilometers, under less than ideal conditions.

Shocked. Shocked!

[guspasho]

As a BitTorrent user, I was shocked that anyone with a box connected to the Internet can spy on what everyone is downloading on BitTorrent."

Really? All you have to do is be on the torrent and connect to them.

Re:Shocked. Shocked!

[CondeZer0]

> You mean, all you have to do is send a simple request to the tracker, which will happily provide you with a fairly complete list of peers.

Most trackers (at least most public/open trackers) insert random ips to give a degree of 'plausible deniability'.

This of course is not perfect, but to be certain that a peer is serving a file the only way is to actually try to connect to it and fetch some blocks, which is quite a bit more work than just querying the tracker, specially if you have to do it for hundreds of thousands of torrents.

Re:Shocked. Shocked!

[peragrin]

you forgot the real part.

You then have to download the entire thing to find out if those blocks are part of IronMan2.avi are actually part of ironman2 movie or some dumb students project on feeding excessive iron to a man.

what percentage of the RIAA music takedowns where not actually infringing music but someone's project with a similar name? I know of at least 3 separate incidents where they made a school take down a professors own notes because of a file name.

Re:Shocked. Shocked!

[natehoy]

Yeah, I'm shocked that anyone could be shocked.

P2P means "Peer to Peer". That means your computer makes a direct connection to other users who seed or leech you. In order to do that, you need to give your IP address so they know who to talk back to. IP addresses resolve to a host, which can always identify your ISP and in rarer cases can identify your username on the ISP (this is thankfully very rare any more).

I wonder how shocked the poster of this article would be if he realized that every web page he visits gets the same exact information?

This is not an important security article.

[Spazntwich]

It is an important reminder of just how ignorant most technology users are of the very tools they're using.

Re:This is not an important security article.

[0100010001010011]

I download something from Napster
  And the same guy I downloaded it from starts downloading it from me when I'm done
  I message him and say "What are you doing? I just got that from you"
  "getting my song back fucker"

- bash

Redacted

[StikyPad]

[This post removed under the first rule of USENET.]

Hi, I'm new here

[EkriirkE]

You mean to tell me when I connect to a large pool of people, there is a large pool of people there?

OMG

This must mean my IP address is being BROADCAST TO THE WORLD! And I thought I had punched the monkey to prevent this.

Re:Copyright laws.

[DarkKnightRadick]

I care about privacy and I only use bit torrent for legitimate purposes.

Re:Copyright laws.

[loufoque]

First off, Copyright infringement is not theft.

Secondly, transmitting copyrighted material over a computer network is not necessarily copyright infringement, even if copyright holders would like it to be.

Re:Copyright laws.

[jeffmeden]

Is privacy invaded because of people pursuing copyright violators, or is privacy pursued because people want to evade copyright enforcers? Seems that if you decide it's the latter you are prepared to give away the privacy of many (those who arent copyright thieves) for the protection of the few (those that own IP that is being copied)...

You know giving up the first little bit is always the easiest...

Well duhh! Of course you can find thm out!

[MarkTina]

It's P2P, you can't hide your IP from someone when they ask for a bit of movie file and your computer cheerfully sends it! It's the equivilant of the police walking down your street shouting "Are their any thieves here ?", and you sticking your head out the window to shout back "Yes Me me me! I'm a thief!!" ;-)

The best you can do is not respond to requests from IPs on a block list ... or steal Wifi from a poorly secured neighbour.

Re:Copyright laws.

[Red+Flayer]

I dunno about that.

Privacy isn't just about keeping your illegal activities hidden from an authority that can punish you for those activities. I don't want anyone to be able to glean the details of my day-to-day habits, be they bittorent use, physical locations, or anything else. Even if we had NO copyright laws, I'd still have a problem with people being able to track my actions. And FWIW, I have nothing to hide, AFAIK[1], other than routinely exceeding the speed limit in my car. I refuse on principle to violate copyrights.

[1] the AFAIK is a big problem. There's probably a good chance I violate some law or other occasionally, but I have no idea since there are so many laws on the books. But that just feeds into the privacy issue... I'm no Randian, but the massive amount of laws we have on the books that make innocuous behavior illegal means that I'm probably a criminal without knowing it. The best way to protect against this extant situation is to make sure I maintain the privacy of my activity. Better not to have that situation in the first place, but that's a topic for a different discussion.

Re:Good!

[Jer]

Actually, despite the credulousness of the summary poster, if you click through to the abstract you also get this bit:

To circumvent this kind of monitoring, BitTorrent users are increasingly using anonymizing networks such as Tor to hide their IP address from the tracker and, possibly, from other peers. However, we showed that it is possible to retrieve the IP address for more than 70% of BitTorrent users on top of Tor [LMC_POST10]. Moreover, once the IP address of a peer is retrieved, it is possible to link to the IP address other applications used by this peer on top of Tor.

Perhaps I'm exposing my own ignorance (because I've never felt the need to use Tor myself) but that strikes me as surprising if it's true. And something that even savvy internet users might not think about.

Nice

[Hognoxious]

I was at the 3rd USENIX Workshop on Large-Scale Exploits and Emergent Threats yesterday

Awesome. Meet any chicks?

Re:Good!

[Knara]

Well, things like Javascript can expose the originating IP over Tor to the receiver, so it's probably not a large leap to assume that you can look at torrrent traffic and find the originating IP at the application level.

That said, its a "problem" with the originating application, not Tor specifically. As said on the Tor website "Tor does not automatically make all your communications secure."

fear-mongerish

[drDugan]

Saying you "can spy on what everyone is downloading on BitTorrent" and TFA stating "major privacy threat" are over-the-top and fear-mongering exaggerations.

A more accurate way to state this is: Using BitTorrent will make our IP address public regarding what content is downloaded and shared online from that IP address. When someone monitors the same content, then they can log your IP address. This is obvious from how the protocol works to anyone who looks into privacy questions seriously. Yes, there is less privacy with what you download with BitTorrent compared to a direct download, as other people also sharing the same content can see your IP address.

But remember, with every download method online someone else knows you have downloaded it, with direct downloads and with all the different peer-to-peer distribution options. If you go to Adobe and download the latest Photoshop demo, they know, they log your IP, and usually even ask for even more information about you.

The only a real privacy problem (a "major threat") is for people using BitTorrent for illegal redistribution of content; it is not a major problem for distribution of open licensed or public domain content, businesses or organizations using BitTorrent for distribution to lower costs, or to distribute free content for viral or marketing purposes.

(Disclaimer: our company, ClearBits, does exactly this, offers distribution as a service to others, and we use BitTorrent extensively)

Re:Copyright laws.

[commodore64_love]

I don't lie to myself.

I steal. Rather than go out and buy the DVDs, I steal the content. And no I don't care. Movie companies steal from their workers all the time ("Sorry Mr. Cameron, actors, and crew... Titanic made no profit, so your profit share check will be zero."). If the movie is any good (like Star Trek) then I will buy it.

If you think that's fun...

[Call+Me+Black+Cloud]

1. Host TOR exit node
2. Eavesdrop on traffic
3. Post results
...
4. Profit!

I'm sure the traffic coming out of TOR is far more interesting than BitTorrent traffic (unless you're a media company).

Re:Good!

[blair1q]

No, it's a pretty simple application of basic undercover investigative technique.

They pretended to be part of the Tor web, joining it at a point where the user's IP address was visible.

People willingly handed them the IP address.

And since the web was fairly limited in size, and connection points were selected randomly, and most users did multiple connections over time, eventually 70% of users willingly handed them the IP address. Since Tor has no way of ensuring trust in its security servers, its security is void. You couldn't have designed it better to funnel users' IP addresses to a spy unless you had only one server in the whole web and faked the rest of the topology.

it was wide-open to being exploited by sting operations.

This is also the reason you should never trust anonymizing proxy servers or Arab sheiks.

There's nothing so useless as a lock with a voice imprint - Lord President Borusa

Re:Copyright laws.

[Arker]

Once again, copyright infringement is NOT stealing. Nor is copying copyrighted data necessarily and always copyright infringement. Finally, it's better to be on the right side for the wrong reasons than to be on the wrong side entirely.

Re:Copyright laws.

[JesseMcDonald]

YOU are denying the person who created the content the sale. YOU have denied them the money they would have made. YOU have TAKEN from them something that was rightfully theirs. THE SALE.

<sarcasm>Just think of how much you've stolen by not-buying all those CDs you don't own! You must owe the RIAA more than the GDP of the United States by now!</sarcasm>

Choosing not to buy something is not theft. No one owns "THE SALE". They own their physical property, because it is scarce. And they have not been deprived of that property.

Re:Copyright laws.

[nmb3000]

I'm not going to get into the copyright violation vs theft argument (again), but this is just plain WRONG. Drivel like this reeks of **AA and artist entitlement whining.

YOU are denying the person who created the content the sale.

No, because I had no plans on buying whatever it was I'm downloading. If I can get X for free, I'll grab it. If I can't, I'll do without. No sale lost.

YOU have denied them the money they would have made.

They wouldn't have made any money, ergo I denied them nothing.

YOU have TAKEN from them something that was rightfully theirs. THE SALE.

Again, there was no sale to be made. 0 - 0 = 0.

If you want to argue on the basis of morals then I imagine most people would agree that violating a (sane) copyright is wrong. When you start talking about 120-year old copyrights or trying to prevent what most feel is fair use then people will start to disagree.

Regardless of all that, the monetary value of a potential sale is exactly $0.00.

Re:Copyright laws.

[Barrinmw]

Actually, I did a report in High School on the creation of Playboy and this one girl got all pissy at me for it and said how it was degrading to women and everything. I told her that people do buy it for the articles too and she was like, Yeah who? My answer was the 10,000 blind people who order the braile edition. That shut her up pretty good.

Re:Copyright laws.

[JesseMcDonald]

The enlightened argument is not that the act of copying is theft, but that illegal copying deprives the copyright owner of monetary gains which would otherwise have been earned.

So does simply choosing to go without. Should that be illegal now as well?

You can't "steal" the expectation of income. Only that which is owned is subject to theft, and theft only occurs when one is deprived of its use. If one cannot be deprived of the use of a thing—as is the case for everything subject to copyright, since mere duplication cannot deprive anyone of use of the original copy—then that thing cannot be stolen.

Re:Copyright laws.

[thesandtiger]

It's worse than that: they steal from us, the public.

Back when copyrights were first codified into law, there was a deal:

We, the people, gave protections to people who created works so that they could profit from those works, but in exchange for those protections, the creators of the works agreed to give us, the people, their work after a certain timeframe had passed.

Works may now - if the copyright holder wishes - no longer come into the public domain because copyright holders are corporations who are solely interested in making a profit, and who use their political influence (money) to ensure that copyright NEVER expires.

While it certainly won't give me any kind of legal defense, I simply do not care about copyright because the very basis for it has been completely violated by the holders of that copyright.

If we go back to the original law - life of the initial copyright holder + a small extension past that, and only real-live human beings can be considered to be initial copyright holders - I will give up piracy. Until then, I really don't consider copyright law to be valid because the fundamental premise of it: you get yours, we get ours, has now become "they get theirs, everyone else gets fucked."

Copyright no longer benefits anyone but the copyright holder, and that is NOT what it was intended to do.

I confess I'm a thief: A True Story

[mangu]

He fully expected the sale to anyone that WATCHED that movie.

Let me tell you a true story very much like the theoretical example you posted. When I was a kid there was a Rolling Stones song I loved, but I had no money to buy the album and my parents hated rock music. Our neighbors had that album, and I used to run to the backyard to listen when they played it. Was I stealing?

Re:Copyright laws.

[betterunixthanunix]

"In some (not all) cases the content owner is deprived of a sale."

Except that it is really impossible to prove such a thing. If we are willing to set aside the fact that the sale never really existed (how can you be deprived of something that does not exist), there are a lot of confounding factors. The downloader might have decided to go out to a store to buy the media, had it not been available for download, and then seen something better to spend money on, and not purchase the media. Or, perhaps the downloader never even had the money to spend on the media, and the sale never even had a chance of happening. Or perhaps the media was not even available to purchase, and the copyright holder did not feel like spending the money on making further copies.

Even if we ignore all of the above, there is a new problem with declare "deprivation of sales" to be a form of theft. Maybe my business attracts more customers than your business -- does that now make me a thief, because I am depriving you of the sales you would have had if I had not been in business? What if I go around telling people not to buy your products -- is that thievery too?

This is the problem with trying to claim that imaginary things like "potential sales" can be "stolen." In general, "stealing" something that is intangible, whether it is some sort of media, or potential sales, or an idea, or whatever else, is illogical. The term "theft" is only used by people who want "copyright" to be considered the equivalent of "real estate," which it was never intended to be.

Re:Or a warning

[fbjon]

Not so sure. I checked out one of the swarms indicated, and sure enough, I found the peer listed on the that site.

Incidentally, the CLI interface is fragile, and it can break out into a standard apache directory listing. It also occasionally redirects to an RFC document for some reason. Anyway, there's a log of all tried passwords there. But more interestingly, there's a lot of other stuff elsewhere in the tree, an 18MB text file with a Twitter social connection graph (just a list of name pairs), and a monitor/ directory with what looks like GSM/email/p2p monitoring stuff. Can't access most of it except an auto-refreshing IRC monitoring page though.

Somebody is using it for something it seems.