Researchers ID Skype, BitTorrent Users

itwbennett writes "Researchers have figured out a way to link online Skype users to their activity on peer-to-peer networks like BitTorrent. The team was able to sift out the nodes through which Skype calls are routed and determine the user's real IP address by sniffing the packets. To correlate the identified Skype users with files shared on BitTorrent, the researchers built tools to collect BitTorrent file identifiers, a BitTorrent crawler to collect IP addresses on the network and a verifier to match an online Skype user with an online BitTorrent user (PDF). 'As soon as the BitTorrent crawler detects a matching IP address, it signals the verifier, which immediately calls the corresponding Skype user and, at the same time, initiates a handshake with the BitTorrent client,' they wrote."

Scary

[AcesHidden]

Privacy is but an illusion.

Re:Scary

[ackthpt]

Privacy is but an illusion.

Yep. RIAA & MPAA dollars at work? If not, I bet they are keenly interested. Very keenly.

Still bugs me, 15+ years on that a lot of spam and other mischief on the internet hasn't been shut down. All the information is there.

Re:Scary

Privacy is but an illusion.

Yep. RIAA & MPAA dollars at work? If not, I bet they are keenly interested. Very keenly.

Still bugs me, 15+ years on that a lot of spam and other mischief on the internet hasn't been shut down. All the information is there.

Tor project is getting more popular every day. http://www.google.com/insights/search/#q=tor%20project&cmpt=q. As your IP becomes less and less of a shield for intrusion, it could happen that more and more stuff will just move to the next level of privacy... secrecy. And with it, the crime, spam, etc.

Re:Scary

[shoehornjob]

Maybe the so called "researchers" (MAFIAA research department) need to leave that sh!t alone and respect my privacy. I looked into using Skype for Video conferencing but their application was incredibly intrusive.

Re:Scary

Fuck tor. Only pedophiles use that garbage and anyone using it should take a hard look at their life and feel ashamed that they are supporting the rape of the children by using it.

Re:Scary

[__aavevi421]

Political dissidents are child molesters now? Dick head.

Re:Scary

[WorBlux]

So the U.S. navy is a bunch of child molesters? Tor is just a tool to increase privacy and security online. What people use it for is their own responsibility. Abusus non tollit usum. (Abuse is no argument against proper use)

Quick!

Unplug the internet!

Re:Quick!

Unplug the internet!

Destroy the computer!

Re:Quick!

[taoareyou]

Imprison the user!

Re:Quick!

Hack the planet!

Re:Quick!

[pakar]

Pickaxe?

Researchers?

[HellYeahAutomaton]

C'mon!

  Where do they get off calling these guys researchers, when they are clearly criminals attempting to invade the reasonably expected privacy of Skype users and BT users? These guys are peeping toms at best and identity thieves at worse.

Hold the organizations that employ these guys accountable.

Re:Researchers?

[bigredradio]

I guess it will depend on who they are working for. If it is for the CIA, FBI or RIAA, then they are crime fighters. If they work for Anonymous, Wikileaks, or the Chinese government, then they are criminals.

Re:Researchers?

[joebok]

If they were criminals, wouldn't they keep their methods secret in order to blackmail or otherwise monetize it in some way? Research like this is the only way that security gets better.

Re:Researchers?

[pclminion]

Are you some kind of dumbshit? You'd rather the government did this to you and you had no idea it was possible? Now we know this form of tracking is possible and we can develop a defense against it.

Re:Researchers?

[Stalks]

If you use bittorrent, then you should expect no privacy at all as the protocol openly allows others to get the list of users.

Re:Researchers?

[Nom+du+Keyboard]

C'mon!

Where do they get off calling these guys researchers, when they are clearly criminals attempting to invade the reasonably expected privacy of Skype users and BT users? These guys are peeping toms at best and identity thieves at worse.

Hold the organizations that employ these guys accountable.

I can only hope that my taxpayer money hasn't gone to fund this "research".

Re:Researchers?

[Lunix+Nutcase]

invade the reasonably expected privacy of Skype users and BT users?

For Skype users you might have a point but bittorrent works by publicly broadcasting your IP to the swarm. That's like standing outside shouting your name and social security number and claiming you had an expectation of privacy.

Re:Researchers?

[jdavidb]

reasonably expected privacy

In other words, you'd like everyone to see this issue the way you do, so you call your expectations reasonable and anyone who disagrees with you is unreasonable.

Privacy costs. Not necessarily money, but it costs. Sure I avert my eyes if I run into someone's private moment, but if I really want to be private, I consider it my own responsibility to take precautions to achieve that.

Re:Researchers?

[postbigbang]

Like you have control over it. Whatchya going to do? And what good will it do ya?

Re:Researchers?

People using BT are already doing IP changing and have other tracking obfuscators at work.

Re:Researchers?

What if they're professors from the Polytechnic Institute of New York University using a grant from the National Science Foundation? They only acknowledge the one grant for funding. They say it was "partially" funded through that but I have a hard time believing that a part of NYU would leave something as important out as getting funding from a party that had uncomfortable relations with the subject.

Besides, if you read the paper, they call it a "security threat" and the theoretical users of the method "attackers." Plus they throw the word "scheme" around a lot too. It might be used by the RIAA but it's not like the vulnerability didn't exist without this study.

Re:Researchers?

I guess it will depend on who they are working for. If it is for the CIA, FBI or NSA, then they are crime fighters. If they work for Anonymous, Wikileaks, RIAA / MPAA or the Chinese government, then they are criminals.

FTFY

Re:Researchers?

[MrSmith0011000100110]

Hasn't anyone learned from Aaron Barr? Don't fuck with people on the net you don't know. They can/will get you. That's obviously besides the legal implications of these "researchers". First, sniffing internet traffic is illegal...even google got in trouble for doing that "accidentally". Second, there is absolutely no way to correlate the data without stealing files or potentially protected IP from the "target" computer. So these "researchers" should be prosecuted to the fullest degree of the law...just like the people they're working for usually want to do to the rest of us.

Re:Researchers?

[HellYeahAutomaton]

> In other words, you'd like everyone to see this issue the way you do, so you call your expectations reasonable and anyone who disagrees with you is
> unreasonable.

I can buy into Linus's law for the idea of making public problems that exist in security and software. However, this goes above and beyond and has directly subjected 100,000 users purposefully to unwarranted intrusion (an act of aggression) on their communications directly. It doesn't matter *who* does this.
It is wrong.

reasonable expectation of privacy: An objective, legitimate or reasonable expectation of privacy is an expectation of privacy generally recognized by society.

Is it a public service as a researcher to point out that if a person's home which appears to be secure is currently no longer secure while leaving the front door wide open? Perhaps.

Is it a public service for the researcher to walk inside and help themselves to your wife and your beer? Absolutely not.

Re:Researchers?

[Joce640k]

If bittorrent data is arriving at your machine then somebody's got your IP address. Period. No way around it.

Re:Researchers?

postbigbang, proud to be complacent.

Re:Researchers?

If you are successfully connected to the internet, and data is leaving from / arriving at your machine, then someone has your IP address.

Don't like it? Pull the plug.

Re:Researchers?

[postbigbang]

Feel free to suggest a legal procedure that has a chance of working. Failing that, dream on.

Re:Researchers?

[jdavidb]

Is it a public service for the researcher to walk inside and help themselves to your wife and your beer? Absolutely not.

Nothing of the sort has happened, unless I'm missing something.

Re:Researchers?

[jdavidb]

reasonable expectation of privacy: An objective, legitimate or reasonable expectation of privacy is an expectation of privacy generally recognized by society

You are repeating your beliefs instead of addressing my point.

Re:Researchers?

[E.I.A]

How does this comment get "flamebait" and the one saying essentially the same thing below gets 5 for "interesting". You guys need to lighten up a bit with the trigger-happy troll crap. I get branded a troll every time I make a joke. wtf?

Re:Researchers?

[OeLeWaPpErKe]

Hi dear AC,

Google for these technologies : NAT, VPN, Tor, Proxy, Anomymizing proxies, Overlay networks, Distributed hashtables, ...

Re:Researchers?

[HellYeahAutomaton]

http://en.wikipedia.org/wiki/Expectation_of_privacy

An objective, legitimate or reasonable expectation of privacy is an expectation of privacy generally recognized by society.

Re:Researchers?

Google for this: ISP

Re:Researchers?

[jdavidb]

Once upon a time society also generally recognized that the earth was flat, that the world was created by God, and that homosexuals should be tortured and burned. Popularity contests are no way to decide morality.

Re:Researchers?

[HellYeahAutomaton]

You can't have it both ways -- first accusing of wanting to have the view as my way, and then against the general accepted view of the majority. Most people, liberty loving people see the view my way and in this case, since no one is harmed by this expectation it probably is morally correct.

You've only just proven yourself to be obstinate and disagreeable, citing irrelevant causes.

Privacy

[Alunral]

So what's this old thing we used to call privacy? Is this even legal for them to be doing? Or will it, like everything else, fall into that gray area and be used against everyone?

Re:Privacy

[Lunix+Nutcase]

What's illegal about it? What federal or state statute have they violated?

Re:Privacy

[Nom+du+Keyboard]

What's illegal about it? What federal or state statute have they violated?

They have wiretapped your Skype calls for identifying information. Is that enough for you?

Re:Privacy

[znerk]

What's illegal about it? What federal or state statute have they violated?

Wiretapping. Conspiracy to collect information assumed to be private, via technological means.
Robocalling (the Skype phone, duh). Wardialing (same thing).

They've violated a boatload of communications regulations... and the fact that they did it as part of a multi-researcher study means it was premeditated, and they conspired to do it. Conspiracy to commit a misdemeanor is a felony.

The problem here would be that anyone who tries to have them arrested and/or takes them to civil court will be presumed guilty of something, because why else would we care if someone can tie our online activities to our real-world identities?

Re:Privacy

[nfc_Death]

Um collecting and storing personal data without an investigators license.

Re:Privacy

[Lunix+Nutcase]

No they haven't. They've.only figured out the ip address. They aren't tapping the call.

Re:Privacy

[Lunix+Nutcase]

An ip address you.publicly broadcast is personal information?

Re:Privacy

[Lunix+Nutcase]

Since when is your ip address assumed to private when you are publicly broadcasting it all the time?

Re:Privacy

[localman57]

On top of that, it's not even like they're sniffing out packets on a public network. As I understand it, Skype uses YOUR computer to route / connect calls you may not be involved in. It seems to me that if someone sends an IP packet to your PC, you should be able to do anything with it you please. Sending malicious packets to another PC may be another story...

Re:Privacy

[nfc_Death]

Personal information gathered without an investigators license is against the law. Correlation of a skype phone number with an IP address and data mining for that correlation is acting as a private investigator without a license.
Your argument is what? That an IP is semi-public info?
What does that have to do with the price of tea in china?

Re:Privacy

[Jackie_Chan_Fan]

It should be considering it is the path to the machine that holds all of your personal information.

When you get a key duplicated, a key maker can easily sell a copy of that key, and link it to your name. What if your name is Bill Gates? "This key here is for Bill Gate's personal safe, and this one is for his house, perhaps you would like a copy?"

Just because its available, doesnt mean its not private, or doesnt come with some expectation of privacy. I dont expect the key maker to sell a copy of my key to someone who intends to harm me.

Re:Privacy

[znerk]

How many people do you know, other than us slashdotters, that realize they have an IP address when their equipment has a connection to the internet?

How many even know what an IP address is?

Re:Privacy

[Khyber]

"Personal information gathered without an investigators license is against the law."

Only in certain states. There is no Federal ruling on this issue that I am aware of.

Re:Privacy

[rocket+rancher]

Personal information gathered without an investigators license is against the law. Correlation of a skype phone number with an IP address and data mining for that correlation is acting as a private investigator without a license.
Your argument is what? That an IP is semi-public info?
What does that have to do with the price of tea in china?

Dude, don't be an idiot -- look up public domain at your nearest law library before you go trolling again.

Re:Privacy

[rocket+rancher]

So what's this old thing we used to call privacy? Is this even legal for them to be doing? Or will it, like everything else, fall into that gray area and be used against everyone?

You don't put private information on computers that are connected to other computers that you don't control, because the information will not stay private. There is no expectation of privacy on the internet, any more than there is an expectation of privacy in a theater, or at a sporting event, or in a restaurant, or rolling down the street as a passenger on a public bus.

Tell me -- would you conduct confidential business at a restaurant, or store your private records under your seat at the theater, or go over your credit card bills at the ball game? Of course you wouldn't -- it is only fucking common sense, right? Why would the net be any different? Nobody is forcing you to put your private records on a publicly accessible device like an internet-connected computer, so be smart and don't do it voluntarily, either.

Re:Privacy

[nfc_Death]

http://arstechnica.com/tech-policy/news/2008/02/mediasentry-role-in-riaa-lawsuit-comes-under-scrutiny.ars

Idiot huh? Nice response.

Re:Privacy

[Alunral]

And it's thinking like that is what's getting us into this mess. The internet is not something like that anymore, it is a viable resource that should not be controlled like that. Banking, money transfers, private things, creditcard information all happens on the internet. It is not some toy anymore, it is just as much a part of business, and life, as anything else is. Are we not allowed to have privacy on it?

Re:Privacy

It's not the IP that is assumed to be private..... It's being able to make a connection to a specific person in real life, and if you can make a connection then the IP is (or altleast should) considered to be private..

Why should the rules be different when on the phone than when online...

Ie, this would make the police be able to track some of the people that sends anonymous tips.....

Or even better... If an ISP then proxy all requests to sex-webshops.... Start trying to trace every visitor you get on those pages to a skype account, mapping to a real live person from there is usually not very hard...... Try find public figures in the logs... Start a blog and post ... "Congressman X just bought 1x Extra large butplug, 2x Gay monthly" complete with 'proof'..

Maybe then we would start to see a change in how they define privacy and what to allow big companies to do...

Good

[eugene2k]

I for one welcome our new RIAA overlords.

Re:Good

Fuck that.

IPV6. Problem solved.

Give every program and protocol its own IP address.

Packet sniffing

Seeing as how this relies on packet sniffing of an unaware party's network traffic, I'm pretty sure any application of this without a warrant would constitute wiretapping. Correct me if I'm wrong, but that's my understanding of it.

Re:Packet sniffing

[Lunix+Nutcase]

People are actually unaware that they are broadcasting their ip address when on the internet? Really? Especially those using bittorrent that works through broadcasting yourself to the swarm.

Re:Packet sniffing

[mcavic]

Skype uses your computer to carry other people's traffic, and I assume BT is very similar. The question is whether you're entitled to sniff the data that's flowing through your own computer.

In other words, if you stand outside my window, talk on your cell phone, and I hear you, it's not eavesdropping.

That being said, Skype traffic is supposed to be encrypted.

Re:Packet sniffing

[GameboyRMH]

Nope doesn't seem that it requires any kind of interception, just specialized local traffic analysis. It does require that you have accurate personal information in your Skype profile. Good luck finding me from that.

Re:Packet sniffing

Not necessarily being unaware that they are broadcasting it, just unaware that it is being sniffed. Example: satellite TV signals are being broadcast at you all the time, but it's illegal to receive and decrypt them without paying the provider. Example2: You are having a verbal conversation; it is illegal for that to be recorded without either a warrant or consent of at least 1 party (all parties in some states) despite the fact that you are broadcasting your voice for all to hear.

Re:Packet sniffing

That being said, Skype traffic is supposed to be encrypted

I'm replying to you, because you're the best comment I've seen and still, you obviously didn't read the article.

Because Skype uses a proprietary protocol and encrypts the payloads of its messages, packets coming from the called party can't be inspected, the researchers wrote. Instead, they looked at the patterns between a caller and the Skype nodes.

I honestly expected to find some intelligent discussion here, but everyone assumes this research relies on packet sniffing. It doesn't. My place of work doesn't allow Skype exactly because it does stupid stuff like sharing your data all over the internet. Just like BitTorrent.

Re:Packet sniffing

[Bucky24]

The Skype protocol should be easy enough to detect, and all they need to know is that Skype is in use, not the communication data.

Re:Packet sniffing

[znerk]

A packet analyzer (also known as a network analyzer, protocol analyzer or sniffer, or for particular types of networks, an Ethernet sniffer or wireless sniffer) is a computer program or a piece of computer hardware that can intercept and log traffic passing over a digital network or part of a network.

http://en.wikipedia.org/wiki/Packet_analyzer

Sniffing doesn't necessarily require opening the packets. Think of it this way: if you want to know who someone is sending mail to, and who they're receiving mail from, then all you need to do is look at the fronts of the envelopes in their mailbox - sender and receiver address information is there for all to see. You don't actually care what's written inside, you just want to know who they're talking to.

Of course, it's still illegal to tamper with the mail, but if you didn't actually open the mail, then you might just get a slap on the wrist, instead of a few years in the federal penitentiary - assuming it was proven you touched the mail in the first place.

Re:Packet sniffing

[Lunix+Nutcase]

So your complaining that they are doing nothing different than every bittorrent client does?

Re:Packet sniffing

You're obviously not an american.

In america, the wiretapping law only protects cops against being recorded in public places. You have no protection from this as an ordinary citizen.

Re:Packet sniffing

[Khyber]

"Example: satellite TV signals are being broadcast at you all the time, but it's illegal to receive and decrypt them without paying the provider."

Not according the the FCC which made rulings on OTA signals being intercepted. If it hits your property, you're free to intercept.

This is how police scanners are legal.

Re:Packet sniffing

I only use my skype account with my wife while travelling for work, so my avatar is my dick so if you recognize me by my dick you can identify me ;)

Re:Packet sniffing

Nah, they're just sniffing what is happening on their own network interface.

Re:Packet sniffing

[WorBlux]

Look at the next sentence

As data streams flow across the network, the sniffer captures each packet and, if needed, decodes the packet's raw data, showing the values of various fields in the packet, and analyzes its content according to the appropriate RFC or other specifications.

The actually verify the packet is a Skype one you have to pull it apart more that if you were merely going to route it.

Re:Packet sniffing

[znerk]

[To] actually verify the packet is a Skype [packet] you have to pull it apart more [than] if you were merely going to route it.

... unless you happen to know that the destination IP belongs to a Skype service node, in which case all you need to know is where the packet is going - especially since you won't (in theory) be able to decode any information in the packet in the first place. Skype packets are encrypted, making packet disassembly a waste of time that could be used instead to correlate your internet traffic with individual components of a BitTorrent swarm and a known trafficker in Skype communications, without having to (or being able to) spy on what you were actually talking about on that Skype call.

This is an example of a side channel attack.

On the bright side, it's likely to be inadmissible as evidence in court, due to the fact that the information is obtained via methods that will probably be deemed illegal; wiretapping without a warrant is illegal in most jurisdictions. On the not-so-bright side, that's unlikely to deter anyone; it should be easy enough to use the illegal evidence to construct a legal fiction in order to obtain the information in other ways.

Re:Packet sniffing

[znerk]

I know, bad form to reply to my own post, but I neglected to include some information that I felt was important enough to warrant the breach of netiquette.

Firstly, I wish to point out that my original intent was to show you that packet sniffing was indeed used in the attack (or information-gathering methodology, if you prefer).

Second, I would like to explain that it is not necessary to decode or decrypt the information in the packets, themselves, as the intent is to identify an individual, rather than to identify the content they are transmitting or receiving. The correlation is made between an individual BitTorrent user's traffic, and an (assumed to be the same) individual Skype user's traffic. The only information required for that inference is the source and destination of the packets.

That is to say, packet sniffing is involved. As you yourself quoted at me, the second paragraph of the wiki entry indicates (emphasis mine):

As data streams flow across the network, the sniffer captures each packet and, if needed, decodes the packet's raw data, showing the values of various fields in the packet, and analyzes its content according to the appropriate RFC or other specifications.

"Packet sniffing" does not necessarily indicate decryption/decoding. In this particular instance, the main concern is observing that packets are flowing, and sampling the sender and receiver information. The information indicating the packet's source and its destination are the only pertinent data, and are available with no more than a cursory glance at the packet to obtain the routing information. In other words, no more information is required than "if you were merely going to route it".

Being able to correlate the connection between the user and the BitTorrent swarm they are participating in, as well as correlating the user and the Skype node they are connected to, allows the observer (or attacker, depending on your viewpoint) to determine that a particular IP address that is communicating via the BitTorrent protocol is also communicating via the Skype protocol - if nothing else, the assumption that continued communication with IP addresses known to serve Skype and others that are known to serve BitTorrent seems to indicate that the required protocols are being observed.

IP Spoofing can not protect against this, as the communication is necessarily two-way, and without an accurate "return address" on the "envelope", the "package" will never be able to be successfully responded to - that is to say, the user would never receive the requested information because the address to send it to is false.

It is true that I have not read the article, and I am also not a Skype user. I am unaware of exactly how they are obtaining the identifying information from the Skype network.... but the fact remains that the "researchers" are able to obtain identifying information by correlating data from encrypted traffic - or more accurately, from the source and destination of that traffic.

As an aside, I am no longer quite so certain that this methodology will be deemed illegal, as the contents of the "conversation" are not necessarily discovered. Merely the fact of the conversation's existence seems to be enough to (accurately) point a finger.

Skype incoming call...

[Andrewkov]

Ring ring... incoming Skype call, it's the RIAA.

Re:Skype incoming call...

hahahaha!

Re:Skype incoming call...

[mcavic]

That's why I don't use Bit Torrent.

Re:Skype incoming call...

AND the reason why I quit using Skype.

Re:Skype incoming call...

[interval1066]

Skype alone isn't worth the time developers seem to be spending on it, so I avoid it where possible. The quality is so bad, I can't understand anything the other party is saying. I'm not dropping my torrent streams though.

Re:Skype incoming call...

[mcavic]

Skype is very good for me, as long as the network is reliable on both ends. Having the firewall port open on both ends (uPnp should do it) is helpful too.

Re:Skype incoming call...

[Jackie_Chan_Fan]

What? Skype has incredible audio quality.

Re:Skype incoming call...

[Gyorg_Lavode]

Skype quality is extremely dependent on hardware and room acoustics. If we can compress, stream, and decode MP3s in real time, the technology is likely not the problem. Instead, I think people simply are unwilling to pay real money for a simple microphone. However, a lot of nicer webcams seem to come with very nice Mics.

Re:Skype incoming call...

[znerk]

Depends on your internet speed and what else is making traffic in your vicinity. I've had Skype calls so bad that I literally could not understand what information the caller was attempting to convey.

Re:Skype incoming call...

[Khyber]

If you have bad quality on Skype, it's time to upgrade your box, or reinstall your OS.

I've had pretty much zero issues unless I'm on some bad wireless network.

Re:Skype incoming call...

[fluffy99]

Skype quality is extremely dependent on hardware and room acoustics. If we can compress, stream, and decode MP3s in real time, the technology is likely not the problem. Instead, I think people simply are unwilling to pay real money for a simple microphone. However, a lot of nicer webcams seem to come with very nice Mics.

Except we can buffer the MP3 stream to smooth out latency, jitter, packets arriving out of order, and retransmit dropped packets if need be. You can't do that with Voice over IP, as adding more than about 1/2-second.2 seconds latency is very noticeable.

http://www.voip-news.com/faq/voip-service-level-faq/

Re:Skype incoming call...

[interval1066]

Nope, I have a state of the art rig with an i7 quad core processor and plenty o ram + 1.5Mbs bandwidth connection. Its not me, its the protocol. Unless everyone I talk to has a shitty setup like your describing.

Re:Skype incoming call...

A collect call no less...

Re:Skype incoming call...

I almost died laughing.

Re:Skype incoming call...

[Khyber]

2.6 GHz AMD Athlon64 X2 5200+, 1.5 GB RAM, 30 mbit down 5 mbit up cable. I only tend to have issues when using wireless networking.

You don't mention your OS.

Re:Skype incoming call...

[interval1066]

On that rig its windows 7.

Re:Skype incoming call...

[Khyber]

I've got Windows 7 Home Premium 64-bit. No issues.

Video is fine.

OTOH, G+ hangouts work better, and you get up to 10 people for free in a video conference.

dump skype?

Another great reason to dump skype? Skype in a sence not bad from prespective of security, but, there are other reasons.

Eitherway, bit torrent is not so good with privacy either... People need to shift to decentralised distributing systems. I have no idea what i just said, but it sounded pretty cool!

Re:dump skype?

[ToiletBomber]

People need to shift to decentralised distributing systems.

That's precisely what Bittorrent is...

Re:dump skype?

[icebraining]

Decentralizing doesn't really help, since it doesn't change the fact that Bittorrent works by advertising the IPs of the nodes and the torrents they're downloading/seeding.

What you'd need is something like onion routing, where it's hard to know who you're sharing with, even with centralized trackers.

Luckily, that exists in the form of Bittorrent over I2P.

Re:dump skype?

[GameboyRMH]

I've looked at BT over I2P. It's completely incompatible with regular Bittorrent. It's a great idea but there just aren't enough users on there to make it a replacement for regular Bittorrent.

Re:dump skype?

[WorBlux]

Except that all of a sudden each user needs to upload at least 3x what they download to make the system work instead of at least one times. And its still susceptible to timing attacks and supernodes.

This years hottest horror movie

[Jumperalex]

ring ring ring
"Hello." ... ... ...
"Hello? Is there anyone there?" ... ... ...
"We know what you downloaded last summer!!!"

Re:This years hottest horror movie

[ackthpt]

ring ring ring
"Hello." ... ... ...
"Hello? Is there anyone there?" ... ... ...
"We know what you downloaded last summer!!!"

"Um. My house was burgled who curiously didn't break a window, lock or leave fingerprints anywhere. Prove me wrong!"

Re:This years hottest horror movie

[mcavic]

Don't forget the sequel: We still know what you downloaded 3 years ago.

Re:This years hottest horror movie

"Um. My house was burgled who curiously didn't break a window, lock or leave fingerprints anywhere. Prove me wrong!"

Are you saying they're guilty of falsely accusing you? I think they're innocent unless proven otherwise. You're going to jail, buddy.

Re:This years hottest horror movie

[Jumperalex]

"We have a recording of your voice eminating from your Skype call at the IP assigned to your modem ... muwahahahahaha"

Re:This years hottest horror movie

That was my voicemail message...and it came from inside my house!

Re:This years hottest horror movie

do you know where i am... i'm in the house!

can't tell if you're serious

[Chirs]

If the researchers can do it, the bad guys may already be doing it.

Re:can't tell if you're serious

[ackthpt]

If the researchers can do it, the bad guys may already be doing it.

If you mean RIAA or MPAA, they usually don't bother with this level of stuff, they just kick down your door, grab your stuff and up-end their Bucket o' Lawyers on your.

Re:can't tell if you're serious

[ArhcAngel]

I don't think the sale of Skype is finalized yet but you can be sure as soon as it is this will be an invaluable tool of the Empire to combat piracy.

This is not research.

[spicyed]

All it is is data mining packets from skype nodes and comparing them to open torrent peer lists. This is not really surprising or scary to me. There are other 'researchers' who can link alot more data to you then this.

Re:This is not research.

The devil is in the details. In the full paper they talk about things like how to track a user even if they have specifically blocked you, etc. This work points out interesting, previously unknown privacy flaws in a widely used system. It's much scarier than what is portrayed in the summary.

Re:This is not research.

[ackthpt]

All it is is data mining packets from skype nodes and comparing them to open torrent peer lists. This is not really surprising or scary to me. There are other 'researchers' who can link alot more data to you then this.

All the better reason to lock down your wireless network.

Re:This is not research.

Or open it wide open.

Re:This is not research.

[znerk]

All it is is data mining packets from skype nodes and comparing them to open torrent peer lists. This is not really surprising or scary to me. There are other 'researchers' who can link alot more data to you then this.

All the better reason to lock down your wireless network.

... to make absolutely certain that the traffic they're sniffing couldn't possibly come from an outside agent?

Way to paint a target on your forehead.

Re:This is not research.

[fluffy99]

All it is is data mining packets from skype nodes and comparing them to open torrent peer lists. This is not really surprising or scary to me. There are other 'researchers' who can link alot more data to you then this.

All the better reason to lock down your wireless network.

I have mine unlocked thank you. I have a Netopia Wireless router which advertises two SSIDs. One is wide open for visitors and only has access to the internet. The other SSID can access both my internal network and the internet. This avoids my daughters friends having to ask what the password is every time they visit, and gives me some plausible deniability if I ever get questioned.

TOR

good thing I am running a tor exit node on my PC

Re:TOR

[lennier1]

At least until the authorities come knocking because someone was downloading child pornography through the exit node you're running.

"Identity Thieves"

But that implies the identity is stolen, when in fact it's copied. If I copy yours you have it too, one for me and one for you. What's wrong with copying? Let's embrace it.

Re:"Identity Thieves"

[MobileTatsu-NJG]

In the situation you described, measurable damage is actually caused.

You get a D-. Go study chapters 3 and 4 again.

Re:"Identity Thieves"

"Thief" is still the incorrect terminology, whatever "measurable damage" notwithstanding

Re:"Identity Thieves"

[MobileTatsu-NJG]

Oh yeah? Tell us more about that.

Re:"Identity Thieves"

Actually no damage has occurred here what so ever... It's only when someone abuses the copied version that damage is done..

Re:"Identity Thieves"

[MobileTatsu-NJG]

When is the term 'Identity Theft' used before any damage is done?

Re:"Identity Thieves"

[OeLeWaPpErKe]

Oh no the "victimless crime" thing applies to a lot of very not-ok crimes too :

credit card "theft" : usually involves duplicating credit cards, often by very impressive hacking feats
identity "theft": usually refers to stealing identification codes of other's credit cards online
breaking in your email, getting your passwords, exposing strange users at online fora ...

All of these crimes are "victimless". And if you ask hackers, all of the above should be perfectly legal, after all, you're pretty much bound to commit such crimes if you successfully break someone's security. They merely give the attacker the option of doing some damage ... just like piracy.

Re:"Identity Thieves"

[MobileTatsu-NJG]

If i ever get the chance, I will ask a hacker that. I've never heard 'victimless crime' when talking about Identity Theft. Learn something new every day.

Encryption?

[Hadlock]

Are there any BT clients out there that don't encrypt their packets these days?

Re:Encryption?

[Lunix+Nutcase]

You are still broadcasting your ip even when using encryption. How else do you think you create connections to others in the swarm?

Re:Encryption?

What about using TOR? Does that anonymize your IP address?

Re:Encryption?

I don't know what you're talking about. My computer seeks out shady middlemen over dark fiber to ensure that all communications remain discreet.

Re:Encryption?

[Hadlock]

Well if all they're doing is matching up IP addresses between two databases, what does it matter what protocol they're using? For that matter, why is this even newsworthy? The encrypted payload, and how they're tracking encrypted BT (or perhaps, more imporantly how they know the encrypted packet is a BT packet) packets without violating the DMCA is what I'm curious about.

Re:Encryption?

[GameboyRMH]

Most are set not to force encryption by default. That said I've forced outgoing encryption on my seedbox and the uplink stays pegged all day. I've been thinking of forcing incoming encryption to see how it goes, pretty much all BT clients do support encryption.

Re:Encryption?

[GameboyRMH]

True, encryption defeats wiretapping, but not swarm monitoring.

Re:Encryption?

[Lunix+Nutcase]

How is crawling a bittorrent swarm violating the dmca? You do realize that your IP address is publicly broadcasted, right?

Re:Encryption?

[GameboyRMH]

Yes but you shouldn't run BT over Tor. It will be slow as shit for you and you'll be hogging the network. I encourage Tor node operators to block bittorrent over Tor (in fact I think it's blocked by default in recent releases).

Re:Encryption?

you realize that wile ip is broadcasted, type of traffic is not? For all I care, it could be skype multi speaker session!

CLEARLY authoritative

Because NAT and UPNP wouldn't make a random Skype user and a different BitTorrent user appear to be coming from the same IP address..

Re:CLEARLY authoritative

[vux984]

If the IP traces back to a verizon dsl modem, then its authoritative enough to know its either you or your mom. Just because there is some edge case out there doesn't change the fact that this CAN be used to sniff users out with high reliability a large percentage of the time.

Re:CLEARLY authoritative

[Technician]

For us poor linux users with poor Skype performance and and such, I've used SIP instead. Just recently the SIP provider IPPI.fr has added a skype gateway that appears to work great.

I rarely use Bit Torrent as FTP is much faster for legal files, even if I was talking to someone on Skype while using BT, It would not show a connection. The Skype connection would be an IP in France.

I use SIP instead of Skype. i can connect it to a telephone with an old Vontage adapter or a Linksys PAP2T. With IPKall, I have unlimited free incoming minutes. Like Skype, SIP to SIP calls are free worldwide. With IPPI, I also get a free INUM number for incoming international calls. Most SIP accounts can call a INUM for free. The speed dialer included allows me to enter Skype numbers so they can be speed dialed with just the phone. No computer needed.

New: ippi lets you call Skype users for free!

If you follow ippi on Twitter and Facebook, you already know since late July that ippi can make calls to Skype users for free! Even better, ippi also allows Skype users free calls to users ippi !

Directions:

- To call from ippi to Skype, dial skype_id@skype.ippi.com and start the call

- To call from Skype to ippi, dial skype2ippi (add this contact for ease), then, when you get a chat message, send as a chat message the ippi login you wish to call (or ippi number)

For more information, our support is at your disposal.

Re:CLEARLY authoritative

You would be amazed how many of my parent's neighbors use their wireless.

Re:CLEARLY authoritative

or a guest at your home, or a neighbor using your unsecured wireless signal.

Only in America does an IP address equal a person.

Re:CLEARLY authoritative

Read the article! They specify a technique where by calling you and Skype and connecting to you on BitTorrent they verify that the two users are one and the same, despite a NAT.

Re:CLEARLY authoritative

[znerk]

Because NAT and UPNP wouldn't make a random Skype user and a different BitTorrent user appear to be coming from the same IP address..

No, it wouldn't. "Random" implies that they wouldn't necessarily know each other, whereas "same ip" implies they have knowledge of one another, since they are operating from the same physical network address.

Re:CLEARLY authoritative

Because nobody has EVER gone on an open or WEP secured WiFi network without authorization before...

/MDWM

Re:CLEARLY authoritative

[vux984]

or a guest at your home

And if that torrent is up for 3 months? At what point does guest become "resident"?

or a neighbor using your unsecured wireless signal.

My wireless is not unsecured.

Only in America does an IP address equal a person.

Nobody said it equalled a person. But it gets you close enough to a person often enough that you can't shove your head in your ass and pretend that your safe or immune from being looked at.

If someone is shot with a gun registered to you, that doesn't prove you pulled the trigger ... maybe it was your house guest... or your neighbor borrowed it because you left the back porch door unlocked... so what? You can bet your ass they are going to take a good hard look at you anyway.

Re:CLEARLY authoritative

It's coming from inside the LAN

but...

  THEN WHO WAS PIRATE???

Re:CLEARLY authoritative

Bear in mind that your 'edge cases' include users of most UK ISP's, anyone at an internet cafe, and anyone in a halls of residence, for example. When you consider the weight of BT traffic from the latter group, those edge cases will basically make this kind of discovery useless.

That won't stop moneyed interests from pursuing innocent people in court, sadly.

And Why Are We Happy About This?

[Nom+du+Keyboard]

And why are we happy that researchers seem to think that the more that they can do to strip away privacy as actually a Good Thing? Why not instead work out systems to make our computers more resistant to virus/trojan/rootkit infections. THAT would actually benefit the majority of us overall.

Re:And Why Are We Happy About This?

Security/privacy research involves finding holes as well as hardening systems because if you never find any holes in your security, then you have no reason to think your system is insecure. Once an attack like this one has been found, then a security system has to avoid this attack in order to be considered secure.

Re:And Why Are We Happy About This?

[znerk]

The problem, despite my other posts in this thread, is not privacy. It's a lack of sane legislation.

Copyright has become a joke, completely unenforceable for nearly any digital content. It has become more and more illegal to do things that would have been considered "fair use" just a few years ago. Adding to this is the fact that digital media can't be "loaned to a friend", which increases the feeling of being treated like a criminal, which causes the users to be less and less inclined to actually follow the rules in the first place.

It's an arms race, and the world already had one of these. It was called the Cold War, and it nearly resulted in world-wide destruction. Unfortunately, humanity doesn't seem to have learned that escalating both sides of a conflict leads only to violence.

What we need is a new media distribution system that has the consumers' rights built into the relationship between the consumer and the content producer. I don't have any idea what that system might be, but almost anything would be better than the system we have now, where pirating digital media results in a superior quality product (less intrusion to the content itself, with quality not far below the physical media in most cases).

Re:And Why Are We Happy About This?

[Rhacman]

Are you arguing that we'd have more privacy if we ignored the vunerability than if the researchers had published it? Are you advocating privacy through obscurity... on Slashdot of all places?

Moral of the story...

[Lumpy]

Dont use Skype.

Re:Moral of the story...

And use... what?

Re:Moral of the story...

[HellYeahAutomaton]

SIP.
IAX.
XMPP

Re:Moral of the story...

Thanks (though people use apps not protocols...)

Re:Moral of the story...

[i_b_don]

I think this is the real issue here. It all has to be coming from problems with skype's security and nothing else. Skype should take this as a huge warning and encrypt their packet information NOW. I don't care what this is used for, people sniffing packets and being able to tell who someone is on a program like skype that is often left on 24/7 is a huge security risk for the person involved! This should NOT be happening and it's all skype's fault.

You guys are getting to hung up on the bit torrent aspect of this and should realize that it's really a major skype fuck up.

d

Re:Moral of the story...

So I'm not using the HyperText Transfer Protocol on a Transmission Control Protocol connection on a Internet Protocol network?

Thanks for clearing that up...

Re:Moral of the story...

It has to be possible to find a Skype user's IP address... otherwise your computer couldn't connect to theirs to make a call. Stop calling it a "major fuck up" until you can actually think of a realistic solution.

Re:Moral of the story...

[Lumpy]

A telephone, cellphone, smoke signals, there are a lot more communication modes other than skype.

From TFA

[Dunbal]

to determine the current IP address of identified and targeted Skype user (if the user is currently active)

Moral of the story - make sure you are logged off from Skype before file sharing.

Re:From TFA

[misterooga]

But what other apps, besides Skype, can be used for this type of tracking? I don't use BT or Skype but I'd like to know if there are any ways to prevent this, besides not using XXX or YYY. (at least at the same time.)

Re:From TFA

Close skype and change IP before use torrents... ;-)

Re:From TFA

[znerk]

If I am understanding the method properly, then anything that generates traffic can be used to correlate data, indicating that the BT user is also a user of (insert internet-using software here). Skype happens to be useful as an immediate indication of the identity of the user.

The question might then become, "What (legitimate) internet software might I be running, to cast doubt on whether I was using BT to acquire digital content illegally?"

For example, World of Warcraft uses BitTorrent to distribute patches, and can be configured to do so while you are logged in and playing. With the addition of the "Free to Play" aspect, your BitTorrent traffic might fly under the radar. I'm sure there are other pieces of software that can allow you to show good reason why your computer might have been servicing BitTorrent traffic...

Part of the problem, here, is that BitTorrent is coming under indirect attack by the media industry... most people will assume that "torrenting" is synonymous with "pirating".

Re:From TFA

[znerk]

to determine the current IP address of identified and targeted Skype user (if the user is currently active)

Moral of the story - make sure you are logged off from Skype before file sharing.

... because there's no way they can acquire the Skype identification at "random time A", and then correlate that with the BitTorrent traffic at "random time B"...

Re:From TFA

Wrong, Skype will also provide the last used IP address, as long as it has been used in the past 72 hours.

Re:Warning!

Fortunately I reconfigured my computer so that it doesn't broadcast an IP addr

[NO CARRIER]

Re:First

[taoareyou]

Fail.

But when they traced the call...

Relevant XKCD comic.

Interesting but doesn't necessarily mean anything

[FyberOptic]

But let's not confuse an IP address as being a person. Just because a Skype user is behind an IP doesn't mean the torrent user is the same person. Fortunately (and unfortunately for the media industry) the law, in America at least, is gradually beginning to make that distinction.

The bar is low with this one

[Hentes]

So collecting IP addresses now qualifies as research? Will I become a security researcher if I post the IPs of my peers?

Re:The bar is low with this one

It's not really low, because it also involved illegal wiretapping. That makes it innovative.

get a new IP address

[KWTm]

"""Moral of the story - make sure you are logged off from Skype before file sharing."""

... because there's no way they can acquire the Skype identification at "random time A", and then correlate that with the BitTorrent traffic at "random time B"...

Right, at least for those users whose ISP gives them a dynamically reassigned IP address. Log off Skype, disconnect from the Internet and then reconnect, hopefully getting a new IP address (I remember one Slashdot user who kept getting reassigned the same "random" address), and then your IP addresses won't be correlatable.

I pity the guy who ends up with your recycled IP address, though.

Re:get a new IP address

[Dunbal]

I pity the guy who ends up with your recycled IP address, though.

Better yet, live in a country that recognizes that IP addresses do not correlate to specific people.

mmmmm

[Chuby007]

/me slowly closes skype... -.-

hmm

[koan]

Guess who owns Skype, M$.

I smell something funny.

How that song go!!!

Wasn't ME,,

Well DOH !!!!

[microphage]

"Researchers have figured out a way to link online Skype users to their activity on peer-to-peer networks like BitTorrent. The team was able to sift out the nodes through which Skype calls are routed and determine the user's real IP address by sniffing the packets.

Unethical research

There is no valid and ethical use for this technology. As such, these people need to be kicked out of the industry (if not fined / imprisoned) for unethical research, much like a biologist doing genetic experiments on humans would be.

This is not facts you're citing

I call FUD on this.

The author neglects documented research, counters with his beliefs and emotions and then attempts to create fear and uncertainty and doubt in the reader.

Hat on a hat...

[Tyr07]

It's just two NAT's? I know.. Genius right? That way, so while I'm using NAT, if I want to use NAT, I can!