New Wave Of File-Sharing Embraces Secrecy

twin-cam writes "There's an article over at The Inquirer that software developers are designing secret file sharing networks that will make it harder for the music and file industry to prove cases of piracy. According to Reuters, three file sharing networks are being planned which its users think will make it a lot harder for music industry to track and charge people on their networks. The first is Optisoft which runs on Blubster and Piolet, music-only file-sharing networks. Only a matter of time before the RIAA requests a data dump from the ISPs or just sues everyone using their network."

Good.

[mfos.org]

This was only a matter of time, and really the RIAA's heavy handed tactics, and the goverenments complacency with them have forced developers to take matters into their own hands. Now they're really screwed.

It's pretty easy to design a network that will at least frustrate attempts to recover identities of sharers. Now if only freenet would stop sucking.

Data dump?

[Anonymous Coward]

They better start building one heck of a computer cluster if they want to break the encryption. If anything, the RIAA/MPAA will give up the fight, and turn their efforts to getting Congress to pass some sort of tax on media, media players, your computer, your stereo, your car, your dog, your dinner, and anything else which could possibly be related to music or movies.

DMCA to the rescue! Yes, that's right....

[i_want_you_to_throw_]

Here's something to think about, the DMCA isn't just for big mega corporations. Put together a private peer-to-peer network using some kind of encryption and use a trusted invitation method (like maybe Orkut) to invite people.

Protect your network communications under provisions of the DMCA. Obviously if the DMCA knows what you're trading then THEY are violating the DMCA because the only way they would know is if they somehow got on and broke encryption.

Someone more technically more adept should be able to figure out how to pull this off but there HAS to be a way to establish a peer to peer network (which is still legal) and protect it via the DMCA.

WASTE

[tokachu(k)]

I've heard of this program a couple of years ago. That, and there will always be the file-trading madness at nearly every LAN party. If the recording industry sees this as breaking news, no wonder they're losing the battle -- they're about 5 years behind the rest of the modern world.

More new music is freely downloadable than cd-only

[phr1]

Slashdot mentioned a few days ago [slashdot.org] that mp3.com held 1.7 million songs at the time Vivendi took it down. I also read recently elsewhere that there are around 30,000 CD's released in the US every year. At ten songs (average) per CD, that's 300,000 songs/year released on CD.

I don't know how long the original mp3.com was around, but it was probably less than 5 years, and it probably put up mp3's at a faster rate near the end than near the beginning. But even at a uniform rate over the whole 5 years, it sounds like one web site was distributing more songs per year all by itself, than the entire CD industry released put together (1.7 million songs / 5 years = 340,000 songs/year). Add to that the number of musicians who distribute their stuff through their own sites, and it's clear there's a heck of a lot more music being released as gratis downloads than as proprietary CD's.

Some people blame diminishing CD sales on unauthorized CD copying; others blame it on technological obsolescence (people buy DVD's instead of CD's now); still others say it's because poor artistic decisions by record labels result in releasing uninteresting music that people don't want to buy. I haven't yet seen a connection made with authorized, freely downloadable music, that people can listen to instead of buying proprietary CD's, just like they can run GNU/Linux instead of buying Windows, Apache instead of IIS, etc. Sure, a lot of mp3.com downloads are crap, but lots of commercial CD's are crap too.

Anyway, it seems to me that most of the music even on these "secret" all-music p2p networks is likely to be freely downloadable.

(Note: this post mostly rehashes an earlier comment of mine from that other thread, but the statistic is interesting enough that I felt it was worth posting again).

Social Networks

[bendelo]

I think the best way to keep the RIAA out would be to have filesharing networks based upon social networks (like orkut [orkut.com]). You trade with your 'trusted' friends and their 'trusted' friends. You could set how many hops you were willing to spread.

Hell, the new p2p app ...

[torpor]

... as far as I'm concerned, is the "VPN Name Resolution" service.

openswan and an IP address somewhere is all thats needed to 'bury a filesharing service'. It doesn't even have to be p2p ... I know of a fair few VPN's that are maintained with quite steady uptimes, all using plain ol' FTP as the internal-xfer-service of choice...

Its interesting that its come to this. Whats next - routers which won't route unless they know the protocols being encapsulated in the tund'd packets they're peer-transferring for? Sheesh, as if that will ever happen ...

(If anyone knows of some good VPN's, please share! heh heh...)

Re:Hell, the new p2p app ...

[BuckaBooBob]

Actually... Next gen P2P network could use unsecured unpatched windows boxen to hide whos shareing and doing what... That would cause alot of heat on redmond to secure their OS.. past and present :)

An Easy Solution

[hacker]

I proposed this solution about 4 years ago to one of the gnome-vfs guys at a Helixcode party in San Francisco "back in the day".

Basically you have a section of your local storage that is specifically set aside for this purpose, say a 5gb slice of your partition. This storage area is strongly encrypted with hashes that only you know (Blowfish, AES, whatever), via your own passphrase or private key.

When you send a file "to the network", that file is split into blocks, and encrypted with your public key, and those blocks are dispersed to everyone else on the network, in that encrypted fashion, and the "map" to reassemble them is dispersed likewise.

Every node with block #1, has a map which tells them how to get block #2, but not block #3. System with block #2 (which knows that block as block #1 to itself), knows how to get block #3, and so on. Sort of like the "Triad" mob system in Japan.

Your system requests a file, which is dispersed as a series of encrypted blocks, across hundreds, thousands, millions of other systems, and those blocks are reassembled, using those systems to find "The Next Block", and send it to you. You could also arrange it so that each "node" could know about the next 5 or 10 or 20 blocks, etc.

It is sort of a mesh between PKI + BitTorrent (which didn't exist when I came up with the idea), and the methodologies of common peer-to-peer networks.

You could further strenghthen the network by only accepting blocks from nodes you "trust" (via your own public keyring). Facilities to "swap blocks" across systems on a regular (or irregular) schedule, to keep the network "self-healing" would also be a good idea.. or keeping duplicate blocks in different parts of the "storage slice" for redundancy, etc. Storage is cheap.

In the end, this means that nobody can be accused of having "the full file", nor can anyone figure out what is in those encrypted blocks. Even if they had 1 block, there is no way to get all of them, or to accuse someone of distributing the material, since it would be moved around at irregular intervals.

What do you think?

Suggestion for anonymous sharing...

[evilviper]

You could have an anonymous P2P app that has network performance that is nearly as good as current networks, like Gnutella/Kazaa...

All you have to do is allow the source of a file transfer it to the client without the client knowing the source's IP address. To do this, you simply have the server sending files with UDP and a spoofed source IP address. Since few networks have any egress filtering, this should not pose a problem.

Now, the client has to be able to tell the server to send packets faster/slower, and which packets didn't get through. Well, first you must have a huge window size (TCP term, but applicable) so that the server will send a massive ammount of packets before the client has to send back any responses...

When the client does eventually have to send a few packets to the server, it does so by broadcasting them to all-nodes (just as searches are handled). So, everybody gets them, and everybody but the server involved can just ignore them.

I left out some details, like all servers generating a random 32bit Unique ID every hour or so, and sending it instead of their IP address with search results.

Now, that's only the anti-RIAA anonymity. It'll make things 99% more anonymous, but any foe with the ability to monitor the network will be able to see what is happening. To combat that, you could just have search queries include the client's public key. The results can include the server's public key (encrypted with the client's public key) in addition to the search results... That would keep you completely anonymous, even from resourceful snoopers that can eavesdrop on your own network.

The best thing about this is the speed compared to other anonymous networks. No longer would it take an hour to download a small MP3, because you don't need any intermediary nodes (except for small-message-passing), direct from source to destination, at full-speed.

Re:A Bad Thing

[curator_thew]

These guys just f**k up the internet for the rest of us.

What will happen is that the entertainment industry will leverage its weight to justify the broadcast flag and banning of "unauthorised" encryption for this reason, effectively painting any "encryption user" as being suspicious and illegitimate, and exerting greater control and oversight over legitimate users - leading to all sorts of privacy and data protection issues.

Isn't it about time that we all stopped stealing content from poor business models and started supporting content from newer business models?

Support the creation of a new and better world, not the plundering of an old and broken one.

They effectively already did this - in Canada

[ozborn]

In Canada you pay a tax on blank media, the assumption being you are going to use it to break somebody's copyright. They didn't even have to open a phonebook, a few well priced lobbyists (lawyers probably) managed to get them their own source of tax revenue.
I don't blame lawyers per say, but I do think that if political parties take coporate cash (Liberals in this case) you can expect that they are going to return the favor to their benefactors.

Re:Good.

[Darkman, Walkin Dude]

Sorry, I can't let this slide - its nowhere near the equivalent of asking for one segment of an orange. Its more like asking for the one or two segments that aren't rotten or sour to the taste. And yes, if I want it without peel, then that is what I will pay for.

Because in a capitalistic society, demand drives production, not the other way around. The only situation where this is not true is where a monopoly controls the market, a situation which is -rightly- illegal. How it perserveres in the States is a testament to the rules by which financial aid can be supplied to political candidates, and the overwhelming control of the media by the suppliers.

Ah the whole point is moot anyway, the RIAA and their ilk are going head to head with human nature... If I can get it for free, I will not pay for it. Not neccessarily my personal perspective, but really the only logical choice for most people.

Corporations outsource workers to save money. The average person saves money by not buying songs. The right, wrong, and long term consequences of these decisions matters not a whit to the decision makers.

Re:Good.

[Anonymous Coward]

CD singles are rarely single songs, and usually cost almost the same as the full album.

Wrong direction for p2p

[Diclophis]

Instead of trying to go farther 'underground' why not add facilities to p2p networks for content verification and authenticity.

By this I mean, if your looking for a old Micky Mouse (copyright symbol) cartoon, you go into the Disney (copyright symbol) 'channel', search through their offereings and download what you want... except since you are 100% positive what your downloading is what it says it is... you are willing to pay a small fee (how about $1 dollar a download, size independent... or some sort of subscription service... I pay Disney Inc. directly to be able to download their verified and authenticated content).

This would elminate 'piracy' on the 'overground' network because why would you need to go 'underground' if you allready have access to all the content you wanted through a minimal monthly (or per download) basis (instead of cable telvision... we pay the content creators directly for their shows). This will greatly help artists... because they will be able to market and sell directly to the 'listener' (or viewer)... and bypass the recording industries web of middlemen.

Now ofcourse the underground will still exists, but there will be no point going there... unless your looking for illegal (not pirated) content like child porn (and other nasty stuff). The bandwith costs of being a content producer are augmented through some sort of bittorrent like swarm download... where you are downloading parts of your content from other people who have also downloaded it. This will open up a whole new way to access media, eg. what if instead of going to the shitty theater (and paying a shitty price for shitty sugar water and burnt corn) you can wait until the release day... download a HD stream of that movie directly to your home theater. And since you have 24/7 access to all the content you want (and the downloads are fast because everyone has broadband or better (idlealy fiber)) there is no point of 'hordeing' all the content on your 400gig drive.

Computers slim back down in terms of hardware, and start to act more like what they should act like (for a typical consumer) vcrs. You turn on your fluxbox (I would like to call the system the 'flux') and on your screen is a list of stuff to watch, read, or listen to... and all you pay is a minimal monthly fee... (less than $50, and or pay per download)

Re:So the RIAA will just go ahead and sue everyone

[mysidia]

1. Subpoena all ISPs in the world for the contact information about _all_ internet customers in the world
2. Cross-reference every customer to the proprietary database which is linked to the customer purchase histories provided by all the "authorized" merchants of the (non-Used/secondhand) products.
3. Use the statistics to compute the average number of CD purchases per month by all users of the internet.
4. Artificially inflate said average as needed to maximize profitability of all members and as possible without arousing too much suspicion.
5. Send a bill for "music download" tax to every internet user whose $$$ in CD purchases happened to be below the average
6. Send hundreds of lawyers at anyone who fails to pay
7. Profit?

A P2P moderation system?

[Graftweed]

More privacy can only be a good thing and I'm not about to launch into a rant about freedom vs. safety, but let's just look at some of the more ugly tactics people can use to subvert a P2P system.

So anyone looking into stopping sharing of illegal material can't launch lawsuits anymore because they don't know the identities of the users. Fine, but they (or anyone malicious enough) can still flood the network with garbage and create so much noise that it will drive people away.

So how about a P2P moderation system similar to the /. one? Has anyone implemented anything like this? I don't know if it could be used alongside any privacy measures the designers implemented, but with enough work and balancing couldn't this be feasible? Imagine browsing limewire at a high threshold /. style and weeding out all those porn movies in disguise, incomplete files and mp3's with artifacts in them. There could be different ratings based on the node and the individual files and while the system could be abused I'm sure enough thought going behind it could make it fairly balanced and useful.

Just a though, slightly off-topic.

Monopoly? Not.

[Saeed al-Sahaf]

You're ignoring the virtual monopoly that exists for music nowadays.

People toss the term "monopoly" around quite inaccurately, I think. I mean, of course record companies have a "virtual monopoly" on making records. But canned air makers have a "virtual monopoly" on canned air. Super glue makers have a "virtual monopoly" on super glue. So what?

Indie musicians release their music outside the traditional channels, and if you would like to make your own canned air, if you have the resources, no one is stopping you. But, if you want a piece of music (product) managed, owned, controlled by some major label, you have to give them what they want for it. It's their product; they manage it, own or manage the rights to it. They don't have to give it to you at all, if they don't want to.

If you buy a car off the lot, you don't tell the dealership what they are going to sell it to you for, they tell you. And, if you buy that car and start producing exact copies in your garage and distributing these copies, my guess is you will get a visit from a lawyer.

Re:Good.

[PseudononymousCoward]

Because in a capitalistic society, demand drives production, not the other way around. The only situation where this is not true is where a monopoly controls the market, a situation which is -rightly- illegal.

Repeat after me:
monopolies are NOT illegal
monopolies are NOT illegal
monopolies are NOT illegal

Look around you: how many companies do you want putting sewer pipes into your house? Or gas lines? Or providing police or justice systems? Or running phone lines to your house? Should we abolish all copyrights & patents? Ask Pfizer to continue to spend 8 BILLION dollars a year on R&D knowing that their discoveries will be immediately copied by others?

The /. crowd is badly in need of some basic economic education--which, per chance, is my occupation.

Monopolies are not always and everywhere bad. The power to set prices is not always and everywhere bad. The monopoly power granted patent and copyright holders exists to incentivize continued creation. Are there abuses? Sure. Do some/many of the items that can be patented/copyrighted seem dubious? I think so. But that doesn't call for the abolition of copyrights & patents, it calls for the reform of the system.

Monopolies are bad where a firm creates barriers to entry and then exploits those barriers to artificially support the price and reduce consumption. In the case of music, those barriers exist to incentivize continued production.

The natural /. retort here is to point out how much money the record companies make by exploiting those poor artists, who all die broke because they never saw one cent of their revenues, which instead enriched the stupid record company execs and their minions at the RIAA.

If any of you ./ers believe that, then I have a suggestion for you: start a record company. Really. Do it. Tell the artists that you will pay them fairly, however you define it, and then turn around and sell DRM-free mp3/ogg format via PayPal. Then, get back to us all on how many artists that you sign (which you are neither a member of, related to, nor live in your neighborhood) and how much money you make them. Because there MUST be a business model here, right? Otherwise people would just stop talking about it.

Re:A few issues...

[evilviper]

The second thing this network doesn't provide is any incentive whatsoever to share files or bandwidth. Networks that rely solely on the honor system doesn't get much (one of many reasons Freenet is slow).

Forget Freenet. Both Kazaa and Gnutella work on this priciple, and they are going strong. Bittorrent just isn't a system that can be applied to real file-sharing networks.

Third, it's trivial to disrobe which server is sending you what. Instead of sending "to all nodes like searches", a hostile client would try them in order.

Not as trivial as you think. You are connected to 4 nodes, and the 4 servers you are connected to are connected to 4 nodes, and they are in-turn connected to 4 nodes, etc.

So, you might be able to narrow it down to 1/4, but what good would it do you to know that? That's still just the address of a node that might be directly or indirectly connected to the server. You can't get that node to tell you what nodes are connected to it, and if you could, you couldn't get that node to only broadcast your packets to one of the connected nodes at a time, in sequence.

I flood the network with UDP packets telling them to all hit one server.

How do you tell UDP packets to hit a server? Or more specifically, what is it that you can do over this network, that you couldn't with plain old IP?

That server has no way to tell them he doesn't want those packets, since he doesn't know the network.

Who is this network and server you speak of? I really can't sort out what you are trying to say here.

Re:An Easy Solution

[Anonymous Coward]

It's also vulnerable to carpflooding and file spoofing.

Unless of course there is some way to mark "useless" files.

Add "Good" and "Garbage" buttons to the download windows. The results of pressing this button is stored with the metadata for the file, and is visible when someone is looking for files. Once someone downloads the whole file they can press the good/garbage button as needed to add thier rating to the file.

As the network nears 100% capacity the files with the lowest good/garbage ratios are deleted to make room for incoming material.

Of course the RIAA/MPAA and such could create fake downloaders to raise the good/garbage ratio of their spoofed files and lower it for the real files.

Hmm both are closed source?

[nurb432]

And only for windows?

Neither facts instill confidence in them, that there isn't anything evil hidden away ( anyone remember earthstation 5? ), or its actually anonymous and hard to break its encryption.

Not ranting about 'everything needs to be open', but with stuff like this, it is important to know what you are dealing with. Before the man comes knocking on the door ( or you start broadcasting spam like crazy )

Re:Good.

[SiliconEntity]

It's pretty easy to design a network that will at least frustrate attempts to recover identities of sharers. Now if only freenet would stop sucking.

No, it's not that easy. The only way to do it is to forward the data via some intermediate node(s). That's what Freenet does, and it's really hard to make that work right. It makes data transmission tend to be really slow, which is one of the reasons Freenet sucks. I have yet to see a large scale network which forwards data like this that doesn't suck.

Plus, it may not even work legally. If I can request data from node X and it gives it to me, the fact that it forwarded the request to node Y and then forwarded the reply data back to me may not matter. X may still be liable. The legal doctrines of contributory and/or vicarious infringement can make servers liable even when they don't directly provide the data (and in fact you could even argue in this case that they are direct infringers).

People talk about 'common carriers' and such but this is not legally precise. Ironically the best defense may come from the much maligned DMCA, not the part that criminalizes decryption, but the other part, that provides 'safe harbor' loopholes for ISPs so they can't be found liable when their subscribers infringe. It's possible that Freenet-type node operators could find protection there. But it's written very specifically to protect ISPs. Napster (the old Napster) tried to take harbor there but was not successful.

So it is very questionable whether even a system like Freenet which forwards requests and data node-to-node can provide legal protection. And it is further questionable whether it can be made to work technically and can overcome the speed penalties this kind of transmission imposes. My suspicion is that these press announcements are more hype than reality.

Re:Hell, the new p2p app ...

[torpor]

Well, it's not 'buried' if you have to know the IP address to access it, is it?

all i'm saying is, where are the RIAA gonna end up stopping this protocol-chasing stupidity? protocols are infinite. laws are infinite. none of this does anything for their markets, or the markets of their members.

sorry RIAA, but some of the most buried networks have been simple groups of people who trust each other enough to share a VPN setup. are the RIAA going to kill VPN's as well as p2p? because it doesn't look like they're going to stop their abusive law-making around -any- of the open public protocols.

See? You're relying on obscurity, not security. Anyone who would share with you will share with the RIAA.

ummm yeah, i guess my 'wry heh heh point' didn't really come across ... i tried for it, though.

what the RIAA, really, is up against, is the OSI model... when what they ought to be doing, perhaps, is using the model and getting someone to write them up a good RFC for media-content control, their own new in-band protocols, for protecting their own content and the content of their group of members...

But instead, it seems they're just on the warpath.

MAP

[MushMouth]

The receord companies were fined for MAP pricing, which was there to help record stores vs stores like Best Buy which sells a small selection of CD's for below retail so that people would come into their stores for music and buy a TV for a huge markup. This really cut into the profits, not of the record companies, but music only stores such as tower records. Lowering the price of music would not have helped this situation since the electronics retails are already taking a loss on every CD sale. SO to prop up the record stores they made MAP (minimum advertised pricing) which gave a kickback to the record stores for their advertising if they advertised the CD at a certain price or higher (that price was not the same for all companies or CD's). It was not really a big deal, while the record companies a fairly small fine and where told to stop MAP, it didn't come close to criminal price fixing like ADM, where people went to jail.

Re:WASTE

[DroopyStonx]

WASTE is fundamentally flawed at some level.

First, it's not even anonymous. You know the IP of the person you're getting data from.

Second, it's safe IF AND ONLY IF *you* personally know everyone on your node and are 100% sure they won't tell the authorities. As soon as your friends invite friends who invite friends, you never know who they work for and who they are. A potential law enforcement agent, RIAA employee, or flat out rat could screw you up just as bad as the RIAA doing scans of public IPs on popular P2P networks.

It's good if you want to just share files between people you know, but then again, why not just use AIM or something?

Instead of being decentralized with a ton of private networks, WASTE (or a p2p app like it) needs to be designed so it has the option of putting these branch networks on to ONE huge network (a la Gnutella/Gnutella2) AND provide a reliable means to search files (and transfer them) anonymously. Once you get 50+ people on there, the network starts getting shaky.

Re:Good.

[Michael Spencer Jr.]

There's a difference between direct copyright infringement liability and copying copyright-protected material. Search for RTC (religious technology center, a.k.a. Scientology) v Netcom. The decision in that case sets a precedent that the owner of a service cannot be liable for automated acts of reproduction. Instead there must be some volitional act -- you have to know you're doing it.

There's still contributory and vicarious infringement liability to worry about, but at least if you join a network with honest good intentions you can explain to a judge, and copyright infringement happens without your knowledge, you can't be held liable for direct copyright infringement without the judge ignoring precedent.

(If you're profiting from looking the other way and running a node with no other legal uses, that's vicarious copyright infringement. If you're materially contributing to infringement but not actually doing it yourself, and you know (or should reasonably know) it's happening, that's contributory copyright infringement.)

The bottom line here is: the law gives legal protection from automated acts of copyright infringement to ISPs, so they can continue to operate. We need to assume that sometime in the future, lawmakers are going to try to stop that body of law from being used to benefit home users on a filesharing network.

To do that, they are going to codify in law the difference between an ISP (with paying customers), a "volunteer ISP" (with nonpaying, anonymous customers, whatever it ends up being called), and a normal home user. Then they're going to have to explain to their fellow lawmakers why they are giving freedoms and granting exclusions for one class of citizen (including Cox Communications) but not for another class of citizen (including you and I).

I don't think they can make it illegal to start an ISP. I have to be able to go out to some little hick town in the middle of nowhere and set up a microwave relay and be a small-business ISP. If I can do that, I can set up an 802.11b repeater on my roof and be a free ISP for my neighbors. If I can do that, I can set up a virtual service using only my Internet connection that gives people "real Internet access" when they only have "cable modem web access". (That last one means: I'm a VPN, I'm enabling filtered ports, etc.) If I can do that, I can participate in one of these filesharing networks.

To forbid these filesharing networks they need to be able to draw the line in there somewhere, and codify that line with precise language in law.

I am not a lawyer, but one of my emails on this subject was featured in a slashdot article long ago. (Protecting Clients: Legal Implications of Filesharing Network Design) Check my posting history.

--Michael Spencer