New Tool Promises To Passively Identify BitTorrent Files
QuietR10t writes "A new technique has been developed for detecting and tracking illegal content transferred using the BitTorrent file-trading protocol. According to its creators, the approach can monitor networks without interrupting the flow of data and provides investigators with hard evidence of illicit file transfers. 'Our system differs in that it is completely passive, meaning that it does not change any information entering or leaving a network,' says Schrader." I wonder if it can specifically identify legal content, too.
It's called Port Mirroring (Score:5, Informative)
And my $200 24 port gigabit switch from Dell will do it. And that's a cheap piece of crap. For the 3 of you who don't already know, you specify one port on the switch to receive a copy of all traffic on the entire switch, a VLAN or a specific port. Then you can hook Ethereal to that port and monitor all of the traffic without modifying the original. OOOOhhhh, magic eh?
Anyway, even after I RTFA, I still didn't see anything that this thing does that my cheap port and a P2 running Ethereal couldn't do.
Re:Carrier Status? (Score:5, Informative)
I wish people would stop repeating this urban legend. ISPs do NOT have common carrier status. I wish they did, but they don't.
Re:Yawn (Score:5, Informative)
If I read the article correctly, what they're really doing is looking at the BitTorrent infohash, which is used when communicating with the tracker and other peers to identify the torrent. (The infohash uniquely identifies the torrent.) Having a different infohash for each peer would require significant BitTorrent reengineering, I would think.
However, it's defeated by encryption, cannot legally be used in the U.S. or Europe by ISPs, and relies on a blacklist of illicit torrents.
Re:Encryption? (Score:5, Informative)
Re:Encryption? (Score:5, Informative)
I'm assuming this has no chance of defeating encrypted connections?
The article explicitly says it cannot recognize encrypted files as the method cannot identify them with a hash. Although, I doubt anyone could think of a good way to ID files in encrypted BitTorrent.
I thought my summary submitted this morning [slashdot.org] did a better job describing this but you should note that this has some key things to overcome before it can be used:
They seriously need to overcome these obstacles before illegal file sharers should worry about it being used to target people.
Re:Developed by the Air Force (Score:3, Informative)
Re:Carrier Status? (Score:5, Informative)
The short story: There's more to being a common carrier than lack of liability, and ISPs don't want it. ISPs have liability protections under USC 17512 [cornell.edu] which are very strong and thus under heavy lobbying attack, but they are *not* responsible for content today. Read it yourself, it's surprisingly clear.
Re:Not yet (Score:3, Informative)
Well, this article [technologyreview.com] claims that it is too slow @100Mb/s for ISP and law enforcement use. And it is defeated by encryption. (Yes, that is the same article that is linked in the summary!)
FTA:
[emphasis mine]
Admittedly, this was all on the second page of TFA, but it is there.
Re:Encrypted traffic... (Score:5, Informative)
New York State Penal Law:
250.05 Eavesdropping.
A person is guilty of eavesdropping when he unlawfully engages in wiretapping, mechanical overhearing of a conversation, or intercepting or accessing of an electronic communication.
Eavesdropping is a class E felony.
Re:Not yet (Score:3, Informative)
who the hell decided that such a short article needed to be split into two pages?
The guy who wants to get a lot of ad revenue by making you see more ads.
Re:Completely Biased and Worthless (Score:1, Informative)
Re:Carrier Status? (Score:5, Informative)
Usenet probably counts as a cache under section 512(b) of the DMCA; as long as ISPs process takedown notices correctly they have no liability. Also see ALS Scan v. Remarq. IANAL.
Unclear wording (Score:5, Informative)
This is a non-issue. If anyone actually starts using this, trackers will just start using shttp for their torrent files. They're small and (relatively) low traffic, so it would be a negligible performance issue.
The only notable thing about this article is that it points out how clueless tech journalists really are.
They've never heard of salting? (Score:2, Informative)
There's a well-known technique for dealing with dictionaries of hashes - add some meaningless bits to the content before computing the hash, so that the number of possible hashes increases. This is cheap for everyone except a person trying to keep a dictionary of all possible hashes.
Re:Carrier Status? (Score:5, Informative)
If you read the content of USC 17512 [cornell.edu] yourself, you will see that it addresses exactly the same kind of protections that I stated, and that if they do alter or supply the content, they lose the protection of the law. While this does not directly pertain to actual, "official" common carrier status, this is still often referred to as the "common carrier defense", since the principle is exactly the same. Why did YOU not know that?
In any case, since that is out of the way: what are these other reasons that you assert are the cause of ISPs not wanting to be common carriers? That is more to the point.
This is useless (Score:4, Informative)
"Another drawback is that the system cannot cope with encrypted files."
Even the article mentions that anyone doing something they want to hide is more likely to check the "encrypted only" checkbox. I work on NetSpective WebFilter, which has been passively identifying encrypted protocols that try to hide themselves like encrypted BitTorrent (both standard and Azureus), Skype, and UltraSurf for years. It also lets you choose to block any of these protocols you don't want on your network.
"If a hash matches any stored in a database of prohibited hashes, then the system will make a record of the transfer and store the network addresses involved."
Maintaining a list of hashes is not a new idea, as they seem to claim. It was abandoned because the list is insanely painful to manage, and it is insanely easy to get around. These guys aren't even trying to provide a list, which might be worth something (until the hackers put in the time to work around it). They're just sniffing/logging the hashes, which is child's play and worth almost nothing.
Re:Carrier Status? (Score:2, Informative)
This is an opinion, NOT legal advice; for legal advice, please see a competent attorney in your jurisdiction.
An ISP which provides access (and does not host end-user systems directly on its network) doesn't have, and has never had, "common carrier".
They do, however, have immunity for liability under monetary relief for copyright infringement under 17 USC 512(a) [cornell.edu] (Digital Millennium Copyright Act), unless they filter, modify or cache their traffic. (Cache is covered under (b), hosting under (c); note there are no required takedown provisions under (a), i.e., takedowns are not valid in that context.)
[Please note that (j)(1)(B)(i) provides that they can be made the subject of injunctions to cut the downstream off if in the US by terminating the infringing account [if identified], and (ii) that they can be ordered to take "reasonable steps specified [...] to block access, to a specific, identified, online location outside the United States". But that's it. No ex parte Orders (excepting Orders "ensuring the preservation of evidence or other orders having no material adverse effect on the operation of the service provider's communications network"). No equitable relief. No monetary relief.
Whether or not actually complying with such an Order would constitute an action which could affect your immunity under subsection (a) is, however, unclear; this may be an oversight in the drafting of the statute.
But, then, I'm not qualified in the US, so I'm leaving that question open to the ones who are.]
Re:Encryption? (Score:3, Informative)
All it does is compare the encoded hash value in the BitTorrent header against a list of known illegal hashes. Hashes you have to program manually.
That sounds exactly how Snort [snort.org] works.
I guess if you had a bunch of hashes, you could put these in a configuration and basically have the described functionality.
I analyzed Snort more than 6 years ago and also remember that it couldn't operate on more than 100Mbit. Might've been a change here and there, though.
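The hash comparison described in the "Re:Yawn" comment and in the Snort comment above, as an added example that is not part of the thread or of the tool from the article: it pulls the 20-byte info_hash out of a plaintext peer handshake or HTTP tracker announce, checks it against a watchlist, and returns nothing for opaque (encrypted) bytes. The function names, addresses, tracker host and hash value are constructed for illustration.

```python
import hashlib
import re
from urllib.parse import quote_from_bytes, unquote_to_bytes

PSTR = b"\x13BitTorrent protocol"          # length byte (19) + protocol string
ANNOUNCE = re.compile(rb"GET\s+[^\s?]*\?(\S*)\s+HTTP/1\.[01]\r\n")

def handshake_infohash(payload):
    """info_hash from a plaintext peer handshake, else None."""
    # Layout: pstrlen(1) pstr(19) reserved(8) info_hash(20) peer_id(20)
    if len(payload) < 68 or not payload.startswith(PSTR):
        return None
    return payload[28:48]

def announce_infohash(payload):
    """info_hash from a plaintext HTTP tracker announce, else None."""
    m = ANNOUNCE.match(payload)
    if not m:
        return None
    for pair in m.group(1).split(b"&"):
        key, _, value = pair.partition(b"=")
        if key == b"info_hash":
            raw = unquote_to_bytes(value)   # 20 raw bytes, percent-encoded on the wire
            return raw if len(raw) == 20 else None
    return None

def inspect_payload(src, dst, payload, watchlist):
    """Record src/dst when the payload carries a watchlisted info_hash."""
    h = handshake_infohash(payload) or announce_infohash(payload)
    if h is None or h not in watchlist:
        return None
    return {"src": src, "dst": dst, "info_hash": h.hex()}

# Constructed sample data: no real torrent, tracker or address is used.
# H is just a 20-byte stand-in for the SHA-1 of a torrent's bencoded info dict.
H = hashlib.sha1(b"constructed example torrent").digest()
HANDSHAKE = PSTR + bytes(8) + H + b"-XX0001-" + bytes(12)
ANNOUNCE_REQ = (b"GET /announce?info_hash=" + quote_from_bytes(H, safe="").encode()
                + b"&port=6881 HTTP/1.1\r\nHost: tracker.example\r\n\r\n")
OPAQUE = bytes((i * 37 + 11) % 256 for i in range(68))  # stand-in for an encrypted stream

if __name__ == "__main__":
    for name, pkt in [("handshake", HANDSHAKE), ("announce", ANNOUNCE_REQ), ("opaque", OPAQUE)]:
        print(name, inspect_payload("192.0.2.10", "198.51.100.7", pkt, {H}))
```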
Re:Carrier Status? (Score:4, Informative)
I wish people would stop repeating this urban legend. ISPs do NOT have common carrier status. I wish they did, but they don't.
The "safe harbor" provisions of the DMCA create a situation for ISPs that gives them common carrier status in all but name. So yes, people should stop saying "give up their common carrier status", and instead say "fail to meet the conditions of DMCA Safe Harbor".
Re:Carrier Status? (Score:4, Informative)
Oh, yes, that is another important point. Censorship or moderation of a forum is de facto control of content, which generally means that the censor has legally assumed liability (or at least some of the liability) for that content.
For example, in a libel case involving an AOL online chatroom, both the poster of the alleged libel and AOL were named as defendants. AOL tried to wiggle out of the suit by claiming immunity via the "common carrier defense", but the judge did not allow that because they moderated the chatroom, which means they actively controlled the content.
Re:ATTN !! Is this a good thing or a bad thing? (Score:4, Informative)
If you read the article, you know the answer to these questions.
They plan to sniff for the hash, of course, and compare it to a list of hashes for "forbidden files".
It's not new technology - the same approach is used in China (according to the article).
And no, I don't think this is legal in the EU (not yet at least), and certainly not in the U.S., as it requires sniffing through everybody's stuff, regardless of what they're downloading.
Re:ATTN !! Is this a good thing or a bad thing? (Score:3, Informative)
From TFA
Another drawback is that the system cannot cope with encrypted files. "Today, about 25 percent of BitTorrent traffic is encrypted," says Schulze. If such a tool became widely used, then anyone with something to hide would almost certainly switch to using encryption, he says.
/ducks for reading TFA