Anyone Can Play Big Brother With BitTorrent 436
An anonymous reader writes "I was at the 3rd USENIX Workshop on Large-Scale Exploits and Emergent Threats yesterday, and there were people from the French Institute for Computer Science who have continuously spied on most BitTorrent users on the Internet for 100 days, from a single machine. They've also identified 70% of all content providers; yes, those guys that insert the new contents into BitTorrent. As a BitTorrent user, I was shocked that anyone with a box connected to the Internet can spy on what everyone is downloading on BitTorrent."
Re:Shocked. Shocked! (Score:2, Informative)
You mean, all you have to do is send a simple request to the tracker, which will happily provide you with a fairly complete list of peers.
And people make themselves available on the DHT network.
And people offer their peers freely through PEX.
Huh? (Score:1, Informative)
As a BitTorrent user, I was shocked that anyone with a box connected to the Internet can spy on what everyone is downloading on BitTorrent."
Seriously? BitTorrent is a completely open, unsecured protocol. Yes. Anybody can be listening in. The only difficulty is finding the trackers, and it's not like that is THAT hard...
Whether or not the list created is ACCURATE, however, is another matter. It's also incredibly easy to 'poison' those lists with fake addresses, as in the case of the music-sharing printer...
Re:Copyright laws. (Score:5, Informative)
First off, Copyright infringement is not theft.
Secondly, transmitting copyrighted material over a computer network is not necessarily copyright infringement, even if copyright holders would like it to be.
Re:Shocked. Shocked! (Score:5, Informative)
> You mean, all you have to do is send a simple request to the tracker, which will happily provide you with a fairly complete list of peers.
Most trackers (at least most public/open trackers [trackon.org]) insert random ips to give a degree of 'plausible deniability'.
This of course is not perfect, but to be certain that a peer is serving a file the only way is to actually try to connect to it and fetch some blocks, which is quite a bit more work than just querying the tracker, specially if you have to do it for hundreds of thousands of torrents.
fear-mongerish (Score:5, Informative)
Saying you "can spy on what everyone is downloading on BitTorrent" and TFA stating "major privacy threat" are over-the-top and fear-mongering exaggerations.
A more accurate way to state this is: Using BitTorrent will make our IP address public regarding what content is downloaded and shared online from that IP address. When someone monitors the same content, then they can log your IP address. This is obvious from how the protocol works to anyone who looks into privacy questions seriously. Yes, there is less privacy with what you download with BitTorrent compared to a direct download, as other people also sharing the same content can see your IP address.
But remember, with every download method online someone else knows you have downloaded it, with direct downloads and with all the different peer-to-peer distribution options. If you go to Adobe and download the latest Photoshop demo, they know, they log your IP, and usually even ask for even more information about you.
The only a real privacy problem (a "major threat") is for people using BitTorrent for illegal redistribution of content; it is not a major problem for distribution of open licensed or public domain content, businesses or organizations using BitTorrent for distribution to lower costs, or to distribute free content for viral or marketing purposes.
(Disclaimer: our company, ClearBits, does exactly this, offers distribution as a service to others, and we use BitTorrent extensively)
Re:An Opportunity (Score:5, Informative)
If you can get an IP, you can narrow down the area quite a lot without the ISP's cooperation, possibly enough to force the ISP's cooperation. With ISP cooperation you can narrow an IP down to a physical address. At that point, you're screwed.
What people who don't understand how networking works is, if there is a connection then there is an IP address trail to follow. You cannot spoof an IP address and maintain a connection. You can spoof a MAC address just fine, because that is only used on the last leg of the connection, but the IP address is used the rest of the way and a link must be maintained if data is ever to get back to the source. Pretty much all IP spoofing is good for are cases where you don't want to receive the response, like a DOS attack (there are elaborate network hacks using IP spoofing, but they require direct access to the destination network). That's obviously no good for a BitTorrent connection.
What you can do is sort of "launder" the IP address to make it difficult to trace - that is, to route it through multiple NAT services. Each NAT maintains an IP trail to the previous address though, or the connection would fail, so this is only obscuring the source, not erasing the trail. Someone diligent enough (and with sufficient authority to force cooperation from various ISP's) could potentially track any sufficiently current IP address from destination back to source. Also, setting up such a route would go a long way to establishing intent to commit a crime, which will blow most of your defense out of the water in such a case.
There might be some honeybuckets in the tracker's list, which would be clever, but all it is going to do is waste a little bit of time for whoever is tracking these IP's, it's certainly no protection for anybody but the tracker (who would be monitoring the honeybucket, one would assume).
Re:Good! (Score:1, Informative)
Perhaps I'm exposing my own ignorance (because I've never felt the need to use Tor myself) but that strikes me as surprising if it's true. And something that even savvy internet users might not think about.
The sawy internet users are kindly invited to read the paper on weaknesses of BitTorrent over Tor [inria.fr] to reduce their level of ignorance. There are 2 passive ways and an active way (running a Tor exit node) to exploit "BT leaks" (not really leaks since it wasn't designed with security/privacy in mind).
Re:An Opportunity (Score:3, Informative)
Buying some Pringles is seriously magic for that exact purpose..
Fixed that for ya ;)
Re:UNISEX? (Score:3, Informative)
Yeah, that has been disproven.
There exist pairs of words which are anagrams of each other while still having the same first and last letter. Thus you would not be able to distinguish them if the intervening letters were scrambled. Two examples are protuberantial/perturbational and, even more on point, undefinability/unidentifiably.
Re:They cracked Tor? (Score:1, Informative)
The Achilles' heel of TOR is comprised of the application protocols. For example, if you browse the web through TOR and don't disable "active" content, e.g. Flash, then an attacker can use Flash to find your external IP address locally and send it as payload back to the server. If you browse unencrypted pages, the attacker who provides an exit node through which your requests are routed can make the necessary changes to the web pages on the fly. The attack on Bittorrent over TOR is similar: Bittorrent leaks the public IP of the computer its running on.
To avoid this whole class of attacks, the application PC should only ever see a network with RFC 1918 addresses and no direct internet connection. The router should then encapsulate all packets and hand them to the TOR network.
Re:Good! (Score:5, Informative)
No, it's a pretty simple application of basic undercover investigative technique.
They pretended to be part of the Tor web, joining it at a point where the user's IP address was visible.
People willingly handed them the IP address.
And since the web was fairly limited in size, and connection points were selected randomly, and most users did multiple connections over time, eventually 70% of users willingly handed them the IP address. Since Tor has no way of ensuring trust in its security servers, its security is void. You couldn't have designed it better to funnel users' IP addresses to a spy unless you had only one server in the whole web and faked the rest of the topology.
it was wide-open to being exploited by sting operations.
This is also the reason you should never trust anonymizing proxy servers or Arab sheiks [wikipedia.org].
There's nothing so useless as a lock with a voice imprint - Lord President Borusa
Re:Copyright laws. (Score:5, Informative)
Once again, copyright infringement is NOT stealing. Nor is copying copyrighted data necessarily and always copyright infringement. Finally, it's better to be on the right side for the wrong reasons than to be on the wrong side entirely.
Re:An Opportunity (Score:3, Informative)
You can indeed spoof an IP and maintain a connection. ever heard of a: VPN or b: a proxy, c: I2P or d: tor?
Good luck with that. None of those are new techniques by any means.
It's also one thing to identify someone just being connected to a torrent. It's another to prove distribution. You will have to connect to identify someone. None of this stuff from this report says they connected to the individuals to verify the IP addresses.
You can (if an ISP chooses to share the data) tie an IP down to a physical address and a time. That doesn't tie it to a person by itself. That's like saying - X time on Y day at Z location something happened. Since it was near you, it must be you! (accusatory). Considering more than one person lives at a location, well, do the math. If you have a wireless connection unsecured? Again, do the math.
Get real. Anyone can collect the data, but taking it to the legal level for this is basically not going to happen. Police care about this, oh, zero, unless you're doing it commercially.
Re:Copyright laws. (Score:4, Informative)
Re:An Opportunity (Score:3, Informative)
This was the idea behind bitTorrent from its inception as quick and efficient method of deploying large content to many users simultaneously. The drawback is the public display of IP addresses and yes, a simple computer, connected to several torrents, can obtain many addresses. This doesn't really mean anything except they are participating in the bitTorrent network. It does not necessarily mean any data from the torrent file is on the computer. It is simply a node unknowingly exchange inappropriate content.
Re:Shocked. Shocked! (Score:3, Informative)
You then have to download the entire thing to find out if those blocks are part of IronMan2.avi are actually part of ironman2 movie or some dumb students project on feeding excessive iron to a man.
Not in BitTorrent.
A torrent is uniquely identified by its "info-hash", and the first thing you do when you connect to a peer is to agree on the info-hash. So with BitTorrent, you only need to download the file once, check that it is the right file, and then ask all of the peers you find whether they are distributing files with this particular info-hash.
Re:Copyright laws. (Score:5, Informative)
It's worse than that: they steal from us, the public.
Back when copyrights were first codified into law, there was a deal:
We, the people, gave protections to people who created works so that they could profit from those works, but in exchange for those protections, the creators of the works agreed to give us, the people, their work after a certain timeframe had passed.
Works may now - if the copyright holder wishes - no longer come into the public domain because copyright holders are corporations who are solely interested in making a profit, and who use their political influence (money) to ensure that copyright NEVER expires.
While it certainly won't give me any kind of legal defense, I simply do not care about copyright because the very basis for it has been completely violated by the holders of that copyright.
If we go back to the original law - life of the initial copyright holder + a small extension past that, and only real-live human beings can be considered to be initial copyright holders - I will give up piracy. Until then, I really don't consider copyright law to be valid because the fundamental premise of it: you get yours, we get ours, has now become "they get theirs, everyone else gets fucked."
Copyright no longer benefits anyone but the copyright holder, and that is NOT what it was intended to do.
Re:Copyright laws. (Score:3, Informative)
Stealing and theft are synonyms. See stealing [princeton.edu]: S: (n) larceny, theft, thievery, thieving, stealing (the act of taking something from someone unlawfully.
"Stealing credit" makes sense. It's a more metaphorical application, but you are still *taking* something. "Stealing copyright" could be used similarly, but it would refer to what SCO/Caldera is attempting to do in court, not to some kid downloading a song. He is not taking anything from anyone, at most he is violating a statute that granted someone else a monopoly on reproducion of a particular pattern.
Re:An Opportunity (Score:2, Informative)
You do realize that your MAC address is lost at the layer 3 translation at the router, right?
Even if they pulled a list of MAC addresses from the router, there would be no way to tell which MAC address downloaded the material unless they caught you in the act.
People don't seem to realize that Bittorrent wasn't designed for anonymity or privacy. It was designed for the easy distribution of free *legal* content such as FOSS. Getting the tracker from the software's website removed the risk of downloading an infected fake.
The scanner committed piracy itself (Score:2, Informative)
Re:Or a warning (Score:4, Informative)
Incidentally, the CLI interface is fragile, and it can break out into a standard apache directory listing [meningrey.net]. It also occasionally redirects to an RFC document for some reason. Anyway, there's a log of all tried passwords there. But more interestingly, there's a lot of other stuff elsewhere in the tree, an 18MB text file with a Twitter social connection graph (just a list of name pairs), and a monitor/ directory with what looks like GSM/email/p2p monitoring stuff. Can't access most of it except an auto-refreshing IRC monitoring page though.
Somebody is using it for something it seems.
Re:An Opportunity (Score:2, Informative)
Re:An Opportunity (Score:3, Informative)
You seem to have a good grasp of the technical aspects, but a severe lack of the legal aspects.
The issue is that once you've got an address, then what? In most countries you can't simply hold the subscriber responsible for an illegal act, at best the ISP can hold them responsible for breaching their ISPs subscriber agreement and cut them off after which they go to an ISP.
Even if they get the police to issue a search warrant and search the house, then what next? They can find a computer with content on it, but they have to prove the content wasn't put there via a remote access trojan, they have to prove it wasn't copied through your wireless network to an open share on your computer, they have to prove that you were the person who downloaded the content. Even if they do forensics on the keyboard they may find other people's fingerprints there, but even then can they prove the keyboard hadn't merely been switched?
The fact is, short of catching you red handed there's absolutely no way to conclusively tie someone to a digital crime committed over the internet. Despite this many people get prosecuted, but it's often because they and their lawyers don't have an understanding of the technicalities involved in trying to prove someone guilty of a computer crime and so fail to put their case across, however the closest case to demonstrating was probably this one:
http://www.yorkshirepost.co.uk/news/breaking-craig-meehan-guilty-but.4495490.jp [yorkshirepost.co.uk]
Whilst it's almost certain the guy was guilty, what's interesting in this case is the circumstances in which he was discovered, and the judges comments on why he chose to rule against him. Specifically, he was only discovered because his computer was seized as the result of another separate investigation, and that the evidence that mattered was the times which those images were downloaded at demonstrating they were downloaded when he was not at work. So if you were to set downloads going remotely, using an unlogged piece of software, whilst you're at work, or if you also demonstrated the unreliability of time stamps on computer files it's very likely he could well have ended up getting away with it. The Judge had to rely on what came down to mistakes due to a lack of technical understanding on behalf of the defendant.
Of course, all this isn't too relevant to a civil case, the standards of evidence required there are lower, but similarly I think the chance of the police being involved in getting a court order for a search warranty over a few movies and MP3s is also unlikely.
The issue is, you're somewhat right in your analysis of how easy it is to follow an IP trail (with some caveats- covered below), but you're missing the weak point- connecting the IP trail to the perpertrator of the crime.
The caveats to your comments on tracking an IP are that you make the assumption that interim systems log all connections- you point out that someone can hop between routers to mask their IP and then suggest that if there is enough cooperation of IPs, the trail can simply be traced back, but that's only true if all those connections are logged. If I connect to a US torrent client, via a VPN connection to a country that doesn't demand ISPs such as the VPN provider log everything then any attempts to track this will stop at the VPN provider, as there's simply no way to tell which way the connection went then. This is similar to the situation of wireless- if someone has home wireless, and another person connects to it and leeches torrents through their wireless router, a device which rarely logs connections, then the buck is going to stop at the wireless router. There's no way even the police can reasonably say that the owner of the internet connection is responsible if they search his hard drive and find nothing, and if he has an open or low security access point, they wouldn't stand a chance in court.
So I think many appreciate it's true that you're always