Anyone Can Play Big Brother With BitTorrent

An anonymous reader writes "I was at the 3rd USENIX Workshop on Large-Scale Exploits and Emergent Threats yesterday, and there were people from the French Institute for Computer Science who have continuously spied on most BitTorrent users on the Internet for 100 days, from a single machine. They've also identified 70% of all content providers; yes, those guys that insert the new contents into BitTorrent. As a BitTorrent user, I was shocked that anyone with a box connected to the Internet can spy on what everyone is downloading on BitTorrent."

An Opportunity

[MarkvW]

Looks like a good way to earn a paycheck from the RIAA.

Re:An Opportunity

[poetmatt]

looks like something that won't work for those who understand that plenty of these IP addresses could be spoofed or not even uploading, or knows what I2P does, or uses VPN. This is just a list of IPs that they are assuming are 100% valid because they were listed in the tracker when the content went up. They're saying that if someone is listed on more than one tracker, it confirms who they are.

That= a bad study.

All they're saying is "We can tie an IP to a torrent", but that doesn't mean you can get anything more than that. Judges already don't accept an IP simply being tied to a torrent.

Re:An Opportunity

[feepness]

Judges already don't accept an IP simply being tied to a torrent.

What do they accept? My, err, friend wants to know!

Re:An Opportunity

[Bigjeff5]

If you can get an IP, you can narrow down the area quite a lot without the ISP's cooperation, possibly enough to force the ISP's cooperation. With ISP cooperation you can narrow an IP down to a physical address. At that point, you're screwed.

What people who don't understand how networking works is, if there is a connection then there is an IP address trail to follow. You cannot spoof an IP address and maintain a connection. You can spoof a MAC address just fine, because that is only used on the last leg of the connection, but the IP address is used the rest of the way and a link must be maintained if data is ever to get back to the source. Pretty much all IP spoofing is good for are cases where you don't want to receive the response, like a DOS attack (there are elaborate network hacks using IP spoofing, but they require direct access to the destination network). That's obviously no good for a BitTorrent connection.

What you can do is sort of "launder" the IP address to make it difficult to trace - that is, to route it through multiple NAT services. Each NAT maintains an IP trail to the previous address though, or the connection would fail, so this is only obscuring the source, not erasing the trail. Someone diligent enough (and with sufficient authority to force cooperation from various ISP's) could potentially track any sufficiently current IP address from destination back to source. Also, setting up such a route would go a long way to establishing intent to commit a crime, which will blow most of your defense out of the water in such a case.

There might be some honeybuckets in the tracker's list, which would be clever, but all it is going to do is waste a little bit of time for whoever is tracking these IP's, it's certainly no protection for anybody but the tracker (who would be monitoring the honeybucket, one would assume).

Re:An Opportunity

[Shakrai]

With ISP cooperation you can narrow an IP down to a physical address. At that point, you're screwed.

Speak for yourself. I do all my bittorrenting from open wireless networks ;)

Re:An Opportunity

[wealthychef]

This is actually an argument for buying a wireless router and leaving it open without a password. Sure, you can be owned by your malicious neighbors, but they could also be the ones doing the torrent downloads... hmm. LOL

Re:An Opportunity

[Bigjeff5]

If they get enough to get a search warrant, you're screwed, because even if you're masking you're MAC they'll be able to figure that out once they have access to your machine and make a positive link to the IP address.

If you use whole-drive encryption, recent court cases have shown you've opened up a whole new can of worms, and didn't really save yourself any trouble.

If you try hard enough at hiding it, you could be in a situation where the circumstantial evidence is enough to push a jury past the "reasonable doubt" threshold, in which case you've saved yourself nothing.

It really is not easy to shield yourself when you use a protocol that by its very nature must identify your machine uniquely. The best you can do is hide and make your discovery more difficult. You can't completely prevent it completely and still access the internet in any useful way.

Re:

[Xest]

You seem to have a good grasp of the technical aspects, but a severe lack of the legal aspects.

The issue is that once you've got an address, then what? In most countries you can't simply hold the subscriber responsible for an illegal act, at best the ISP can hold them responsible for breaching their ISPs subscriber agreement and cut them off after which they go to an ISP.

Even if they get the police to issue a search warrant and search the house, then what next? They can find a computer with content on it, b

Re:

[Shotgun]

I had a situation where a kid was using Skype to make bomb threat phone calls to the middle school my son attended. The kid had a history of the same behavior and could make a reasonable guess that it was the kids voice on the phone. There was also a phone call that reported a gun fight at my house. I was working in the garage when the police showed up with handguns and rifles locked and loaded.

There wasn't enough evidence to support the issuance of a warrant to get the call records from Skype. And that

Re:

[montibbalt]

If you also have a few random garbage generators installed on the system, that also makes it look more plausible.

Luckily, several of these are built into Windows itself!

Re:

[blackfrancis75]

Buying some Pringles is seriously magic for that exact purpose..

Fixed that for ya ;)

Re:

[Bigjeff5]

You do realize that they can track it down to the boarders AP and will know with reasonable accuracy (within 100 meters or so) where the downloader must live, right?

Then it's just a matter of getting a search warrant to find the PC with the right MAC address. Even spoofing your MAC won't protect you at this stage, unless you catch wind of what is going on and remove all traces of spoofing from your machine.

Fortunately, the police aren't that interested in downloaders, and are the only ones with the kind of

Re:

[Shakrai]

You do realize that they can track it down to the boarders AP and will know with reasonable accuracy (within 100 meters or so) where the downloader must live, right?

High-gain antennas increase that range number quite a bit. I've personally connected to APs with a high-gain antenna on one side of the connection from more than a mile away. Others have done it from further out.

unless you catch wind of what is going on and remove all traces of spoofing from your machine.

Or use encryption.....

Re:

[mgblst]

You can have your MAC address change every day, by a simple little script.

Re:An Opportunity

[Shakrai]

We are talking about civil actions here, not criminal ones. How would RIAA go about tying your MAC address back to you, even if you weren't smart enough to spoof it? Are they going to file discovery motions on every single house within range of the AP that was used? Heck, for that matter, how would law enforcement do it? No Judge would issue a warrant for "every computer within a 150 meter radius of this location", not for something as mundane as file sharing.

BTW, you can get a lot further than 150 meters with the right antenna setup. I've seen associations made at ranges exceeding two kilometers, under less than ideal conditions.

Re:

[poetmatt]

You can indeed spoof an IP and maintain a connection. ever heard of a: VPN or b: a proxy, c: I2P or d: tor?

Good luck with that. None of those are new techniques by any means.

It's also one thing to identify someone just being connected to a torrent. It's another to prove distribution. You will have to connect to identify someone. None of this stuff from this report says they connected to the individuals to verify the IP addresses.

You can (if an ISP chooses to share the data) tie an IP down to a physical add

Re:

[dimeglio]

This was the idea behind bitTorrent from its inception as quick and efficient method of deploying large content to many users simultaneously. The drawback is the public display of IP addresses and yes, a simple computer, connected to several torrents, can obtain many addresses. This doesn't really mean anything except they are participating in the bitTorrent network. It does not necessarily mean any data from the torrent file is on the computer. It is simply a node unknowingly exchange inappropriate content

Re:Or a warning

[fbjon]

Not so sure. I checked out one of the swarms indicated, and sure enough, I found the peer listed on the that site.

Incidentally, the CLI interface is fragile, and it can break out into a standard apache directory listing [meningrey.net]. It also occasionally redirects to an RFC document for some reason. Anyway, there's a log of all tried passwords there. But more interestingly, there's a lot of other stuff elsewhere in the tree, an 18MB text file with a Twitter social connection graph (just a list of name pairs), and a monitor/ directory with what looks like GSM/email/p2p monitoring stuff. Can't access most of it except an auto-refreshing IRC monitoring page though.

Somebody is using it for something it seems.

Re:

[biryokumaru]

The scary part is that it doesn't have any of the torrents I've actually downloaded in the past few days, like BT4 [backtrack-linux.org] which was a huge swarm and came in at like 3 MB/s.

Re:

[Thanshin]

they would tell you they were paying you $1 million while actually giving you $5. And that $5 would probably be copied.

ffs... Stolen! Not copied, STOLEN!

Alternatively, you can use "pirated", "robbed" or "pillaged".

Cheers,
RIAA

Copyright laws.

[headkase]

If copyright law was more sane we wouldn't have to argue so much about privacy.

Re:Copyright laws.

[Red Flayer]

I dunno about that.

Privacy isn't just about keeping your illegal activities hidden from an authority that can punish you for those activities. I don't want anyone to be able to glean the details of my day-to-day habits, be they bittorent use, physical locations, or anything else. Even if we had NO copyright laws, I'd still have a problem with people being able to track my actions. And FWIW, I have nothing to hide, AFAIK[1], other than routinely exceeding the speed limit in my car. I refuse on principle to violate copyrights.

[1] the AFAIK is a big problem. There's probably a good chance I violate some law or other occasionally, but I have no idea since there are so many laws on the books. But that just feeds into the privacy issue... I'm no Randian, but the massive amount of laws we have on the books that make innocuous behavior illegal means that I'm probably a criminal without knowing it. The best way to protect against this extant situation is to make sure I maintain the privacy of my activity. Better not to have that situation in the first place, but that's a topic for a different discussion.

Re:Copyright laws.

[DarkKnightRadick]

I care about privacy and I only use bit torrent for legitimate purposes.

Re:

[Anonymous Coward]

Same AC here. I didn't say that everyone only cares about privacy because they don't want to get caught doing anything illegal, I said it was interesting and saddening to see one person admit as such. I personally don't download anything illegally anymore, though i'll admit that at one time i did so often and freely. i do however care deeply about my right to privacy. and you have to admit that there are a large number of people jumping on the internet privacy bandwagon, yet they have absolutely no real

Re:

[DarkKnightRadick]

I know that's not what you said. I wasn't trying to imply that was what you were implying.

I agree 100% with you.

Re:

[calmofthestorm]

"The trouble with fighting for human freedom is that one spends most of one's time defending scoundrels. For it is against scoundrels that oppressive laws are first aimed, and oppression must be stopped at the beginning if it is to be stopped at all."
-- H. L. Mencken

Re:Copyright laws.

[Arker]

Once again, copyright infringement is NOT stealing. Nor is copying copyrighted data necessarily and always copyright infringement. Finally, it's better to be on the right side for the wrong reasons than to be on the wrong side entirely.

Re:

[Arker]

I think you meant to say, copyright infringement is not theft. Stealing is not limited to physical property; plagiarism is considered stealing (the credit for) words, for example. Legal definition of 'steal' is irrelevant, if U.S. law defines stealing at all. It does define 'theft'.

Stealing and theft are synonyms. See stealing [princeton.edu]: S: (n) larceny, theft, thievery, thieving, stealing (the act of taking something from someone unlawfully.

"Stealing credit" makes sense. It's a more metaphorical application, but you

Re:

[Arker]

A friend of mine has a house that backs onto a small nature preserve. On the other side of that woodland area is an ampitheatre, at which a great many concerts are held. He can sit out back and hear the concerts from his patio, or he can pack a picnic basket and take his wife and kids on a short walk through the woodland to a point directly overlooking the ampitheatre and hear it much better - in fact at that range the volume level is just perfect. They can take binoculars and see the concert as well, almos

Re:

[Mordok-DestroyerOfWo]

And most Playboy readers only buy them for the articles.

Re:

[DarkKnightRadick]

I wouldn't know, but I don't like what you are implying.

Re:Copyright laws.

[Barrinmw]

Actually, I did a report in High School on the creation of Playboy and this one girl got all pissy at me for it and said how it was degrading to women and everything. I told her that people do buy it for the articles too and she was like, Yeah who? My answer was the 10,000 blind people who order the braile edition. That shut her up pretty good.

Re:Copyright laws.

[loufoque]

First off, Copyright infringement is not theft.

Secondly, transmitting copyrighted material over a computer network is not necessarily copyright infringement, even if copyright holders would like it to be.

Re:

[JoeBuck]

If the transmission is done with the permission of the copyright holder (either explicitly or because of a license), it's not infringement. And in some circumstances fair use (some countries call it "fair dealing") applies. But clearly most BT traffic is copyright infringement.

Re:

[loufoque]

But clearly most BT traffic is copyright infringement.

Clearly most road traffic is, too. Aren't all those trucks and cars full of copyrighted material?

Re:Copyright laws.

[commodore64_love]

I don't lie to myself.

I steal. Rather than go out and buy the DVDs, I steal the content. And no I don't care. Movie companies steal from their workers all the time ("Sorry Mr. Cameron, actors, and crew... Titanic made no profit, so your profit share check will be zero."). If the movie is any good (like Star Trek) then I will buy it.

Re:Copyright laws.

[thesandtiger]

It's worse than that: they steal from us, the public.

Back when copyrights were first codified into law, there was a deal:

We, the people, gave protections to people who created works so that they could profit from those works, but in exchange for those protections, the creators of the works agreed to give us, the people, their work after a certain timeframe had passed.

Works may now - if the copyright holder wishes - no longer come into the public domain because copyright holders are corporations who are solely interested in making a profit, and who use their political influence (money) to ensure that copyright NEVER expires.

While it certainly won't give me any kind of legal defense, I simply do not care about copyright because the very basis for it has been completely violated by the holders of that copyright.

If we go back to the original law - life of the initial copyright holder + a small extension past that, and only real-live human beings can be considered to be initial copyright holders - I will give up piracy. Until then, I really don't consider copyright law to be valid because the fundamental premise of it: you get yours, we get ours, has now become "they get theirs, everyone else gets fucked."

Copyright no longer benefits anyone but the copyright holder, and that is NOT what it was intended to do.

Re:Copyright laws.

[JesseMcDonald]

YOU are denying the person who created the content the sale. YOU have denied them the money they would have made. YOU have TAKEN from them something that was rightfully theirs. THE SALE.

<sarcasm>Just think of how much you've stolen by not-buying all those CDs you don't own! You must owe the RIAA more than the GDP of the United States by now!</sarcasm>

Choosing not to buy something is not theft. No one owns "THE SALE". They own their physical property, because it is scarce. And they have not been deprived of that property.

I confess I'm a thief: A True Story

[mangu]

He fully expected the sale to anyone that WATCHED that movie.

Let me tell you a true story very much like the theoretical example you posted. When I was a kid there was a Rolling Stones song I loved, but I had no money to buy the album and my parents hated rock music. Our neighbors had that album, and I used to run to the backyard to listen when they played it. Was I stealing?

Re:Copyright laws.

[nmb3000]

I'm not going to get into the copyright violation vs theft argument (again), but this is just plain WRONG. Drivel like this reeks of **AA and artist entitlement whining.

YOU are denying the person who created the content the sale.

No, because I had no plans on buying whatever it was I'm downloading. If I can get X for free, I'll grab it. If I can't, I'll do without. No sale lost.

YOU have denied them the money they would have made.

They wouldn't have made any money, ergo I denied them nothing.

YOU have TAKEN from them something that was rightfully theirs. THE SALE.

Again, there was no sale to be made. 0 - 0 = 0.

If you want to argue on the basis of morals then I imagine most people would agree that violating a (sane) copyright is wrong. When you start talking about 120-year old copyrights or trying to prevent what most feel is fair use then people will start to disagree.

Regardless of all that, the monetary value of a potential sale is exactly $0.00.

Re:Copyright laws.

[JesseMcDonald]

The enlightened argument is not that the act of copying is theft, but that illegal copying deprives the copyright owner of monetary gains which would otherwise have been earned.

So does simply choosing to go without. Should that be illegal now as well?

You can't "steal" the expectation of income. Only that which is owned is subject to theft, and theft only occurs when one is deprived of its use. If one cannot be deprived of the use of a thing—as is the case for everything subject to copyright, since mere duplication cannot deprive anyone of use of the original copy—then that thing cannot be stolen.

Re:

[JesseMcDonald]

If you're arguing that copyright could be transmuted into a contract governing access to the physical copy—not the abstract pattern which copyright currently covers—then I agree with you in theory but do not believe this transmutation to be likely, or effective. The contract would be similar to an NDA, with the same weaknesses. NDAs are only effective when distribution of the information is limited; copyright must cover the case where content is to be distributed to the public at large. Enforcem

Re:

[JesseMcDonald]

Let's say I find myself a man to play the guitar at dinnertime each night. It's now the end of the week, and he has the "expectation" of income. He was deprived of the use of his time, and I enjoyed the fruits of his labour. If I choose to not pay him, have I not stolen from him?

That depends. What does your contract say? If the contract states that you give him a certain amount of money on the condition that he plays for you, and after he plays you refuse to turn over the money, then you are indeed stealing from him—that's his money you're withholding. One can envision other circumstances, including the absence of any contract (not necessarily written), where refusal of payment would not be theft. The expectation is not enough, by itself.

If I'm not stealing in the second case, I'm not stealing in the first.

In the second case you explicitly did

Re:Copyright laws.

[betterunixthanunix]

"In some (not all) cases the content owner is deprived of a sale."

Except that it is really impossible to prove such a thing. If we are willing to set aside the fact that the sale never really existed (how can you be deprived of something that does not exist), there are a lot of confounding factors. The downloader might have decided to go out to a store to buy the media, had it not been available for download, and then seen something better to spend money on, and not purchase the media. Or, perhaps the downloader never even had the money to spend on the media, and the sale never even had a chance of happening. Or perhaps the media was not even available to purchase, and the copyright holder did not feel like spending the money on making further copies.

Even if we ignore all of the above, there is a new problem with declare "deprivation of sales" to be a form of theft. Maybe my business attracts more customers than your business -- does that now make me a thief, because I am depriving you of the sales you would have had if I had not been in business? What if I go around telling people not to buy your products -- is that thievery too?

This is the problem with trying to claim that imaginary things like "potential sales" can be "stolen." In general, "stealing" something that is intangible, whether it is some sort of media, or potential sales, or an idea, or whatever else, is illogical. The term "theft" is only used by people who want "copyright" to be considered the equivalent of "real estate," which it was never intended to be.

Re:

[biryokumaru]

Here's a thought experiment:

If I invent a replicator and make an exact, atom by atom copy (yes, this would be impossible space magic, just go with me here) of something with a copyright on it, is that copyright infringement?

If yes, then how can an exact digital copy of a series of 1's and 0's with a copyright on them not be copyright infringement?

Note: this wasn't really the conclusion I was aiming for... stupid thought experiment...

Re:Copyright laws.

[jeffmeden]

Is privacy invaded because of people pursuing copyright violators, or is privacy pursued because people want to evade copyright enforcers? Seems that if you decide it's the latter you are prepared to give away the privacy of many (those who arent copyright thieves) for the protection of the few (those that own IP that is being copied)...

You know giving up the first little bit is always the easiest...

Shocked. Shocked!

[guspasho]

As a BitTorrent user, I was shocked that anyone with a box connected to the Internet can spy on what everyone is downloading on BitTorrent."

Really? All you have to do is be on the torrent and connect to them.

Re:

[Peach Rings]

You mean, all you have to do is send a simple request to the tracker, which will happily provide you with a fairly complete list of peers.

And people make themselves available on the DHT network.

And people offer their peers freely through PEX.

Re:Shocked. Shocked!

[CondeZer0]

> You mean, all you have to do is send a simple request to the tracker, which will happily provide you with a fairly complete list of peers.

Most trackers (at least most public/open trackers [trackon.org]) insert random ips to give a degree of 'plausible deniability'.

This of course is not perfect, but to be certain that a peer is serving a file the only way is to actually try to connect to it and fetch some blocks, which is quite a bit more work than just querying the tracker, specially if you have to do it for hundreds of thousands of torrents.

Re:Shocked. Shocked!

[peragrin]

you forgot the real part.

You then have to download the entire thing to find out if those blocks are part of IronMan2.avi are actually part of ironman2 movie or some dumb students project on feeding excessive iron to a man.

what percentage of the RIAA music takedowns where not actually infringing music but someone's project with a similar name? I know of at least 3 separate incidents where they made a school take down a professors own notes because of a file name.

Re:

[CondeZer0]

This is a good point, but I assumed that if they can get a few random blocks that match the hash, that would probably be enough evidence form a legal point of view.

Re:

[CondeZer0]

Still only needs to download the whole file once at most, not once from every peer.

Re:

[klapaucjusz]

You then have to download the entire thing to find out if those blocks are part of IronMan2.avi are actually part of ironman2 movie or some dumb students project on feeding excessive iron to a man.

Not in BitTorrent.

A torrent is uniquely identified by its "info-hash", and the first thing you do when you connect to a peer is to agree on the info-hash. So with BitTorrent, you only need to download the file once, check that it is the right file, and then ask all of the peers you find whether they are distributing files with this particular info-hash.

Re:

[ravenspear]

Yeah I mean, that's really not a surprise. The torrent would be pretty useless if you couldn't connect to the other clients on it. And to connect to them you need to know the ip address.

Some torrent clients have a handy browser that lets you view the IPs of all connected clients.

Now, connecting to all torrents on the net would take some effort, but if you were able to do that then you would be able to see everyone using BitTorrent.

Re:

[Bigjeff5]

Now, connecting to all torrents on the net would take some effort, but if you were able to do that then you would be able to see everyone using BitTorrent.

Not really, there are a relatively small number of tracker servers, once you have access to the tracker it should be pretty trivial scripting out a request for each torrent they have on the server.

Private servers I'd expect they would not be able to connect to, but otherwise most of the trackers are public enough that they could crawl for most of them. It certainly not an easy undertaking, but it's far from shocking in my opinion. I think the OP just had no real concept of how BitTorrent works.

Re:Shocked. Shocked!

[natehoy]

Yeah, I'm shocked that anyone could be shocked.

P2P means "Peer to Peer". That means your computer makes a direct connection to other users who seed or leech you. In order to do that, you need to give your IP address so they know who to talk back to. IP addresses resolve to a host, which can always identify your ISP and in rarer cases can identify your username on the ISP (this is thankfully very rare any more).

I wonder how shocked the poster of this article would be if he realized that every web page he visits gets the same exact information?

Re:

[iamhassi]

"Really? All you have to do is be on the torrent and connect to them."

What about protocol encryption [torrentfreak.com] or PeerGuardian [phoenixlabs.org]? Do either of these help or are they worthless? Article is very light on details, just says "use torrent, we c u IPs"

Re:

[ravenspear]

Encryption masks the content of what you are transferring. You still have to know who to connect to.

This is not an important security article.

[Spazntwich]

It is an important reminder of just how ignorant most technology users are of the very tools they're using.

Re:

[vxice]

Shocking, shocking I say that when I use p2p to upload and download files to other people that someone could possibly be sitting around listening to and recording my requests for data as well as requesting data that I have sourced that they 'want' who would have guessed?

Re:

[phantomcircuit]

The only thing even slightly interesting about this is how centralized the trackers actually are.

But I guess they wouldn't see the private trackers at all.

Re:This is not an important security article.

[0100010001010011]

I download something from Napster
  And the same guy I downloaded it from starts downloading it from me when I'm done
  I message him and say "What are you doing? I just got that from you"
  "getting my song back fucker"

- bash [bash.org]

Redacted

[StikyPad]

[This post removed under the first rule of USENET.]

Re:

[Anonymous Coward]

But if I copy the redacted post and paste into my favorite editor, all is revealed!

Re:

[value_added]

ME TOO!

--
anon@aol.com

Re:

[HTH NE1]

ME TOO!

tl;dr

Re:

[Bigjeff5]

[This post removed under the first rule of USENET.]

Don't tell me, "Don't talk about USENET?"

Good!

[feepness]

As a BitTorrent user, I was shocked that anyone with a box connected to the Internet can spy on what everyone is downloading on BitTorrent.

This is good news. It means BitTorrent is no longer relegated to those who are even remotely user savvy. This means more sharing!

Hint: BitTorrent is a protocol that relies on users talking to each other about what they're downloading. This, strangely enough, provides users with information on what everyone is downloading on BitTorrent.

Re:Good!

[Jer]

Actually, despite the credulousness of the summary poster, if you click through to the abstract you also get this bit:

To circumvent this kind of monitoring, BitTorrent users are increasingly using anonymizing networks such as Tor to hide their IP address from the tracker and, possibly, from other peers. However, we showed that it is possible to retrieve the IP address for more than 70% of BitTorrent users on top of Tor [LMC_POST10]. Moreover, once the IP address of a peer is retrieved, it is possible to link to the IP address other applications used by this peer on top of Tor.

Perhaps I'm exposing my own ignorance (because I've never felt the need to use Tor myself) but that strikes me as surprising if it's true. And something that even savvy internet users might not think about.

Re:Good!

[Knara]

Well, things like Javascript can expose the originating IP over Tor to the receiver, so it's probably not a large leap to assume that you can look at torrrent traffic and find the originating IP at the application level.

That said, its a "problem" with the originating application, not Tor specifically. As said on the Tor website "Tor does not automatically make all your communications secure."

Re:Good!

[blair1q]

No, it's a pretty simple application of basic undercover investigative technique.

They pretended to be part of the Tor web, joining it at a point where the user's IP address was visible.

People willingly handed them the IP address.

And since the web was fairly limited in size, and connection points were selected randomly, and most users did multiple connections over time, eventually 70% of users willingly handed them the IP address. Since Tor has no way of ensuring trust in its security servers, its security is void. You couldn't have designed it better to funnel users' IP addresses to a spy unless you had only one server in the whole web and faked the rest of the topology.

it was wide-open to being exploited by sting operations.

This is also the reason you should never trust anonymizing proxy servers or Arab sheiks [wikipedia.org].

There's nothing so useless as a lock with a voice imprint - Lord President Borusa

Re:

[plasticsquirrel]

Yeah, some assholes use Tor for BitTorrent, and it's awful for the network. Then people like me who live behind the Great Firewall of China, get slower-than-molasses browsing of censored web sites (terrible things like Google Pages, Blogger, anything from Taiwan, any page containing a string the PRC doesn't like, etc.). The main use for such work-arounds is usually just for my own research and education, and this is the basic reason that Tor exists. Users who run BitTorrent through Tor are really abusing wh

Hi, I'm new here

[EkriirkE]

You mean to tell me when I connect to a large pool of people, there is a large pool of people there?

Re:

[Bigjeff5]

You'll also be surprised to know that when you tell everybody what you're downloading, everybody knows what you're downloading.

Shocking, I know, and completely counter-intuitive, but there it is.

OMG

[Anonymous Coward]

This must mean my IP address is being BROADCAST TO THE WORLD! And I thought I had punched the monkey to prevent this.

Shocked?

[Zedrick]

First day on the internet? Welcome.

Re:

[Bigjeff5]

Come on now, it could reasonably be his second or third. Don't be so hard on the guy!

are you new here?

[Colin Smith]

As a BitTorrent user, I was shocked that anyone with a box connected to the Internet can spy on what everyone is downloading on BitTorrent."

Why? Have you been downloading really compromising porn?

WTF? It's peer to peer. All they need to do is have a copy and other people download stuff from you... so you know what they're downloading...

 

Re:

[Spad]

Much worse, it was the Backstreet Boys discography.

Everyone?

[neoform]

BitTorrent user, I was shocked that anyone with a box connected to the Internet can spy on what everyone is downloading on BitTorrent.

How could they possibly spy on me if I'm using a private tracker with DHT disabled?

Re:

[CondeZer0]

> How could they possibly spy on me if I'm using a private tracker with DHT disabled?

They can't.

While ignorance is widespread among bitorrent users (as the poster illustrates with his surprise at this story), this story also seems to include some amount of FUD.

Re:

[blueg3]

By story, you mean the submitter's comment on the story. Both the "quote" from TFS and also TFA say "most", not "all".

Re:

[blueg3]

You're assuming, among other things, that everyone else in the torrent has PEX disabled -- or at least that the "private" flag in the metainfo file is set and that everyone's torrent software honors that by disabling PEX.

Well duhh! Of course you can find thm out!

[MarkTina]

It's P2P, you can't hide your IP from someone when they ask for a bit of movie file and your computer cheerfully sends it! It's the equivilant of the police walking down your street shouting "Are their any thieves here ?", and you sticking your head out the window to shout back "Yes Me me me! I'm a thief!!" ;-)

The best you can do is not respond to requests from IPs on a block list ... or steal Wifi from a poorly secured neighbour.

Re:

[CannonballHead]

or steal Wifi from a poorly secured neighbour.

That's not theft, it is only theft if you take a physical object... ;)

[sarcasm]

Wouldn't Peer Guardian prevent this?

[jbeach]

Or is that completely wrong and sooooo 2009?

Re:

[blueg3]

Only if they have an IP address in a known-dangerous block. Being security researchers, they're probably well-aware that an excellent way to spy on P2P users is with a laptop on a local coffee shop's WiFi.

Nice

[Hognoxious]

I was at the 3rd USENIX Workshop on Large-Scale Exploits and Emergent Threats yesterday

Awesome. Meet any chicks?

Sees thru TOR!?

[JackSpratts]

Well thank God TOR is transparent.

- JackSpratts

Founder, Society for the Elimination of Opacity. ;)

They cracked Tor?

[VTI9600]

That you can view peers on a BT network is not shocking. What deserves more attention is the fact that they were able to identify IP's of even those users who used Tor. Of course, BT and Tor should never be mixed (to protect the network of those who need privacy for something other than piracy). This just proves it.

Re:

[FooHentai]

Proves it? The two points you mentioned are valid but not related.

fear-mongerish

[drDugan]

Saying you "can spy on what everyone is downloading on BitTorrent" and TFA stating "major privacy threat" are over-the-top and fear-mongering exaggerations.

A more accurate way to state this is: Using BitTorrent will make our IP address public regarding what content is downloaded and shared online from that IP address. When someone monitors the same content, then they can log your IP address. This is obvious from how the protocol works to anyone who looks into privacy questions seriously. Yes, there is less privacy with what you download with BitTorrent compared to a direct download, as other people also sharing the same content can see your IP address.

But remember, with every download method online someone else knows you have downloaded it, with direct downloads and with all the different peer-to-peer distribution options. If you go to Adobe and download the latest Photoshop demo, they know, they log your IP, and usually even ask for even more information about you.

The only a real privacy problem (a "major threat") is for people using BitTorrent for illegal redistribution of content; it is not a major problem for distribution of open licensed or public domain content, businesses or organizations using BitTorrent for distribution to lower costs, or to distribute free content for viral or marketing purposes.

(Disclaimer: our company, ClearBits, does exactly this, offers distribution as a service to others, and we use BitTorrent extensively)

card

[RichardJenkins]

As a BitTorrent user, I was shocked that anyone with a box connected to the Internet can spy on what everyone is downloading on BitTorrent.

Your geek card, hand it in!

If you think that's fun...

[Call Me Black Cloud]

1. Host TOR exit node
2. Eavesdrop on traffic
3. Post results [wired.com]
...
4. Profit!

I'm sure the traffic coming out of TOR is far more interesting than BitTorrent traffic (unless you're a media company).

Re:

[2obvious4u]

Did you know when reading you really only look at the first and last letter? [ecenglish.com] Your mind fills in the rest. So that comment just shows where your mind is.

Re:

[HTH NE1]

Yeah, that has been disproven.

There exist pairs of words which are anagrams of each other while still having the same first and last letter. Thus you would not be able to distinguish them if the intervening letters were scrambled. Two examples are protuberantial/perturbational and, even more on point, undefinability/unidentifiably.

Re:

[biryokumaru]

No, it means their conclusion is highly flawed. Or, at least, 2obvious4u's interpretation of their conclusion.

Re:

[EkriirkE]

Encryption only helps when sniffing someone's network for BT traffic as ISPs do. All you need to do is open your favorite torrent client, wait for the tracker for your *.torrent to give you peers and look at your peers window. Pure unadulterated IPs, for which the client either allows to connect directly to you, or you connect directly to them.

If for some reason your client doesn't have a peers tab/window, just do a netstat and see the flood of IPs and hosts you are connected with.

Re:

[JWSmythe]

Correct. The ISP can't identify your traffic, but the endpoints obviously can. Otherwise, the encryption would be worthless.

That's an argument I've had with people about https:/// [https] sites. Sure, the data is hidden in between your machine and the server, but both ends know exactly what it is. Otherwise, it just wouldn't work.

From your machine, you can see who is requesting what from you, and likewise they can see what you request from them.

It can

Re:

[ClioCJS]

You mean, if 480i is acceptable to you. If you want 1080p because you sit 4 ft from a 52 inch screen [like the one I'm typing on right now], then it's not quite so trivial, is it? [is it? really.. i'd like to know]