Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
The Internet Media

Finnish Firm Claims Fake P2P Hash Technology 748

An anonymous reader writes "As reported by The Inquirer, a Finnish company known as Viralg Oy claim to have developed software that can create a junk file with the same hash as a genuine p2p download. This, according to the company, can altogether stop the sharing of copywritten files by flooding p2p networks with corrupt/junk data, which then spreads through the network, causing less and less of the original file to be available. However, with the resolve of the p2p userbase, is this software really going to 'beat all Peer 2 Peer pirates at their own game,' or simply prove a minor annoyance?"
This discussion has been archived. No new comments can be posted.

Finnish Firm Claims Fake P2P Hash Technology

Comments Filter:
  • Just an annoyance (Score:4, Insightful)

    by whoppers ( 307299 ) on Monday April 18, 2005 @02:29PM (#12272753)
    People will always creatively find a way around everything!
    • by bherman ( 531936 ) on Monday April 18, 2005 @02:30PM (#12272780) Homepage
      Except /. dupes!
    • by Psiolent ( 160884 ) on Monday April 18, 2005 @02:32PM (#12272807)
      Ah, yes. That ancient principle pontificated by Dr. Ian Malcolm: Life will find a way.
    • Agreed (Score:5, Interesting)

      by John Seminal ( 698722 ) on Monday April 18, 2005 @02:39PM (#12272932) Journal
      I wonder why people who use P2P don't help each other out a little more. For example, you have someone with 200 files shared. They are downloading and sharing at the same time. Sometimes they download a bad file, and share it. It would make more sense to have a "unchecked" folder for downloads, then more it to the "checked" folder to share.

      What is neat, or not so neat depending on your point of view, are music files which deteriorate after a while. I don't know how they are made, but I have listened to music that sounds pretty good, but after the 10th playing it starts skipping. Or it could be those skips are not very noticable when first played, but once identified, they become annoying.

      • Re:Agreed (Score:3, Insightful)

        by metamatic ( 202216 )
        I have listened to music that sounds pretty good, but after the 10th playing it starts skipping. Or it could be those skips are not very noticable when first played, but once identified, they become annoying.

        I suspect your hard drive is failing.

      • Re:Agreed (Score:3, Funny)

        by UrgleHoth ( 50415 )
        What is neat, or not so neat depending on your point of view, are music files which deteriorate after a while. I don't know how they are made, but I have listened to music that sounds pretty good, but after the 10th playing it starts skipping.

        These are zoot files. Every once in a while, they skip a groove.
      • Re:Agreed (Score:3, Interesting)

        by Nebu ( 566313 )

        Sometimes they download a bad file, and share it. It would make more sense to have a "unchecked" folder for downloads, then more it to the "checked" folder to share.

        The filesharing programs I use force you to share the directory you download into. Sure, I could name the download directory "unchecked", but few people bother to view the full paths as set by the sources from the people they download.

        What is neat, or not so neat depending on your point of view, are music files which deteriorate after a w

      • Re:Agreed (Score:3, Informative)

        Shareaza has a "commenting" system for just this purpose.
      • Re:Agreed (Score:3, Informative)

        by Jjeff1 ( 636051 )
        I've also heard MP3s that work fine on my PC, but skipped horribly on my car player. Different players handle corrupted or badly compressed files differently.
      • Re:Agreed (Score:5, Insightful)

        by Have Blue ( 616 ) on Monday April 18, 2005 @03:29PM (#12273656) Homepage
        Because the vast, vast majority of P2P users are trying to get stuff for free, not create an alternative-media-distribution free-expression utopia. They're not going to do anything on anyone else's behalf because it does not directly benefit them or immediately help them get more free stuff faster.
      • incomplete downloads (Score:4, Informative)

        by TamMan2000 ( 578899 ) on Monday April 18, 2005 @03:43PM (#12273863) Journal
        I wonder why people who use P2P don't help each other out a little more. For example, you have someone with 200 files shared. They are downloading and sharing at the same time. Sometimes they download a bad file, and share it. It would make more sense to have a "unchecked" folder for downloads, then more it to the "checked" folder to share.

        That would break a feature which enables greater sharing... Uploading of parts of files that you do not have all of. Think BitTorrent, but less organized...
      • Re:Agreed (Score:4, Funny)

        by Anonymous Coward on Monday April 18, 2005 @03:47PM (#12273919)
        What is neat, or not so neat depending on your point of view, are music files which deteriorate after a while. I don't know how they are made, but I have listened to music that sounds pretty good, but after the 10th playing it starts skipping.

        The files are perfectly normal -- you're simply realizing that most of the music out there is trash which simply repeats the same verses over and over again so much that it sounds like it's skipping. Add to that the endless remixes which ruin perfectly good songs, and I can see how you'd mistake that with repetitive skipping. Rest assured that a better choice in music will alleviate this problem.
    • Re:Just an annoyance (Score:4, Interesting)

      by merlin_jim ( 302773 ) <James@McCracken.stratapult@com> on Monday April 18, 2005 @02:51PM (#12273100)
      For instance, hash with two different algorithms. In theory it is possible to find a file that can hash to the same value in two different algorithms, but its a lot harder than finding a file that hashes to a specific value in one algorithm.
    • This is so stupid (Score:5, Insightful)

      by commodoresloat ( 172735 ) on Monday April 18, 2005 @03:30PM (#12273669)
      If the copyright issues were not present here and someone built a program that did something like this, they would be universally reviled as a malicious hacker. Hey! Here's a program that creates phony web pages with false information masquerading as legitimate pages! Here's one that copies Excel spreadsheets on the web and subtly pollutes the database with phony information, then stores multiple copies around with the same name! This handy tool attaches to a photocopy machine and randomly scrambles the words on the page you are photocopying!!

      P2P is a technology. Yes it can be used for copyright violations, just like a photocopy machine or tape recorder. But it also has amazing possibilities in terms of creating a universal organic archive. Crippling like this -- and through using lawsuits -- is an unnecessary attack on a system in its infancy.

      The copyright issues will work themselves out -- until the 20th century human art and ingenuity survived for thousands of years without the ability to make millions selling recorded music and video. If p2p has a major effect on the entertainment industry's ability to profit (and I'm still not convinced that it really will), human art and culture will survive. And people will continue to find ways to make a living creating art.

      • Re:This is so stupid (Score:4, Interesting)

        by WaterBreath ( 812358 ) on Monday April 18, 2005 @04:07PM (#12274212)
        Yes it can be used for copyright violations, just like a photocopy machine or tape recorder.

        And those things were each also embroiled in copyright lawsuits by big corporations in their day. The difference is that today, the big corps have finally gained enough political leverage to get it their way.

        Corporations are the new first-class citizens. Any individual, regardless of race, gender, or creed, is second-class compared to a corporation.

        I honestly fear that by the time the American people get fed-up enough to realize this, the transformation will be complete, and we will be powerless to change it.

      • Re:This is so stupid (Score:3, Interesting)

        by patio11 ( 857072 )
        This doesn't cripple P2P. It just makes a dent in pirate-2-pirate. There is a difference, you realize. The Blizzard Bittorrent patch downloader will still function perfectly. Indie bands who release their new CDs to Kazaa won't have anybody trying to pollute their download pools. And it probably won't even work, more's the pity.
      • by kamapuaa ( 555446 )
        You realize this technology doesn't block *all* p2p traffic, right?

        The main concern shouldn't be the use by the RIAA or MPAA to stop the bootlegging of copyrighted concerns. It's within their rights. The main concern should be possibility of the technology getting out to griefers who block the legitimate use of Bittorrent.

        But honestly, if this doesn't get out to hackers (which it probably will), this is a lot better solution than having to sue warez websites, or the users who illegally trade movies.

      • by StikyPad ( 445176 )
        If the copyright issues were not present here and someone built a program that did something like this, they would be universally reviled as a malicious hacker.

        This isn't some idealistic universe where all decisions are morally right or wrong regardless of the criteria. Your knee-jerk reaction is baseless and inflammatory.

        "Look people.. If this gangrene wasn't present here, chopping off my leg would be completely unacceptable! How can we just go around chopping off people's legs? Just because I have g
  • by Flywheels of Fire ( 836557 ) on Monday April 18, 2005 @02:29PM (#12272756) Homepage
    This is not true. It might work on Kazaa but most other P2P networks use MD5 or better. Okay, they have found collisions but no one has found a way to generate file for a given key. So the claim by the finnish company is bogus.

    Or they have cracked even the strong hashes. In which case they are really cool. I know Mr. Torvalds is Finnish, but I doubt even he could come up with algorithms to do that.

    In their conceited press release, they have compared Spoofing vs DRP/a [mithuro.com]

  • by B3ryllium ( 571199 ) on Monday April 18, 2005 @02:29PM (#12272760) Homepage
    Bah! Screw you guys. I'll just make my own P2P hash algorithm. With blackjack. And hookers. In fact, forget the P2p hash algorithm. And the blackjack.
    • Bah! Screw you guys. I'll just make my own P2P hash algorithm. With blackjack. And hookers. In fact, forget the P2p hash algorithm. And the blackjack.

      Forget the p2p algorithm and the blackjack, I'll take the HASH!

  • "Copyrighted" (Score:5, Informative)

    by As Seen On TV ( 857673 ) <asseen@gmail.com> on Monday April 18, 2005 @02:29PM (#12272762)
    It's "copyrighted," not "copywritten." We're talking about rights, not writings.
  • Preview/Trailer (Score:3, Interesting)

    by fembots ( 753724 ) on Monday April 18, 2005 @02:29PM (#12272767) Homepage
    I guess there are two schools here.

    One believes this kind of fake files will only add burden to the internet, as users will just download one fake file after another until they got a hit.

    The other believes that such annoyance will put most people off, because the total time/cost it takes to acquire something is now higher than the actual product.

    I don't think MP3s will be affected because you can start playing the song if you've got the first bit. Can/will other file formats do that too?
  • Coral Cache (Score:5, Informative)

    by Anonymous Coward on Monday April 18, 2005 @02:29PM (#12272771)
    I took the liberty of pre-caching the site on Coral before it went live - http://www.viralg.com.nyud.net:8090/index.html [nyud.net]. I think Slashdot should really consider doing this as part of the proceedure...this site won't last a minute under the weight of our collective, nerdy asses.
    • by lpp ( 115405 )
      won't last a minute under the weight of our collective, nerdy asses


      What would?
    • I'm trying to figure out why the guy on this website's banner is pointing (what looks like) a Gamecube controller at me. Is he going to ruin our P2P experience from a Nintendo? How 1337.
  • The question is.. (Score:3, Interesting)

    by k98sven ( 324383 ) on Monday April 18, 2005 @02:30PM (#12272776) Journal
    How big is that 'junk file'?
  • Possible? Yeah (Score:5, Interesting)

    by robpoe ( 578975 ) on Monday April 18, 2005 @02:30PM (#12272777)
    I've always thought it would be extremely possible to create a file with the same MD5 hash.

    Now, what the company has to do is create a file of the SAME FILE SIZE, with the same MD5 hash that's a fake .. then I'll be impressed.
  • by dgatwood ( 11270 ) on Monday April 18, 2005 @02:30PM (#12272779) Homepage Journal
    ...but if you can create a random junk file in a reasonable period of time, the mechanism can probably be extended easily enough to make it possible to add arbitrary junk to the end of a trojaned executable in a future version of the tool....

  • claims? (Score:5, Interesting)

    by geoffspear ( 692508 ) * on Monday April 18, 2005 @02:30PM (#12272783) Homepage
    I read the article and everything I could find by following links on their website, and found no reference to how their product supposedly works, or any claim having to do with identical hashes. Did the article submitter just make up the identical hash claim, or is there more information on this product available somewhere else?

    What hashing algorithm do they claim to have broken so completely? Sounds like BS to me.

    • Re:claims? (Score:3, Informative)

      by SpecBear ( 769433 )
      Looks like a fraud/hoax/jok/whatever.
      • There's no text on the site. It's all images and flash animations. This immediately raises suspicions.
      • They claim that the technology has already been successfully used by BMG.
      • No Company info, phone number, or address, just a single email address
      • No details of how the tech works.
      • Claims 100% effectiveness.
      • Red alert phrase: "virtual algorithm"

      Anybody remember the name of that company that promised extremely high lossless compression rates on arbitrary files?

  • by Ann Elk ( 668880 ) on Monday April 18, 2005 @02:30PM (#12272785)

    Bullshit. "Virtual Algorithms" my ass.

  • Well, there have been reports that some hash algrorithms are prone to "collisons" i.e. it is possible to find, with some effort, files that produce the same hash value and having the same size despite having different content.
    The easy solution:
    Use a safer Hash function.
    • Use a safer Hash function.

      Or even better, use more than one. If file_x is hashed 10 different ways, using 10 different algorithms, there's no way the file generated by this firm will behave the same way for ALL of them, perhaps not even for two.

  • by FortKnox ( 169099 ) * on Monday April 18, 2005 @02:31PM (#12272789) Homepage Journal
    ... it only takes most pirates (at most) a week to find a work around and everything is back to (pirating) normal.
  • Er.. (Score:3, Interesting)

    by t_allardyce ( 48447 ) on Monday April 18, 2005 @02:31PM (#12272796) Journal
    They might be able to fake one hash, but don't most P2P networks use a combination of different hashes? if not then it would be easy to implement - you can either go for more than one different type of hash like md5 and sha etc or add salt/pepper to a chunk and make any number of hashes where each additional hash makes it insanely harder to crack..
  • Add another hash (Score:2, Insightful)

    by Fjornir ( 516960 )
    *shrug* Then the p2p networks will respond by using two different hashing algorithms, and a collision will be that much harder to generate.

    Their site is down so I can't get any real details, but I think this is smoke and mirrors in any case.

  • Possible Solution (Score:3, Insightful)

    by BlacBaron ( 875559 ) on Monday April 18, 2005 @02:31PM (#12272806) Homepage
    Use 2 (or more) different hashing algorithms on the file, and check the file size.

    I'm pretty sure that should reduce the collisions to some stupidly small value.
  • by Zarhan ( 415465 ) on Monday April 18, 2005 @02:32PM (#12272815)
    in pdf form [espacenet.com]

    Note the claims section and references - they keep talking about Napster and Kazaa - nothing about anything that use hashes.
    • Thanks for the link. If you look at page four of the document, it explains that because the UUHash algorithm used by Kazaa hashes only a small part of the file it is feasible to change other parts and produce hash collisions through brute-force attacks. Then the attacker just pretends to be a normal node and feeds bad data into the network.
      The obvious way to counter this is to either fix Kazaa or switch to a network where the whole file is hashed.
  • by TheFlyingGoat ( 161967 ) on Monday April 18, 2005 @02:34PM (#12272842) Homepage Journal
    Don't most P2P programs use MD5? I was also under the assumption that P2P programs do a checksum on each piece of the file they receive, and if it's inaccurate it automatically re-downloads that part of the file. I've had pieces of a bittorrent download fail due to corruption and the client has just downloaded that part again.

    Seems like this company's setup would only work in very specific circumstances, meaning it won't have much of an effect at all.
  • Seems bogus to me (Score:5, Informative)

    by gtoomey ( 528943 ) on Monday April 18, 2005 @02:34PM (#12272844)
    It takes 2^69 operations to find collisions with SHA1 [cryptography.com]

    Unless they have lots of supercomputer time, seeding the occasional p2p file with bad data will be very expensive.

    • Re:Seems bogus to me (Score:5, Informative)

      by pjrc ( 134994 ) <paul@pjrc.com> on Monday April 18, 2005 @03:09PM (#12273345) Homepage Journal
      Remember that those 2^69 "operations" (each many CPU cycles) are for a SHA1 "collision" attack. A "preimage" attack that would be necessary to inject corrupt data into a p2p network using SHA1 (such as Bittorrent) is much harder and has not been discovered and published.

      Quoting from the linked page [cryptography.com]:

      Q: What is a collision attack and a preimage attack?
      A: A preimage attack would enable someone to find an input message that causes a hash function to produce a particular output. In contrast, a collision attack finds two messages with the same hash, but the attacker can't pick what the hash will be. The attacks announced at CRYPTO 2004 are collision attacks, not preimage attacks.

  • Sharing (Score:3, Interesting)

    by man_ls ( 248470 ) on Monday April 18, 2005 @02:34PM (#12272855)
    The time-vs-accuracy tradeoff is a big one. One client which I know some people who use, takes almost 48 hours to index a full hard drive of files to share, and hash them all.

    Anything less robust, you're liable to have collisions, such as these, apparently. Any more, and if you have a lot of files, there's a major time committment before you can actually begin to serve anything -- most people aren't willing to have their CPU pegged for 2 days straight while their P2P client hashes their 35,000 MP3s and 200 movies, or so.
  • Hash (Score:3, Interesting)

    by PureCreditor ( 300490 ) on Monday April 18, 2005 @02:35PM (#12272877)
    isn't the whole point of a hash is that it's computationally-infeasible to create a file that that H(new file)=H(original).

    if this technology is true, it'll completely undermine the safety of today's unix passwords, which are stored in clear text of their hash.
  • By God (Score:5, Insightful)

    by somethinghollow ( 530478 ) on Monday April 18, 2005 @02:35PM (#12272878) Homepage Journal
    If I have one of these files and share the hell out of it, I better not be contacted by RIAA. If this spreads, not only will it make sharing difficult, it will make tracking legitimate (haha) piracy more difficult to detect. This (sort of) reminds me of a more high tech version of the time everyone started changing the name of their tracks to things like "Br1tn3y Sp34rs" to evade blocked searches.
  • by mihalis ( 28146 ) on Monday April 18, 2005 @02:39PM (#12272931) Homepage

    Let's just concede they can actually produce a junk file which has the same hash. I'll even skip over which hash - let's also say it's one of the useful ones.

    I'd be tempted to step up the credentials for a file, say one hash for the entire file, and another for the first 1kb, and so on. It should get significantly harder with each additional verification point.

  • by miracle69 ( 34841 ) on Monday April 18, 2005 @02:41PM (#12272946)
    I'm switching to hashish.
  • Sword Cuts Both Ways (Score:3, Interesting)

    by 4of12 ( 97621 ) on Monday April 18, 2005 @02:41PM (#12272958) Homepage Journal

    If someone can really poison P2P networks with junk that hash matches (and I have a difficult time believing they've cracked all the hash generators), then consider some hypothetical entity probing illicit distribution of copyrighted material using hashes. They could end up making false accusations against individuals for trading trash instead of Trash©.

  • bittorrent uses sha1 (Score:3, Informative)

    by pjrc ( 134994 ) <paul@pjrc.com> on Monday April 18, 2005 @02:43PM (#12272984) Homepage Journal
    Hard to believe this is gonna work on bittorrent... the most important file sharing app in use today.

    The Bittorrent protocol uses SHA1 hashing [bittorrent.com].

    Yes, there was recently a paper presented that "broke" SHA1, but the result is 2**69 operations instead of 2**80 [schneier.com] to find a SHA1 collision. 2**69 is still a very large number of operations... a lot less than a full 2**80, but still a prohibitively large number (more costly than the actual realized losses the entertainment industry is suffering).

  • Collateral Damage (Score:5, Insightful)

    by DumbSwede ( 521261 ) <slashdotbin@hotmail.com> on Monday April 18, 2005 @02:43PM (#12272985) Homepage Journal
    Since P2P can also distribute legitimate files (I am looking into one such project even now) this can only be seen as something that will lead to unintended collateral damage(assuming it works of course).

    Here is a tool specifically designed to cripple the flow of data, how can it be thought of as anything but a virus? Should it work I could see TV and Movie studios using it surreptitiously to cripple net-based fledgling media companies.

    This should be outlawed just like another intentionally malevolent software. Why shouldn't everyone write viruses and malware when the big guys do it and the government sanctions it. This is just the kind of thing that keeps web commerce from taking off to its full potential.

  • by Progman3K ( 515744 ) on Monday April 18, 2005 @02:45PM (#12273019)
    If increasing the noise ratio on P2P networks is a good thing, maybe we can use a similar technique to defeat spammers?

    For example, if we could pollute spammers' email address databases with millions of bogus e-mail addresses, then instead of delivering millions of spam e-mails to real e-mail accounts every day, maybe spammers could only reliably send a few hundred to users, the rest of their messages would be to bogus addresses and be "noise" that spammers have to deal with.

    How could we go about doing this?
    • by rbarreira ( 836272 ) on Monday April 18, 2005 @04:14PM (#12274310) Homepage
      Your post advocates a

      (X) technical ( ) legislative ( ) market-based ( ) vigilante

      approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

      ( ) Spammers can easily use it to harvest email addresses
      ( ) Mailing lists and other legitimate email uses would be affected
      ( ) No one will be able to find the guy or collect the money
      ( ) It is defenseless against brute force attacks
      ( ) It will stop spam for two weeks and then we'll be stuck with it
      ( ) Users of email will not put up with it
      ( ) Microsoft will not put up with it
      ( ) The police will not put up with it
      ( ) Requires too much cooperation from spammers
      ( ) Requires immediate total cooperation from everybody at once
      ( ) Many email users cannot afford to lose business or alienate potential employers
      (X) Spammers don't care about invalid addresses in their lists
      ( ) Anyone could anonymously destroy anyone else's career or business

      Specifically, your plan fails to account for

      ( ) Laws expressly prohibiting it
      ( ) Lack of centrally controlling authority for email
      ( ) Open relays in foreign countries
      ( ) Ease of searching tiny alphanumeric address space of all email addresses
      ( ) Asshats
      ( ) Jurisdictional problems
      ( ) Unpopularity of weird new taxes
      ( ) Public reluctance to accept weird new forms of money
      ( ) Huge existing software investment in SMTP
      ( ) Susceptibility of protocols other than SMTP to attack
      ( ) Willingness of users to install OS patches received by email
      ( ) Armies of worm riddled broadband-connected Windows boxes
      ( ) Eternal arms race involved in all filtering approaches
      (X) Extreme profitability of spam
      ( ) Joe jobs and/or identity theft
      ( ) Technically illiterate politicians
      ( ) Extreme stupidity on the part of people who do business with spammers
      ( ) Dishonesty on the part of spammers themselves
      ( ) Bandwidth costs that are unaffected by client filtering
      ( ) Outlook

      and the following philosophical objections may also apply:

      (X) Ideas similar to yours are easy to come up with, yet none have ever
      been shown practical
      ( ) Any scheme based on opt-out is unacceptable
      ( ) SMTP headers should not be the subject of legislation
      ( ) Blacklists suck
      ( ) Whitelists suck
      ( ) We should be able to talk about Viagra without being censored
      ( ) Countermeasures should not involve wire fraud or credit card fraud
      (X) Countermeasures should not involve sabotage of public networks
      ( ) Countermeasures must work if phased in gradually
      ( ) Sending email should be free
      ( ) Why should we have to trust you and your servers?
      ( ) Incompatiblity with open source or open source licenses [hey, it's Microsoft... they've probably already submitted the patent...]
      ( ) Feel-good measures do nothing to solve the problem
      ( ) Temporary/one-time email addresses are cumbersome
      ( ) I don't want the government reading my email
      ( ) Killing them that way is not slow and painful enough

      Furthermore, this is what I think about you:

      (X) Sorry dude, but I don't think it would work.
      ( ) This is a stupid idea, and you're a stupid person for suggesting it.
      ( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
  • by nizo ( 81281 ) * on Monday April 18, 2005 @02:45PM (#12273020) Homepage Journal
    What will they do when people like the files with random noise better than any of the current music?
  • by James Youngman ( 3732 ) <jay&gnu,org> on Monday April 18, 2005 @02:49PM (#12273080) Homepage
    I suppose their method is based on the fact that it turns out that it's easier to find SHA-1 and MD5 collisions than was earlier thought [schneier.com]. In fact there's another paper [hyperlink.cz] (this paper is not by the Chinese team) which shows that this can be achieved on individual PCs in mere hours, which puts this sort of thing into the realm of commercial exploitability.

    For example, you send the company a copy of the .mp3 file you want to drive out of circulation. They feed it to a computation cluster and eventually out comes another file which has the same hash. You then publish this new file with the same filename on the victim P2P network and hope that it spreads enough to poison the P2P well, so to speak. There are a number of problems with this scheme (assuming of course that this is the sort of scheme that they offer):

    1. The new 'collision' file might have the same MD5 hash, but is it a valid MP3 file?
    2. All it takes to beat this scheme is for P2P software to use more than one hash function, for example
      hash (data)
      {
      return concatenate(md5(data), sha1(data));
      }
      After all, even though we now know how to find collisions in MD5 and SHA-1 (quite slowly) we don't yet know an efficient way to find a single file that is a hash collision for both of them.
    3. If the company paying the money for the 'collision' file is doing so because somebody has spread their material around the P2P network, then the file must be quite prevalent. So why would they expect the 'collision' file to preferentially spread around the network enough to displace the original file?
  • by stlhawkeye ( 868951 ) on Monday April 18, 2005 @03:06PM (#12273315) Homepage Journal
    As anybody who reads Slashdot knows, perfectly legal and legitimate downloading comprises the majority of internet downloading, and actually bolsters profits to member organizations of such content ownership cartels as the RIAA.

    "This, according to the company, can altogether stop the sharing of copywritten files by flooding p2p networks with corrupt/junk data"

    Slashdot should rejoice at this! Since none of us download illegal material and nobody that any of us knows downloads illegal material, this technology might allow us to continue our legal, legitimate downloading of media and only target those handful of ruffians who engage in illegal filesharing. I'm all in favor of this!

  • by Jherek Carnelian ( 831679 ) on Monday April 18, 2005 @03:15PM (#12273435)
    Y'all are missing the point.
    These guys are not about taking out P2P.
    They are part of a denial of service attack against the RIAA and MPAA, and we need more companies like them in order to make it effective.

    You see, it works like this:

    1) Make up a really snazzing sound anti-piracy product,
    2) Back it with lots of sexy buzzwords and hand-waving
    3) Sell, sorry LICENSE, it for lots of money to the (RI|MP)AA.
    4) When it fails to perform, let in the next guy ready to do the same.

    Repeat until (RI|MP)AA bank accounts have been depleted.

  • by Effugas ( 2378 ) * on Monday April 18, 2005 @03:58PM (#12274095) Homepage
    It's a couple pages in my paper here [doxpara.com]. Basically, the first 300Kb of Kazaa's files are hashed normally, then every 32Kb chunk of the file is hashed independently. This allows independent chunks to be downloaded out of order. These out of order chunks are recursively hashed against one another to create one final value, called a "kzhash" [chronosempire.org.uk], which is verified after the file is downloaded.

    The attack is to use the recently released collision -- which creates two blocks that, when mixed against the default initial state of MD5, emit the same system state. Every 32K, you can embed one or the other in the file you're transmitting, and kzhash can't tell. What can you do with this? Morph a file as it traverses the network; have an installation executable describe the systems its being installed on as it propogates through a network. With a fairly large installer, you'd get quite a few bits in there.

    You still don't get to do random noise, and while it's no Tiger Tree, kzhashing doesn't appear so exploitable that this group is likely to have anything. I could be wrong, but then, virtual algorithm? Right.

If all the world's economists were laid end to end, we wouldn't reach a conclusion. -- William Baumol

Working...