Nullsoft's Waste: Encrypted, Distributed, Mesh Net

Myriad writes "Nullsoft, makers of the venerable Winamp MP3 player, released today a secure, distributed mesh-like networking protocal and platform called Waste. This v1.0 beta release uses RSA (key based) and Blowfish encryption for security, and features Instant Messanging and group chat, along with file browsing, searching, and transfer. Waste has been released under the GPL, with source and binaries available here."

Re:Gnutella

No, Ferrero [ferrero.de] makes Nutella [nutella.de].

Re:Gnutella

Yes, they did. However, AOL didn't like it and got it shut down within the day. Then someone (Justin Frankel?) leaked the source and the rest is history.

/joeyo

Re:Gnutella

This is just plain wrong. The source was never available, leaked or otherwise.

The protocol was reverse engineered, with a little assistance on IRC from deadbeef.

Re:Gnutella

deadbeef is justin frankel for anyone who is interested. same guy who did winamp, really a great software guy.

the reason why winamp 3 sucks so much, is because it's written by some other guy. justin isn't even in the credits of winamp3 .. sad

and now W A S T E

AOL must not like W A S T E either. it's been pulled and there's no trace of it on the nullsoft site. hope someone mirrored it...

Re:Gnutella

Indeed, here [slashdot.org] is the original slashdot story. Of course AOL quickly ended development at nullsoft, it lived on after the protocol had been reverse engineered and others picked up where nullsoft left off.

Everyone invented Gnutella

I think hundreds or thousands of coders thought of this shit, especially when Napster got shutdown.

I personally came across it when removing a section of my P2P anti hacking designed for Diablo 1 to be secure even without a central server.

Interestingly enough, I was going to call my Gnutella: Dumpster

Which is cool they're naming their software: Waste

Lets see how it turns out

Re:name "Waste" -- Pynchon's The Crying of Lot 49

I believe the name "Waste" is a references to Thomas Pynchon's novel "The Crying of Lot 49." In the novel, W.A.S.T.E is either a hoax or a secret system for communication, and (might) stand for "We Await Silent Tristero's Empire." Here's a little quote:

"Last night, she might have wondered what undergrounds apart from the couple she knew of communicated by WASTE system. By sunrise she could legitimately ask what undergrounds didn't....[H]ere were God knew how many citizens, deliberately choosing not to communicate by U.S. Mail. It was not an act of treason, nor possibly even of defiance. But it was a calculated withdrawal, from the life of the Republic, from its machinery. Whatever else was being denied them out of hate, indifference to the power of their vote, loopholes, simple ignorance, this withdrawal was their own, unpublicized, private. Since they could not have withdrawn into a vacuum (could they?), there had to exist the separate, silent, unsuspected world."

Hmmm....

AOL Time Warner (IIRC, owners of the second biggest recording company, not to mention one of the major recording studios) owns Nullsoft, which releases a program that the RIAA and MPAA will undoubtedly call a tool whose sole purpose is to illicitly distribute copyrighted works....

A cliche regarding:

• a left hand
• a right hand
• and a lack of knowledge

...comes to mind.

Re:Hmmm....

"undoubtedly call a tool whose sole purpose is to illicitly distribute copyrighted works"

uhh, waste is for small workgroups only ..

WASTE is a software product and protocol that enables secure distributed communication for small (on the order of 10-50 nodes) trusted groups of users.

it's not about p2p file sharing, rather it's a colaborative tool.

sure, you could use to to share illegal stuff, but it's really no different in that respect to email, icq, whatever.

By their calculations

To the MPAA, 50 nodes running on a fast network means there are really 300 wicked infidel filetraders!!!!

Re:Hmmm....

if you're not in encrypted communities for PIRATING, you're in it for TERRORISM.

Re:Hmmm....

AOL Time Warner (IIRC, owners of the second biggest recording company, not to mention one of the major recording studios) owns Nullsoft, which releases a program that the RIAA and MPAA will undoubtedly call a tool whose sole purpose is to illicitly distribute copyrighted works....

That was a joke right? And the moderators who marked it "interesting" and "insightful" really meant to mark it "funny", they just hit the wrong button, right?

In fact what we have here is a first cut at a secure distributed network presence system, something that would allow you to run an icq-like network between people you trust without being spied on by a central server. There are many reasons why one would want this: maybe *you* just want to trade copyrighted files, but *I* want to communicate securely and efficiently with my associates.

As for why AOL lets Nullsoft do things like this, I suppose the choice is either to let them work on what they want to or lose the talent. What Nullsoft is doing is the best thing for the net, and so is the best thing for AOL in the end.

The Right Hand Knows

In fact what we have here is a first cut at a secure distributed network presence system, something that would allow you to run an icq-like network between people you trust without being spied on by a central server. There are many reasons why one would want this: maybe *you* just want to trade copyrighted files, but *I* want to communicate securely and efficiently with my associates.

Besides which, this software isn't particularly useful for illicit file sharing. For that you need a way to get into contact with strangers who happen to have a copy of the file you want to download. The encryption features would actually seem to work against that.

Also, this is technology that might be very useful to AOL. AIM's big drawback is that it's not very secure, and really shouldn't be used for sensitive corporate communication. (Though the engineers at my last employer used it anyway.) AOL could persuade people that are already using AIM for free to upgrade to WASTE in order to secure their communications. Not to mention the other features.

We Await Silent Trystero's Empire!

Re:Hmmm....

which releases a program that the RIAA and MPAA will undoubtedly call a tool whose sole purpose is to illicitly distribute copyrighted works....

There is no reason to call it that. It is a communication tool that tries not to leak information. I would encourage RIAA members to use it themselves, to better secure internal conversations against unintentional leakage. I'm sure "they" send files to each other via email from time to time. Isn't this better? What's not to like?

As a long time cypherpunk, I'm glad this is here. Way back in '94, I wrote out a model of this sort of thing, but with decent routing and key exchange, and then got busy working for money. I'm glad someone is doing this, even if it doesn't work on a larger scale.

Please flame the evil cypherpunk vision below.

until when

Makes you wonder how long it will be until protocols/network designs are attacked on the same basis as the product derived from them. ie p2p/filesharing.

Considering nullsoft, might be a risky move.

Re:JabberIM does this

As much as I love Jabber, that's simply not true. Jabber has no widely implemented encryption between all links, and file transfer is not exactly its strong side.

Interesting

I haven't yet spotted any cryptographic "reviews" of this yet, but it certainly looks like an appealing platform to work with.

Going through the documentation, I found this:

From here [nullsoft.com]

Note: It might be worth implementing WASTE using a subset of SSL, to avoid any concern of flaws in this protocol. Feedback is gladly accepted on any potential weaknesses of the negotiation. We have spent a decent amount of time analyzing this, and although we have found a few things that are not ideal (i.e. if you know public keys from a network, you can sniff some traffic and do an offline dictionary attack on the network name/ID), but overall it seems decent. The current implementation probably needs work, too.

Which suggests to me that it isn't worth rushing out and developing application with *just* yet, until further reviews have occured (and the protocol has matured/evolved).

Re:I have to ask..

But you're also right, it won't gain wide acceptance unless there's easy way to connect to the "network".. I just opened the "Network status" dialog, and what do I type in?

There is no network. The goal isn't "wide acceptance". This isn't another way for you to get your mp3s, porn, whatever. Front page of the site, emphasis added:

WASTE is a software product and protocol that enables secure distributed communication for small (on the order of 10-50 nodes) trusted groups of users.

WASTE is designed to enable small companies and small teams within larger companies to easily communicate and collaborate in a secure and efficient fashion, independent of physical network topology.

Re:I have to ask..

I think this is meaningful, as it is an ad-hoc way of creating aa VPN. Also it would probably be faster if a few of the nodes have fast connections. If your friends don't see a reason behind this, then maybe it is not meant for your circle of friends. About the anonymous issue, note that Freenet already exists and works to handle that problem. This is meant to address a completely different issue

Re:I have to ask..

What's the point? If you can only connect to people who's key you have, and if only people who have your key can connect to you, this is going to be a pretty private thing.

Exactly, privacy is what it's all about. People tend to forget (or not realize to begin with) that every bit of chatter they send to one another on AIM goes through AOL's servers, every message they send to their buddy on MSN Messenger passes through Microsoft's servers, etc. Waste gives you the ability to conduct reasonably secure conversations and chat. Sure, it's not as geeky as running your own private IRC server wrapped in stunnel, but hey, the easier crypto becomes, the better.

The next time you want to have a chat with a friend, but you don't exactly want the contents bouncing all over the internet in plaintext, this looks like the perfect application. Reminds me somewhat of a program called SIMP [winfosec.com], which is a minimalistic Blowfish-ized IM program.

Re:I have to ask..

Eh, yes it does. Otherwise I'd have a lot more connections open while talking to people than just the one single connection to AOL's server. Hence the 'direct connect' button, which then DOES establish a direct connection to the server. Also, ICQ now uses modified versions of the AIM protocol(s) anyway (or at least, can run on them), so all ICQ traffic prolly goes through the servers too.

I bet the other networks are the same. MSN, Yahoo, etc. Direct connections are a bit slower to start up, and a bit more of a security risk, since you now know the other person's IP address.

Re:I have to ask..

If your not scared of Beta software, there's an IRC client that supports encryption for queries and even channel messages. You do have to share your key with whom ever you want to be able to read your messages however.

It's KVirc 3 over at www.kvirc.net [kvirc.net].
It's primarily writen for KDE/Linux but they also have a pre-compiled Win32 stand-alone.

Re:I have to ask..

The problem that we have here is that this network is NOT for piracy and therefore a lot of slashdot readers cannot see the use for it. Think instead of people working together - a workgroup as it where. For example why pay rental fees on an office when you can have a virtual one using tools such as this? Now I am not sure how great this tool is for that right not (I'm guessing - first release - not very) but I am sure it will come if people start using it.

Five minutes later

I read the article and immediately got excited. I downloaded all of the software and had it all setup and working within a few minutes. As of right now I'm living in an apartment and have no practical use, but on Monday I'm moving into my dorm room to start my summer class (bleh!) Anyway, I think this is so wonderful! I've been thinking about a secure network computing solution for my three computers when I'm at school. I have my server, workstation, and my laptop that I'd like to tie all together. The leading choice was vpn, but after playing around with this, I do think that running on my server and having the three of them connect to it, and maybe a few of my friends computers on campus, we can create a very nice, effective, small, and secure lan. Then again, after five minutes I haven't decided if the whole reinventing of the wheel is worth it. I'll probably try it out, and setup a vpn server too, and see which I like more.

Re:Five minutes later

VPN is better if you're a gamer...

Once you've set it up for a firewall, the f/w effectively vanishes inside the VPN. A friend and I struggled with firewall configs for years tweaking for the game of the day. Enter VPN, and now we have a private TCP network without firewalls. Any game supports that, no reconfiguration required.

The other thing is that it is built into w2k (my gaming platform of choice) and XP (friends platform). This means you can be up and running after reading some quick instructions on setting up the server, your shares (properly!), forward one TCP port (yes, only one) from your firewall to desktop, and that's it forever.

Add an uber-IM like Trillian, and that's all you will ever need.

Re:Download and mirror this

+4 RTFA [nullsoft.com]! more like it.

And I blockquote:

WASTE is a software product and protocol that enables secure distributed communication for small (on the order of 10-50 nodes) trusted groups of users.

So this isn't really a thing like gnutella. It's an enterprise product. As other posters have noted, it could conceivably be used to share (AOL-TW) copyrighted works, but that doesn't seem to be anywhere near it's main purpose. Heck, AOL is probably releasing the core technology as OSS to get the community to shake it down for bugs, in anticipation of releasing a commercial product built on top of the protocol. Kinda like how Apple has worked on open source technologies like zeroconf, and released commercial products like rendezvous built on the technology.

Re:Download and mirror this

WASTE is a software product and protocol...

It's understandable for marketeers and Microsoft to say 'software product' as a euphemism for 'computer program', but do hackers have to start doing it as well?

Interesting, not your usual peer to peer app.

Designed for small groups of people (up to 50)

It allows easy colloboration across firewalls, and only one user inside the firewall is required to allow all users inside access to the mesh.

Each link is encrypted, but each message is decrypted and re-encrypted at each hop of the mesh, so you have to trust all of the nodes. It's also very hard to drop a node onc it is trusted, as each node shares public keys around to make sure all nodes have all public keys. Initial connection to the mesh requires manual key exchange. PITA, but moderatley secure.

All network traffic is encrypted, it will flood each mesh link with a minimum amount of bandwidth to foil traffic analysis.

Key exchange

"Initial connection to the mesh requires manual key exchange. PITA, but moderatley secure."

IIRC, key exchange is where most encryption schemes fall down. If this ever takes off I'd guess 99% of users will trade keys over plain ol unencrypted SMTP.

Nice summary though - this really does look interesting.

For readers of Pynchon. . .

That's W A S T E, not 'Waste'.

Re:For readers of Pynchon. . .

Above post was not at all offtopic. Crying of Lot 49 is a good nerd book, so go read it.

In the book, W.A.S.T.E is an underground postal system that allowed people to exchange messages without the authorities finding out.

Re:For readers of Pynchon. . .

And I doubt that's a coincidence either considering that's exactly what the protocol seems to do.

Now I've never read the book, but I'd say in an underground postal system every person in the system has to be trusted. Much like this protocol -- each node in the network needs to be trusted.

You have to build your own little underground network with a few trusted friends. This reminds me a lot of the pirate BBS days ... if you wanted access to the 'private' or 'elite' (we didn't use such silliness as 31337 ;) file sections, you had to know the sysop.

This system allowed for only quality 'warez' files because everyone who was allowed to trade files had to be trusted, and therefore they weren't going to damage their reputation by sending crap like you get on P2P nowadays like incomplete packages or stuff that said it was one thing, but really was another thing. Back when trading pirated software was more like a gentlemen's agreement and not the 'o-D4Y \/\/4R3Z!!!!' crap pimply-faced teenagers with nothing better to do do today.

On the other hand, one has to think, 'Who needs it?' Most of us who were in that community back then have merged in with the Open Source community today and if we trade software at all it's with a CD burner over a cup of coffee. ;) OTOH, maybe this is just the thing for people like us.

Just a thought...

Is Groove doomed?

Resolved that: Gnutella aside, this technology is really a direct shot at Groove Networks, the company founded by Ray Ozzie of Lotus Notes fame to sell P2P-derived technology to small and large business.

Discuss.

Re:Is Groove doomed?

If

a) Groove was actually used by anybody and
b) It wasn't such horrible software

then I would say yes. Unfortunately Groove is a solution looking for a problem, and how many people get excited when you hear "designed by the guy that designed Notes."

Re:Beep!

"[...] It makes noises on keyboard/mouse input :-) [...] it is 'cute' enough to impress my girlfriend."

Where do you find a girl that could be impressed that easily? No need for fancy restaurants or expensive gifts, just type on your keyboard and she goes mental.... nice!

1337

Listen port
Listening on port 1337

Somehow I think this is a very well chosen port... ;-)

4 years later May 28th

Did nullsoft do this to thumb its nose at Aol? It was released May 28th 4 years after Aol paid a nice sum to buy Nullsoft.

As for the "What's the point" question...

put on your conspiracy hats...

Think of it this way, these guys know probably better than anyone else NOT on the AOL IM team, just how much of IM conversations are monitored, logged, mined for information, media metrics...etc.

Not to mention, they work in that environment, they prolly want to be able to say "god damn, our executive VP is a bitch" and not have some network engineer provide a log documenting that conversation later.

Yeah, i wish it scalled, but wtf, its opensource. Go make it scale. For now, 10-50 is plenty for most groups of online friends.

Personally, I'd loved to see technology like Pastry [microsoft.com] get hacked into it.

-malakai

Linux port ?

How many minutes before we can see the first Linux port (it works under W$, FreeBSD and MacOS X) ?

Re:Linux port ?

Closer than you think...

I haven't used C in 3 years and I managed to get it to compile with a bit of hacking. As for stability, your guess is as good as mine...

diff -r waste/Makefile.posix waste_port/Makefile.posix
4c4
< RSAOBJS = md5c.o nn.o prime.o r_random.o rsa.o
---
> RSAOBJS = rsa/md5c.o rsa/nn.o rsa/prime.o rsa/r_random.o rsa/rsa.o
7,8c7,8
< CXXFLAGS = -O2 $(DEBUGFLAG) -pipe -march=pentiumpro
< CFLAGS = -O2 $(DEBUGFLAG) -pipe -march=pentiumpro
---
> CXXFLAGS = -O2 $(DEBUGFLAG) -pipe
> CFLAGS = -O2 $(DEBUGFLAG) -pipe
diff -r waste/connection.cpp waste_port/connection.cpp
771c771
< if (::getsockname(m_socket,(struct sockaddr *)&sin,(socklen_t *)&len)) return 0;
---
> if (::getsockname(m_socket,(struct sockaddr *)&sin,(unsigned socklen_t *)&len)) return 0;
diff -r waste/listen.cpp waste_port/listen.cpp
85c85
< int s = accept(m_socket, (struct sockaddr *) &saddr, (socklen_t *)&length);
---
> int s = accept(m_socket, (struct sockaddr *) &saddr, (unsigned socklen_t *)&length);
diff -r waste/srvmain.cpp waste_port/srvmain.cpp
31c31
< #include "md5.h"
---
> #include "rsa/md5.h"
diff -r waste/xfers.cpp waste_port/xfers.cpp
812c812,814
< if (!RemoveDirectory(s)) break;
---
> // The below seems to be from the win32 API. I'll just comment it out and hope it doesn't break anything.
> // Jordan R. Urie
> // if (!RemoveDirectory(s)) break;