Nullsoft's Waste: Encrypted, Distributed, Mesh Net

Myriad writes "Nullsoft, makers of the venerable Winamp MP3 player, released today a secure, distributed mesh-like networking protocal and platform called Waste. This v1.0 beta release uses RSA (key based) and Blowfish encryption for security, and features Instant Messanging and group chat, along with file browsing, searching, and transfer. Waste has been released under the GPL, with source and binaries available here."

Good work

[Anonymous Coward]

Happy to see the spirit of Free Software continues thrive. We've been seeing too many proprietary offerings of late. I'm glad that Nullsoft is "with the program". This is a great idea, and they deserve our support.

Interesting, not your usual peer to peer app.

[rmlane]

Designed for small groups of people (up to 50)

It allows easy colloboration across firewalls, and only one user inside the firewall is required to allow all users inside access to the mesh.

Each link is encrypted, but each message is decrypted and re-encrypted at each hop of the mesh, so you have to trust all of the nodes. It's also very hard to drop a node onc it is trusted, as each node shares public keys around to make sure all nodes have all public keys. Initial connection to the mesh requires manual key exchange. PITA, but moderatley secure.

All network traffic is encrypted, it will flood each mesh link with a minimum amount of bandwidth to foil traffic analysis.

For readers of Pynchon. . .

[BitHive]

That's W A S T E, not 'Waste'.

Re:Gnutella

[terrox]

oops now i realise it is for small secure/private networks - sounds good for VNC type stuff.

Re:License?

[Anonymous Coward]

Well, the Windows version has the GPL in the 'Accept/Don't accept' stage of installing the app, if that means anything to you.

Re:Gnutella - YES

[Anonymous Coward]

Yes, Nullsoft originally created Gnutella then parent company AOL forced them to stop development, but the cat was out of the back and code was leaked/reverse engineered.

Re:fix what needs fixing

[misuba]

Winamp 2.9 is the latest release of the Winamp 2.x codebase, which takes most of the good ideas that went into Winamp 3 and codes them back to an API free of excessive abstraction. It's been out for weeks, if not months. Check your facts before posting.

Re:Hmmm....

[glob]

"undoubtedly call a tool whose sole purpose is to illicitly distribute copyrighted works"

uhh, waste is for small workgroups only ..

WASTE is a software product and protocol that enables secure distributed communication for small (on the order of 10-50 nodes) trusted groups of users.

it's not about p2p file sharing, rather it's a colaborative tool.

sure, you could use to to share illegal stuff, but it's really no different in that respect to email, icq, whatever.

Re:Gnutella

[MacJedi]

Yes, they did. However, AOL didn't like it and got it shut down within the day. Then someone (Justin Frankel?) leaked the source and the rest is history.

/joeyo

GPL Licences

[rmlane]

Quoting from the source:

Copyright (C) 2003 Nullsoft, Inc.

WASTE is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

Re:Gnutella

[Magila]

Indeed, here [slashdot.org] is the original slashdot story. Of course AOL quickly ended development at nullsoft, it lived on after the protocol had been reverse engineered and others picked up where nullsoft left off.

Re:Gnutella

[Anonymous Coward]

As a matter of fact, Gnutella has nothing to do with Nutella, except for the similar name.

As you already pointed out in your links, Nutella is a chocalate spread. It is a FOOD item.

Gnutella is a SOFTWARE item. It is used for P2P (point-to-point) networking. Usually, Gnutella is used to distribute music, although it can be used to distribute any files.

I hope this comment has been helpful in clearing the matter.

They already fixed Winamp, whiner

[Anonymous Coward]

Firstly, the WA2 group backported the two major features of WA3 (video support and the media library) to WA2 and released it as WA 2.9. Development continues on a hybrid tree under the working title WA5 (2 + 3 == 5).

Secondly, not everyone shares your idea of "what they need to do". Winamp is a nice media player, but nevertheless just a media player; to many people, a protocol that facilitates cryptographically secure collaboration is infinitely more useful.

Thirdly, I'm not clear on what obligation you think Nullsoft owes you even when they're on company time, but I wouldn't be surprised if WASTE was written in spare time--you know, for fun.

Yes, it's GPL and it says so...

[malakai]

I don't know, are you a troll?

Try searching on 'GNU General Public License' Einstein.

/*

WASTE - connection.cpp (Secured TCP connection class)
Copyright (C) 2003 Nullsoft, Inc.

WASTE is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

WASTE is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with WASTE; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/

Re:I have to ask..

[Anonymous Coward]

But you're also right, it won't gain wide acceptance unless there's easy way to connect to the "network".. I just opened the "Network status" dialog, and what do I type in?

There is no network. The goal isn't "wide acceptance". This isn't another way for you to get your mp3s, porn, whatever. Front page of the site, emphasis added:

WASTE is a software product and protocol that enables secure distributed communication for small (on the order of 10-50 nodes) trusted groups of users.

WASTE is designed to enable small companies and small teams within larger companies to easily communicate and collaborate in a secure and efficient fashion, independent of physical network topology.

Re:For readers of Pynchon. . .

[IntlHarvester]

Above post was not at all offtopic. Crying of Lot 49 is a good nerd book, so go read it.

In the book, W.A.S.T.E is an underground postal system that allowed people to exchange messages without the authorities finding out.

Full description of WASTE

[mrklin]

Fresh from http://www.nullsoft.com/free/waste/:

WASTE is a software product and protocol that enables secure distributed communication for small (on the order of 10-50 nodes) trusted groups of users.

WASTE is designed to enable small companies and small teams within larger companies to easily communicate and collaborate in a secure and efficient fashion, independent of physical network topology.

Some bits of information about WASTE:

• WASTE is currently available [slashdot.org] for 32-bit Windows operating systems, and as a limited functionality server for FreeBSD and MacOS X. Porting to other operating systems should be a breeze, as the source [slashdot.org] is provided (and the network code itself is pretty portable).
• WASTE is licensed under the GPL [gnu.org].
• WASTE currently provides the following services:
  • Instant Messaging (with presence)
  • Group Chat
  • File browsing/searching
  • File transfer (upload and download)
• Network architecture: WASTE uses a distributed architecture that allows for nodes to connect in a partial mesh type network. Nodes on the network can broadcast and route traffic. Nodes that are not publicly accessible or on slow links can choose not to route traffic. This network is built such that all services utilize the network, so firewall issues become moot. more information [slashdot.org].
• Security: WASTE uses link-level encryption to secure links, and public keys for authentication. RSA is used for session key exchange and authentication, and the links are encrypted using Blowfish in PCBC mode. The automatic key distribution security model is very primitive at the moment, and may not lend itself well to some social situations. more information [slashdot.org].

Re:Beep!

[BladeMelbourne]

RedHat has apt-get support, although not out of the box.

http://shrike.freshrpms.net/rpm.html?id=393

Don't worry DebianTroll, I will try Debian soon... I have heard many great things about it. My modem connection only achieves 50.6 kbps maximum. I will try to get a copy of Debian 3.0r1 at the next Melbourne Linux User Group meeting.
http://www.mlug.org.au/

Mike

Getting it to work.

[commonchaos]

Looks like you not only have to trade public keys with your friend, but somebody needs to have WASTE on a public IP with port 1337 open.

Re:I have to ask..

[GMC-jimmy]

If your not scared of Beta software, there's an IRC client that supports encryption for queries and even channel messages. You do have to share your key with whom ever you want to be able to read your messages however.

It's KVirc 3 over at www.kvirc.net [kvirc.net].
It's primarily writen for KDE/Linux but they also have a pre-compiled Win32 stand-alone.

Re:Gnutella - YES

[Anonymous Coward]

the code wasn't "leaked" or "reverse engineered" the code was released under the GPL on nullsofts website at the same time as the executable.. exactly the same way as this program has been handled.

They most likely knew aol wouldn't like gnutella at all.

Re:I have to ask..

[spectral]

Eh, yes it does. Otherwise I'd have a lot more connections open while talking to people than just the one single connection to AOL's server. Hence the 'direct connect' button, which then DOES establish a direct connection to the server. Also, ICQ now uses modified versions of the AIM protocol(s) anyway (or at least, can run on them), so all ICQ traffic prolly goes through the servers too.

I bet the other networks are the same. MSN, Yahoo, etc. Direct connections are a bit slower to start up, and a bit more of a security risk, since you now know the other person's IP address.

Re:JabberIM does this

[wossName]

As much as I love Jabber, that's simply not true. Jabber has no widely implemented encryption between all links, and file transfer is not exactly its strong side.

What no LibTomMath for bignum RSA?

[tomstdenis]

Oh darn. Looks like they used some homebrew crap for their bignum stuff.

Common LibTomMath is like a billion times faster [not to mention very well tested]....

Plug plug plug!

http://math.libtomcrypt.org

Tom

Re:downloaded, now what?

[dpu]

i'm going to bite my tongue about "leeches" and actually help a bit here.

reading the docs, it becomes apparent that in order to connect to other people, you need to know their public key, and vice versa. i'm paraphrasing, but that's essentially it :) good luck!

Re:I have to ask..

[daserver]

Well there is a whole network, silcnet, that builds upon irc but makes it safe. It not that far away from 1.0. http://www.silcnet.org/

slighly OT: Jabber communication encryption

[Ahaldra]

*sigh* so many jabber clients - so many implementations. It seems as if noone developing a jabber client actually cared to look into the official proposals.

So, if you are a jabber client developer or intend to become one, see this article [jabber.org] for a proposed handling of Open PGP -type encryption.

Re:Looks great but...

[tamagen]

You need at least one other client running somewhere.

You both need to enter each other's public key into your client to get started. This step shows that you "trust" one another.

Anyone else who wants to join your "network" must also enter one of your existing network members' public key into their client and have that existing member enter the new user's public key into *their* client. This step automatically makes the new person "trusted" by all the other members of the network - the important part is that you don't have to explicitly swap public keys with EVERYONE - just with one member of the network. The client does the rest once you connect to the network - see below.

Now, to get started and initially connect to someone's machine, enter their hostname or IP address (not their "username") into the "Network" window. This primes your client - it will then discover all it needs to know about the other members of the network, since by default, each client will be broadcasting discovery information (usernames, hostnames, public keys).

The "Browser" window shows all the users in the network, but currently ONLY if they are sharing one or more files. So, get each person who joins the network to share at least a test file so that they will always appear in everyone's "Browser" window.

Right-click on any names in the browser window to start interacting with them.

HTH

Re:1337

[Fweeky]

1337 = l337 = leet = elite

Somewhat commonly used to refer to something as good; as in:

"l337, this WASTE thing does exactly what I want"

Re:Gnutella

[lucas_gonze]

This is just plain wrong. The source was never available, leaked or otherwise.

The protocol was reverse engineered, with a little assistance on IRC from deadbeef.

Re:It's a really useful tool for business too

[javatips]

SecureIM only do encryption. There is NO way with SecureIM to be sure that you are talking to the right person.

It would be very easy for some network admin to do a man in the middle attack by intercepting all the trafic between you and your buddy (with the initial key exchange) without you knowing anything about it.

Having a false sense of security is worse that knowing that your communication is NOT secure.

A better way, would be to use PGP to enrypt your communication with your buddy. At least, if your are confident you obtained your buddy real public key, you know you are talking to the right person.

Re:Linux port ?

[dschuetz]

Alright, I think I'm figuring this out. Lack of documentation is something of a hinderance here... It really boils down to there not being any kind of initial configuration system on the server side, so you do all the keygen and profile creation on windows and copy stuff back and forth. Ugly. But, I guess it *is* alpha (though maybe it should be 0.1 rather than 1.0...)

It's compiled (I just made the changes shown elsewhere in this thread). Start up the windows version, create a private/public key pair (using a *server* passphrase, as this will be moved to the server). Oh, also copy the profile (default.pr0) from the windows box to the wastesrv folder, modifying and deleting stuff as appropriate within the file (like I deleted my nickname, etc.)

Export the private key to a file. Move that file to "default.pr4" in the wasteserv folder. Copy the public key to the clipboard, paste that into a file called "default.pr3" in the wasteserv folder (I changed the nick on that line to "server").

Go back to your windows client, and create a *new* private/public key pair, then copy that public key, via the clipboard, to the default.pr3 file, leaving your nick intact.

Copy the public key for the server to the windows client, importing it via the preferences panel. (this was the public half of the first key pair you created, which is now the server key).

Hit the network button, enter your server's IP in the drop-down field at the top, hit connect, and, maybe, it'll work. Maybe.

'course, I'm the only person on my server, so I'm not seeing anything. Gotta get someone else to try this too.

Hope this helps....

Re:Gnutella

[bigberk]

Yes, here's a little background on gnutella and the protocol [umanitoba.ca].

Re:As for the "What's the point" question...

[$carab]

I remember watching on Dateline a couple years back about a murder trial, and apparently one of the major pieces of eveidence was a saved AIM conversation. They got one the AOL execs to testify that there was no way of verifying if it was a real transcript because AOL doesnt keep logs.

I think theres an sf project do do AIM sniffing though, but still, AOL doesnt log your conversations.

Re:Key exchange

[CrypticOutsider]

IIRC, key exchange is where most encryption schemes fall down. If this ever takes off I'd guess 99% of users will trade keys over plain ol unencrypted SMTP.

And what's wrong with that? You're exchanging your public keys.

From the Waste setup guide:

8. At this point you should copy your public key to the clipboard using the button labeled "Copy my public key to the clipboard" and then paste it into an email/IM/whatever to give it to the person(s) you wish to connect to.

9. You should also acquire the PUBLIC key of the person(s) you wish to connect to via some means, and then click the "Import public keys..." button in order to import their PUBLIC keys. Once you import their PUBLIC keys, there should be a message in the setup wizard telling you how many keys are loaded total.

The Right Hand Knows

[fm6]

In fact what we have here is a first cut at a secure distributed network presence system, something that would allow you to run an icq-like network between people you trust without being spied on by a central server. There are many reasons why one would want this: maybe *you* just want to trade copyrighted files, but *I* want to communicate securely and efficiently with my associates.

Besides which, this software isn't particularly useful for illicit file sharing. For that you need a way to get into contact with strangers who happen to have a copy of the file you want to download. The encryption features would actually seem to work against that.

Also, this is technology that might be very useful to AOL. AIM's big drawback is that it's not very secure, and really shouldn't be used for sensitive corporate communication. (Though the engineers at my last employer used it anyway.) AOL could persuade people that are already using AIM for free to upgrade to WASTE in order to secure their communications. Not to mention the other features.

We Await Silent Trystero's Empire!

Re:linux?

[JakusMinimus]

yeah, the root of this is a #define for socklen_t in the non-win32 code (which is already typedef'd in system headers). my solution was to put a #ifdef POSIX around the define.

up and running on linux

[JakusMinimus]

a link to the cleaned up code i am running: http://www.entheal.com/users/dweomer/waste-source- clean.tgz [entheal.com]

my server's public key

WASTE_PUBLIC_KEY 20 2048 entheal.com
ABB44E9339FC6CE16A3C04A9D828AD3F6C78A 308FF66442E35B3F69C2CFC
7AAF98FFFCE94A95E074C6B8F B8F46105A7575A5AB9CFBF9112E1AE13C02
B7CFDA578CD7B 114A64E6B18D9F857BD982E741D2A214EE52878580B51DA
4 081980FA0923244FA59D05FE314347384D23DBD58C736D71D6 D490EFD4D
E3587D463D351236280BCAD18DD40F12D9F0DAF 6C3C88CAB2243A21B7A8D
B0C89075685E12052263C6DD9EA 6809967A7D354037EF00F078E5E298DFC
2E89E43AF161FCF B30B2B41873F0BB34706B4C8EF749B6A3E45135F9F08D
FAF 6F684E29787ECE5FB0DFEBABF904C11327CE085F735C0D7E08 DE811B3
04CEC56742090AA7A714497B9CEF1C35000301000 1
WASTE_PUBLIC_KEY_END

server name is entheal.com (you may have guessed from the public key ... )

Re:Linux port ?

[Bob Uhl]

According to Microsoft [microsoft.com], RemoveDirectory() removes the directory specifed in a C string. The directory must be empty, exactly as with the POSIX rmdir(). The return value is 0 if unsuccessful, non-zero otherwise; this is the opposite of rmdir(). So, it's better to replace that snippet with:

if (rmdir(s)) break;

Re:I have to ask..

[raynet]

Also Irssi and ircII have IDEA patches and they work really well too, been using them for year or two now.

Waste Public Node List

[Str8Dog]

I threw up a forum for people who would like to list their public nodes here [str8dog.com]

Re:Linux port ?

[grazzy]

This code actually does work, with this patch you are able to both transfer files, connect, and chat.

The tricky thing is to set up the server properly.

The easiest way is like someone else pointed out to make a new profile in waste, (copy your own default.pr* files out of the way first).

Then, add your public SERVER key to your public-key list in the windows-client. And add your public-windows-client-key to the list of keys of the server.. (default.pr3).

Dont forget to NOT use a network name ( or make sure they are the same in your default.pr0 files).

If you want to join my server contact me on icq: 706826, or see http://waste.mjoelkbar.net/ which will be online soon.

Re:up and running on linux

[DarkBlack]

If you are using gcc 3.2 as I am on Debian Unstable, you will probably need this patch:

--- waste/Makefile.posix 2003-05-29 11:58:45.000000000 -0400
+++ waste/Makefile.posix.new 2003-05-29 14:00:34.000000000 -0400
@@ -8,7 +8,7 @@

wastesrv: $(OBJS) $(RSAOBJS)
- $(CC) $(DEBUGFLAG) -pthread -o wastesrv $(OBJS) $(RSAOBJS)
+ $(CC) $(DEBUGFLAG) -pthread -o wastesrv $(OBJS) $(RSAOBJS) -lstdc++

clean:
rm -f $(OBJS) $(RSAOBJS) wastesrv

Re:Linux port ?

[grazzy]

Wrong url:
http://grazzy.mjoelkbar.net/waste/ [mjoelkbar.net]

Re:Gnutella

[FLaSh SWT]

Actually, Justin IS in the credits for Winamp3.

He is listed under "Additional programming" which is the third set of credits.

well, the download page just went 404

[ntk]

I guess AOL found out again...

and now W A S T E

[akahige]

AOL must not like W A S T E either. it's been pulled and there's no trace of it on the nullsoft site. hope someone mirrored it...

Found a Mirror

[Anonymous Coward]

while perusing the winamp forums, I found a mirror:

waste installer [blueyonder.co.uk]
waste source [blueyonder.co.uk]

Re: Gone!

[MMHere]

Thread ID#13077 [winamp.com] in a message entitled WASTE gone... RETURNED! (look in the forum CommunityCenter/GeneralDiscussions at forums.winamp.com [winamp.com] has the source and binary posted.

You'll have to register for the WinAmp forums first.

Not sure if the poster hacked/altered them first, but at least something appears to be there. I was unable to grab the installer earlier, but I did grab the .zip for the sources earlier. The .zip I grabbed earlier and the .zip posted in said forum match according to the cmp command.

I'm gonna build from the sources myself rather than run the posted .EXE.

oh well

[WilyKit]

The URL provided is 404.

Looks like they did it again, got AOL Time Warner scrambling and they pulled the plug. (Same thing happened with Gnutella, remember?)

Re:well, the download page just went 404

[Eminence]

Well, all the pages about WASTE are 404 now, WASTE also disappeared from the list of software made by Nullsoft. But - as I said already here - it's already irrelevant, as the GPL-ed source is already mirrored around the world and will be worked on. Soon we will see ports and mutations of WASTE everywhere.

Looks like the guys at Nullsoft learned from Gnutella...

Waste Mirror

[Freaek]

Waste is here [sifnt.net]

Contents of the file are as follows;

waste - network architecture.htm

waste - network architecture_files
waste - security model and implementation.htm
waste-setup.exe
waste-source.tar.gz
waste-source.zip

This will be up until it's not. Enjoy! :)

--Pete (peteg [at] sifnt dot net)

Re:Waste Mirror

[GuNgA-DiN]

I've put up another mirror here [paradigm.nu].