Nullsoft's Waste: Encrypted, Distributed, Mesh Net

Myriad writes "Nullsoft, makers of the venerable Winamp MP3 player, released today a secure, distributed mesh-like networking protocal and platform called Waste. This v1.0 beta release uses RSA (key based) and Blowfish encryption for security, and features Instant Messanging and group chat, along with file browsing, searching, and transfer. Waste has been released under the GPL, with source and binaries available here."

JabberIM does this

[Anonymous Coward]

I think this is a waste of time.

We already have JabberIM [jabber.org] which does this and at the same time provides tunnels to other IM networks.

Five minutes later

[Jacer]

I read the article and immediately got excited. I downloaded all of the software and had it all setup and working within a few minutes. As of right now I'm living in an apartment and have no practical use, but on Monday I'm moving into my dorm room to start my summer class (bleh!) Anyway, I think this is so wonderful! I've been thinking about a secure network computing solution for my three computers when I'm at school. I have my server, workstation, and my laptop that I'd like to tie all together. The leading choice was vpn, but after playing around with this, I do think that running on my server and having the three of them connect to it, and maybe a few of my friends computers on campus, we can create a very nice, effective, small, and secure lan. Then again, after five minutes I haven't decided if the whole reinventing of the wheel is worth it. I'll probably try it out, and setup a vpn server too, and see which I like more.

Download and mirror this

[scrod]

while you can. Remember what happened when they first released Gnutella? If I recall, AOL forced them to pull it within hours (though it was already completely reverse-engineered almost immediately afterward).

License?

[harlows_monkeys]

I just download the source and took a look. No COPYING file. No README. The string "gpl" (case insensitive) does not appear in any of the files.

Worse, there is an "rsa" subdirectory, and the files in there all say they are copyright RSA Data Security, and all rights are reserved. Worse, the MD5 source files contain a license that is incompatible with the GPL.

I'd stay away from waste until they straighten this stuff out.

Re:I have to ask..

[ergonal]

You're right. But you have to remember that, by the brief look of it I got, makes PGP-style stuff a lot easier. And what do most people use IM's for anyway? To chat to their friends? You bet. It wouldn't take long to develop a web of trust of, say, your entire school or workplace. But you're also right, it won't gain wide acceptance unless there's easy way to connect to the "network".. I just opened the "Network status" dialog, and what do I type in? Nothing right now, until I can get someone else to load it up.

Is Groove doomed?

[misuba]

Resolved that: Gnutella aside, this technology is really a direct shot at Groove Networks, the company founded by Ray Ozzie of Lotus Notes fame to sell P2P-derived technology to small and large business.

Discuss.

Re:Download and mirror this

[Farley Mullet]

+4 RTFA [nullsoft.com]! more like it.

And I blockquote:

WASTE is a software product and protocol that enables secure distributed communication for small (on the order of 10-50 nodes) trusted groups of users.

So this isn't really a thing like gnutella. It's an enterprise product. As other posters have noted, it could conceivably be used to share (AOL-TW) copyrighted works, but that doesn't seem to be anywhere near it's main purpose. Heck, AOL is probably releasing the core technology as OSS to get the community to shake it down for bugs, in anticipation of releasing a commercial product built on top of the protocol. Kinda like how Apple has worked on open source technologies like zeroconf, and released commercial products like rendezvous built on the technology.

4 years later May 28th

[Isosonys]

Did nullsoft do this to thumb its nose at Aol? It was released May 28th 4 years after Aol paid a nice sum to buy Nullsoft.

Go read Pynchon

[billstewart]

In "The Crying of Lot 49" [powells.com], which is a nice short fast spacy read, there's a plot thread about competing mail services and a conspiracy that conducts its private communications in a way that, if you refer to the name of the product as "waste" rather than "W A S T E", indicates you're clearly not part of their group. There are also email systems called "Trystero" for similar reasons, and it makes looking at post office boxes in Scandinavia quite silly even without sampling the local agricultural products.

Re:Five minutes later

[graveyhead]

VPN is better if you're a gamer...

Once you've set it up for a firewall, the f/w effectively vanishes inside the VPN. A friend and I struggled with firewall configs for years tweaking for the game of the day. Enter VPN, and now we have a private TCP network without firewalls. Any game supports that, no reconfiguration required.

The other thing is that it is built into w2k (my gaming platform of choice) and XP (friends platform). This means you can be up and running after reading some quick instructions on setting up the server, your shares (properly!), forward one TCP port (yes, only one) from your firewall to desktop, and that's it forever.

Add an uber-IM like Trillian, and that's all you will ever need.

As for the "What's the point" question...

[malakai]

put on your conspiracy hats...

Think of it this way, these guys know probably better than anyone else NOT on the AOL IM team, just how much of IM conversations are monitored, logged, mined for information, media metrics...etc.

Not to mention, they work in that environment, they prolly want to be able to say "god damn, our executive VP is a bitch" and not have some network engineer provide a log documenting that conversation later.

Yeah, i wish it scalled, but wtf, its opensource. Go make it scale. For now, 10-50 is plenty for most groups of online friends.

Personally, I'd loved to see technology like Pastry [microsoft.com] get hacked into it.

-malakai

Linux port ?

[theefer]

How many minutes before we can see the first Linux port (it works under W$, FreeBSD and MacOS X) ?

AOL Time Warner...

[tolarianacademy]

...owns Nullsoft, (as already mentioned by leviramsy) but an interesting theory had been presented to me, suggesting that AOL Time Warner has for some time been planning to trump Apple's iTunes store. Maybe they are planning to power such a service with peer networking? I have never beleived this personally because AOL Time Warner would just as soon want to have everyone surfing from the same servers anyhow, and a decentralized system would only tax their bandwidth more. Maybe...maybe they will release such a service that utilizes both p2p transfers in combination with traditional server-to-client transfers, and maybe use it as an advertising platform for AOL, giving AOL users better functionality, or maybe even restricting server-to-client transfers to AOL users once the service becomes popular. Does anyone else think this idea is bogus? I find it hard to beleive, but I can't figure out how else Nullsoft could be /allowed/ to create this new service.

Here is the full source

[infonography]

Here is the source [gnutenberg.net] for those who are wondering what it's all about.

---

WE AWAIT SILENT TRISTERO'S EMPIRE.

Re:Yes, it's GPL and it says so...

[MisterFancypants]

Yeah but the original poster's question about md5/RSA code still stands...That code is incompatible with the GPL.

Re:Is Groove doomed?

[misuba]

Well, that begs the question: what problem is Waste designed to solve? Who will use it?

It seems to me that secure instant messaging and peer-to-peer file transfer between members of a distributed workgroup serves a real need. I can't imagine that Nullsoft would have developed this unless they saw a need themselves. Other solutions might technically already exist, but they don't appear to be as easy to install. (In that respect I could be wrong about VPN; I haven't looked into it.)

It'll be interesting to see whether Waste follows the path of Groove in the respect of becoming a platform, and providing an API for others to develop new tools.

Revolution of Filesharing?

[cyberm_acc]

I'm suprised no one has mentioned the obvious. This is a terrible blow to the RIAA and the all the people who have been trying to sue filesharers into oblivion.

There are two uses I see for this:
There are going to be groups of people dedicated to one theme, for example, Horror Movies, or Horror Movies with mutant bees, sharing all their Horror Movies, you will need a certain ammount of Horror Movie Uploads for Downloads and noone will ever be to know you had Queen Bee 1-3.

If you replace Horror with new release you get lots of small miniDonkeys, many interconnected and unstoppable.

I'm convinced this is a revolution in filesharing because it solves the two biggest Problems filesharing has, crappy downloads and getting sued.
The downloads will be of really good quality beacause you will be sharing with friends of people you know from chatting and if the put crap in their upload directory they won't be one of your cirle of friends much longer.

Getting sued is obvious, noone will be able to tell what you are doing (the might be able to guess that all those people on cable are not running a vpn yet) as just your circle of friends know. There is still the possibility that one of your friends is a traitor but i would call that a rare chance.

Re:Hmmm....

[Uart]

wasn't Gnutella also originally a nullsoft idea?

Re:Download and mirror this

[Ed Avis]

WASTE is a software product and protocol...

It's understandable for marketeers and Microsoft to say 'software product' as a euphemism for 'computer program', but do hackers have to start doing it as well?

Re:They already fixed Winamp, whiner

[UniverseIsADoughnut]

Hey good their working on the old series, which would show they accept the issues of the 3x series.

I know many people do feel the way I do, talk to most people who have tried 3.0 or even go to their website and see people bitching about it. Winamp is the most used player in windows, second only to WMP, though I wouldn't be surprised if more used. To stop trying to make a decent product and ignore the problems will cause them to loose their marketshare and thus make them worthless, not a very good business model if you want to be around to do other things like protocols.

Also I don't think many people care about this protocol, sure the paranoid types might, but this is very much something most people could care less about.

Also I in no way have said they are obligated to do anything. I was just pointing out how they have gone from something good to complete crap. I don't belive companies own anyone anything unless there was some deal which requires them to.

I doubt it was done in spare time, if it was employees doing something it was during work time, and if there are things that need to be done to your product you don't have "free time" . Free time is when there is nothing you should be doing.

Nullsoft is a company. Time is money for them. Users are money for them. Being a company that gives product away for free, the balance of keaping them is huge. If no one goes to your sight and clicks on ads and so forth they are done.

One last thing, they haven't fixed jake shit. winamp 3 is broken, go to their sight, winamp 3 is what they are advertising. Making updates to an older product is not fixing. To be fixed means they got all the issues sorta out with 3.0 .

Re:Yes, it's GPL and it says so...

[harlows_monkeys]

Oops. I should have grepped for GNU in addition to GPL. I also see they've got a license.txt file, which includes the text of the GPL.

Now if you can just explain away the RSA code that has the license that is incompatible with the GPL, everything will be fine.

Re:License? GPL

[harlows_monkeys]

Seems like conflicting information to me.

I goofed, and grepped for "gpl". "gnu" would have been a better grep term.

However, there's still the rsa directory, which contains stuff not compatible with GPL. (Which puzzles me...since waste is GPL'ed, why didn't they use gmp for the math, or whatever gpg uses?)

Everyone invented Gnutella

[CrazyJim0]

I think hundreds or thousands of coders thought of this shit, especially when Napster got shutdown.

I personally came across it when removing a section of my P2P anti hacking designed for Diablo 1 to be secure even without a central server.

Interestingly enough, I was going to call my Gnutella: Dumpster

Which is cool they're naming their software: Waste

Lets see how it turns out

Re:Linux port ?

[Kompressor]

Closer than you think...

I haven't used C in 3 years and I managed to get it to compile with a bit of hacking. As for stability, your guess is as good as mine...

diff -r waste/Makefile.posix waste_port/Makefile.posix
4c4
< RSAOBJS = md5c.o nn.o prime.o r_random.o rsa.o
---
> RSAOBJS = rsa/md5c.o rsa/nn.o rsa/prime.o rsa/r_random.o rsa/rsa.o
7,8c7,8
< CXXFLAGS = -O2 $(DEBUGFLAG) -pipe -march=pentiumpro
< CFLAGS = -O2 $(DEBUGFLAG) -pipe -march=pentiumpro
---
> CXXFLAGS = -O2 $(DEBUGFLAG) -pipe
> CFLAGS = -O2 $(DEBUGFLAG) -pipe
diff -r waste/connection.cpp waste_port/connection.cpp
771c771
< if (::getsockname(m_socket,(struct sockaddr *)&sin,(socklen_t *)&len)) return 0;
---
> if (::getsockname(m_socket,(struct sockaddr *)&sin,(unsigned socklen_t *)&len)) return 0;
diff -r waste/listen.cpp waste_port/listen.cpp
85c85
< int s = accept(m_socket, (struct sockaddr *) &saddr, (socklen_t *)&length);
---
> int s = accept(m_socket, (struct sockaddr *) &saddr, (unsigned socklen_t *)&length);
diff -r waste/srvmain.cpp waste_port/srvmain.cpp
31c31
< #include "md5.h"
---
> #include "rsa/md5.h"
diff -r waste/xfers.cpp waste_port/xfers.cpp
812c812,814
< if (!RemoveDirectory(s)) break;
---
> // The below seems to be from the win32 API. I'll just comment it out and hope it doesn't break anything.
> // Jordan R. Urie
> // if (!RemoveDirectory(s)) break;

It's a really useful tool for business too

[Eminence]

WASTE is something that is indeed very useful for small company or teams (especially dispersed teams) in larger organizations. In many places one or another IM system is being used to communicate with team members. Over ICQ or AOL contracts and employment conditions are discussed, remarks about contractors and clients are passed etc. That is a huge security leak if you look at it from a certain prospective, especially for some profiles of companies like small consulting firms with employees regularly using clients networks. WASTE is a simple to use and free method of closing that leak.

I know at least two small companies that should adopt WASTE immediately and I would advise them to do so. One is a PR company with 2-10 people offices around Europe, where ICQ is frequently used as a discussion medium. Other is a small consulting company. Someone eavesdropping on their ICQ chats could seriously damage both of them.

Looks great but...

[randomErr]

The software looks great and installed like a dream but How can I test it?

How can I point it at a node that will allow me to try it out? I ask this because what if someone is on the internet and needs to connect to me network. How do I point them to my network?

Re:They already fixed Winamp, whiner

[Anonymous Coward]

Hey good their working on the old series, which would show they accept the issues of the 3x series.

Nullsoft has said from the release of WA3 that it was AOL's spec and AOL's decision to release it in that state.

I know many people do feel the way I do, talk to most people who have tried 3.0 or even go to their website and see people bitching about it.

That's really not relevant to anything I wrote.

Winamp is the most used player in windows, second only to WMP, though I wouldn't be surprised if more used.

Hardly. WA is popular among those 'in the know', but it doesn't have anywhere near the installed base of e.g. RealPlayer.

To stop trying to make a decent product and ignore the problems will cause them to loose their marketshare and thus make them worthless, not a very good business model if you want to be around to do other things like protocols.

Nullsoft's "business model" is that of a wholly-owned subsidiary of AOL. Its purpose is to provide the media player component of the AOL client software. As for "other things like protocols", this is a side project, much like Gnutella. [quote]Also I don't think many people care about this protocol, sure the paranoid types might, but this is very much something most people could care less about.[/quote] Visit the business world sometime. Secure collaboration isn't paranoia; it's a necessity.

Also I in no way have said they are obligated to do anything.

Yes, my mistake. I didn't realize that you presumed to know Nullsoft's business better than Nullsoft.

I doubt it was done in spare time, if it was employees doing something it was during work time, and if there are things that need to be done to your product you don't have "free time" . Free time is when there is nothing you should be doing.

Employees are also people, capable of undertaking projects on their own. Most of the Nullsoft side projects are things that were done on the coder's own initiative and time. Justin, whose project this is, isn't even part of the WA3 group.

Nullsoft is a company. Time is money for them. Users are money for them. Being a company that gives product away for free, the balance of keaping them is huge. If no one goes to your sight and clicks on ads and so forth they are done.

Is the dotcom bubble still intact on your planet? Users who don't pay aren't money, and ads are a tool to alleviate operating expenses, not a profit source.

One last thing, they haven't fixed jake shit.

Is he any relation to Jack?

winamp 3 is broken, go to their sight, winamp 3 is what they are advertising.

The Winamp site calls WA3 "almost as new as Winamp 2". Some advertisement.

Making updates to an older product is not fixing.

It is when the older product is now functionally equivalent and wasn't broken in the first place.

Re:They already fixed Winamp, whiner

[awakened tech]

To a certain extent this protocol is probably far more important than winamp will ever be. We keep hearing predictions of how IM is the next big thing in business, however no buiness is going to touch current IM technologies for two main reasons, security and accessibility (if I have MSN installed I will spend more time chatting to my mates than collaborating with my colleagues). WASTE solves those two problems and therefore enables businesses to seriously look at using IM type technologies in the work place.

Key exchange

[yem]

"Initial connection to the mesh requires manual key exchange. PITA, but moderatley secure."

IIRC, key exchange is where most encryption schemes fall down. If this ever takes off I'd guess 99% of users will trade keys over plain ol unencrypted SMTP.

Nice summary though - this really does look interesting.

Re:It's a really useful tool for business too

[Anonymous Coward]

SecureIM on Trillian isn't really that secure. Someone analyzed it quite a while back and found that it was fairly trivial to crack... With the requisite knowledge, anyhow. I wouldn't be able to do it myself, but I could learn enough to do this if I were so inclined.

It arguably is worse than plaintext, as it gives people the impression that the conversations are secure when the truth is that they are nothing of the sort ... And never mind the plaintext logs that (I'm sure at least) 90% of Trillain users keep on their own computers.

Re:AOL Time Warner...

[afidel]

If I remember correctly Justin's contract basically gave him complete freedom from luser management as long as he didn't do anything illegal. Besides he got so much dough from AOL that he could just work on it at home and release it, though it would lack the Nullsoft name that obviously gets it more press. This would be pretty worthless from AOL/TW's perspective, for that they would probably want something like BitTorrent with user authentication.

Re:For readers of Pynchon. . .

[Surak]

And I doubt that's a coincidence either considering that's exactly what the protocol seems to do.

Now I've never read the book, but I'd say in an underground postal system every person in the system has to be trusted. Much like this protocol -- each node in the network needs to be trusted.

You have to build your own little underground network with a few trusted friends. This reminds me a lot of the pirate BBS days ... if you wanted access to the 'private' or 'elite' (we didn't use such silliness as 31337 ;) file sections, you had to know the sysop.

This system allowed for only quality 'warez' files because everyone who was allowed to trade files had to be trusted, and therefore they weren't going to damage their reputation by sending crap like you get on P2P nowadays like incomplete packages or stuff that said it was one thing, but really was another thing. Back when trading pirated software was more like a gentlemen's agreement and not the 'o-D4Y \/\/4R3Z!!!!' crap pimply-faced teenagers with nothing better to do do today.

On the other hand, one has to think, 'Who needs it?' Most of us who were in that community back then have merged in with the Open Source community today and if we trade software at all it's with a CD burner over a cup of coffee. ;) OTOH, maybe this is just the thing for people like us.

Just a thought...

Re:Hmmm....

[Anonymous Coward]

I remember when Frankel (was it him?) made a plugin for winamp that would draw the oscilliscope over-top of the advert area in AIM's buddy list window.

That was the day I started seeing NullSoft ads appear in there... *HMMMM* ..

Re:Interesting

[kubrick]

... or maybe Nullsoft would like people who are going to make money from it to approach them for a commercial license.

I don't see anything wrong with that -- they're a business, after all.

Re:I have to ask..

[Anonymous Coward]

posting anonymously for obvious reasons:

The unofficial amusing diversion (when things were slow) for members of the security team of the Fortune 100 organization I worked for was to read people's IM conversations that were logged by our IDS. Whether they're being routed through AOL or Microsoft or Yahoo, they're plaintext transmissions to and from a few very well-known port numbers. Think about that the next time you're telling John/Jane exactly which part of them you'd like them to insert in which part of you, and you bring the whipped cream and they'll supply the ball gag, etc. Do you really want the geek sitting at the firewall desk reading that?

Re:Hmmm....

[dir-wizard]

Not entirely true.. I work for a small company, 5-6 people who work out of their homes. Because we cannot get static IP's to everyone communication becomes and issue and a hastle. I see a real need for this kind of software. The encryption is a bonus for companies who don't want their communications listened in on....

Re:Hmmm....

[abulafia]

which releases a program that the RIAA and MPAA will undoubtedly call a tool whose sole purpose is to illicitly distribute copyrighted works....

There is no reason to call it that. It is a communication tool that tries not to leak information. I would encourage RIAA members to use it themselves, to better secure internal conversations against unintentional leakage. I'm sure "they" send files to each other via email from time to time. Isn't this better? What's not to like?

As a long time cypherpunk, I'm glad this is here. Way back in '94, I wrote out a model of this sort of thing, but with decent routing and key exchange, and then got busy working for money. I'm glad someone is doing this, even if it doesn't work on a larger scale.

Please flame the evil cypherpunk vision below.

Re:name "Waste" -- Pynchon's The Crying of Lot 49

[elwinc]

I believe the name "Waste" is a references to Thomas Pynchon's novel "The Crying of Lot 49." In the novel, W.A.S.T.E is either a hoax or a secret system for communication, and (might) stand for "We Await Silent Tristero's Empire." Here's a little quote:

"Last night, she might have wondered what undergrounds apart from the couple she knew of communicated by WASTE system. By sunrise she could legitimately ask what undergrounds didn't....[H]ere were God knew how many citizens, deliberately choosing not to communicate by U.S. Mail. It was not an act of treason, nor possibly even of defiance. But it was a calculated withdrawal, from the life of the Republic, from its machinery. Whatever else was being denied them out of hate, indifference to the power of their vote, loopholes, simple ignorance, this withdrawal was their own, unpublicized, private. Since they could not have withdrawn into a vacuum (could they?), there had to exist the separate, silent, unsuspected world."

Re:Gnutella

[JeffSh]

deadbeef is justin frankel for anyone who is interested. same guy who did winamp, really a great software guy.

the reason why winamp 3 sucks so much, is because it's written by some other guy. justin isn't even in the credits of winamp3 .. sad

Re:name "Waste" -- Pynchon's The Crying of Lot 49

[dav]

Ah! I love this book! I about jumped out of my seat as soon as I saw the trumpet icon :) ...but isn't it supposed to be a muted trumpet?

Nevertheless, it's a great name choice....

Re:The Right Hand Knows

[jafuser]

Your post just made me realize how useful it actually is.

I run a small network in my apartment with my roommates, and we all have various versions of windows, and some computers are "homed" on a different domain, especially if a friend brings his work laptop over during a lan party.

In these kind of environments, windows file sharing seems to be much more hassle than it's worth. On Win2k, it seems like it's a 10 step process just to share a folder. Even after that, it can take one or two minutes just to navigate the windows network to get to the other computer (why is this so slow anyway?).

Sometimes I've gotten so frustrated with it that I'll skip all the windows sharing BS and just upload the files to an FTP site hosted somewhere else on the internet, then have my friend, who is only 10 meters away from me and on the same private network as me, ftp it back down.

Sure, I could put my own ftp server on my machine, but that is too much hassle for a one-time use.

With something like this, it looks like it might be a quick and easy way to do file sharing that sounds a lot safer than most of the the simple alternatives...

Re:What no LibTomMath for bignum RSA?

[Luminair]

Telling Slashdotters won't help.

Here, tell the WASTE folks instead: http://forums.winamp.com/forumdisplay.php?forumid= 154

Re:Gnutella: Ouch this is gone also

[Jouster]

The other fun part was that, the day after the Gnutella debacle, they managed to sneak in a mention of Nutella (and a picture of it!) into their "Ask Nullsoft" section. I wonder if they'll do something similar with WASTE?

Coincidentally, see also this lecture on this history of Gnutella [cf.ac.uk] (warning: PDF), or its handy Google HTML-ized version [216.239.51.100].

Jouster

Has WASTE been removed from nullsoft ?

[Taco Cowboy]

Both the Download Page [nullsoft.com] and the Security Page [nullsoft.com] aren't accessible.

This bring the question of whether WASTE have been removed from nullsoft.com, or not?