Encrypted Torrents Growing Fast In the UK 432
angryphase writes "The British Phonographic Institute (the UK's RIAA) has noticed a significant increase in the amount of encrypted torrents — from 4% of torrent traffic a year ago to 40% today. Whether it follows a trend for hiding suspicious activities or an increased awareness of personal privacy is up for (weak) debate. Either way, this change of attitude is catching the eye of ISPs, music industry officials, and enforcement agencies. Matt Phillips, spokesman for the UK record industry trade association explains, 'Our internet investigations team, internet service providers and the police are well aware of encryption technology: it's been around for a long time and is commonplace in other areas of internet crime. It should come as no surprise that if people think they can hide illegal activity they will attempt to.'"
Re:Could someone clarify... (Score:5, Informative)
Re:Could someone clarify... (Score:5, Informative)
Encryption prevents traffic analysis, which means that a router can't easily detect that something is a BitTorrent connection and throttle it.
Really this seems to be a case of "the more you tighten your grip, the more will slip through your fingers". The excessive amount of filtering first made sure that about everything learned to talk over port 80. Now they'll add encryption over that, so that ultimately a large percentage of traffic will be completely opaque and going through port 80, making it pretty much impossible to filter.
There might be a consequence for the RIAA though: It means that no traffic analysis will tell you what somebody is downloading. Sure you can see which computers and tracker are involved, but you don't know what's the file being transferred. So no way to tell anything by listening to traffic at strategic points, now you need to maintain a connection with a tracker for every file you want to monitor.
As an user this doesn't seem like such a bad thing, but as a sysadmin it has the potential of becoming quite annoying. Read on what it takes to stop Skype from working for a preview of what might become universal eventually.
Re:Is encryption private? (Score:3, Informative)
"I'm not sure if the DMCA says anything about it, but it seems to me that any person looking at any traffic you aren't sending to them is (or should be) illegal. How would this be relevantly different from an illegal wire (phone) tap?"
Because BitTorrent isn't a one-to-one, private transaction. It's anonymous, one-to-many. You make that Kanye West rip available, and anybody with a BitTorrent client can get it. It makes no difference if they're another Kanye West fan, or the record label that would very much like to stop you from distributing their stuff for free.
This is how the record companies bust people: they use P2P clients to see what you're offering. And, no, it's not entrapment. This is a no-free-lunch situation: if you share copyrighted stuff without permission, you're liable to be nailed, and the DMCA can't help you here.
Re:Could someone clarify... (Score:3, Informative)
Encrypted data simply looks random. So does compressed data.
You could of course detect SSL connections (since the protocol is predictable), but that only works if you have some sort of detectable handshake or metadata around the compressed stuff.
Here's one workaround that comes to mind, for example: Establish a completely normal SSL session by HTTPS with another computer, exchange keys, close that connection, then start an encrypted connection using those keys, without any standard magic numbers of any sort.
Then they will throttle all encrypted traffic (Score:4, Informative)
Re:Won't Work (Score:5, Informative)
When I connect to a https site, during the handshake the remote site gives me a copy of its certificate. I (my browser) do two things with that certificate: I validate that the domain name embedded in the certificate matches the name of the website I was asking to connect to, and I verify the signature on the certificate using the public key of the signing authority.
Unless the ISP has private key of the signer, there is no way that they could possibly generate a false certificate on the fly - so I *know* I am talking to the server I wanted to connect to, not to an intermediate proxy server.
once that handshake is complete, I and the remote site have a private encryption key which we both use to encrypt/decrypt traffic between us. The ISP can't do anything with that traffic but pass it through (or block it).
The *only* way that an ISP could get in the middle would be for them to block ports 80 and 443 and insist that you configure your browser to use *their* proxy server. If you ever come across an ISP that does this, don't walk, run, to another ISP.
Re:Could someone clarify... (Score:3, Informative)
Where are the SSL bittorrent trackers? (Score:3, Informative)
This is almost certainly what Comcast is doing. After setting up Azureus to use only DHT and Peer Exchange for peer sources, it is once again possible to seed torrents, in spite of Comcast's evil doings. It is still not at all great, but much improved. Not nearly as good as my new ISP though.
If you run a tracker, please consider using SSL in the future. Ideally, requests for
Re:Won't Work (Score:5, Informative)
You understand how HTTPS works, but not how a proxy works for HTTPS.
When your browser connects to a proxy for an HTTPS method, it makes a CONNECT request. The proxy makes a TCP connection to the IP address and port requested and passes the traffic both ways unchanged and uncached. The browser then performs the usual certificate validation on the contents received from the remote web site.
An ISP could force the use of a proxy. An ISP could disable HTTPS through their proxy. An ISP could slow down HTTPS through their proxy. An ISP could monitor your traffic volume through their proxy (or their routers). An ISP could record every encrypted bit going both ways. An ISP could also corrupt the encrypted traffic bits. But an ISP cannot interpret the bits in your encrypted traffic, nor modify them, in any meaningful way, without cracking the encryption.
Re:Or maybe.... (Score:4, Informative)
There is more than just law enforcement that is interested in the contents. BSA, RIAA and MPAA are the ones I was not mentioning by name. The US post office can open your mail.. But there is a huge red tape procedure to follow. X-ray is one thing to look for explosives. Opening every letter to see if it has the lyrics of a popular song by the RIAA is not permitted by the post office. Inspecting every letter by the DHS for bomb plans is also not permitted, except electronic mail. The post office may know you mailed a CD to your buddy. The package is not inspected to see if it contains the latest teen pop rap.
Online the privacy standards are now seen as a problem to internet users as attacks on users are clogging up the court system an fleecing many to pay the extortion money to the settlement support center. If there was privacy, this would not be a problem.
http://www.p2pnet.net/story/6337 [p2pnet.net]
http://recordingindustryvspeople.blogspot.com/2005/09/suits-against-settlement-support.html [blogspot.com]
http://arstechnica.com/news.ars/post/20051004-5382.html [arstechnica.com]
I did a Google search for the settlement support center. It must not be very popular. I could not find a link to the site.
I had to search for RIAA demand letter to find the info. Even then, I found just refrences to the letter, but not a copy of the letter with information to the settlement support center.
http://recordingindustryvspeople.blogspot.com/2007/04/uc-santa-cruz-passes-along-riaa.html [blogspot.com]
Re:I tracked down the settlement support center (Score:4, Informative)
The page with the link to the letter is here; http://consumerist.com/consumer/riaa/the-riaa-p2plawsuit-letter-sent-to-college-students-241054.php [consumerist.com]
The Settlement demand letter is here; http://consumerist.com/assets/resources/2007/03/riaaletter.pdf [consumerist.com]
https://www.p2plawsuits.com/ [p2plawsuits.com] Settlement support center link is here.
Re:Won't Work (Score:3, Informative)
Windows update is not https, which I've always felt was the biggest security hole in Windows (but maybe there's better security behind the scenes?).
Azureus over I2P (Score:3, Informative)
Let's all switch now and incorporate this by default in any clients...
NOT Troll. (Score:3, Informative)
If you consent, any "illegal search" premise is lost, and anything they plant or actually find will then be usable. It is a dirty trick and cops in the USA have been using it for a long time. They have to get you to consent to a search, even if they trick you into it. Otherwise the court system is still relatively usable to put that cop out on the street, if you're clever.
Surprised? You shouldn't be. They govern by consent, here, there, everywhere, so stop consenting if you don't wish to get trampled along with your rights. You don't have to overthrow them, you merely have to avoid giving in to their tricks. If you consent you have NO excuse for bitching about being abused. You will have given them permission. If you refuse and they assault you, there are plenty of options available to you as you were not the initiator of the aggression and can therefore have a clean conscience, and if you are willing and intelligent enough you can put the individuals in question in the poor house with a well placed lawsuit. And then you can retire