Researchers Outline Targeted Content Poisoning For P2P Data
Diomidis Spinellis writes "Two USC researchers published a paper in the prestigious IEEE Transactions on Computers that describes a technique for p2p content poisoning targeted exclusively at detected copyright violators. Using identity-based signatures and time-stamped tokens they report a 99.9 percent prevention rate in Gnutella, KaZaA, and Freenet and an 85-98 percent prevention rate on eMule, eDonkey, and Morpheus. Poison-resilient networks based on the BitTorrent protocol are not affected. Also, the system can't protect small files, like a single-song MP3. Although the authors don't say so explicitly, my understanding is that the scheme is only useful on commercial p2p distribution systems that adopt the proposed protocol."
Actually (Score:4, Interesting)
Actually, poisoning P2P networks as a commercial venture could be prosecuted as theft-by-deception.
Stealing bandwidth is a crime. Downloading songs isn't, if you aren't profiting from it.
Freenet is gnutella? (Score:3, Interesting)
I was curious as to how they were poisoning Freenet, which should be robust against this with its Forward Error Correcting.
According to the paper, Freenet falls under the category of the "Gnutella family" (p.2). The Freenet Project that I know is in no way related to Gnutella.
Are they referring to a different file sharing program by the name of Freenet, or is this statement of theirs just plain inaccurate?
Freenet (Score:5, Interesting)
The paper won't download here, so I'm asking without RTFA, but how can this work against Freenet [freenetproject.org]? Do they discuss Freenet in the paper at all? Freenet does chunk-level hashing, and the network enforces that the data matches the hash at all steps. Nodes returning invalid data will rapidly get dropped by their peers. Attacks like this are something that Freenet is explicitly designed to prevent. Also, the anonymity guarantees that Freenet makes would make it hard (potentially very hard) for them to identify a single user, let alone "collusion".
I'm forced to wonder whether the researchers mention Freenet at all, or if the poster is simply lumping Freenet in with other p2p apps that it has very little in common with. (Bittorrent and Freenet should be similar in some ways to their resistance against this attack, but Freenet's strong anonymity guarantees should make it more resistant. The fact that a node engaged in widespread poisoning will have trouble even staying connected makes Freenet even more resistant.)
Re:Freenet (Score:5, Interesting)
This is utterly absurd. The verification on freenet is based on asymmetric crypto. If they haven't broken that, the most they can do is flood the network with corrupt chunks, in which case the software will just start dropping peers who send too many corrupt packets at too high a rate. Translation: you need # of bad guys >> # of good guys to have much of an impact on network quality. And of course it's complete trash against a darknet, but I doubt these guys know what that is.
Given the subject matter, weasel words, and shoddy methodology, I'm about as worried about this as I am about the zombie communist terrorist invasion predicted for 2012.
Re:This needs to be fought (Score:4, Interesting)
So what's wrong with buying a boat, forking out enough money to have people work for months and feed their families?
I find this mentality a bit shortsighted: if I had a pile of money in excess (yes, excess) and "invested it" (say, bought an apartment block, collected rent and took from people in that way for my "wellbeing"), people wouldn't say a thing.
But when someone acquires something which creates work (luxury items need to be made, people make them, and they're expensive because they're not mass-produced, right?), you stimulate an economy and economic activity (people can go to work, do something with their time and get paid), yet that is "wrong" because you can't take a boat trip?
As much as I would enjoy excessive luxury as well, spending money stimulates an economy. If you have a lot of money, the best thing to "make things happen" and give value is to spend it.
I'm working with banks and wealth management software. I don't have such an abundance of money as I see passing through our software, yet it creates cashflow, and because of that cashflow 100+ people here are able to work and drive nice company cars. They are happy. Clients are happy. And those whom the people who are happy and comfortable (not excessively) pay to get value from are happy, as they can make a business. (80% of the people here order their lunch from a small business that delivers to our office. This means they can bill each day for about 320 to run their business.)
While the economic attitude has proven flawed (growth instead of sustainability and stability), our economy and the wellbeing of those in and around it (you and I, buddy) depend on the spending.
I do agree on the point that the RIAA is a bunch of greedy bastards. And the value demanded for that music or whatever is not aligned with the perceived and experienced value delivered. But that is another issue.
Instead of looking down on someone with such a badass boat, ask him if you can take a ride; chances are it's a very lonely, misguided person trying to acquire wealth while sacrificing a lot you wouldn't sacrifice. Chances are you get your free ride. I've seen that a lot.
Re:Adopting the proposed protocol? (Score:3, Interesting)
There is no need for existing protocols to change. This paper cannot be used to attack them. This paper proposes a new paid-P2P network, one deliberately designed to give a central authority (the RIAA) the power to poison the system.
Re:This needs to be fought (Score:3, Interesting)
Ask them. It's been well documented that all this complaining about P2P stuff started when executives were faced with the prospect of telling their shareholders that they failed to meet their projected profit increases. I.e., for decades they'd been making more and more money every year; then suddenly, when technology created hundreds of other ways to entertain people overnight, they didn't make as much more as they were expecting. (That is: they actually DID make more than the previous years. A lot more, by any sane standard, but not as much more as they had hoped.)
They spun around, looking for someone to blame, and rather than noting inconvenient things like increased competition from other media or changes in the way people were spending their time, they heard about Napster, which allowed previous non-customers/non-consumers to jump out of their little section of the Venn diagram and into the section "non-customer/consumer". They pounced, and pretty much ever since have still been trying to explain to their shareholders that only making four billion more than last year instead of ten billion more is because of evil 18th-century seafaring thieves.
Re:This needs to be fought (Score:3, Interesting)
You make some good points, but I take issue with the very idea that the record industry is made of nothing but millionaires.
Sure, a small percentage of people in that industry -- whether they're artists or executives -- do very well, but that's the case with every industry. The IT and Internet industries have their own share, from hard-working executives to stock option millionaires who were at the right place at the right time. Of course, most people who work in IT aren't millionaires, but that's also the case for the record industry.
Many Slashdotters fly the jolly roger proudly, but we also claim not to like the Top 40 crap put out by the major labels -- so we're probably pirating mostly indie stuff. It's a safe bet that the indie labels have an even lower percentage of millionaires than the big labels. But if you choose to buy a track from a big label on iTunes, it's a bit like giving money to Google -- sure, a tiny portion of it goes to the guys on top, but most of it goes to the 99% of the rest of the people who are paid by the company.
"I do agree on the point that the RIAA is a bunch of greedy bastards. And the value demanded for that music or whatever is not aligned with the perceived and experienced value delivered. But that is another issue."
Value isn't absolute. iTunes has sold billions of tracks. Their recent experiment of raising prices on in-demand tracks was a success -- they're making more money. Online music sellers have a very good understanding of the pricing that the market will bear. I've lost count of the times that a $0.99 track purchase or a $10 album purchase have given me hours and hours of enjoyment. Some folks will always choose to pirate, and many will use class warfare or the old "music is too expensive!" as their rationalization. But when Slashdotters claim that iTunes has it wrong, it's a bit like when Slashdotters claim that Microsoft should release Windows as OSS or that next year will *finally* be the year that Linux takes over the desktop. Microsoft won't, Linux won't, and although it's counterintuitive to many Slashdotters, Apple and the music industry as a whole are still making a metric buttload of money.
Re:This needs to be fought (Score:4, Interesting)
The luxury industry has been linked with reducing the size of the middle class, since it tends to create a broader disparity between those providing goods and services and those consuming them. You are certainly correct, of course, that spending money will 'stimulate the economy' regardless of whether it comes from the rich or the poor. The question is the type of economy you want to stimulate. Luxury spending tends to stimulate the segment of industry that sees little return back at the lower end of the wage pools. They reap higher profits and provide fewer goods and services, thus tending towards increasing the divide in wealth. Spending in the lower-end 'consumer grade' market tends to stimulate an industry that will increase growth where more goods and services are produced.
Henry Ford famously paid his employees enough so they could buy the cars they were building. Imagine what might have happened to the auto industry if he had catered only to the rich? Compare also to Walmart, who also wants to pay their employees enough to buy their products.
Re:This needs to be fought (Score:3, Interesting)
I absolutely love this observation.
Your point is very valid, and the "greedy millionaires taking money from the poor consumer" is a flawed view.
After reading your post I thought over what the "RIAA" means, as a corporate entity to me and what I know about it, and it's shamefully little.
My own knowledge about the RIAA is limited to what I read on Slashdot and on news sites, where it profiles itself as an aggressive entity.
Which makes me think it's how the RIAA is out of tune with the needs of today's consumers, putting "measures into place" and creating discomfort for users who otherwise would've been perfectly happy. This results in a greater need or desire for something more aligned with current media consumption, which is direct, efficient, snack-sized. But on the other end is a corporation with a business model that doesn't apply anymore. Which comes back to the "relative perceived value": if it's hassle-free, you'll pay more to not go through the hassle you experience otherwise.
The problem with anonymous peer to peer (Score:3, Interesting)
is that you don't know who your peers are. They might not even be "peers" in the everyday commonly-understood sense.
Solution: remove anonymity, or at least replace it with pseudo-anonymity. I don't know who the guy that signs his chunks with keyid 0xDEADBEEF is, but I know he's never sent me garbage in the past. The owner of keyid 0xF00C1000 sends me chunks that don't match up with the rest of the content. My computer has a hard disk. It can remember things like this.
Gnutella blacklists mediasentry IPs. IPs are ephemeral. What they ought to do is use a signed protocol, and blacklist bad signing keys. Or better yet, greylist everyone by default and whitelist the ones who show a history of integrity. No wait, program the client to do all that, and don't distribute any lists at all.
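The two defensive ideas in this thread (chunk-level hash verification with peers dropped for sending corrupt chunks, as described in the Freenet comments above, and keeping a per-signing-key integrity history, greylisting everyone by default, as proposed in this post) can be combined in a small client-side policy. The following is an added example, not code from Freenet, Gnutella or any project discussed here: it assumes the downloader already holds a trusted manifest of per-chunk SHA-256 digests, identifies peers by a pseudonymous key id (the 0xDEADBEEF / 0xF00C1000 ids are taken from the post and stand in for hypothetical peers), and uses a constructed sample file.

```python
import hashlib
from dataclasses import dataclass

CHUNK_SIZE = 8

# Constructed sample content. A real client would obtain the chunk digests from a
# signed descriptor; here they are derived from the original bytes to simulate that.
CONTENT = b"The quick brown fox jumps over the lazy dog. 0123456789abcdef"


def chunk_digests(data: bytes, size: int = CHUNK_SIZE) -> list:
    """SHA-256 digest of every chunk; this is the manifest the downloader trusts."""
    return [hashlib.sha256(data[i:i + size]).hexdigest()
            for i in range(0, len(data), size)]


MANIFEST = chunk_digests(CONTENT)


@dataclass
class PeerRecord:
    good: int = 0
    bad: int = 0


class PeerReputation:
    """Per-key integrity history: every peer starts grey, earns white, or is blacklisted."""

    def __init__(self, whitelist_after: int = 4, max_bad: int = 2):
        self.records = {}
        self.whitelist_after = whitelist_after   # clean chunks needed before a key is trusted
        self.max_bad = max_bad                   # corrupt chunks tolerated before dropping the key

    def status(self, key_id: str) -> str:
        rec = self.records.get(key_id, PeerRecord())
        if rec.bad >= self.max_bad:
            return "black"
        if rec.bad == 0 and rec.good >= self.whitelist_after:
            return "white"
        return "grey"

    def record(self, key_id: str, ok: bool) -> str:
        rec = self.records.setdefault(key_id, PeerRecord())
        if ok:
            rec.good += 1
        else:
            rec.bad += 1
        return self.status(key_id)


def verify_chunk(index: int, data: bytes, manifest: list) -> bool:
    """A chunk is accepted only if its digest matches the manifest entry for that index."""
    if index < 0 or index >= len(manifest):
        return False
    return hashlib.sha256(data).hexdigest() == manifest[index]


def receive_chunk(rep: PeerReputation, key_id: str, index: int, data: bytes,
                  manifest: list, assembled: dict):
    """Returns (accepted, peer_status). Blacklisted keys are refused before any hashing."""
    if rep.status(key_id) == "black":
        return False, "black"
    ok = verify_chunk(index, data, manifest)
    status = rep.record(key_id, ok)
    if ok:
        assembled[index] = data
    return ok, status


def simulate():
    """One honest peer and one poisoning peer both offer every chunk of the file."""
    rep = PeerReputation()
    assembled = {}
    good_peer, bad_peer = "0xDEADBEEF", "0xF00C1000"   # hypothetical key ids
    chunks = [CONTENT[i:i + CHUNK_SIZE] for i in range(0, len(CONTENT), CHUNK_SIZE)]
    log = []
    for idx, chunk in enumerate(chunks):
        # the poisoning peer serves each chunk with its first byte flipped
        poisoned = bytes([chunk[0] ^ 0xFF]) + chunk[1:]
        log.append((bad_peer,) + receive_chunk(rep, bad_peer, idx, poisoned, MANIFEST, assembled))
        log.append((good_peer,) + receive_chunk(rep, good_peer, idx, chunk, MANIFEST, assembled))
    rebuilt = b"".join(assembled[i] for i in range(len(chunks)))
    return rebuilt, rep, log


if __name__ == "__main__":
    rebuilt, rep, log = simulate()
    print("file intact:", rebuilt == CONTENT)
    for key in ("0xDEADBEEF", "0xF00C1000"):
        print(key, rep.status(key), rep.records[key])
```

The poisoning key is blacklisted after its second corrupt chunk and every later offer from it is refused without being hashed, while the honest key is whitelisted after four clean chunks; no list is ever distributed, the client builds the verdict from its own history, which is the point the post makes about an ephemeral IP versus a signing key.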
Only 7 years too late (Score:1, Interesting)
Companies like Overpeer developed effective P2P poisoning over 7 years ago. Which means they didn't do much research for section 2.2.
(note: I'm posting this as A/C because I not only worked for Overpeer, I actually designed and developed the system used for P2P poisoning which is unpopular on Slashdot. Though people are often under the misconception that we would protect anything and everything, as opposed to just protecting copyrighted material we were paid to protect).
Overpeer's software was VERY effective, and supported many different protocols. While they are correct on some basic points (e.g. the hashing and chunking of various networks), their approach could never be financially viable or sustainable.
First, they disregard the fact that making it harder to FIND a pirate file is much more economical than poisoning the ones that are out there. If there are 1000 results out there, and you can manage to be 985 of them, each with a high number of 'sharers', then you never need to send a single byte of the file; just have all your clients be 'busy' and put the client on queue. Most people will think they'll get the download soon enough, and eventually will give up and possibly search again, with the same chances of finding our systems again. Note: for some P2P schemes, like BitTorrent, where the search is not part of the network infrastructure, poisoning is the only thing possible.
Second, Poisoning pirate files, as they state, is possible. But it is usually used as something of last resort, or something you want to have happen as little as possible. That is because it is very bandwidth intensive. The biggest cost at Overpeer was bandwidth, and although we implemented file transfer throttling and system-level throttling in our custom software, once you get into this game, especially with things like swarming downloads, you're in for a LOT of file transfers, whether you like it or not.
Third, the second biggest challenge at Overpeer was IP blocklists. IP addresses used for P2P blocking of this type have a limited shelf life, and although usually only the more savvy P2P users will implement blocklists, and they're usually not who you're trying to protect against, once your IP addresses start showing up on blocklists, you usually have to request a new block of IPs from your service provider, return the ones you have, and reassign those IP addresses to the various machines (or routers if using NAT like they do). Which means you had better have programmed for it.
Fourth, they really don't touch on some of the network self-protection measures aside from the hashing and chunk hashes involved. It's all well and good to say 'we can protect anything you want on these networks', but at some point you really need to have distributed computing and emulate multiple clients from a single host. Why? Because certain networks implement certain restrictions on purpose to stop people sharing millions of files on a single client connection. For example, most eDonkey servers will limit the number of files you can share with a soft limit (anything above this is not indexed) and a hard limit (trying to share more than this will get you disconnected). So scalability becomes an issue unless you design your software to split your content into 'bite-sized chunks', so to speak. Not to mention that on things like eDonkey, you get a lower priority (and often no connection) if you are NAT'd, so their methodology of using NAT without some kind of specialized software also makes no sense.
Fifth, their approach talks about modifying file indexes to have a certain signature. Doing this makes you easily detectable. And they seem to think people on P2P networks aren't good enough to figure this out. They are. You want to look as much like a regular 'pirate' as you can in this game. Any small thing, like a detectable signature will get client writers, blacklist writers and even in some cases network writers writing code that detects your signature and automatically blocks your IP from the
Re:Freenet (Score:3, Interesting)
They won't give up, they are America's propaganda and they have the full backing that entails.