Nullsoft's Waste: Encrypted, Distributed, Mesh Net 674
Myriad writes "Nullsoft, makers of the venerable Winamp MP3 player, released today a secure, distributed mesh-like networking protocal and platform called Waste. This v1.0 beta release uses RSA (key based) and Blowfish encryption for security, and features Instant Messanging and group chat, along with file browsing, searching, and transfer. Waste has been released under the GPL, with source and binaries available here."
Gnutella (Score:2, Insightful)
Re:Gnutella (Score:4, Funny)
Re:Gnutella (Score:2, Informative)
As you already pointed out in your links, Nutella is a chocalate spread. It is a FOOD item.
Gnutella is a SOFTWARE item. It is used for P2P (point-to-point) networking. Usually, Gnutella is used to distribute music, although it can be used to distribute any files.
I hope this comment has been helpful in clearing the matter.
Re:Gnutella - YES (Score:3, Informative)
Re:Gnutella (Score:5, Informative)
/joeyo
Re:Gnutella (Score:4, Informative)
The protocol was reverse engineered, with a little assistance on IRC from deadbeef.
Re:Gnutella (Score:5, Interesting)
the reason why winamp 3 sucks so much, is because it's written by some other guy. justin isn't even in the credits of winamp3
and now W A S T E (Score:4, Informative)
Re:Gnutella: Ouch this is gone also (Score:3, Interesting)
Coincidentally, see also this lecture on this history of Gnutella [cf.ac.uk] (warning: PDF), or its handy Google HTML-ized version [216.239.51.100].
Jouster
Re:Gnutella (Score:5, Informative)
Everyone invented Gnutella (Score:5, Interesting)
I personally came across it when removing a section of my P2P anti hacking designed for Diablo 1 to be secure even without a central server.
Interestingly enough, I was going to call my Gnutella: Dumpster
Which is cool they're naming their software: Waste
Lets see how it turns out
Re:name "Waste" -- Pynchon's The Crying of Lot 49 (Score:5, Interesting)
Re:name "Waste" -- Pynchon's The Crying of Lot 49 (Score:3, Interesting)
Nevertheless, it's a great name choice....
Re:Gnutella (Score:2, Informative)
Hmmm.... (Score:4, Insightful)
AOL Time Warner (IIRC, owners of the second biggest recording company, not to mention one of the major recording studios) owns Nullsoft, which releases a program that the RIAA and MPAA will undoubtedly call a tool whose sole purpose is to illicitly distribute copyrighted works....
A cliche regarding:
...comes to mind.
Re:Hmmm.... (Score:5, Informative)
uhh, waste is for small workgroups only ..
it's not about p2p file sharing, rather it's a colaborative tool.sure, you could use to to share illegal stuff, but it's really no different in that respect to email, icq, whatever.
Re:Hmmm.... (Score:3, Insightful)
And does that fact necessarily matter to the *AA?
By their calculations (Score:5, Funny)
Re:Hmmm.... (Score:5, Funny)
Has WASTE been removed from nullsoft ? (Score:3, Interesting)
Both the Download Page [nullsoft.com] and the Security Page [nullsoft.com] aren't accessible.
This bring the question of whether WASTE have been removed from nullsoft.com, or not?
Re:Hmmm.... (Score:5, Insightful)
That was a joke right? And the moderators who marked it "interesting" and "insightful" really meant to mark it "funny", they just hit the wrong button, right?
In fact what we have here is a first cut at a secure distributed network presence system, something that would allow you to run an icq-like network between people you trust without being spied on by a central server. There are many reasons why one would want this: maybe *you* just want to trade copyrighted files, but *I* want to communicate securely and efficiently with my associates.
As for why AOL lets Nullsoft do things like this, I suppose the choice is either to let them work on what they want to or lose the talent. What Nullsoft is doing is the best thing for the net, and so is the best thing for AOL in the end.
The Right Hand Knows (Score:5, Informative)
Also, this is technology that might be very useful to AOL. AIM's big drawback is that it's not very secure, and really shouldn't be used for sensitive corporate communication. (Though the engineers at my last employer used it anyway.) AOL could persuade people that are already using AIM for free to upgrade to WASTE in order to secure their communications. Not to mention the other features.
We Await Silent Trystero's Empire!
Re:The Right Hand Knows (Score:3, Insightful)
You don't need to be in contact with strangers if all your friends have GBs upon GBs of "shared source".
Re:The Right Hand Knows (Score:3, Interesting)
I run a small network in my apartment with my roommates, and we all have various versions of windows, and some computers are "homed" on a different domain, especially if a friend brings his work laptop over during a lan party.
In these kind of environments, windows file sharing seems to be much more hassle than it's worth. On Win2k, it seems like it's a 10 step process just to share a folder. Even after that, it can take one or two minutes just to
Re:Hmmm.... (Score:4, Interesting)
There is no reason to call it that. It is a communication tool that tries not to leak information. I would encourage RIAA members to use it themselves, to better secure internal conversations against unintentional leakage. I'm sure "they" send files to each other via email from time to time. Isn't this better? What's not to like?
As a long time cypherpunk, I'm glad this is here. Way back in '94, I wrote out a model of this sort of thing, but with decent routing and key exchange, and then got busy working for money. I'm glad someone is doing this, even if it doesn't work on a larger scale.
Please flame the evil cypherpunk vision below.
until when (Score:3, Insightful)
Considering nullsoft, might be a risky move.
Interesting (Score:5, Insightful)
Going through the documentation, I found this:
From here [nullsoft.com]
Note: It might be worth implementing WASTE using a subset of SSL, to avoid any concern of flaws in this protocol. Feedback is gladly accepted on any potential weaknesses of the negotiation. We have spent a decent amount of time analyzing this, and although we have found a few things that are not ideal (i.e. if you know public keys from a network, you can sniff some traffic and do an offline dictionary attack on the network name/ID), but overall it seems decent. The current implementation probably needs work, too.
Which suggests to me that it isn't worth rushing out and developing application with *just* yet, until further reviews have occured (and the protocol has matured/evolved).
Five minutes later (Score:5, Interesting)
Re:Five minutes later (Score:5, Interesting)
Once you've set it up for a firewall, the f/w effectively vanishes inside the VPN. A friend and I struggled with firewall configs for years tweaking for the game of the day. Enter VPN, and now we have a private TCP network without firewalls. Any game supports that, no reconfiguration required.
The other thing is that it is built into w2k (my gaming platform of choice) and XP (friends platform). This means you can be up and running after reading some quick instructions on setting up the server, your shares (properly!), forward one TCP port (yes, only one) from your firewall to desktop, and that's it forever.
Add an uber-IM like Trillian, and that's all you will ever need.
Re:Five minutes later (Score:2)
Download and mirror this (Score:2, Interesting)
Re:Download and mirror this (Score:5, Interesting)
+4 RTFA [nullsoft.com]! more like it.
And I blockquote:
So this isn't really a thing like gnutella. It's an enterprise product. As other posters have noted, it could conceivably be used to share (AOL-TW) copyrighted works, but that doesn't seem to be anywhere near it's main purpose. Heck, AOL is probably releasing the core technology as OSS to get the community to shake it down for bugs, in anticipation of releasing a commercial product built on top of the protocol. Kinda like how Apple has worked on open source technologies like zeroconf, and released commercial products like rendezvous built on the technology.Re:Download and mirror this (Score:2)
Re:Download and mirror this (Score:5, Interesting)
Interesting, not your usual peer to peer app. (Score:5, Informative)
Designed for small groups of people (up to 50)
It allows easy colloboration across firewalls, and only one user inside the firewall is required to allow all users inside access to the mesh.
Each link is encrypted, but each message is decrypted and re-encrypted at each hop of the mesh, so you have to trust all of the nodes. It's also very hard to drop a node onc it is trusted, as each node shares public keys around to make sure all nodes have all public keys. Initial connection to the mesh requires manual key exchange. PITA, but moderatley secure.
All network traffic is encrypted, it will flood each mesh link with a minimum amount of bandwidth to foil traffic analysis.
Key exchange (Score:5, Interesting)
"Initial connection to the mesh requires manual key exchange. PITA, but moderatley secure."
IIRC, key exchange is where most encryption schemes fall down. If this ever takes off I'd guess 99% of users will trade keys over plain ol unencrypted SMTP.
Nice summary though - this really does look interesting.
For readers of Pynchon. . . (Score:5, Informative)
Re:For readers of Pynchon. . . (Score:5, Informative)
In the book, W.A.S.T.E is an underground postal system that allowed people to exchange messages without the authorities finding out.
Re:For readers of Pynchon. . . (Score:5, Interesting)
Now I've never read the book, but I'd say in an underground postal system every person in the system has to be trusted. Much like this protocol -- each node in the network needs to be trusted.
You have to build your own little underground network with a few trusted friends. This reminds me a lot of the pirate BBS days
This system allowed for only quality 'warez' files because everyone who was allowed to trade files had to be trusted, and therefore they weren't going to damage their reputation by sending crap like you get on P2P nowadays like incomplete packages or stuff that said it was one thing, but really was another thing. Back when trading pirated software was more like a gentlemen's agreement and not the 'o-D4Y \/\/4R3Z!!!!' crap pimply-faced teenagers with nothing better to do do today.
On the other hand, one has to think, 'Who needs it?' Most of us who were in that community back then have merged in with the Open Source community today and if we trade software at all it's with a CD burner over a cup of coffee.
Just a thought...
Waste? (Score:2, Redundant)
Go read Pynchon (Score:3, Interesting)
Is Groove doomed? (Score:4, Interesting)
Discuss.
Re:Is Groove doomed? (Score:5, Funny)
a) Groove was actually used by anybody and
b) It wasn't such horrible software
then I would say yes. Unfortunately Groove is a solution looking for a problem, and how many people get excited when you hear "designed by the guy that designed Notes."
Re:Is Groove doomed? (Score:2, Interesting)
It seems to me that secure instant messaging and peer-to-peer file transfer between members of a distributed workgroup serves a real need. I can't imagine that Nullsoft would have developed this unless they saw a need themselves. Other solutions might technically already exist, but they don't appear to be as easy to install. (In that respect I could be wrong about VPN; I haven't looked into it.)
It'll be interesting to s
Beep! (Score:2, Funny)
On their site I found a program called Beep. It makes noises on keyboard/mouse input
http://www.nullsoft.com/free/nbeep
It gets annoying after a while, but it is 'cute' enough to impress my girlfriend. And that matters as much as keeping my RedHat system up2date. LOL
Re:Beep! (Score:4, Funny)
"[...] It makes noises on keyboard/mouse input :-) [...] it is 'cute' enough to impress my girlfriend."
Where do you find a girl that could be impressed that easily? No need for fancy restaurants or expensive gifts, just type on your keyboard and she goes mental.... nice!Re:Beep! (Score:3, Funny)
I've just gotten off the phone with Bruce Perens, talking about that very topic! At the moment, both Bruce and I are too busy to devote much time to our Debian-focused e-newsletter, Elitist Open Source Zealot Virgin. As you may be aware, I am totally consumed with my current Windows port of apt-get, and Bruce has a full time job just keeping the hobos and crack junkies out of his cardboard box underneath the 23rd Street rail bridge.
Sincerely,
Debian Troll.
well... (Score:2, Funny)
1337 (Score:5, Funny)
Listening on port 1337
Somehow I think this is a very well chosen port...
4 years later May 28th (Score:5, Interesting)
As for the "What's the point" question... (Score:5, Interesting)
Think of it this way, these guys know probably better than anyone else NOT on the AOL IM team, just how much of IM conversations are monitored, logged, mined for information, media metrics...etc.
Not to mention, they work in that environment, they prolly want to be able to say "god damn, our executive VP is a bitch" and not have some network engineer provide a log documenting that conversation later.
Yeah, i wish it scalled, but wtf, its opensource. Go make it scale. For now, 10-50 is plenty for most groups of online friends.
Personally, I'd loved to see technology like Pastry [microsoft.com] get hacked into it.
-malakai
Linux port ? (Score:5, Interesting)
Re:Linux port ? (Score:5, Interesting)
I haven't used C in 3 years and I managed to get it to compile with a bit of hacking. As for stability, your guess is as good as mine...
diff -r waste/Makefile.posix waste_port/Makefile.posix
4c4
< RSAOBJS = md5c.o nn.o prime.o r_random.o rsa.o
---
> RSAOBJS = rsa/md5c.o rsa/nn.o rsa/prime.o rsa/r_random.o rsa/rsa.o
7,8c7,8
< CXXFLAGS = -O2 $(DEBUGFLAG) -pipe -march=pentiumpro
< CFLAGS = -O2 $(DEBUGFLAG) -pipe -march=pentiumpro
---
> CXXFLAGS = -O2 $(DEBUGFLAG) -pipe
> CFLAGS = -O2 $(DEBUGFLAG) -pipe
diff -r waste/connection.cpp waste_port/connection.cpp
771c771
< if (::getsockname(m_socket,(struct sockaddr *)&sin,(socklen_t *)&len)) return 0;
---
> if (::getsockname(m_socket,(struct sockaddr *)&sin,(unsigned socklen_t *)&len)) return 0;
diff -r waste/listen.cpp waste_port/listen.cpp
85c85
< int s = accept(m_socket, (struct sockaddr *) &saddr, (socklen_t *)&length);
---
> int s = accept(m_socket, (struct sockaddr *) &saddr, (unsigned socklen_t *)&length);
diff -r waste/srvmain.cpp waste_port/srvmain.cpp
31c31
< #include "md5.h"
---
> #include "rsa/md5.h"
diff -r waste/xfers.cpp waste_port/xfers.cpp
812c812,814
< if (!RemoveDirectory(s)) break;
---
>
>
>
Re:Linux port ? (Score:3, Informative)
Re:Linux port ? (Score:3, Informative)
The tricky thing is to set up the server properly.
The easiest way is like someone else pointed out to make a new profile in waste, (copy your own default.pr* files out of the way first).
Then, add your public SERVER key to your public-key list in the windows-client. And add your public-windows-client-key to the list of keys of the server.. (default.pr3).
Dont forget to NOT use a network name ( or make sure
Re:Linux port ? (Score:3, Informative)
It's compiled (I just made the changes shown elsewhere in this thread). Start up the windows version, create a private/public key pair
AOL Time Warner... (Score:4, Interesting)
Re:AOL Time Warner... (Score:3, Interesting)
Here is the full source (Score:3, Interesting)
---
WE AWAIT SILENT TRISTERO'S EMPIRE.
Why didn't they call it "Idiot"? (Score:2, Troll)
Another example of the marketing skill of technically minded people?
Re:Why didn't they call it "Idiot"? (Score:5, Insightful)
Revolution of Filesharing? (Score:5, Interesting)
There are two uses I see for this:
There are going to be groups of people dedicated to one theme, for example, Horror Movies, or Horror Movies with mutant bees, sharing all their Horror Movies, you will need a certain ammount of Horror Movie Uploads for Downloads and noone will ever be to know you had Queen Bee 1-3.
If you replace Horror with new release you get lots of small miniDonkeys, many interconnected and unstoppable.
I'm convinced this is a revolution in filesharing because it solves the two biggest Problems filesharing has, crappy downloads and getting sued.
The downloads will be of really good quality beacause you will be sharing with friends of people you know from chatting and if the put crap in their upload directory they won't be one of your cirle of friends much longer.
Getting sued is obvious, noone will be able to tell what you are doing (the might be able to guess that all those people on cable are not running a vpn yet) as just your circle of friends know. There is still the possibility that one of your friends is a traitor but i would call that a rare chance.
Getting it to work. (Score:3, Informative)
daemons name (Score:5, Funny)
It's a really useful tool for business too (Score:5, Interesting)
WASTE is something that is indeed very useful for small company or teams (especially dispersed teams) in larger organizations. In many places one or another IM system is being used to communicate with team members. Over ICQ or AOL contracts and employment conditions are discussed, remarks about contractors and clients are passed etc. That is a huge security leak if you look at it from a certain prospective, especially for some profiles of companies like small consulting firms with employees regularly using clients networks. WASTE is a simple to use and free method of closing that leak.
I know at least two small companies that should adopt WASTE immediately and I would advise them to do so. One is a PR company with 2-10 people offices around Europe, where ICQ is frequently used as a discussion medium. Other is a small consulting company. Someone eavesdropping on their ICQ chats could seriously damage both of them.
Re:It's a really useful tool for business too (Score:3, Informative)
It would be very easy for some network admin to do a man in the middle attack by intercepting all the trafic between you and your buddy (with the initial key exchange) without you knowing anything about it.
Having a false sense of security is worse that knowing that your communication is NOT secure.
A better way, would be to use PGP to enrypt your communication with your buddy. At least, if your a
What no LibTomMath for bignum RSA? (Score:4, Informative)
Common LibTomMath is like a billion times faster [not to mention very well tested]....
Plug plug plug!
http://math.libtomcrypt.org
Tom
Looks great but... (Score:3, Interesting)
How can I point it at a node that will allow me to try it out? I ask this because what if someone is on the internet and needs to connect to me network. How do I point them to my network?
Re:Looks great but... (Score:4, Informative)
You both need to enter each other's public key into your client to get started. This step shows that you "trust" one another.
Anyone else who wants to join your "network" must also enter one of your existing network members' public key into their client and have that existing member enter the new user's public key into *their* client. This step automatically makes the new person "trusted" by all the other members of the network - the important part is that you don't have to explicitly swap public keys with EVERYONE - just with one member of the network. The client does the rest once you connect to the network - see below.
Now, to get started and initially connect to someone's machine, enter their hostname or IP address (not their "username") into the "Network" window. This primes your client - it will then discover all it needs to know about the other members of the network, since by default, each client will be broadcasting discovery information (usernames, hostnames, public keys).
The "Browser" window shows all the users in the network, but currently ONLY if they are sharing one or more files. So, get each person who joins the network to share at least a test file so that they will always appear in everyone's "Browser" window.
Right-click on any names in the browser window to start interacting with them.
HTH
up and running on linux (Score:4, Informative)
my server's public key server name is entheal.com (you may have guessed from the public key
Re:up and running on linux (Score:3, Informative)
--- waste/Makefile.posix 2003-05-29 11:58:45.000000000 -0400
+++ waste/Makefile.posix.new 2003-05-29 14:00:34.000000000 -0400
@@ -8,7 +8,7 @@
wastesrv: $(OBJS) $(RSAOBJS)
- $(CC) $(DEBUGFLAG) -pthread -o wastesrv $(OBJS) $(RSAOBJS)
+ $(CC) $(DEBUGFLAG) -pthread -o wastesrv $(OBJS) $(RSAOBJS) -lstdc++
clean:
rm -f $(OBJS) $(RSAOBJS) wastesrv
The good, and the bad.... (Score:5, Insightful)
While on the surface, this might seem like a reinvention of IP tunnelling and VPN's, there are a couple of important features bundled in that set it apart:
1. It turns each node into a router. While you can establish a VPN with other tool kits, you still have to enable and configure the routing manually.
2. It's entirely user-land - it's a standalone program that a user can plop on their machine and be on their way.
The best part about it is that you can get through firewalls. The worst part about it is that you can get through firewalls.
Most people are pretty polar in their opinions of firewalls, with most of those people seeing them a fascist mechanism to control what they can see. In some (perhaps most) cases, that can be true. However, firewalls are much more than that: They can (and often are) used to protect YOU, the clueless end-user, from the other bad people on the Internet.
After I clear out counters on firewall rules, it's not uncommon to see 10-20 (sometimes more) incoming attacks within 5 seconds.
So, this will be great for letting people browse the web from work. On the other hand, it will expose them to propagation of worms and attacks which would have otherwise been caught by the firewall.
Is this a good program? Overall, I think that it's a good thing that NullSoft created it. We simply need to realize that with all of the benefits it brings, it will also bring a few negatvies with it.
steve
Waste Public Node List (Score:3, Informative)
well, the download page just went 404 (Score:4, Informative)
Re:well, the download page just went 404 (Score:3, Informative)
Looks like the guys at Nullsoft learned from Gnutella...
Found a Mirror (Score:5, Informative)
waste installer [blueyonder.co.uk]
waste source [blueyonder.co.uk]
Waste Mirror (Score:3, Informative)
Waste is here [sifnt.net]
Contents of the file are as follows;
This will be up until it's not. Enjoy! :)
--Pete (peteg [at] sifnt dot net)Re:I have to ask.. (Score:3, Interesting)
Re:I have to ask.. (Score:4, Informative)
Re:I have to ask.. (Score:5, Insightful)
Re:I have to ask.. (Score:5, Insightful)
The next time you want to have a chat with a friend, but you don't exactly want the contents bouncing all over the internet in plaintext, this looks like the perfect application. Reminds me somewhat of a program called SIMP [winfosec.com], which is a minimalistic Blowfish-ized IM program.
Re:I have to ask.. (Score:2)
Eh, no it doesn't. Even early versions of ICQ had direct communication between clients. Only if a client is offline does it go through a server. There is no way in hell that the servers could survive otherwise.
Although the messages are in clear text, so someone could sniff them. OTOH the same is true with email.
Re:I have to ask.. (Score:5, Informative)
I bet the other networks are the same. MSN, Yahoo, etc. Direct connections are a bit slower to start up, and a bit more of a security risk, since you now know the other person's IP address.
Re:I have to ask.. (Score:4, Informative)
It's KVirc 3 over at www.kvirc.net [kvirc.net].
It's primarily writen for KDE/Linux but they also have a pre-compiled Win32 stand-alone.
Re:I have to ask.. (Score:3, Informative)
Re:I have to ask.. (Score:4, Insightful)
Re:fix what needs fixing (Score:5, Informative)
Re:fix what needs fixing (Score:2)
How about you read my post again before you tell me what to do. I said "2.81 or whatever the latest 2x version is" . so that's 2.9 I never carved my answer in stone, I made it clear that I was not sure what the latest version was.
They already fixed Winamp, whiner (Score:3, Informative)
Secondly, not everyone shares your idea of "what they need to do". Winamp is a nice media player, but nevertheless just a media player; to many people, a protocol that facilitates cryptographically secure collaboration is infinitely more useful.
Thirdly, I'm not clear on what obligation you t
Re:They already fixed Winamp, whiner (Score:4, Interesting)
I know many people do feel the way I do, talk to most people who have tried 3.0 or even go to their website and see people bitching about it. Winamp is the most used player in windows, second only to WMP, though I wouldn't be surprised if more used. To stop trying to make a decent product and ignore the problems will cause them to loose their marketshare and thus make them worthless, not a very good business model if you want to be around to do other things like protocols.
Also I don't think many people care about this protocol, sure the paranoid types might, but this is very much something most people could care less about.
Also I in no way have said they are obligated to do anything. I was just pointing out how they have gone from something good to complete crap. I don't belive companies own anyone anything unless there was some deal which requires them to.
I doubt it was done in spare time, if it was employees doing something it was during work time, and if there are things that need to be done to your product you don't have "free time" . Free time is when there is nothing you should be doing.
Nullsoft is a company. Time is money for them. Users are money for them. Being a company that gives product away for free, the balance of keaping them is huge. If no one goes to your sight and clicks on ads and so forth they are done.
One last thing, they haven't fixed jake shit. winamp 3 is broken, go to their sight, winamp 3 is what they are advertising. Making updates to an older product is not fixing. To be fixed means they got all the issues sorta out with 3.0 .
Re:They already fixed Winamp, whiner (Score:3, Interesting)
GPL Licences (Score:2, Informative)
Quoting from the source:
Yes, it's GPL and it says so... (Score:5, Informative)
Try searching on 'GNU General Public License' Einstein.
Re:Yes, it's GPL and it says so... (Score:3, Interesting)
Re:Yes, it's GPL and it says so... (Score:3, Interesting)
Now if you can just explain away the RSA code that has the license that is incompatible with the GPL, everything will be fine.
Re:License? GPL (Score:3, Interesting)
I goofed, and grepped for "gpl". "gnu" would have been a better grep term.
However, there's still the rsa directory, which contains stuff not compatible with GPL. (Which puzzles me...since waste is GPL'ed, why didn't they use gmp for the math, or whatever gpg uses?)
Re:JabberIM does this (Score:5, Informative)
Re:downloaded, now what? (Score:5, Funny)
You need to have friends, dude! :-)
zRe:linux? (Score:3, Informative)
Re: Gone! (Score:4, Informative)
You'll have to register for the WinAmp forums first.
Not sure if the poster hacked/altered them first, but at least something appears to be there. I was unable to grab the installer earlier, but I did grab the .zip for the sources earlier. The .zip I grabbed earlier and the .zip posted in said forum match according to the cmp command.
I'm gonna build from the sources myself rather than run the posted .EXE.