I got a Cease & Desist Letter!

"Security through obscurity" is a phrase being tossed around by those who don't really understand much of anything.

There is nothing obscure about the techniques that BearShare uses to digitally sign query hits or require challenge/response authentication in host connections - they are all built from sound, proven cryptographic primitives that are published and well documented.

If we were using obscurity, we would have made up our own cryptographic algorithm - this would be a poor choice.

So when you hear someone say "security through obscurity" in the context of BearShare, this is a clear sign that they don't know what they are talking about.
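The nonce-based challenge/response that the post refers to can be sketched like this. It is an added illustration, not BearShare's code: the shared secret, the 30-second validity window and the names `HostVerifier`, `answer_challenge` and `demo_replay` are all assumptions. It shows why a captured response cannot be replayed: the verifier discards each nonce on first use.

```python
import hashlib
import hmac
import secrets


class HostVerifier:
    """Connection acceptor: issues one-time nonces and checks HMAC responses.
    Hypothetical illustration; the shared key and TTL are constructed values."""

    def __init__(self, key: bytes, ttl_seconds: float = 30.0):
        self.key = key
        self.ttl = ttl_seconds
        self.pending = {}  # nonce -> time issued; an entry is removed on first use

    def challenge(self, now: float) -> bytes:
        nonce = secrets.token_bytes(16)  # fresh, unpredictable per connection
        self.pending[nonce] = now
        return nonce

    def verify(self, nonce: bytes, response: bytes, now: float) -> bool:
        issued = self.pending.pop(nonce, None)  # pop: a second use finds nothing
        if issued is None or now - issued > self.ttl:
            return False  # unknown, already used, or expired challenge
        expected = hmac.new(self.key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time compare


def answer_challenge(key: bytes, nonce: bytes) -> bytes:
    """Connecting host: prove knowledge of the key without ever sending it."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def demo_replay() -> tuple:
    """Returns (genuine accepted, replay rejected, wrong key rejected, stale rejected)."""
    key = b"constructed-shared-secret"
    v = HostVerifier(key, ttl_seconds=30.0)
    n1 = v.challenge(now=100.0)
    r1 = answer_challenge(key, n1)
    genuine = v.verify(n1, r1, now=101.0)
    replayed = v.verify(n1, r1, now=102.0)  # the captured pair, re-sent
    n2 = v.challenge(now=200.0)
    wrong = v.verify(n2, answer_challenge(b"other-key", n2), now=201.0)
    n3 = v.challenge(now=300.0)
    stale = v.verify(n3, answer_challenge(key, n3), now=400.0)  # past the TTL
    return genuine, replayed, wrong, stale
```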
 
I don't think any of us are happy about the split. And if anyone can give an idea how to apply security across gnutella as a whole I'm sure the developers would be all ears.
 

That's an obvious lie. Vinnie, we are not all unskilled users. Your encryption scheme is proprietary and undocumented; no other GDF member uses it. Commonly known as security through obscurity.


You need a little bit more than insulting or badmouthing open source software. Please read the thread on Zeropaid (link above). It explains why so-called secure channels cannot work, why it's a pure marketing gag.

I know Vinnie tries to give himself an
 

It's nice that you show your true face... the next time one of your knights tells me something about fair competition, he will see a link to this thread here!

And don
 

You know security within the BearShare net and within the Gnutella net is an illusion; the developers should find the best way for the whole net...

What Vinnie is doing is using the way he likes most, but this is SURELY not the best way...

About the split, what will happen next? LimeWire and other commercial vendors will start to add similar features, and this will kill the net... but Mr. Falco is prepared; it seems like he is planning something like this...

He should be fair and leave the net if he thinks that Gnutella isn
 
I really don't want that, but I don't see an alternative. If you look at LimeWire's host graph, there has been a sharp increase in the rate of decline of the network size. It started about 3 weeks ago, and it coincides with reports of an increase in fake query hits and download troubles.

There was also a recent paper that shows that all it takes is a small decimation of a population in order to cause a catastrophe. In Gnutella's case, targeting less than 1% of the high-volume servents sharing files can cause a mass exodus of users from the network.

Therefore, the choice is in the hands of the users.

Notice that FastTrack, AudioGalaxy, iMesh, et al. all have proprietary networks and they have the highest download success rate and best search results.

And no, Secure Channels authentication features are not vulnerable to a replay attack.

And even if they break the key, we have facilities for rotating the key schedule from an external source using special messages which are digitally signed. The method used to rotate the key schedule is such that a client has no knowledge of the "next" key in the rotation until a piece of a secret share (Shamir's secret sharing algorithm) is retrieved.

Besides, reverse engineering is a violation of the DMCA, and no legitimate company that receives venture capital would dare to do such a thing - they have too much to lose.

Comments welcome.
 
I don't find the site amazingly helpful. It posts explanations of terms to some degree, but it doesn't really conclude anything about individual letters. Interesting site though.
 
Yes, this is not even ONE solution; "secure channels" do not work! The Zeropaid thread explains why Vinnie's "secure channels" are an illusion.

I wonder what Vinnie was thinking; did he consult a lawyer first? I have the suspicion that "secure channels" have nothing to do with security, they are a secret attempt to split Gnutella into smaller proprietary network$.

Money not security.
 
I got a Copyright Violation Notice from MPAA/BSA for File Sharing on Gnutella and FastTrack!

Summary:
People are getting Copyright Violation Notices from the Business Software Alliance (BSA) and Motion Picture Association of America (MPAA) via their ISPs saying they have broken the Digital Millennium Copyright Act (DMCA) and Copyright Act for file sharing over the Gnutella and FastTrack peer-to-peer networks as well as IRC and others. At least 17,000 incidents have been recorded. They have the IP address, time of transfer, file name index, file sizes, protocol and program names as evidence.

Digital Millennium Copyright Act (DMCA), Title 17 United States Code Section 512.
Copyright Act, Title 17 United States Code Section 106(3).

Here's some more info I found reading the DMCA and searching with queries like
WIPO WTO DMCA TRIPS MPAA BSA ISP OSP Gnutella FastTrack etc.

Did the ISPs violate privacy rights?
No. They forwarded the notice and didn't share my E-mail or home address.
The MPAA or BSA can subpoena my contact info and the ISP must comply but the info can only be used for the Copyright Case.

Did the MPAA or BSA violate privacy rights?
No. My IP and file index were offered by me to the Public p2p net.

Do they have to prove I don't own the material in question?
No. Distributing copyrighted material is illegal even if you own it.

Do they have to prove that I shared copyrighted material?
Yes. Just the filename and size should not be enough to prove the material was actually copyrighted and not just named like it. For example I had a movie with the words "is FAKE" added to it, but it was still included in the violation list.
I don't know if they had a sample of the file contents. The collection methods from RangerInc are secret.

Are users who aren't doing massive transfers going to face this?
Yes. It is bots collecting this data, so there will be no "flying under the radar", because bots are cheap and easy and will lower the horizon of the radar to the ground.

Will this kind of thing happen in other countries?
Yes. This is happening in Canada and the US right now. Also there is a global agreement on Intellectual Property which is enforced by the World Trade Organization and overrides all WTO countries laws. The DMCA is how the USA is complying with this treaty. The EU and Russia are working on their versions of these laws right now.

What are the penalties?
Your ISP can cut off your service before proving anything. Just "good faith" by MPAA or BSA is enough. If your ISP doesn't cut you off they lose their "common carrier" immunity from liability. Qwest and @Home ISPs are two that are taking part. If you are found guilty the penalties are up to $500,000 and ten years in prison. If you choose to challenge the notice then you MUST agree to be under US Federal jurisdiction, even if you live in another country.

Here's more info and some links ...

The information is gathered by RangerInc Corporation's bots.
They were hired by the MPAA and BSA.
The bots have been running since April of 2002.
http://www.rangerinc.com/solution/solution_main.htm

Reverse lookup on www.rangerinc.com/
shows
I.P. 216.122.215.13

An arin whois query from http://ws.arin.net/cgi-bin/whois.pl
on 216.122.215.13 to find out who actually owns it
shows
LightRealm Communications (NETBLK-LR-BLK4) LR-BLK4
216.122.0.0 - 216.122.255.255
HostPro, Inc (NETBLK-HSTPROSEA-NETBLK204) HSTPROSEA-NETBLK204
216.122.204.0 - 216.122.223.255

If your client for Gnutella, FastTrack, IRC, etc. allows you to filter hosts then add
216.122.*.*
to your block list.
That should stop them from connecting unless they change hosts
providing the bots run from that IP range and don't spoof their address when connecting to your client.

Here are some more links.

Another customer cut-off
http://www.ekosweb.com/wipout/essays/0904guha.htm

OSP requirements (take-down) or be liable
http://www.arl.org/info/frn/copy/osp.html

More info for those who have been notified or want to learn more.
http://www.chillingeffects.org/dmca512/faq.cgi#QID132

Also please check out
http://www.eff.org
http://www.anti-dmca.org
http://www.macfergus.com/niels/dmca/index.html

I'm dial-up 56K now. But when I get broadband again I'm going to drop Gnutella and only use encrypting and anonymizing apps like Filetopia http://www.filetopia.org and FreeNet http://freenetproject.org
 
I don't think dismissing the potential for security on Gnutella is necessarily going to help anything. Even if it can't be worked out it's worth a shot. And just from the surface knowledge (read "underlying concepts") I have of encryption and validation techniques I do know there are ways to increase security dramatically in a proprietary system (such as BearShare's secure channels).

I'm doing the best I can to see if these concepts can be applied to something like Gnutella without giving so much control to a governing body like the GDF that, given something like a court order, they could shut the network down (as could happen with revocable certificates).

It's a tough problem to tackle and I'm probably not going to be the one to solve it, but I'm not going to dismiss the possibility.



Um, Morg.. in one breath you just complained about the split and in the next you just advocated BearShare leaving Gnutella.. that's what the split is dude.
 
Alright, I'm upgraded to "knight". They are better looking, get armor and a nice sword, a steed and all the wenches they want, so I can't complain..

Fair competition? Why don't you do Gnutella and P2P a favor and explain that to the trade groups!

They are the ones who are trying to get rid of P2P by hiring firms to monitor and spam Gnutella, send automated notices to users to weaken and eventually shut down the network, making security related features needed in the first place. They are the ones who are continuing to sue programs and are now trying various ways through legislation to stop P2P. While this is happening how can there be fair competition when someone else is trying to destroy you and the competition?

Should they be allowed to send fake data, target users and target users? No of course not, but how do you prevent it without losing the "open network"? If it truly is an open network, shouldn't they also be entitled to know about whatever security plan is implemented to stop them, or have it be compromised? That is the million dollar question..
 
I was silent because nobody really cared (especially developers, who gave me a troll rating), not because I was convinced clustering from those commercial vendors has a non-harming effect on Gnutella. I see BearShare's politics getting worse and the marketing "arguments" more ridiculous.

PS: Reverse engineering is not forbidden in Europe.
 

Yes of course and now ALL developers should fight also instead of solving the problems together...

Ah I forget Vinnie need some features that others don
 
1.) Find out where they are located, tell the USA that "terrorists" are camped there, sit back and watch the bombs drop

2.) That would require proxies which is in no way efficient or entirely untraceable. (Unless someone comes up with another method.)
 
No, my problem is not the split, my problem is that he forces others to act like he wants, or do you think the other developers will watch and say "OK, we will be fair" (especially the commercial ones)... and this will destroy the Gnutella net. So he should create his own net and he can make his own rules... but before he destroyed the Gnutella net!

Morgwen
 
Actually, despite the various breaches possible with different encryption schemes that thread brought up none of them. The only thing relevant that was shown there was some **** anonymous poster jumping to the conclusion that everything was dependent on the EULA alone. Talk about insecurity



[No insults please]
 