Combining BitTorrent With Darknets For P2P Privacy

CSEMike writes "Currently popular peer-to-peer networks suffer from a lack of privacy. For applications like BitTorrent or Gnutella, sharing a file means exposing your behavior to anyone interested in monitoring it. OneSwarm is a new file sharing application developed by researchers at the University of Washington that improves privacy in peer-to-peer networks. Instead of communicating directly, sharing in OneSwarm is friend-to-friend; senders and receivers exchange data using multiple intermediaries in an overlay mesh. OneSwarm is built on (and backwards compatible with) BitTorrent, but includes numerous extensions to improve privacy while providing good performance: point-to-point encryption using SSL, source-address rewriting, and multi-path and multi-source downloading. Clients and source are available for Linux, Mac OS X, and Windows."

Source?

[Anonymous Coward]

Hmmm. The "get source" button goes to an email form for me. Does anyone know whether the source is freely distributable? If so, could someone please upload it as a torrent?

Re:why? its all legal

[Anonymous Coward]

I'll be charitable and assume you are just uninformed. Inform yourself. [schneier.com]

Re:Source? GPLv2, Java

[hannson]

We're just packaging up the source now (we just released this today), and will post a link on the website soon. Thanks!

This is the reply I got from using the mail form.

Re:Been done, and better supported.

[L4t3r4lu5]

It's a darknet [wikipedia.org], therefore invite-only.

It relies on the model that "my friend knows 4 people who use that service, so I can acces my friend's connection to those 4 people. Those 4 people know 3 people each, so I can access those 4 people, and another 12. Those 12 people know..." and there we have a large, private, trusted network.

Plus, there's no need for any particular darknet to connect to another. you can run your own darknet between your friends, not connected to any other darknet.

How about...

[Rhabarber]

freenet [slashdot.org] (there is a dark net mode since version 7).

I remember people arguing dark mode being an anonymity thread itself. I case you computer is seized you and your 'friends' are immediately identified as part the of same conspirative group (based on client's friend list). Might rather be a problem in totalitarian systems where being suspicious is enough to face personal detriment (no pun intended).

Not a new idea

[Burz]

Try the following:

I2P net [i2p2.de]
MUTE/ Kommute [sourceforge.net]/ Ants/ Dargens
Alliancep2p.com
Filetopia.org
GNUNet
Rodi
Emscher ...and probably more.

Some of these like I2P use bittorrent over their anonymized network (a BT client is built into I2P but you can use some others... Note that Azureus aka Vuze has I2P support built-in!)

just use freenet

[AlgorithMan]

just use freenet [freenetproject.org] together with frost [freenetproject.org]

this [127.0.0.1] is an index of all (?) "freesites" - you can visit as soon as you have freenet running

for linux users:
wget "http://downloads.freenetproject.org/alpha/installer/new_installer.jar"
java -jar new_installer.jar
cd "/path/to/freenet/"
./run.sh restart
mkdir frost
cd frost
wget "http://mesh.dl.sourceforge.net/sourceforge/jtcfrost/frost-04-Mar-2008.zip"
unzip "frost-04-Mar-2008.zip"
chmod +x frost.sh
./frost.sh

you need to have java and I don't remember whether you need to run this as root. iirc you don't. The filename from the sourceforge link will vary - just check http://sourceforge.net/project/showfiles.php?group_id=25070 [sourceforge.net]

After viewing the demo video

[Burz]

OneSwarm seems to have a lot more polish than the P2P networks I listed: In-browser previews, codec translation of media files, integration with GoogleTalk, etc.

The basic transfer functionality appears to be similar although based on the invite-only darknet idea. Personally, I do not think these darknets offer much advantage, as the other P2Ps (and also Tor) offer anonymity by maximizing the number of participating nodes... which provides resistance to authorities trying to social-engineer and recruit their way into smaller friend-based networks.

Re:About time

[dgatwood]

Actually, assuming you're talking about an unmonitored repeater, you aren't knowingly doing anything, and thus, you should, at least in theory, be protected under the same sorts of DMCA exemptions as any other internet service provider that passes pirated/illegal content during the normal course of IP-based routing.

That said, if you do pass something inappropriate, IP number alone is almost certainly sufficient probable cause to obtain a search warrant. Having the same protection as an ISP doesn't mean they can't charge you with a crime or sue you for copyright violation, doesn't mean they can't confiscate your equipment, and doesn't mean the charges won't stick if they find evidence of the crime or copyright violation on your computer.

In short, if you are an innocent repeater, you are probably protected (though you may incur significant difficulty getting your confiscated equipment back), but if you are abusing your status as a repeater to mask the fact that you are doing something wrong, chances are they'll find you through some other means outside the scope of the protocol itself---possibly even outside the scope of the Internet entirely.

Re:Why not just put an encryption layer on top of

[Anonymous Coward]

Because the investigators don't eavesdrop on your connections. They come into the network as a peer and ask your client to send them chunks of whatever file you are currently sharing. It's very easy for them to do:

1. Search torrent site for popular movie/artist name
2. Download torrent
3. Connect to tracker, get peer IP addresses
4. Connect to peers, ask for parts of the file
5. File a John Doe lawsuit and subpoena ISPs for customer details

Encryption occurs between peers - so your ISP can't decode the traffic, but the investigator can, because it is a peer.

Re:I don't understand.

[complete loony]

But even if somebody is friends with the MAFIAA, that doesn't mean they can work out who you are. If the protocol is built correctly, (no I'm not going to read it) you would have to compromise every relationship between sender and receiver to work out who anybody else really is.

Nodes on this network know their immediate neighbors (friends), and pass messages around, but don't necessarily know anything about who the end points are.

Re:funding

[brusk]

No, he's referring to a bounced check. There's a $25 fee for that.

Re:Dumb

[evanbd]

Freenet [freenetproject.org] has an answer to the trust chaining problem. Each user (when in darknet mode, anyway -- there's also a non-darknet option) only talks to their friends. Trust is not transitory; if I want data you have, it has to get routed over trusted links. Obviously there is a latency and bandwidth penalty for this, but it's probably smaller than you'd think -- the network topology is well behaved, so playing 6 degrees of separation works fairly well. If someone screws up and lets the MAFIAA on, then I don't care -- it's only a problem for the people who trusted them. The darknet style links compartmentalize the damage. (It's actually even better than that, thanks to plausible deniability arguments I won't get into, as long as they only have a limited number of compromised nodes.)

Of course, the bootstrapping problem -- you need users to get content, and you need content to attract users -- is very real. If there are easy magic solutions, I haven't heard of them, and Freenet doesn't have them. It's still a small niche network, with a limited though nonzero amount of content.

If you're curious about how attacks work in the context of a strong darknet like Freenet, I suggest you ask around on the irc channel / mailing lists. Yes, there are attacks that will work -- the Freenet authors won't try to pretend otherwise. What Freenet *does* do is make those attacks very difficult with only comparatively modest assumptions about trust.

Re:About time

[morghanphoenix]

I've been doing BitTorrent over TOR for a while now. What makes this so great?

And this is one of the reasons I closed my exit node.

Re:About time

[Dunkirk]

Tin foil hattery aside, your best defense is a combination of reasonable doubt (the foundation of TOR, Freenet, and these new darknets) AND STRONG NON-PROPRIETARY WHOLE HARD DRIVE ENCRYPTION.

I wouldn't put away the TFB just yet. I'm just cynical enough to believe that just about ANY court in the USA would demand you turn over your encryption key under threat of simply being in contempt of court. A judge can basically throw you in jail until you comply, and that doesn't even allow your case to proceed. Even if you somehow worked around this, not giving up your key would be seen as an admission of guilt. Look, I know it's wrong -- fifth amendment and all that -- but this is reality here, and the republicrats don't really care any more.

Re:Not a new idea

[Anonymous Coward]

Freenet sucks for P2P sharing/storage; believe me I tried using it for P2P. The network is -not- designed for that; it's content model is designed specifically for relaying small static files and storing them forever. So say you try to insert a 700MB ISO file, what will happen is that you'll be sitting for an entire day waiting for all the keys to insert, you then insert the freesite, publish the CHK@ for your file, only to find out that half the keys for your file are missing, the other half take forever to retrieve, and everyone hates you because you're abusing the system anyway.

Re:This is clearly a criminal tool

[Tubal-Cain]

The RIAA have this idea that filesharing is, by definition, sharing of files covered by their copyright. So they attack indiscriminately. [slashdot.org]

The government has this fascination with invasion of privacy.

Re:Trust no one

[javvee]

That's the whole point, a tear will only affect locally. You, as an individual, simply don't add people you don't trust. If you don't have friends you trust today, you'll have to get them to start using the app and share your poems with them. In time the net will grow.

Re:This is clearly a BS tool

[Saffaya]

It has something to do with what all cartels do :
Jack-up the price of a product by artificially restricting its availability.

Examples that come to mind are the DeBoers cartel for diamonds, or the cartel of the music industry.

And btw, the US department of Justice does officially refer to the music industry as a cartel.

Re:This is clearly a BS tool

[Tom]

Here is what has changed:

Germany used to have a law that makes "private copies" legal. Where "private copy" is defined as making a low number (five is generally regarded as the "magic number") of copies for personal use of friends (with "friend" being defined as persons you have a close personal relation with, so most of your 1624 Internet "friends" wouldn't count).

It was perfectly good and everyone was happy. This law was, for example, what made it legal over here to create a mix tape (or CD) for your girl-/boyfriend. Or to say "sure, no problem" when your best friend said "wow, that's a cool album. Can you make me a copy?" - even the music industry seemed to be ok with it (free advertisement) and it made sure that law enforcement didn't have to waste resources on the ridiculous.

For the past four years or so, the music industry has changed its mind and pressured, bought, lobbied, etc. our lawmakers into changing the law. And they've finally succeeded (last year, I think).

And that does apply to the non "Arrr!" crowd. These changes make 15 year old teenagers who are in love into criminals. It makes grandma a criminal if she records her favourite song from the radio. It makes you and your wife criminals if you put a copy of the CD you bought on both yours and hers MP3 player.

PS: Don't lecture about loopholes and exceptions in american copyright law, I'm talking about german law and this whole virtual property rights bullshit is highly international.

Re:We already have this; it's pretty much worthles

[ultranova]

There have been BitTorrent clients for I2P for years now. They're useless, largely, because anonymous networks are nightmarishly slow and unreliable, and very, very few people bother to upload anything interesting (at least in my opinion).

Ironically enough, Freenet is actually pretty fast nowadays. Still nowhere near BitTorrent, but automatically dividing each file into multiple pieces and the mechanism which causes each piece to become hosted in more peers the more it is accessed results in automatic load-balancing and a torrent-like effect. It's certainly much faster than Tor, and not subject to DoS attacks.

Before anyone accuses me of trolling, I've been using TOR off and on at home since 2005, and I've experimented with I2P for about 6 months in the wake of whistleblowing of the NSA wiretapping program.

Tor isn't a darknet. It's an anonymizer. The fact that you're running a Tor node is not hidden; only what you're doing with it is. Even then there's a simple way of locating hidden services: simply correlate the uptimes of the server in question with the uptimes of Tor nodes.

Freenet doesn't have that problem, since accessing inserted content doesn't require contacting the node that inserted it; however, on-demand insert by Frost might cause a vulnerability, if the attacker controls a node adjacent to yours, since they can then see that a disproportionate amount of pieces for that file are coming from your node. Premix routing should fix that once implemented.