"The company doesn’t reveal how it works, but they appear to be flooding clients with fake information, masquerading as legitimate peers."
"For a month Pirate Pay’s technology protected the film “Vysotsky. Thanks to God, I’m alive,” (distributed by The Walt Disney Studios Sony Pictures Releasing company) with moderate success."
It's probably based on the problem of malicious clients in the network consensus problem. It states that if more than a third of all clients are malicious it is not possible to come to a consensus.
The solution would be to have a trust of clients, where every client vouches for another. The most important thing is that it has to use certificates; if not, you get the following problem.
I am client 'c'. I heard from client 'a' that client 'b' is dirty. So I tell this to client 'd', but the truth is I'm lying. However now the problem is: Is 'a' lying about 'b' or am I ('c') lying about 'a'? However having the messages signed by the clients solves this problem.
It always seemed to me that the simplest way to protect content is to just upload a bunch of garbage with the same file name making it impossible to locate the actual movie, app, etc. It doesn't seem like it would require a lot of sophistication either. It could probably be done effectively, even showing a 90-minute repeating trailer for the movie or something similar. I think a lot of people pirate simply because it's the easiest way to get a movie. If paying $9.99 becomes the easiest way, then a lot of casual pirates will just buy it.
Virus writers seem to like this technique, uploading garbage to Usenet (50Kb files pretending to be a feature film, etc.). I've always wondered why movie studios didn't do more of that.
For films and the like it might be easy to get around this - the release teams could sign their releases. It might be theoretically difficult for them to get their public keys out into the ecosystem, but it would be pretty easy in practical terms.
For arbitrary data you could possibly have a rating/tagging system. I guess the content industries could fudge the votes, but if the votes were tied to identity/pseudonyms they'd have to be clever to beat any kind of data analysis.
The effectiveness would probably depend on how many garbage alternatives you provided, and how sophisticated/varied their uploading is. Too many bad files and voting and signing might not be practicable, and you'd have to resort to some kind of automated spam-detection. White-listed sources are workable in the worst case, but I'm sure there would be other, better ideas around.
Signing pirated media? Would the release teams really want to give the RIAA the ability to cryptographically prove that they were the ones who released the material?
No, but if you're caught with a hard drive full of pirated material AND the encryption keys for those releases then you're gonna have a hard time in court. The keys need not be government issued to prove you're responsible.
Scene groups provide nfo files with their releases. Those nfo files could contain a cryptographic signature proving the authenticity of the rip.
Essentially, the way it works is that for a given group there are two keys: A private key `P` (that only the group has), and a public key `Q` (that everyone has). For a file `F` the "signature" is the output of some function `sign(P, Q, F)`. The function `sign` is specially chosen so that the output can be validated without access to `P`, but cannot be efficiently forged without it.
As other posters have pointed out, this means that if `P` is kept secret then all signed releases can be authoritatively linked to the people who provided them. Finding `P` on someone's thumb drive is a smoking gun. To be honest, I don't think this would be a big worry, but I'm not in the scene and I don't know how the people in it think.
Classic scene groups are not interested in having their releases spreading on torrent sites, so including any signatures would be helping with what they don't want to happen in the first place.
That said, a third party could add a signature. But in practice a cryptographically secure signature isn't even needed. It boils down to a reputation system, so that you can associate a torrent file with quality, and this has already existed since forever on sites like The Pirate Bay in the form of uploader usernames. A lot of torrents are uploaded by the same users, users who have a history of quality torrents. In contrast, a Hollywood uploader would never have any actual quality torrents in the account history. So in conclusion, this problem was already solved ages ago.
The warez group CORE sign their releases with CRCs in their NFO files. They distribute a checker program called core10k.exe which ironically often turns up with malware injected into it on p2p sites.
Yeah, but that is to check the file integrity, that's something entirely different. Anyone can calculate a CRC checksum for any garbage files they want, upload it and label it as a CORE release. There is no way to verify that the release is genuine. And if you tamper with an authentic release, for example introduce some malware, you can simply recalculate the checksum itself. This would be impossible if the release were cryptographically signed because you would need CORE's private key to generate a valid signature.
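The contrast drawn in the comments above, between a CRC that anyone can recompute and the `sign(P, Q, F)` scheme that needs the private key, as an added example that is not part of the original thread. It assumes a Lamport one-time signature over SHA-256 as a stand-in for whatever scheme would really be used (its `sign` takes only `P` and `F`, and each key pair may sign one file); the payload bytes are constructed.

```python
import hashlib
import secrets
import zlib

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    # Private key P: 256 pairs of random secrets. Public key Q: their hashes.
    P = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    Q = [(H(a), H(b)) for a, b in P]
    return P, Q

def digest_bits(F: bytes):
    d = int.from_bytes(H(F), "big")
    return [(d >> i) & 1 for i in range(256)]

def sign(P, F: bytes):
    # Reveal one secret per digest bit; a Lamport key must sign only one file.
    return [P[i][b] for i, b in enumerate(digest_bits(F))]

def verify(Q, F: bytes, sig) -> bool:
    # Needs only Q: each revealed secret must hash to the published value.
    if len(sig) != 256:
        return False
    return all(H(s) == Q[i][b] for i, (s, b) in enumerate(zip(sig, digest_bits(F))))

def crc_check(F: bytes, tag: int) -> bool:
    # Integrity only: the tag is a keyless function of the file.
    return zlib.crc32(F) == tag

def compare():
    P, Q = keygen()
    release = b"constructed sample payload"        # constructed input
    altered = release + b" plus appended bytes"    # modified copy
    sig = sign(P, release)
    return {
        "crc_genuine": crc_check(release, zlib.crc32(release)),
        # Whoever alters the file can ship a fresh matching CRC with it.
        "crc_altered_with_new_tag": crc_check(altered, zlib.crc32(altered)),
        "sig_genuine": verify(Q, release, sig),
        # Without P the old signature is all a modifier has, and it fails.
        "sig_altered": verify(Q, altered, sig),
    }

if __name__ == "__main__":
    print(compare())
```

The CRC check passes for both the genuine and the altered file, while signature verification passes only for the file the key holder actually signed.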
This doesn't work on sites like The Pirate Bay where trusted uploaders make it easy to find what you're looking for. If my torrent was uploaded by eztv then I know what I'm getting.
Definitely wouldn't change anything for people who are determined. But it probably would reduce casual pirating & it's so simple I just am surprised we don't see more of it. Not saying that I want it to happen, just surprised.
It definitely works on usenet - virus spam can make some things impossible to find.
Not too many 'casual' pirates download from usenet. They just go to The Pirate Bay and the comments will always tell you a file is fake before you hit the download link. These fake torrents do exist in large numbers but they're trivial to avoid.
Each layer is a different tracker. The amount of the layer that is blue is the % of nodes on that tracker that are seeders. The orange part is the % that are peers (not seeding). Usually the graph looks more like the one for Lost - mostly orange peers with a few blue seeders. The unusual ones are mostly made of nodes that are (claiming to be) seeders.
I wonder if this might have anything to do with more people trying to use hacked up BT clients in the hopes of avoiding ISP crackdowns supposedly imminent in the US (and already in effect in other countries):
"uTP on the other hand allows BitTorrent nodes to dynamically adjust bandwidth congestion at the protocol level and also provides some additional functions, like support clients using low bandwidth or sharing ADSL line with a web browser."
In other words, this isn't a threat to Bittorrent as a technology alone, yet. I wonder how much of an impact it makes on uTP-enabled clients and if you'd be better off disabling it if you connect to an affected swarm.
Correct me if I am wrong: won't those uTP forged/bad "datagrams" be dropped by the client when the hash doesn't match? And then wouldn't the client ban those source IPs from its pool of connected peers?
In other words, the techniques these anti-piracy outfits appear to be using to prevent people from sharing copyrighted movies could be illegal. If that is the case then the movie companies who hire these anti-piracy outfits may be complicit in cybersecurity crimes.
I'm sure the DoJ will be handing out indictments in the very near future. <sarcasm/>
It's unfortunate that the only data that really gets protected in the US is Hollywood's.
I do not pretend to understand very much of the original post. The TorrentFreak "translation" did make it a bit more clear, but I'm pretty much boiling this down to, "somebody is trying to poison the Internet -- if not now, then sometime soon".
It's easy to forget how young a medium the Internet is and that there are going to be a lot of pitfalls along the way that we haven't begun to imagine. This seems to be one of those. I guess the question that I have is simple: what happens next?
Somebody's up to something and it's most likely not good. Who that somebody is, no one is sure. To be honest, they're not even entirely sure what it is they're up to.
Discussion: http://news.ycombinator.com/item?id=3966774