[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[freehaven-dev] comments on Gnutella

Seen on cypherpunks...

---------- Forwarded message ----------
Date: Sun, 7 May 2000 18:07:27 -0400
From: David Marshall <marshall@athena.net.dhis.org>
Reply-To: cypherpunks@openpgp.net
To: Multiple recipients of list <cypherpunks@openpgp.net>
Subject: Re: Napster + StegoMPEG: prelude to eternity

keyser-soze@hushmail.com writes:

> Since the advent of Wrapster (a WinZIP-like tool for converting any group 
> of files to a MP3-like appearance) some cleaver users have included the 
> original (and hopefully correct) file length as part of the name.  This 
> is especially handy for the longer warez files, but could be used for Eternity 
> purposes.  I have yet to see a single music MP3 on Napster including the 
> file length.  Those with this addition are likely to be favored over the 
> common variety, displacing them and encouraging the retention of Eternity 
> MP3s.

Ah, so that is what is behind the bogus search results like "Hacker

Napster is centralized and only works with MP3 files. You connect to
one of many centralized Napster servers, perform a search, and get 
a list of results. 

A similar project, Gnutella, works for any kind of file. It's
distributed. Unfortunately, it's very vulnerable to DoS attacks: all
someone has to do (and this has been done) is spam a bunch of
bullshit searches across the network, and it propogates like the
Morris Worm until either it hits the end of the chain or the TTL
of the request is exceeded. Gnutella would work for what we're talking
about probably better than Napster would, but it has a lot of

* It's a bandwidth hog.
* Searches tend to take quite a while. This is an artifact of the system.
* There's no way to request a file listing for a user. Instead, one
  has to perform a search for a substring (e.g. ".mp3").
* It would be helpful if popular files were cached at intermediate
  points, and if cached files were marked as such. This would increase
  performance because you're actually grabbing the file off of a wide
  pipe instead of some 28.8kbps dialup user who will disconnect in 5
  minutes. The author of the "gnut" client is working on this, I believe.
* The existing clients leave much to be desired. (I don't know about
  the Windows clients, since I refuse to use that OS.)
* The potential for abuse is huge, and has already been partially
  realized. People spam B.S. searches all over the place like
  "METALLICA SUCKS!!!!!". Some other dillweeds have hacked their
  clients to return bullshit responses to search requests such as "THE
  RIAA IS WATCHING YOU," or sending back file lists with invalid
  pointer IPs (e.g.,, etc.)
* As with anything else, people mislabel files. I would imagine that 
  people trying to download music videos in MPEG format get porn
  a lot of the time. Someone was complaining on IRC a few nights ago
  that he tried to download some MPEG of 
* Resume capability in the clients I've used is apparently
  nonexistant. (Gnubile and Gnucleus, to be precise).
* Operations aren't anywhere near anonymous. As I recall, whenever you
  submit a query, your IP is sent along with it. I know that when you
  request a file, your IP is known to the sender, as the entire thing
  is peer to peer. The danger of this is highlighted by a recent
  scandal by ZeroPaid.com, which set up a bunch of files which were
  titled in such a way as to make them "obvious" child porn. The idea
  was that anybody attempting to download the files must be a child
  pornographer. Links to the full story and a discussion concerning it
  are available on Slashdot. Needless to say, the potential for
  abuse and misuse here is *HUGE*, since many people do a search, 
  pull down all the files which come back, and then review them
  later. Then there are people who cache files, and so on.

And of course there are problems with the organizational skills of the
users. It would be nice if someone searching for porn could specify
that. File descriptions and category fields might help here.

The resource requirement problems will probably be fixed out of
necessity, since Gnutella doesn't scale too well right now. I'm not
holding my breath for privacy concerns, though.

Systems like Gnutella tend to work better for people with big pipes
than they do for dialup users. If everyone had broadband, a kind of
CROWDS system could even be set up for these kinds of programs.

No, I am not volunteering to revamp Gnutella. 

> So has anyone developed an MP3 stego program?

You can't stego the source audio file prior to encoding,
because MP3 is lossy compression. Unfortunately I don't know the exact
format of the MP3s, so I can't comment on whether one could play with
the LSBs of the compressed data.