Countermeasures

ziggy on 2002-09-04T14:47:25

I came across an article recently (sorry, I forget where) that the most effective way to undermine a peer-to-peer network used to illegally copy copyrighted songs is to flood it with bogus files (proper filename and length, but containing nothing but noise). This won't completely eliminate illegal copying, but it will reduce it to small communities (i.e. everyone in the same dorm). This is an effective countermeasure because it's focused; RIAA wants to prevent outright copying of songs from Metallica and Eminem, while small indie artists like Stinking Lizaveta or the Lee Harvey Keitel Band actually want peer-to-peer networks to distribute music to their fans.

Another variation on this same theme: wireless chaff. Basically, spew bogus 802.11 packets into the air to confuse anyone trying to hack into a WLAN. It doesn't prevent abuse of an access point, just makes it slightly more difficult for an attacker to sniff the important bits out of the air.


Poisoning P2P

vsergu on 2002-09-04T15:34:35

Sounds like this Business 2.0 article, referenced in this Slashdot article.

Re:Poisoning P2P

ziggy on 2002-09-04T15:39:44

Yep. That's the one. I was reading Business 2.0 on the train yesterday.

MD5 checksum

cbrooks on 2002-09-04T18:06:20

Couldn't a simple MD5 checksum and comparison to some database of checksums for known songs avoid this sort of problem? Of course, then you might have a problem of record labels forging bogus checksums to trick P2P clients into accepting bogus music. Hmmm. Some company could start a business signing the checksums....

In fact, the record labels themselves could sign the checksums, and charge for a subscription to the checksums, rather than the music itself. Cheaper than building their own platform....

Re:MD5 checksum

pudge on 2002-09-11T02:35:38

You can't really do a checksum of an MP3 reliably ... you and I could both rip a CD, with the same settings, and get different files with different checksums.

Re:MD5 checksum

cbrooks on 2002-09-11T13:26:47

Hmmm. If the idea is to allow anyone with access to a P2P network to rip a song from a CD and make it available for sharing, they could each rip songs of slightly different length, or songs that begin or end with slightly different amounts of white space, etc. Each of these files would generate a different MD5 checksum. So, (if that is the point that you are making) then you are right -- I didn't really give that possibility much thought.

However, it seems like there are two very different approaches along the same lines that would still work:
  • Develop an algorithm* that generates a signature based on the different notes that are played, the distance between the notes, the timbre of the instruments, etc. Then, issues like white space before and after a song would not matter. (Although clearly, depending on the amount of fuzziness allowed by the algorithm, two different versions of the same song (perhaps live vs. studio recording) would not be likely to match). So, this solution is not a "simple MD5 checksum" as mentioned in my post, but I think it would accomplish the same goal.**
  • If there was anything interesting in my post, it was the idea that an opportunity might exist for a company to sell the signatures of songs, while giving away the songs themselves for free. Therefore, the recording studios could still distribute "official" length versions of songs with associated checksums, and provide a subscription product for a fee which would identify those official versions. The real issue is whether there is enough chaff in the P2P network that people would be willing to pay to separate the chaff from the wheat.
* A fair amount of work seems to have been done on this problem. See, for example, this link or this one.
**Of course, one necessary characteristic of said algorithm is that it needs to be difficult to generate the same checksum for different songs -- it needs to be non-trivial to generate "signed" chaff.
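
An added sketch, not part of the original posts, of the contrast discussed in this exchange: an exact MD5 checksum differs between two rips of the same audio, while a content-derived signature that ignores surrounding silence and gain still matches and rejects noise chaff. The signals, frame size, thresholds and the zero-crossing signature itself are assumptions made for illustration.

```python
import hashlib
import math
import random
import struct

FRAME = 100  # samples per analysis frame (value chosen for this example)

def md5_of(samples):
    """Exact-bytes checksum of 16-bit PCM, as in the 'simple MD5' proposal."""
    pcm = struct.pack(f"<{len(samples)}h", *(int(s * 32767) for s in samples))
    return hashlib.md5(pcm).hexdigest()

def trim_silence(samples, rel=0.02):
    """Drop leading/trailing samples quieter than rel * peak amplitude."""
    peak = max((abs(s) for s in samples), default=0.0)
    loud = [i for i, s in enumerate(samples) if abs(s) > rel * peak]
    return samples[loud[0]:loud[-1] + 1] if loud else []

def fingerprint(samples):
    """Toy content signature: zero crossings per frame (a rough pitch contour).
    It is NOT collision-resistant, so it does not meet the 'hard to forge'
    requirement from the second footnote; it only shows the matching idea."""
    s = trim_silence(samples)
    frames = [s[i:i + FRAME] for i in range(0, len(s) - FRAME + 1, FRAME)]
    return tuple(sum((a >= 0) != (b >= 0) for a, b in zip(f, f[1:]))
                 for f in frames)

def same_song(fp_a, fp_b, tol=1):
    """Fuzzy match: same frame count, every frame within tol crossings."""
    return len(fp_a) == len(fp_b) and all(
        abs(a - b) <= tol for a, b in zip(fp_a, fp_b))

def tone(freqs, n=400, rate=8000):
    """Constructed test signal: a short sequence of sine 'notes'."""
    return [math.sin(2 * math.pi * f * i / rate) for f in freqs for i in range(n)]

def demo():
    rip_a = tone([440, 494, 523, 587])                # constructed "song"
    # Second rip: same audio, quieter, with extra silence before and after.
    rip_b = [0.0] * 250 + [0.8 * s for s in rip_a] + [0.0] * 130
    rng = random.Random(0)
    chaff = [rng.uniform(-1, 1) for _ in rip_a]       # same length, pure noise
    fa, fb, fc = fingerprint(rip_a), fingerprint(rip_b), fingerprint(chaff)
    return {"md5_equal": md5_of(rip_a) == md5_of(rip_b),
            "a_vs_b": same_song(fa, fb),
            "a_vs_chaff": same_song(fa, fc)}

if __name__ == "__main__":
    print(demo())
```
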

Re:MD5 checksum

ziggy on 2002-09-11T14:22:26

I think you're way overthinking the issue.

The first generation of p2p was random file sharing that aggravated RIAA, but delighted many artists. RIAA wants to prevent people copying the new Eminem or Metallica albums (even before they're released). They're trying to use the law to stop p2p because they're claiming they're losing money (they're not, but they are losing absolute control).

The first generation solution to this new technology is a technological answer: adding chaff to the p2p network to discourage widespread copying. This addresses the real problem: user behavior. Legal solutions try to reduce the supply (unsuccessfully), while adding chaff changes the dynamic and reduces demand.

The second generation of p2p will involve some form of cryptography, but simple MD5 checksums are insufficient because of the nature of mp3/ogg encoding. Sharing signed files is likely to have some benefit - you can establish a "web of trust" on the people who create/publish files. If you download an unsigned file, you're on your own (and you may have downloaded some chaff). If you download a file signed by someone you trust, then you're likely to avoid downloading (and re-publishing) chaff.

Of course, this brings up another issue: accountability.

Re:MD5 checksum

pudge on 2002-09-11T15:00:44

Actually, your method is being researched, but by the people who would use it to destroy P2P music-sharing. They get algorithms to identify songs based on their content and then use that as evidence to attack the network and persons using it.