Welcome to P2PNET.net - The original daily p2p and digital news site. Always First!

Time to WASTE?

p2pnet news view Freedom | P2P:- “WASTE is a tool that is designed to permit secure distributed collaboration and communications for small trusted groups of users,” said p2pnet way back in 2004.

“WASTE is a software product and protocol that enables secure distributed communication for small (on the order of 10-50 nodes) trusted groups of users,” says the sourceforge site.

“WASTE is designed to enable small companies and small teams within larger companies to easily communicate and collaborate in a secure and efficient fashion, independent of physical network topology.”

Excellent. So what happened to it?

Big Fly Net is wondering the same thing.

Says glider >>>

I had been following, on and off (mostly off lately), the permutations of Jonathan Frankel, the mastermind behind WinAMP and Gnutella. I knew he’d sold WinAmp to AOL and, by most accounts, had sorely regretted the decisions (as expected, WinAmp began to, well, suck as soon as AOL acquired Nullsoft). Anyway, it was at AOL that Frankel developed Gnutella, but AOL, in deference to the RIAA, and in an effort to distance itself from filesharing, told Frankel to kill the project, and a related project called WASTE.

So Frankel quit. And the rumor was that he took WASTE with him - a better p2p system that would be totally invisible to anyone but those using it. (WASTE was sort of like a p2p-specific version of the Free Network Project, which was introduced around 2000, but only recently got off the ground.)

Frankel called it WASTE after Thomas Pynchon’s WASTE (from The Crying of Lot 49), which is a renegade underground postal system operating in plain sight of the status quo, but remaining undetected. A version of the full story is here, but suffice to say I lost track of the WASTE project.

Until now. WASTE was registered at sourceforge in 2003 and enjoyed a few years of development, then quietly died before it really got going. However, just over a year ago the WASTE forum at sourceforge received this post:

“Is WASTE alive again? I’m not really sure. After 3 years on the internet, it’s actually more relevant than it was way back in version 1.0b. With government wiretapping, ISP logging, and general sneaky spying, it’s a great time to keep your private matters … well … private … With that, I’d say it’s time to kick this dusty old project back into gear.”

Sadly, to be honest, not much appears to have happened since the announcement (it’s still at v1.5-beta 4), but I think he’s right.

So let’s help get this dusty old project back into gear.

Start by getting WASTE and setting up your own darknet.

Here’s what it says on the sourceforge info page >>>

WASTE creates a network of hosts, making whatever connections possible, and typically routes traffic via the path of lowest latency (which effectively ends up as load-balancing, though it is far from ideal).

With at least one host outside of firewalls (or behind a firewall but having one incoming port open), a WASTE network can enable all supported services (including chat and file transfer) between any two hosts.

WASTE uses three main classes of messages: Broadcast messages, routed reply messages, and local management messages.

Broadcast messages are sent from a host when the host wants to either notify or request information from all hosts on the network.

Routed reply messages are sent in response to a broadcast message, routed back to the host that initially broadcast the request.

Local management messages are sent directly between two nodes to negotiate link configuration parameters etc.

The network messaging structure is flexible and there is plenty of room for new message types to enable new services and functionality.

Each link on the network is secured and authenticated, but messages are not secured point to point, which means a trusted user on the network can theoretically spoof and/or sniff traffic. For more information, see the security section.

Security

WASTE builds a distributed network of hosts, and secures each link in the network. In securing each link, WASTE also authenticates each link using public keys.

WASTE also provides a mechanism for hosts on this network to exchange keys automatically with each other once a host is trusted on the network.

How WASTE Secures Links

WASTE secures the links of the WASTE network by using RSA to exchange session keys and authenticate the other end of the connection. Once the hosts have authenticated each other and both have the correct session keys, the connection is encrypted using Blowfish in PCBC mode (using different IVs for each direction of the connection). The oversimplified process for bringing a link up is (see comments in the code and the code itself for a more in-depth view):

1. Both sides exchange public key hashes, and verify that they know that hash.

2. Both sides exchange session keys and challenge-response tokens encrypted with each other’s public keys.

3. Both sides decrypt and verify the challenge-response tokens, and begin encrypted communication (a stream of messages, each message is verified using an MD5).

There’s a lot more to it than that, but that’s the basic idea. The reality of it is that there is also a “Network ID/Name” feature that allows you to easily keep networks from colliding, as well as efforts to obfuscate the whole process (to make WASTE connections difficult to detect). Another unique feature is the way session keys are exchanged and combined so that in order to decrypt past (recorded) traffic, both private keys of a connection need to be recovered.

Note: It might be worth implementing WASTE using a subset of SSL, to avoid any concern of flaws in this protocol. Feedback is gladly accepted on any potential weaknesses of the negotiation. We have spent a decent amount of time analyzing this, and although we have found a few things that are not ideal (i.e. if you know public keys from a network, you can sniff some traffic and do an offline dictionary attack on the network name/ID), overall it seems decent. The current implementation probably needs work, too.

Why WASTE requires a trusted group

Since the security in WASTE relies on encrypted links, and messages are not encrypted point to point, a node on the trusted network could easily sniff or spoof messages. So yes, your friends can spy on you. But you were not really worried about them, were you?

How WASTE Prevents Information Leakage

WASTE makes an effort to prevent information leakage. WASTE sends all traffic through the same encrypted link(s), and does not (by default) bring up or drop connections in response to any user actions. WASTE messages are sent completely inside an encrypted channel, so a snooping party would have a VERY difficult time determining what kind of traffic is being sent across a link, or where the traffic originated from, or where the traffic was headed to. And because there may be redundant paths in the network, and traffic is load balanced across those paths, it further complicates things.

In addition, WASTE has an optional saturation feature, in which connections can be saturated to a particular rate (with random data, if necessary), so that a snooping party cannot see how much real data is being moved.

How WASTE Exchanges Keys Between Trusted Hosts

In order for two WASTE hosts to connect to each other, they need to know each other’s public keys. This can happen two ways. The first way, which is how you would initially connect to a WASTE network, is by manually exchanging public keys. This is clunky, and generally a PITA.

Once a WASTE host is on a WASTE network, however, it can (and is by default) be configured to automatically exchange public keys with other hosts on the network. This happens through the secure links of the network.

The main drawback to this is that it is very difficult to remove a key from the network. Each node on the network that that person could potentially connect to has to remove the key. This may be addressed in a future version.
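The link encryption described in the quoted WASTE documentation above (PCBC chaining, a different IV for each direction, an MD5 check on every message) can be illustrated with the following added Python example, which is not code from WASTE or from the original article. The 64-bit Feistel cipher is a stand-in for Blowfish, and the frame layout and the use of one IV per frame are assumptions made for the example.

```python
import hashlib

BLOCK = 8  # Blowfish's block size in bytes

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, i, half):
    # Round function of the stand-in cipher below.
    return hashlib.sha256(key + bytes([i]) + half).digest()[:4]

def block_encrypt(key, block):
    # Stand-in 64-bit Feistel cipher so the example needs no Blowfish library.
    l, r = block[:4], block[4:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r

def block_decrypt(key, block):
    l, r = block[:4], block[4:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r

def pcbc(key, iv, data, decrypt=False):
    # PCBC: each block is chained with plaintext XOR ciphertext of the previous one.
    chain, out = iv, b""
    for i in range(0, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        if decrypt:
            p, c = _xor(block_decrypt(key, blk), chain), blk
        else:
            p, c = blk, block_encrypt(key, _xor(blk, chain))
        out += p if decrypt else c
        chain = _xor(p, c)
    return out

def seal(key, iv, payload):
    # Constructed framing (assumption): MD5 digest, 2-byte length, payload, zero padding.
    body = len(payload).to_bytes(2, "big") + payload
    body += b"\0" * (-len(body) % BLOCK)
    return pcbc(key, iv, hashlib.md5(body).digest() + body)

def unseal(key, iv, frame):
    plain = pcbc(key, iv, frame, decrypt=True)
    digest, body = plain[:16], plain[16:]
    if hashlib.md5(body).digest() != digest:
        return None  # corrupted, tampered, or wrong key/IV
    return body[2:2 + int.from_bytes(body[:2], "big")]
```

Because the chain value mixes plaintext and ciphertext, a changed ciphertext block garbles that block and every block after it, and the digest check then rejects the whole message. This protects each link only; a node that holds the link key still sees and can re-seal the plaintext, which is the reason the documentation gives for requiring a trusted group.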

Big Fly Net says it’s, “made up of several bloggers with a general interest in the Web, coding, security and privacy in the digital age, computer games, and dabbling with electronics (among other things).

“Some might call that ‘hacking related’ - which is fine, as long as you understand that real hackers do not engage in criminal activity.

“Hackers make things, or make things work better … they don’t break things and they don’t steal.”

Stay tuned?

Not only but also, what’s Frankel up to these days?

Jon Newton - p2pnet


One Response to “Time to WASTE?”

  1. mike Says:

    Last I heard, Frankel was working on a line of guitar FX pedals - he seems to be a brilliant guy but maybe that doesn’t always imply a long attention span. So is WASTE abandonware? It’s hard to say. How do you distinguish between an invisible success and an invisible failure? Maybe the internet’s full of happy WASTE users, privately chatting and sharing files in groups of ten to fifty, and we just haven’t been invited to the party. But somehow I doubt it - people talk, and even if we weren’t invited to the party I think we’d know there was a party going on.

    But even if WASTE hasn’t conquered the world it isn’t completely dead. It looks like someone’s still maintaining the code, and there’s at least one public network (maybe two) where you can try out the software with a group of strangers - not quite what WASTE was designed for, but maybe it will encourage a few people to start their own networks. And if it works as intended, we’ll never know. ;)
