P2P File Sharing 102: the REAL nitty gritty
p2pnet news view Freedom | P2P:- Continuing from my previous article, P2P and File Sharing 101, let’s choose a file sharing protocol by what it does, or can do, and not by who makes it.
There are alot of them out there now, and I’ve diverged from this avenue by the development of a ‘proprietary’ platform. Building your own tool is more for the power users to investigate, but not an impossible task. In choosing a protocol, you should ensure it does the following;
»»» Is it a closed loop system? By this I mean it can’t have open access just any asshat can connect to with freely available tools. There should be some function of ‘logging’ in. Unfortunately, most of these tools expose your IP address, so only use these safely.
»»» More importantly, does it use encryption!? AES 256 is sufficient, but if you can find SHA 512 all the better. If you’re a power user, build your own from open source.
»»» Another good ‘do’ that’s not directly related to file sharing safety (but, well, I guess it is) is: Do you use encryption at all? Locally? Now I know alot of this sounds all cloak and dagger, but this is serious. Do you tweet with a profile that contains all your ‘IRL’ info? Or do you PGP your e-mails? There’s a level of tolerance that needs to be observed. Just nonchalantly dancing your way around the internet isn’t the smartest thing to do. Stomping around the internet with muddy boots that lead directly back to you is just insane, IMHO.
The MAFIAA is only suing the low hanging fruit …
If you’re not outraged, you’re not paying attention
I’ve always been a proponent of watching my enemy, his bobs, his weaves. For the longest time the NSA was the ‘defacto’ hit squad when it came to cybercrime, taken over when the OSI died out.
Now with the ‘Department of Homeland Security -’preserving our freedoms!!’ with a get-out-of-jail-free-to-fuck-anyone card, and Canada adopting the we-dont-need-no-stinkin-warrants approach to your personal data, I’d pay attention.
I mean cmon, a UK couple arrested for using FaceBook? South Carolina Sheriff wanted to arrest Michael Phelps for a picture on FaceBook?
Is anyone out there listening? Hello?
These things are bad m’kay.
»»» Here’s a list of clients you don’t use:
- Ares Galaxy
- eMule
- Azureus
- DC++
- Shareaza
- Burst!
- ABC
- Freenet
- MLDonkey
- Kceasy
If you have one or more of these installed, you’re beyond help and should stop reading this article now. Either throw your computer away, or go get your kids to show you how to uninstall it and nuke your OS.
What you should be using is
»»» usenet - duh. Everything you ever wanted is there. Everything. It’s the basis for all file-sharing since its debut by Tom and Jim in ‘79. It is also the ONLY place CP can be found anymore. It’s also the leverage the MAFIAA is using to block access to it.
»»» FTP – double duh. I know these are primitive protocols, but they’re what work best. Protocols that leave very few ‘footsteps’ are ideal to ensure you’re anon online. There are a zillion hosts that’ll let you host files like RapidShare. Give your buddies access and use Gopher or something that encrypts. Starting to get the idea?
»»» Haxial: KDX - While I don’t endorse these skr3ptkiddies, they do offer a training-wheels-client/server for the novice. Adam Hinkley originally wrote Hotline and ‘ended up’ on the wrong end of the stick, and then KDX was born. Same back end, pretty front end. I think when Adam sold out, he built a back-door into it. We never confirmed it because by and large we don’t use it. It works.
»»» First Class - Only for the power user. The underground uses this extensively. It’s a business tool that’s very high end, and not for the novice. It’s not listed as a file sharing tool, and was never designed as such. BUT – it can be used for many things. Primarily used by schools and businesses to collaborate, it has a sync gate function that’s unbelievable. [We] only have hacks for FC 7 prior to it being bought by Open Text. I’ve been out of touch for some time, but I think everyone stopped at 7. It’s very hard to hack, only for the power users.
On a side note of FTP, at one time Apple had free iDrive which allowed anon users to get hdd space for free.
In early 2001, Apple hosted the largest percentage of copyrighted material, rated around 78%, of all that was available at the time.
Irony? I don’t think so. I think it’s that we stay ahead of the curve.
Aaargh matey.
Free TPB!
- surfer, your friendly neighborhood pirate – p2pnet
February , 2009
Use free p2pnet newsfeeds for your site. It`s really easy!
Subscribe to p2pnet.net | | rss feed: http://p2pnet.net/p2p.rss | | Mobile – http://p2pnet.net/index-wml.php
Net access blocked by government restrictions? Use Psiphon from the Citizen Lab at the University of Toronto. Go here for details.
February 24th, 2009 at 3:09 pm
This kind of feature and other original P2PNet stories are why I and a lot of other people here in Europe keep coming back.
Well done Surfer! It is good to see something honest written by someone who really knows what he is talking about!
February 24th, 2009 at 3:26 pm
Surfer:
0) How do you best employ encryption? across entire HDD? Specific files? Harddrive Sector? HDD block (usually 512B)? Usability is important, so is performance hindered via the use of encryption?
1) How do you use PGP on something like Yahoo Mail or GMail? What if you are using the web client and NOT the client that comes with your OS (Evolution or Windows Mail or Mail from Apple)? /* Why would you not use a host email client? Easy, if you’re used to formatting your Windows partition every 6-9 months for 7 years, you would lose your emails unless you kept them backed up on the web server hosted by GMail or Yahoo Mail or whatever */
2) What if you do not engage in file sharing, use an OS-based firewall (monitoring software ports), and have the firewall in your router enabled(even if it is owned by your ISP)?
3) Just how smart are these USAF hackers? Do they really have the ability to hack into any computer, any OS, at any security level, through any firewall (ie: Sandstorm)?
4) Would DPI be actually able to decipher your AES128/256 or SHA-512 or Elliptic Curves 512 encryption scheme and what impact would the encryption/decryption process on your host system or file transfer performance?
February 24th, 2009 at 4:22 pm
0) Imagine how you would feel when the ‘thought police’ kicks in your door and you don’t have time to get your computing habits in order. As for encryption, the more the better.
1) Who keeps emails for 7 years ?!?!. Dude, archive shit. PGP will encrypt the entire message and can be de-crypted with your public key. Just control your public key, or generate a new one.
2) If you don’t own your equipment, you don’t own any privacy, period. It would scare you what ISPs currently monitor, much less what they are going to do.
3) LMAO.. USAF Hackers, heheheh, snort. Its the guys that got busted for hacking that currently work for the DHS that I would worry about.
4) DPI couldn’t tell jack shit about an encrypted stream. Shows as garbage, they can only monitor how much of it. (filesize).
stw
February 24th, 2009 at 7:03 pm
@ surfer:
I love it when you talk dirty. heh
Cheers!
February 24th, 2009 at 7:28 pm
FTP – BY way of knowledge USE Sftp
usenet given
add utorrent in there as we do not want to patronize hte enemy by using htere tools either
Here is a neat thing to do.
get a server , install file zill ftp server
, then install rtorrent( with ssl),
change limits.conf to handle large file sets.
install encrypted remote desktop tools and server locally and remote.
Notice “encrypted”
then you get a hacker to give you a linux log wiper for your Server
have it run as a cron ( this is an automated process that will run via a script at certain times , and is one reason linux is far more powerful then windows) job as you wish.
then get pgp desktop and encrypt everything while not in use
create a custom instant messenger that has SSL direct person to person chat ability.
go get a outsource audio chat server make it so that you cna encrypt along at either ends via SSL again.
hand keys out to who ever as best you can without internet if possible.
double firewall yourself
if you need windows place it on top of vmware
BTW on top of that pgp desktop encryption use another one and don’t tell no one which.
Double encryption = literally UNCRACKABLE.
If you can design things make a client for YOUR trackers site and make it so ips can only be seen by admins and mods.
Lot less to worry about when its a handful a people isn’t it. Then have them ban all other clients, and make it so a periodic update is required to change the programs headers so as to prevent some one pretending to be that client and data mining.
In irc chats connect via SSL , make sure your client can also encrypt on its own and that all people are able to do same, all it takes is one arse and its all for nothing.
So who am i. I am retired scene, yes that’s right and ive been doing the above for last 8 years, haha its all just routine now.
if everyone did all this, the court cases would be extremely hard to happen.
February 24th, 2009 at 7:33 pm
and you’d be surprised how long an ISP in canada is actually keeping records too. They are waiitng for hte laws to change and use those records against a lot of you.
and if you have ever seen a nasa encrypted file you know what encryption is about.
Mkaes ya wonder why space shits need to be encrypted…..
OH YA one other tip
NEVER …I REPEAT NEVER GOTO GOVERNMENT WEBSITES
they log that ip and you will be visited and scanned
February 24th, 2009 at 7:35 pm
ENCRYPT IT ALL @reader
also when deleting use the military grade delete …twice
lets just say when that happens and because a that hackers actually have 7GB of DRM development by the top 30 companies with some shoe company at its core.
haha
ya boot time
February 24th, 2009 at 8:37 pm
chronoss, Shhhh.
February 24th, 2009 at 9:38 pm
‘who said I was paranoid? and why do they want to know?’
February 24th, 2009 at 9:59 pm
K, So i’m not Linux litterate here. Windblows is what i’m stuck with, and i do what i can.
I own my modem, and ive got a router i’m not using right ATM, so im wondering if sticking that
in-line with the modem will get me a bit more security???
I will take any advice (good or bad) that you guys can offer!!
stw:)
February 24th, 2009 at 10:47 pm
sticking it in-line will get you more security. readup on no-brainer items to block shit like :43 telnet. comcast still has some switches with port 43 open, and we hijack class c IPs all day long. talk about spoofing.
stw
February 24th, 2009 at 11:08 pm
Not to be a downer but with all you guys have described can you actually use your desktop or laptop? What can you actually do? Are you able to play games? Research for your wedding? Are you able to job search, as some sites are government sites? What about figuring out what procedures you require for filing your income tax online or finding out the nearest MTO (Ministry of Transportation Ontario) or…
The easiest and truly safest way is to… disconnect yourself from the web! Nothing can hack you now! Turn off all blue-tooth, wireless, and infrared hardware.
Your computer is now 100% secure.
On a more serious note, what are you trying to protect that you need to lock your system down like it were Fort Knox? If the government wanted to know more about you, they’d get to you one way or another; your bank, unless you’re paid in cash and you keep it under the mattress, your friends, your family, your shopping habits, your eating habits, what you borrow from the library, what videos you rent (if you do) or movies you see (if you do), etc…
And believe me, if the government wanted to find out about you and they knew you were a computer nut who would definitely lock your system down as if you were NASA, they’d find another way to watch you.
February 24th, 2009 at 11:37 pm
you are making assumptions that are not from educated reasoning Robert. I am pretty from-the-hip and I tend to tell it like it is. But, honestly, I think your overview of encryption is blased, and indifferent. You are typical statistics that we call ’sheeple’. One of the masses. You don’t encrypt to ’save your ass’ you encrypt as an accepted step of the process. (Research show that you do a, b and c. et al) Am I not explaining myself correctly? u wanna stomp around in dirtboots, go right ahead. be my guest, you are then, by default, hanging fruit.
Its not overkill to control your own private information, you should always exercise your right to control your information. You should control its use.
‘Just cause I read it somewhere’ doesn’t wash on P2Pnet, we are informed here.
http://www.letmegooglethatforyou.com
February 24th, 2009 at 11:48 pm
‘I love it when you talk dirty. heh’
Jon writes so much better than I do. I forget the colorful language I use to get my point across.
thanks Paulus for sticking in there, tell your friends..
thanks Jon, its just my style…
consider this article an editorial/blog/comments/editorial/doodad
stw
February 25th, 2009 at 12:12 am
Surfer,
I don’t think you know me well enough to call me one of the masses.
You do not have control of your information is my point. You never will.
Did my professor (Founder of Certicom) lie when he said that 90% of the security effort of a corporation is to block people from coming in, but 90% of the theft occurs from within the system and without the use of technology. If I wanted your financial/health/employment information I don’t need to hack your system to get it. I know you realize that.
And no, to me you are not explaining yourself very well. I find your answers quite difficult to understand, it is as if you’re speaking with encryption or intentionally being elusive. I am not referring to PGP or any technical terms either.
I’ve spoken with a few experts in the field who’s job is to protect the corporate network (no, not BestBuy, CWCEC for example) and they explained statistically, even just a firewall, regular updates to security patches, router firewalls, etc.. would keep most hackers away. What I found most interesting was that it was not worth the investigative effort to try to hack your system, for whatever reason, as they could easily acquire the information through the sources (banks, health records, library, etc…).
NOTE: By referring to the experts I am NOT assuming I am one of them or they know more than you or any other interpretation to promote a sarcastic comment.
Surfer, when you are answering questions, it seems like you’re making a lot of assumptions about what people do/don’t do rather than ask them first and then you treat them as such, which is often belittling and condescending. Perhaps that is your nature and that’s OK, I’ll keep that in mind in the future. But unfortunately, I don’t know if I want to ask you any more questions.
I also don’t follow ” ‘Just cause I read it somewhere’ doesn’t wash on P2Pnet, we are informed here.” Where did I imply that? I am simply asking for clarifications and when I ask “will this not lock your system down to the point where you can’t use it” does NOT mean I am criticizing your efforts! It seems you took it that way. Those are legitimate questions, not loaded questions or “please, I’m cocky, chew me up and spit me out” questions.
The comment about disconnecting from the web was an attempt to express humour. The rest about the government using other ways to find out about you… do you believe this is false in theory and not executed in practice? I am asking legitimately, no sarcasm.
Basically, Surfer, there are ways of illustrating to someone they are misinformed that is helpful and non-confrontational, and I am struggling to find that in your responses.
February 25th, 2009 at 7:58 am
well, then I apologize Robert. I am condescending that way, I jump to the conclusion that most of the people on the internet have no clue and we call them sheeple, no offense meant.
If I am being cryptic in my responses, it is mainly because I write articles here, and answering your questions, each one could be an article itself. So instead of posting an article sized response, in the future, I will address each of your questions and write an article about it. Remember, when I post, it is for everyone to read, not just as a response to your questions, so I make general comments to the masses, nothing personal.
hth
stw
February 25th, 2009 at 8:05 am
if you are honestly interested in my opinion, most arent
. Then I will make a concerted effort to distinguish your posts with authentic answers in the future, and add you to my list of non-sheeple, concerned, internet users, that I won’t condescend to.
hthm
stw
February 25th, 2009 at 9:53 am
‘0) How do you best employ encryption? across entire HDD? Specific files? Harddrive Sector? HDD block (usually 512B)? Usability is important, so is performance hindered via the use of encryption?’
I will try and do one at a time, you asked alot of questions.
I use macs, so what I describe should be translated into whatever platform you use. I encrypt entire drives, especially the ones that I use for the server. Macs have a built-in utility that encrypts the entire drive, and demands a password to mount the device on startup. There is no impediment to performance using this feature. I encrypt them @ AES 256, solely for that this level of encryption is sufficient for my needs and cannot be readily hacked or bypassed in any known fashion. This eliminates the need to selectively encrypt this or that, while omitting files/folders for whatever reason. This policy covers everything. Simply unplugging the machine or hdd will reset the device and then demand password to re-mount it. For sensitive e-mails that I don’t want intercepted, or read by 3rd parties, I use PGP. I also use several free web based email accounts to bounce/forward from one to the other to obscure the source IP it was sent from. An email contains what is known as a ‘header’, this has information on the protocol used to send the message, the IP it was sent from, and the mail server IP that received it. Typically, this information contains the ‘last’ bounce, and does not contain a trail from whence it came. So using two emails, one as an intermediary to forward incoming and outgoing emails is sufficient to remove any footprints left behind, and with the body of the message encrypted using PGP, it makes it just that much harder to eavesdrop. The DHS is using terrorism as an excuse to basically spy on anyone they want, in the name of national security. I do not like this, therefore I go out of my way to take steps to foil these asshats.
February 25th, 2009 at 9:59 am
the above is me, sorry, I forgot to ’sign in’.
February 25th, 2009 at 10:31 am
@Surfer:
WOW! That really does explain a lot. I too use a Mac (2.16 GHz MBP). It was the first step towards a home audio studio (I will use external eSATA II Oxford 912 chipset FireWire 800 interface with Hitachi SATA II HDD’s). I was reading up on the FileVault and the only problem someone had was that if a sector of your HDD becomes corrupt, you lose everything, as opposed to just the file associated with that sector. So I guess the solution to that would be to decrypt and back it up semi-frequently. Unfortunately, I don’t file share with this machine; I don’t file share at all anymore. When I am ready to do that it will be with my own music. At which point the double encryption on an older laptop method will be used. I have other intentions but I can’t publicly post them, we know the **AA reads these.
Very soon there will be a standard on HDD encryption from the FW on the drive. I wasn’t fully in the loop on that at my previous employer (they design systems on a chip and the one I worked on was for SCSI RAID Controller with encryption) but there’s an article on it here:
http://arstechnica.com/hardware/news/2009/01/hard-drive-manufacturers-unveil-disk-encryption-standard.ars
One interesting component of the article I like is the claim that your property will be less valuable, even hardware, because it wont’ be usable. The HDD simply will not work, even when removed in an attempt
Typically emails don’t contain a trail of IP’s? So much like IP Packets then? I haven’t read up on email protocols, just TCP/UDP/ICMP. I’ll have to find another email client, as a mediary. With PGP though I’ll need to send out my Public Key for family who are anything but tech savvy to be able to read my emails. (They STILL ask how to dub VCR to VCR or how to use the universal remote to watch a DVD). Hopefully that won’t be an issue. And you’re write, “Who keeps emails for 7yrs” I guess I don’t need to. I’ve backed some up before and… not once have I really needed to view them.
Again, WOW and thank you for the info. I will keep the questions to a minimum. You answered quite a few with that paragraph.
February 25th, 2009 at 11:25 am
‘2) What if you do not engage in file sharing, use an OS-based firewall (monitoring software ports), and have the firewall in your router enabled(even if it is owned by your ISP)?’
This is not bad. I would put heavy emphasis on owning your own router. This will work as a port forwarding, firewall and DHCP client all in one. Be sure and block UDP. If you are ONLY using the hardware provided by your ISP, then this leaves you open to all kinds of monitoring. I have heard reports of ISPs ‘pinging’ your ‘modem’ some 200x/sec. Your ISP uses UDP to typically assign you a dynamic IP, or ‘chat’ with the hardware, this is one required function, and one invasive function. Because it is their equipment, they can legally do anything with it and not tell you, so who knows what they are looking for when they ping your device some 200x/sec, block UDP and this stops.
because you are on a mac, you already have superior defenses against the pc tools of the world, but I would still suggest using the built-in firewall for incoming filtration, a router against ping floods and ddos attempts (remember all the bots and worms out there think your machine is a pc), and get yourself LittleSnitch to foil outgoing connections from software that ‘phones home’.
stw
February 25th, 2009 at 11:26 am
oh, and FileVault is HIGHLY recommended by all factions of the underground. top notch tool, 5 stars.