I got a Cease & Desist Letter!
 

Did you get a Cease & Desist letter? Want to know what to do if you get one?
The EFF put together a new site "ChillingEffects.org" at
http://www.chillingeffects.org/

"The Chilling Effects project works by publishing cease-and-desist letters received by Internet
users and providing detailed information about the relevant legal rules. For example, if an
Internet user receives a letter demanding that she remove a synopsis of a "Star Trek" episode
from her website, members of the Chilling Effects team would post the letter online, embedding
it with links to information about basic copyright protections, the rules governing synopses, and
the fair use doctrine.

"EFF receives hundreds of requests for help and information from recipients of
cease-and-desist letters," said EFF Legal Director Cindy Cohn. "This project should help
individuals gain access to greatly needed information as well as allow us to track who is sending
these letters and research larger trends."

(you should make this sticky or at least add the link to your sites)

Great idea, but unfortunately the site doesn't exist. Maybe they were asked to 'cease and desist'.

The site works for me

This one could use a sticky, Morgwen :) It'll help people understand their rights and the legal mumbo-jumbo. For instance, take this Q and A from a C&D letter (found at http://www.chillingeffects.org/prote...gi?NoticeID=95):

paste it in here with any info you deem necessary deleted :)

Ok!

But if CycloCide beats me now its your fault! :)

Morgwen

I dont' find the site amazingly helful. It posts explanations of terms to some degree, but it doesn't really conclude anything about individual letters. Interesting site though.

I got a Copyright Violation Notice from MPAA/BSA for File Sharing on Gnutella and Fas
 

I got a Copyright Violation Notice from MPAA/BSA for File Sharing on Gnutella and FastTrack!

Summary:
People are getting Copyright Violation Notices from the Business Software Alliance (BSA) and Motion Picture Association of America (MPAA) via their ISPs saying they have broken the Digital Millenium Copyright Act (DMCA) and Copyright Act for File sharing over the Gnutella and FastTrack peer to peer networks as well as IRC and others. At least 17,000 incidents have been recorded. They have the IP address, time of transfer, file name index, file sizes, protocol and program names as evidence.

Digital Millenium Copyright Act (DMCA), Title 17 United States Code Section 512.
Copyright Act, Title 17 United States Code Section 106(3).

Here's some more info I found reading the DMCA and searching with queries like
WIPO WTO DMCA TRIPS MPAA BSA ISP OSP Gnutella FastTrack etc.

Did the ISPs violate privacy rights?
No. They forwarded the notice and didn't share my E-mail or home address.
The MPAA or BSA can subpoena my contact info and the ISP must comply but the info can only be used for the Copyright Case.

Did the MPAA or BSA violate privacy rights?
No. My IP and file index were offered by me to the Public p2p net.

Do they have to prove I don't own the material in question?
No. Distributing copyrighted material is illegal even if you own it.

Do they have to prove that I shared copyrighted material?
Yes. Just the filename and size should not be enough to prove the material was actually copyrighted and not just named like it. For example I had a movie with the words "is FAKE" added to it, but it was still included in the violation list.
I don't know if they had a sample of the file contents. The collection methods from RangerInc are secret.

Are users who aren't doing massive transfers going to face this?
Yes. It is bots collecting this data, so there will be no "flying under the radar"
Because bots are cheap and easy and will lower the horizon of the radar to the ground.

Will this kind of thing happen in other countries?
Yes. This is happening in Canada and the US right now. Also there is a global agreement on Intellectual Property which is enforced by the World Trade Organization and overrides all WTO countries laws. The DMCA is how the USA is complying with this treaty. The EU and Russia are working on their versions of these laws right now.

What are the penalties?
Your ISP can cut off your service before proving anything. Just "good faith" by MPAA or BSA is enough. If your ISP doesn't cut you off they lose their "common carrier" immunity from liability. Qwest and @Home ISPs are two that are taking part. If you are found guilty the penalties are upt to $500,000 and ten years in prison. If you choose to challenge the notice then you MUST agree to be under US Federal jurisdiction, even if you live in another country.

Here's more info and some links ...

The Information is gathered by RangerInc Corporations bots.
They were hired by the MPAA and BSA.
The bots have been running since April of 2002.
http://www.rangerinc.com/solution/solution_main.htm

Reverse lookup on www.rangerinc.com/
shows
I.P. 216.122.215.13

An arin whois query from http://ws.arin.net/cgi-bin/whois.pl
on 216.122.215.13 to find out who actually owns it
shows
LightRealm Communications (NETBLK-LR-BLK4) LR-BLK4
216.122.0.0 - 216.122.255.255
HostPro, Inc (NETBLK-HSTPROSEA-NETBLK204) HSTPROSEA-NETBLK204
216.122.204.0 - 216.122.223.255

If your client for Gnutella FastTrack IRC etc allows you to filter hosts then add
216.122.*.*
to your block list.
That should stop them from connecting unless they change hosts
providing the bots run from that IP range and don't spoof their address when connecting to your client.

Here are some more links.

Another customer cut-off
http://www.ekosweb.com/wipout/essays/0904guha.htm

OSP requirements (take-down) or be liable
http://www.arl.org/info/frn/copy/osp.html

More info for those who have been notified or want to learn more.
http://www.chillingeffects.org/dmca512/faq.cgi#QID132

Also please check out
http://www.eff.org
http://www.anti-dmca.org
http://www.macfergus.com/niels/dmca/index.html

I'm dial-up 56K now. But when I get broadband again I'm going to drop Gnutella and only use encrypting and anonymizing apps like Filetopia http://www.filetopia.org and FreeNet http://freenetproject.org

If they are relying on bots there are two possible way to fix it.

1. Jam the bots.
2. Make source untraceable.

Any ideas for how either could be achieved?

1.) Find out where they are located, tell the USA that "terrorists" are camped there, sit back and watch the bombs drop ;)

2.) That would require proxies which is in no way efficient or entirely untraceable. (Unless someone comes up with another method.)

BearShare 3.0.0 has a Secure Channels feature that makes it impossible for companies to snoop on your shared files and cause exactly this kind of problem (among other things).

Wow
 

Hey Vinnie, that sounds amazing! Where can I get more info about these Secure Channels?

Re: Wow
 

was that sarcasm?

no it was not. honestly! sorry i'm not a frequent visitor of bearshare.net, any links to more specific information about that feature would be greatly appreciated.

Secure Channels: Disappointed.
 

This is not quite what I've expected.

First, it's not a technical solution but a legal one. whatever authorization methods are used, I'm sure they can be circumvented. the authorization handshake can be logged, if there's a digital key inside the servent it can be extracted, and will sooner or later.

Second, it only works because bearshare uses closed code. this is no offense against closed source products, but i'm sorry that it is not a possible solution for open source servents.

Third: You can choose to receive all query replies, downloads and uploads only from other BearShare clients?? did i understand that correctly??? the word blackhole is known to you, isn't it??? man, you're really provoking the next flamewar...the only reason why those anti-clustering folks are silent now is because they were told that clustering is not a bad thing as long as the servents respond to queries from outside the cluster...if this feature was enabled by all of your users gnutella would be only one last tiny step away from a private bearshare network: stop connecting the cluster to the gnutella environment, for it is not interested in their messages anyway...i took it for mere conspiration theory, but i get the impression that you are really moving in that direction, one step with every major release. do you want that? i thought you didn't...

Re: Secure Channels: Disappointed.
 

I really don't want that, but I don't see an alternative. If you look at LimeWire's host graph, there has been a sharp increase in the rate of decline of the network size. It started about 3 weeks ago, and it coincides with reports of an increase in fake query hits and download troubles.

There was also a recent paper that shows that all it takes is a small decimation of a population in order to cause a catastrophe. In Gnutella's case, targeting less than 1% of the high-volume servents sharing files can cause a mass exodus of users from the network.

Therefore, the choice is in the hands of the users.

Notice that FastTrack, AudioGalaxy, iMesh, et. al. all have proprietary networks and they have the highest download success rate and best search results.

And no, Secure Channels authentication features are not vulnerable to a replay attack.

And even if they break the key, we have facilities for rotating the key schedule from an external source using special messages which are digitally signed. The method used to rotate the key schedule is such that a client has no knowledge of the "next" key in the rotation until a piece of a secret share (Shamir's secret sharing algorithm) is retrieved.

Besides, reverse engineering is a violation of the DMCA, and no legitimate company that receives venture capital would dare to do such a thing - they have too much to lose.

Comments welcome.

Re: Secure Channels: Disappointed.
 

I was silent because nobody did really care (especially developers which gave me a troll rating), not that I was convinced clustering from those commercial vendors has a non-harming effect on Gnutella. I see Bearshare's politics getting worse and the marketing "arguments" more ridiculous.

PS: Reverse engineering is not forbidden in Europe.

Re: Re: Secure Channels: Disappointed.
 

But its forbidden in the EULA.

For e.g. german law (european law too?) an EULA on install time does not care, it's void. I'm no lawyer, at least it can not limit basic rights, free speech or reverse engineering are some.

Btw, for an application that mainly is used to copy/hurt DMCA protected material, an EULA building on DMCA is a funny thingie. ;) Oops, I shouldn't have mentioned this....

Re: Secure Channels: Disappointed.
 

I said ONLY time will tell who is right... now I see I was right, after Vinnie confirmed his future split!

@ Vinnie

And now what next? Will you use Gnutella as a leeching pool, or will you be "fair" and leave the net?

Morgwen

Re: Re: Secure Channels: Disappointed.
 

Yes,

the most of the other developers don´t visit bearshare.net I ask me why? Do they really don´t care? Or are they really fearing a possible split?

Btw, not only you get a TROLL status, but I don´t care what Vinnie and some of his knights say, the most people are with us but they are to lazy to fight!

This sucks!

Morgwen

Re: Re: Secure Channels: Disappointed.
 

It doesn't have to be. Since there are gnutella nodes located in the U.S. you can sue an entity that reversely engineered an authentication handshake in the U.S. although the entity might originally be located in Europe.

Re: Re: Re: Secure Channels: Disappointed.
 

In any event, reverse engineering or not, there are plenty of landmines and obfuscation techniques that will buy us many months of time before the security is compromised (even if it is illegally compromised).

There are encrypted portions of code which will be in the final release that aren't even going to get used for quite some time, we will be activating these additional security methods as the existing ones get broken.

True, even these additional hidden techniques will eventually be broken, but I have planned for that, instead of assuming that the protection methods are unstoppable.

Fortunately, with peer to peer software, frequent updates ensure that we will be able to combat the evils of corporate hacking as they appear.

Re: Re: Secure Channels: Disappointed.
 

Eh? Is Morpheus being "fair" by releasing millions of buggy servents?

Probably not, but you complaining about it isn't likely to change anything.

Re: Re: Re: Secure Channels: Disappointed.
 

good point... against bearshare

Re: Re: Re: Secure Channels: Disappointed.
 

Its nice that you show your true face... the next time one of your knights will tell me something about fair competition will see a link to this thread here!

And don´t point to Morpheus, you are not a better guy because some other are bad too...

And I hope that some people wake up know!

Morgwen

Re: Re: Re: Re: Secure Channels: Disappointed.
 

Alright im upgraded to "knight" They are better looking, get armor and a nice sword, a stead and all the wenches they want so i cant complain..

Fair competition why dont you do gnutella and p2p a favor and explain that to the trade groups!

They are the ones who are trying to get rid of P2P by hiring firms to monitor and spam gnutella, send automated notices to users to weaken and eventually shut down the network. Making security related features needed in the first place. They are the ones who are continuing to sure programs and are now trying various ways through legislation to stop P2P. While this is happening how can there be fair competition when someone else is trying to destroy you can the competition?

Should they be allowed to send fake data, target users and target users? No of course not but how do you prevent it without losing the "open network" if it truely is a open network shouldnt they also be entitiled to know about whatever security plan is implemented to stop them or have it be compromised? That is the million dollar question..

Re: Re: Re: Re: Re: Secure Channels: Disappointed.
 

Yes of course and now ALL developers should fight also instead of solving the problems together...

Ah I forget Vinnie need some features that others don´t have, he has to sell his $19,95 client - and don´t tell me now anything about the Spyware version...

Do you think the open source clients, or the non-commercial clients will act this way?

What do you think will happen if Vinnie proceed this way? I think the commercial clients will start to block each other, this will destroy the Gnutella net, nice future!

Vinnie has proven here that he don´t want to work with other developers together , he ONLY wants to earn money...

Morgwen

Re: Re: Re: Re: Re: Re: Secure Channels: Disappointed.
 

You mean the one where everything is opt-out?

While I admire open source, and while I firmly believe that BearShare will be open source in the not too distant future (after some rather challenging problems that have been pointed out get solved), it is unfortunate that open-source Gnutella servents have a critical vulnerability - they cannot implement secure security features.

Not to worry - if the situation gets out of control we will move the secured features to a second, parallel private Gnutella network and give users the option of operating on either one. The "regular" Gnutella network (open source, vulnerable to spammers) will be freely supported by our public.bearshare.net host cache, and the "secure" Gnutella network (read: proprietary BearShare network until we can figure out how to open it up without allowing it to be attacked) supported by a private anchor server which accepts no incoming connections and cannot be attacked.

Re: Re: Re: Re: Re: Re: Re: Secure Channels: Disappointed.
 

Of course ssh, SSL, PGP and all good commonly used secure protocols or hashs are available as open source.

So why security by obscurity? Instead of working on a better protocol, Bearshare tries (again) to get an advantage from proprietray extensions. Needless to say what's good for Bearshare isn't automatically good for Gnutella.

Re: Re: Re: Re: Re: Re: Re: Secure Channels: Disappointed.
 

Oh yes I expected this... the standard exuse...

They are checked by default right? And you know the most people install what is checked because they think they NEED these progs, and if you start now to tell me something that this is mentioned... you know exatly that the most people don´t read the terms, so you provide these Spyware crap to a large number of user...

And I have read your plans to FORCE the people to buy the PRO version:

http://www.bearshare.com/forum/showt...0&pagenumber=1

And now tell me why the people should use your advertising client, if they can better clients for free - like Gnucleus, Shareaza or soon Xolox!

This really sounds to me like you planed it well and for a long time, like I said it several times! So you want to leech from the Gnutella net as long as possible and if the net is destroyed you switch to your private net... Vinnie this sucks hard!

Morgwen

Bearshare is splitting Gnutella
 

to give it a name.

Re: Bearshare is splitting Gnutella
 

Zeropaid has it too:

BearShare Blocks other Gnutella Clients
After months of badmouthing and disadvantaging other clients here is it finally. From Bearshare.Net: "You can choose to receive all query replies, downloads and uploads only from other BearShare clients". In clear works again: Bearshare is splitting the network! Remember the words from hackmaster Dr. Damn: Be nice and play fair. Uninstall BearShare.

http://www.zeropaid.com/news/article.../06272002g.php

Skins for Gnotella 1.05
 

I have Gnotella 1.05 and can't find any skins or information on it, what happened to Gnotella and how come it is no longer supported?

Re: Re: Re: Re: Re: Re: Re: Re: Secure Channels: Disappointed.
 

And now tell me why the people should use your advertising client, if they can better clients for free - like Gnucleus, Shareaza or soon Xolox!

You shouldn't use anything, unless you want to; no one is forcing you. Like you said, their are other clients out there. Use the one you like and get on with your life (or get a life), instead of argueing about trivial things.

So you want to leech from the Gnutella net as long as possible and if the net is destroyed you switch to your private net...

BearShare can upload and connect to every other client, so it isn't leeching off of anything. The only difference is if the rest of gnutella dies, BearShare users would have something to fall back on.

Of course ssh, SSL, PGP and all good commonly used secure protocols or hashs are available as open source. So why security by obscurity?

Even though the source to generate the encrypted data is available (ssh, SSL, PGP), the encryption algorithms are soo strong that it would take a LONG time for anyone sniffing the traffic to figure out what the data is. By the time they could crack the encrypted data, the encryption system would probably be changed and they have to start all over. You would need the special key to decrypt the data immediately.

This is the problem faced on gnutella when using a key-pair (private/public key) system. If you have an open source client that contains the keys needed to decrypt/encrypt the data... anybody can take the source, rip the keys and then decrypt/encrypt whatever they want. This is where security through obscurity comes into play. If others don't know the keys, don't know how the security works... it will be hard for them to crack. Otherwise you just go on blocking hundreds of IPs, or develop a centralised control system. This is not good.

These secure channels aren't the best solution, nor are they an absolute form of protection... but it's something! Does anyone else (Morgwen, Moak) have a better (non-proprietary) solution that everyone could use? No? That's what I thought.

Re: Re: Re: Re: Re: Re: Re: Re: Re: Secure Channels: Disappointed.
 

"Security through obscurity" is a phrase being tossed around by those who don't really understand much of anything.

There is nothing obscure about the techniques that BearShare uses to digitally sign query hits or require challenge/response authentication in host connections - they are all built from sound, proven cryptographic primitives that are published and well documented.

If we were using obscurity, we would have made up our own cryptographic algorithm - this would be a poor choice.

So when you hear someone say "security through obscurity" in the context of BearShare, this is clear sign that they don't know what they are talking about.

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Secure Channels: Disappointed.
 

that's an obvious lie. Vinnie, we are not all unskilled users. Your encryption sheme is proprietray and undocumented, no other GDF member does use it. Commonly known as security through obscurity.

you need a little bit more then insulting or badmouthing open source software. Please read the thread on Zeropaid (link above). It explains why so called secure channels can not work, why it's a pure marketing gag.

I know Vinnie tries to give himself an übercoder attitude. He likes to talk about multithreading, completition ports and encryption. All sounds great for unskilled users but after a closer look it's marketing most times. The so called secure channels provide no security in real world, they split Gnutella.

LOL Vinnie, I'm sure any server without internet connection can get a great NSCA firewall certification. Oh wait I have a even better idea, switch off the server, it's totally secure then and can not be attacked.

Re: Bearshare is splitting Gnutella
 

yes, this is not even ONE solution, "secure channels" do not work! The Zeropaid thread explains why Vinnie's "secure channels" are an illusion.

I wonder what Vinnie has thought, if he did consult a lawyer before? I have the suspicion that "secure channels" have nothing to do with security, they are a secret attempt to split Gnutella into smaller proprietary network$.

Money not security.

Re: Re: Bearshare is splitting Gnutella
 

Actually, despite the various breaches possible with different encryption schemes that thread brought up none of them. The only thing relevant that was shown there was some **** anonymous poster jumping to the conclusion that everything was dependent on the EULA alone. Talk about insecurity :p



[No insults please]

insulting is low, moderators please have a look on it.

aww.. don't tell me you're the same "anonymous"? :p

Re: Re: Re: Re: Re: Re: Re: Re: Re: Secure Channels: Disappointed.
 

I am no developer... but I said that the developers should work together and find a solution for the Gnutella net. But Vinnie walks again alone and is splitting the net with his GREAT new features...

Morgwen

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Secure Channels: Disappointed.
 

I don't think any of us are happy about the split. And if anyone can give an idea how to apply security across gnutella as a whole I'm sure the developers would be all ears.

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Secure Channels: Disappointed.
 

You know security within the bearshare net and within the Gnutella net is an illusion, the developers should find the best way for the whole net...

what Vinnie is doing he uses the way he likes most but this is SURE not the best way...

About the split, what will happen next? Limewire and other commercial vendors will start to add similar features, this will kill the net... but Mr. Falco is prepared it seems like he is planning something like this...

He should be fair and leave the net if he thinks that Gnutella isn´t secure enough but he needs the Gnutella net as a leeching pool!

Mrgone there is no exuse for such actions...

Morgwen

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Secure Channels: Disappointed.
 

I don't think dismissing the potential for security on gnutella is necessarily going help anything. Even if it can't be worked out it's worth a shot. And just from the surface knowledge (read "underlying concepts") I have of encryption and validation techniques I do know there are ways to increase security dramatically in a proprietary system (such as bearshare's secure channels).

I'm doing the best I can to see if these concepts can be applied to something like gnutella without giving so much control to a governing body like the GDF that, given something like a court order, they could shut the network down (as could happen with revokable certificates).

It's a tough problem to tackle and I'm probably not going to be the one to solve it, but I'm not going to dismiss the possibility.

Um, Morg.. in one breath you just complained about the split and in the next you just advocated BearShare leaving Gnutella.. that's what the split is dude.

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Secure Channels: Disappointed.
 

No my problem is not the split, my problem is that he forces others to act like he want, or do you think the other developers will watch and say Ok we will be fair (especially the commercial ones)... and this will destroy the Gnutella net. So he should create his own net and he can make his own rules... but before he destroyed the Gnutella net!

Morgwen

i live in the uk, do i have to worry about this?

Re: Re: Re: Re: Secure Channels: Disappointed.
 

Damnit Vinnie, go get a lawyer and quit trying to do this legal stuff yourself.

Everyone is missing the big problem, we would have to depend on your ability to PROTECT YOUR EULA.

So I want to know, how many $$ did you put in a fund to protect all of us in a law suit against the RIAA enforcing your EULA? If they violate your EULA and you win against them, does that mean the copyright violation charges against one of us are dropped or do we still get fined and you walk away with a million in settlement?

Now if you put in several hundred thousand to protect us all, I would be happy to jump on the BearShare BandWagon and become a BearShare BrownNoser and even donate some $$ to the separate TRUST FUND managed by a neutral party.

What would actually hold up in court is if every BearShare node on the [now] separate BearShare Network had the ability to allow PASS THROUGH file transfer, and no one can tell if it's being used or not, so then you have no idea where the file originated, and can claim in court "that file could have come from anywhere, not just my node".
(for those of you who are about to post "that would slow down the network", don't bother posting and use the search button)

How do you justify that feature? Oppressed countries like China need it bad.

Go pass that by your lawyer after you get one that is, and all you who have (come with) this idea should too.

Why isn't file pass through working in this version of BearShare?

freenet-style transfers through multiple nodes are the future of filesharing [read: free exchange of data]. freenet, however, has a good number of issues that make it quite hard to use, and anyways, it was neither meant as a filesharing network nor is it mainly used as one. nevertheless gnutella could learn a lot of these secure transfers. would they slow down my downloads? certainly they would. but if i got the choice between speed and security, i would go for security.

the perfect P2P Network of the future would use gnutella's decentralized selfstructuring network model, error-tolerant information storage methods like kademlia and untraceable data transfers like those of freenet. ah yes, and public key cryptography because of them spooks that pay my isp to log all my traffic...arghs, i guess it's still a long way to go until we get there, but i have some hope left...

ps: Vinnie, good luck with your proprietary bearshare network, you're gonna need it...