P2P-Zone  

Peer-To-Peer News - The Week In Review - August 26th, ’23
Posted by JackSpratts, 25-08-23, 06:34 AM

Since 2002

"It’s like Tor and IPFS had sex and produced this thing." – Christien Rioux

August 26th, 2023




Veilid: A Secure Peer-to-Peer network for Apps that Flips off the Surveillance Economy

‘It’s like Tor and IPFS had sex and produced this thing’
Iain Thomson

DEF CON Infosec super-band the Cult of the Dead Cow has released Veilid (pronounced vay-lid), an open source project applications can use to connect up clients and transfer information in a peer-to-peer decentralized manner.

The idea being here that apps – mobile, desktop, web, and headless – can find and talk to each other across the internet privately and securely without having to go through centralized and often corporate-owned systems. Veilid provides code for app developers to drop into their software so that their clients can join and communicate in a peer-to-peer community.

In a DEF CON presentation today, Katelyn "medus4" Bowden and Christien "DilDog" Rioux ran through the technical details of the project, which has apparently taken three years to develop.

The system, written primarily in Rust with some Dart and Python, takes aspects of the Tor anonymizing service and the peer-to-peer InterPlanetary File System (IPFS). If an app on one device connects to an app on another via Veilid, it shouldn't be possible for either client to know the other's IP address or location from that connectivity, which is good for privacy, for instance. The app makers can't get that info, either.

Veilid's design is documented here, and its source code is here, available under the Mozilla Public License Version 2.0.

"IPFS was not designed with privacy in mind," Rioux told the DEF CON crowd. "Tor was, but it wasn't built with performance in mind. And when the NSA runs 100 [Tor] exit nodes, it can fail."

Unlike Tor, Veilid doesn't run exit nodes. Each node in the Veilid network is equal, and if the NSA wanted to snoop on Veilid users like it does on Tor users, the Feds would have to monitor the entire network, which hopefully won't be feasible, even for the No Such Agency. Rioux described it as "like Tor and IPFS had sex and produced this thing."

"The possibilities here are endless," added Bowden. "All apps are equal, we're only as strong as the weakest node and every node is equal. We hope everyone will build on it."

Each copy of an app using the core Veilid library acts as a network node, it can communicate with other nodes, and uses a 256-bit public key as an ID number. There are no special nodes, and there's no single point of failure. The project supports Linux, macOS, Windows, Android, iOS, and web apps.

Veilid can talk over UDP and TCP, and connections are authenticated, timestamped, strongly end-to-end encrypted, and digitally signed to prevent eavesdropping, tampering, and impersonation. The cryptography involved has been dubbed VLD0, and uses established algorithms since the project didn't want to risk introducing weaknesses from "rolling its own," Rioux said.

This means XChaCha20-Poly1305 for encryption, Elliptic curve25519 for public-private-key authentication and signing, x25519 for DH key exchange, BLAKE3 for cryptographic hashing, and Argon2 for password hash generation. These could be switched out for stronger mechanisms if necessary in future.

Files written to local storage by Veilid are fully encrypted, and encrypted table store APIs are available for developers. Keys for encrypting device data can be password protected.

"The system means there's no IP address, no tracking, no data collection, and no tracking – that's the biggest way that people are monetizing your internet use," Bowden said.

"Billionaires are trying to monetize those connections, and a lot of people are falling for that. We have to make sure this is available," Bowden continued. The hope is that applications will include Veilid and use it to communicate, so that users can benefit from the network without knowing all the above technical stuff: it should just work for them.

To demonstrate the capabilities of the system, the team built a Veilid-based secure instant-messaging app along the lines of Signal called VeilidChat, using the Flutter framework. Many more apps are needed.

If it takes off in a big way, Veilid could put a big hole in the surveillance capitalism economy. It's been tried before with mixed or poor results, though the Cult has a reputation for getting stuff done right.
https://www.theregister.com/2023/08/..._privacy_data/





Last Rites for the UK's Online Safety Bill, an Idea too Stupid to Notice it's Dead

Snoopers Charter: Dead cows don't snitch
Rupert Goodwins

Opinion Information wants to be free. This usefully ambiguous battle cry has been the mischievous slogan of hackers since early networking thinker Stewart Brand coined it in the early 1980s. Intended as part of a discussion about the inherent contradictions of intellectual property, it has bestowed irony in many other places since.

Veilid would seem to be one such place. The open source project has recently announced a secure communications framework, designed for decentralized peer-to-peer use through a multi-hop mesh routing system that combines strong encryption with untraceability. In particular, it is designed to be included in any app that wants to have impervious comms without central servers or third-party visibility. This is new, at least as far as its functionality is not tied to narrow use cases, and important. You never, ever want to roll your own networks, cryptographic systems or security management: now you don't have to.

The irony comes from Veilid's origins, the legendary Cult of the Dead Cow hacker collective. Like Tor before it, where the US Navy intelligence agency gave us an intelligence agency resistant network, Veilid isn't so much poacher turned gamekeeper as the creation of a mirror world. Information may want to be free, but it also wants to be free from interlopers and snoopers. If Veilid achieves its aims of a massive global network of mesh nodes, it will gain that freedom by becoming far too expensive to break.

This is particularly timely, as it is not just another nail in the coffin of state efforts to defeat personal secure encryption by diktat, but a permanent mausoleum as monumental as the Pyramids of Giza.

Backdoor backwardness

The official madness over data security is particularly bad in the UK. The British state is a world class incompetent at protecting its own data. In the past couple of weeks alone, we have seen the hacking of the Electoral Commission, the state body in charge of elections, the mass exposure of birth, marriage and death data, and the bulk release of confidential personnel information of a number of police forces, most notably the Police Service Northern Ireland. This was immediately picked up by terrorists who like killing police. It doesn't get worse than that.

This same state is, of course, the one demanding that to "protect children," it should get access to whatever encrypted citizen communication it likes via the Online Safety Bill, which is now rumored to be going through British Parliament in October. This is akin to giving an alcoholic uncle the keys to every booze shop in town to "protect children": you will find Uncle in a drunken coma with the doors wide open and the stock disappearing by the vanload.

That assumes the best case scenario, where the deliberately weakened encryption needed for state access somehow resists attack by others. In practice, as those who actually understand encryption have said at endless length, it is impossible to guarantee or even expect this. Companies which don't deliberately compromise user security will be fined – hence Signal, WhatsApp and others have said they'd leave the UK rather than comply. In practice, this will mean geo-locking their apps in the App Store and Google Play to prevent installation to UK devices, a move that will hurt ordinary people but which is absolutely no barrier to anyone with motivation. Like criminals.

It is just stupidity stacked on incompetence balanced on political Dunning Krugerism, and the advent of Veilid drowns the lot in a tidal wave of foetid futility. What can a government do about a framework? What can it do about open source? The idea behind Veilid is to add end-to-end, peer-to-peer encrypted functionality to any app that can use it, which by itself is a force multiplier for privacy. The intent is for developers to integrate the framework as any other, as a seamless part of their products. As it stands, if the Online Safety Bill becomes law, then developers who do this will be excluded from UK commercial activity.

Software doesn't have to work like that, as users of open source audio and video tools already know. Codecs can come encumbered with patent and licence fees that exclude them from shipping with FOSS products. Make them external, optional libraries, and the FOSS product can ship and user install the libraries themselves. Those libraries aren't functional products until that point, which makes them trickier to attack legally.

Smack 'em in the supply chain

It is entirely possible to see not just Veilid but other end-to-end encryption systems taking this approach, a UK-only product that complies with the Snooper's Charter but which has the potential to pick up protection from another block of software, which doesn't itself need the ability to communicate with anything. It's not ideal, and opens up the potential for supply chain attacks and user confusion, but these are fixable with a bit of thought and care. Unlike the state strategy which promoted this little bit of evolution.

The only way to outlaw encryption is to outlaw encryption. Anything less will fail, as it is always possible in software to create kits of parts, all legal by themselves, that can be linked together to provide encryption with no single entity to legislate against. Our industry is fully aware of this. Criminals know it too. Ordinary people will learn it as well, if they have to. This information is free to everyone – except the politicians, it seems. For them, reality is far too expensive.
https://www.theregister.com/2023/08/...column_monday/





Zadie Smith, Stephen King and Rachel Cusk’s Pirated Works Used to Train AI

Works by thousands of authors also including Margaret Atwood, Haruki Murakami and Jonathan Franzen fed into models run by firms including Meta and Bloomberg
Ella Creamer

Zadie Smith, Stephen King, Rachel Cusk and Elena Ferrante are among thousands of authors whose pirated works have been used to train artificial intelligence tools, a story in The Atlantic has revealed.

More than 170,000 titles were fed into models run by companies including Meta and Bloomberg, according to an analysis of “Books3” – the dataset harnessed by the firms to build their AI tools.

Books3 was used to train Meta’s LLaMA, one of a number of large language models – the best-known of which is OpenAI’s ChatGPT – that can generate content based on patterns identified in sample texts. The dataset was also used to train Bloomberg’s BloombergGPT, EleutherAI’s GPT-J and it is “likely” it has been used in other AI models.

The titles contained in Books3 are roughly one-third fiction and two-thirds nonfiction, and the majority were published within the last two decades. Along with Smith, King, Cusk and Ferrante’s writing, copyrighted works in the dataset include 33 books by Margaret Atwood, at least nine by Haruki Murakami, nine by bell hooks, seven by Jonathan Franzen, five by Jennifer Egan and five by David Grann.

Books by George Saunders, Junot Díaz, Michael Pollan, Rebecca Solnit and Jon Krakauer also feature, as well as 102 pulp novels by Scientology founder L Ron Hubbard and 90 books by pastor John MacArthur.

The titles span large and small publishers including more than 30,000 published by Penguin Random House, 14,000 by HarperCollins, 7,000 by Macmillan, 1,800 by Oxford University Press and 600 by Verso.

This comes after a lawsuit filed last month by three writers – Sarah Silverman, Richard Kadrey, and Christopher Golden – alleged that their copyrighted works “were copied and ingested as part of training” Meta’s LLaMA. The analysis revealed that the three plaintiffs’ writings are indeed part of Books3.

OpenAI, the company behind AI chatbot ChatGPT, has also been accused of training its model on copyrighted works. Clues to the sources of OpenAI’s training data lie in a paper released by the company in 2020 that mentions two “internet-based books corpora”, one of which is called Books2 and is estimated to contain nearly 300,000 titles. A June lawsuit states that the only websites to offer that much material are “shadow libraries” such as Library Genesis (LibGen) and Z-Library, through which books can be secured in bulk via torrent systems.

Shawn Presser, the independent AI developer who originally created Books3, said that while he is sympathetic to authors’ concerns, he made the database so that anyone could develop generative AI tools and worries about the risks of large companies having control of the technology.

While a Meta spokesperson declined to comment on the firm’s use of Books3 to The Atlantic, a Bloomberg spokesperson confirmed that the company did use the dataset. “We will not include the Books3 dataset among the data sources used to train future versions of BloombergGPT,” they added.
https://www.theguardian.com/books/20...ed-to-train-ai





Dropbox Advanced Plan No Longer Offers 'as Much Space as You Need'

User abuse and crypto miners forced Dropbox to introduce a storage cap.
Matthew Humphries

Dropbox will no longer offer unlimited storage on its Advanced plan due to a growing number of users abusing the policy for unacceptable use cases including cryptocurrency mining.

In a blog post, Dropbox explains that it originally decided to offer its Advanced subscription without a cloud storage limit so that businesses "don’t have to worry about scaling storage as their teams grow." However, some users have been seriously abusing the feature.

Dropbox discovered "a growing number of customers" were signing up for Advanced in order to take advantage of the unlimited storage for unacceptable use cases. They include mining cryptocurrency and Chia, reselling the storage to others, and unrelated individuals pooling their storage for personal use.

The extent of this misuse meant that the abusers would "frequently consume thousands of times more storage than our genuine business customers." That can lead to an unreliable service for everyone, so Dropbox decided it's time to switch to a metered model.

Going forward, a Dropbox Advanced plan with three active licenses (costing $24/user/month after a 30-day free trial) will share a maximum of 15 terabytes of storage. Every additional license will unlock a further 5TB of storage.

Dropbox says it will work with the less than 1% of users currently consuming more than 35TB of storage to "make the transition easier." Any Advanced accounts using less than 35TB will be able to keep the amount of storage they are using at no additional cost and will get an extra 5TB of pooled storage for five years.

Last year, Dropbox announced plans to increase the security of its service by implementing end-to-end, zero-knowledge encryption. The company has also been looking beyond cloud storage with new features to attract more customers.
https://www.pcmag.com/news/dropbox-a...ce-as-you-need





Unveiling the Mechanics of Torrent Sites: A Glimpse Behind the Curtain (How Torrent Sites Work)
Adjamkwalim Akum-Yong

For those who prefer a more visual experience, you can also watch a video version of this article here. This video provides a concise overview of the behind-the-scenes workings of torrent sites and how they facilitate the sharing of content in the digital world.

Torrenting has become a prominent method of sharing and distributing files across the internet. Behind the scenes of this seemingly simple and efficient process lies a complex network of technology and collaboration. Torrent sites have emerged as central hubs for accessing a wide array of content, from movies and music to software and books. In this article, we delve into the intricate workings of torrent sites and shed light on the mechanisms that power them.

Understanding Torrents

Before diving into the workings of torrent sites, it’s crucial to grasp the concept of torrents themselves. A torrent is a small file containing metadata about the content to be shared. This metadata includes information about the files, their sizes, the structure of the content, and the structure of the torrent network. It also contains a list of “tracker” servers and sometimes “peers” — users who are already downloading or sharing the content.

The Torrenting Process

1. Creating a Torrent: Anyone with content to share can create a torrent file using a torrent client. This file acts as a map that guides users and their torrent clients on where to find the content across the network.
2. Uploading the Torrent: Once the torrent file is created, it’s uploaded to a torrent site or a similar platform. This is where torrent sites come into play. They act as search engines and repositories for these torrent files.
3. Indexing and Search: Torrent sites index the torrent files, making them searchable by users. Users can search for specific content they want to download, such as movies, music, software, or books.
4. Downloading the Torrent: When a user finds the desired torrent on a site, they download the torrent file to their device. This torrent file doesn’t contain the actual content but rather the information needed to connect to other users sharing the same content.
5. Connecting to Peers: The torrent client on the user’s device uses the information in the torrent file to connect to peers who are also downloading or sharing the content. Peers are users who are part of the torrent network.
6. Piece-by-Piece Downloading: Instead of downloading a file from a single source, torrenting involves downloading small pieces of the content from multiple peers simultaneously. This process not only accelerates the download but also ensures resilience in case a peer goes offline.
7. Seeding: After downloading the entire content, users can choose to continue sharing the content with others. This is known as seeding. The more seeders a torrent has, the faster it can be downloaded by new users.

Behind the Scenes: Torrent Site Infrastructure

Torrent sites operate through a combination of server infrastructure, user collaboration, and sophisticated algorithms:

1. Server Setup: Torrent sites utilize servers to host torrent files, index them, and provide a user-friendly interface. They also run databases to manage metadata and user interactions.
2. Search Algorithms: Torrent sites employ search algorithms that sift through the vast database of torrents and present relevant results to users. These algorithms consider factors like seeders, leechers, and user ratings to prioritize quality torrents.
3. User Interaction: Users can comment, rate, and provide additional information about torrents. This interaction helps filter out fake or malicious torrents and enhances the overall user experience.
4. DMCA Takedowns: Torrent sites often face legal challenges due to copyright infringement. They may receive DMCA (Digital Millennium Copyright Act) takedown requests, leading to the removal of specific torrents or even the entire site.
5. Mirror Sites and Proxies: To circumvent censorship and access content that might be blocked in certain regions, mirror sites and proxies replicate the content of the original torrent site, allowing users to access it via alternative URLs.

Conclusion

Torrent sites have revolutionized the way content is shared and distributed online. Behind their seemingly straightforward interfaces lies a complex interplay of technology, user collaboration, and legal considerations. Understanding the mechanics of torrenting not only provides insight into the workings of these sites but also highlights the broader issues surrounding copyright, digital rights, and online freedoms. As technology continues to evolve, the landscape of torrenting and its underlying mechanisms will inevitably adapt, shaping the future of content sharing in the digital age.
https://medium.com/@akumyongt/unveil...k-2a317dcd3354

Until next week,

- js.

Jack Spratts' Week In Review is published every Friday. Submit letters, articles, press releases, comments, questions etc. in plain text English to jackspratts (at) lycos (dot) com. Submission deadlines are Thursdays @ 1400 UTC. Please include contact info. The right to publish all remarks is reserved.


"The First Amendment rests on the assumption that the widest possible dissemination of information from diverse and antagonistic sources is essential to the welfare of the public."
- Hugo Black
__________________
Thanks For Sharing
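
The torrent article in this issue describes a torrent file as metadata that lists trackers and lets a client fetch the content piece by piece from many peers. As an added example (not part of the original post or of any article quoted in it), the Python below decodes that bencoded metadata and checks each received piece against the SHA-1 digests stored in it, which is how a client rejects corrupted or tampered pieces from untrusted peers; the sample torrent, tracker URL and payload are constructed, and the field names are those of the BitTorrent v1 metainfo format (BEP 3), which the article does not spell out.

```python
import hashlib

def bdecode(data, i=0):
    """Decode one bencoded value at data[i]; return (value, index after it)."""
    c = data[i:i + 1]
    if c == b"i":                                   # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):                           # list or dict, closed by "e"
        i, items = i + 1, []
        while data[i:i + 1] != b"e":
            value, i = bdecode(data, i)
            items.append(value)
        if c == b"l":
            return items, i + 1
        if len(items) % 2:
            raise ValueError("dictionary key without a value")
        return dict(zip(items[0::2], items[1::2])), i + 1
    if c.isdigit():                                 # byte string: <length>:<bytes>
        colon = data.index(b":", i)
        n = int(data[i:colon])
        s = data[colon + 1:colon + 1 + n]
        if len(s) != n:
            raise ValueError("truncated byte string")
        return s, colon + 1 + n
    raise ValueError(f"invalid bencode at offset {i}")

def parse_torrent(data):
    """Parse single-file metainfo; return tracker URL, piece hashes, info-hash."""
    if data[:1] != b"d":
        raise ValueError("metainfo must be a bencoded dictionary")
    i, meta, raw_info = 1, {}, b""
    while data[i:i + 1] != b"e":
        key, i = bdecode(data, i)
        start = i
        meta[key], i = bdecode(data, i)
        if key == b"info":
            raw_info = data[start:i]                # exact bytes the info-hash covers
    info = meta[b"info"]                            # a missing key raises KeyError
    blob = info[b"pieces"]
    if len(blob) % 20:
        raise ValueError("pieces is not a whole number of SHA-1 digests")
    return {
        "announce": meta[b"announce"].decode(),
        "length": info[b"length"],
        "piece_length": info[b"piece length"],
        "hashes": [blob[j:j + 20] for j in range(0, len(blob), 20)],
        "info_hash": hashlib.sha1(raw_info).hexdigest(),
    }

def verify_piece(t, index, piece):
    """Accept a piece from a peer only if its index, length and SHA-1 all match."""
    if not 0 <= index < len(t["hashes"]):
        return False
    want = min(t["piece_length"], t["length"] - index * t["piece_length"])
    return len(piece) == want and hashlib.sha1(piece).digest() == t["hashes"][index]

# Constructed sample data (not a real torrent); the tracker URL is a placeholder.
CONTENT, PIECE_LEN = b"constructed sample payload, not a real file", 16
def bstr(s):
    return b"%d:%s" % (len(s), s)

def build_sample_torrent():
    pieces = b"".join(hashlib.sha1(CONTENT[j:j + PIECE_LEN]).digest()
                      for j in range(0, len(CONTENT), PIECE_LEN))
    info = (b"d" + bstr(b"length") + b"i%de" % len(CONTENT) + bstr(b"piece length")
            + b"i%de" % PIECE_LEN + bstr(b"pieces") + bstr(pieces) + b"e")
    return (b"d" + bstr(b"announce") + bstr(b"http://tracker.example/announce")
            + bstr(b"info") + info + b"e")
```

Because the digests live inside the `info` dictionary and the info-hash is computed over that dictionary's exact bytes, a client that knows the info-hash can check both the metadata and every piece it receives.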