File-Sharing Program Slips Out of AOL Offices

[goldie]

Quote:

Originally posted by theknife
hey multi...enlighten my feeble mind, then:

with regards to security and the posting of keys, i was under the impression that it did not matter if our keys were public, because in order for someone else to get on the network, we would also have to load their key. therefore, some intruder could have everyone's key but as long as no one loaded his key, he would never have access. this is not correct?

of course, i just woke up and if my logic is deeply flawed, feel free to point that out

Ditto for me too..................<yawn>

Good question..............we need an absolute (not a perhaps) answer here i'd reckon.

Still - ya never know who's Relating Important Associations to Aggressors

~or~

Making Problems Accelerate Amongst us.

~or~

Initiating SneakyProcedures.

[theknife]

morning Goldie

i helped myself to some of those classic CBSRMT episodes last night - how many of those can you get on a cd?

[Mazer]

I leave for a couple of days and am hopelessly behind again. So here's my key.

WASTE_PUBLIC_KEY 20 1536 Mazer
B6FEEF3C6319E648D7BDB3D67749652571066A6EAB5D9B32125824F7CE50
336EB181AEFAFEC4527FC74518B54F64BB8F35D62F96069B703DAD92D9A8
46B137C3100A40F78AC34A6ADE21AB5C738C05896535F698F8C9770D7899
DFFED417B9B564A80E11ABAA40F560A3649EF5A5B25D3E27B3B06540A5B2
915F1076EEBC0D90F4AF6FE432941AA971B213F4A51B16CCB631EA561879
54C392CE71FD5C8665386FFF39FD4AC853DD69096183443AB8A2F0AA06A9
59A30D2DCB1709DCEF2EC9090003010001
WASTE_PUBLIC_KEY_END

[JackSpratts]

Quote:

Originally posted by Ice
again.

P.S. I CAN HEAR YOU SNICKERING JACK

not me ice! i just did a system restore last night too after a bad nimo pac install. sysrestore and i are quite close.

wb mazer!

- js.

[multi]

look guys i'm only just trying to learn this thing as well...but pleased to help
there is one that is far more knowlegable
who sees all ... dare not mention an utterence of an utterence

yes i am testing and u are quite correct sir
...maybe its just the ips that worry me...

though they might not get in thru on"this" app...u know what i mean...
pirate pete with his 1337 port scans ..sold out to cheap nasty riaa men types

do they actually exist?
are they reading my very words...?©2003

LOL

[Mazer]

Well, waste is a lot better than Gnutella was when it first came out. I wonder how popular it will be.

[JackSpratts]

Quote:

Originally posted by Mazer
Well, waste is a lot better than Gnutella was when it first came out. I wonder how popular it will be.

if our networks success is any indication, i think every kid on the planet is going to love this. small groups of friends permanently connected to form massive harddrives. it's going to be as influential as frankel's gnutella, and even more subversive. plus, it works a lot better. searches are instant.

keep handing out those subpoenas riaa and pretty soon you’ll have placed the world beyond your reach, and onto protected networks like waste.

- js.

[multi]

its been going 212450 seconds or 3540 minutes or 59 hours...

[pod]

Quote:

Originally posted by theknife
with regards to security and the posting of keys, i was under the impression that it did not matter if our keys were public, because in order for someone else to get on the network, we would also have to load their key. therefore, some intruder could have everyone's key but as long as no one loaded his key, he would never have access. this is not correct?

With someone's public key, you could decode the traffic encrypted using that person's key. The traffic would have to be sniffed on the wire, as you can't be an active participant of the network without someone accepting your key.

The network name prevents network collisions, so that if you inadvertantly join two networks they won't crosscontaminate each other.

There are also session keys which prevent decoding of recorded encrypted streams, but I don't know much about this scheme.

[JackSpratts]

Quote:

Originally posted by theknife
i was under the impression that it did not matter if our keys were public, because in order for someone else to get on the network, we would also have to load their key. therefore, some intruder could have everyone's key but as long as no one loaded his key, he would never have access. this is not correct?

yes, that's correct. we've actually tested this today, logging on with the proper network name and a starter ip but without an invited key - the way "someone curious" might try who has been reading this thread for instance. so what happens is you can see the network and the ip's but you can't see any folders or files. you can’t browse or download. you can’t participate; you can’t lurk. you'd have no idea who had what or even if anyone had anything at all. you might be able to tell that some network activity was occurring, but you'd be at a loss to tell what kind it was, plus it’s easy for the network to send up chaff to further confuse the sniffers. finally if you somehow managed to break into a data stream you'd be hard pressed to make sense of it since it's pretty well encrypted with some decently powerful mojo.

but if you keep the name of your network private, outsiders can’t get on at all.

since friends, families and most groups aren’t going to be posting their network names on bulletin boards, let alone their keys (unlike we brave souls here at napsterites) these networks will be humming along in blissful obscurity all over the internet, and exchanging a lot of data easily and efficiently. you can expect this will make a lot of people very happy, and a handful of people very nervous.

welcome to the future. again.

- js.

[theknife]

in other words, someone could theoretically monitor you as an individual, from info gleaned from your posted public key, but they would not be able to monitor the network. so posting public keys is maybe not a smart idea?

btw, pod - i think you got more stuff that i never heard of than anybody i ever came across online....

[multi]

i think the general idea would be not to
be quite so public....

but this is a sort of review on the fly i guess...

[Mazer]

It's not unsafe to post public keys because public keys are used for encripting info, and the private keys are used to decrypt it. To read messages on the network without logging on someone would have to steal someone else's private key. It's okay to post your public key, but it's dangerous to import a public key from somebody you don't know.

It would be a good idea to change the netowork name, though. We don't even have to disconnect to do it, I don't think.

[multi]

ok i am into changing the name...
if we all can get in to one of the rooms@the.same.time...

[pod]

Quote:

Originally posted by Mazer
It's not unsafe to post public keys because public keys are used for encripting info, and the private keys are used to decrypt it. To read messages on the network without logging on someone would have to steal someone else's private key.

Here's how this stuff works, from what I know.

When you create your private key, and 'mirror image' public key is created. These are based on some mathematical properties of prime numbers; you pick big enough prime numbers and it becomes computationally infeasible to brute force the private key.

You hold on to your private key, and keep it safe. It's very important. The private key is also protected by a password (more usually and passPHRASE); it is never stored in plaintext.

A message encrypted with your private key will be readable by anyone who has your public key. You publish your public key so that when people use it to decrypt this message they are sure it came from you, because only you have the corresponding private key that could be used to create the message.

When someone wants to send you something that only you can decrypt, they encrypt it with your public key. Now only your private key can decrypt it, and since, again, you're the only person who knows it, only you can decrypt that message.

So if you want secure comms, you exchange your public keys, and send messages to each other using the other's public key.

This how WASTE works. You need everyone's public keys because they all send messages using their private key. Except since it's a network with routing and proxies and such, if you have 3 people, A, B and C, if A sends a message to B, this message could pass through C, which would be able to decode it. IOW, this is not like FreeNet, where the security is end to end and you can't read what's passing through your node (unless it's for you); and this is why you only let trusted people on your network and use a network name to obfuscate matters.

A neat side-effect of this public/private scheme is that if you run a message through a one-way hash function and create a message digest (MD5 does this for example) and encrypt it with your private key, you've created a signature. So you send the signature and the message together (as is or encrypted with receipient's public key), and the recipient can now verify that the message:
a) has not been altered
b) was sent by you

[pod]

Quote:

Originally posted by theknife
btw, pod - i think you got more stuff that i never heard of than anybody i ever came across online....

Yeah, I have some weird shit that maybe a dozen people in the world have heard of

[Ice]

Great post Pod I learnt heaps ty

Oh I just love this bit too:......and this is why you only let trusted people on your network and use a network name to obfuscate matters.

OMG!! just gotta looooove that word..obfuscate

I bet Ramona is spewing he didn't post it first.

What the hell does it mean?

[TankGirl]

Quote:

Originally posted by pod
A message encrypted with your private key will be readable by anyone who has your public key. You publish your public key so that when people use it to decrypt this message they are sure it came from you, because only you have the corresponding private key that could be used to create the message.

A little clarification.... as Mazer already noted, in normal message exchange public keys are used for encryption; private keys are used for decryption. Anybody can encrypt a message with your public key (assuming it is publicly distributed), and without further information in the message itself or communications with the other party you cannot tell who has done the encryption.

This being said, what Pod says is correct too: private keys can also be used to encrypt data - a handy feature for message source autenthication.

Quote:

Originally posted by pod
So if you want secure comms, you exchange your public keys, and send messages to each other using the other's public key.

Yes, although usually the communicating parties want to switch into a more efficient crypto method as soon as they have verified each other's identities with public/private key cryptography. As these more efficient methods (called symmetric ciphers) require sharing a secret key (secret to outsiders), public key crypto needs to be used first to establish a secure channel through which the secret can be safely shared.

- tg

[JackSpratts]

waste users:

the network has a new name.

pm for details.

- js.

this is really such a great thread ... you really know your stuff ...

i noticed that some of you had trouble connecting ... did anyone get a message, when you couldn't connect, saying that it was possibly due to a firewall? just curious ... i don't know what happened, but a friend & i set ours up & we used it & it was working great. then the next time i tried to connect, i couldn't connect, & i got that error message. really frustrating, because it worked so great the 1st time & i didn't change anything (except entering the new ip address) ... i can't imagine what happened the 2nd time. i'm tempted to uninstall & install it again ... what do you think?? thanks for listening ... : )