
Torrent Tweet

Monday, August 16, 2010

BitTorrent has just launched a new add-on to the P2P client µTorrent (or utorrent): Torrent Tweet. The name of the app is self-explanatory. It is a new way to share or chat about a given torrent. The central server, using the hash tag of the torrent, adds a unique TinyURL to the tweet. Thus, it is extremely easy to point to a torrent.

We may be skeptical about its wide usage. File sharing is often done under cover, and anonymity is probably not the salient characteristic of Twitter. Nevertheless, the use is starting and spreading. Some doubts? Choose the last movie you’ve seen at the theater. Search for its torrent on Twitter, for instance “Salt + Torrent”. You’ll be surprised by the result.

BitTorrent has created a new, convenient way to share torrents :( When will we see cease and desist notices sent through Twitter?

A team of five INRIA researchers presented an interesting paper at the 3rd USENIX Workshop on Large-Scale Exploits and Emergent Threats: Spying the World from your Laptop - Identifying and Profiling Content Providers and Big Downloaders in BitTorrent. The title says everything.

Using a single machine and some “flaws” in the BitTorrent protocol, they collected and analyzed 148 million IP addresses involved in more than 2 billion instances of downloads. Then, they tried to identify the content providers and the big downloaders.

For instance, for the content providers (i.e. the person who created the first torrent for a piece of content), they spied on the tracker sites to identify new torrents. If a torrent appeared with only one source address, then that address was the one of the initial content provider!

Unsurprisingly, they discovered that most of the illegal content is provided by a limited number of content providers. The distribution is very long-tailed: the top 100 contributors provide about 30% of the content on BitTorrent! The hosting centers of the initial seeds are mostly in France and Germany, but the content providers themselves were from other countries.

Interestingly, they discovered that big downloaders were often hidden behind proxies, Tor or VPNs. They also identified some monitoring “sites”.

A nice view of the P2P activity.

Private copy levy or piracy levy?

Wednesday, April 2, 2008

The French government asked the Conseil d'Etat to review the calculation rules of the levy for private copy. Currently, the government levies a tax on every non-volatile storage unit. This tax is a levy for private copy. It applies to recordable CDs, recordable DVDs, hard disks, USB flash memory, memory cards, … Its value is defined by the Commission d'Albis. As an example, the tax for an iPhone would be 7€ (i.e. about $10). The tax is redistributed to rights owners.

In January, three consumer associations complained to this authority about this levy. The controversy is that the levy takes into account the estimated level of piracy. A recent survey claimed that 40% of the content stored on recordable media was coming from P2P. If the levy takes piracy into account, then it covers both private copy (of legally acquired content) and illegal copy (of P2P-downloaded content). Thus, P2P downloading should no longer be illegal, since it is already paid for through the tax. Meanwhile, the representatives of the consumer electronics industry boycotted the Commission d'Albis on mainly the same grounds.

Thus, they demand that either P2P downloading be made legal or the levy be reduced. The answer of the wise men will be extremely interesting.

Confidential data and P2P

Thursday, March 27, 2008

Last year, Pfizer had a serious security breach. Personal records of 17,000 employees and former employees were available on a peer-to-peer (P2P) network. The wife of a Pfizer employee installed file-sharing software on her husband's company laptop. The configuration was badly set and confidential information leaked. This type of leakage is rather common. In Security Newsletter n°4, I reported a virus using P2P software to distribute random files from a hard disk. Japanese defense plans leaked!

The first-thought recommendation would be to ban P2P software from company computers. This recommendation has limits:
- P2P software may be useful in some contexts (and will probably become more prevalent in the future)
- There is no serious way to prevent users from installing such software and using it outside the firewalled environment of the company. In fact, it is possible to block the installation of software by users, but it quickly becomes a problem for the IT department (cost of installing new software, upgrades, patches, …). It is often not practical except in highly secure environments. In any case, in most cases, IT-aware users will bypass the control.

Thus, the best recommendation I would give is to encrypt all confidential files on the laptop. This answers this threat, because what is shared is encrypted data, i.e. useless, and it also answers many other threats such as theft of laptops. Obviously the choice of the encryption tool is important (we will report on the latest hack on encryption tools in the next security newsletter, to be published in a fortnight).

It is also important to remember that you are also at risk at home with your private data. If ever you, or your relatives, use P2P software on your personal computer, check its configuration carefully to strictly sandbox the sharing space. Let's hope there is no backdoor that allows changing it ;-)
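As an added illustration of the advice to strictly sandbox the sharing space (example code written for this page, not code from the original post or from any P2P client), the following Python script audits a share configuration the way a cautious user or an IT department could: every shared directory must sit inside one designated sandbox directory, must not overlap a protected directory such as Documents, and must not contain symlinks that resolve outside the sandbox, since the client will happily follow them. The share paths, the sandbox and the protected directory are constructed in a temporary directory, and the names `audit_shares` and `demo` are this example's own.

```python
"""Audit a P2P client's share list against a sandbox boundary.

Everything here is constructed for the example: the laptop layout lives in a
temporary directory and no real client configuration is read.
"""
import os
import tempfile
from pathlib import Path


def _is_within(path: Path, root: Path) -> bool:
    """True if `path` is `root` itself or lies under it (both already resolved)."""
    try:
        path.relative_to(root)
        return True
    except ValueError:
        return False


def audit_shares(share_dirs, sandbox_root, protected_dirs):
    """Return a list of (path, reason) findings; an empty list means the config is clean.

    Rules checked, in order:
      1. every share directory resolves to a location inside sandbox_root;
      2. no share directory contains, equals, or is contained in a protected directory;
      3. no symlink inside a share resolves to a location outside the sandbox.
    """
    findings = []
    sandbox = Path(sandbox_root).resolve()
    protected = [Path(p).resolve() for p in protected_dirs]
    for raw in share_dirs:
        share = Path(raw).resolve()
        if not _is_within(share, sandbox):
            findings.append((str(raw), "share directory is outside the sandbox"))
            continue
        for prot in protected:
            if _is_within(share, prot) or _is_within(prot, share):
                findings.append((str(raw), f"share overlaps protected directory {prot}"))
        # Walk without descending into symlinked directories, but inspect every
        # symlink met on the way so escapes are reported rather than silently shared.
        for dirpath, dirnames, filenames in os.walk(share, followlinks=False):
            for name in dirnames + filenames:
                entry = Path(dirpath) / name
                if entry.is_symlink():
                    target = entry.resolve()
                    if not _is_within(target, sandbox):
                        findings.append((str(entry), f"symlink escapes sandbox to {target}"))
    return findings


def demo():
    """Build a constructed laptop layout and audit a clean and a leaky configuration.

    Returns (clean_findings, leaky_findings).
    """
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        docs = home / "Documents"
        docs.mkdir()
        (docs / "payroll.xlsx").write_text("constructed confidential content")
        share = home / "p2p-share"
        share.mkdir()
        (share / "linux.iso").write_text("constructed public content")

        # Clean: the only share is the sandbox itself and it holds no escapes.
        clean = audit_shares([share], share, [docs])

        # Leaky: the whole home directory is shared, and a symlink to Documents
        # has been dropped into the sandbox (a classic "helpful" shortcut).
        (share / "stuff").symlink_to(docs)
        leaky = audit_shares([home, share], share, [docs])
        return clean, leaky


if __name__ == "__main__":
    clean, leaky = demo()
    print("clean configuration findings:", clean)
    for path, reason in leaky:
        print(f"LEAKY: {path}: {reason}")
```

The audit only reports; it never rewrites the client's settings, which is deliberate: a script that silently edits share paths is exactly the kind of thing the joke about a backdoor refers to. A real run would read the share list from the client's own settings file and pass the user's home, Documents and any company data folders as the protected directories.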

In the referenced article, I also found interesting the data mining performed on queries on the P2P network. Privacy is leaking even through P2P network usage :-0