Translated from: http://internet.watch.impress.co.jp/cda/event/2006/06/09/12274.html
I can't guarantee that everything is translated accurately, interpret at your own risk/leisure.

--

Use Winny and your ISP will come visit you? The truth about anonymous P2P

On June 8th at "Interop Tokyo 2006", a BOF titled "A Moment of Living with Security" was held by the Japan Snort Users Group. Representative director Sugiura from NetAgent and Slashdot editor wakatono were there to discuss the problem of information leakage via P2P, and the anonymity of Winny and its users.

* The identity of the initial uploader can be determined with near 100% accuracy

NetAgent supplies "One Point Wall", a bridge firewall that blocks Winny and Share traffic. Sugiura, who developed One Point Wall, has deciphered the encryption behind the Winny and Share communication protocols, and says he can see the true state of these so-called anonymous P2P systems.

Regarding Winny and Share anonymity, users expect:

1. Anonymity of the initial uploader of a file.
2. Anonymity of the users' IP addresses.
3. Anonymity of download and upload activity.
4. Anonymity of the contents of transferred files from ISPs and network administrators.

According to Sugiura, these expectations are far from the truth. First, regarding the anonymity of the initial uploader: "at least for Winny, we can determine this at near 100% accuracy". Because many Winny nodes can download data at once, it was said that the anonymity of the user who uploaded a file is protected. However, NetAgent's Winny detection system can determine the initial uploader because "we do not monitor the network after the file has been uploaded and dispersed, but monitor it from the very beginning".
For example, users who are interested in leaked information differ from users who are after popular music files: a leaked file tends to wait longer before other nodes connect to download it. If such a file is held for a long time by a single node, that node is determined to be the initial uploader.

* Once the IP address is known, "the user's interests are wide open"

Regarding the anonymity of users: because Winny runs over TCP/IP, IP addresses can be extracted. However, even if an IP address is known, only the ISP can link it to the user's name and physical address.

Regarding the anonymity of utilization states, which light users are most interested in: once the IP address is known, the cache state and the contents of downloaded files can be obtained, so all of "the user's interests are wide open".

Regarding the anonymity of file contents from ISPs and network administrators, which rests on Winny's encryption, Sugiura denies that real-time decryption can be done. According to Sugiura, even though Winny uses RC4 with a weak, dynamically generated 4-byte key, it is still better than nothing.

Sugiura believes "the current state of Winny is that the anonymity of the users is collapsing. Accepting this fact, the number of Winny users should decrease."

* For self-protection, do not hand information to people who are still using Winny

According to wakatono, "Winny itself is not wrong", but the problems are "difficulty in being able to control things that should not be spread", "having fatal vulnerabilities", "developers not being able to supply bug fixes because of current controversies", and "having known viruses". In particular, if an attacker appears who takes advantage of the vulnerabilities, "about 500,000 Winny nodes would become a hotbed for botnets", he warns. He also points out how suspicious files are kept in the Winny cache.
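The initial-uploader heuristic described above (a file held by a single node for a long time before any other node is seen with it) as an added example: this is illustrative Python written for this page, not NetAgent's detection system or any code from the article. The sighting log is constructed, the 6-hour threshold is an assumed parameter, and the node ids stand in for whatever identifier a monitor records. It shows why "many nodes can download at once" does not protect the first node when observation starts before the file spreads, and it only yields a node identifier; as the article says, only the ISP can tie that to a person.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sighting log: (time, node, file) = "node was observed holding file".
# Not real Winny data; the node names and file names are made up for the example.
SIGHTINGS = [
    ("2006-06-01T08:00:00", "node-A", "popular-song.mp3"),
    ("2006-06-01T08:03:00", "node-B", "popular-song.mp3"),  # spreads within minutes
    ("2006-06-01T08:05:00", "node-C", "popular-song.mp3"),
    ("2006-06-01T09:00:00", "node-D", "customer-list.xls"),
    ("2006-06-01T09:10:00", "node-D", "customer-list.xls"),  # same node, still alone
    ("2006-06-02T14:00:00", "node-E", "customer-list.xls"),  # second node after 29 h
    ("2006-06-02T15:00:00", "node-F", "customer-list.xls"),
    ("2006-06-03T10:00:00", "node-G", "unseen-doc.txt"),     # never reaches a 2nd node
]

NOW = datetime(2006, 6, 4, 0, 0, 0)  # end of the observation window (constructed)


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def solo_intervals(sightings, now):
    """For each file return (first_node, first_seen, solo_seconds, confirmed).

    solo_seconds is the time from the first sighting until a *different* node was
    seen holding the file. If no second node appeared, the interval is measured up
    to `now` and confirmed is False: the node is still alone, so the value is only
    a lower bound.
    """
    by_file = defaultdict(list)
    for ts, node, fname in sightings:
        by_file[fname].append((parse(ts), node))

    result = {}
    for fname, rows in by_file.items():
        rows.sort()  # chronological; the earliest sighting is the candidate source
        first_time, first_node = rows[0]
        second = next((t for t, n in rows if n != first_node), None)
        end = second if second is not None else now
        result[fname] = (first_node, first_time,
                         (end - first_time).total_seconds(), second is not None)
    return result


def likely_initial_uploaders(sightings, now, min_solo=timedelta(hours=6)):
    """Files that one node held alone for at least min_solo before anyone else had them.

    Returns {file: first_node}. Popular content that spreads in minutes is never
    flagged; a document that sat on one node for a day is, as is a file that is
    still solo at the end of the window (check the `confirmed` flag from
    solo_intervals before treating that as more than a lower bound).
    """
    flagged = {}
    for fname, (node, _t0, solo, _confirmed) in solo_intervals(sightings, now).items():
        if solo >= min_solo.total_seconds():
            flagged[fname] = node
    return flagged


if __name__ == "__main__":
    for fname, (node, t0, solo, confirmed) in solo_intervals(SIGHTINGS, NOW).items():
        status = "confirmed" if confirmed else "still solo (lower bound)"
        print(f"{fname}: first at {node} {t0}, alone for {solo / 3600:.1f} h, {status}")
    print("likely initial uploaders:", likely_initial_uploaders(SIGHTINGS, NOW))
```

The threshold has to be tuned against what the monitored network actually looks like: a leak that many nodes grab immediately looks like popular music and will not be flagged, and a monitor that joins late sees only an already-dispersed file, which is exactly the limitation Sugiura describes when he says they watch "from the very beginning".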
Of the data being spread over Winny, 95% is files that violate copyright, 2% is leaked information, and 1.5% contains malware. "The truth is that the damage is much greater than any benefit users may receive."

wakatono says: "Winny being an anonymous P2P program is a thing of the past; currently it's completely open. And it's not okay to switch to Share to replace Winny. However, the believers and dreamers and kiddies who believe in the anonymity are still using it now. They think they have spirit, but it's definitely not something to look up to. Not handing information to people who still use things that have known viruses is how to protect yourself. Maybe it's too much to cut ties, but it might be good not to take pictures with them or send them New Year's postcards."

* Files appearing on the Winny network disappear in "about 2 weeks"

"Do files that appear on the Winny network never disappear?" There are many questions about information leakage via Winny, but according to Sugiura, "unpopular files disappear from the network after about 2 weeks". This is because people who use Winny regularly delete their cache files at roughly 2-week intervals. However, leaked information disappearing from the network only applies "if they are unpopular files". For example, the customer information leaks that were in the news became popular files because many nodes started downloading them, so they are not erased from caches. Sometimes customer information is downloaded to virus-infected PCs, so there are cases where it is spread even further.

* Having used Winny, there are many chances to get arrested for copyright violations

What happens if somebody has used Winny was also discussed. Regarding this question, wakatono pointed out that "there are cases where people are arrested for violating copyright law, but it's not because they used Winny."
However, as soon as a node is registered with Winny's initial node list, that can be considered intent to obtain copyrighted data, and the user qualifies as having illegal intent. Sugiura added that "Winny uses the TCP/IP layer so it's impossible to remain anonymous; when you are arrested, you are arrested. Having used Winny, there are many chances to get arrested for copyright violations."

When asked "if I use Winny to upload something, will I start to receive phone calls?", Sugiura answered "we already made calls." He said there have been episodes where they found nodes that were leaking information, extracted the IP addresses and contacted the ISPs to have them removed. He shocked the audience by saying that although not all ISPs respond to such requests, there are cases where ISPs decided to visit the homes of the Winny users.