ZeroPaid.com

(#1) Hornet
Anonymous P2P Security Cracked? - December 17th, 2004, 03:42 PM

Was ANts security cracked?

The ANts protocol has been updated to experimental protocol 0.0.3 due to a possible security threat.

A developer suggested that it was possible to identify the source of files by relating virtual ID to IP by using statistical analysis of the age of messages (ttl). To ensure 100% that this is not possible Gwren has updated the protocol by removing ttl (time to live) and adding a random delay to all messages.

See http://groups-beta.google.com/group/...3f38eb85d328ce



Hornet
   
(#2) hawkburn
December 17th, 2004, 03:47 PM

The fact is that Anonymous P2P is not, in fact, anonymous. Granted, it is much safer than FastTrack or the likes, but for another couple of years, there will always be security holes. It's like Windows - once they get most of the things tinkered out, there's something new that is a better concept that everyone gets interested in, which is thusly also full of security holes.


(#3) Watchmen
December 17th, 2004, 04:24 PM

Quote:
Originally Posted by Hornet
Was ANts security cracked?

The ANts protocol has been updated to experimental protocol 0.0.3 due to a possible security threat.

no shit :bk
   
(#4) crackerjacker
December 17th, 2004, 04:28 PM

Quote:
Originally Posted by hawkburn
The fact is that Anonymous P2P is not, in fact, anonymous. Granted, it is much safer than FastTrack or the likes, but for another couple of years, there will always be security holes. It's like Windows - once they get most of the things tinkered out, there's something new that is a better concept that everyone gets interested in, which is thusly also full of security holes.

I have to state one thing, it's definitely safer than FastTrack, with respect to the browsing of other files.
On the other hand FastTrack users can disable the browser feature on what they are sharing, but there is the issue of partial file sharing on Kazaa etc.

hmm interesting news.
good job
thanks for your time
(#5) AussieMatt
December 18th, 2004, 07:06 PM

I was always concerned about stat attacks in Ants and the random TTL and pointed it out to Gwren; he kept saying the TTL was random and wasn't a problem, but as in all systems there is a threat model that has to be shown, then it's up to the developer to fix the potential threat, that's why Ants is still beta.
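
An added example, not part of any post in this thread and not ANts code: a toy model of the TTL leak discussed in posts #1 and #5. It assumes the originator draws a random initial TTL from a fixed range (TTL_MIN and TTL_MAX are made-up values) and that every forwarding node decrements it by one, then measures how often the largest TTL seen on one link for one virtual ID gives the exact hop distance; with the field removed, as post #1 describes for protocol 0.0.3, the estimator has no input.

```python
import random

TTL_MIN, TTL_MAX = 10, 20   # assumed range for the random initial TTL

def observed_ttls(hops, n, rng):
    """TTL values seen on one link for n messages from one virtual ID.

    hops = 1 means the peer on that link is the originator itself.
    Each forwarding node decrements the field by one (assumed rule).
    """
    return [rng.randint(TTL_MIN, TTL_MAX) - (hops - 1) for _ in range(n)]

def estimate_hops(ttls):
    """Hop distance implied by the largest TTL seen; None if no TTL is sent."""
    if not ttls:
        return None
    return TTL_MAX - max(ttls) + 1

def accuracy(hops, n, trials, rng):
    """Fraction of trials in which n messages reveal the exact distance."""
    hits = sum(estimate_hops(observed_ttls(hops, n, rng)) == hops
               for _ in range(trials))
    return hits / trials

def strip_ttl(ttls):
    """Model of a protocol without the field: nothing is left to observe."""
    return []

if __name__ == "__main__":
    rng = random.Random(2004)           # fixed seed, constructed sample data
    for n in (1, 10, 50, 200):
        rate = accuracy(1, n, 2000, rng)
        print(f"{n:>3} messages: exact distance in {rate:.0%} of trials")
    leftover = strip_ttl(observed_ttls(1, 50, rng))
    print("without a TTL field:", estimate_hops(leftover))
```

The random delay that 0.0.3 also adds is not modelled here.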
   
(#6) ducttapeBigSexy
December 18th, 2004, 08:23 PM

Claiming something is completely anonymous is a pretty big claim. You'd better be able to back it up, and when stuff like this happens, it doesn't bode well. I mean, I realize it's still early, and yes, it is far more anonymous than FT (then again, giving out burned CDs outside the building of a major record label is more anonymous than FT ;) ), but still.
(#7) AussieMatt
December 18th, 2004, 08:38 PM

I have to agree with you, Ants isn't 100% anonymous, and I have stated this in the Ants IRC channel. You also have to remember English isn't Gwren's first language, so his project description is to be taken with a grain of salt. That said, WASTE also claims that it is anonymous on its website, as does Blubster, so it's not just Ants making claims of anonymity.
I think the best description of software anonymity comes from I2P

Quote:
What do we mean by "anonymous"?

Your level of anonymity can be described as how hard it is for someone to find out information you don't want them to know - who you are, where you are located, who you communicate with, or even when you communicate. "Perfect" anonymity is not a useful concept here - software will not make you indistinguishable from people that don't use computers or who are not on the internet. Instead, I2P is working to provide sufficient anonymity to meet the real needs of whomever we can - from Joe Sixpack browsing porn to Tommy Trader sharing files to Irene Insurgent organizing an upcoming action.

The question of whether I2P provides sufficient anonymity for your particular needs is a hard one, but this page will hopefully assist in answering that question by exploring how I2P operates under various attacks so that you may decide whether it meets your needs.

Source: http://www.i2p.net/how_threatmodel
   
(#8) Hornet
Anonymity? - December 19th, 2004, 03:28 AM

Quote:
Originally Posted by AussieMatt
I have to agree with you, Ants isn't 100% anonymous, and I have stated this in the Ants IRC channel. You also have to remember English isn't Gwren's first language, so his project description is to be taken with a grain of salt. That said, WASTE also claims that it is anonymous on its website, as does Blubster, so it's not just Ants making claims of anonymity.
I think the best description of software anonymity comes from I2P

Good post AussieMatt. I think Gwren should put a health warning on the Ants website. So users know what they're getting.

According to Gwren:
Quote:
“ANts and MUTE are anonymous, you never know who put the information onto the net,” Gwren explains nicely. “The problem is that you do know who is passing that information on to you. It’s like anonymous mail: you know the postman but you don't know the sender. ANts offers an additional element of security, because the postman cannot read your mail (unless he is the sender himself, but you have no way of knowing this!).”

So Ants protects users by giving them deniability.

see http://www.slyck.com/news.php?story=567

Hornet
   
(#9) paniq
December 27th, 2004, 05:55 PM

Well, most users' interest in anonymity is fear of prosecution. Whilst immediate connections may be identified, could they be prosecuted? As you say, Hornet, it gives users deniability. This for most users would be enough.

However do ISPs have deniability? At present you get MPAA/RIAA threatening ISPs to then warn their subscribers, even though the ISPs say they cannot monitor all the traffic over their servers. So will these warnings continue even when using ANts?
   
(#10) tsafa1
December 27th, 2004, 06:52 PM

Keep in mind that it is possible that you may still get a letter or be sued just for proxying files. If you are, Ants will give you plausible deniability, but you still have to argue the case. Ants will not send a defense team to your house. You have to make your own lawyers understand how it works and then argue the case to the RIAA/MPAA lawyers and then maybe to a court. The difference with Ants is that you have something strong to fight back with. If you admit any wrongdoing or settle, Ants cannot help you. I personally do not think the RIAA/MPAA would start a case against you unless they fully understand the program and believe they can win. Otherwise they risk making the program an instant success and they would not want that. If they ever did go down that path, they would pick one or two cases where people settled or admitted wrongdoing and try to use that as proof that Ants is not safe.


(#11) a3ro3
December 27th, 2004, 07:34 PM

We won't know how secure Ants, MUTE, or even Freenet is until some major label starts filing lawsuits. The entertainment industry won't care until those networks actually have a user base that warrants attention. FT, Mp2p, Gnutella, IRC, and eDonkey are keeping them busy.

Of course Freenet doesn't make irresponsible claims of 100% anonymity. They're the only one I can generally trust for the time being. Not only because they don't make bogus claims, but because they've been out there so long and the system is very complex. So much that the effort to track down content sources would be bothersome and costly at the moment.
   
(#12) AussieMatt
December 27th, 2004, 07:42 PM

a3ro3, don't overlook TOR either; the EFF just gave them financial backing to keep the project going. You can use the TOR proxy for your regular P2P client if it has SOCKS built in.
   