Thanks, Lucky, for helping to kill gnutella

AARG!Anonymous remailer at aarg.net
Fri Aug 9 13:05:15 EDT 2002


An article on Salon this morning (also being discussed on slashdot),
http://www.salon.com/tech/feature/2002/08/08/gnutella_developers/print.html,
discusses how the file-trading network Gnutella is being threatened by
misbehaving clients.  In response, the developers are looking at limiting
the network to only authorized clients:

> On Gnutella discussion sites, programmers are discussing a number of
> technical proposals that would make access to the network contingent
> on good behavior: If you write code that hurts Gnutella, in other
> words, you don't get to play. One idea would allow only "clients that
> you can authenticate" to speak on the network, Fisk says. This would
> include the five-or-so most popular Gnutella applications, including
> "Limewire, BearShare, Toadnode, Xolox, Gtk-Gnutella, and Gnucleus." If
> new clients want to join the group, they would need to abide by a certain
> communication specification.

They intend to do this using digital signatures, and there is precedent
for this in past situations where there have been problems:

> Alan Cox, a veteran Linux developer, says that he's seen this sort of
> debate before, and he's not against a system that keeps out malicious
> users using technology. "Years and years ago this came up with a game
> called Xtrek," Cox says. People were building clients with unfair
> capabilities to play the space game -- and the solution, says Cox,
> was to introduce digital signatures. "Unless a client has been signed,
> it can't play. You could build any client you wanted, but what you can't
> do is build an Xtrek client that let you play better."

Not discussed in the article is the technical question of how this can
possibly work.  If you issue a digital certificate on some Gnutella
client, what stops a different client, an unauthorized client, from
pretending to be the legitimate one?  This is especially acute if the
authorized client is open source, as then anyone can see the cert,
see exactly what the client does with it, and merely copy that behavior.

If only there were a technology in which clients could verify and yes,
even trust, each other remotely.  Some way in which a digital certificate
on a program could actually be verified, perhaps by some kind of remote,
trusted hardware device.  This way you could know that a remote system was
actually running a well-behaved client before admitting it to the net.
This would protect Gnutella from not only the kind of opportunistic
misbehavior seen today, but the future floods, attacks and DOSing which
will be launched in earnest once the content companies get serious about
taking this network down.

If only...  Luckily the cypherpunks are doing all they can to make sure
that no such technology ever exists.  They will protect us from being able
to extend trust across the network.  They will make sure that any open
network like Gnutella must forever face the challenge of rogue clients.
They will make sure that open source systems are especially vulnerable
to rogues, helping to drive these projects into closed source form.

Be sure and send a note to the Gnutella people reminding them of all
you're doing for them, okay, Lucky?

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
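The limitation the post raises about certificates on open-source clients, as an added example that is not part of the original message: a challenge-response signature check proves that the responder holds the key, not which code is holding it. The `Client`, `Admit` and `Demo` names are hypothetical, and Ed25519 stands in for whatever signature scheme a real deployment would choose.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Client is any program that speaks the protocol (hypothetical model).
type Client struct {
	Name string
	Key  ed25519.PrivateKey // signing key shipped inside the client
}

// Respond signs the gatekeeper's challenge with whatever key the client holds.
func (c Client) Respond(challenge []byte) []byte {
	if len(c.Key) != ed25519.PrivateKeySize {
		return nil // no usable key: nothing to sign with
	}
	return ed25519.Sign(c.Key, challenge)
}

// Admit sends a fresh random challenge and checks the signed reply against
// the public key of the authorized client.
func Admit(pub ed25519.PublicKey, c Client) bool {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return false // fail closed if no randomness is available
	}
	return ed25519.Verify(pub, challenge, c.Respond(challenge))
}

// Demo returns the admission result for three constructed clients.
func Demo() (official, modified, unrelated bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false
	}
	_, otherKey, _ := ed25519.GenerateKey(rand.Reader)
	official = Admit(pub, Client{Name: "official build", Key: priv})
	// Same key, different code: the check cannot tell the two apart.
	modified = Admit(pub, Client{Name: "modified build", Key: priv})
	unrelated = Admit(pub, Client{Name: "unrelated client", Key: otherKey})
	return
}

func main() {
	o, m, u := Demo()
	fmt.Printf("official=%v modified=%v unrelated=%v\n", o, m, u)
}
```

The check rejects a client with a different key but admits any build that carries the shipped key, which is why the post turns to hardware that can vouch for the running code.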


