Senator Diane Feinstein Wants to know about the Benefits of P2P

So I would like some professional expert opinion to
give her on this issue since it will affect the
copyright inducement bill. Real benefits for
production and professional usage of this technology.

-Henry

My two cents:
When Windows XP SP2 was released the only way to get it (for those of us not part of MSDN at least) was via P2P. The same has been true for countless other large but important software releases on various platforms (particularly ones like Linux that aren't backed by huge corporations with tons of bandwidth to host these sorts of files).

Point is? P2P is extremely valuable for the timely and cost-effective delivery of critical updates to the masses.

I think the clear case is this:

  To get effective patch distribution, there needs to be some form
of 'Local distribution'.

  I live in an area where there really are no high speed
connection choices that are available for the consumer (aside from
satellite). [no cable, no dsl, only dial-up].

  Now, imagine a case where a machine (laptop or otherwise)
that gets connected to a high speed link periodically can distribute
[via home lan, or wlan] to other neighbors' computers these patches
that they surely will not download via dial-up. Microsoft recently frowned
on using p2p for this activity (imho, for a semi-good reason: if they
make a minor change to the patch set which then breaks
fewer people's computers, it's in their interest to do so, and without
really telling people there was a change, just the checksum and other
technical details may change).

  This way people get the latest updates.. but for Joe average user
in my vicinity, it's not really possible to obtain these large patches
without being forced to download them for hours and hours over 26.4k
dial-up..

  This plus the ability for the patches to be shared (possibly
automatically) to other users via a home/wireless lan to reduce
having to download 3-4 copies if you have 3-4 machines at home
would be ideal. No need to download hundreds of megs that are dupes.

  Basically: p2p as a caching media, i go to the local
hotspot, download the patch and make it available to others that
are 'local' to me so they don't have to go through a painful process
of downloading it themselves at low speeds, or bother with the
ordering process on the website.

  - jared

You know, I'm not even sure why it is necessary for us to argue the case for P2P - I see its primary beneficiary as content providers (the people that make the ISOs, movie trailers, etc... that take advantage of technologies like BitTorrent) - why haven't any of these people stepped up to lobby P2P's benefits? (or if they have, maybe someone can point Henry at these lobbyists?)

Not true. For those of us who host Akamai servers, we could download SP2
with no problems. We did not need P2P, or MSDN. In fact, I would be very
reluctant to trust a Windows update downloaded via P2P.

Peer to peer technology has the potential to allow individuals and organizations with modest means to reach a very large audience with substantial amounts of data. The example of software updates has already been discussed. Companies like Microsoft and Apple can afford to buy very large amounts of bandwidth so they can deliver these files to everyone who wants them individually. However, the same isn't true for free operating systems such as Linux and the BSD family. The technology is also very well suited for distributing free movies digitally, which would otherwise be prohibitively slow or expensive. As such, peer to peer has the potential to be a great asset to audiovisual free speech.

And that's just the obvious examples. Peer to peer technology allows for extremely robust distribution mechanisms that are very hard to create in other ways. I'm sure in time there will be more applications for it. For instance, peer to peer would be a great way to distribute large amounts of data to hospitals, fire stations and so on in case of wide-scale emergencies.

Byron L. Hicks wrote:

Not true. For those of us who host Akamai servers, we could download SP2
with no problems. We did not need P2P, or MSDN. In fact, I would be very
reluctant to trust a Windows update downloaded via P2P.

How is the p2p checksum different from any other checksum on the file?

Pete

Byron L. Hicks wrote:

In fact, I would be very
reluctant to trust a Windows update downloaded via P2P.

why?

Not only were there many sources all showing the same MD5 hash (and for
the time being, we can still trust MD5...) BUT it was also digitally
signed by Microsoft which was easily verifiable.

Then again, I would be reluctant to install it because I have no idea how
my debian system would respond... :)

-david

Not true. For those of us who host Akamai servers, we could download SP2
with no problems. We did not need P2P, or MSDN. In fact, I would be very
reluctant to trust a Windows update downloaded via P2P.

Have you heard of MD5 sum?

I think you just tripped across the difference between a user and an SP. SPs don't generally have 28 KBPS dial links between them and their upstream, and folks that have 28 KBPS dial uplinks don't generally host Akamai servers. Assuming that just because you have effectively-infinite bandwidth and effectively-zero delay everyone perforce must enjoy that is a bit of a leap...

This kind of a "you're different and therefore wrong" mismatch has made complete hash out of quite a variety of discussions concerning user experience and user requirements on the Internet. Please listen carefully when someone talks about having limited rate access. The assumptions that are obviously true in your (SP) world are completely irrelevant in theirs. If you want their opinions - and this opinion was explicitly requested - you have to respect them when they are offered, not just bash them as different from your experience.

the cynic in me says that the senator is looking for our arguments in
favor of p2p, so that she knows exactly how to argue against us and
exactly how to write a bill to hurt us the most.

recall that feinstein is one of the loudest anti-p2p legislators.

i am not sure anyone should be helping her.

-Dan

yep md5 made the news recently because it's been cracked:

http://techrepublic.com.com/5100-22-5314533.html
http://www.rtfm.com/movabletype/archives/2004_08.html#001055

-Dan

Security by obscurity?

That's SHA0.

Still, a checksum is a checksum, cracked or not.

Tell her to kiss my white ass. She can ask the FBI. Since they are the experts when it comes to P2P.

because legislating in the 'USA' something that is clearly 'global' has
worked so well? politicians looking to get:
1) votes
2) 'political bang for the buck'
3) useless hot air blown up someone's rear

really need to stop trying to legislate behaviour in places they can't
touch... To repeat: "If you make <currently legal Internet thing> illegal
in the US, I'll just move my <currently legal Internet thing> OUTSIDE the
US Borders and give you the middle finger as a salute."

that seems to 'work' well enough:
1) spam
2) hacking
3) Child Porn
4) drug sales
5) p2p network 'stuff' (kazaa was built by some corporation out of
christmas island ?? or was that another of the P2P products?)

-Chris

In my opinion, P2P distributed systems are still an active research
area and the more interesting applications aren't out of the academic
research phase yet. Current prototype p2p systems include a
storage-accounted remote backup system (SCRIVENER) and a webcache
(SQUIRREL). I know of at least two other prototype applications at
Rice that are as yet unpublished.

  http://www.cs.rice.edu/CS/Systems/SQUIRREL/default.htm
  http://www.cs.rice.edu/CS/Systems/Scrivener/default.htm

We won't know how many of these will turn into production systems for
another few years. Of course, if INDUCE passes, then an unknown
portion of this research area would be made legally questionable. Any
consideration of such a far-reaching legal change is, at the minimum, very
premature.

Scott

That's a misleading over-simplification. A collision being found implies something different than "it's cracked." A weakness that was theorized some time ago has been demonstrated in practice. Finding collisions and altering files in a useful way to produce a duplicate hash are different things. There are FAR bigger security concerns than this one right now IMHO.

I recall even seeing posts about people claiming this meant original data being reconstructed from the checksum! That would be truly amazing since I could reconstruct a 680MB ISO from just 61d38fad42b4037970338636b5e72e5a. Wow!

         ---Mike

Henry,

So I would like some professional expert opinion to
give her on this issue since it will affect the
copyright inducement bill. Real benefits for
production and professional usage of this technology.

I'm sure you'll hear this from many other people, but one thing that I always
try to discuss when talking about "P2P" is the difference between general
peer-to-peer applications and "illegal music downloads". For example, Voice
over IP systems and the regular PSTN telephone system (same application but a
different network) are peer-to-peer applications running over electronic
networks (sometimes even the same ones). The PSTN is routinely used
to commit all sorts of criminal activity, though I think it's easy to see
how using the peer-to-peer application (i.e. "calling someone on the telephone")
is distinct from committing a criminal act.

Regardless, my guess is that the real interest relates to music trading via
Internet-based "peer-to-peer" networks (Fastrack, gnutella, IRC, etc), so
I'll limit the rest of my thoughts to that. My band is a small, independent
band. We don't have a recording contract nor are we interested in one. We're
not interested in making money by selling CDs (do any artists really make money
selling CDs?) but rather by performing. We want people to listen to our
music, to have easy access to it, and we see this goal as one of the best ways to
generate interest in our band and interest in attending our shows. To
accomplish this, we definitely intend to seed the various file-sharing networks
with our MP3s as soon as we're done mastering them. We own the copyright to
our music and view this as the best avenue to distribute our music and, in the
process, generate interest in our band. All other mechanisms for distributing
our music will cost us something, usually money, as well as cost our fans. The
truth is that if someone has to pay to download our music, then it's likely
that they won't since we aren't an established band. Even if some fans were
willing to pay to download our songs, we'd rather that they saved the money to
spend at our shows and we see giving away our digital recordings as a good
way to drive attendance. If this sort of distribution is made illegal,
then we'd be forced to go through a third party to distribute our music and
this would likely require either signing away certain rights to our music,
costing us money, or both. It would also drive up the cost of our music to
our fans and hinder our ability to perform.

Stretching things a little, I'm also worried that other means for
distributing our music would be impacted if music-sharing via peer-to-peer
networks is made illegal. For example, if a friend IMs me over AIM and
asks for a copy of our MP3s, would that also be illegal? If I run a web
server from my home computer, use dynamic DNS to keep my hostname and IP
mapping current, register the location of my MP3 with Google and Yahoo so that
people will download it from me, will that also be illegal? Would Google,
my cable-modem provider, and my dynamic DNS providers be somehow liable for
providing a potentially inducing technology and, as such, prevent us from
doing it? If neither of these distribution mechanisms would be illegal, what
is it about our approach to using Fastrack or gnutella that makes it illegal?

Some people are using these networks to distribute content illegally and I'm
against that. Just because my band wants to distribute its music this way,
doesn't mean that every band has to or should be forced to. However, we see
free and simple access to our music over the Internet as a way to generate
interest in our band and drive people to our local shows without having to go
through an intermediary and without costing us and our fans money.

Eric :)

Network Engineer, data plumber, and Drummer for
The Amazing Poundcakes (http://www.amazingpoundcakes.com)

Not true. For those of us who host Akamai servers, we could download SP2
with no problems. We did not need P2P, or MSDN. In fact, I would be very
reluctant to trust a Windows update downloaded via P2P.

Have you heard of MD5 sum?

yep md5 made the news recently because it's been cracked:

http://techrepublic.com.com/5100-22-5314533.html
http://www.rtfm.com/movabletype/archives/2004_08.html#001055

It hasn't actually, but I guess the differences are too subtle for some people to grasp.

It is now possible to generate a collision [*] (i.e. two files with the same md5 hash) for a given hash. Generating a file with a malicious payload that has the same hash as another file is left as an exercise to the reader.

The implication of course is that it's time to switch hash algorithms to SHA-1 or SHA-2 (224, 256, 384, 512), not that hash algorithms are a bad way to validate integrity of data.

The other component of course is having the hash be signed in some fashion by a trusted third party, such as the package or distribution maintainer or creator, so you validate the hash and then verify the file integrity. Most Linux distributions, FreeBSD images and Mac OS X updates use such a scheme.

* - http://eprint.iacr.org/2004/199.pdf
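As an added illustration (not code from any poster or from the projects named in the thread) of the two-step scheme described above and of David's point that the SP2 download was both hash-checked and signed: the downloader first verifies the maintainer's signature over a sha256sum-style manifest, and only then compares each downloaded file against the digest the manifest lists. The Ed25519 key, file names and file contents are constructed for the example; a real release would publish the public key out of band.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// BuildManifest writes one sha256sum-style "<hex digest>  <name>" line per file (constructed release metadata).
func BuildManifest(files map[string][]byte, names []string) []byte {
	var b strings.Builder
	for _, n := range names {
		sum := sha256.Sum256(files[n])
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), n)
	}
	return []byte(b.String())
}

// VerifyRelease is the two-step check from the thread: trust the manifest only after the
// maintainer's signature over it verifies, then compare each file to the digest it lists.
func VerifyRelease(pub ed25519.PublicKey, manifest, sig []byte, files map[string][]byte) error {
	if !ed25519.Verify(pub, manifest, sig) {
		return errors.New("manifest signature invalid; none of its digests can be trusted")
	}
	for _, line := range strings.Split(strings.TrimSpace(string(manifest)), "\n") {
		f := strings.Fields(line)
		if len(f) != 2 || len(f[0]) != 2*sha256.Size {
			return fmt.Errorf("malformed manifest line %q", line)
		}
		// A file absent from the download set hashes as empty and therefore fails here too.
		got := sha256.Sum256(files[f[1]])
		if hex.EncodeToString(got[:]) != strings.ToLower(f[0]) {
			return fmt.Errorf("hash mismatch (or missing file) for %s", f[1])
		}
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // stands in for the maintainer's signing key
	files := map[string][]byte{"patch.bin": []byte("constructed patch contents")}
	manifest := BuildManifest(files, []string{"patch.bin"})
	sig := ed25519.Sign(priv, manifest)
	fmt.Println("genuine:", VerifyRelease(pub, manifest, sig, files))
	files["patch.bin"] = append(files["patch.bin"], '!') // a peer serving altered bytes
	fmt.Println("altered:", VerifyRelease(pub, manifest, sig, files))
}
```

A mismatching file and a forged manifest fail for different reasons, and the signature check runs first, so a peer cannot substitute both the file and its published digest.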