Okay everybody, we're going to start up our next talk. So me and Brian actually go back a long ways, I guess a couple years. We've been on each other for quite some time. Almost five years now, I guess. Time goes by fast. I'm getting old. Brian Baskin here, I used to work with him at CSC. I'm going to put a little bit of pressure on him here because Brian, as far as I know, he's the most accomplished peer-to-peer researcher I know. Brian actually has the paperwork to prove it. So Brian, check this out, any network needs to have somebody that knows this kind of stuff. So Brian is going to spin a little game to you about how you do this. Any audience of one person, I'm the best there is out there. So I'll tell you a little bit about myself because frankly, from most of the stuff I do, people want to know why they need to listen to the guy standing up there in front of them before they even open their ears. So my name is Brian Baskin, Twitter V. Baskin. I currently am a senior consultant with CMD Labs, a small forensic incident response group out of downtown Baltimore. Previously it was 10 years with the DOD Cybercrime Center, the training academy, as one of the technical engineers. So basically doing all the research on ongoing alerts, threats, forensic responses, and incident response needs for the community, and teaching that back to the military for them to use in their operations. Many years in the forensic field, 10, 15 years or so. I worked with Marcus for six, seven, eight years. Johnny Long, myself and him, made one of the first hacking classes for the DOD to give at the DOD Cybercrime Conference about five years ago, back when they refused to let anybody in the DOD learn how to hack. You know, you couldn't teach it. That was a taboo subject. We found a way to make it happen, and it kicked off well, and now we're doing it all over the place. I've also written a number of books, the latest of which is Dissecting the Hack, with Jason Street.
Some of you guys might know him. He wrote the fictional side to it. I wrote the revised edition of the nonfiction side. So revised. Okay, big differentiator there. Long story. All right. So what we're going to talk about today is mostly peer-to-peer applications, the forensics, network trace analysis, basically all the fun stuff that criminals are doing with it today, and from the forensic side of view, the incident response, or the law enforcement side of view, what are the current issues that we're seeing on a database? How do we track it? How do we monitor it? How do we mitigate it? Or even just bus people using it? So, first of all, how do we get there without talking about the legalities of which? You can't read that. It's a nice little picture I actually got from a triton. I love my records. I just wish they were smaller, more expensive, and illegal to share with my friends, which is basically how the industry has gone, taken a great product and just made it even harder to use, and they wonder why people don't like it. So, overall, peer-to-peer world. Now, we have to talk about Kazaa, because Kazaa is the biggest, oldest one of ones out there. Everyone laughs at it. Basically, sued into non-existence, for those who are. They started getting major lawsuits against them here in America. They moved their operations, sold their operations to Australia Company, and now the Australia Company is starting to get sued like crazy. So, they're pretty much dead in the water. They tried to maintain a respectable business, where you can actually pay in rent stuff from all their service. That sucks. No one uses it. But that was their way of getting away from the court issues and the injunctions against them. So, Kazaa stayed with them. 
On to LimeWire, which has hit the news lately. That was the main client for peer-to-peer for a while, made by the guys from Gnutella Networks, same guys that made WANAP and all those other apps, and they were charged this year with copyright infringement, inducing others to commit copyright infringement. And then under a court injunction just two months ago, they had to shut down all those services. And then just last week, they said, yeah, we're done. We just pulled it completely. We give up. So, LimeWire is dead. In fact, if you go to the website, you see a nice little legal notice there. The only reason I bring it up is some of you guys are actually using these tools. Who cares about LimeWire? No one uses that anymore, but they do. I'll talk about it a little bit later on. And then the big one now, legally, is BitTorrent. The two big cases I try to focus on now are the Pirate Bay, which, god, everyone knows about, where they were sued, tried. In 2009, they lost. They were ordered to pay a $3.5 million fine and a year in prison each. They appealed. The appeal just finished up two weeks ago. They lost again. So, four guys in there. However, some interesting things are coming out due to WikiLeaks. There's an unreleased cable that's supposed to be coming out in the next three or four weeks that shows how all the current copyright policies in place in Sweden right now were actually given to them by America through diplomatic channels. So we told them, here, here's what you should be doing. And they said, okay, we'll do all that stuff. And the country themselves, it hates America around this. What you see in the corner there in the upper right-hand corner was actually a riot against America in Sweden over the Pirate Bay raid back in 2006. At the time, where they were hating America, hating the U.S. copyright organization, hating copyright owners, we were telling the country, this is what you should be doing against your own people.
So that's a little interesting little kink there. Oink's Pink Palace is a nice one because that was one of the biggest and largest music sites online. The guy was taken down. He was sued. For many years, he was in court for three years. And their claim was he's profiting off of it. He's making all this money. He's like, hey, that money went into infrastructure. I made no profits. I took a little bit here just to buy food, but that's it. He won. And so he got to keep his money. That was one of the biggest cases where someone was tried and they won, which is unheard of. And it just kind of goes to show the global escape here of no matter where you're at, there is no consistency in the law. Here in America, you're screwed. Any torrent server, any here and anywhere in America, any peer-to-peer server anywhere in America, you're screwed. It's just not going to work. I know the guys at DOJ Suscepts, they work hard against some of these guys. Elite Torrents was just shut down three years ago out of Virginia. Some of the major sites shut down here on a regular basis. So they play hard here, but then you go overseas and over the water, a little bit more loose there, depending on where you're at and what country you're in. And you get the whole debate now. Again, I'm going into personal opinion here. I'm here on behalf of my company, but this is my personal opinion. I'm recording the history of America and what their wants and needs are versus the entire law enforcement community as a whole. Now, law enforcement people, which is mostly my background from military law enforcement as a contractor helping them out, they love peer-to-peer. This is great. This is the low-hanging fruit. They get sent to play whack-a-mole all day with criminals online downloading illicit material. And by that, mostly it's child pornography. This is the bad stuff online. It's just hanging out there.
You can find the people left and right, seize the machines, take them to court, put them in jail all day long. And they were doing that because the network was there. But now the recording industry says, hey, we don't like that network because people are sharing music on that. So we're going to take the entire network down, which is basically what they're doing now. So you have two sides of the coin here where the network itself is conducive to music being shared, which I hate, but it's also conducive to illicit material being shared on it, which everyone hates, but we can take advantage of to catch the criminals. And by the mere fact that the RIAA has taken out these networks means law enforcement loses. What happens is these criminals who can't find the low-hanging fruit anymore climb higher in the tree. When you lose LimeWire, when you lose Kazaa, you're not going to stop. These guys just don't stop. Oh, yeah, they took the client down. I'm just going to stop downloading illegal materials. I'm just going to stop doing illegal activity. No, they find the next big thing out there, which is usually more encrypted, more secure, harder to detect and easier for them to use. They just had no clue it even existed because they were using the status quo for so many years. And that's exactly what we found. When LimeWire shut down, day one, 24 hours later, all the alternative clients out there, download rates soared. Over 700 percent increase in downloads of BitTorrent clients and other more secure clients out there within 24 hours after LimeWire shut the door. People wanted it. They were using LimeWire, but once it shut down, they said, hey, here's another solution. Oh, look, it's more secure. I can hide myself easier in it. And the whole idea there is the more that these networks get shut down, the more they get shut down from all angles, the higher the tree these guys are going to climb. And the harder the job it is on law enforcement to catch the real bad criminals out there.
And most of the time when I say real bad criminals, I know there's copyright infringement, there's stuff like that, which, yeah, bad. But I'm talking about real crimes where people are actually getting hurt on a daily basis, exploited, hurt, abused. And those are being basically waylaid. And then you got the really, oh, crap moments where things really do go bad. For example, some of you guys might recall about a year and a half ago where basically all the schematics and blueprints of the Marine One helicopter were leaked out. We didn't know. All we knew was someone was searching on a peer-to-peer network and found them on a network in Iran on Gnutella. No one knew it leaked out until they found it actually sitting somewhere else in someone else's country, which just happened to be Iran. Not a good thing. Basically, a DOD contractor in this area had LimeWire installed on the machine and actually shared out the entire hard drive. It's kind of hard to do. If you ever use LimeWire, it's hard to do that. It's hard to share out the entire hard drive. It warns you multiple times you are an idiot. Do you want to continue being an idiot? Yes. OK. And that's how it happened. It got leaked out. One of my great favorite sources back in the late 90s where a postal office employee, a supervisor in Illinois somewhere, basically had LimeWire installed on his machine, his work machine, shared out the entire hard drive. Someone else came along, was just searching for documents on the network and found every single reprimand and write-up he did on all his employees in the postal service network. Decatur, Illinois, if you look it up. So, Social Security numbers, names, offenses with great detail of exactly how fast and the wrong way they parked into a parking spot and that they got laid off, basically fired, for these offenses. So, this stuff is just floating out there. People don't know, don't realize it.
Fortunately, because of that, what we have is this brand new law that came out which is going to be pushed through, which sucks because it really is going to do nothing. The HR 1319, Informed P2P User Act, which all it says, and this was hundreds and hundreds and hundreds of hours of your tax dollars at work for an act to go through to say, if you are going to run, if you're going to develop a peer-to-peer application, you must inform users they're sharing out the hard drive. That's the entirety of the act. That's all it is. You cannot share the hard drive without warning them. So, good luck with that. Now, the clients themselves. I love sandwich. How many of you, have you seen a blog post? I haven't even seen it anymore. It's dead. Good riddance. Kazaa, yes, still in use. The official client, who cares? No one cares about that anymore. What they found is alternative clients like Kazaa Lite and Kazaa Resurrection, which are basically their own separate networks. They took the DLLs out of the original Kazaa client. They couldn't reverse engineer them. They could reverse most of the protocol information itself, but when they couldn't reverse it, they just stole the DLLs. They saw the lookups. They saw the calls. They just took the calls and just integrated them into their own client. It's like, okay, we don't need to reverse engineer it. We'll just steal their makeup. And they built their own network out of it. So, Kazaa Lite and Resurrection are those. But they are very heavily looked upon by law enforcement and the recording industry groups. So, yeah, no one really takes it seriously anymore. LimeWire, no one really cares anymore either, even though it's shut down. One week after they shut down, a brand new edition came out. The LimeWire Pirate Edition, which is, that's their logo in the right hand corner. So, the YouTube video is great. You've got a theme from LazyTown. Awesome. That's real talent right there.
Which is great because they actually took the source code from LimeWire from years ago, put it out open, and enabled all the features you used to have to pay for. So, they, not only, okay, for a typical LimeWire user, oh, they lost a client. Oh, that's too bad. Oh, here's a new one with all the stuff I don't have to pay for now. So, they made out in that effect. This did not hurt anyone at all. It actually made it better for the criminals to use by them shutting down the network, as usual. Historically, it's the number one network we've seen for child pornography cases. Some of the major operations out there, Operation Clear Play, Operation Pure Precision. These guys are out in Wyoming. I figure because it's so cold, they've got nothing else to do. They are like the number one developers of applications to search for CP on the peer-to-peer networks. They were all just balled up recently. There's a company called TLO, T-L-O, in Florida where, if you guys never heard of him, there's one guy called Hank Asher. Every data mining application that the government uses, he developed. He is like the data mining guy, god, of the world. And he just has a penchant for people doing illegal stuff on the Internet. So, he just writes data mining applications. He has terabytes, petabytes of databases that he gives out to law enforcement. And so, he just balled up these entire groups of law enforcement guys and said, you're going to work for me now. Let's develop this stuff. Let's catch these guys. So, they're all private. They're out and doing this stuff. And they keep it very secret. But, yeah, they are definitely burdened by all these networks being taken down, but that's their job to get around it. And for the most part, too, all this stuff is actually being transmitted on the wire for Kazaa and LimeWire itself. And what you see here is a Kazaa capture where it's just out there. All the streams themselves are going from just a SHA-1 value to the file itself.
When you advertise something, you say, here's the file name, here's a SHA-1 value. The other client says, okay, I want that SHA-1. And he says, okay, HTTP 200, okay, here's your data. And that's all there is. It's a straight data dump. Carve it out, you're done. As an admin, it's great because you can just look at what people are downloading. If you like it, just carve it out and watch it yourself. No effort involved. I didn't say that. Now, BitTorrent itself, this is mostly what we talk about because this is the number one client most people use today. And I was trying to find some ways of how do you measure how popular something is. You can't go by downloads per day because that's just useless. No one really looks at that. This last month, new stats came out over traffic usage, bandwidth usage globally, upstream and downstream traffic. And in the United States, 53% of all upstream traffic from peers to the backbone is BitTorrent related. So every byte you count in the air that leads you from a peer to another network is BitTorrent, 53% of it. That's actually one of the lowest amounts in the world. China is about 64% and South America is the highest at 73%. So basically, 73%, basically two-thirds or three-quarters of all data flying across the network down there is BitTorrent. That just shows you the mass of data flowing around on a daily basis. So a lot of the stuff I talk to, I have some basics. I'm going to run through some stuff because I know we're already starting late and going late and it's getting dark. I still need some Four Loko to kind of keep going here. We ran out of coffee and it's too early for beer but Four Loko seems like a nice combination solution there. Sites themselves, Pirate Bay, BTJunkie, isoHunt, if you guys didn't know what these already do by now. Pirate Bay is the biggest one. BTJunkie I love because it's an aggregator site. Demonoid and Pirate Bay themselves are singular sites. They run their own tracker in most cases.
They work independently. They're on their own. Sites like BT Junkie go to all these other sites, dozens of them, and just collect them all together. So when you go there, you get tap it once and you can hit five different sites, a dozen different sites, 20 different sites simultaneously. It's great. Legal ones, I have to separate out because there's really none out there. Linux tracker, yeah, how many of you guys use XQs? I was downloading Linux ISOs. Bullshit. Someone did that study of how percentage of people who used it to actually do Linux stuff and it was like 4%. That's nothing. It's illegal. You guys, what's going on in there? And of course, LegalTorrents.com, one of the least visited sites on the internet. It's all common media stuff that, yeah. Private Sites I love. It decides because most of it is segregated out by content. So you don't have just a general catch-all category here. You've got individual sites that pertain to specific types of content for their files. Bid me for educational material, which is documentaries, history channel, HGTV, discovery channel, college textbooks. That's all they care about is anything educational. They actually have a very high attendance rate. I don't know why, but that's a great site for a lot of people. Music, TV, so forth. But there are hundreds and hundreds of these private servers out there. To get on them, you must register for an account. But you don't get an account because most of them have very closed registration periods. So you must be invited in by someone else who's already on the site. And if you piss off the site, you lose your account. And the person who invites you loses their account. So there's a lot of circle of trust involved in that, which I'll talk about a little bit more later on. Just because I like to give statistics of what's out there right now. This is stuff that most people just know of is what's popular. But as of right now, this is the Pirate Bay Top 100. 
So as of last night, the Big Bang Theory Season 4 Episode 10 was posted that day. And it already had seeders and leechers, 50,000 people involved in the network. So if you look at the right-hand side, you see the columns SE and LE. Those are seeders and leechers. Basically just people inside the network. Seeders are people who have already downloaded the whole thing and are just hanging around to share it out to other people. But 50,000 people inside of that, Vampire Diaries, 40,000, Fringe, Inception, and so forth. A lot of movies. Down at the bottom, Call of Duty: Black Ops. 13,000 people. So that's the only game that made the list. Now that's from the Pirate Bay itself. You look at what I mentioned, BTJunkie, an aggregator site. It goes through all the sites and combines the stats together. So here's what BTJunkie saw. Inception, number one, with 240,000 people. So it didn't look at one single site. It looked at dozens of sites, people sharing the exact same file, and culled them together. So it found 155,000 people seeding and 90,000 people leeching it out. Followed by The Sorcerer's Apprentice, Scott Pilgrim, also a movie, Robin Hood, and then, God, Get Him to the Greek. Easy A, stupid movies. Beyond the clouds, remember that? And the cup, horrible stuff on there. Yes, people have no taste on the Internet. If you didn't realize that, you do now. Just kind of showing, and to a lot of people I talk to, to put it in their minds how large this is. This is 240,000 people at one period of time. Knowing that every second that goes by, someone is dropping out and someone else is joining in. So constant flow in millions and millions of people. And then we look at the bandwidth itself. This is actually a private site to talk about the top stuff. Their top file, the top thing recently was Fallout New Vegas and the Call of Duty: Black Ops. But then they also break it down by bandwidth.
So their top bandwidth item was Mass Effect 2, the PC RIP, which contributed to 133 terabytes of data flow. That's a lot. So on one private site, all they do is games. That's all this one site does. 133 terabytes of data came across that private site for that game. That doesn't include all the public sites where people are actually getting it as well. And the biggest thing here is obviously large files, collections of files, seasons of files. For some ungodly reason, people are downloading a complete series of Beverly Hills 90210. Seinfeld, God, get a life. But yes, the 100 gigabytes, 11 people are sharing out 100 gigabytes of 90210 seasons. To go along that thread, a recent study came out. What are the biggest things we've seen so far? I have to disagree with some of these things, but here's what they found. The largest torrent they found to date was the 2010 World Cup collection, which was 746 gigabytes in size. That's big. Jason Scott, textfiles on Twitter. He put his GeoCities archive up. That is currently sitting at 640 gigabytes. He thought he was the biggest for a while and so did everyone else. But what actually is the biggest was something no one has ever heard of in the world. Indeed. I just broke something. My stuff looks like it's running. I don't think it's my stuff. This is still live. We blew a circuit, I believe. Does anyone here know anything about computers? Electricity. I can't see where the power button is. It has a power button. Let's just reset it. While we're figuring that out, I can read off my screen. The lie for blues brothers is maybe we blew a fuse. No man, blues lights are out of the world. While we're taking a look at that, just to write some things to you. Here it is coming back on. Wow. Adrian, you're the man. Adrian! Don't stop that shit. What can you love, man? What no one has ever heard of is the Touhou music collection. How many of you guys have ever heard of that? Wow, we've got some serious otakus here.
That is a Japanese game collection of just the weirdest shit you ever see online. But apparently it is because there's an 800 gigabyte collection of music out there that is ongoing on a constant basis. Do you have it? Oh god, don't reach me back. Yes, 800 gigabytes, and that grows on a regular basis. So yeah, there's some weird stuff out there. The largest one on the single track that they found so far was Heroes 3, season 3, episode 1, which had 144,000 people. Now I showed you some bigger ones earlier. The exception was 240,000, but that was culled through multiple sites all pulled together. This was from Pirate Bay. This was one single tracker, one single server, 144,000 people. The oldest one out there is the Matrix ASCII. You guys seen it? They read the entire Matrix movie in ASCII code. It's great. It's actually like the movie, but they changed the graphics. You actually see the faces are made out of characters. It's a cool thing. That's actually been hosted continuously since 2003. And so far, this is actually old because I'm sure it's a lot more now, the most transferred data ever for a single game or application was StarCraft II. It's 15.77 petabytes. I like that secret. Petabytes, petabytes, petabytes. That's a thousand terabytes. That's a thousand gigabytes, which is what? Petabytes is what? One million gigabytes? I don't know. My math sucks. It's some ungodly number. And that game came out what? Just this year, didn't it? July. July. So in a period of five months, 16 petabytes of data over one game. Holy shit. That's a lot of stuff. Who's paying for that? Not me. All right. So how do we keep these clients actually talk together? And what we see on our end is to track people who they talk to on a regular basis, basically like these companies like MediaSentry and SafeNet, who actually go out there and track people down. I like to know how they're doing that so we can try to maybe avoid that or do it ourselves to catch people. 
So when you go out to the internet and you look for a file you want, you find something you want to download, you get a file. You get these torrent files. All right. This is basically a text file. If you never take a look at it, it's great. Crack it open. Open it up in Notepad. One of those just includes a URL to a tracker, which is a server out on the internet that just tracks which people are sharing which file. When it was created, what the file names are and what client was used to actually create that torrent file in the first place. So you can tell if it's a Linux, Mac, Windows person, whatever. But the entire file itself and the network itself is identified by a SHA-1 value. If you're not familiar with hashes, they take all the data, they feed it through an algorithm, it spits out a 16-byte, 24-byte SHA-1 value. Give you an example of that. One million gigabytes. Someone just tweeted me. If you look at it itself, this is what you see, which is kind of give it a go. It's in its own special format. The guy who made BitTorrent, Bram Cohen, is a genius. Of course, he's got Asperger's syndrome. He's like one of those weird, just genius, all-to-all guys. He wrote the application. He wrote the protocol. He wrote the data structure. Probably all in one night. So his issue was how do I put databases worth of data into a text file? This is what he came up with, which basically you read this as D, dictionary. Eight. Okay, you're looking for a field that's eight characters long. So it counts out eight characters. It sees a word, announce. All right, 45 characters long. Looking for a value that's 45 characters long. It counts them out. There's that value. It's a URL. You guys who are old school know the C null terminator versus Pascal, number-terminated, number-defined variables. This is all number-defined variable stuff. And you notice the odd thing here too is the second tracker they listed in there is a .onion address. You guys know what that is, right? Tor.
Is Tor supposed to be used for peer-to-peer? God, they hate it when you do that stuff. They hate it. People do it, but God, they hate it. Do not use it for peer-to-peer, people. This kills the network. Though in this case, they're using it for the tracker purposes. While that still probably goes to suck them out, it's not like it's necessarily transferring through Tor. It's not the data itself going through Tor. It's going to be the regular beaconing out to a database on a regular basis. So yeah, this is a server sitting out in the dark net. It is just collecting stuff and tracking all the peers in there. And then the file itself, which was the Venture Brothers, season four, episode 15. Venture Brothers people, anyone? Great show. So in this file itself, there are certain portions hashed and not hashed. Anything from where they put that word info down is the hash area. They take that and that's your SHA-1 value. The cool thing about that is everything before that is not hashed. Okay, that was stupid. Everything before that, you can edit to your life's content. You can do anything you want in that section and no one will care. But if you edit something down in that hash zone, you change the hash value, which means no one can connect to you because you're in your own network at that point. You now have a different hash value than everyone else, you're not going to talk. But above that, you can do anything you want. So that's where BTJunkie comes in. They can add new trackers. They can add comments. You can put hidden messages in there. You have that little comment field. You can do lots of stuff inside this file and share it with people and no one will know. And you can actually break it out. If you break it out logically, this is what it looks like. Kind of easier to read. The odd thing here is you take the creation date, which is the number of seconds since 1970, Unix time. This was November 10, 2009.
Kind of odd because that tells me this guy's machine was exactly one year off in his date time. So from a forensic standpoint, that's really cool to me. But it shows it actually was uploaded 10 November 2010. His machine was off by one year. So you see the files in there, you see the size of them, you see all that good stuff. However, that's going away. No one cares about torrent files anymore. They're dead. The issue with torrent files was when the Pirate Bay got taken down, you couldn't get on there to download these files. Where are you supposed to get torrent files from if the server's down? So they already had a solution in place called magnet links. Anyone who's used eDonkey2000 is quite familiar with magnet links. These came about more popularly because of the Pirate Bay being taken down. When the site went down, people were like, oh crap, where am I going to get my stuff now? Hey, I don't need it anymore. We'll just share magnet links. All I have to do is just post this on the website somewhere or in the email or anywhere else, and you have all the details you need. Because for a client to join a network, all they need is a SHA-1 value, and that's it. And the tracker that they're supposed to connect to. So what this magnet link here that shows in the middle is, here's a SHA-1 value, here's the URL of the tracker, and for giggles, here's the display name. Here's Windows 7, the name of the file you're downloading. So you just take this value, copy paste it to someone else, they copy it to their client, they're good to go. So we don't need torrent files anymore. So all these new mechanisms come out now to replace centralization in the network. We need web servers to host the torrents. Not anymore, we got magnet links. Okay, we still need trackers. We still need someone out there to track all the people inside these networks so we know who to connect to. Well, yeah, they got away with that too.
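The torrent file walk-through above (bencode, the hashed `info` region, the creation date) and the magnet link that replaces the file are straightforward to reproduce in code. What follows is an added Python example, not code from the talk or from any BitTorrent client: a small bencode encoder/decoder, the SHA-1 over the raw `info` dictionary that identifies the swarm, a check that editing fields outside `info` leaves that hash alone while editing inside it does not, and a magnet link built from the hash. The torrent metadata is constructed sample data (the tracker host is a placeholder and the piece hashes are zero bytes); the helper names `with_field` and `parse_magnet` are this example's own.

```python
"""Bencode round trip, info hash and magnet link for a constructed torrent."""
import datetime
import hashlib
import urllib.parse


def bencode(obj) -> bytes:
    """Encode int, bytes/str, list or dict in bencode; dict keys are sorted."""
    if isinstance(obj, bool):  # bool is an int subclass; bencode has no booleans
        raise TypeError("bencode has no boolean type")
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, str):
        obj = obj.encode("utf-8")
    if isinstance(obj, bytes):
        return b"%d:%s" % (len(obj), obj)
    if isinstance(obj, list):
        return b"l" + b"".join(bencode(x) for x in obj) + b"e"
    if isinstance(obj, dict):
        items = [(k.encode() if isinstance(k, str) else k, v) for k, v in obj.items()]
        items.sort(key=lambda kv: kv[0])
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in items) + b"e"
    raise TypeError("cannot bencode %s" % type(obj).__name__)


def _decode(data: bytes, pos: int = 0):
    """Decode one bencoded value at pos; return (value, end offset).
    Strings and dict keys come back as bytes, exactly as stored."""
    c = data[pos:pos + 1]
    if c == b"i":  # integer: i<digits>e
        end = data.index(b"e", pos)
        return int(data[pos + 1:end]), end + 1
    if c == b"l":  # list: l<items>e
        pos, items = pos + 1, []
        while data[pos:pos + 1] != b"e":
            item, pos = _decode(data, pos)
            items.append(item)
        return items, pos + 1
    if c == b"d":  # dictionary: d<key><value>...e
        pos, result = pos + 1, {}
        while data[pos:pos + 1] != b"e":
            key, pos = _decode(data, pos)
            result[key], pos = _decode(data, pos)
        return result, pos + 1
    if c.isdigit():  # byte string: <length>:<bytes>  (length-prefixed, not null-terminated)
        colon = data.index(b":", pos)
        length, start = int(data[pos:colon]), colon + 1
        return data[start:start + length], start + length
    raise ValueError("malformed bencode at offset %d" % pos)


def bdecode(data: bytes):
    value, end = _decode(data, 0)
    if end != len(data):
        raise ValueError("trailing bytes after bencoded value")
    return value


def info_hash(torrent: bytes) -> str:
    """Hex SHA-1 over the raw bytes of the `info` value: the swarm identifier.
    Hashing the original bytes (not a re-encoding) is what clients do."""
    if torrent[:1] != b"d":
        raise ValueError("a .torrent is a bencoded dictionary")
    pos = 1
    while torrent[pos:pos + 1] != b"e":
        key, pos = _decode(torrent, pos)
        start = pos
        _, pos = _decode(torrent, pos)
        if key == b"info":
            return hashlib.sha1(torrent[start:pos]).hexdigest()
    raise ValueError("no info dictionary")


def creation_date(torrent: bytes) -> str:
    """`creation date` is Unix seconds; report it as an ISO date in UTC."""
    ts = bdecode(torrent)[b"creation date"]
    return datetime.datetime.fromtimestamp(ts, tz=datetime.timezone.utc).date().isoformat()


def magnet_link(torrent: bytes) -> str:
    """xt carries the info hash; dn (display name) and tr (tracker) are extras."""
    meta = bdecode(torrent)
    params = [("dn", meta[b"info"][b"name"].decode()), ("tr", meta[b"announce"].decode())]
    return "magnet:?xt=urn:btih:%s&%s" % (info_hash(torrent), urllib.parse.urlencode(params))


def parse_magnet(link: str) -> dict:
    """Pull the info hash, display name and trackers back out of a magnet link."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(link).query)
    return {"info_hash": query["xt"][0].rsplit(":", 1)[1],
            "name": query.get("dn", [None])[0],
            "trackers": query.get("tr", [])}


def with_field(torrent: bytes, key: str, value, inside_info: bool = False) -> bytes:
    """Copy of the torrent with one field changed, outside or inside `info`."""
    meta = bdecode(torrent)
    target = meta[b"info"] if inside_info else meta
    target[key.encode()] = value.encode() if isinstance(value, str) else value
    return bencode(meta)


# Constructed sample metadata (hypothetical tracker host, placeholder piece hashes).
SAMPLE_TORRENT = bencode({
    "announce": "http://tracker.example.invalid:6969/announce",
    "comment": "constructed sample, not a real torrent",
    "created by": "example-client/0.1",
    "creation date": 1257811200,  # 2009-11-10 00:00:00 UTC
    "info": {"name": "sample.iso", "length": 1048576,
             "piece length": 262144, "pieces": b"\x00" * 20 * 4},
})

if __name__ == "__main__":
    h = info_hash(SAMPLE_TORRENT)
    print("info hash:", h, "created:", creation_date(SAMPLE_TORRENT))
    print("magnet   :", magnet_link(SAMPLE_TORRENT))
    print("comment edited, same swarm:", info_hash(with_field(SAMPLE_TORRENT, "comment", "x")) == h)
    print("name edited inside info, same swarm:",
          info_hash(with_field(SAMPLE_TORRENT, "name", "other.iso", inside_info=True)) == h)
```

For a file pulled from evidence, feed its bytes to `info_hash` and `creation_date` directly; the hash ties the file to a swarm regardless of what trackers or comments were bolted on afterwards, and the date field is only as trustworthy as the clock of the machine that created it.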
So because of these sites actually being taken down, a lot of them being moved to Ukraine, a lot being moved to Romania, but now Ukraine is now prosecuting hard. The State Department's got involved out there to help the law enforcement prosecute these torrent servers being served up out there. So what solution do we have? And what they use now is something called Distributed Hash Tables, DHT, which means I don't want a tracker anymore, let's get rid of the servers, let's use a completely peer-to-peer solution in place here. In a nutshell, you have to have a database somewhere on the Internet that says these are the IP addresses associated with this file, and so you can join in a swarm. That way when I join, that database sends me a list of IP addresses, I connect to them and make my data connections. So where do we put that if not on a dedicated server? Well, you take a random person on the Internet and just give it to him, which is basically what they did. So any BitTorrent client out there running a BitTorrent application can become a tracker invisibly behind the scenes without any other knowledge. And what it basically does is it takes a SHA-1 of that file, and then it takes your client ID, which is the name of your client, the version number, and some random digits, SHA-1's that, and whichever client is closest to that file, you're the lucky guy. You get it. And then as I join the network, I basically go round robin. I send a request out, the guy says, nope, not me, I'm nowhere close to that. He sends off to someone else. The other guy says, nope, not me either. It just keeps going around the network until it finds the person who is the tracker for that file. Basically on how close your hash values are. This is math. I know it's hard. It's late today, so I'm not going to go through this. And it's XOR math, too, your favorite kind.
So basically, they take the value of the SHA-1, break it into binary, do XOR math on it, and whatever is closest by distance through the XOR algorithm to the data is the tracker. Now, if you go online, offline, if you close your client out and you drop off this, it takes the database with you. It's done. But then it gives it to someone else. There are backups out there. It just reduplicates it to the next guy who has the closest SHA-1 value. So it's a constant database floating through the network. So you don't need centralized servers anymore. You don't need centralized machines anymore. It is completely just sitting out there on the Internet.

The bad thing about this, and why some sites don't use that right now, is because they cannot enforce ratios. You go to some of these private sites, they like ratios. Upload-to-download ratios. If you download a gigabyte, then you really should upload at least one gigabyte back to other people. If you don't, we're going to kick your ass off. If you upload two gigabytes for that one gigabyte, you're great. So they like that ratio employed to keep good people on the site. With DHT, there's no tracker. The tracker keeps track of those ratios. You lose that server, you lose that capability. So all your private sites out there don't use this. They can't. They still rely on trackers. But even now, we're seeing clients. I'm sorry. Go ahead.

You said that everyone holds, each computer holds a different hash. It basically becomes a server, right?

Yes.

So when the network person that's coming into their internet connection, wouldn't that be taxed, the bandwidth, and everyone is trying to connect to this one person?

It would. The question for the Internet is, yes, your machine gets hashed, and would it tax your bandwidth for all the people querying your box to get that data? And really, there's not that much data flow. It's just small packets of just text of IP addresses.
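Editor's note, with an added example that is not part of the talk: the XOR-distance lookup described above, modelled in Python. Node IDs and the infohash are 160-bit SHA-1 values, distance is the XOR of the two IDs read as an integer, every node keeps a bucket of contacts per distance range, and a lookup repeatedly asks the closest contact it knows for closer ones. This is illustrative code, not from the talk or from any BitTorrent client; the node names, IDs and the network are constructed, and `K`, `build_network` and `lookup` are this example's own names.

```python
import hashlib

# Added illustrative code, not from the talk and not any BitTorrent client's code.
# It models the Kademlia-style lookup the talk describes: node IDs and the torrent's
# infohash are 160-bit SHA-1 values, "closeness" is XOR distance, and a lookup hops
# toward the node responsible for the infohash.  Node names and IDs are constructed.

K = 8  # contacts kept per routing-table bucket (Kademlia's k); also the reply size


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def xor_distance(a: bytes, b: bytes) -> int:
    """Kademlia distance: XOR the two 160-bit IDs and read the result as an integer."""
    return int.from_bytes(a, "big") ^ int.from_bytes(b, "big")


def bucket_index(a: bytes, b: bytes) -> int:
    """Bucket number = position of the highest differing bit (0 means identical IDs)."""
    return xor_distance(a, b).bit_length()


class Node:
    def __init__(self, node_id: bytes):
        self.node_id = node_id
        self.buckets = {}  # bucket index -> list of up to K contact IDs

    def learn(self, other: bytes) -> None:
        """File a contact under the bucket for its distance; a full bucket keeps what it has."""
        if other == self.node_id:
            return
        bucket = self.buckets.setdefault(bucket_index(self.node_id, other), [])
        if other not in bucket and len(bucket) < K:
            bucket.append(other)

    def find_node(self, target: bytes) -> list:
        """Answer a find_node query: the K contacts this node knows that are closest to target."""
        contacts = [nid for bucket in self.buckets.values() for nid in bucket]
        return sorted(contacts, key=lambda nid: xor_distance(nid, target))[:K]


def build_network(n: int) -> dict:
    """Constructed network: n nodes with deterministic IDs, each holding a K-capped view
    of all the others (the steady state a real routing table converges toward)."""
    ids = [sha1(b"constructed-node-%d" % i) for i in range(n)]
    nodes = {nid: Node(nid) for nid in ids}
    for node in nodes.values():
        for other in ids:
            node.learn(other)
    return nodes


def lookup(nodes: dict, start: bytes, infohash: bytes):
    """Iterative lookup from `start`: ask the closest not-yet-asked contact for its closest
    contacts, repeat until the K closest known contacts have all been asked.
    Returns (closest node ID found, IDs queried in order)."""
    dist = lambda nid: xor_distance(nid, infohash)
    known, queried = {start}, []
    while True:
        shortlist = sorted(known, key=dist)[:K]
        pending = [nid for nid in shortlist if nid not in queried]
        if not pending:
            return shortlist[0], queried
        nid = pending[0]
        queried.append(nid)
        known.update(nodes[nid].find_node(infohash))


def global_closest(nodes: dict, infohash: bytes) -> bytes:
    """What the lookup should converge on: the node with the smallest XOR distance."""
    return min(nodes, key=lambda nid: xor_distance(nid, infohash))


if __name__ == "__main__":
    net = build_network(16)
    infohash = sha1(b"constructed torrent payload")  # stands in for a real infohash
    start = sorted(net)[0]
    best, path = lookup(net, start, infohash)
    for hop, nid in enumerate(path):
        print("hop %2d  node %s  distance bits %3d" % (hop, nid.hex()[:8], bucket_index(nid, infohash)))
    print("responsible node:", best.hex()[:8],
          "(matches brute force:", best == global_closest(net, infohash), ")")
```

Each hop lands on a node that shares one more leading bit with the infohash, which is the halving of distance the co-speaker describes next; the lookup stops when the closest contacts it knows have all been asked. A real DHT replicates the peer list to the K closest nodes rather than a single one, which is why one node leaving does not lose the entry.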
And also, in the Kademlia network, my understanding is they have it spread out to where there's more than one person that has that entry. And you don't have to actually switch all the way around the entire circle. I don't know if it's used in a binary search tree or what exactly, but this node might know, well, I know these other nodes are closer to that number you're looking for. Why don't you check with them, and they say, well, I'm not it either. So this one over here is a little bit closer. So each time you maybe halve the distance. So within a couple of jumps, you have your file, and there are multiple people who have it. And if the machine is shut down gracefully, like Brian was saying, it says, I'm going bye-bye. Can someone else take care of my duties for this? But even if it doesn't, there's still hopefully some others, at least for a popular file, that will still have duplication.

So I simplify it greatly on the slides here. It gets ugly. It gets Kademlia and the Kad and some of these different protocols out there. God, it hurts to read. Papers written by academics. Yes. Don't. Go to sleep with that stuff.

And what we're seeing now is all these dedicated clients that are completely decentralized. They weren't completely decentralized. Tribler is a new one that just came out. And here's an example here where all the discovery, the content discovery, and all the peer communication is done decentralized using peer-to-peer. So it finds other clients who are sharing out archives, and they're sharing out their list of files, and they're sharing out other peers. So without going to a tracker or without going to DHT, well, using solely DHT, without going to a website, you could search for content, download it, and operate completely inside a decentralized network. So the whole idea here is law enforcement and the government and copyright owners can't go and just C&D a site, take down a site, and just shut it down. It's impossible now.
It's completely decentralized. The one thing you hear about Tribler, it leaves a very messy forensic mess. Because as you're browsing through all the files out there, it just goes and downloads all the torrent files for you. Even though you're not actually engaging in the network, it goes ahead and downloads the files just to have them ready. And so you have these big mass structures of these just sitting on your hard drive. And then, well, I love it, because who's to prove intent here? Like, how do I know you didn't click on that? It's on your hard drive. I love playing that game.

So you find your peers, you find your data, how does the data actually flow across the network? And I'm not going to go too deep into this, because it gets really deep again. This is that Bram Cohen stuff, very genius. He wrote his own data communication protocol called PWP, Peer Wire Protocol, which is just a mess. If you open Wireshark, Wireshark has a dissector for PWP. Just search for BitTorrent. And his idea is, we'll come up with a packet design where 14 or so different unique messages can be sent of: I want this piece. I have this piece. I'm not interested in that piece, but I do want that piece. Who wants this piece? Now, that's data that goes back and forth. And even worse, you can combine more than one message per packet. So one single packet can have, I think, up to four different unique messages in it that you have to carve in between and evaluate, because it's a mess. Automatically, through software, it's great. It's efficient. They can work with that. Through Wireshark, ugh. And what they then use is they take the file, they break it down into these pieces. So you have a one-gigabyte file. You've got this movie you're downloading. It's one gigabyte. I say movie, really, I'm not condoning, I'm just using an example. So one-megabyte chunk pieces of data. It then breaks those down into 16-kilobyte blocks of data.
And those 16-kilobyte blocks are then broken down into usually 4K chunks, which are sent one packet at a time. Now, what I like to do, I like to strip data. I like to sniff traffic, strip data out, see what I can find. It's fun to do that. Now, the problem with that then is you're looking for individual pieces of data. Everything in BitTorrent is downloaded not in sequential order. It's randomized. When it saves data to a hard drive, it's completely randomized in its way. So you're looking for basically 4-kilobyte chunks at a time, looking at the index, looking at the piece number, finding the offset, opening a file on your hard drive, copying the data to that file, 4 kilobytes at a time for a gigabyte file. This is the old way of doing this, when we had to do actual network data analysis of BitTorrent traffic. It was ugly. Spent hours and hours and hours and hours doing this. Luckily, one guy knew Perl. So it can be done. The worst part of that too is to actually find the data. When you see that data flowing across the network, all you see is data. You don't see, oh, this is the data for this movie. It's just data. So you have to trace back to all the original handshakes between the clients to figure out what SHA-1 they're passing back and forth. And then when you have a client who's downloading 20 files simultaneously, it gets ugly. So, yes, we have carved it manually. It's gnarly ugly. It took me about five or so hours to do a one-megabyte file. So with these gigabyte files, I estimate it would probably be about 10,000 man-hours to do a gigabyte. So it can be done. Not pretty.

Luckily, there are some automated tools we use out there. Just so you know, it's out there and it's being used against you. There's a tool that the FBI uses called CoolMiner. You guys have heard of Carnivore from the old days? Carnivore is basically three different applications that worked in tandem to scout, collect, package information and export it out. This is the export tool, CoolMiner.
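Editor's note, with an added example that is not part of the talk and not the tooling it mentions: the manual carving described above, automated in Python. Peer Wire Protocol messages are framed as a 4-byte big-endian length, a 1-byte message id and a payload; a zero length is a keep-alive, and id 7 (`piece`) carries an index, a begin offset and a block. The code frames messages out of a byte stream in which several messages share a segment or straddle two, writes every block at `index * piece_len + begin`, and then checks each reassembled piece against the SHA-1 list a torrent file carries. The traffic, the file content and the tiny piece and block sizes are constructed for the example; the hash check is what a client does before it trusts a piece, and it is also how an analyst tells a correctly carved piece from a corrupted one.

```python
import hashlib
import random
import struct

# Added illustrative code, not the talk's tooling and not any client's code.
# Peer Wire Protocol framing: <4-byte big-endian length><1-byte id><payload>; a zero
# length is a keep-alive.  Message id 7 ("piece") carries <index><begin><block>, blocks
# arrive in no particular order, and several messages may share one TCP segment.

PIECE, HAVE = 7, 4


class PwpParser:
    """Incremental framer: feed() TCP payload in any chunking and get back every complete
    (id, payload) message; keep-alives come back as (None, b'')."""

    def __init__(self):
        self.buf = b""

    def feed(self, chunk: bytes) -> list:
        self.buf += chunk
        out = []
        while len(self.buf) >= 4:
            (length,) = struct.unpack(">I", self.buf[:4])
            if length == 0:                      # keep-alive
                self.buf = self.buf[4:]
                out.append((None, b""))
                continue
            if len(self.buf) < 4 + length:       # rest of this message is in the next segment
                break
            body, self.buf = self.buf[4:4 + length], self.buf[4 + length:]
            out.append((body[0], body[1:]))
        return out


def piece_message(index: int, begin: int, block: bytes) -> bytes:
    payload = struct.pack(">BII", PIECE, index, begin) + block
    return struct.pack(">I", len(payload)) + payload


def have_message(index: int) -> bytes:
    return struct.pack(">IBI", 5, HAVE, index)


def piece_hashes(content: bytes, piece_len: int) -> list:
    """The 'pieces' list a torrent file carries: SHA-1 of every piece, in order."""
    return [hashlib.sha1(content[i:i + piece_len]).digest()
            for i in range(0, len(content), piece_len)]


def constructed_capture(content: bytes, piece_len: int, block_len: int, seed: int = 7) -> list:
    """Constructed sample traffic: every block of content as a piece message, shuffled,
    with a keep-alive and a 'have' mixed in, concatenated, then cut at arbitrary offsets
    so messages straddle segment boundaries the way they do in a real capture."""
    msgs = []
    for offset in range(0, len(content), block_len):
        index, begin = divmod(offset, piece_len)
        msgs.append(piece_message(index, begin, content[offset:offset + block_len]))
    rng = random.Random(seed)
    rng.shuffle(msgs)
    msgs.insert(0, struct.pack(">I", 0))
    msgs.insert(3, have_message(0))
    stream = b"".join(msgs)
    cuts = sorted(rng.sample(range(1, len(stream)), 5))
    return [stream[a:b] for a, b in zip([0] + cuts, cuts + [len(stream)])]


def reassemble(segments: list, total_len: int, piece_len: int):
    """Carve piece messages out of the segments and write each block at
    index * piece_len + begin, its offset in the finished file.
    Returns (file bytes, set of (index, begin) blocks seen)."""
    parser = PwpParser()
    out = bytearray(total_len)
    seen = set()
    for seg in segments:
        for msg_id, payload in parser.feed(seg):
            if msg_id != PIECE:
                continue
            index, begin = struct.unpack(">II", payload[:8])
            block = payload[8:]
            start = index * piece_len + begin
            out[start:start + len(block)] = block
            seen.add((index, begin))
    return bytes(out), seen


def verify(data: bytes, piece_len: int, expected: list) -> list:
    """Indices of pieces whose SHA-1 does not match the torrent's hash list."""
    return [i for i, (got, want) in enumerate(zip(piece_hashes(data, piece_len), expected))
            if got != want]


if __name__ == "__main__":
    content = bytes(range(256)) * 3          # 768-byte stand-in for the downloaded file
    PIECE_LEN, BLOCK_LEN = 128, 32           # real clients use far larger values
    hashes = piece_hashes(content, PIECE_LEN)
    segments = constructed_capture(content, PIECE_LEN, BLOCK_LEN)
    rebuilt, seen = reassemble(segments, len(content), PIECE_LEN)
    print("blocks carved:", len(seen), "pieces failing hash check:", verify(rebuilt, PIECE_LEN, hashes))
```

The part the parser does not solve is the one the talk flags: the piece messages carry no infohash, so in a capture with several swarms the stream has to be tied back to the handshake on that TCP connection before the index and begin values mean anything.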
So they capture PCAPs. It takes PCAPs. It spits out data. It spits out full IRC transcripts in real time. It has IM chats, and it does BitTorrent files. It says, hey, here are the files in play. Just dumps them on the hard drive. It takes a few hours to churn and burn through it, but it does it. Not many tools can do that. AccessData has a tool that they bought from Raytheon called SilentRunner. They claim it can do it, but they refuse to show me. I like AccessData, but I want to see this tool in operation. So until then, I'm kind of just putting that question mark there. They also want 30 grand per seat to use it. So obviously, I haven't tried it yet. And no, you can't find it on BitTorrent. I tried. Although you can find some old copies of EnCase. Did not go there.

All right. So kind of getting near the end of this. I'm going to breeze through some of the forensic stuff, talk about some of the cool stuff a little bit after that, of anti-forensics and some of the cool tricks we can play. Three major clients we look at. The first one I really don't look at much anymore, the mainline. Basically off the mainline artery, Bram Cohen wrote the program, wrote the application, wrote the protocols. He wrote his own application in Python, open source. So when he came out with a new genius idea, he developed it, wrote it into the application, and put it out to the world. Everyone else who's writing clients, they saw that update. It's a great idea. We'll copy it and put it in our client. That was how it worked. So they called it the mainline because everything fed from it. That's no longer in use. It's 5.3. It's the oldest version. It's probably about two or three years old now. But it's the oldest official version for Mac and Linux. After that, they said, screw you guys, we're going Windows. uTorrent, micro-torrent, however you want to call it, that is the best, in my opinion, one of the best clients out there. Easy, simple, small, easy to use. BitTorrent bought them out.
They say, we love your client so much, we're going to buy you. And we're just going to rebrand it as our company. So uTorrent out there exists. And they have a separate product called BitTorrent, which is the exact same software in 99% of the ways. Does it get confusing yet? So we'll talk about those. And then Vuze, previously known as Azureus, which is its own bag of gravy. Completely segregated off. They have their own developers, but they are the geniuses. They are the smart guys. Their discussion boards of the new protocols they're figuring out are just leagues ahead of everyone else in the field.

So let's get past the BitTorrent stuff. The new ones I want to talk about, some of the main things here, is when you download something and you have a torrent file that you download, that is being stored on your hard drive. And it stores it all in your user profile folder. So every torrent file you download, even if you complete the transaction, even if you don't even download the actual data itself, you just download the torrent file, it's stored on your hard drive in that data. So the interesting thing about this too is it stores it with your original file name when you download it, and it keeps it there forever. So it's kind of funny, you see some of these machines that we take a look at where there are years and years and years of downloads, thousands and thousands, most of them porn related. And weird, because you can see their fetishes change over time. It gets weird. So one year they're really into this, the next year, ooh, they just completely did a 180 on that. Did not see that one coming. But it stores it forever and people just don't realize it. It's just sitting there on the hard drive. It also stores some great details of where information is kept in there. So for example, there's a settings file for uTorrent that stores their last download location, what ports they listen on, how many times they've been run, and how long it's been running for in seconds.
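Editor's note, with an added example that is not part of the talk: the artifacts just described, the stored .torrent files and the client's settings file, are both bencoded, so one small decoder reads them. This Python is illustrative code, not from the talk and not any client's own; it decodes bencode, computes the infohash as the SHA-1 of the bencoded `info` dictionary, lists the files and sizes, and formats the creation date (which, as the earlier one-year-off example shows, comes from the uploader's clock and should be cross-checked against other timestamps). The torrent and settings samples are constructed, and the settings key names in `SETTINGS_KEYS` are assumptions for illustration, not a verified map of uTorrent's settings.dat; check them against a real file before relying on them.

```python
import hashlib
import time

# Added illustrative code, not from the talk and not any client's own code.
# .torrent files and uTorrent's settings.dat / resume.dat are bencoded, so one decoder
# reads the artifacts the talk describes: the torrent's file list, sizes and creation
# date, and the client's usage counters.


def bdecode(data: bytes):
    """Decode one complete bencoded value (int, bytes, list or dict); raise on junk."""
    def parse(i):
        c = data[i:i + 1]
        if c == b"i":                               # i<digits>e
            end = data.index(b"e", i)
            return int(data[i + 1:end]), end + 1
        if c == b"l":                               # l<items>e
            items, i = [], i + 1
            while data[i:i + 1] != b"e":
                item, i = parse(i)
                items.append(item)
            return items, i + 1
        if c == b"d":                               # d<key><value>...e, keys are byte strings
            d, i = {}, i + 1
            while data[i:i + 1] != b"e":
                key, i = parse(i)
                d[key], i = parse(i)
            return d, i + 1
        if c.isdigit():                             # <length>:<bytes>
            colon = data.index(b":", i)
            end = colon + 1 + int(data[i:colon])
            if end > len(data):
                raise ValueError("truncated string at offset %d" % i)
            return data[colon + 1:end], end
        raise ValueError("bad bencode at offset %d" % i)
    value, end = parse(0)
    if end != len(data):
        raise ValueError("trailing data after offset %d" % end)
    return value


def bencode(value) -> bytes:
    """Canonical encoder (dict keys sorted); builds the samples and re-encodes `info`."""
    if isinstance(value, int):
        return b"i%de" % value
    if isinstance(value, bytes):
        return b"%d:%s" % (len(value), value)
    if isinstance(value, list):
        return b"l" + b"".join(bencode(v) for v in value) + b"e"
    if isinstance(value, dict):
        return b"d" + b"".join(bencode(k) + bencode(value[k]) for k in sorted(value)) + b"e"
    raise TypeError("cannot bencode %r" % type(value))


def summarize_torrent(raw: bytes) -> dict:
    """Forensic essentials of a .torrent: infohash (SHA-1 of the bencoded info dict),
    name, per-file sizes, tracker and creation date as written by the uploader's clock."""
    meta = bdecode(raw)
    info = meta[b"info"]
    if b"files" in info:                            # multi-file torrent
        files = [(b"/".join(f[b"path"]).decode(), f[b"length"]) for f in info[b"files"]]
    else:                                           # single-file torrent
        files = [(info[b"name"].decode(), info[b"length"])]
    created = meta.get(b"creation date")
    return {
        "infohash": hashlib.sha1(bencode(info)).hexdigest(),
        "name": info[b"name"].decode(),
        "announce": meta.get(b"announce", b"").decode(),
        "files": files,
        "total_length": sum(length for _, length in files),
        "piece_count": len(info[b"pieces"]) // 20,
        "creation_date": time.strftime("%Y-%m-%d %H:%M:%S UTC", time.gmtime(created)) if created else None,
    }


# Key names are assumptions for illustration, not a verified map of settings.dat.
SETTINGS_KEYS = {
    "download_dir": b"dir_active_download",
    "listen_port": b"bind_port",
    "run_count": b"runs_since_born",
    "total_running_seconds": b"total_running",
}


def summarize_settings(raw: bytes) -> dict:
    """Read the usage counters the talk mentions out of a bencoded settings file."""
    settings = bdecode(raw)
    out = {}
    for label, key in SETTINGS_KEYS.items():
        val = settings.get(key)
        out[label] = val.decode() if isinstance(val, bytes) else val
    out["total_running_days"] = round((out.get("total_running_seconds") or 0) / 86400, 1)
    return out


def constructed_torrent() -> bytes:
    """A made-up two-file torrent dated 10 November 2010, the date quoted in the talk."""
    info = {b"name": b"constructed-example", b"piece length": 262144,
            b"pieces": b"\x11" * 20 + b"\x22" * 20,          # two fake piece hashes
            b"files": [{b"path": [b"readme.txt"], b"length": 1234},
                       {b"path": [b"data", b"blob.bin"], b"length": 4096}]}
    return bencode({b"announce": b"http://tracker.invalid/announce",
                    b"creation date": 1289347200, b"info": info})


def constructed_settings() -> bytes:
    """A made-up settings file using the assumed key names above."""
    return bencode({b"dir_active_download": b"C:\\Users\\example\\Downloads",
                    b"bind_port": 51413, b"runs_since_born": 412,
                    b"total_running": 31536000})             # exactly 365 days


if __name__ == "__main__":
    print(summarize_torrent(constructed_torrent()))
    print(summarize_settings(constructed_settings()))
```

Re-encoding `info` to get the infohash is safe for a canonically encoded file; on an unusual real file, hash the raw bytes of the `info` value instead of re-encoding, since any byte difference changes the SHA-1.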
So you can tell this client's been running for years on end versus a week just by looking at the number of seconds it's been running for. And yes, didn't you guys know those WikiLeaks cables on Justin Bieber's international itinerary? I'm sure it's in there somewhere.

Now when BitTorrent bought out uTorrent, they kept the client. They didn't touch it, but they added something. They added something called BTDNA, which was a nice little Windows service that they install on your machine automatically without your consent that helps you use the ISP bandwidth kindly. So what it does is, instead of going out to the Internet and looking for peers immediately, it looks locally first. If you're a Comcast user, what BTDNA will do is contact Comcast and look for other Comcast IP addresses first before going out to the Internet. That way you're downloading from other people inside the local ISP network. Saves them money. It's good for them. Higher speeds, all that good stuff. The bad thing about it though is it installs as a service, and it doesn't hold itself to just BitTorrent. It does it for all data on your machine. So all protocols are now being routed through the service, which looks for local machines first. And then you've got a question: what is it beaconing out to Comcast when it does that search? So there's a nice little reverse analysis done. I've got the URL up there. You can email me, I'll give you a copy of these slides if you want. Where they actually take a look at it. How does that actually work? This is evil, this is bad. It's out there, and it's not going away. So people who download the official BitTorrent client have it in their system. The uTorrent client does not.

Vuze itself. Vuze is nice, completely Java-based, works on all the major OSes. Very aggressive development team. Want me to add that? Encryption. Back in late 2006, early 2007, the very first shutdown was taking place. An ISP in Canada saw too much BitTorrent traffic going across its network.
So they just said, okay, we're stopping it. It looks for BitTorrent packets and just resets them. If it sees BitTorrent in the packet header, which is right there plain as day, it sends back a reset packet and closes the connection out. People got pissed. How dare you stop me from downloading legal files? So the obvious solution in place was encryption. We have to encrypt this data. How do we do that? Well, Bram Cohen's like, yeah, I don't want to go down that road. That's kind of ew. That's bad. These guys are like, screw that. Within a week they had their own encryption algorithm written together, they threw it in place, it was done. So in a week it was done, it was in place, people were using it, they forced updates out. It was in wide use. And then about two months later, Bram Cohen's like, yeah, maybe I should do encryption. I'll do my own. So the two are not compatible. So these guys are very aggressive. They are very smart. They get the major stuff out there when there's a need. They get it written, they get it implemented quick before it becomes an issue. However, it's usually not compatible with a lot of other clients out there when they do it. But it is a great client. I'd give them credit. And they try to get legit. They now have their own service, a media delivery service. You can actually buy or rent movies through that.

The cool thing about here, basically from a forensic standpoint, is again all your torrent files are kept on the hard drive. What it actually has is an active folder. So anything you're currently downloading right now, you're currently involved in either as a seeder or as a leecher, it stores inside one folder. Renames it to the SHA-1 value so you can't see Windows 7.torrent. It just shows SHA-1.torrent. Stores it in a folder. And then when you're done, it moves it to another folder called torrents. And that's kept forever. It doesn't delete anything ever out of there.
And again, you go back years and years and years and you find some stuff you downloaded and you're kind of scared about. You wanted it deleted to hide it from your spouse. So this stuff is permanently stored on there. The other weird thing I found, and I don't know exactly why it does this, but every time the Vuze client reaches out to the Internet to make a connection, it grabs its egress netblock. So it grabs the IP address netblock of its outgoing connection and stores it in the configuration file. Why? I can't tell you. But it's really cool stuff, because you know exactly when someone is connecting through a Verizon network. You know when they're connecting through work if they're on a laptop, versus a Star Wars Suites hotel network, versus a Starbucks, versus Barnes & Noble. So by looking at that, I can see this person connected through a 151.196 IP address to the Internet coming from a Verizon netblock. So when you look at the laptop, we can see, oh, yeah, this person last connected, Starbucks, McDonald's, whatever. Why is this being stored? We don't know, but hey, it's good stuff. And just for cool giggles, they also keep running totals of how many things you've totally downloaded overall, how much data you've downloaded in bytes and uploaded, and how long you've been up and running in seconds. This does not have anything to do with anything. They just like to store it for nothing. So you have a file on your hard drive that says you've downloaded 6 million files totaling 6 petabytes of data.

All right. So that's the basic first slide. So what do we do to bypass and get around this? So how are the criminals actually operating to hide themselves on the Internet from detection? How are people downloading stuff inside their own work networks without anyone being able to determine that they're using BitTorrent traffic in the first place? Obviously, you can't see the cat, so it must be working. Co-location is the new big thing.
So obviously, if you go out and you download BitTorrent data, that is clear as day in network packets. You see the BitTorrent stuff. Even encrypted, you see little telltale signs that the traffic is in place. There's a tool out there called Sandvine. Sandvine was a tool in place used by Comcast when they started shutting down BitTorrent traffic about two years ago. Sandvine is used by tons and tons of companies. That's their job, to block network connections. So what these guys realize is, hey, let's just not use BitTorrent. Let's not use BitTorrent from the server to my machine. Let's use the BitTorrent stuff, let's keep it up there in the cloud. So basically, there's a co-location server out there that does the BitTorrenting for you. You give it the torrent file. It downloads it. It stores it on the hard drive. And then you download it using regular HTTP or FTP. So for a network administrator who's looking at network logs, you don't see BitTorrent. You just see an HTTPS, an FTP, or an SFTP connection being made to an IP address. How many of you guys even look in detail at that stuff? Probably none. If you're looking for peer-to-peer, you're going to look for peer-to-peer. If it's not peer-to-peer, you don't care. So sites out there like Peer Harbor, you pay a monthly rate. They have very fast bandwidth. They just download it for you. You get it from them when you're ready. There are lots of other services like that.

You can also see a lot of VPN services in play. VPN directly for BitTorrent traffic. Pirate Bay, their name is everywhere. Piratbyrån, the political party, runs the site. Everything's hosted there. When Pirate Bay was raided back in 2006, they were housed in the same data center as the political party Pirate Bay in Sweden. Actually, if you go out to YouTube and look for Pirate Bay raid, you can see the surveillance camera footage of the responders raiding the data center. They recorded it all on the surveillance camera, put it on YouTube.
It's awesome. So the Pirate Bay guys are really, really big on avoiding police and avoiding detection. So they started their own VPN service called iPredator. Basically in Sweden, they passed a law in October 2009 called IPRED, the Intellectual Property Rights Enforcement Directive. It says all ISPs must maintain logs for X number of days, and if they are maintained, they must be given to police upon request immediately. Okay, that's kind of scary stuff privacy-wise. So what iPredator does is, their VPN service says, we don't keep logs. There are no logs here at all. So police can come knocking all they want. We've got nothing to give them. And they run the service, and they're still running, and if you can route your traffic through them, it runs through them and they keep no logs at all of who you connect to. They're just one of many services to do that.

And then just the other week, we had this huge DHS takedown, as you guys might be aware of, where 82 domains were basically taken down by Department of Homeland Security ICE, Immigration and Customs Enforcement. What they did was basically went to the DNS records and redirected all DNS queries for those domain names to an ICE server. They had this big thing up there, hey, this domain's been seized. We now control it. Yeah, they can do that. Basically, Customs and Immigration, anything coming into this country or out of the country, they control. So they're looking mostly at counterfeit goods, guest bags, you know, sunglasses, all this BS stuff. Counterfeit sunglasses being sold or being shipped here into America and being sold on websites, they take an interest in that. So when a website goes up here in America that sells counterfeit brand-name goods, they shut it down. What we found in that was they took a few different torrent sites down. They really had nothing to do with their jurisdiction. I'm sure that's going to come out later on, as soon as they determine to find some way to justify it.
But right now, there's really just no clue. Well, that just happened in late November, and that got a lot of people up in the air. It's like, wow, this is really bad. How can this happen? How can ICANN allow this to happen, to just let a US law enforcement company come in and just take down domain names anywhere they want? So the guys behind Pirate Bay say, you know what, we're going to stand up for this. We're going to create a whole new DNS system, a peer-to-peer DNS system. Now, these solutions were already in place. There's already been peer-to-peer DNS for years. No one uses it. No one cares. There was never a motivator to use these services before in the past. Peter Sunde from Pirate Bay, he's like, you know, this is going to be my – I'm going to take issue with this. I'm going to do this. So he started a rally. He's like, we're going to put this out there. So, .p2p. That was the site he set up. Now, p2pdnsatbaywords.com. Basically, you can track the progress of it. They're looking through all the solutions. There are like four different applications out there right now, open source, for peer-to-peer DNS. And they're going to find one and just start rolling it out to people. You know, this is our way of running our own DNS. We're going to just disable ICANN enforcement.

So along with that, too, a lot of services are going to be run over BitTorrent. It's actually used in the BitTorrent traffic itself to feed through DNS traffic and feed through all kinds of traffic. And right now, legal side, that happens a lot. BitTorrent is used all over the place. World of Warcraft. All updates through World of Warcraft are done through BitTorrent without your knowledge. Unfortunately, what most people find is they have gigabytes of bandwidth being used on their machine to send updates to other people across the world. That – I take issue with that. Don't use so many people's bandwidth.
Facebook, their entire back-end structure is all duplicated across the world using BitTorrent. So a lot of people are using it already to deploy code and data and stuff, more than just regular files. So after Facebook uses it, and that was kind of a prime example, they say, hey, we've got thousands of servers. They all have to be running the exact same build at all times. And so if I need to push an update out here, it needs to replicate immediately to thousands of other servers. And they realize, hey, we'll just use BitTorrent. That's the best solution in place. And someone says, hey, that might work for DNS, because DNS is exactly the same thing. You make an update, it needs to be laid out to everyone else immediately. So watch for that the next few months.

Client side, there's a nice little application called PeerBlock, and this is what we track and read on a regular basis, because it's a service that runs on your Windows machine, this blacklist. So you have a blacklist of law enforcement or anti-peer-to-peer services out there, of educational institutions, of just all different kinds of different companies, and if it sees any outgoing or incoming UDP or TCP packets to any of those IP addresses, it just blocks them immediately. And they aggressively maintain that list and update it every two days. So what we found is even major corporations, like my webmail just stopped working one day. And after three days of troubleshooting, I realized, oh, yeah, it's got big red signs all through this application of my company name showing up. So it does disrupt regular communications. And it works across the board. Any service off your machine that makes a packet incoming or outgoing runs through this and gets blacklisted.

Just because I'm getting tired now, I've got two slides left. Actually, my voice. One last cool little thing we'll play with is this Tracker Checker. The idea out there is you've got these private trackers. You've got private services out there.
To get in, you must be invited in 90 percent of the time. However, there are little loopholes. Every now and then they open up an open registration period, usually for a day, usually no more than a day, maybe just a few hours, where they say, hey, we need fresh blood. We need more turnover. We need more eyes on our ads. So we're going to open up our open registration. And by word of mouth, it fills up. So what this application does, and you can kind of see a list down there at the bottom of some of the trackers it tracks, it looks at these different sites to find out when they're open for registration. And it notifies you, hey, this site's open. Click here to register. And it checks basically using a regular expression against that page looking for keywords. If they exist, it's open. It was kind of dead in the water for a while. It just kind of sat stagnant. But then last month, the developer says, hey, I've got a brand new version. I'm doing some cool stuff. It'll be out early 2011. So it's still in active development. And then just this last fall, he had a great idea. I'll set up a Twitter account. And so instead of actually using the client, you can follow Tracker Checker. And it says, hey, this site is now open. This site's now closed. This site's now open. This site's now closed. And just track it all through Twitter to see when sites open up. He also, if you go to his website, has just a master list of every private tracker that he's aware of. There are hundreds of them out there. Just if you want to spur your curiosity of what kind of content is sitting out there. Spoiler alert, 80% of it's porn. But yeah, shocker. But there's a lot of movies. And just how people are separating stuff out and how people are separating the data into these sites, a master list out there for people to track.

I'll leave it at that. I'm tired. It's getting late today. It's actually dark outside. I know we were already running late today. Can I take any questions from you guys?
How does PeerBlock compare to PeerGuardian?

PeerBlock replaced PeerGuardian.

So PeerGuardian's completely dead now?

PeerGuardian's basically dead. It's deprecated. And so PeerBlock is the current one. Because PeerGuardian stopped working with Windows 7, Vista, I believe, at a certain point. So PeerBlock just began a new version, forked off. And that's the new one. Questions?

As far as this is concerned, I'm not sure if there's some kind of liability issue. But as far as tracking people down who are on a particular torrent, is there anything legally complicated with joining the torrent? Now granted, you might be joining something that's contraband. You might be sharing back stuff that is copyrighted material. And then in that case, you're kind of giving out the copyrighted material. So is there anything bad about joining a torrent to find out who's in that torrent? And then just doing a netstat over and over again and just logging everybody with the netstat?

That's what law enforcement does. That's what these companies do. They join the torrents to see who else is on there. That's how they track them.

You were saying that some of the data was copyrighted. But in a longer period of time, can you say that you were, when you were on analysis, that there was a little bit of an effort so that individuals were pulled from pieces? Those data information are actually being backed up, letting you know how long that peer is going to be there. So is there any beaconing or two to peers themselves? You didn't allow us to maintain how long that file was sharing.

Oh, right. Well, there were certain sites that actually told peers to put back their data. How long would they be there? So that the peers themselves beaconed back to track them.

Yeah, I mean, I'm just going to call for an X number of months or days. Let me come back to that. Let me close off here as I open up for the next speaker. But I want to thank you guys. I'm not being Unallocated, but definitely.
Definitely support your hackerspaces. Reverse Space, Unallocated. Support them. Give them the help they need. Appreciate Reverse Space for having us here.