
Article:   It Doesn't Pay to be Popular
Subject:   Yes, but the problem is not specific to BitTorrent
Date:   2003-05-31 15:58:35
From:   eggboard
Response to: Yes, but the problem is not specific to BitTorrent

You're reading the context wrong, and it is, in fact, different with direct download.

In the article, I cite the general problem as: "In peer-to-peer systems, however, you can't necessarily be sure that a given file is the same as an author meant to upload, that the file has been vetted for viruses, or that each version of the file throughout a network is the same as every other file." Then I mention BitTorrent's method of crypto as a specific example of trying to solve one part of the problem that doesn't actually verify or vet the file. So that's a general-to-specific example, not a condemnation of BitT above other P2P.

Second, many sites do employ a variety of methods including MD5 and public key signing to ensure that a direct download is as promised. MD5, of course, only ensures that a file matches what's said on a Web site or in an email or newsgroup posting. If you use the methods recommended to obtain the verification of public keys used to sign downloads out of band (that is, not via a Web site or through email directly), then when you download a file, you can verify that the person or organization that you think created the file did, in fact, sign the file and it's been untampered with. (The cases in which this is a problem involve a lack of out-of-band confirmation of the public key, and so were more like just checksumming not ensuring integrity.)

So you're definitely RIGHT in that the problems are P2P-based, but they're exacerbated by a distributed mechanism in that the "author" doesn't define where the downloaded file is authoritative from.

Obviously, a way to make this work better would be to tie in Web sites or subsites on a Web site that managed the crypto: signed files, etc., and have a streamlined method of obtaining keys or keys signed by other keys, so that any file in BitTorrent had to have some identity confirmed at the end of a chain, not just crypto hashing confirmation of the individual file.

It's definitely a global problem, but it's "solved" in the sense that sites like apache.org or sendmail.org use mechanisms that allow verification. If those files are then distributed through BitTorrent those same methods of verification work.


  • Yes, but the problem is not specific to BitTorrent
    2003-06-02 14:34:31  anonymous2

    I think you're missing something. BitTorrent implements the solution you describe.

    You as the author create the (small) .torrent file with the checksums in it. You host this on your webserver and link to it. The first step of a BitTorrent session is for the user to download these checksums directly from you.

    Then BitTorrent does its peer-to-peer magic and retrieves the actual file (your pdf). The client checks the pdf against the .torrent file to ensure that what the user gets is exactly what you created.

    If you still disagree, please read about the BitTorrent protocol. It's a very different beast than the Kazaas and Gnutellas of this world. For example, there is no search engine built in. A user doesn't search inside BitTorrent for your book to obtain it. She goes directly to your website and clicks the BitTorrent link that you have set up. Thus her client can guarantee that she gets exactly what you want to give her.

    Of course, as you mention, there is still a stigma against peer-to-peer programs in general. This is probably because most of these programs are really designed to make it easy to illegally share copyrighted work.

    BitTorrent is different. It's designed from the ground up to solve the very problem that you are having. As people get more comfortable using it, I think the stigma will begin to fade.
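As an added example (not code from the article or from either commenter), here is the piece-hash check the comment above describes, together with the gap eggboard raises: a hash list catches a tampered or truncated download, but a hash list substituted from an untrusted source passes its own check, so the list itself must be authenticated through a channel other than the download page. The piece size, the sample files and the SHA-256 fingerprint (standing in for the public-key signature the article recommends) are all assumptions made for this example.

```python
import hashlib
import hmac

PIECE_LEN = 16 * 1024  # assumption: real torrents use larger pieces, same principle

# Constructed sample "downloads". The second file is internally consistent but
# was not published by the author.
AUTHOR_PDF = b"%PDF-1.4 constructed sample " * 2000
IMPOSTOR_PDF = b"%PDF-1.4 some other document " * 1500


def piece_hashes(data: bytes, piece_len: int = PIECE_LEN) -> bytes:
    """Concatenated 20-byte SHA-1 digests, one per piece, as in a .torrent's 'pieces'."""
    return b"".join(hashlib.sha1(data[i:i + piece_len]).digest()
                    for i in range(0, len(data), piece_len))


def make_metainfo(name: str, data: bytes) -> dict:
    """Minimal stand-in for the .torrent an author publishes (not bencoded here)."""
    return {"name": name, "length": len(data), "piece length": PIECE_LEN,
            "pieces": piece_hashes(data)}


def bad_pieces(metainfo: dict, received: bytes) -> list:
    """Indices of pieces whose SHA-1 differs from the published hash list."""
    plen, expected = metainfo["piece length"], metainfo["pieces"]
    return [i for i in range(len(expected) // 20)
            if hashlib.sha1(received[i * plen:(i + 1) * plen]).digest()
            != expected[i * 20:(i + 1) * 20]]


def file_matches(metainfo: dict, received: bytes) -> bool:
    """What the client checks: correct length and every piece hash matches."""
    return len(received) == metainfo["length"] and not bad_pieces(metainfo, received)


def metainfo_fingerprint(metainfo: dict) -> str:
    """SHA-256 over the hash list. The author publishes this out of band (a real
    deployment would sign the .torrent instead) so the list itself can be trusted."""
    h = hashlib.sha256(metainfo["name"].encode())
    h.update(metainfo["length"].to_bytes(8, "big"))
    h.update(metainfo["pieces"])
    return h.hexdigest()


def metainfo_trusted(metainfo: dict, out_of_band_fingerprint: str) -> bool:
    """True only if the .torrent we were handed is the one the author vouched for."""
    return hmac.compare_digest(metainfo_fingerprint(metainfo), out_of_band_fingerprint)


if __name__ == "__main__":
    author_meta = make_metainfo("book.pdf", AUTHOR_PDF)
    published_fp = metainfo_fingerprint(author_meta)   # obtained out of band
    swapped = make_metainfo("book.pdf", IMPOSTOR_PDF)  # hash list from an untrusted source
    print(file_matches(author_meta, AUTHOR_PDF))       # True
    print(file_matches(swapped, IMPOSTOR_PDF))         # True: piece hashes alone pass
    print(metainfo_trusted(swapped, published_fp))     # False: the chain of trust fails
```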