DYNAMIC PAGE -- HIGHEST POSSIBLE CLASSIFICATION IS
TOP SECRET // SI / TK // REL TO USA AUS CAN GBR NZL
(U) The Answer Is... Peer to Peer File Sharing
FROM:
FAVA Pod (S3T1)
Run Date: 06/22/2005
(U) One corresponding question might be: What technology is responsible for nearly two-thirds of all Internet traffic? In fact, CacheLogic conducted a study (available at
www.cachelogic.com) examining traffic from January 2004 through June 2004 which showed
that over one-third of all Internet traffic is due to a single Peer to Peer (P2P) application:
BitTorrent. Let's take a moment to ponder this. Think of all of the non-P2P traffic out on the net:
web, email, voice over IP (voip), etc. It turns out that BitTorrent is responsible for more traffic
than all of these -- combined!
(U) This is due in large part to the types of files typically shared using BitTorrent, namely movies
and TV shows (many in High Definition!). What is even more amazing is that BitTorrent isn't
even the most popular file-sharing application. The P2P-focused website Slyck.com publishes the
number of users currently connected to many of the popular P2P networks, and the two file-sharing applications with the most users as of June 2005 are eDonkey and KaZaA with
approximately 5 million and 2.5 million users respectively.
(U) If you're asking yourself what is a Peer to Peer application, you are not alone. Peer to Peer
file-sharing is a relatively recent addition to Internet communication methods. In its most basic
sense, P2P applications provide a way for two users to share files directly, without having to put
the files on a central computer. The first P2P system to gain notoriety was Napster. That system
became the target of the Recording Industry Association of America (RIAA), since many users
were illegally sharing copyrighted music files. Many of the popular P2P networks today continue
to be targeted by the RIAA for the same reason.
(S//SI) This is the backdrop against which the File-sharing Analysis and Vulnerability
Assessment (FAVA) Pod began its research**. The first task was to find ways to efficiently
identify P2P traffic to allow further processing. eDonkey has been a particular success story in
this regard as we can identify most eDonkey traffic now by examining only a few bytes in a
packet.
(S//SI) One question that naturally arises after identifying file-sharing traffic is whether or not
there is anything of intelligence value in this traffic. By searching our collection databases, it is
clear that many targets are using popular file sharing applications; but if they are merely
sharing the latest release of their favorite pop star, this traffic is of dubious value (no offense to
Britney Spears intended). Hence the next task was to decode the traffic of these P2P
applications. Since many of these applications (KaZaA, for example) encrypt their traffic, we
first had to decrypt it before we could begin to parse the messages. We have
developed the capability to decrypt and decode both KaZaA and eDonkey traffic to
determine which files are being shared, and what queries are being performed.
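(U) As an added illustration of the two eDonkey steps above (identifying the traffic from a few bytes, then decoding it to recover the queries being made), the following is example code written for this article, not FAVA Pod code and not the Pod's actual signature. It assumes the public eDonkey2000/eMule TCP framing (a 1-byte protocol id of 0xE3, 0xC5 or 0xD4, a 4-byte little-endian size covering the opcode and body, then a 1-byte opcode), the public opcode values shown, and the single-term string form of a search expression (type byte 0x01 followed by a 2-byte length-prefixed string). The sample segment is constructed for the example, not captured traffic.

```python
"""Added example (not code from the article or the FAVA Pod): flag eDonkey/eMule
TCP payloads from their first bytes, frame the messages, and decode the plain
single-term form of a search request.

Assumptions: public eDonkey2000/eMule TCP framing (1-byte protocol id, 4-byte
little-endian size counting opcode plus body, 1-byte opcode) and the public
opcode values below. Only the simple string search expression (0x01, u16 LE
length, text) is decoded. All payloads are constructed, not captured.
"""
import struct

PROTO_NAMES = {0xE3: "edonkey", 0xC5: "emule", 0xD4: "emule-packed"}
HEADER = struct.Struct("<BIB")          # protocol id, size, opcode -> 6 bytes
OP_SEARCHREQUEST = 0x16                 # client -> server search
OPCODE_NAMES = {0x01: "LOGINREQUEST", 0x15: "OFFERFILES", 0x16: "SEARCHREQUEST",
                0x19: "GETSOURCES", 0x33: "SEARCHRESULT", 0x38: "SERVERMESSAGE"}
MAX_MSG_SIZE = 1 << 24                  # sanity bound on the size field (assumption)


def build_message(proto, opcode, body=b""):
    """Assemble one message; the size field counts the opcode byte plus the body."""
    return struct.pack("<BI", proto, 1 + len(body)) + bytes([opcode]) + body


def looks_like_edonkey(payload):
    """The few-bytes test: a known protocol id and a plausible size field."""
    if len(payload) < HEADER.size:
        return False
    proto, size, _opcode = HEADER.unpack_from(payload)
    return proto in PROTO_NAMES and 1 <= size <= MAX_MSG_SIZE


def split_messages(payload):
    """Walk a TCP payload; return ([(proto, opcode_name, body), ...], leftover).

    Leftover is a trailing partial message that needs the next segment.
    """
    messages, offset = [], 0
    while offset + HEADER.size <= len(payload):
        proto, size, opcode = HEADER.unpack_from(payload, offset)
        if proto not in PROTO_NAMES or not 1 <= size <= MAX_MSG_SIZE:
            break                       # not eDonkey framing from here on
        end = offset + 5 + size         # 5 header bytes before the opcode
        if end > len(payload):
            break                       # truncated by TCP segmentation
        messages.append((PROTO_NAMES[proto],
                         OPCODE_NAMES.get(opcode, "0x%02x" % opcode),
                         payload[offset + HEADER.size:end]))
        offset = end
    return messages, payload[offset:]


def decode_simple_search(body):
    """Decode a single-term string search (0x01, u16 LE length, text); else None."""
    if len(body) < 3 or body[0] != 0x01:
        return None
    (length,) = struct.unpack_from("<H", body, 1)
    if 3 + length > len(body):
        return None
    return body[3:3 + length].decode("utf-8", errors="replace")


def search_terms(payload):
    """Every decodable plain search term carried in one payload."""
    messages, _leftover = split_messages(payload)
    terms = []
    for _proto, name, body in messages:
        if name == "SEARCHREQUEST":
            term = decode_simple_search(body)
            if term is not None:
                terms.append(term)
    return terms


if __name__ == "__main__":
    # Constructed segment: a search for "annual report", a server message, and a
    # third message cut off after 8 bytes, as one TCP segment might carry them.
    term = b"annual report"
    segment = (build_message(0xE3, OP_SEARCHREQUEST, b"\x01\x0d\x00" + term)
               + build_message(0xE3, 0x38, b"server says hello")
               + build_message(0xC5, 0x01, b"x" * 10)[:8])
    print(looks_like_edonkey(segment))                 # True
    print(looks_like_edonkey(b"GET / HTTP/1.1\r\n"))   # False
    print(split_messages(segment))
    print(search_terms(segment))                       # ['annual report']
```

The first-bytes test is deliberately cheap so it can run on every packet; the framing walk is what makes the result trustworthy, because a random 0xE3 byte at offset 0 will rarely be followed by a size field that lands exactly on another valid header. Real search bodies can also carry boolean operators and metadata tags, which this decoder reports as None rather than guessing.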
(TS) The latest success on the KaZaA project was developing the ability to parse out the registry
entries on a hard drive. Stored in the registry are e-mail addresses, country codes, user names,
location of the downloaded files, and a list of recent searches -- encrypted of course.
(S) Using these tools, we have discovered that our targets are using P2P systems to
search for and share files which are at the very least somewhat surprising -- not simply
harmless music and movie files. With more widespread adoption, these tools will allow us to
regularly assimilate data which previously had been passed over, giving us a more complete
picture of our targets and their activities.
(S) The file-sharing applications the FAVA Pod has examined are: BitTorrent, DirectConnect,
eDonkey, FastTrack (KaZaA), Freenet, Gnutella, Gnutella2, JoltID, MSN Messenger, Windows
Messenger, and Yahoo Briefcase. If you have a target using any of these applications or using
some other application which might fall into the P2P category, please contact us -- we would be
more than happy to help.
** Note:
(S) The Pod Research Program, S3T1, resides in the Technical Advocate Office. For more
information, type "go pods" in your favorite browser.
"(U//FOUO) SIDtoday articles may not be republished or reposted outside NSANet
without the consent of S0121 (DL sid_comms)."
DERIVED FROM: NSA/CSSM 1-52, DATED 08 JAN 2007 DECLASSIFY ON: 20320108