Resistance is futile.

By Jon Newton - p2pnet.net

If you're a Borg, you'll know what that means. And if you're a label, you've been warned.

Because EarthStation5 is looking for beta testers for its new ES5 p2p software which, it promises, "Protects Users' Privacy and Provides Complete User Anonymity".

"ES5 is the 'Holy Grail of File Sharing' because it provides anonymity for people sharing and downloading files," says ES5 president Ras Kabir. "Users no longer have to be concerned about what they are sharing, or with whom they are sharing because there is complete anonymity."

He says his brainchild uses SSL Encryption to stop third parties (Who dey? heh) from monitoring users' file sharing activity and provides users with IP address anonymity through proxy servers.

"ES5 is the only P2P program that integrates seamlessly with PGPDisk (a free security program) that lets users fully encrypt the contents of their 'Shared Media Folder' so no one other than the user can view the contents of their files, such as a spouse, parent, child, employer, school administrator, or IT department," states Ras.

AND ... ES5 dynamic, random ports and encrypted UDP search protocol, "ensures that no one, including the users' ISP, can block or throttle a user's ES5 file sharing activities or even know the person is using ES5. All file sharing activities look like normal web browsing."

Deadly.

Laid out as a galaxy, ES5 features user planets with no hard links to the network. Instead, they, "float in a galaxy, a virtual, distributed super-base of file information. To find a resource, you explore instead of searching".

ES5 also has password protection and the ability to preview a download. Additionally, it supports all types of files - not just music and video - and has integrated media management to organize and play music and video files easily.

"You can get lost in ES5 and not come up for days," an ES5 beta tester is quoted as saying. "I've got two movies coming in while I'm watching a third and downloading music at the same time. The movie audio is playing in one ear, and I'm sampling songs in the other."

ES5 automatically removes missing files from returning search results so only files that are readily available are shown. ES5 has incorporated all the advanced P2P file sharing technologies found in other clients including auto- resume downloads, metadata support, previewing and more.

Nor, swears Ras, does ES5 bug users with pop-ups or spyware and, "To attract a large user base quickly, ES5 has integrated the web's most popular services yet, charges no usage fees. Its free dating service allows users to meet other 'Life Forms' with similar appetites and 'download' them into their own life."

ES5 also has free text/audio/video chat system so up to seven users can chat in the same room with full audio and video capabilities meaning they can see each other in real time.

Like Kazaa's Sharman Networks, EarthStation5 is incorporated on the South Pacific Island of Vanuatu, as well as in Palestine.

"To avoid the potential for litigation that has dogged the makers of Kazaa, and Grokster and wiped out companies such as Napster, AudioGalaxy and Scour, EarthStation5 has its offices and its infrastructure in the West Bank and Gaza City, where it is not illegal to develop and distribute peer-to- peer file-sharing technology," says Ras, adding that ES5 is made up of, "Jordanians, Palestinians, Russians and Israelis of all faiths.

"Believe it or not, we all love and respect each other. We work and play together. On many occasions our families eat at the same dinner table. We trust each other and are very close friends. As a group, the most important things in our life are our families and, of course, our friends.

riiiight

DUDE! If this software can actually get Palestinians and Israelis to work and play together, it must be revolutionary! I'd like to see the RIAA target this file sharing system.

Beam me up scotty

This IS the next generation. I'm liking this. I sure hope the Beta test goes well and this goes gold.

Has anyone tried this yet?

Here's the problem with it. They're still dodging the issue by hiding things. More security for privacy. Out of jurisdiction.

On one hand, this is a leap forward for the important uses of P2P, like medicine, legal, technological research and a lot of other things.

But music, art and books are not created to be hidden from the world. Locking them down is not the answer. Inevitably, much material will be lost to history. If it's anything like the software biz, 15 out of 16 copies won't be accessible in 20 years, as the Internet Archive illustrated at the DMCA.

My plan is much simpler. Fair for Share(tm). Only authorized music. All legal. All others screened out. We don't care who the listeners are, unless they want to tell us. No spy bots necessary.
No DRM.

About the trademark... If you are an independent artist and NOT in any way affiliated with the RIAA, you may use this at your own discretion. There will never be a charge or license fee of any sort.

Do a voice-over. Say "Fair for Share". Make an mp3 of that. But you don't necessarily have to put that version on your CD.

We have a great thing going here at DMusic. This our little community, although the population seems to be increasing. I don't want to compete with that or any other music site.

What we're trying to do is answer the question not addressed by the article above. Even though an artist may offer their music for download at DMusic, technically, there still exists an issue of whether or not the person who downloaded can redistribute it over the P2P net.

You have to write to each and every artist to find this out, as directive will attest.

If we have to, that's exactly what we'll do. If we have 5 songs or 500 ready, www.fairforshare.com will open on July 4. It's Independents' Day.

And you'll finally be able to tell the difference. No one has even tried yet.

This is very kewl, but will it be able to withstand the attacks from the RIAA. It is only a small reach for the RIAA to begin sending viruses thru the P2P systems. Will this new system be able to protect its users from that?

Correct George, i can attest.
What do u think of this software?, it sounds cool and i would say that it is here to stay.
P2P will only advance in many areas. George, the best thing you can do is get your software out in the open, make your mark in history with your software and ideas, others will do what they want.
Thanks`

No ads and proxy servers... is Bruce Wayne running this outfit? Who's got such deep pockets for this?

I really don't think they should tout that people can use this at work and not get scoped by their IT department because that is a baldfaced lie. Any IT hack worth his salt can track down pure excessive bandwidth just by watching the lines. An 800mb full length movie would tend to stick out. You can't surf THAT fast.

I want to see if this proxy anonymizer really works. Also, how they intend to dodge prosecution.

George, I agree with you, but it's a Nirvana/Samsara thing.

Yes, music should be free, downloaders should not be criminalized, and we should all become one with the music, loving and fostering musical diversity and growth, so that we finally are one with each other and every voice can be heard. Nirvana.

Unfortunately, the world doesn't work that way yet, and not everyone is in a position to fight. College students and people who share internet connctions with families... these people have alot to fear, and hiding is the best recourse. We live in a world where greedy people want to hurt us, and we must prepare for it, and that is Samsara.

Now, before I Kill the Bhudda any worse, I do think that the RIAA's main achilles heel is P2P, and that anything which is good for P2P undermines them, because it means that they don't control the distribution channels.

-- Funksaw.

Have any of you people actually used it? I have. Its bad. The interface is a massive triumph of style over useability, replaceing simple and well understood labels with scifi-style and cunfuseing terms (download speed becomes velocity for example). The search system covers far too few users. Proxy support and encryption are nice ideas I suppose. Proxy support depends on finding a publicly accessible unfiltered proxy, and they are hard to find because they usually get abused by hackers or spammers. The networks no harder to shut down than gnutella. The search dialog is just stupid, there are a lot of catagories to search in (audio, video, images, text, other, ETC) yet there is no way to search all catagories. It doesn't support all files, only those on its long list of extensions, which is fine until you want to find source in a .tar.gz archive. Finally, the networks propritary.

On the bright side, its good to see any new network available. The best this can become through is a sort of fasttrack-2 with proxy and encryption.

First of all, the phrase "tar.gz" has always bugged me

Answers to all the questions boil down to the software and the music, but don't forget about the artists. The artists are the one and only key to the success. If I am wrong, this idea will fail because it was not supported by artists.

Nothing else can kill it.

The RIAA does not apply. Neither does the DMCA. For us to add a song into the database, it must be freely offered by the artist/copyright owner, either in writing or explicitly making this apparent by the use of the "Fair for Share" voice-over.

So instead of worrying about what we CAN'T share, we limit the search results to the known authorized versions only. All the songs are directly licensed and, therefore, the DMCA does not apply.

As for the RIAA and viruses, things like that...
Because we're starting from scratch, we have a very short list of authorized songs. They all came directly from the artists. They are known good copies.

As long as each copy we use either comes directly from the artists, or we do the voice-over with their permission, we start with good copies. We can even host the first 500MB or so. No legal issues.

The artist has complete control. Let's say that you have 5 songs posted on DMusic or elsewhere. You don't mind if people download them all for their personal use, but you would hate to see your entire CD end up on the P2P net.

Of those 5 songs, two of them are your favorites and you think maybe they could go somewhere if enough people heard them. If those are the only two of your songs that are authorized as Fair for Share, then that's all we'll ever return as search results.

As we go on, we can identify users who are redistributing verified copies and add their results to the list. With a peer review system in place to eliminate those which would seek to pollute the musical gene pool.

Even if a bogus song did manage to sneak in from time to time, the authorized use would significantly outweigh the unauthorized uses. Grokster and Morpheus got off on the "potential" for non-infringing uses. Ours requires no defense at all.

No security. There's nothing to protect. All open source. You can help us make it better. No privacy concerns. Total anonymity for the users. Verification of files only if you want to share into the net. No copy protection, limited life span, copying restrictions or any other DRM foolishness.

And your CD version does NOT have to contain the same Fair for Share voice-over.

Any questions?

If you dont like .tar.gz, you can use .tgz instead Ignoreing any questions about the format itsself, its one of the most popular for distributing source code. (Perhaps because it preserves *nix permission flags, so the executables stay executable?).

Im not quite sure what gdZiemann is talking about. I could improve on a fair for share voice over through. Modulate it in hex-coded sine wave tones. The message would last about one second, so could be left on CDs, and could be decoded by anyone with a wave editor

Actually, we've tried this program and it is very good...guess it depends on your computer, but we like it so far!

You gus may have missed my sarcasm, which is all the reference to tar.gz was.

As long as tar.gz does not evolve to feather.gz, or tarNfeather.gz...

I like goldenpi's idea on the Fair for Share thing. The voice-over could be abused to the point where the artist puts it at the beginning, end and during the solos. Universal currently does this with their promos. I downloaded the new Godsmack album and at random intervals, though only during parts where no singing was going on, I heard "Property of Vivendi/Universal Records".

Like I said, saying "Fair for Share" could potentially be abused by artists/groups who don't want you listening to MP3. Besides, I'm one of those who's annoyed by voice-overs, even on radio. A better way should be found.

If I think of anything, I'll say something.

Hey guys .tgz is a format used under slackware and few other distrobutions. What is slackware? It is a linux distibution. If I would have to express my personal flavor I would say redhat. Been a linux user for a good deal of time already.

Microsoft & Riaa & SCO what a bunch of freedom lovers! They are all out to abuse America. I hope that American people realize that they are being hurt in one way or the other. SCO is also based in Germany right?

NiceGuy -- Good points. Everything is open to abuse. Everything can be hacked. Voice-overs ARE annoying.

If an artist does not want their music shared, it will not appear in our search results. Our search results will only return matches to our list of authorized songs. The artist has to give them to us willingly or they will not be included.

Voice-overs are optional but -- they remove ANY question about whether the song is authorized for re-distribution by the general public.

The law does not apply. The RIAA has no authority, power or jurisdiction.

"One-Click Proxy Server - ES5 provides users with the instant ability to transmit and download via a "proxy server." Not to be confused with a corporate
firewall/proxy/socks proxy, ES5 allows users to send connection requests through intermediary proxy servers located throughout the world so that the
download destination of a file cannot be traced by any entity whatsoever."

I bow to the people who implemented this.
Thank you.

It's quite clear that such programs like this indirectly encourage illegal usage and trading of copyrighted files. It can't really be stopped, so just score one for tech developments.

Here's one for the abuse of a voice-over or encoded wave at the beginning. It could be used to plant a subliminal message. Then, the RIAA could pay an artist to put their work on the Fair for Share service and when someone downloads it, it has a malicious message within saying something to the affect of "Downloading is a crime, don't do it."

Now, I know for a fact that I'm immune to this type of persuasion. I've tried subliminal learning tapes with no effect and I don't hop up and grab a drink whenever I see a Pepsi/Coke/Sierra Mist commercial.

Hmmm, now what we need is someone to figure out how someone could do this and write a detection program to root them out. For all we know, it's already happening.

So what's stopping them from putting a subliminal message in their song in the first place?

Which may be the *real* reason why they don't like MP3 - maybe the subliminal messages they put in the CDs that we don't conciously hear ARE the subliminal messages that get stripped away by the encoding!




Why is everyone looking at me like I'm crazy?

I've used this program numerous times, and still do time from time, when I have the time.

Yes, it does use some confusing terms, but I do believe they have a skin ready for the final release that puts it in what everyone else is used to.

The reason the searching sucks is because there's far to few users either using versions that are too old, and the servers don't support those, or people are leeching.

The proxies are actually relatively easy to find. There's numerous sites out there that offer free poxies. Just load em up. Sure, you might have to do that once a day or so, just to see if you have your list blank or not. That's not too big of a deal.

The program itself does look like shit. Numerous beta testers have complained about it. I think the developers just give us all a bit of lip service in that department and tell us that they're working on it, but I don't think they really are.

The developers themselves sometimes seem stupid. I know there's been numerous times where I had to keep on simplifying the bug problem I was having (which made it hard for me since I told them exactly what I did).

There has been an official release version, but a lot of beta testing is still going on. The program overall is pretty stable. There's going to be a few bugs here and there. That's not too big of a deal for more security.

Shinkaide did hit the nail on the head with this one. It seems the developers of this don't care about who the files belong to. If it's out there, they'll share it.

And what if Funksaw is right?

Not likely. Someone would have noticed by now.

Fogcity ,
"This is very kewl, but will it be able to withstand the attacks from the RIAA. It is only a small reach for the RIAA to begin sending viruses thru the P2P systems. Will this new system be able to protect its users from that? "

It's amazing (what ya said). It would be _wonderful_ if RIAA started to spread the viruses and other illegal stuff (eg trojan horses), because we would FINALLY have the reasons to shut them all in prison (what they deserve). And, as far as I know America, they _would_ land there up. But I fear, that they are not so stupid ... Ya know, they are aware of having millions of enemies , who would exploit any crime they commit to wipe them.
-- Critto

1. If the RIAA started sending actively nasty files over p2p they would make sure they were legally safe first.

2. They wont use sneaky methods unless legal attacks fail, as they have with kazaa. Dud MP3s perhaps, but malicious executables are strictly a last resort. First they try setting lawyers on the networks, then they use dud MP3s, then they run campaigns to send infringement notices to ISPs for individual users compined with a scare campaign. Only if all those fail will anyone consider using the banned weapons

3. Dont worry about trogens. Worry more about what happens when you give a paranoid copyright enforcer a few gigabit lines and a small supercomputer.

The RIAA can try to infiltrate this p2p program with fakes and dupes all they want. If they don't already, they're going to implement a verified files feature. The RIAA can try to clog this one up all they want, it won't work to well in that department.

Verified file systems offer a central weak point for legal problems. Im amazed sharereactor hasn't been shut down yet.

goldenpi, wouldn't that all depend on where it's based at? If copyrights basically don't exist in that country, how cold that pose for legal problems?

If this program works as well as they say, porn addicts are going to love it. I'm also curious as to how the programmers will get paid for it, donations I guess.

As far as I know, they plan on making a commercial version for companies and selling it to them. How they're going to market that is beyond me.

guys, stay off ES5, it's BAD to da BONE. I stumbled on this while cruising the waves of the net.


http://www.zeropaid.com/news/articles/auto/10022003i.php
EarthStation 5 P2P application contains malicious code
posted by random nut on October 02, 2003 @ 11:14am


ES5 info
EarthStation 5 (aka ES5, aka ESV) (http://www.earthstation5.com and http://forums2.es5.com/) is a P2P application first released about 6-12 months ago. The people behind ES5 claim that ES5 is the most secure P2P software in the world. They also claim that they are security experts, and that they have more than 15 million simultaneous users on-line 24/7. In comparison Kazaa, the most popular P2P application, only has about 4 million simultaneous users on-line at any given time of day.

Malicious code
There exists malicious code in ES5.exe's "Search Service" packet handler. By sending packet 0Ch, sub-function 07h to the "Search Service"'s IPort, a remote attacker could delete any file the user is sharing. If the remote attacker uses "filenames" with a relative path in them (eg. "......WINDOWSNOTEPAD.EXE"), the remote attacker could also delete files in eg. the windows and windowssystem32 folders, or any other folder on the same partition as any of the shared folders. Since most users using Windows are in the Administrators group, a remote attacker could also delete the C:BOOT.INI file which is a required boot file used by ntldr.

IMPORTANT: This is not a bug! They intentionally added this code to ES5.

Vulnerabilities
There also exists a lot of other vulnerabilities in ES5 (eg. DoS attacks, buffer overflow bugs, and so on), but these all seem to be unintentional. Another advisory may have more info on these vulnerabilities, but I'm not their beta tester so don't hold your breath.

Conclusion
The people behind ES5 have intentionally added malicious code to ES5. If you have followed the ES5 discussions on message boards and read what the ES5 people have said and done (eg. DoS attacking BitTorrent sites), this comes as no surprise. The question then is "why did they do it?" I'm sure they won't tell us, but here's a theory: They could be working for the RIAA, MPAA, or a similar organization. Once they have enough users on their ES5 network, they would start deleting all copyrighted files they own which their users are sharing. The users wouldn't know what hit them.

Tested ES5 builds
ES5 build 1266

ES5 build 2180 (latest version)

MD5 sums of files
MD5 sum (using RFC 1321 source code) of tested files (just in case the ES5 people will remove the malicious code w/o changing the build number)

e35838ef6668abe883344e3a7e734794 *es5beta1266.exe
ce44a1f0542b9132f2debd9866febc65 *es5beta2180.exe
373c30ba0e8b1dce05dcab2acce94a77 *es5_build1266.exe
915de0f8e72be40bf071a86bc9dc2626 *es5_build2180.exe

2,244,663 es5_build1266.exe (ES5.exe - build 1266)
2,347,063 es5_build2180.exe (ES5.exe - build 2180 - latest version)
4,436,309 es5beta1266.exe (ES5 installer - build 1266)
4,553,325 es5beta2180.exe (ES5 installer - build 2180 - latest version)

The official ES5 installer download URL is http://download.es5.com/es5beta.exe , but check its MD5 sum before installing it in case they changed it.

Credits
me for discovering it (randnut@yahoo.com)

Exploit code
Go to http://www.geocities.com/esvuln to download the exploit binary if you don't want to compile it yourself.

Source code to esv ("ExpoitStation 5" or "EarthStation Vulnerabilities", you decide) but first a little FAQ...

Uninstall Instructions

Kill all ES5.exe processes with task manager (taskmgr.exe)
Try ES5's uninstaller
Delete registry key HKEY_CURRENT_USERSoftwareHelmuthSpeakingForBosko ne
Delete registry key HKEY_LOCAL_MACHINESOFTWAREEarthStation5
Remove the ES5 entry from HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurre ntVersionRun to stop it from running after reboot
Remove the ES5 entry from HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurr entVersionRun to stop it from running after reboot
Delete all files in the ES5 folder (usually in "Crogram FilesEarthStation5"). If files can't be deleted, boot into safe mode and delete them.
Restart computer




Now I wouldn't believe Random Nut that soon, as he is one of the key developers of Klite (=opposition of ES5), but this story will put things in very gloomy light.

http://www.gonze.com/index.cgi/2003/08/02#8-2-3

Sat, 02 Aug 2003

Anatole says:
So I just tried installing ES5 on my Windows machine. The first thing
it did is attempt to connect to an IP in the Gaza Strip. The
administrator for that IP block is someone with an earthstationv.com
email address. Then my keylogger warning program popped up and
complained that the program had attempted to hook to my keyboard. I
killed it, and ran an uninstall. The uninstall failed because some of
its DLL's were still 'in use' despite no matching processes. I rebooted
and was able to do a successful uninstall manually. Afterwards, I
checked my registry and removed a fresh entry from "Intertrust," a
company that makes DRM software.

Overall, an entertaining experience.
The earthstation5 folks strike me as sleazy.

NOW THAT SOUNDS DOWNRIGHT ALARMING!!!!


Or how about http://www.securitynewsportal.com/cgi-bin/cgi-script/csNews/csNews.cgi?database=JanCC%2edb&command=viewone&id=47

EarthStation 5 P2P application contains malicious code - Not a bug - It was deliberate
This is not a bug! They intentionally added this code to ES5
10-03-2003 09:15:30 AM CST -- from the Full Disclosure mailing list


EarthStation 5 (aka ES5, aka ESV) (http://www.earthstation5.com and http://forums2.es5.com/) is a P2P application first released about 6-12 months ago. The people behind ES5 claim that ES5 is the most secure P2P software in the world. They also claim that they are security experts, and that they have more than 15 million simultaneous users on-line 24/7. In comparison Kazaa, the most popular P2P application, only has about 4 million simultaneous users on-line at any given time of day. There exists malicious code in ES5.exe's "Search Service" packet handler. By sending packet 0Ch, sub-function 07h to the "Search Service"'s IPort, a remote attacker could delete any file the user is sharing. If the remote attacker uses "filenames" with a relative path in them (eg. "..\..\..\WINDOWS\NOTEPAD.EXE"), the remote attacker could also delete files in eg. the windows and windows\system32 folders, or any other folder on the same partition as any of the shared folders. Since most users using Windows are in the Administrators group, a remote attacker could also delete the C:\BOOT.INI file which is a required boot file used by ntldr.

There also exists a lot of other vulnerabilities in ES5 (eg. DoS attacks, buffer overflow bugs, and so on), but these all seem to be unintentional. Another advisory may have more info on these vulnerabilities, but I'm not their beta tester so don't hold your breath. The people behind ES5 have intentionally added malicious code to ES5. If you have followed the ES5 discussions on message boards and read what the ES5 people have said and done (eg. DoS attacking BitTorrent sites), this comes as no surprise. The question then is "why did they do it?" I'm sure they won't tell us, but here's a theory: They could be working for the RIAA, MPAA, or a similar organization. Once they have enough users on their ES5 network, they would start deleting all copyrighted files they own which their users are sharing. The users wouldn't know what hit them....continued...

Click here to read the full report in the Full Disclosure mailing list at Insecure.org

UPDATE : Within a few short hours of this story hitting the media the folks over at ES5 scrambled and uploaded a new ES5 installer. The new installer has not been tested yet, but you can be pretty sure that they have removed their malicious code and will soon claim that the original reports about them putting malicious code in their P2P warez were lies... We shall see what they "officially claim happened. Builds 1266 and build 2180 were the ones tested and found to contain malicious code

And now the question is : How many of the ES5 users will dump that software off their machines and how many will continue blindly trusting ES5 to be ethical.. My bet is that the majority of them are so addicted to sucking down free movies and tunes that they probably have no idea what risk their computers were put at. I hate the RIAA as much as anyone, but to deliberately choose to run an 'untrustworthy' warez is just foolish. Nuff said.