A few years ago, EFF debunked an anti-P2P packet filtering technology sold by Audible Magic. Twice. The notion that universities can just buy a piece of software to end file sharing on their networks forever is false. But it keeps coming back.

The latest product of this sort is from a company called SafeMedia. Its website is covered in dramatic marketing newspeak and includes a weird appeal to the Congress to install its software in "every public and private institution receiving Federal funds". So what are they selling, really?

SafeMedia's flagship filtering product is called Clouseau — suggestively named after the hillariously incompetent detective played by Peter Sellers in the Pink Panther movies.

The press release makes some grand and misleading claims:

?Pirates are smart and innovative, and so is Clouseau?. Our technology is dynamic, sees through all multi-layered encryptions, adaptively analyzes network patterns and constantly updates itself. Packet examinations are noninvasive and infallible. There are no false positives.?

Wow. We wonder if it sees through the encryptions with a comically big magnifying glass?

It's hard to be certain from marketing-speak on their website, but it appears that ?Clouseau? works in two ways:

  1. Recognizing protocol-identifying "magic numbers" or other distinctive patterns inside individual packets from a particular protocol (like Gnutella, or eDonkey, etc).
  2. Building up a "profile" of traffic by looking at a series of packets.

A system like this could indeed block many of the p2p protocols that are widely used today (including some encrypted protocols, without breaking the encryption). It certainly isn't, and will never be, "infallible." In fact, the claim is ludicrous. Detecting encrypted file sharing networks is very difficult, and blocking them without interfering with other encrypted protocols like HTTPS, IMAP/S, or SSH is next to impossible.

To illustrate this, suppose that SafeMedia attempts to block a program like Allpeers. They might succeed in doing so briefly, because the program tries to make its encrypted SSL conections over TCP port 36000 at first and only later switches to port 443 (the HTTPS port). On a TCP/IP network like the Internet, eavesdroppers can see the port numbers even if they can't decrypt the traffic. So if Clouseau was clever enough, it would remember the initial 36000 connection and stop that machine from using port 443 later (blocking https websites as a side-effect).

But if Clouseau started doing this, Allpeers could change their software to use port 443 from the beginning. If the SafeMedia engineers were really good, there might be another round of cat-and-mouse as Clouseau tried to perform traffic analysis on the sizes and timings of the encrypted packets, and Allpeers started changing their sizes and timings to look like a more typical https website.

Filtering tools merely drive the development of sharing tools that are resistant to monitoring (including small networks like Allpeers, and encrypted versions of BitTorrent and eMule), and drive students to start using them. They don't get us any closer to a real solution that gets artists paid while letting fans continue to share music. Universities are already being forced to expend significant resources doing the RIAA's dirty work, and they should think very carefully before implementing expensive tools like SafeMedia's.

Related Issues