Vulnerability Development mailing list archives

Re: Fwd: Kazaa file corruption


From: Blue Boar <BlueBoar () thievco com>
Date: Thu, 06 Mar 2003 07:17:15 -0800

Russell S/nillion42 wrote:
Problem:
Lack of file checksum in kazaa leads to the ability to
spread corrupted files and corrupt the download of any file.

Method:
By deleting (replacing with hex 00) the data from a mp3
file and leaving the headers you can create a file
which has identical filesize (kazaa checks filesize).
When a kazaa user downloads a file, multiple download
streams can be used, if a stream is created to the
corrupted file, it will make the download useless once
finished, not readily apparent until download is complete.

I haven't looked into why, but I can confirm that I've observed this.  I
had occasion to download some Red Hat ISOs from Kazaa recently, and the MD5
sums on 2 of the 5 didn't check out.  On one, the bad section was 0's.  On
the other, it had a bunch of single-bit errors in one section, the same bit
position each time.  (Comparison done by using the signed MD5 file from
RedHat, and downloading intact copies of the corrupted ISOs from a mirror
site, and then using fc /b .)

I had been under the impression that Kazaa DID use checksums, just that it
had some sort of bug, or was trusting the peers, or something.  I thought
that was what the temp filename was.  (I wouldn't mind someone pointing me
to any good info about the protocol.)

Of course, if someone intentionally or accidentally leaves a corrupted file
lying around, you might download that one on accident.  After all, you only
get to decide based on name.  For example, suppose I chose ISO 2 from the
list, and the one I chose was corrupt, I will continue to correctly
download the corrupt one.  If 5 of the people out of the 50 who have a file
with the same name and size have corrupt ones, and I've picked that one
(because I can't tell them apart), then I would proceed to get the corrupt
one from up to 5 people, even if some sort of checksum is used.  How could
you tell the two situations apart?

This also came up on this list a while ago in regards to the Kazaa program
itself.  The "Kazaa" you get from downloads.com, etc... is just a stub that
downloads the real Kazaa from the Kazaa network itself.  Naturally, this
leads one to wonder if it's possible to slip in your own version.  If
there's a way to upload modified versions of Kazaa, then hilarity would ensue.

                                                BB
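
The byte-level comparison described above (known-good copy against the corrupted download, as done with fc /b), as an added Python example that is not part of the original post: it groups differing bytes into regions and labels each region as zero-filled or as repeated flips of a single bit. The function names and the sample data are constructed for illustration.

```python
from collections import Counter

def diff_regions(good: bytes, bad: bytes, gap: int = 16):
    """Spans (start, end) of differing bytes; diffs within `gap` bytes merge."""
    if len(good) != len(bad):
        raise ValueError("expected equal sizes (same name and size on the network)")
    regions = []
    for i, (g, b) in enumerate(zip(good, bad)):
        if g == b:
            continue
        if regions and i - regions[-1][1] <= gap:
            regions[-1][1] = i + 1      # extend the current region
        else:
            regions.append([i, i + 1])  # open a new region
    return [tuple(r) for r in regions]

def classify(good: bytes, bad: bytes, start: int, end: int) -> str:
    """Label a differing region by its corruption pattern."""
    if not any(bad[start:end]):
        return "zero-filled"
    # XOR of each changed byte pair shows which bits were altered.
    masks = Counter(g ^ b for g, b in zip(good[start:end], bad[start:end]) if g != b)
    if len(masks) == 1:
        mask = next(iter(masks))
        if mask & (mask - 1) == 0:      # exactly one bit set
            return f"single-bit flips (mask 0x{mask:02x})"
    return "other"

def analyze(good: bytes, bad: bytes):
    """List (start, end, label) for every damaged region."""
    return [(s, e, classify(good, bad, s, e)) for s, e in diff_regions(good, bad)]

def make_sample():
    """Constructed data: a 4 KiB 'good' file and a copy with two damaged areas."""
    good = bytes(1 + (i * 7) % 251 for i in range(4096))
    bad = bytearray(good)
    bad[1024:1536] = bytes(512)          # zeroed block
    for j in range(3000, 3200, 8):       # same bit flipped repeatedly
        bad[j] ^= 0x10
    return good, bytes(bad)

if __name__ == "__main__":
    for start, end, kind in analyze(*make_sample()):
        print(f"0x{start:08x}-0x{end:08x}  {end - start:5d} bytes  {kind}")
```

A zero-filled region matches a source that kept the headers and blanked the data, while the same bit flipped at many offsets is the pattern of a fault in transfer or storage, which is one way to tell the two corrupted ISOs apart.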


