So, let's start with how RIAA is able to find people who might be sharing music. Since I don't know the actual tactics RIAA is using I'll have to guess. But I do know from news reports that one technique is to demand from your ISP the traffic logs when your computer connects to their network. Currently, ISPs have different retention policies on how long to keep these logs, but this is really the reason why that moron AG Gonzales wants to mandate the retention of those logs for a much longer time. In fact, he wants the Justice Department to set the retention time, and that might actually become a permanent retention policy. THIS HAS NOTHING TO DO WITH HOMELAND SECURITY! It's all about the money. Period. Anyway, I'm digressing. Don't confuse these logs with the web logs of a web server. They're not the same thing. Because your ISP knows who has what login credentials and when you login, these logs are the best way to determine the identity of someone. It's true you can use anonymizers and/or TOR (read my article on this website), but in most cases the traffic between your computer and your ISP is not going to be encrypted. Sometimes, disguising your data as being something benign is a good tactic to avoid your ISP knowing what exactly you're sharing. I'll get into a few techniques in a minute, but first let's do some Internet 101.
For those of you more Internet saavy, please bear with me, but this article is really for the laymen and not for security professionals, hackers, etc. Anyway, when you turn on your computer and connect to the Internet, your computer is actually connecting to a another "computer" at your ISP. It is the job of your modem (dialup, cable, dsl) to convert your requests like web browsing in a format that your ISP's "computer" can understand and then route the requests to their destination. These "packets" can be logged, tracked, and even reassembled to be displayed at the ISPs offices. They indicate your activity and what it is you're looking at, listening to, etc, over the Web. That is why RIAA, and also the NSA and the FBI, all salivate when they think about getting their hands on all types of log files that an ISP might hold. So if you start to download mp3s from a website, even if you're doing so through a proxy server or anonymizer software, your identity can still be discovered if the ISPs log files were ever subpoened. As a side note, those of you at colleges and universities should consider this situation applies to you as well, that is why the pricks at RIAA are sending all those letters to your deans.
So, you want to share your legally bought mp3s with your friends but you don't want to be made into a psuedo-criminal and forced to watch that fucking pack of shit-lies video produced by RIAA? Sorry, there's no easy way. In order to protect yourself you're going to have to spend some time learning and reading about how the Internet works and how you can be tracked. But, this article will try to guide you on what techniques will be useful to you in your quest to take back your rights and at the same time fuck over Mitch Bainwol.
The first piece of advice I will give you is to GET OFF WINDOWS. No ifs and or buts. You cannot trust that OS any longer because no one knows how they've been modifying the system in terms of so-called "copyright protection". And it's true the techniques I'm going to describe can work on Windows, but you have to be a bit more technically saavy to set up the Unix emulator Cygwin. Just don't bother with Windows. Period. The techniques I'm going to describe were honed on Linux and I suggest you take the time to learn how to install it and use it. Trust me, it's worth your time.
The second piece of advice is DON'T DOWNLOAD AND STORE MP3S ON YOUR COMPUTER'S HARDDRIVE. Use an external USB drive. Those mini thumbdrives make excellent storage units. Plus, if your computer is ever seized, the first thing the police will do is to mirror your drive for forensics analysis. It's also more preferable that that drive have an encrypted file system on it, but that's beyond the scope of this article. If you're interested, you can read one of my articles I wrote for 2600. In fact, this article has one of the techniques I'm going to write about.
The third piece of advice is to use one machine, preferably a laptop, for downloading, and ONLY that machine. The reason I suggest a laptop is so that you can take it everywhere you go and not leave it sitting at home alone where it can be stolen or carried off in a secret warrant execution.
The fourth piece of advice is to use some sort of anonymizing technique, whether it be web anonymizers or anonymizing software such as TOR. You can read the article I wrote about TOR here, but I should point out that using the TOR network for downloading mp3s can be slow. Also, there are ways to track the real IP address of users who are using TOR. You can read about it here. Moral of the story- don't use a Java-enabled browser.
So, let's get started. The problem with downloading mp3s besides the fact the RIAA-nazis will go apeshit and always assume you are a criminal, is the mp3 format itself. You see, although an mp3 file is technically a binary file it contains headers and sometimes metadata that flag it as an mp3. So, sometimes the fact that you are downloading an mp3 might be obvious to someone sniffing the network or recording your actions. The idea I'm going to suggest is this- convert the mp3 into a type of data that is hard to tell it apart from other legitimate data. And the type of data that pops in my mind is Base-64 encoding. You are actually familiar with Base-64. It is what's used to convert email attachments when sending them over the Internet. So, here's how you do it. You take your mp3 file and on Linux you run this command:
uuencode -m song.mp3 a.txt > a.txt
Depending on what version of Linux you're running, the above command may have to be in an alternate form. Also, this will result in a file size larger than the original mp3. Notice I gave the txt file a different name. My suggestion to you is to not use file names that might suggest that it's a Base-64 encoded mp3. Give it a name that's more innocuous. Stay away from words like "track", "song", "rip", or the real title of the song. You might want to vi that text file to get a good sense of the format of a Base-64 encoded flat text file. That format is important so you shouldn't mess with it. Anyway, to convert that text file back into an mp3 you would run this command:
uudecode -o song.mp3 a.txt
So, what good is an mp3 converted to a flat text file? Well, for one thing when you send it around on the Internet it looks like an ordinary attachment from a network stand point. It's not obvious that it is an mp3. Secondly, you can place it out over the Internet at more places than you could as an mp3. For instance, most of these free websites such as Geocities don't allow certain files to be uploaded, such as mp3s or executable files. But some do. But most nearly all allow a flat text file with a .txt extension to be uploaded. And better yet, if you link to that txt file from another page, eventually Google and Yahoo are going to cache that file, meaning you can bypass the miserly bandwidth limitations that sites such as Geocities imposes on your free website. That is why the OSIN reports are structured the way they are, meaning only simple HTML on the Geocities pages and all images kept seperate on Yahoo Images pages which have no bandwidth restrictions.
But there is a major problem using the above technique. Some sites such as Geocities limits the amount of disk space you get with free websites. At Geocities that is around 15Meg (with a 5 Meg upload limitation). Take into consideration that converting a 3 minute mp3 might take up at a minimum of 3 Megs and it becomes apparent you'll fill up your free website quickly. So, what other options do you have to store your Base-64 encoded mp3s? Most free email sites such as Yahoo and GMail offer at least 1Gig of storage space. So what you could do is send these Base-64 encoded files as an attachment to yourself and use the email account as a storage area. Then when you're ready to share your music you can forward that email to anyone you want.
But the above scenario does have its limitations. For one thing most of these free email sites limit the size of attachments. I believe with Yahoo it's around 10Meg. So what if your Base-64 encoded mp3 is more than 10Megs? Then you're going to have to split it up. There is another Unix command that's been around for a long time called 'split' and you can actually break up your flat text file that was too large. Let's say song.mp3 is slightly less than 15Meg in size. You could break up the file in 5Meg segments this way:
split --bytes=5000k song.mp3
This will result in three files called xaa, xab, and xac. The 'x' is the default prefix, but you can use any prefix you want. Just read the man page for the split command for your version of Linux to figure out what that is. Then you have to convert each of those pieces to a Base-64 flat text file like this:
uuencode -m xaa xaa.txt > xaa.txt
uuencode -m xab xab.txt > xab.txt
uuencode -m xaa xac.txt > xac.txt
Just don't forget the order and which pieces go with which song. As a side note you can actually listen to segments of an mp3 file. Splitting it up like this doesn't hurt the file. Then to convert your large mp3 back, you run the uudecode command on each piece of your Base-64 encoded text files like this:
uudecode -o xaa xaa.txt
uudecode -o xab xab.txt
uudecode -o xac xac.txt
Then all you have to do to reconstitute your complete mp3 file is this:
cat xaa >> newsong.mp3
cat xab >> newsong.mp3
cat xac >> newsong.mp3
The techniques discussed above work well with song tracks off of an album, especially with genres such as pop or country but you probably wouldn't want to use them on something so large as Wagner's Ring Cycle, although it can be done. Use your imagination and be creative. This section is not meant to be definitive, just something to stimulate thought and give you guidance on sharing and storing your mp3s and along the way bringing down the music industry. But let's take this idea further.
Suppose you want to host your music files on your own machine and make them available for anyone to download. Of course, you don't want to do this over a regular connection and you would want to password protect the site so that only people you want to have access to your files can get them. In this example I would use Apache set up to ONLY run as a webserver over https. In that way your ISP will have a difficult time telling what type of data is flowing between your web server and surfers logging in. But remember that by giving out the IP address of your machine may make it easier for RIAA-fuckers to find you. We want to stay away from publicizing any IP address numbers. So how do you do this and still extend an invitation to people you want to share your music with? Well, there is another aspect of TOR you may not be aware of. It's called a hidden service.
A hidden service on TOR is a service that you run on your machine and generally the only way users can get to it is by going through TOR and using the unique identifier that is assigned to your machine in the TOR network once you start up TOR. For instance if you've set up an Apache webserver listening on port 443 (https) someone would access the server by using the unique TOR identifier name you get assigned when you start TOR. That could be something like this:
https://trura89daysnt5634.onion/
Assuming you get TOR and Privoxy set up correctly, setting up a hidden service is very simple. It entails adding two lines to the torrc config file (sometimes located in /usr/local/etc/tor):
HiddenServiceDir /usr/local/var/lib/tor/hidden_service/
HiddenServicePort 443 127.0.0.1:3002
You do have to create that hidden service directory first and the user you run TOR as must have write access to that directory. Also, you'll notice I put port 3002, the port where my Apache is listening since my ISP blocks ports 1024 and under inbound, so I have to use a higher port. What that second line tells TOR is that traffic coming in from port 3002 should be treated as if the calls were coming over https. If your ISP doesn't block inbound traffic to popular ports and you wanted to run regular https that second line might look like this:
HiddenServicePort 443 127.0.0.1:443
So how do you know what your unique TOR identifier is? Inside the hidden_service directory is a file called 'hostname' and that is where you find it. And that is the name you give out to only select people that you want to be able to download your mp3s. Also, don't forget that the '.onion' part is also needed. I haven't gone into much detail in setting up TOR since their documentation is fairly straightforward and easy to understand. You don't have to be a programmer or a sys-admin to install it so any layman can do it. You can find all of TOR's documentation at http://tor.eff.org/documentation.html.en (English. They also have it in other languages) Also I haven't gone into any detail in how to set up Apache because that is beyond the scope of this article. You should consult Apache's documentation. However, you don't have to use Apache and in fact, the TOR website recommends you don't unless you understand how to prevent Apache from giving out your IP address. If you do use Apache make sure you change all the 400 and 500 series error files that Apache uses when someone makes a request for a file that doesn't exist on the server. You've probably seen it before- 403 error. There are other errors that Apache can return and generally it might accidentally give out your real IP. Because those files can be installed anywhere it's hard to tell you where to find them, but a default installation of Apache on Linux tends to dump them under /var/www/error. They are .var files and all you do is edit the section for the default language you are using and remove everything and put your own wording in that section. You don't have to restart Apache for it to take effect.
Well, that's about it. As a personal note from me to RIAA- The way you have conducted this so-called copyright terrorism war on grandmothers, children, and college students is the epitome of avarice and arrogance, even greater than I see from other American corporations. You haven't heard the last from me.