% Waste Network Advisory
% June 6, 2003
% jdm, j.miller@shaw.ca

- Introduction

For those of you who don't know, Waste is a secure P2P and chat client released by Nullsoft. Waste allows users to set their own network name, so that only other Waste users with both your key and the same network name as you can connect to you. This function can provide some extra security; however, it has one major flaw. If your network name is switched, not only do you remain connected to your current network, you also connect to the newly specified network. All of the networks you are connected to are merged together, and users of both networks will now be able to chat and share files with one another. This could pose a serious threat to a business network if an employee were to change his or her network name, allowing outside users to access whatever sensitive files are being shared on the company network.

-----

- The Problem

Under 'file > options > network' one can change the name of his or her network so that he/she can connect to other users with his/her public key using the same network. Once connected to the specified network, the user can chat and download files from all other users on the same network. If a user were to change his or her network name mid-session, they would remain connected to the current network, and at the same time connect to the newly appointed network. The flaw is that all networks the user is currently connected to merge together, allowing users of both networks to chat and share files with one another. Any files that may have been "secure" within one network are now available to all other networks that any given user may be connected to at the same time.

Fixing this mistake can also be troublesome. If you have made this mistake, you will first have to change back to your old network name, and wait for any other users on the unwanted network to disconnect before the two networks become individual again.

PLEASE NOTE: There is no reason for a user to change his or her network ID while already on another network, unless the user is completely braindead or too lazy to create a new profile. If a user wishes to access more than one network safely, I suggest that he or she make a separate profile for each different network. A new Waste profile can easily be created by going to 'file > preferences > profiles > profile manager'. From there you can then make a new user and key. This new account could then be used to access a separate network.

-----

- The Solution

At this point in time the only fix I can see is to disconnect from your current network before changing your network name, and not to share your network name with any troublesome users who have your public key. And as mentioned above, I suggest using only one network ID for each user/key that you have created.

-----

[Thanks to son4r & Debolaz for their help]
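
The merge and the workaround described above can be reproduced in a small model. The following Python sketch is an added example, not code from Waste or from the advisory's author. It assumes that the network name is compared only when a connection is set up and that chat and file traffic is relayed across every established connection; the Peer class and the peer and network names are constructed for illustration.

```python
# Simplified model of the behaviour the advisory describes; not Waste code.
from collections import deque


class Peer:
    def __init__(self, name, network):
        self.name = name
        self.network = network  # current network name
        self.links = set()      # established connections to other peers

    def connect(self, other):
        # Assumption: the network name is compared only at connection setup.
        if self.network != other.network:
            return False
        self.links.add(other)
        other.links.add(self)
        return True

    def rename(self, network, disconnect_first=False):
        if disconnect_first:    # the advisory's workaround
            for other in list(self.links):
                other.links.discard(self)
            self.links.clear()
        self.network = network  # otherwise existing links stay in place


def reachable(start):
    """Names of every peer that can chat or share files with `start`."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in queue.popleft().links:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return sorted(p.name for p in seen)


def scenario(disconnect_first):
    # Constructed sample: two office peers, one employee, one outside peer.
    alice, bob = Peer("alice", "corp"), Peer("bob", "corp")
    employee = Peer("employee", "corp")
    outsider = Peer("outsider", "public")
    alice.connect(bob)
    employee.connect(alice)
    employee.rename("public", disconnect_first)  # mid-session name change
    employee.connect(outsider)
    return reachable(outsider)


if __name__ == "__main__":
    print("rename while connected:  ", scenario(False))
    print("disconnect, then rename: ", scenario(True))
```

In the first scenario the outside peer reaches every peer on the company network through the employee's surviving connections; in the second it reaches only the employee.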