Ask HN: I've Built a DHT Torrent Sniffer and Search Engine. Should I Release?

165 points by sylwester over 2 years ago
Recently I was researching about DHTs and developed a DHT Sniffer in Go which connects to some known DHT Routers and sniffs all the announcements. I've quickly added ZincSearch and it is now basically a search engine which can search for hashes, name or files contained in the torrents. It is able to index around 5-10k announcements per second, so the index grows quite fast.

Now, I am thinking about releasing it as open-source for others to study, but not sure if I should, because it might be used for "evil".

31 comments

boramalper over 2 years ago
I had been working on this successfully for a couple years in the past before I got tired of it and moved on. I still think it's a magnificent idea, to be able to host your own torrent site and to decentralise the last centralised bit of BitTorrent.

https://github.com/boramalper/magnetico
mutant over 2 years ago
https://github.com/boramalper/magnetico

Someone else did this a while back, universe continues to exist.
brobinson over 2 years ago
Let it rip. DHT has been around for so long now that whatever bad actors/evil use cases you're imagining have already happened. It sounds like a cool project, and I'd be interested to see it.
majestic5762 over 2 years ago
I wrote a similar solution 8 years ago. I repurposed the system to identify IPs owned by the government, and notified them if a malicious copy of Windows (but not limited to) was seeded by them. Meaning there was a chance that an unknown actor had a backdoor in my government's network. If you wanna discuss, I'm happy to talk and even contribute towards a commercial solution majestic.hn@fastmail.com. I didn't pursue this opportunity for money at that time, but I had my fair share of "shoutz". Won't be bad to pick this up again
tmtvl over 2 years ago
Just AGPL it, I hear it's an effective ward against Alphabet.
retonato over 2 years ago
I have been operating a BitTorrent search engine for a few years (it is closed now), here is some advice if you want to launch it as a public website:

1. There is no absence of people opening the kind of torrent indexers, which you have in mind. In 2010s there were 5-10 such sites launched each year, even nowadays there are at least a few new indexers yearly. Almost all are closed within a year or two (at most). There are reasons for that, some are less obvious than others.

2. Most likely you will close your site after some time as well, here is why:

2.1. It will be difficult to find a hosting, which will tolerate it. Forget about Linode or Digital Ocean or any similar hosting providers - they will suspend your server (first) and account (later) after receiving a few automated DMCA emails. You can use some "second-tier" providers for some time, but eventually even they will get tired of you, you will be out the moment they receive the first paper letter from some law company, which represents some movie company or alike. You can use proxy servers or some other arrangement for some time, but eventually you will decide that it isn't worth the effort.

2.2. The same thing is true for domain provider. Yes, there are a few, which are more resilient, than others, but don't expect that they will protect you and your domain indefinitely for $15 per year. If your site is popular enough - the only option may remain to register a new domain every few months and hop between them. Eventually you will get tired of that. It may take half a year or a few years, but you will.

2.3. There is no money in torrenting nowadays. Forget about ads or donations - even thepiratebay cannot earn money that way, you will not be able to do that either.

2.4. Sadly, torrents are not that popular nowadays as they were 5-10-15 years ago. Some people still use them, but in most developed countries that's more like an exception, than the rule. The rule is netflix, spotify and alike. As a result, if you imagine large and happy community of users around your site - just don't, most likely there won't be any.

2.5. Don't expect just to launch a site and rest. You will spend at least 5-10-20 hours per week on its maintenance (fixing bugs, importing/cleaning data, adding new features, etc). It will feel fine at first, but more and more tiring as the months and years go by. Eventually you will get bored and stop any maintenance. Users don't like old/unmaintained sites, so they will be less and less interested in it. Eventually you will decide, that it isn't worth the effort to run it at all.
sascha_sl over 2 years ago
I mean, it already exists. [1] Always fun to see what my neighbors behind the same NAT download.

[1]: https://iknowwhatyoudownload.com/
the8472 over 2 years ago
Having seen other indexers before I suspect your implementation isn't spec-compliant or well-behaved (perhaps spoofing node-IDs? causing more traffic than necessary?)

If you want to build an indexer you should write a normal implementation and then use http://bittorrent.org/beps/bep_0051.html
r3trohack3r over 2 years ago
You should absolutely open source this. Working with the DHT is a lot of fun, and a great learning exercise.

I adapted my local “torrent roulette” application to an electron app that can be shared. My local version downloads the files, but the one I share only fetches the torrents metadata (easy to adapt it back to my roulette approach). I call it Taboo: https://github.com/retrohacker/taboo

The amount of “evil” on the DHT is pretty low. I’ve run mine for a long time, and very rarely get anything evil. I suspect it’s because of how poorly BitTorrent plays with privacy tools like VPN and Tor, IIUC it’s easy to leak identifying information with BT and its high bandwidth.

Nearly every “evil” file I’ve found is either: a honeypot with not-evil content or password encrypted (maybe to remove the plausible deniability of a random download?). I don’t know if the encrypted files actually contain evil content, I don’t bother trying to crack them and promptly gshred them.

What you will find:

* a lot of content illegal under US copyright law

* a lot of porn (also illegal under US copyright law)

* a metric tonne of fascinating content from other cultures you’d otherwise not be exposed to (also probably illegal under US copyright law)

There is very little “legal” content on the DHT, but most of it is falling on the wrong side of intellectual property law. Sometimes password/credit card dumps. I once found some very sketchy schematics of Eastern European military equipment. But that stuff is also really rare in my experience.

If you do play with these systems, I’ll leave the same warning I left on the Taboo repo:

> Note: I AM NOT A LAWYER! To my knowledge, there aren't any other systems doing this that you can run on your laptop. I suspect the nuance of how Taboo works isn't going to be appreciated by your local law enforcement. If you don't want to test the legality of Taboo in court, I'd strongly recommend either: running a VPN (less safe) or not using Taboo (most safe). If you want to use Taboo with a VPN, may I suggest putting some money in an envelope and sending it to Mullvad?

Adding this on after reading your comments elsewhere in the threads:

If you're worried about Intellectual Property enforcers using this for evil, I wouldn't worry too much about it. BTDigg already exists. Not that what you're doing isn't novel or exciting (great work on this BTW) - but DHT indexing is an art that's already being practiced. Cat is out of the bag.
0dayz over 2 years ago
I would recommend writing down the worst and best case scenarios that could happen with your software, then determine if you notice either that through severity or quantity the software outweighs the positives, don't release it.
jrm4 over 2 years ago
*Please* do. This old-ish timer is kind of blown away by the idea that you shouldn't.

Nothing evil about being a modern archivist/librarian, despite what big companies would tell you.
pdimitar over 2 years ago
I imagine any bad actors who store IPs of torrent seeders have done so a long time ago already so your software will not do any harm that hasn't been done already.

Go for it and open-source it.
hardwaresofton over 2 years ago
Would you mind explaining why you chose ZincSearch? Curious on why you picked it over some of the other non-ElasticSearch/OpenSearch alternatives (Meilisearch, Typesense)
BLKNSLVR over 2 years ago
I'll add to the chorus of people saying "yes, release it".

If you're worried about blowback as a result of "evil" uses / users, is there a way to release it (somewhat) anonymously, so it's difficult to be traced back to you?
qualudeheart over 2 years ago
Which evil usages are you concerned about? I think it would be very useful for the public.
icpmoles over 2 years ago
Is it basically btdig.com?
keroro over 2 years ago
torrent-paradise [0] is a go project which seems to do the same as your project and has existed since 2019. It’s since gone down but remains up on IPFS [1] but its index hasn’t updated since January.

[0] https://github.com/urbanguacamole/torrent-paradise

[1] https://cloudflare-ipfs.com/ipfs/QmQjsKamNFZRvCMXDvZXQmRYjsmSkmZG5pBCTY4LtMj8hs/about.html
compressedgas over 2 years ago
Consider that such already is available as open source in Go even.
joeman1000 over 2 years ago
Please release it. We are in dire need of good torrent search without ad-trackers or other nasty stuff.
navjack27 over 2 years ago
That would be very useful... Just release the code and building instructions.
arthurcolle over 2 years ago
Magnetissimo did this too, and he's still around.
bArray over 2 years ago
At the very least, please do a write-up for us on how you're achieving 5-10k announcements a second.
gwnywg over 2 years ago
I was planning to start learning GO, I'd be definitely interested to learn from your project :)
gloosx over 2 years ago
You should def release it, what else can you do with it? Just let it rot and fade away?
2Gkashmiri over 2 years ago
yes please. you are not responsible for any "Evil" users of the software might do. This is not even about enabling bad stuff, this is just natural progression of technology.
hombre_fatal over 2 years ago
This is a good example of our hubris as developers. We like to think our project will have some impact on the world when in reality you’re extremely lucky if anybody notices much less cares. ;)
thinkmcfly over 2 years ago
I think you should. From my understanding, use of DHT is already dead in the eyes of most torrenters
acehw over 2 years ago
it's a tool. What people use it for is their business.
yieldcrv over 2 years ago
yeah release it
ehPReth over 2 years ago
please do!
dontbenebby over 2 years ago
> Now, I am thinking about releasing it as open-source for others to study, but not sure if I should, because it might be used for "evil".

For evil? I wouldn't worry about *that*. Not now.

You should put prominent warnings it's not "consumer grade" or whatever, but I think there's more value in sharing your code than there is risk someone will perform an attack they otherwise couldn't. Conversely, the second amendment wasn't just meant to apply to guns -- in America, "arms" can absolutely mean "cyber".

Now, to be fair... the NRA is basically a way for boomers old enough to get "reoccurring income" to write off donations to the GRU on their taxes at this point, but there was a time in this country[0] when they used to give people who had a re-occurring subscription were sent a video called "Stop! Don't touch!!" (or something to that effect), which was meant to be their first lesson on guns -- and make no mistake, when you "cyber", you're reaching into the toolbox.

There was a period in the 2000s where it was EXTREMELY difficult to get some of these tools up and running, and then, in parallel, you could also experience hardware or driver issues, and people quite rightfully used to scare the everloving shit out of the type of person who would bring esoteric knowledge to light too quickly.

Even if you knew exactly which commands to run, in which order, you had to deal with stuff like the fact the drivers for Airport literally won't go into monitor mode, which is when you tell the radio in your laptop to store not just the packets addressed to it, but any packets that happen to... drift on by.

I really cannot emphasize enough how hilarious it was to me that it took until about twenty goddamn twenty[-1] for some folks to realize the main benefit to "cyber" is that it's remote -- since I was about twelve years old, I've run into people who do... very rude things with the computer, paired with wielding the fact that in the united states, possession of what is now being called "CSAM" was what's called a "strict liability" offense -- pair that with gatekeeping access to the title "security researcher" and it led to a *very* uneven playing field.

(They'd also do things like say oh, gee, you can't get a security clearance if you engage in software piracy, while also telling folks it's probably better to just torrent stuff than use some shady torrent site... and mentioning they have a security clearance in another thread or whatever.)

Now, if this program was, say, a script that spiders through a hard drive using the Luhn algorithm[1] to suss out if the drive contains PII or automates bringing down one's wireless interface, changing the MAC address, then bringing it back up... that might be something you might not want to give to your enemies by putting onto Github or whatever.

Myself, I usually still stick to the Pirate Bay -- I've still got a backlog of stuff I haven't watched... it feels like just a short time ago I was getting all emo I had no one to watch "Cats"[2] with, ha-HA!!

But this? I think you're good to go, and I thank you for taking the time to learn the version control system and share your code.

If anything, you'll be aiding public health. Streaming services are abusive... I own very few movies since I've moved around so much -- it became a running gag with my exes -- but it's like back when cable briefly wasn't going to have commercials, then within pretty much one generation they added them right back in addition to collecting the subscription money[3]... those sorts of people should be shown that video from the 80s of the one KGB defector explaining that America is unique, and there is nowhere else to defect to.

(He was right, and if you abuse your access folks might be unwelcoming.)

-- [-1] I purposefully waited about two years to make *that* joke... at least two times.

[0] (I'm posting from my home)

[1] I was told it's used to verify something is a CC # but apparently it can get some false positives -- that wasn't mentioned last time I looked it up, hehe: https://en.wikipedia.org/wiki/Luhn_algorithm

[2] Did you people forget that they called it Redphone because it was supposed to REDUCE tensions?

[3] https://web.archive.org/web/20150501092025/nytimes.com/1981/07/26/arts/will-cable-tv-be-invaded-by-commercials.html