I want to read this topic and I have to go through your idiotic rants.

Just wanted to say I agree with #67.
You can’t get fakes if you DL torrents
from the trusted uploader’s account.
All you need is common sense

You saw an “invisible” forum?
You’re really stupid and you’re hallucinating now

get well soon LoL

let ssee where they at public…..

Good discussion. Something definitely needs to be done on the technology side to reduce the number of fake torrents. Your ideas of PGP/GPG signatures sounds like a good start.

@48: You mentioned that a PGP signature wouldn’t really help because fake uploaders could supply their fake aXXo key, for example, and so the fake torrent would falsely validate correctly.

This is a good point. So what else could we do? Part of the way PGP public keys appear to work is to have a trusted place where people can acquire the public key in the first place for any given individual/uploader. These already exist: they’re called PGP public key servers.

If these PGP public key servers require too much personal information for registration, we could create anonymous PGP public key servers if the existing PGP public servers don’t provide enough anonymity. Trackers/torrent sites can then check the public key registered with the user name/ID at these (anonymous) PGP public key servers with the public key used to sign the uploaded torrent.

The only new requirement for users wishing to upload torrents then is to register a public key with an (anonymous) public key server.

@48: The point you made about 3.7Gb file being used to generate a signature taking a very long time is another good point, but this can be alleviated by employing your followup statement of using the MD5/SHA1 hash of the content instead. It’s okay if there are collisions, the point being that the likelihood of collisions is extremely small, and almost non-existent if someone is trying to duplicate content (fake) to have exactly the same SHA1 hash.

You said that you could easily make a fake file and give it the same MD5/SHA1 hash as the aXXo release, then paste everything from aXXo’s post (public key, signature etc.) into your fake post. This wouldn’t work if you adopt the strategy I mentioned above coupled to your (good) suggestion of using the MD5/SHA1 hash. For example, you could generate the SHA1 hash for the content. Then generate the signature for the SHA1 hash using your *registered* public key on a PGP public key server. Trackers and torrent sites could simply verify that the SHA1 hash is correct for the content using the uploaders p2p client, and then the torrent could be “signed” by signing the SHA1 hash. So these are the steps in point form:

The uploader performs the following prior to making their torrent content available:

1. Generate a SHA1 hash for the content.
2. Sign the SHA1 hash using their public key available on an (anonymous) PGP public server. This will generated a Signed-SHA1 key.
3. Upload their torrent using their p2p client providing the SHA1, Signed-SHA1, user name/ID.

The tracker/torrent site would then perform the following steps at the beginning of the upload process:

1. Confirm the SHA1 hash for torrent content using the uploaders p2p client.
2. Obtain the public key of the uploader from the (anonymous) PGP public key server using their user name/ID.
3. Confirm that the Signed-SHA1 hash resolves to the original SHA1 hash using the public key to decrypt the Signed-SHA1 hash.

And voila! No more fake torrents from uploaders posing as others.

Now, a fake uploader not using any of the popular names aXXO, KlaXXoN could still upload a fake as a different/new user and have their public key registered on the (anonymous) PGP public key server. In this case, one additional piece of information that the trackers/torrent sites could obtain from the (anonymous) PGP public key servers is the time that the user has been registered with the PGP public key server. The tracker/torrent site could have new registrants tagged as “untrusted”. In fact a new column could appear in every tracker/torrent site listing showing the level of public trust associated with a given uploader. The longer they’ve been registered, coupled to the greater number of non-fake uploads, the greater their trust rating.

Users uploading fakes would have to change their registration and user names frequently and re-register as new users on the PGP public key servers because the trackers/torrent sites would tag them with a very low trust rating given their previous fake uploads.

Thoughts?