Nullsoft WASTE is a mesh-networked p2p filesharing and chat application for Windows, with limited support for Unix.
The acronym WASTE is ostensibly a reference to "We Await Silent Tristero's Empire" or W.A.S.T.E., which "is an acronym printed on mailboxes used as an underground message system in Thomas Pynchon's 'The Crying of Lot 49'."(1)
So just what does WASTE do that makes it worth all the furor? It provides communications within a network of computers, directly connected or not, secured using public key cryptography. It uses a mesh design, which means that users need not have a direct connection to one another to share data, and it allows users to transfer files and to chat alone or in groups. In other words, it is a collaborative tool for sharing both files and information in a secure fashion, though its crypto is not exceptionally strong.
In other words, small groups of users (WASTE is designed for groups of five to fifty) can use it to create a private peer to peer filesharing network. Because it uses no central server, it is not vulnerable to legal attacks such as those which terminated Napster. Because it uses public key cryptography, it is vulnerable only to brute-force attacks. The program allows key sizes up to 4096 bits, which is a fairly large key.
Perhaps the most interesting aspect of this program is the networking. All messages are sent across its mesh network, meaning that any node willing to route (whether or not to route is configurable) will pass packets, and all packets, whether file, message, or public key transmission, are carried over the WASTE network. This means that as long as you can access anyone who can access the network and is willing to route, you can access the network. This is extremely useful when you have a limited number of IP addresses and/or you are using NAT. A server can be set up (or just another client) to receive communications, usually on port 1337. Then all of the machines on your local subnet can access the network through that machine, and in turn be accessed through it as well. However, if those machines create a connection to some other system, then it is also brought into the network. In this way the network gains some level of fault-tolerance, much as multi-homing and dynamic routing lend the same tendencies to the internet.
WASTE was distributed both as a Win32 binary and as source code for both Windows (using Microsoft Developer Studio) and Unix, namely FreeBSD and MacOS X. There is also a quick "port" to Linux from the FreeBSD version, which involved only minor changes. The Unix version, however, is currently only a server and not a client. It would be possible to set it up to receive files pushed to it, but you cannot browse files or participate in chat from Unix. Apparently WINE is not sufficient to the task of running WASTE, either, so currently there is no working client solution for Unix. However, as the source code was released, it is most likely only a matter of time before that particular issue is resolved.
The following few paragraphs apply to the original version of WASTE. Any information contained in the technical section may or may not apply to your version. Setting up WASTE on a Windows system is simplicity itself, but making the Unix server work may not be as easy. For FreeBSD or MacOS X/Darwin, the procedure is simply to run a make in the source directory, using the appropriate Makefile; Makefile.posix for FreeBSD, or Makefile.darwin for MacOS X. (Windows users will be using the WASTE.dsp file if they are trying to build this software from source.) There is also a patched version for Linux running around, based on a quick patch by "grazzy" (see http://www.mjoelkbar.net/). In order to build that version it may be necessary to add "CC=g++" to the Makefile, and also possibly to add "#include <string.h>" to blowfish.c.
Configuring the server is much more difficult than building it. The easiest and best way to go about it is to set up a Windows client (if you have already set up your Windows client, first preserve the Default.pr? files from your WASTE install directory, usually C:\Program Files\WASTE, as they hold your keys and configuration) and then move the configuration files to the Unix system. They will also need to be renamed to change their first character from uppercase (Default) to lowercase (default) so that the "wastesrv" binary will be able to locate them.
The most annoying thing about this process is the initial key exchange. Using vmware, bochs, or a similar program to set up one end on a virtual Windows machine is one solution; I myself used vmware to streamline the process. However, it is far from impossible to do with one system. One should set up the server process' config files, and then export the public key to the clipboard, and paste it into a file. The config files can then be moved to the other system, and your client-end config files reloaded or generated by creating a new key pair. Now, import the server's public key into WASTE, and export your client end's public key into a file. Transfer this file to the Unix host, and add it to the end of the file "default.pr3", the file in which public keys are stored. Now, start wastesrv and attempt to connect to that machine's address from your Windows client. If all is well, you should get a good connection. Unfortunately the server has no interface and so in order to add public keys to it you must add them to the end of the default.pr3 file and then cycle the server; it will not check the file for updates while running.
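The staging and key-append steps above, as an added shell example (not part of the WASTE distribution or of this writeup). The function names, directory layout and sample key text are assumptions made for illustration; the exported key is treated as opaque text, and the files are made owner-only because they hold your keys.

```sh
#!/bin/sh
# Added example, not WASTE's own tooling. Key text is treated as opaque.

# Copy Default.pr? from SRC into DEST as default.pr?, readable by the owner
# only, since these files hold the key pair and configuration.
stage_waste_config() {
    src=$1; dest=$2; staged=0
    mkdir -p "$dest" && chmod 700 "$dest" || return 1
    for f in "$src"/Default.pr?; do
        [ -f "$f" ] || continue
        base=${f##*/}
        target="$dest/d${base#D}"          # Default.pr3 -> default.pr3
        cp "$f" "$target" && chmod 600 "$target" || return 1
        staged=$((staged + 1))
    done
    [ "$staged" -gt 0 ]                     # fail when nothing matched
}

# Append the exported public key in KEYFILE to DEST/default.pr3.
# Returns 0 if appended, 2 if every key line is already there, 1 on error.
add_peer_key() {
    key=$1; ring=$2/default.pr3
    [ -s "$key" ] && [ -f "$ring" ] || return 1
    # Count non-blank lines of the key that default.pr3 does not contain yet.
    missing=$(grep -v '^[[:space:]]*$' "$key" | grep -Fxvc -f "$ring" || true)
    [ "$missing" -eq 0 ] && return 2
    # Make sure the new key starts on its own line, then append it.
    if [ -n "$(tail -c 1 "$ring")" ]; then echo >> "$ring" || return 1; fi
    cat "$key" >> "$ring"
    # wastesrv reads default.pr3 only at startup: cycle the server afterwards.
}

# Demo on constructed files (placeholders, not real WASTE key material).
demo() {
    t=$(mktemp -d) && mkdir "$t/win" || return 1
    for n in 0 3; do : > "$t/win/Default.pr$n"; done
    printf 'CONSTRUCTED-PEER-KEY alice\n0123abcd\n' > "$t/alice.pub"
    stage_waste_config "$t/win" "$t/srv" && add_peer_key "$t/alice.pub" "$t/srv"
    rc=$?; ls -l "$t/srv"; rm -rf "$t"; return "$rc"
}
demo
```

Running add_peer_key twice with the same key file leaves default.pr3 unchanged the second time, which keeps the file clean when the procedure is repeated.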
WASTE was released under the GNU Public License (or "GPL") by Nullsoft on Wednesday, May 28, 2003, and removed from the website Friday, May 30, 2003, leaving behind only this notice:
NOTICE OF UNAUTHORIZED SOFTWARE
An unauthorized copy of Nullsoft's copyrighted software was briefly posted on this website on or about Wednesday May 28, 2003. The software was identified as "WASTE" (the "Software") and includes the files "waste-setup.exe", "waste-source.zip", "waste-source.tar.gz" and any additional files contained in these files.
Nullsoft is the exclusive owner of all right, title and interest in the Software. The posting of the Software on this website was not authorized by Nullsoft.
If you downloaded or otherwise obtained a copy of the Software, you acquired no lawful rights to the Software and must destroy any and all copies of the Software, including by deleting it from your computer. Any license that you may believe you acquired with the Software is void, revoked and terminated.
Any reproduction, distribution, display or other use of the Software by you is unauthorized and an infringement of Nullsoft's copyright in the Software as well as a potential violation of other laws.
However, neither Nullsoft nor its parent company America On-Line (AOL) has provided any further explanation. The release was made from an official Nullsoft web site in the same manner as other Nullsoft releases, so it is difficult to give the notice any credit. As it was released under the GPL, assuming the release was not made by someone incapable of acting as an "agent" of Nullsoft, it would seem to be intractable.
However, WASTE is not GPL compliant and in order to legally distribute WASTE you must remove the RSA encryption code which makes it allegedly secure. This is because the RSA code belongs to RSA Data Security, Inc. and it is not GPL-licensed. Otherwise you are in violation both of the GPL and of U.S. copyright law.
What is far from being resolved is the fact that Nullsoft is now claiming that the release was unwarranted and that the license granted to the software (Again, it was released under the GPL) is revoked. This leads to a range of possibilities for the software's future. Obviously, now that the cat has been released from the proverbial "bag" there is no putting it back. People will be using WASTE until something superior comes along to displace it, though it will likely not enjoy the broad support that would have already come without this legal SNAFU, at least until the situation is cleared up. There are a limited number of reasonable scenarios here:
- The release was the result of the site being illegally hacked and the software being made available by someone not an employee of Nullsoft. The GPL does not mandate distribution to the world, only that those who receive a distribution must receive the source code as well, and they can do anything they like with the source code as long as it remains covered by the GPL. (There is more to it than that, but that is the situation in a nutshell.) This is the only scenario in which the software would probably become "illegal".
- The release was made by an agent of Nullsoft, the ostensible owners of the software (though Nullsoft is in turn owned by AOL) without permission from AOL or even in contradiction of a prior agreement with AOL to have all software approved before release. While this would be bad for the person or persons responsible for the release, and for Nullsoft, the distribution would have been through legal means and all those who received a copy of the software would have a legal right to continue to possess the source code, if not the binary. Binary releases could reasonably be illegal, but armed with the source code, anyone with the proper development toolchain can produce another binary, and distribute it freely.
- The release was made by an agent of Nullsoft, in accordance with a prior agreement, or in accordance with usual procedure. In this case, the software is completely unencumbered, and there are actually possible lawsuits against Nullsoft for attempting to contravene the GPL at this late date.
While there are possibly other outcomes, these are ranked among the most likely.
There is a derivative of Nullsoft WASTE known simply as WASTE on Sourceforge at http://waste.sourceforge.net or http://sourceforge.net/projects/waste/, depending on which view you would like (home page, or sourceforge project.) As of April 14, 2004 the admins are do0d, kompressor, scytale0, and sh4rd. The original version (for Windows) is 1.1, which added some logging and other chat options. Currently the Win32 client's latest revision is 1.4 alpha 2, and there is a MacOS X client whose version is 1.0f. This software is not GPL compliant, as it carries the copyrighted RSA code.
There is also another patched version of WASTE called Wasted which also contains the illicit RSA code. It appears to be a bugfix release. Apparently, the source code for this release is stored on the sourceforge site for WASTE.
Sometime in March of 2004, VIA Technologies, Inc. released their own version of WASTE, VIA Padlock SL. VIA Padlock is a series of technologies (or buzzwords) intended to enhance security or accelerate cryptographic processes. Padlock SL "...implements the Quantum-based VIA PadLock RNG [...] and the VIA PadLock ACE..."(3)
Quantum-based VIA PadLock RNG (Random Number Generator), and the VIA PadLock ACE (Advanced Cryptography Engine) supporting AES encryption. The VIA PadLock Hardware Security Suite is integrated into the C5P Nehemiah core VIA Eden™, VIA Antaur™, and VIA C3™ processors.(4)
In other words, this is a port of WASTE which supports the encryption acceleration features of some of VIA's neat little low-power CPUs. The real news here however (besides a major company picking up a piece of software which, according to Nullsoft and AOL, was released illicitly) is that the new system features a Qt-lib GUI on both Linux (specifically Redhat 9.0) and Windows (specifically 2000). Furthermore, this version of the software uses freely available AES encryption code (when it's not using the hardware AES engine in the Stepping 3 and higher Nehemiah CPUs) so the encryption engine is fully GPL compliant.
VIA removed the package from their website on April 16, 2004. The reasons for doing so are unclear but it is certain that their release was not GPL-compliant. For instance, the interface code was not released with the software, which is GPL-licensed (though they may have intended it to be.) Since the GPL requires including all code necessary to build the binary package, this is a GPL violation. Note that the AES code (which replaces RSA in Padlock SL) is GPL-licensable as per the license information in the top of each related file: "...provided that this notice is retained in full, this product may be distributed under the terms of the GNU General Public License (GPL)..."(6) Therefore it is possible that VIA intends to bring it back with proper license compliance at a later date.
(1) NaNaKat, W.A.S.T.E.. e2node. NaNaKat, May 4, 2000.
(2) WASTE (NOTICE OF UNAUTHORIZED SOFTWARE). Nullsoft, 2003. (http://www.nullsoft.com/free/waste/)
(3) VIA PadLock SecureLine (SL) Utility. Via Technologies, Inc. April 14, 2004 (http://www.viaarena.com/?PageID=399)
(4) VIA PadLock Hardware Security Suite. Via Technologies, Inc. April 14, 2004 (http://www.via.com.tw/en/padlock/padlock_hardware.jsp)
(5) Gladman, Brian. Cryptographic Technology Interests. (http://fp.gladman.plus.com/cryptography_technology/index.htm)
(6) Gladman, Brian, aesopt.h. Padlock SL Source code version 01.09. April 3, 2004.
(7) RSA Laboratories, rsaref.h. WASTE source code version 1.0. 1991.
(8) sh4rd, VIA Padlock and WASTE updates. (http://sourceforge.net/forum/forum.php?forum_id=368414) (Forum post)