Digital materials can be protected from failures by replicating them
at multiple autonomous, distributed sites. A significant challenge in
such a distributed system is ensuring that documents are replicated
and accessible despite malicious sites. Such sites may hinder the
replication of documents in a variety of ways, including agreeing to
store a copy but erasing it instead, refusing to serve a document, or
serving an altered version of the document. We describe the design of
a a Peer-to-peer Information Preservation and Exchange (PIPE) network:
a distributed replication system that protects documents both from
failures and from malicious nodes. We present the design of a PIPE
system, discuss a threat model for malicious sites, and propose
basic solutions for managing these malicious sites.