kos13

Employees
  • Posts: 750
  • Days Won: 92

Posts posted by kos13

  1. We are going to start distributing a new version of SyncApp in a couple of days. Before it goes to users on our waiting list or as an update to our current users, we would like to show it to the people on this forum.

    You helped us a lot in making the product better. We want to express our gratitude to you by sending the new version of SyncApp to you first.

    Please PM me your email and I will send you a link to the new build.

    Thank you for your help

    kos

  2. We are talking about two different scenarios:

    1. Tsu was talking about the case where someone hits the same Secret unintentionally, i.e. not trying to hack (brute-force) a specific account, but rather hitting a Secret that is already used by someone. In such a case you just hit the right combination. Google's protection against brute force won't help in such a case.

    2. Brute-force attack. We already have brute-force protection on the server, and maybe will add it to the client later. However, a brute-force attack against a key of at least 21 random bytes, which requires at least 20 ms to verify one combination, doesn't make any sense at all.

    Why did Google introduce protection against brute-force attacks? Because users use passwords like "123", "password", "hello123". In this case, a dictionary-based brute-force attack is very effective.

    Developing login/password authentication is simple, everyone uses it and the concept is well known to users. However, it is so insecure that we decided to go the hard way and introduce the concept of a Secret to the mass market.

    We will take the time to explain any security concern you might have. The Secret approach is by far more secure than any login/password solution. It is in line with RSA private/public key authentication, which is the strongest authentication from a security perspective.

  3. If you have a Sync issue, then we are here to help you. Having the right problem description and logs will mean that your problem will be fixed in a matter of hours.

    Just email us at syncapp@bittorrent.com and we will answer any question you might have.

    If you do a few steps in advance, that will help us significantly. Please note that in most cases we will need logs from BOTH (!) machines.

    Step 0. Describe your problem

    Don't forget to describe your problem or put a link to the forum post in your email.

    Step 1. Turn on Debug Logging.

    Windows: Shift + Right-click the Sync icon in the system tray and select "Enable Debug Logging".
    Mac: Shift-click the Sync icon in the system tray and select "Enable Debug Logging".

    Linux: create a file debug.txt with the contents FFFFFFFF in the .sync folder. You can find the .sync folder in the same directory where the btsync binary is located. If you are running the binary in config mode, you'll need to put debug.txt into your storage folder.


    Step 2. Reproduce issue

    Please let Sync collect logs for at least 15 minutes to get enough information.


    Step 3. Attach log file to your email.

    Windows: %APPDATA%\BitTorrent Sync\sync.log and sync.log.old
    Mac: ~/Library/Application\ Support/BitTorrent\ Sync/sync.log and sync.log.old
    Linux: .sync/sync.log and sync.log.old


    If you are running Sync in config mode, you'll need to put debug.txt into the defined storage folder.

  4. They can't access my e-mail account by random luck because a username and password match has to be made. In the case of a secret they only need to randomly get the same secret as me.

    Consider this string uuuuuuuuuuPPPPPPPPPPP. This is a 21-character alphanumeric string. What are the chances that if I randomly generate this string and use it as uuuuuuuuuu@gmail.com with password PPPPPPPPPPP I will crack someone's Gmail account?

    Just think about the email and password combination as one string, something like youremail@gmail.comAndHereGoesMyPassword. I randomly generate this string and try to find a collision with someone's Gmail account. What are my chances?

    Cracking a SyncApp Secret is significantly harder, since it uses all bits in a byte, while Gmail uses only letters, numbers and some special symbols, so it does not use all 8 bits.

    Since we removed the limitation on Secret length, you could add your email in front of a 21-character Secret and use it as your Secret, so people would have to guess both your email and the Secret.

  5. The problem is that they don't need to crack it; it can be an unlucky collision. The chances are small, but they are still there if there is no way to guarantee a unique secret.

    But how does SyncApp know which computer has the files belonging to my secret? If I enter my secret on another computer, the original computers need to know which computer was added and how to reach that computer.

    There is no service that guarantees the uniqueness of the private key used by a certification authority, your bank, NASA, the FBI, the White House or any other organization. So how can they be sure that nobody will crack it in an unlikely collision? And there are teams, organizations and countries that intentionally want to crack it. Without any luck, so far.

    SyncApp allows you to use your own key of any length. We are sure that a key of 21 truly random bytes is enough, but you are free to use any key you want.

    And it wouldn't be less secure if it used two secrets. Compare it to having an account for each computer to log on to, from which to manage sharing folders with other accounts, and a separate secret that is also needed to access folders but isn't stored centrally.

    The one-time password's goal is to avoid exposing the Secret to insecure media like email or IM. So, if somebody gets access to your email, he won't be able to reuse the one-time password to connect to your computers.

    It will take decades for a supercomputer to guess that specific secret, but it can take but a second for a random computer to accidentally generate a secret that is already in use somewhere else. Give a thousand monkeys a thousand typewriters and there will be a day when a monkey writes Hamlet.

    With no guarantee that a secret is unique there will always be a chance, however small, that someone will get your files.

    All security is based on the fact that the probability of discovering the encryption key is so close to 0 that everyone can sleep at night :)

    But let me ask you a question.

    Assume a person has fewer than 10 characters before the @ in his Gmail address, the strongest possible password, and it is 11 bytes. What will be easier to crack: the SyncApp Secret or his Dropbox/Gmail/bank account?
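Editor's note: the three exchanges above (posts 2, 4 and 5) argue about the same numbers: a Secret of 21 random bytes, about 20 ms per verification attempt, and the "unlucky collision" case versus a targeted brute-force. The block below is an added worked example, not code from kos13 or from BitTorrent Sync; it puts those figures through the standard formulas (keyspace size, expected brute-force time, the birthday bound for collisions) and answers the Gmail-versus-Secret question from post 5 under stated assumptions. Everything other than "21 bytes" and "20 ms" (user counts, guess rates, the 37- and 95-symbol alphabets for a Gmail local part and password, base32 as the display encoding of a Secret) is an assumption chosen for illustration.

```python
import base64
import math
import secrets

# Figures from the posts above: a Secret of 21 random bytes, and roughly 20 ms
# for the server to verify one guess. Everything else below is an assumed input.
SECRET_BYTES = 21
VERIFY_SECONDS = 0.020
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def generate_secret(n_bytes: int = SECRET_BYTES) -> str:
    """Draw n_bytes from the OS CSPRNG. base32 is an assumed display encoding,
    not necessarily the one the product uses."""
    return base64.b32encode(secrets.token_bytes(n_bytes)).decode().rstrip("=")


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string of `length` symbols over an alphabet."""
    return length * math.log2(alphabet_size)


def expected_brute_force_years(bits: float, seconds_per_guess: float = VERIFY_SECONDS,
                               parallel_guessers: int = 1) -> float:
    """Expected time to hit one specific secret: half the keyspace at the stated rate."""
    expected_guesses = 2 ** (bits - 1)
    return expected_guesses * seconds_per_guess / parallel_guessers / SECONDS_PER_YEAR


def collision_probability(bits: float, n_secrets: int) -> float:
    """Birthday bound: P(any two of n independently generated secrets coincide)
    = 1 - exp(-n(n-1) / 2^(bits+1)). expm1 keeps the tiny result from rounding to 0."""
    return -math.expm1(-n_secrets * (n_secrets - 1) / 2 ** (bits + 1))


def accidental_hit_probability(bits: float, n_in_use: int, n_fresh: int) -> float:
    """Tsu's scenario: P that n_fresh newly generated secrets land on any of
    n_in_use secrets already in use, with nobody targeting anything."""
    return -math.expm1(-n_fresh * n_in_use / 2 ** bits)


def compare_secret_to_login(local_part_len: int = 10, password_len: int = 11) -> dict:
    """Post 5's question: a Gmail local part of up to 10 chars plus an 11-byte
    password treated as one string, versus a 21-byte Secret. Alphabet sizes are
    assumptions: 37 for the local part (a-z, 0-9, '.'), 95 printable ASCII for
    the password; both are taken as uniformly random, the best case for the login."""
    login_bits = entropy_bits(37, local_part_len) + entropy_bits(95, password_len)
    secret_bits = entropy_bits(256, SECRET_BYTES)
    return {
        "login_bits": login_bits,
        "secret_bits": secret_bits,
        "login_years": expected_brute_force_years(login_bits),
        "secret_years": expected_brute_force_years(secret_bits),
    }


if __name__ == "__main__":
    bits = entropy_bits(256, SECRET_BYTES)
    print("sample secret:", generate_secret())
    print("21 random bytes = %.0f bits" % bits)
    # assumed population sizes: 1e7 Secrets in use, 1e12 Secrets generated elsewhere
    print("any collision among 1e7 users: %.3g" % collision_probability(bits, 10**7))
    print("1e12 fresh secrets hitting one of 1e7 in use: %.3g"
          % accidental_hit_probability(bits, 10**7, 10**12))
    print("targeted brute force, 1e6 parallel guessers: %.3g years"
          % expected_brute_force_years(bits, parallel_guessers=10**6))
    for name, value in compare_secret_to_login().items():
        print("%s: %.3g" % (name, value))
```

The point the numbers make is the one kos13 makes in prose: with 168 bits the birthday bound for a population of ten million users is on the order of 10^-37, so the "thousand monkeys" argument is correct in principle but irrelevant in practice, and the uniform-random login string loses to the Secret by more than 40 bits even before accounting for real passwords being far from uniform. The comparison assumes the attacker is rate-limited to one guess per 20 ms; an offline attack against a leaked verifier would remove that factor, which is why the entropy figure, not the delay, is what matters.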

  6. A one-time password is a shorter secret that can be used only once. When you generate an OTP on one device, it will wait until the first device connects using this OTP, and then will provide the full Secret to this device over a secure channel. This way the OTP can be shorter and easier to enter, plus you can distribute it over IM or email, since it becomes useless after the first connection of a device.
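Editor's note: the handoff described in post 6 is worth seeing as code, because the reason a short OTP is acceptable is entirely in the redemption rules (single use, limited lifetime, and the server-side brute-force protection post 2 mentions). The block below is an added example, not BitTorrent Sync's implementation; it models only the side that already holds the full Secret, keeps the "secure channel" out of scope, and uses assumed policy values (40-bit code, 10-minute lifetime, lockout after 5 failed attempts) that the post does not specify.

```python
import hmac
import secrets
import time

# Assumed policy values: the post only says the OTP is short and single-use.
OTP_BYTES = 5              # 40-bit code, 10 hex characters to type
OTP_TTL_SECONDS = 10 * 60  # an unredeemed OTP stops working after this
MAX_FAILED_REDEEMS = 5     # lockout guards the short code (the server-side
                           # brute-force protection post 2 refers to)


class SecretHandoff:
    """Runs on the device that already holds the full Secret. Issues one-time
    codes and hands the Secret to the first peer that presents a valid, unexpired
    code. Delivery of the Secret over an authenticated channel is assumed and
    not modelled here."""

    def __init__(self, full_secret: str, clock=time.monotonic):
        self._full_secret = full_secret
        self._clock = clock
        self._pending = {}      # otp -> expiry timestamp
        self._failed = 0

    def issue_otp(self) -> str:
        otp = secrets.token_hex(OTP_BYTES)
        self._pending[otp] = self._clock() + OTP_TTL_SECONDS
        return otp

    def redeem(self, presented: str):
        """Return the full Secret exactly once for a valid OTP, else None.
        A matching OTP is removed whether or not it was still valid, so a code
        copied out of an email or IM is useless after its first use."""
        if self._failed >= MAX_FAILED_REDEEMS:
            return None
        now = self._clock()
        matched = None
        # Compare against every pending code in constant time, so response
        # timing does not reveal which codes exist or how much of one matched.
        for otp in list(self._pending):
            if hmac.compare_digest(otp.encode(), presented.encode()):
                matched = otp
        if matched is None:
            self._failed += 1
            return None
        expiry = self._pending.pop(matched)   # consumed on first presentation
        if now > expiry:
            return None
        return self._full_secret


class FakeClock:
    """Deterministic clock so expiry can be exercised without sleeping."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds: float):
        self.t += seconds


if __name__ == "__main__":
    clock = FakeClock()
    device_a = SecretHandoff("full-168-bit-secret-held-by-device-A", clock=clock)
    code = device_a.issue_otp()            # sent to device B over IM or email
    print("device B redeems once:", device_a.redeem(code))
    print("replay of the same code:", device_a.redeem(code))
    stale = device_a.issue_otp()
    clock.advance(OTP_TTL_SECONDS + 1)
    print("expired code:", device_a.redeem(stale))
```

Two design points follow from the rules rather than the code size: the failure counter never resets here, so a real implementation needs a lockout window or per-peer accounting, and the one-time property only holds if the device that issued the OTP is the one doing the verification; if the code were verified by a third party that never learns the Secret, the third party would still have to be trusted to relay the Secret over a channel authenticated to the redeeming device.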