btusername's Achievements

Advanced Member


  1. +1, couldn't say it any better myself. I can't recommend this product to anyone until the security claims are validated.
  2. Please keep in mind that your keys, no matter how they are generated, how long they are, or how random, are not secure in any way if you send them via insecure methods like unencrypted email, chat, Facebook, AOL, Yahoo. This includes all communications that are "secured" with SSL unless they are using DHE or some form of PFS (perfect forward secrecy). This is because the SSL keys are being handed over due to gag orders and wiretaps required by the NSA and government. This is also thought to not be only obtainable by the NSA due to speculation that is off topic. But in short, your keys and data are only as secure as your weakest link, and that would be at this point sharing the keys to sync, the storing of those keys, etc. Someone earlier mentioned using GPG/PGP to encrypt the keys, I believe. I would ask, if you're going to take the time and effort to encrypt the keys, why not just encrypt whatever it is you're sharing, and sync it with other methods?
  3. Since the source isn't open, we can't trust what the application claims to do, and it is therefore insecure. If, however, the sync protocol is opened up for the public (not just internal developers), then an open source alternative could be created and modified to perform other functions as desired.
  4. I think the more important and accurate question to ask is: 1. How does BT plan to monetize their heavy investment in BT Sync? .... any guesses?
  5. To assume we aren't the product would be a leap also. We just don't know, that's the problem. Just to confirm, no official announcement has been made on Sync's licensing, right?
  6. I'll at least ponder the notion, maybe you are correct. I agree.
  7. If the option is to use GPG/PGP, or some form of encrypted chat to send the keys to be shared, wouldn't / shouldn't I just use GPG to encrypt the file I'm trying to share anyway, at which point I could use any syncing / sharing service? To sync with someone else requires that you share your key, and if you can't share that key securely .. then you can't sync securely. To say sharing your key is outside of BT Sync's scope is to say that sharing your key so that you can sync securely is outside of BT's scope and defeats its purpose. BT doesn't have to even develop a secure way to share keys or communicate, just implement already existing features, team up with up and coming services like, or at least inform users that your security is dependent on the secrecy of that key, and that sending keys via unencrypted chat or email like Facebook, Yahoo, AIM, AOL, Gmail, Google Hangout, Outlook, etc. is insecure.
  8. There are a million and one ways the key could be obtained prior to me being able to "write it down" (which is very inconvenient), and there is no way for me to confirm that this doesn't occur without the source being open.
  9. You're exactly right, and it's already happening, i.e. backdoors to your data.
  10. Wouldn't really be wise, as if someone finds your secret key, they could easily decode the base64 and get your email address and password.
  11. That's like saying Linksys, Belkin, or Asus only has to develop a router to transfer your data, not secure it by using some fancy WPA2 encryption. Do they need to develop new ways to communicate securely? No, but they could. Should they implement already existing features to secure your data and the application's reputation? Of course they should. This application is built around one single premise, sharing your key. You're advocating that the most important aspect of this application is not the burden of the application and protocol developers?
  12. Are the TOS, EULA, and PP for Sync the same as those listed for the main BT projects? These listed don't yet mention the Sync product.
  13. When you are required to share your key to sync data, it becomes the burden of the application to offer ways to share that key securely. This is undoubtedly the weakest link. One-time keys are not suitable for all syncing needs solved, yet not implemented in this application.