NeoXiD

Everything posted by NeoXiD

  1. Hi Mike, thanks for your message. I only barely watched the development of Sync 2.0, as I've already guessed in the past that such things are probably going to happen. I had also written a statement about that on GitHub and stopped development altogether. They've introduced new protocols, a lot of reverse engineering would be needed and with Sync 2.0 it might get even more legally questionable if you start with bypassing pro-only restrictions. BitTorrent Inc. said in the past that they're going to tolerate my project for now and I'm not sure if they would still do so nowadays. I'd rather like to see a new solution/product, completely written from scratch and open-sourced. Even if I'm going to create a new tracker emulator, people would still have to use closed-source software and ugly hacks and workarounds. I would no longer trust BTSync for any seriously secret data and would suggest treating it like Dropbox or similar cloud storage providers, in terms of security. To cut a long story short, I never expected them to release an open-source version and now it's even more unlikely - they'll probably never do, so even if you create a full working tracker/relay emulation, people would still have to use software which can't be properly audited and maybe even includes backdoors. You never know... Best regards, NeoXiD
  2. > http://forum.bittorrent.com/topic/25855-release-own-tracker-for-usage-within-companies/
  3. That's not a tracker, these are static IPs. (And this feature isn't even implemented in the mobile applications...) And this might work if you've got around 3-4 clients and you own all of them... But what if you want to share some files with friends, coworkers, ...? Ask them for their IPs and update them all of the time? Request some dynamic DNS domains from them? That's clearly no tracker replacement. And I would also claim that a single computer which accepts incoming connections does not act as a relay server, otherwise this option would not be needed. Of course, you can get some server which is publicly reachable and let it sync all the files, but it will not help with "relaying"/"supporting" a 'direct' connection between two other peers.
  4. You've mentioned another good point, thanks @CptDerp. owncloud isn't really an alternative imho and Tahoe-LAFS is a bit complicated. I've tested both of them already, but I didn't find something yet which is as simple and works out-of-the-box like BTSync does. But unfortunately it is very unlikely that BitTorrent Inc. will ever release BTSync as an open-source application, so we have to trust this 'blackbox' or just don't use it anymore. But truly some statements which are mentioned on their homepage are probably marketing bs and nobody can tell how secure BTSync really is.
  5. I've just posted a long thread about this, you can read it at http://forum.bittorrent.com/topic/26538-concerns-about-the-security-of-btsync/. It describes all the data which gets transferred and all possible security problems. For general use, you should be fine with BTSync, but always think carefully about trusting some closed-source software.
  6. Hello there, I'm the developer of sync.io, a private tracker server made for BitTorrent Sync. This project is unofficial and not finished, but some people are already using it. To accomplish this project, I had to reverse engineer a lot of the used protocol and can therefore give you some details about the security of BitTorrent Sync. First of all, BTSync is not 100% private as it might be mentioned on some pages. Think about the following thing: You've got 5 clients, all with the same secret, located on some different networks worldwide. How do they find each other? They've got no chance without any external help. This is where BitTorrent Sync's tracker server comes to help - some "share identifier" (not the secret) will be transmitted to the tracker server including your private & public IP address. You will get all active peers as a reply, and can therefore establish some direct connections. You're affected by some really secure firewall rules? The relay server comes in place - it will be a middleman between two peers and all the data will be transmitted over the relay server if no direct connection is possible. You can easily see this when BTSync shows a "cloud" symbol next to a peer. Summary of data BitTorrent Inc. gets from you:
     • the private and public IP address of all connected peers
     • the share secret (I do not know yet how it will be generated, it is related to the secret keys but can't be reversed, I think)
     • unique identifier (will be generated for each installation, you can also say 'unique peer id' to this)
     • if no direct connection is possible: packets containing the destination peer id & the encrypted data
     Normally they'll only have your IP address and a unique peer identifier and they could do some statistics about the average amount of shares a BTSync user has, but they do not see any share names or the data. If a relay server gets used, all the encrypted data gets sent over their servers.
If the encryption is secure and correctly implemented, this won't be a problem. But if there are some big mistakes or flaws, they could easily intercept the traffic and decrypt it. And if they would be able to decrypt the data of one peer, they would know every other peer (including their IPs) which has access to this share, thanks to the tracker server. And yes, I know, a tracker server -is- necessary. So, these are some things you should know. I do not want to accuse BitTorrent Inc., but you never know what things look like. No one also knows how the encryption works in detail - everything is closed-source and can not be checked by anyone else. Reverse engineering of the binaries is also forbidden, and it looks like they want to release an enterprise version with private tracker & relay support, so they're not that happy about open-source solutions like 'sync.io'. Also, some other notice: They've mentioned somewhere that they are unable to shut down the BitTorrent Sync service. This is not 100% correct. Indeed, it is correct for LAN-only environments with activated peer discovery. But what if they shut down the tracker and relay servers? External connections would not be possible anymore. To cut a long story short: They could shut down BTSync (except the LAN feature), they can -maybe- intercept your traffic and decrypt it, depending on how "secure" the encryption really is (and if relay servers are being used, which is often the case for mobile connections). Things I would wish for the future: Easy support for own tracker and relay servers, an open and world-readable documentation about the protocol, API without any 'stupid' (excuse me) API keys which can be limited and maybe open-source the application all together. I might sound paranoid but I regard security a lot. And I just wanted to share my thoughts with all the BTSync users. Do not accuse me of hating BTSync, I really love its simplicity and it works fine, but I am always doubtful about such sync tools.
Thanks for reading the whole post, Regards NeoXiD
  7. Sorry for that issue. I've just refactored huge amounts of Sync.IO, the code is now much more readable, structured and also includes more checks, so bad stuff like that should not happen again. Still, like for every node.js application, I can highly recommend forever, a node module which keeps a process up and running. (And restarts it, if some fatal error should occur.) Roadmap: Implement relay server support (a bit hard to test though), refactor the web interface (code could be a bit cleaner), implement a statistics page, find some better ways to use sync.io instead of messing around with DNS records and code some tests to fight against bugs. Regards NeoXiD
  8. Good news, a BitTorrent Inc. employee just confirmed that sync.io does not violate the Terms of Service. Therefore I will continue with this project as soon as I have some free time left.
  9. I do, although I do not have enough time to work actively on it. I had some first successful tries with a private relay server, but there are still some things to improve. Still waiting for an answer, contacted some employees, but it seems like they are all still enjoying their holidays.
  10. Hm, I did not know that the protocol might also be affected by this ToS? I've understood that only reverse engineering the binary would be forbidden... Anyways, thanks for the hint @GreatMarko. I just wrote a private message to a BitTorrent employee and will freeze this project until these questions are resolved. Regards NeoXiD
  11. As lolcat said, the secret keys are not handled by an external server. A hash will be generated out of the secret key, which will then be used to announce the share at the tracker and search for other peers. Notice: sync.io currently only supports a private tracker server, you will still use the BitTorrent Sync Relay server for outgoing connections. (Means that if no direct connection can be established because of NAT, firewalls..., your data gets transferred over the relay server. Encrypted, of course.) I am still reverse engineering the relay server protocol and I've already made some success, although I don't have much time right now. As soon as this feature is finished, you could realize a private BTSync environment where BitTorrent Inc. isn't involved. But otherwise I will fully support your idea, tricking the client with DNS isn't that comfortable. (Although if your company uses Active Directory Services, it will be really easy to realize.) It would be really nice to hear an opinion of a BTSync dev. Happy new year, Regards NeoXiD
  12. Thanks for the great feedback so far. If anyone wants to try it out without installing sync.io, they could also use http://ares.snapserv.net:4000 for testing purposes. To do this, one method would be overriding the DNS record for t.usyncapp.com and setting it to 176.9.229.90. Your share(s) should immediately pop up there as soon as you restart BTSync. Only use this for testing purposes, this tracker isn't always available. Right now I am working on a private relay server, which will be seamlessly integrated into sync.io. So far I achieved the first few things, so that feature should probably follow soon. And I've achieved another thing: Modifying the BTSync client binary for Windows so that it will always point to 176.9.229.90. Although, this binary edit has some limitations and it seems like it would violate the ToS, which is quite unfortunate. :/ @frater: That would be a great idea. Because there are always 2 servers involved (relay & tracker), the following schema could be used: SADF7893ASD....@domain.com => Share: SADF7893ASD.... , Tracker: t.domain.com, Relay: r.domain.com
  13. They announce a hash (identifies the share, will further analyze how it will be generated), their local IP and a unique peer identifier, which seems to be chosen randomly as soon as you start the application for the first time. Here's a link to my test environment: http://ares.snapserv.net:4000 You will see there what information gets published. Before anyone starts with messing around there, no sensitive data is stored on my test env.
  14. Hey there! First of all, I would like to say thanks to the developers of BitTorrent Sync. The application is fantastic and can handle large amounts of data. Although, there are some features missing: Own tracker and relay servers! We would have really loved to use BT Sync within our company, but without our own tracker and potentially relay server that's a no-go... So, I did some research and it seems like there isn't anything on the roadmap to make own trackers possible. That's why I've decided to start up Wireshark and analyze the tracker protocol. Soon I had all the necessary things together and I started working on writing a private tracker server. Here's my result, called sync.io. It is written in NodeJS and can handle a huge amount of load. Also, as a little gimmick, I've added a web status page which shows all announced shares and their peers. So far I've tested my private tracker server with about ~50 clients and didn't have any problems at all. Of course, BitTorrent Sync does not offer the native ability to choose your own tracker server, so you will have to do some workarounds like editing your hosts file, overriding the DNS record (we did that in our company) or making some fancy firewall rules... You can read more about that at Github, where I've described everything as precisely as possible. So, feel free to test it out! If there are any suggestions, problems or something else, I will be glad to help out. The next thing on the roadmap of sync.io is an inbuilt private relay server... Regards NeoXiD
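Posts 12 and 14 above describe redirecting the tracker hostname through the hosts file or DNS, and post 12 proposes a "share@domain" naming schema. The following is an added helper for the administrator's side of that, not sync.io code and not from the thread: it audits a hosts file for entries that override the tracker hostname named in the thread (t.usyncapp.com) and reports the address each one points to, so a client that is being redirected to a tracker the company does not run can be spotted; and it derives the tracker and relay hostnames from the proposed schema. The hosts file content is constructed for the example (it reuses the 176.9.229.90 test address from post 12); the relay hostname of the real service is not named in the thread, so only the tracker host is watched by default.

```javascript
// Added illustration, not sync.io code. The thread's workaround is to point
// the tracker hostname at a private tracker through the hosts file or DNS;
// this lets an admin audit a hosts file for such overrides and derive the
// tracker/relay hostnames from the "share@domain" naming schema proposed above.
const TRACKER_HOST = 't.usyncapp.com'; // tracker hostname named in the thread

// Parse hosts-file text into entries, skipping blank lines and comments
// (including trailing "# ..." comments). Line numbers are 1-based.
function parseHosts(text) {
  const entries = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.replace(/#.*$/, '').trim();
    if (!line) return;
    const [ip, ...names] = line.split(/\s+/);
    if (names.length === 0) return; // malformed: address without a name
    entries.push({ ip, names: names.map(n => n.toLowerCase()), line: i + 1 });
  });
  return entries;
}

// Report every hosts entry that maps one of the watched hostnames to an
// address. Matching is case-insensitive; the address is returned so the
// admin can compare it with the tracker they expect (the company's own one
// versus an unknown host).
function findHostOverrides(text, hosts = [TRACKER_HOST]) {
  const watched = new Set(hosts.map(h => h.toLowerCase()));
  const hits = [];
  for (const e of parseHosts(text)) {
    for (const n of e.names) {
      if (watched.has(n)) hits.push({ host: n, ip: e.ip, line: e.line });
    }
  }
  return hits;
}

// Schema proposed in the thread: SHARE@domain.com means share id SHARE,
// tracker t.domain.com and relay r.domain.com. Returns null if the string
// does not fit the schema.
function parseShareAddress(addr) {
  const m = /^([A-Za-z0-9]+)@([A-Za-z0-9.-]+\.[A-Za-z]{2,})$/.exec(addr.trim());
  if (!m) return null;
  const domain = m[2].toLowerCase();
  return { share: m[1], tracker: `t.${domain}`, relay: `r.${domain}` };
}

// Constructed sample hosts file (not a real capture). It includes the
// override described in the thread, plus unrelated lines.
const SAMPLE_HOSTS = [
  '127.0.0.1   localhost',
  '::1         localhost ip6-localhost',
  '# redirect BTSync to the private tracker (test only)',
  '176.9.229.90 T.usyncapp.com   # tracker override',
  '10.0.0.5    intranet.example.com',
].join('\n');

// Example run: reports the override on line 4 and the hostnames the schema
// yields for a constructed share address.
function auditSample() {
  return {
    overrides: findHostOverrides(SAMPLE_HOSTS),
    address: parseShareAddress('SADF7893ASD@example.com'),
  };
}

console.log(JSON.stringify(auditSample(), null, 2));
```

On a managed fleet the same check would be run against each client's hosts file and the reported address compared with the allow-listed private tracker; an override that points anywhere else means that client's share announcements (share ids, peer ids and IP addresses) are going to a tracker the company does not control.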
  15. As some other people already mentioned, thanks for the great work! I am currently using BTSync to sync 4 desktop clients - and it works like a charm. Unfortunately, there is one big feature missing in the mobile apps: Custom fixed port & predefined hosts - I was never using any "multicast detection", "trackers", "dht" or whatever. I was always using predefined hosts, that's why I would need that feature in the mobile app. Please do not tell me to use "Search in LAN network" or whatever it is called, this feature does not work over VPN connections... Regards NeoXiD
  16. Do you (or anyone else) know if this setting is also available within the Android App? I had some issues that some files were not syncing until I deleted them on my Android smartphone, so I might think I'm running into the same problem. If that setting does not exist, this would be my biggest wish for now.