NeoXiD

Posts posted by NeoXiD

  1. NeoXiD,

     

    In light of the unfortunate developments surrounding btsync 2.0, your work on a private tracker has become more important than ever to those of us who loved btsync the way it was before it was ruined.

     

    I hope that you'll continue development on this important tool.

     

    I've managed to get it running, however the status page does not display any information in the fields (no fields really, just column headers). It isn't of terrible importance, but thought you should know.

     

    I'm using btsync client 1.4.111

     

    Warmest regards,

    Mike

     

    Hi Mike

     

    Thanks for your message. I only barely watched the development of Sync 2.0, as I've already guessed in the past that such things are probably going to happen. I had also written a statement about that on GitHub and stopped development altogether. They've introduced new protocols, a lot of reverse engineering would be needed and with Sync 2.0 it might get even more legally questionable if you start with bypassing pro-only restrictions.

     

    BitTorrent Inc. said in the past that they're going to tolerate my project for now and I'm not sure if they would still do so nowadays. I'd rather like to see a new solution/product, completely written from scratch and opensourced. Even if I'm going to create a new tracker emulator, people would still have to use closed source software and ugly hacks and workarounds. I would no longer trust BTSync for any seriously secret data and would suggest treating it like Dropbox or similar cloud storage providers, in terms of security.

     

    To cut a long story short, I never expected them to release an opensource version and now it's even more unlikely - they'll probably never do, so even if you create a full working tracker/relay emulation, people would still have to use software which can't be properly audited and maybe even includes backdoors. You never know...

     

    Best regards

    NeoXiD

  2. Also, some other notice: They've mentioned somewhere that they are unable to shut down the BitTorrent Sync service. This is not 100% correct. Indeed, it is correct for LAN-only environments with activated peer discovery. But what if they shut down the tracker and relay servers? External connections would not be possible anymore.
    You can always create your own tracker and relay server, described below:

     

    Tracker: Simply own a domain name (Example.org), have it on a dynamic DNS, constantly update the subdomains with your computers' IPs, such as:

    Laptop.example.org
    Desktop.example.org
    Work.example.org
    And then just configure BTSync to use those static addresses.

     

    Relay: Just have a single computer which accepts incoming connections (you can easily buy a cheap VPS to do this). Unfortunately, I'm not sure if it actually needs to have the files on it (if you selective-sync it and then accept nothing, would it relay the connection?). I could test this if you really want (it would cost a couple of cents to lease a VPS for two or so hours).

     

    Anyway, one thing I do really dislike about this project is the fact it's closed source.

    That's not a tracker, these are static IPs. (And this feature isn't even implemented in the mobile applications...) And this might work if you've got around 3-4 clients and you own all of them... But what if you want to share some files with friends, coworkers, ...? Ask them for their IPs and update them all of the time? Request some dynamic DNS domains from them? That's clearly not a tracker replacement.

    And I would also claim that a single computer which accepts incoming connections does not act as a relay server, otherwise this option would not be needed. Of course, you can get some server which is publicly reachable and let it sync all the files, but it will not help with "relaying"/"supporting" a 'direct' connection between two other peers.

  3. I ran Btsync over i2p as a test and it works well.

    However major problem is there's no way to verify the downloaded packages, and the source is closed. So those should be your two biggest security concerns since we're using a blackbox. If you are security conscious look into Tahoe-LAFS or owncloud project.

    You've mentioned another good point, thanks @CptDerp. owncloud isn't really an alternative imho and Tahoe-LAFS is a bit complicated. I've tested both of them already, but I didn't find anything yet which is as simple and works out-of-the-box like BTSync does.

    But unfortunately it is very unlikely that BitTorrent Inc. will ever release BTSync as an open-source application, so we have to trust this 'blackbox' or just don't use it anymore.

    But truly some statements which are mentioned on their homepage are probably marketing bs and nobody can tell how secure BTSync really is.

  4. That does not answer my question, which is a pretty simple one. Or let me put it simpler...

     

    Can anyone/thing at any time or place, regardless of motivation, identify what data I am transmitting, without me deliberately sharing my key with that person/object ?

     

    Option 1) Yes

    or

    Option 2) No

     

    A sharing of knowledge on option 1 (Yes), is optional but would be just awesome.

     

    I've just posted a long thread about this, you can read it at http://forum.bittorrent.com/topic/26538-concerns-about-the-security-of-btsync/. It describes all the data which gets transferred and all possible security problems. For general use, you should be fine with BTSync, but always think carefully about trusting closed-source software.

  5. Hello there

     

    I'm the developer of sync.io, a private tracker server made for BitTorrent Sync. This project is unofficial and not finished, but some people are already using it. To accomplish this project, I had to reverse engineer a lot of the used protocol and can therefore give you some details about the security of BitTorrent Sync.

     

    First of all, BTSync is not 100% private as it might be mentioned on some pages. Think about the following thing: You've got 5 clients, all with the same secret, located on some different networks worldwide. How do they find each other? They've got no chance without any external help.

     

    This is where BitTorrent Sync's tracker server comes to help - some "share identifier" (not the secret) will be transmitted to the tracker server including your private & public IP address. You will get all active peers as a reply, and can therefore establish some direct connections.

     

    You're affected by some really secure firewall rules? The relay server comes into play - it will be a middleman between two peers and all the data will be transmitted over the relay server if no direct connection is possible. You can easily see this when BTSync shows a "cloud" symbol next to a peer.

     

    Summary of data BitTorrent Inc. gets from you:

    • the private and public IP address of all connected peers
    • the share secret (I do not know yet how it will be generated, it is related to the secret keys but can't be reversed, I think)
    • unique identifier (will be generated for each installation; you can also call this the 'unique peer id')
    • if no direct connection is possible: packets containing the destination peer id & the encrypted data

    Normally they'll only have your IP address and a unique peer identifier and they could do some statistics about the average amount of shares a BTSync user has, but they do not see any share names or the data. If a relay server gets used, all the encrypted data gets sent over their servers. If the encryption is secure and correctly implemented, this won't be a problem. But if there are some big mistakes or flaws, they could easily intercept the traffic and decrypt it.

     

    And if they would be able to decrypt the data of one peer, they would know every other peer (including their IPs) which has access to this share, thanks to the tracker server. And yes, I know, a tracker server -is- necessary.

     

    So, these are some things you should know. I do not want to accuse BitTorrent Inc., but you never know what things look like. No one also knows how the encryption works in detail - everything is closed-source and can not be checked by anyone else. Reverse engineering of the binaries is also forbidden, and it looks like they want to release an enterprise version with private tracker & relay support, so they're not that happy about opensource solutions like 'sync.io'.

     

    Also, some other notice: They've mentioned somewhere that they are unable to shut down the BitTorrent Sync service. This is not 100% correct. Indeed, it is correct for LAN-only environments with activated peer discovery. But what if they shut down the tracker and relay servers? External connections would not be possible anymore.

     

    To cut a long story short: They could shut down BTSync (except the LAN feature), they can -maybe- intercept your traffic and decrypt it, depending on how "secure" the encryption really is (and if relay servers are being used, which is often the case for mobile connections).

     

    Things I would wish for the future: Easy support for own tracker and relay servers, an open and world-readable documentation about the protocol, an API without any 'stupid' (excuse me) API keys which can be limited and maybe open-source the application all together.

     

    I might sound paranoid but I care a lot about security. And I just wanted to share my thoughts with all the BTSync users. Do not accuse me of hating BTSync, I really love its simplicity and it works fine, but I am always doubtful about such sync tools. Thanks for reading the whole post,

     

    Regards

    NeoXiD

  6. Good project, thanks. I've used it on osx 2 hours with 3 clients and got a crash :(

     

    TypeError: Cannot call method 'toString' of undefined
        at SyncServer.module.exports.SyncServer.handlePacket (/Users/user/Downloads/sync.io/app/lib/SyncServer.js:90:29)
        at SyncServer.module.exports.SyncServer.onMessage (/Users/user/Downloads/sync.io/app/lib/SyncServer.js:85:19)
        at Socket.<anonymous> (/Users/user/Downloads/sync.io/app/lib/SyncServer.js:4:61)
        at Socket.EventEmitter.emit (events.js:98:17)
        at UDP.onMessage (dgram.js:437:8)
     
    Any suggestions?
    Thanks.

     

     

    Sorry for that issue. I've just refactored huge amounts of Sync.IO, the code is now much more readable, structured and also includes more checks, so bad stuff like that should not happen again. Still, like for every node.js application, I can highly recommend forever, a node module which keeps a process up and running. (And restarts it, if some fatal error should occur)

     

    Roadmap: Implement relay server support (a bit hard to test though), refactor the webinterface (code could be a bit more clean), implement a statistics page, find some better ways to use sync.io instead of messing around with DNS records and code some tests to fight against bugs.

     

    Regards

    NeoXiD

  7. NeoXid created an alternate tracker which could be used instead of the servers of bittorrent. I would like to use btsync to backup medical data, but the fact that currently the secret keys are handled by a foreign server means I can't do this. The current clients have to be either patched or misled by a firewall or dns. It would be nice if the current clients get native support for alternate trackers. Preferably at a share level. Does a URL already exist for bittorrent sync keys? It would be nice if the alternate tracker could be included... Cheers

     

    As lolcat said, the secret keys are not handled by an external server. A hash will be generated out of the secret key, which will then be used to announce the share at the tracker and search for other peers. Notice: sync.io currently only supports a private tracker server, you will still use the BitTorrent Sync Relay server for outgoing connections. (Means that if no direct connection can be established because of NAT, firewalls..., your data gets transferred over the relay server. Encrypted, of course)

     

    I am still reverse engineering the relay server protocol and I've already had some success, although I don't have much time right now. As soon as this feature is finished, you could realize a private BTSync environment where BitTorrent Inc. isn't involved. But otherwise I will fully support your idea, tricking the client with DNS isn't that comfortable. (Although if your company uses Active Directory Services, it will be really easy to realize.)

     

    It would be really nice to hear an opinion of a BTSync dev. Happy new year,

     

    Regards

    NeoXiD

  8. Thanks for the great feedback so far. If anyone wants to try it out without installing sync.io, they could also use http://ares.snapserv.net:4000 for testing purposes. To do this, one method would be overriding the DNS record for t.usyncapp.com and setting it to 176.9.229.90. Your share(s) should immediately pop up there as soon as you restart BTSync. Only use this for testing purposes, this tracker isn't always available.

     

    Right now I am working on a private relay server, which will be seamlessly integrated into sync.io. So far I achieved the first few things, so that feature should probably follow soon. And I've achieved another thing: Modifying the BTSync client binary for Windows so that it will always point to 176.9.229.90. Although, this binary edit has some limitations and it seems like it would violate the ToS, which is quite unfortunate. :/

     

    @frater: That would be a great idea. Because there are always 2 servers involved (relay & tracker), the following schema could be used:

     

    SADF7893ASD....@domain.com => Share: SADF7893ASD.... , Tracker: t.domain.com, Relay: r.domain.com
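The schema proposed above packs the share and the operator's domain into one string and derives both server names from it by convention. As an added example for this thread (not sync.io's code and not a format BitTorrent Sync supports), here is a parser for it. Assumptions not stated in the post: the share part is upper-case letters and digits, the domain must be a syntactically valid hostname, an address without '@' means "use the client's built-in servers" (returned with `tracker` and `relay` set to null), and the first '@' is the separator so that a stray second '@' makes the address invalid instead of silently becoming part of a hostname.

```javascript
// Added example, not sync.io code. Parses "SHARE@domain.com" into the share
// plus the t./r. tracker and relay hostnames proposed in the thread.
// ASSUMPTIONS: share alphabet, hostname syntax and the no-'@' default are ours.
const SHARE_RE = /^[A-Z0-9]+$/;
// RFC 1123 label: 1-63 chars, letters/digits/hyphens, no leading/trailing hyphen.
const LABEL_RE = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i;

function isHostname(name) {
  if (typeof name !== "string" || name.length === 0 || name.length > 253) return false;
  const labels = name.split(".");
  // Require at least "domain.tld"; an empty label (e.g. trailing dot) fails.
  return labels.length >= 2 && labels.every((label) => LABEL_RE.test(label));
}

// Returns { share, domain, tracker, relay } or null when the address is invalid.
function parseShareAddress(addr) {
  if (typeof addr !== "string" || addr.length === 0) return null;
  const at = addr.indexOf("@");
  if (at === -1) {
    // Plain share: the client keeps using its built-in servers.
    return SHARE_RE.test(addr) ? { share: addr, domain: null, tracker: null, relay: null } : null;
  }
  const share = addr.slice(0, at);
  const domain = addr.slice(at + 1).toLowerCase();
  // A second '@' ends up inside `domain` and is rejected by isHostname.
  if (!SHARE_RE.test(share) || !isHostname(domain)) return null;
  return { share, domain, tracker: `t.${domain}`, relay: `r.${domain}` };
}

// Inverse operation, so parsed addresses can be printed back for sharing.
function formatShareAddress({ share, domain }) {
  return domain ? `${share}@${domain}` : share;
}
```

With this convention a client only has to resolve `t.<domain>` and `r.<domain>`; the operator decides what those names point at, which is the part today's clients can only get through hosts-file or DNS overrides.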

  9. Great work, this seems incredibly useful.

    Do the peers only announce the share to the tracker? Is any other information leaked to the tracker?

    They announce a hash (identifies the share, will further analyze how it will be generated), their local IP and a unique peer identifier, which seems to be chosen randomly as soon as you start the application for the first time.

    Here's a link to my test environment: http://ares.snapserv.net:4000

    You will see there what information gets published. Before anyone starts messing around there, no sensitive data is stored on my test env.

  10. Hey there!

    First of all, I would like to say thanks to the developers of BitTorrent Sync. The application is fantastic and can handle large amounts of data. Although, there are some features missing: Own tracker and relay servers! We would have really loved to use BT Sync within our company, but without our own tracker and potentially relay server that's a no-go...

    So, I did some research and it seems like there isn't anything on the roadmap to make own trackers possible. That's why I've decided to start up Wireshark and analyze the tracker protocol. Soon I had all the necessary things together and I started working on writing a private tracker server.

    Here's my result, called sync.io. It is written in NodeJS and can handle a huge amount of load. Also, as a little gimmick, I've added a web status page which shows all announced shares and their peers. So far I've tested my private tracker server with about ~50 clients and didn't have any problems at all.

    Of course, BitTorrent Sync does not offer the native ability to choose your own tracker server, so you will have to do some workarounds like editing your hosts file, overriding the DNS record (we did that in our company) or making some fancy firewall rules... You can read more about that at Github, where I've described everything as precisely as possible.

    So, feel free to test it out! If there are any suggestions, problems or something else, I will be glad to help out. The next thing on the roadmap of sync.io is an inbuilt private relay server... :)

    Regards
    NeoXiD

  11. As some other people already mentioned, thanks for the great work! I am currently using BTSync to sync 4 desktop clients - and it works like a charm. Unfortunately, there is one big feature missing in the mobile apps:

     

    Custom fixed port & predefined hosts - I was never using any "multicast detection", "trackers", "dht" or whatever. I was always using predefined hosts, that's why I would need that feature in the mobile app. Please do not tell me to use "Search in LAN network" or however it is called, this feature does not work over VPN connections...

     

    Regards

    NeoXiD

  12. Take a look at the advanced folder preferences at the RO node, you should find a checkbox named "Restore modified files to original version". (I assume you are using 1.2.71)

     

    Do you (or anyone else) know if this setting is also available within the Android App? I had some issues that some files were not syncing until I deleted them on my Android smartphone, so I might think I'm running into the same problem. If that setting does not exist, this would be my biggest wish for now.