Search the Community

Showing results for tags 'security'.

Found 49 results

  1. I use Resilio Sync to sync files among computers within my local network. I've unchecked "Use relay server when required" and "Use tracker server" in preferences for every connected folder. But Resilio Sync still keeps making outgoing connections to the tracker server (173.244.217.42 and 2606:2e00:8003:1:ec4:7aff:fe57:108e). Is it possible to disable this, for security and privacy concerns?
  2. Hello, I just want to know for sure which essential Roaming files I should back up (*.dat?) to be able to reinstall my Sync settings on a computer from scratch. I wish you would add, not a feature, but just documentation to clarify and make this official. Sorry if it already exists, but I don't think so. Thanks.
  3. How does the sync work over non-WiFi (3G, 4G, etc.)? How does my phone discover changes on my PC without any central server? Is there a URL with my device key? How does this work?
  4. Does the sync also bring over the file/user privileges with the files? Thanks.
  5. Can someone confirm whether or not the Government solution provided by Resilio is FIPS 140-2 compliant? Regards, A
  6. I recently did a contract with a Fortune 500 client that requires SAS 70 Type II, SSAE 16, ISAE 3402, and/or SOC2/3 certifications amongst other guarantees like 99.9% SLAs and so on and so forth when working with external vendors. Moving data securely is always a sensitive issue. The company required AES256 at rest and during data transmission. BT Sync (now Resilio) currently only supports AES-128, which is problem number one, but I still floated BT Sync for transmitting large assets that weren't mission critical. During a security review, legal called attention to a clause in Resilio's Terms of Use. The proposal to use BT Sync was ultimately shot down because the wording in Resilio's Terms of Use suggested there might be a backdoor in the BitTorrent Sync / Resilio software that allows Resilio and/or its partners to access user assets through an undisclosed channel. The exact complaint was with the wording in the "Terms" as seen when installing or upgrading to Resilio for the first time: https://getsync.com/legal/terms-of-use/ The specific complaint was with sections 7.a and 7.b (Investigations). I pointed out that "Materials" was defined as: The problem is that "Your Content" and "User Content," defined in section 2.b, are still open to interpretation in the ToS since "Service" is broadly defined (in section 1.a) as: Section 2.b (Use of Services & Materials) then states: This was the deal breaker because "Service" includes the software used to transfer data (aka BitTorrent Sync, now Resilio), not just the web site(s) and emails. Moreover, the Privacy Policy didn't categorically state that Resilio is incapable of tracking and accessing user files, merely that Resilio doesn't -- which could be a matter of choice. I would like to recommend BitTorrent Sync again in the future, but I know many of the clients I work with will go through the same process and ultimately voice the same concerns.
     Are there any plans to provide clearer language that categorically states Resilio / BitTorrent Sync has no known backdoors that would allow the company or any outside parties to snoop on clients' data, and no known mechanisms to subvert the security of the software?
  7. Hello, is there ANYTHING other than the public key and the folder key/hash transferred unencrypted (in standard folders)? Are there plans to open source the client and protocol? Is there a security whitepaper I can read? Thanks for your great work.
  8. Hi, 1st question: Is it, from a security point of view, relatively safe to directly expose the listening port to the internet? To my understanding this is necessary if I do not want to use a relay server and all devices are NATed? A VPN would restrict use cases a lot. I of course do not expose the Mgmt. UI; not sure how safe that would be at all. 2nd question: Additionally, I was wondering why there is no AppArmor profile installed by default. Wouldn't that be best practice for applications with direct internet exposure? Thanks, -b
  9. Hello Everyone! I'm thinking about securing usage of BTSync. Encrypted folders are superb, but there is a lack of security. It is not in the manual, but every instance of BTSync creates a folder with the name .SyncUser plus numbers. This folder contains very sensitive information... It contains the keys! Imagine that you are using Synology or Windows. You installed BTSync, set it up, set some encrypted folders, use BitLocker or eCryptFS for your sensitive folders and think that everything is very secure. But.... But the problem is in the process of how and where BTSync stores the keys and other core information. It stores that in the .SyncUser folder's folders and files. For example, under Windows that folder is located at AppData\Roaming\BitTorrent Sync. And by default this folder is not protected with BitLocker (moreover, most users don't understand where BTSync is installed at all). The same thing with Synology or Ubuntu. So if this folder is not secured somehow, then someone with an admin account on the same computer can easily steal your keys. Or detach your HDD and attach it to another computer, get your private keys and steal all your data. You should pay attention to that and use BitLocker or eCryptFS folders to store the BTSync .SyncUser folder. In the case of server usage, use only encrypted BTSync folders or use BitLocker/eCryptFS with the certificates stored in a TPM module. It would be great if someone could give me a clue about the following: a. how to move the .SyncUser folder to an encrypted directory on Synology. b. tell me more about the different files and directory names inside the .SyncUser folder. Thank you in advance.
  10. Would it be madness to make the web GUI available publicly, or is this OK as long as you use a strong password? Do attackers have as long as they like to brute force the credentials, or is there some rate limiting and/or IP banning on failed logins implemented by BTSync?
  11. Does BTSync support perfect forward secrecy? The following post suggests yes, but it is kind of old and points to a security page that no longer exists: http://security.stackexchange.com/questions/53981/bittorrent-sync-encryption This page suggests that PFS doesn't apply since Sync doesn't use TLS: http://forum.bittorrent.com/topic/29358-heartbleed-perfect-forward-secrecy/ Is there any further information on this? Thank you, John
  12. I've removed my 1.4 shares to upgrade to 2.0 shares (of course I've made a backup of the settings and the database). First I set the new share to be pre-approved when a new client connects, but even when I approved the connection, the client wrote "waiting for approval". So approvals do not work; it's OK, I don't need it. So I disabled the approval requirement and tried again... but the client still writes "waiting for approval" while it isn't needed. Then I said OK, I'll just restore the 1.4 database, so I restored everything that is related to btsync, but that didn't work, as the client PC (slow ARM PC) started to reindex everything and ignored the old database. On the Windows PC I've also restored everything, but it writes "cannot identify the destination folder", which means that btsync stores some data somewhere else, not on my computer! So I'm gonna stop using btsync, not just because they released the heavily bugged 2.0 without proper testing, but because btsync 2.0 is communicating with and storing data on an external server, which means it's not secure anymore.
  13. The related report: http://www.securityweek.com/command-injection-vulnerability-found-bittorrent-sync
  14. Hi, I installed BitTorrent Sync 1.4.110. I read some topics regarding privacy, and I understand the hash is not private data. But I would like to use BitTorrent Sync as a pure P2P system. Share (mail, copy, QR code) will use an internet connection (https://link.getsync.com/~). So I will use "copy key" in settings. I disabled both "use tracker server" and "use relay server". I believed this would work as a pure P2P system. But I found my firewall logs continue to show connections between ec2-54-225-196-38.compute-1.amazonaws.com UDP 3000 and my local PC. How can I stop this? Does disabling "use relay server" not work?
  15. Hey. This might be a stupid question. But what exactly happens if a peer with read-only access to a folder modifies or changes its contents? Or if a large number of users attempt to do it? Is it possible to fake content without the read/write key in any way? Thanks for the clarification.
  16. Running btsync on Linux will by default create a *publicly-accessible, unprotected* WebUI, allowing anyone on the web to create a sync folder to view and edit your files (i.e. files in directories writable by you). Could the defaults (used when running btsync without a config file) be changed to prevent this unintended data leak? A temporary workaround is to run `killall btsync` to turn off the WebUI, and then use --config with a config file that sets webui > password to a secure password. You can use `lsof -i` to verify that the WebUI is not running.
  17. We are looking to deploy this product in an environment with over 100 remote locations, and would like the ability to lock down the GUI, so shares, settings, and so on are not able to be changed by users. A password would suffice. I believe this will be helpful to many people. Thanks!
  18. Security researchers have found out that BitTorrent Inc has access to all your "encrypted files". It's VERY easy for the NSA or other agencies to get access; all they need is to do one of the following: 1. Send National Security Letters to BitTorrent Inc forcing them to cooperate in a "legal" way 2. Hack/infiltrate BitTorrent Inc 3. Force BitTorrent Inc to cooperate. All your keys are transported to BitTorrent Inc. This is a recent change; it wasn't this way in the first versions of BitTorrent Sync. That indicates a deliberate change in order to backdoor BitTorrent Sync. http://2014.hackitoergosum.org/bittorrentsync-security-privacy-analysis-hackito-session-results/
  19. We use this a lot on our laptops, and a laptop is usually at risk of being lost or stolen. It would be a huge security add-on if you could remotely lock those synced folders by encrypting them temporarily until you recover your peer device. If you are sure that your peer device has been stolen or totally lost => you want to secure your data by remotely deleting all data in synced folders and deleting all secure keys in the BTSync client!
  20. When I read all this: http://sync-help.bittorrent.com/customer/portal/articles/1628463-link-structure-and-flow I wonder whether BitTorrent gets all the information needed to identify peers by using this link thing and could interfere with their communication. juh
  21. Hi, I just have some questions about approved peers so I understand how it works. It's a unit-based setting, right? I mean, if I have 5 units I need to enable the setting on all devices to make sure no content is being shared to anyone else? Can these approved peers be specified in the config file using the username or device name? Thanks!
  22. I have not found one, but is there a way to hide the "***************" secret fields in the preferences / settings box so they can only be viewed with a password? I am on OS X Mavericks.
  23. Hi, When I click "Generate" for "Shared secret" they all begin with "A". Are they really random? Cheers, Jens
  24. Hello all, I ask myself if it is possible to get foreign content? Is it possible to brute-force valid keys to get the content from foreign persons? Or is there a "list" with valid keys on the web? How does the client find the right "server" with the suitable content for the secret key? Why not use a private and a public key, or a key and passphrase? I think it is not safe if anyone can use a brute-forced or traced key without a password or private key to decrypt the content. Can someone enlighten me? Thanks, ks