ctrlfrk

Short, insecure "secrets"

Recommended Posts

I just tried to create a new synced folder with the secret string "cats", in the hope that some like minded individual had pre-populated it with cat pictures. It got rejected unsurprisingly as it's not very secure, but that was kind of the point.

Is there any motivation behind this limitation beyond security? Would it be possible to relax this requirement through an 'advanced' setting to prevent people from shooting themselves in the foot?

I quite like the idea of globally shared, synced folders centered around topics.

Share this post


Link to post
Share on other sites

Wouldn't this just be a P2P usenet of kind, where, anyone can modify anyone else's items? Personally, I'll stick to usenet for "groups", or, if I'm so inclined to see cats, go to reddit.

As for the topic, what's there to be secure about? If you host a website and make your administrator password "a", then, no shit people are going to log in.

Share this post


Link to post
Share on other sites

As for the topic, what's there to be secure about?

I said insecure. Which is the point. You want people to be able to guess the secret and join in without any prior communication other than both knowing the name of the topic.

And yes there are other ways to share pictures of cats... that's not the point. I'm asking why there is a 41 char minimum on custom secrets and whether or not an option could be added to disable the limit.

Share this post


Link to post
Share on other sites

I said insecure. Which is the point. You want people to be able to guess the secret and join in without any prior communication other than both knowing the name of the topic.

And yes there are other ways to share pictures of cats... that's not the point. I'm asking why there is a 41 char minimum on custom secrets and whether or not an option could be added to disable the limit.

Oh, I didn't even know there was a limit. My mistake, ignore my posts.

Share this post


Link to post
Share on other sites

I'm iffy on this.

I think a BitTorrent 'pseudo DNS' is inevitable, simply because it's easy - the first thing I did was this was share my calibre library of free ebooks (Gutenberg+Baen) among my family using a pseudo-random key.

But - even with the large namespace, how long is it before the same human personalities that gave us Spam and some of the more disgusting trolls out there go hunting for shared folder just looking for *any* folder to put something nawsty into, or deliberately overwrite files - nevermind one as simple as 'lolcat-pics'.

As a practical matter, I can't imagine it will be that long before someone creates a version with that functionality, now that the idea is there, but nonetheless the idea in going to need to be thought through carefully.

Share this post


Link to post
Share on other sites

Imagine if BTSync adds a new kind of secret key, one that allows creation of files, but disallow modification of existing files. Combined this with OP's idea of "short, insecure secrets" -- then it would be possible to create a P2P usenet!

Share this post


Link to post
Share on other sites

Imagine if BTSync adds a new kind of secret key, one that allows creation of files, but disallow modification of existing files. Combined this with OP's idea of "short, insecure secrets" -- then it would be possible to create a P2P usenet!

Other than you'd need to download literally EVERY post out there, which, would be cool and all up until I'm trying to get my connection to download 11TB a day (Source:- https://en.wikipedia...traffic_changes) worth of illegal TV shows, movies, pornography and random encrypted rar archives with MD5 hashes (0-9A-F{32}) as names.

If they introduce a option to view files but not download them until accessed option, and (windows explorer, finder, and whatever desktop client option you use for linux) upgrades so that you can vew 11TB worth of random folders added each day without crashing, then, it'd be cool, however, then it falls back to to requirement of seeders, in which case I'd rather hop onto my real usenet connection and download from there, or, use thepiratebay.

In my opinion, let torrents be torrents, let usenet servers be usenet servers and let bittorrent sync be a P2P version of Dropbox/GDrive.

Share this post


Link to post
Share on other sites

It seems that it is just a matter of time before you begin finding btsync "secret" keys posted to forums and other websites as ways to share movies and such, just like you already find .torrent files at torrent tracker and search websites.

Share this post


Link to post
Share on other sites

Other than you'd need to download literally EVERY post out there, which, would be cool and all up until I'm trying to get my connection to download 11TB a day

Um, no; you'd actually be downloading one Usenet group (say alt.sex.perv.perv.perv) and it can be as specific or limited as you like.

Actually, you can't stop it; BTSync is a pretty small and simple application (much like bittorrent) even now it wouldn't be difficult to make a version without the limits (including the open source one) But you don't actually have to do this to use 'simple' passwords.

The secret that BTSync will accept is a 160bit string in base32 so 'all' you have to do it take the secret you want, put it into a sha1 encoder http://www.webtoolki...avascript-sha-1 if the output is "hex" convert it to base32 http://tomeko.net/on...e32.php?lang=en to give the result ...

cats = R27WAH4LQCGDFOGS7NLQYLQPXW5TRCW5

Enjoy your Cat Pictures. <_<

00000000000000000000000000000000

Share this post


Link to post
Share on other sites

So the read/write secret is customizable.

Is the read-only secret customizable?

Not in the sense you mean, you could do 'Q' filling to pad a short read-write secret to 32 characters but the read only secret is based on an 'encryption' of the read-write secret. There's no technical reason that it has to be as it's actually an independent password but in the current executables it is.

It would be more obvious if the secret share name and password were independent. In that case the read-write and read-only would share the same name but have different passwords.

Share this post


Link to post
Share on other sites

It seems that it is just a matter of time before you begin finding btsync "secret" keys posted to forums and other websites as ways to share movies and such, just like you already find .torrent files at torrent tracker and search websites.

38 Minutes by my count :D

Share this post


Link to post
Share on other sites

Um, no; you'd actually be downloading one Usenet group (say alt.sex.perv.perv.perv) and it can be as specific or limited as you like.

Actually, you can't stop it; BTSync is a pretty small and simple application (much like bittorrent) even now it wouldn't be difficult to make a version without the limits (including the open source one) But you don't actually have to do this to use 'simple' passwords.

The secret that BTSync will accept is a 160bit string in base32 so 'all' you have to do it take the secret you want, put it into a sha1 encoder http://www.webtoolki...avascript-sha-1 if the output is "hex" convert it to base32 http://tomeko.net/on...e32.php?lang=en to give the result ...

cats = R27WAH4LQCGDFOGS7NLQYLQPXW5TRCW5

Enjoy your Cat Pictures. <_<

00000000000000000000000000000000

Well, even if I were to download alt.sex.perv.perv.perv, I'd still have to download everything everyone posted there, and, assuming I had an anti-virus, it'd be going ape-shit.

P.S. I laughed at the Cat Pictures joke.

Share this post


Link to post
Share on other sites

It seems that it is just a matter of time before you begin finding btsync "secret" keys posted to forums and other websites as ways to share movies and such, just like you already find .torrent files at torrent tracker and search websites.

Why would anyone do this over just using a .torrent? Or usenet? Or netcat?

FYI:- Netcat is very good at transmitting files between two nodes you own when scp/network mounting is not possible to use.

Server:-

cat file | nc -l 2345

Client:-

nc $serverIP 2345 > file

Although, I do admit I've never tried it on large files like movies.

Anyway, back on torrent topic, why wouldn't you just use a .torrent? Pretty much the same protocol, but, torrents are made for one load of files to be sent via P2P, bittorrent sync isn't.

Share this post


Link to post
Share on other sites
I'd still have to download everything everyone posted there, and, assuming I had an anti-virus, it'd be going ape-shit.

Hmmm, Actually, no. It's worse then that. Everyone else's AV would have gone ape-shit and deleted all the known viruses ... you'd just be left with the really evil stuff ... :o

NB: I prefer udpcast over netcat; shame that btsync doesn't use multicast for data on the local lan.

Package: udpcast
Description-en: multicast file transfer tool
UDPcast can send data simultaneously to many destinations on a LAN.
This can be used, for example, to install entire classrooms of PCs at
once. The advantage of UDPcast over other methods (such as NFS, FTP,
etc.) is that UDPcast uses Ethernet’s multicast abilities, which means
it won’t take longer to install 15 machines than it would to install
just two.

Share this post


Link to post
Share on other sites

It seems that it is just a matter of time before you begin finding btsync "secret" keys posted to forums and other websites as ways to share movies and such, just like you already find .torrent files at torrent tracker and search websites.

I don't think that there is any reason to use Sync for that reason. Normal private torrent trackers do that fine, and are just as secure as using Sync:

  • To DL .torrent file on a pvt tracker: Are you a member of the private tracker?

  • To find out 'secret' on forum: Who has privileges to see those forum posts?

I do think that a possible use of Sync for piracy could be sharing between friends or families (especially since the software is free and easy to setup). This would make sure that nobody else (anti-piracy groups) would be snooping on your swarm. Another attractive feature of Sync is that the connections between peers are secured with 256 bit AES encryption. Correct me if I'm wrong, but this means that the ISPs of everyone syncing in your "network" are unaware of what is being sent, but they do know how much data and when it was sent.

Of course, this is not the purpose of Sync. It acts as a great DropBox alternative.

Share this post


Link to post
Share on other sites

Sync'd traffic footprint is pretty distinctive, continuous one second pings, tracker pings DHT probes etc etc. So the ISP could be pretty certain that it's btsync but the exact data that's transferred, no they wouldn't be able to see that. The would be able to see the "info hash" values that you put onto DHT or the tracker so if they know of an 'undesirable' btsync share they could tell that you're connected to it. But they wouldn't be able to see the files unless they know the secret as well as the public "info hash" or they can "rainbow table" the hash because it's an insecure key.

From a UI point of view a magnet link and a btsync secret are practically identical. The advantage will be the ability of the distributor to add content to the share without changing the secrets. TPB could in theory distribute their list of magnet links database as a btsync share and keep it up to date without having to continually reissue a new key.

I can't really think of a good use of a plain public RW share; but if you say add something that can check digital signatures on files (giving a form of network wide ownership) a shared permission scheme could be crafted. This would allow you to give the RW key to potentially malicious hosts because their changes would only be accepted kept if they have a good signature.

((Hmm, I sense an API post coming ...))

Share this post


Link to post
Share on other sites
Sync'd traffic footprint is pretty distinctive, continuous one second pings, tracker pings DHT probes etc etc. So the ISP could be pretty certain that it's btsync but the exact data that's transferred, no they wouldn't be able to see that. The would be able to see the "info hash" values that you put onto DHT or the tracker so if they know of an 'undesirable' btsync share they could tell that you're connected to it. But they wouldn't be able to see the files unless they know the secret as well as the public "info hash" or they can "rainbow table" the hash because it's an insecure key.

Technically, I feel that working out the hash from the ISP's point of view is a lot easier than it is from anyone else's. Although it may or may not be legal (No idea, never read my ISP's ToS... it's like 90 pages long), they could easily look through all the history of your activity and look through all the unencrypted locations you may have posted it (HTTPs forums, pastebin, etc...). I'm not saying it's going to work every time (Someone may have httpseverywhere, use a one time secret key, post it on 0bin on their own dedicated site with SSL, connected via a VPN/SSH tunnel to a location that they can't monitor before posting, etc...) but I am saying that it's going to work a hell of a lot more often than just guessing random hashes.

Share this post


Link to post
Share on other sites

I did say an "insecure key".

I know they've tried to pretend that it's not possible but you can still do base32(sha1("cats")) or just do some padding ... CATSIIIIIIIIIIIIIIIIIIIIIIIIIIII is a valid secret.

Hmm, as is CATS1111111111111111111111111111 ...

I can add them both to the windows GUI at the same time ...

Hey KOS13 ... That's a post-20346-0-64858000-1367139462.gif they are the same key.

Share this post


Link to post
Share on other sites
cats = R27WAH4LQCGDFOGS7NLQYLQPXW5TRCW5

I jokingly added that because I was bored:-

02uzrXO.png

Still indexing, at 100MB so far. I probably shouldn't be downloading random files from people, but, eh.

EDIT:- Just what I always wanted, "Cat-Porn.jpg":-

LYRtriD.png

Share this post


Link to post
Share on other sites

Um, no; you'd actually be downloading one Usenet group (say alt.sex.perv.perv.perv) and it can be as specific or limited as you like.

Actually, you can't stop it; BTSync is a pretty small and simple application (much like bittorrent) even now it wouldn't be difficult to make a version without the limits (including the open source one) But you don't actually have to do this to use 'simple' passwords.

The secret that BTSync will accept is a 160bit string in base32 so 'all' you have to do it take the secret you want, put it into a sha1 encoder http://www.webtoolki...avascript-sha-1 if the output is "hex" convert it to base32 http://tomeko.net/on...e32.php?lang=en to give the result ...

cats = R27WAH4LQCGDFOGS7NLQYLQPXW5TRCW5

Enjoy your Cat Pictures. <_<

00000000000000000000000000000000

haha im doing the same, i hash the folder name but the end key is a combination of different keys.

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.