chocobai

How secure is this "random number"?


Hi!

If I understood the FAQ correctly, the number for a folder is generated completely randomly (I'm using Linux computers and a Mac). I know it's unlikely, but someone could hit the same number like I did and get my stuff, am I right?

Also there is no try limit, so someone could just brute force and generate numbers or iterate until he gets some files.

Are those two scenarios possible and is there a plan for how to improve this? Maybe a new user has to be allowed by a central device (NAS, optional) before other devices will begin uploading to the new user, using certificates or an additional password, also using a limit of false authentications etc.

I'm a bit concerned because if this would work, the attacker would have unlimited time to randomly get files of other people. Wouldn't this become a problem assuming many people would use BTSync so attackers get attracted?

Thanks.


There are already a number of topics on this specific question in this forum - try searching for "security", and in addition to the thread that Lighting has highlighted, the topic has also been extensively discussed here.


Thanks. I searched for keywords like security and I got no results... Probably I wasn't logged in yet or so and didn't notice. Okay, so, statistically it could happen. It may be very, very unlikely, but it COULD happen.

While the risk may be low, is there already a plan to include (I mean directly in btsync, I know about truecrypt and similar things) something that (optionally) improves this situation?

It would be great if the client could send a notice to the receiver that this folder is encrypted so the receiver could automatically decrypt it using a key file or something.

I'm really excited about the project and I am currently using it for sharing non-sensitive data with colleagues. Works great so far. Awesome work.


Okay, so, statistically it could happen. It may be very, very unlikely, but it COULD happen.

While the risk may be low, is there already a plan to include (I mean directly in btsync, I know about truecrypt and similar things) something that (optionally) improves this situation?

Please refer to the other related threads on this topic, including this thread, this thread and this thread - your questions/concerns are covered in a number of previous threads, with comments/responses from the developers themselves.

Okay, so, statistically it could happen. It may be very, very unlikely, but it COULD happen.

NO, in non-technical terms, it is completely impossible.

It's far more likely that you'll copy and paste your secret into this forum without noticing it.

R27WAH4LQCGDFOGS7NLQYLQPXW5TRCW5


It's far more likely that you'll copy and paste your secret into this forum without noticing it.

I like that idea - it's probably more likely that you'll accidentally call a random phone number that happens to belong to a hacker, who before you know what's going on hypnotises you into giving him your secret. So I guess we should encourage the devs to make btsync even more secure, and in the meantime chocobai can work on his anti-hypnotism techniques :)

This topic is now closed to further replies.
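
The two scenarios raised in this thread (two users generating the same random secret, and guessing secrets with no try limit) can be put into numbers. The Python below is an added example, not part of the original posts and not BTSync code; it assumes a secret is 32 uniformly random base32 characters, like the sample string posted above, and the user count and guess rate are constructed values.

```python
import math

BASE32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def secret_bits(secret):
    """Entropy upper bound: 5 bits per base32 character (assumes uniform randomness)."""
    if not secret or any(c not in BASE32_ALPHABET for c in secret):
        raise ValueError("not a base32 string")
    return 5 * len(secret)

def p_collision(bits, secrets):
    """Birthday approximation: chance that any two of `secrets` random secrets are equal."""
    return -math.expm1(-secrets * (secrets - 1) / 2 / 2**bits)

def p_guess_hit(bits, active_secrets, guesses):
    """Chance that at least one of `guesses` independent random guesses matches an active secret."""
    p_single = active_secrets / 2**bits
    # 1 - (1 - p)^g, via log1p/expm1 so tiny probabilities do not round to 0 or 1
    return -math.expm1(guesses * math.log1p(-p_single))

def years_to_expected_hit(bits, active_secrets, guesses_per_second):
    """Mean time until the first hit when guessing at a fixed rate with no try limit."""
    return 2**bits / active_secrets / guesses_per_second / SECONDS_PER_YEAR

if __name__ == "__main__":
    bits = secret_bits("R27WAH4LQCGDFOGS7NLQYLQPXW5TRCW5")  # sample string from the thread
    users = 10**9   # constructed: one billion shared folders in use
    rate = 10**12   # constructed: guesses per second, ignoring any network limit
    century = int(rate * SECONDS_PER_YEAR * 100)
    print(f"secret size: {bits} bits")
    print(f"accidental collision among {users} secrets: {p_collision(bits, users):.2e}")
    print(f"any hit after 100 years of guessing: {p_guess_hit(bits, users, century):.2e}")
    print(f"mean years to first hit: {years_to_expected_hit(bits, users, rate):.2e}")
```

The result depends entirely on the secret being generated from a good random source; a shorter or predictable secret changes `bits` and every figure derived from it.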