I apologize ahead of time -- Can the dev's stop being assholes and release the crypto/architectural documentation please?

[Heavensrevenge]

I really do apologize for that and I hope I'm not banned but this really needs to be said again.  The dev team really needs to stop being assholes and ignoring the need to release the specifics about this protocol and documentation regarding the protocol for this and now, eventually, BT-chat to show it is solid and really is a wonder of engineering.

Yes your solutions work pretty darn good, but you are preventing your own growth by withholding such critical documentation and specifics about how this operates and if we can actually trust anything to these protocols.

 

Until the documentation is published I can not vouch for BT-Sync anymore, you've waited too long for no reason, and IF your solution really is secure, well then prove it, and you'll have nothing more to prove than by showing your technical capability is as much as it seems to be.  Being closed source doesn't help, without it you will never see it grow regardless of how well it works, sort of like driving down the road in a 1/2 built dune-buggy.  Sure it works, but it feels HORRIBLE and is horrible to drive. So if your keeping it closed to keep everyone out of the secret of how bad your implementation is then fine, that's reasonable, but it still wont gain anyone's confidence to rely on you for real tasks.

 

Until anything is published I will have to actively warn but also discourage the use of this and BT-Chat until you actually pull your act together and do the right thing.

 

I will be hoping for it, and I will be eagerly awaiting the good news IF it ever comes.

 

Sincerely,

Eric

[dmason]

I'm irritated that there isn't more information available. I won't get upset about it unless they offer the enterprise solution with the same information being absent. I can daydream about the project going to an open source license but with the enterprise beta signups I have reservations about that ever happening.

[xmanz]

As every researcher will tell you, the most basic rule of cryptography definded by one of Kerckhoffs' principle is:

NO SECURITY THROUGH OBSCURITY

i.e. the security of the system should not be dependant on the secrecy of the emplyed algorithms, but only on the secrecy of the keys.

Sadly, as it stands, i cannot ascertain whether or not this is the case for BTSync.

 

Wherever this cannot be ascertained, one may assume one of two things a possibility as follow.

1. hidden implementations point to weak, i.e. arbitrarily secure systems
2. presence of "backdoors"

 

A reminder on the basic levels of security by descending order of security:

• unconditionally secure
• conditionally secure
• very well reviewed
• barely reviewed
• secret

 

You don't have to release it under Open Source, but at least make review possible!

[Heavensrevenge]

It is a shame they haven't prioritized it, I'll be hopeful but won't hold my breath.

 

I just hope I reminded these people instead of think we'll forget about it and just ignore their lack of documentation with our ignorance be their bliss.

[dmason]

Hopefully being mentioned on last week's Security Now will get some more people aware of the importance of it all. FWIW communicating those things to the public is pretty darn important. 

[baz]

Honestly, I'd be happy if they even selected a group of security researchers to get an inside look at the way they have this setup. I personally don't have the time to sift through and analyze it myself. I imagine there are plenty of people out there like me who would be perfectly content if we saw security analysis from 4-5 reputable security experts. Steve Gibson is a great start, and he's already requested such a review.

 

Why the hold up? It's starting to make things smell funny.

[crash893]

+1

[tommyent]

Yeah I'm not really understanding why they have yet to address this situation at all. I work with a few companies that keep asking but won't use it until something is released and I'm sure there is many more and then you have someone like Steve Gibson reach out to you because he's excited about the project and would give his seal of approval.  

 

[crash893]

unfortunately Its been my experience that the Devs (or at least the devs that frequent this board) are not what you would call "people persons"

 

I would hate to see something so cool die on the vine because they don't want to address the peasants.

[crash893]

13 days later.......................

[tjarra]

Bittorrent Sync is great!

 

 

Now practice what you preach

[dmason]

Hopefully we'll get more than marketing with a 1.2.x release. They seem to be pretty hard at work on it.

[Chymera]

Yep, +1 on this. There is way too little documenation on Btsync available. Tried to do a proper GNU/Linux package for this, but I ended up having to go windows-style and put everything in an /opt/  subdirectory because I just don't get how it works 0.o.

[crash893]

.

[Shot2]

Hopefully we'll get more than marketing with a 1.2.x release. They seem to be pretty hard at work on it.

What are they busy with, that's the question of the superbanco. They might as well have spent 15 days working hand-in-hand with their legal team and the NSA on how to implement a backdoor, fwiw. (just kiddin' )

[crash893]

Im sure they are very busy but even a simple "Hey details are due out on 1/1/2014" or "when we release 1.2 we will give you details".

 

 

How long does it take to write back and at least acknowledge the question

[joebush]

The devs don't have any authorization to release any information about the protocol behind this product. It's fully up to the company to make that decision. This product is also still experimental. The client as well as the protocol are still being developed, so it would make no sense to release any information.

 

I'm all for full disclosure of the protocol, and preferably open sourcing the client as well. And after this project is launched as a consumer product, I will be equally disappointed if this isn't done. But until it's ready, all we can do is test the software.

[btusername]

+1

couldnt say it any better myself. I cant recommend this product to anyone until the security claims are validated

[pankid]

I have been wanting to impliment btsync at my work, but I am not really comfortable doing so because of the lack of information.

[Killa]

It is understandable that the dev team is unwilling to release the source code, as there is a company behind BTsync, trying to keep an advantage over the competition. We will consequently never have certainty that there is no NSA backdoor. Still a "whitepaper" giving some insights on the way keys and encryption are managed might help trusting BTSync a little bit more. 

[Joselito]

It seems to be quite clear that the protocol is not going to be opened. This means btsync is dead since its security can never be verified and trusted (Snowdons docs about NSA eavesdropping, backdooring and weakening security means nothing closed will ever be trusted again). And do you trust a tracker on the internet that controls access to your devices ???

 

Fortunatelly there are people working on alternative and open protocols: https://github.com/jewel/clearskies is still early but looks good.

Maybe clearskies will not really take off but other will since there is interest for this kind of stuff.

So please stop asking/begging. Use your feet

[Harold Feit]

It seems to be quite clear that the protocol is not going to be opened.

Based on what exactly?

[Joselito]

Cool. I've not been around the forums for a while, so i probably missed  a post.

So you're confirming/stating that the protocol is stable and will be made public ?

[Harold Feit]

It's not stable yet, but there is the intention to make it public when it is.

[dmason]

It's not stable yet, but there is the intention to make it public when it is.

 

That's great news!