Heavensrevenge

I apologize ahead of time -- Can the dev's stop being assholes and release the crypto/architectural documentation please?


I really do apologize for that and I hope I'm not banned, but this really needs to be said again. The dev team really needs to stop being assholes and ignoring the need to release the specifics about this protocol, and documentation regarding the protocol for this and now, eventually, BT-Chat, to show it is solid and really is a wonder of engineering.

Yes your solutions work pretty darn good, but you are preventing your own growth by withholding such critical documentation and specifics about how this operates and if we can actually trust anything to these protocols.

Until the documentation is published I can not vouch for BT-Sync anymore. You've waited too long for no reason, and IF your solution really is secure, well then prove it, and you'll have nothing more to prove than by showing your technical capability is as much as it seems to be. Being closed source doesn't help; without it you will never see it grow regardless of how well it works, sort of like driving down the road in a 1/2 built dune-buggy. Sure it works, but it feels HORRIBLE and is horrible to drive. So if you're keeping it closed to keep everyone out of the secret of how bad your implementation is, then fine, that's reasonable, but it still won't gain anyone's confidence to rely on you for real tasks.

Until anything is published I will have to actively warn against but also discourage the use of this and BT-Chat until you actually pull your act together and do the right thing.

I will be hoping for it, and I will be eagerly awaiting the good news IF it ever comes.

Sincerely,

Eric


I'm irritated that there isn't more information available. I won't get upset about it unless they offer the enterprise solution with the same information being absent. I can daydream about the project going to an open source license but with the enterprise beta signups I have reservations about that ever happening.


As every researcher will tell you, the most basic rule of cryptography, defined by Kerckhoffs' principle, is:

NO SECURITY THROUGH OBSCURITY

i.e. the security of the system should not be dependent on the secrecy of the employed algorithms, but only on the secrecy of the keys.

Sadly, as it stands, I cannot ascertain whether or not this is the case for BTSync.

Wherever this cannot be ascertained, one may assume one of two things as a possibility, as follows:

  1. hidden implementations point to weak, i.e. arbitrarily secure systems
  2. presence of "backdoors"


A reminder on the basic levels of security by descending order of security:

  • unconditionally secure
  • conditionally secure
  • very well reviewed
  • barely reviewed
  • secret


You don't have to release it under Open Source, but at least make review possible!


It is a shame they haven't prioritized it. I'll be hopeful but won't hold my breath.

I just hope I reminded these people, instead of them thinking we'll forget about it and just ignore their lack of documentation, with our ignorance being their bliss.


Hopefully being mentioned on last week's Security Now will get some more people aware of the importance of it all. FWIW communicating those things to the public is pretty darn important. 


Honestly, I'd be happy if they even selected a group of security researchers to get an inside look at the way they have this setup. I personally don't have the time to sift through and analyze it myself. I imagine there are plenty of people out there like me who would be perfectly content if we saw security analysis from 4-5 reputable security experts. Steve Gibson is a great start, and he's already requested such a review.


Why the hold up? It's starting to make things smell funny.


Yeah, I'm not really understanding why they have yet to address this situation at all. I work with a few companies that keep asking but won't use it until something is released, and I'm sure there are many more, and then you have someone like Steve Gibson reaching out to you because he's excited about the project and would give his seal of approval.

:(


Unfortunately it's been my experience that the devs (or at least the devs that frequent this board) are not what you would call "people persons".

I would hate to see something so cool die on the vine because they don't want to address the peasants.


Yep, +1 on this. There is way too little documentation on Btsync available. Tried to do a proper GNU/Linux package for this, but I ended up having to go Windows-style and put everything in an /opt/ subdirectory because I just don't get how it works 0.o.


Hopefully we'll get more than marketing with a 1.2.x release. They seem to be pretty hard at work on it.

What are they busy with, that's the question of the superbanco. They might as well have spent 15 days working hand-in-hand with their legal team and the NSA on how to implement a backdoor, fwiw. (just kiddin' :D)


I'm sure they are very busy, but even a simple "Hey, details are due out on 1/1/2014" or "when we release 1.2 we will give you details".

How long does it take to write back and at least acknowledge the question?


The devs don't have any authorization to release any information about the protocol behind this product. It's fully up to the company to make that decision. This product is also still experimental. The client as well as the protocol are still being developed, so it would make no sense to release any information.


I'm all for full disclosure of the protocol, and preferably open sourcing the client as well. And after this project is launched as a consumer product, I will be equally disappointed if this isn't done. But until it's ready, all we can do is test the software.


It is understandable that the dev team is unwilling to release the source code, as there is a company behind BTsync trying to keep an advantage over the competition. We will consequently never have certainty that there is no NSA backdoor. Still, a "whitepaper" giving some insights on the way keys and encryption are managed might help in trusting BTSync a little bit more.


It seems to be quite clear that the protocol is not going to be opened. This means btsync is dead, since its security can never be verified and trusted (Snowden's docs about NSA eavesdropping, backdooring and weakening security mean nothing closed will ever be trusted again). And do you trust a tracker on the internet that controls access to your devices?

Fortunately there are people working on alternative and open protocols: https://github.com/jewel/clearskies is still early but looks good.

Maybe clearskies will not really take off, but others will, since there is interest in this kind of stuff.

So please stop asking/begging. Use your feet ;)
