Cries of spies as audit group finds possible 'backdoor' in Bittorrent Sync Popular file sharing platform BitTorrent Sync is 'probably' leaking hashes to its website and access to shared data, a group audit has found. The platform downloaded some 10 million times allowed users to synchronise data over networks using encrypted peer-to-peer at speeds said to be 16 times faster than Dropbox, using …
Shit I switched to BT Sync after DropBox bcome a bit dubious. Please don't tell me I am going to have to go back to USB keys...
What I don't like about the article, which feels a little be trolly, is the fact that it mentions that BTSync "might" be leaking hashed, that there is a "probable" situation and as of yet everything was "unconfirmed"...
"Might", "probable" and "unconfirmed" are on about the same level of security as every piece of software every written. This actual article just "might probably" be a little bit pre-nuptial due to it's "unconfirmed" statements. I can understand that the El Reg hack might retourque that it is a heads-up but I would be inclined to disagree until something a little more substantial is included...
A FOSS alternative to BitTorrent Sync is http://syncthing.net/.
Anybody tried it?
Beat me to it: why trust a closed-source program? While open/closed tells you nothing about how good the programmers are, or the underlying ideas, at least with open it is possible[1] to audit the code and much harder to conceal back doors[2].
[1] Possible yes, but not necessarily going to happen.
[2] Back doors are still possible, but code changes/commits need a bit more explaining.
I take that back, just had a cursory look at the code and found stuff like this without any comments:
bs, _ = base64.StdEncoding.DecodeString("H4sIAAAJbogA/0SPsW4iMRCG+3sKM0I6W7L8AKCrTtw16ZIOURh7nDXx2pvxLAQtvHucJZBuPP413/fb/DomS6YvfkwoYbDV2TQQuo4Nk801WUZQJljHhc4Slo/tM1uO7l9MWJ+K9Uigt7B8Bw3LjnkAHcbsOJYsrd6riZBHyuKxdGqKQS7c5bJwphFD/JjHOoY2Ku6onETGk9gQFZLwt4zJ598sUoOJOsNF+KJrkYu4XRCFxO2AqAO6GCL6Baj10ZLwf6zxGJCkWn/L7OU0Ulpt7wLamTc867vEzhxKzBJA6R65K34F/zcvoAdLtq8rgKtqSeewVvlTVk3eENaSjtgeLYJzgUfg9n9Ax3LGtYj2TaD0seL1ulPrX58AAAD//wEAAP//1rAncZcBAAA=")
gr, _ = gzip.NewReader(bytes.NewBuffer(bs))
bs, _ = ioutil.ReadAll(gr)
assets["angular/angular-translate-loader.min.js"] = bs
So sorry "Syncthing" but unreadable code for me means untrustworthy code.
Khaptain, Christian here from BitTorrent. These claims have been debunked: http://forum.bittorrent.com/topic/32592-bittorrent-sync-security-is-our-highest-priority/
While I believe these guys had good intentions, they were still clear that their post was not a professional assessment of Sync's security. Unfortunately, it is being interpreted as such.
Sync has gone through rigorous third party review and has been deemed sound.
Hi Christian ,
Thanks for taking the time to reply. I can easilly understand the difficulty that an article such as this can create for a team of developers/business and the pain in the arse consequences of repairing the damage.
As I mentioned though, this article was a little bit "trolly" on behalf of El Reg, who are sharing a little bit of fear-mongering whislt riding on the back of "An unnamed research group operating under the popular Hackito conference"...
And as much as it is always required to read certain El Reg articles with a pinch of salt, articles such as this do make alarm bells ring. As a recent example, we have all seen what has happend to TruCrypt....
I truly hope that the finding are purely hypothetical but meanwhile it is becoming increasingly difficult to trust anything web facing even when encrypted. Snowden has lifted the lid on practices far beyond everyones initial thoughts, we are now absolutely convinced that the 3 letter agencies have the capacity and do actively exploit weaknesses wherever they can.
I am sure that BtSync is used for many private files, although personally I have nothing major to lose other than a few ideas, I am sure that there are others who have a lot more vested interests in not having their work "perused" by others.
I fully sympathise with your teams position and hope that you can quickly overcome this "bump"...
I just dropped BTSync for daily use after the monstrous 4.x upgrade. That it is closed ought to have served as adequate warning, but as long as I had it running and not syncing to anything "Just in case" I had a use for it on my smartphone I was exposed. But, in keeping with my recent tendency to pull out of the cloud and instead centralise everything at home accessed by VPN, I decided to remove the BTSync risk. And not a moment too soon, by the looks of it. :)
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
