Cries of spies as audit group finds possible 'backdoor' in Bittorrent Sync

Popular file sharing platform BitTorrent Sync is 'probably' leaking hashes to its website and access to shared data, a group audit has found. The platform downloaded some 10 million times allowed users to synchronise data over networks using encrypted peer-to-peer at speeds said to be 16 times faster than Dropbox, using …

  1. Khaptain Silver badge
    Thumb Down

    Say it ain't so Joe

    Shit, I switched to BT Sync after DropBox became a bit dubious. Please don't tell me I am going to have to go back to USB keys...

    What I don't like about the article, which feels a little bit trolly, is the fact that it mentions that BTSync "might" be leaking hashes, that there is a "probable" situation and as of yet everything was "unconfirmed"...

    "Might", "probable" and "unconfirmed" are on about the same level of security as every piece of software ever written. This actual article just "might probably" be a little bit pre-nuptial due to its "unconfirmed" statements. I can understand that the El Reg hack might retort that it is a heads-up, but I would be inclined to disagree until something a little more substantial is included...

    1. Dan 55 Silver badge

      Re: Say it ain't so Joe

      A FOSS alternative to BitTorrent Sync is

      Anybody tried it?

      1. Paul Crawford Silver badge

        Re: Dan 55

        Beat me to it: why trust a closed-source program? While open/closed tells you nothing about how good the programmers are, or the underlying ideas, at least with open it is possible[1] to audit the code and much harder to conceal back doors[2].

        [1] Possible yes, but not necessarily going to happen.

        [2] Back doors are still possible, but code changes/commits need a bit more explaining.

        1. Paul Crawford Silver badge

          Re: Dan 55

          I take that back, just had a cursory look at the code and found stuff like this without any comments:

          bs, _ = base64.StdEncoding.DecodeString("H4sIAAAJbogA/0SPsW4iMRCG+3sKM0I6W7L8AKCrTtw16ZIOURh7nDXx2pvxLAQtvHucJZBuPP413/fb/DomS6YvfkwoYbDV2TQQuo4Nk801WUZQJljHhc4Slo/tM1uO7l9MWJ+K9Uigt7B8Bw3LjnkAHcbsOJYsrd6riZBHyuKxdGqKQS7c5bJwphFD/JjHOoY2Ku6onETGk9gQFZLwt4zJ598sUoOJOsNF+KJrkYu4XRCFxO2AqAO6GCL6Baj10ZLwf6zxGJCkWn/L7OU0Ulpt7wLamTc867vEzhxKzBJA6R65K34F/zcvoAdLtq8rgKtqSeewVvlTVk3eENaSjtgeLYJzgUfg9n9Ax3LGtYj2TaD0seL1ulPrX58AAAD//wEAAP//1rAncZcBAAA=")

          gr, _ = gzip.NewReader(bytes.NewBuffer(bs))

          bs, _ = ioutil.ReadAll(gr)

          assets["angular/angular-translate-loader.min.js"] = bs

          So sorry "Syncthing" but unreadable code for me means untrustworthy code.
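          What an auditor actually does with a literal like the one quoted above is reverse it and check the result, rather than trust the map key. The following is an added example (not Syncthing's code and not the commenter's); it assumes nothing about the real blob and works on a constructed sample string, decoding base64, verifying the gzip magic bytes, decompressing under a size cap, and returning a SHA-256 that can be compared against the upstream file the key claims it is.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// maxDecoded caps the decompressed size so a malformed or hostile blob
// cannot exhaust memory while we inspect it (guards against a gzip bomb).
const maxDecoded = 8 << 20 // 8 MiB

// Asset is what we recover from one base64+gzip literal: the bytes,
// their SHA-256 (to compare with the upstream file) and a short preview.
type Asset struct {
	Data    []byte
	SHA256  string
	Preview string
}

// decodeEmbedded reverses the base64 -> gzip -> bytes pattern quoted above.
// Unlike the quoted snippet, every error is checked, the gzip magic is
// verified before decompression, and the output size is bounded.
func decodeEmbedded(b64 string) (*Asset, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, fmt.Errorf("base64: %w", err)
	}
	if len(raw) < 2 || raw[0] != 0x1f || raw[1] != 0x8b {
		return nil, errors.New("not a gzip stream (bad magic)")
	}
	gr, err := gzip.NewReader(bytes.NewReader(raw))
	if err != nil {
		return nil, fmt.Errorf("gzip header: %w", err)
	}
	defer gr.Close()
	// Read one byte past the cap so an oversized stream is detected, not truncated silently.
	data, err := io.ReadAll(io.LimitReader(gr, maxDecoded+1))
	if err != nil {
		return nil, fmt.Errorf("gzip body: %w", err)
	}
	if len(data) > maxDecoded {
		return nil, errors.New("decompressed asset exceeds size cap")
	}
	sum := sha256.Sum256(data)
	preview := string(data)
	if len(preview) > 60 {
		preview = preview[:60] + "..."
	}
	return &Asset{Data: data, SHA256: hex.EncodeToString(sum[:]), Preview: preview}, nil
}

// encodeEmbedded produces a literal in the same format. It exists only so
// the example can build its own constructed sample and run offline.
func encodeEmbedded(data []byte) (string, error) {
	var buf bytes.Buffer
	gw := gzip.NewWriter(&buf)
	if _, err := gw.Write(data); err != nil {
		return "", err
	}
	if err := gw.Close(); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(buf.Bytes()), nil
}

// sampleJS is a constructed stand-in for a bundled web asset (not the real file).
const sampleJS = "angular.module('demo',[]).factory('loader',function(){return function(){return {};};});"

func main() {
	lit, err := encodeEmbedded([]byte(sampleJS))
	if err != nil {
		panic(err)
	}
	a, err := decodeEmbedded(lit)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sha256=%s\npreview=%q\n", a.SHA256, a.Preview)
}
```

          Run against a real embedded literal, the returned SHA-256 is the value to compare with the published minified file of the same name and version; a mismatch is what turns "unreadable" into "worth a closer look".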

          1. wikkity

            Re: but unreadable code for me

            Apart from preferring that that big hardcoded string be defined differently, the rest of the code is perfectly readable. I had a browse through some of the code and it would appear to be easy to follow and understand.

          2. phil dude
            Thumb Up

            Re: Dan 55

            A good call there. Have an upvote for the main reason I want DRM to be stripped from HTML5 - use it to sign, not obscure.


          3. Martin-73

            Re: Dan 55

            Even when decoded that bunch ends up as some pretty obscure binary... so ...err yeah what you said

    2. Salts

      Re: Say it ain't so Joe

      @ Khaptain

      Although it is a bit like saying there is going to be a murder in Texas on Friday night, it is still worth having the heads up about any threat.

    3. ChristianAverill

      Re: Say it ain't so Joe

      Khaptain, Christian here from BitTorrent. These claims have been debunked:

      While I believe these guys had good intentions, they were still clear that their post was not a professional assessment of Sync's security. Unfortunately, it is being interpreted as such.

      Sync has gone through rigorous third party review and has been deemed sound.

      1. Khaptain Silver badge

        Re: Say it ain't so Joe

        Hi Christian ,

        Thanks for taking the time to reply. I can easily understand the difficulty that an article such as this can create for a team of developers/business and the pain in the arse consequences of repairing the damage.

        As I mentioned though, this article was a little bit "trolly" on behalf of El Reg, who are sharing a little bit of fear-mongering whilst riding on the back of "An unnamed research group operating under the popular Hackito conference"...

        And as much as it is always required to read certain El Reg articles with a pinch of salt, articles such as this do make alarm bells ring. As a recent example, we have all seen what has happened to TrueCrypt....

        I truly hope that the findings are purely hypothetical, but meanwhile it is becoming increasingly difficult to trust anything web facing even when encrypted. Snowden has lifted the lid on practices far beyond everyone's initial thoughts; we are now absolutely convinced that the 3 letter agencies have the capacity and do actively exploit weaknesses wherever they can.

        I am sure that BtSync is used for many private files, although personally I have nothing major to lose other than a few ideas, I am sure that there are others who have a lot more vested interests in not having their work "perused" by others.

        I fully sympathise with your team's position and hope that you can quickly overcome this "bump"...

  2. 2460 Something
    Black Helicopters

    "Bittorrent Inc has access to all your encrypted files"

    What .. so can we just quote him directly from now on? You know that if any truth comes from this they will just purport that they told us ages ago.

    1. Bob Wheeler

      And the full quote from the article is...

      "There is nothing even close to 'Bittorrent Inc has access to all your encrypted files'."

  3. psychonaut

    The writer needs to proof read. It's a painful read. Shell out for a few commas next time.

    1. Destroy All Monsters Silver badge

      Phew Phew Phew!

  4. Sebby

    Thank God

    I just dropped BTSync for daily use after the monstrous 4.x upgrade. That it is closed ought to have served as adequate warning, but as long as I had it running and not syncing to anything "Just in case" I had a use for it on my smartphone I was exposed. But, in keeping with my recent tendency to pull out of the cloud and instead centralise everything at home accessed by VPN, I decided to remove the BTSync risk. And not a moment too soon, by the looks of it. :)

  5. Irongut Silver badge

    Bak To Skool

    Darren Pauli needs to go back to school; barely scraping a pass at GCSE English just doesn't cut it. This sentence is particularly nonsensical:

    "One BitTorrent Sync staffer 'kos13' moved to quash the security hole was a deliberate backdoor."

    1. Destroy All Monsters Silver badge

      Re: Bak To Skool

      'Twas typen in the pub downstairs, so cogratulate instead!

      1. Bloakey1

        Re: Bak To Skool

        "'Twas typen in the pub downstairs, so cogratulate instead!"

        Surly "cogratulate" is a spelnig misteak? nut gud two meak spelnig misteak wen takking peas.

