[Gllug] Bittorrent and security?

Chris Bell chrisbell at overview.demon.co.uk
Sat Aug 21 11:59:48 UTC 2004


On Fri 20 Aug, Andrew Roberts wrote:
> 
> On Wed, 18 Aug 2004 10:55:31 +0100 (BST), Chris Bell  
> <chrisbell at overview.demon.co.uk> wrote:
> 
> > Hello,
> >    I have a local proxy box providing quick access to Debian files
> > without excessive loading on the internet, but it seems that the new
> > preferred means of connection is via bittorrent cooperative servers.
> > While it appears that the data should be encrypted and safe, I feel
> > uneasy about security when there are many unknown boxes linked
> > together, and there are so many people using open relays to distribute
> > worms. It is not unknown for well maintained servers to be broken, but
> > I feel I can place more trust in the large academic and ISP mirror
> > sites than huge numbers of small sites run by a variety of users.
> >
> 
> http://bitconjurer.org/BitTorrent/FAQ.html
> Question: How do I know the download isn't corrupted?
> 
   The system I have been using (jigdo - jigsaw downloader) downloads the
latest skeleton CD set with command files and signature direct from one of
the main Debian servers. My local apt-proxy mirror already has most of the
Woody (stable) and Sarge (testing) distributions. The jigdo facility then
builds the latest CD set using my local mirror as a proxy server, and does
security checks on all files and also the complete rebuilt CDs.
   My local proxy can download files from any mirror sites that I specify,
including the large academic mirrors and my ISP, so reducing the load on the
Debian servers. The weekly set of skeleton files did not appear last week,
but may appear again this weekend.

   The new bittorrent system appears to use a similar skeleton CD frame
downloaded from the main site, together with software located on many main
mirror sites, but relies on file sharing between many clients using local
software installed at every linked site, all acting as open relay servers
for encrypted files, with file checking on arrival. This would seem to be
reasonably secure if all sites can be trusted, and reduces the load on all
main mirrors. Bittorrent will run on a variety of operating systems,
including M$.

   Unfortunately absolute security cannot be guaranteed, and even well
organised and administered main sites can be cracked. The main Debian site
was found to have a probe installed using a developer's password after his
personal machine was cracked, so all files on their complete system had to
be checked last year.
   There are even doubts about the security offered using SHA-1 and MD5
encryption after several researchers recently suggested possible ways of
cracking the code, and it may be possible to crack MD5 using a reasonable
computer within a few hours, or SHA-1 using linked clusters. If bittorrent
could be broken on any OS it could provide a linked cluster of computers
owned by a variety of users expecting a large amount of internet access.

-- 
Chris Bell

-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
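As an added illustration (not part of the original thread or of any BitTorrent client), this is the "file checking on arrival" the message refers to: the .torrent metadata carries one SHA-1 per fixed-size piece, and a client re-hashes every piece a peer sends before accepting it, so an untrusted relay can only waste bandwidth, not substitute content. The sample payload and the 1 KiB piece size are constructed for the demonstration.

```python
import hashlib

# Constructed sample: a 2560-byte "file" and a 1 KiB piece size (real torrents
# use 256 KiB and up; the mechanism is identical).
PIECE_LENGTH = 1024
SAMPLE_PAYLOAD = bytes(range(256)) * 10  # three pieces, the last one short


def split_pieces(payload: bytes, piece_length: int) -> list[bytes]:
    """Split a payload into fixed-size pieces; the final piece may be shorter."""
    return [payload[i:i + piece_length] for i in range(0, len(payload), piece_length)]


def piece_hashes(payload: bytes, piece_length: int) -> bytes:
    """Build the 'pieces' value of a .torrent info dict: concatenated 20-byte SHA-1s."""
    return b"".join(hashlib.sha1(p).digest() for p in split_pieces(payload, piece_length))


def verify_pieces(payload: bytes, piece_length: int, pieces: bytes) -> list[int]:
    """Return the indices of pieces whose SHA-1 does not match the trusted metadata.

    This is the check a client runs on each piece before writing it out. The
    metadata itself must come from a source you trust (e.g. a signed file on a
    main mirror): those hashes are the root of trust for everything peers send.
    """
    if len(pieces) % 20 != 0:
        raise ValueError("pieces blob must be a multiple of 20 bytes")
    expected = [pieces[i:i + 20] for i in range(0, len(pieces), 20)]
    received = split_pieces(payload, piece_length)
    if len(expected) != len(received):
        raise ValueError(f"expected {len(expected)} pieces, got {len(received)}")
    return [idx for idx, (exp, piece) in enumerate(zip(expected, received))
            if hashlib.sha1(piece).digest() != exp]


def tamper(payload: bytes, offset: int) -> bytes:
    """Flip one byte at offset, simulating a corrupted piece arriving from a peer."""
    data = bytearray(payload)
    data[offset] ^= 0xFF
    return bytes(data)


if __name__ == "__main__":
    trusted = piece_hashes(SAMPLE_PAYLOAD, PIECE_LENGTH)
    print("clean download, bad pieces:", verify_pieces(SAMPLE_PAYLOAD, PIECE_LENGTH, trusted))
    corrupted = tamper(SAMPLE_PAYLOAD, 1500)  # offset 1500 falls in piece 1
    print("tampered download, bad pieces:", verify_pieces(corrupted, PIECE_LENGTH, trusted))
```

A real client discards a failing piece and re-requests it from another peer; the check protects integrity, not confidentiality, and says nothing about who else is downloading.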