Ratio Vulnerability in BitTorrent Discovered

An anonymous reader writes "The "vulnerability" has been tested on all the major torrent trackers that use the torrentbits source code. The idea is that you will sniff your torrent info using the HTTP Analyzer and with Firefox you will update your stats to the tracker being identified as a client."

Neccessary Exposure

[Sv-Manowar]

As much as many people will ask if disclosure was a good idea in this case, it's important to remember that if one person can find this vulnerability and make it public, an unknown number of people could have found it and be making use of it in the background. The functionality of BitTorrent depends on clients seeding copies of the file back into the network after having downloaded, and a vulnerability like this in a significant amount of trackers could easily cause serious damage to the operation of many torrents.

Re:Was it good to publicise this?

[zegebbers]

According to the IE7 thread, the only way to force fixes is by disclosing vulnerabilities. Goose, gander etc I suppose

Re:Was it good to publicise this?

[Sorthum]

Actually, this is a common concern among security folks. "If we announce a bug, those who don't patch are going to get pwned."

Only security researchers generally don't use the term "pwned" in their press releases...

Re:Was it good to publicise this?

I'm going to be a bit vitriolic, but you deseve it.

Was it really a good thing to make this public?

Yes, it was. This way, all people will know about the vulnerability, and we can get around to design something better - instead of it spreading among leachers and not to the general population.

Won't this cause a new wave of leechers?

That's part of the idea. Bittorrent is an open protocol, and when everyone knows about the vulnerability - it's a tad more pressure on various developers to remove the design flaws.

A lot of trackers are built on torrentbits.

So fucking what? Do you want to tell mother nature not to send a hurricane against New Orleans, because it will be a disaster? No, you won't.

What you will do, on the other hand, is try to design something that works. If it doesn't work, it's back to the drawing board. Keeping silent is what companies such as microsoft think is a good idea. It is not. It's a hellish bad idea. You'll have various scum abusing the vulnerability without everyone knowing about it. You'll have admins having these kind of thing biting them in the ass without being prepared for it.

Publishing this kind of information, even though when it's a deep design flaw in the trackers such as this, makes it easier to cooperate and eliminate the fuckups. Keeping silent about it doesn't do any good at all.

Did you know that various worms abused sendmails "debug" command in eariler years? And that it gave you a root-shell on the mailserver? No? Well, it wasn't very smart - and a lot of people knew about it, without giving it much publicity. It was way larger than this idiotic flaw, but it was your idiotic idea about 'shutting up about it' that caused the havoc.

One should always disclose security flaws. No exception. Even though if hundreds of millions will be caught in the middle. It's the only way to ensure that it'll be fixed, and that everyone will know about it - at least everyone that cares enough to follow the news.

Now onto an idea on how to fix this garbage. It's not a bug in the bittorrent protocol, as it won't affect how much various people send to eachother. It'll mainly affect statistics on various sites, and whether you will be banned or not. Personally I think the solution is for every client to upload how much their peers have sent them - and for the peers to check that amount. Think of it as 'trusted third party'. If any of the peers disagree too much about the amount over time, they discontinue talking to each other - and the client that disagrees logs an 'objection' with the torrent-server. If we're talking several gigabytes of data, it should be very easy to spot by the administrators. Especially if it's the same peer that gets flak all the time.

Of course, this will be problematic when you think about NAT's, as various computers behind NAT-devices will check their internal IP, and not the external one. That, however, is not the responsibility of the trusted third party, but the responsibility of the peer. Unfortunately this will make things more difficult, but hell, it's a tradeoff in any case. This might be solved through in-band communication with peers telling each other who they think the other party is.

Ahwell. Enough ranting.