DEF CON Bittorrent Configuration Guide Announcement

This is the first part of several announcements about how DEF CON is moving to a more secure and privacy oriented deployment on all of our services. In part 1 I'll talk about what DEF CON is doing with our bittorrent file sharing, the next part will address our eMule / ED2K / KAD sharing.

DEF CON currently shares our content using bittorrent (very popular) and the eMule ED2k and KAD (not very popular) networks. We also run to act as one of the bittorrent trackers we use in our torrent files. We've done this for a couple years, but as part of a new years resolution we have or will be doing the following to max out our security and privacy for these services in 2015.

- Enable protocol encryption: We support encryption (obfuscation) but don't require it to connect. From what I can tell it is RC4 and designed in late 2006. It apparently is not even encryption, but obfuscation. [1]

- Disable DHT: Because we run a tracker and only server content, we don't go looking for other clients to download from [2], the DHT feature isn't necessary for us to enable. It also helps us disable another UDP service that can be abused.

When building torrent files there are a couple options to increase security:

- Don't use any trackers that use udp or http in your torrent files: Not many trackers that I've found support https, but it solves a couple of problems at the expense of some speed and CPU cycles on the tracker side. This is where DEF CON is moving toward, modern CPUs are plenty fast.

- We support web seeds and will use https exclusively to provide a direct download option in the future. Our older torrents include two seed links, one link for http and one for https for maximum compatibility.

For we have moved to only serving over TCP to not be an attractive UDP DDoS amplification target.

- We only serve torrents over https: We are now sending http redirects to https for people hitting our tracker over http. In the future we will regenerate all our torrents to use only https trackers and only https web seed links. Again I bet this costs us some traffic, but because we give away our content for free there is no lost monitization for us to worry about. Instead we are trying to walk the walk and learn what it takes to share as securely as possible.

- To do: Find other popular trackers that support https we can use when rebuilding torrents.

When the torrent file is complete and ready to be promoted it is critical you protect it as best you can, as it acts as a protection against someone breaking into your server and altering your media files. If they do that the checksums in the .torrent will fail and the down-loaders will discard the infected files. To get around this attackers would want to modify your torrent file to allow the altered files to be served. Don't let this happen! Serve from a static file server over https, set the torrent immutable, etc. You want all roads pointing to your well protected and https linked torrent files.


In our next installment I'll cover our eMule / eD2K / KAD configurations and strategy.

The Dark Tangent