How safe / private / secure is boxee?

**ahreno** · December 8th, 2008, 01:33 AM

I'm just curious as to how safe this whole system is... In a few different ways...

1. Is "someone" tracking what I download?

2. Is "someone" tracking what I watch? Lets face it ... pirated movies and tv shows is a big part of boxee ... whether it's ofically supported or not... the built in torrent downloader is a good example. What happens when someone watches the latest blockbuster movie thats still in theaters? Could Fox or Warner Brothers or someone pay boxee to tell them who's watched it along with their IP addresses? Not saying that they WOULD ... but could they?

3. what happens if/when someone hacks boxee.tv. The login to your online account uses no encryption and pages aren't secure. If someone can get a hold of all our accounts exactly what can they find out? I know they would have the abbilty to add RSS feeds... is there possible ways for them to do damage?

4. is there anything in place to prevent the people at boxee from scanning our hard drive / network / computers and compiling a list of all our media along with our IP address?

I think these are all important questions / issues that need to be discussed. this is a great program and will probably become the center to a lot of home theaters... hopefully it can become nice and secure... and more importantly ANONYMOUS.

**Sultan** · December 8th, 2008, 01:40 AM

I strongly second that. The social aspect is nice, and is a huge part of Boxee, but I'd like the option to use it anonymously.

**agentlame** · December 8th, 2008, 02:33 AM

1. No.
2. No/Yes (See post below) (Note: No part of boxee is designed with piracy intended. How people use technology is their own choice.

)
3. What happens if someone hacks gmail?
4. Yes. (Boxee's private setting)

check-out this thread: http://forum.boxee.tv/showthread.php...ht=dirty+movie

let me know if you still have questions.

**ahreno** · December 9th, 2008, 01:52 AM

1. Do you mean that absolutely zero information about what I download via the built in torrent app is sent to or through a boxee server? I figure that no one is currently monitoring peoples downloads... but is any info on what is downloaded sent through boxee (and therefore a log kept) even simple things like what .torrent files were added to a que.

2. of course it's not designed to support piracy but if some evil doer got a hold of boxee and wanted to download something from that damn pirate bay that i try so hard to get shut down... what exactly is sent from my boxee install to the boxee server? is the actual file name sent? this.movie.is.a.cam.of.a.blockbuster.avi or is it the name resolved to Blockbuster Movie before it hits your servers. Is my IP address logged at anypoint?

3. hacking gmail and hacking boxee are very very different things. For very starters the login at gmail is secured with 128bit encryption. Boxee has no encryption. I'm far from a hacker but I'm going to take a wild guess and say it would be exponentially easier to gain access to boxee accounts than gmail accounts.

And say someone DOES get in. How much interaction would the be able to have with my actual boxee install? Of course on the surface all they're able to do is add rss feeds... but worst case scenario woudl be?

4. from what i understand setting something to private does not remove it from being 'seen' by boxee. It still will show up in my feed but just won't be visible to the outside world... so i assume it's still logged somewhere by boxee.

Not trying to set off tin hat sirens or anything... but it would be really sad if thousands of people based their entertainment centers around boxee then the RIAA got wise and subpoenaed boxee for their log files and finds IP address and media libraries of everyone. Not that it would happen... but it COULD. And it can be prevented if logs are handled with security and anonimity in mind.

any developers able to chime in on this? I'm far from being able to success exact ways on how to accomplish it...

Also another thing... how secure / anonymous is the bit torrent client? Does it black list any of the peer guardian lists? Does it support anonymous bit torrent? Encrypted bit torrent?

**agentlame** · December 9th, 2008, 05:10 AM

Originally Posted by ahreno

1. Do you mean that absolutely zero information about what I download via the built in torrent app is sent to or through a boxee server?

i am. the source code is up.

2. what exactly is sent from my boxee install to the boxee server? is the actual file name sent?

you didn't read the link i posted... no file names. only titles, and on if resolved by imdb. (resolution is done locally.)

3. And say someone DOES get in. How much interaction would the be able to have with my actual boxee install? Of course on the surface all they're able to do is add rss feeds... but worst case scenario woudl be?

the best i can glean is that you're implying a man-in-the-middle attack? which, if happened, they would get control of the settings you see at: app.boxee.tv

4. from what i understand setting something to private does not remove it from being 'seen' by boxee. It still will show up in my feed but just won't be visible to the outside world... so i assume it's still logged somewhere by boxee.

you're confusing boxee with boxee.tv... boxee sees all your local files. boxee.tv only sees what boxee sends it. setting a source in boxee to 'private' stop boxee form sending info to boxee.tv

Not trying to set off tin hat sirens or anything... but it would be really sad if thousands of people based their entertainment centers around boxee then the RIAA got wise and subpoenaed boxee for their log files and finds IP address and media libraries of everyone. Not that it would happen... but it COULD.

it is not only tin hat, it's nonsensical. it could not happen. that would be like the riaa subpoenaing every isp log, ever. you we have entire amendments about this. but that's not here-nor-there, because you can set sources to 'private'.

Also another thing... how secure / anonymous is the bit torrent client? Does it black list any of the peer guardian lists? Does it support anonymous bit torrent? Encrypted bit torrent?

none of the above.

i'm not a dev, but i've answered these questions a lot.

that having been said, you might want to look over the source. mostly libBoxee.a.

**agentlame** · December 9th, 2008, 05:22 AM

also, if you're REALLY concerned, you cold modify libBoxee.a to send everything to 127.0.0.1. and re-compile your own super-secure version.

**cscan** · December 9th, 2008, 07:05 AM

<< 3. What happens if someone hacks gmail? >>

I don't think this is a very adequate response. I think it's reasonable to ask Boxee to use SSL to encrypt our passwords when logging in -- that's a basic feature of any Internet-based system.

I don't think a super-secure, encrypt-everything version is needed, but basic login protection is not much to ask, no?

**agentlame** · December 9th, 2008, 09:26 AM

Originally Posted by cscan

<< 3. What happens if someone hacks gmail? >>

I don't think this is a very adequate response. I think it's reasonable to ask Boxee to use SSL to encrypt our passwords when logging in -- that's a basic feature of any Internet-based system.

I don't think a super-secure, encrypt-everything version is needed, but basic login protection is not much to ask, no?

you are correct... and i agree 100%.

perhaps that answer was less-than-constructive.