torrentsTime / embed

Embed Torrents Time in your site or project with a tiny piece of code
MIT License

is the source of the downloadable plugin somewhere? #3

Open fernandezpablo85 opened 8 years ago

fernandezpablo85 commented 8 years ago

I'm talking about these two:

screen shot 2016-02-04 at 2 10 22 pm

ghost commented 8 years ago

I agree with Fernandez and please can you provide a Linux version too? Why would I trust you? I don't want to install a black box on my computer. Moreover, I'd like to know whether your plugin relies on NPAPI as it's going to become unsupported by Firefox: https://blog.mozilla.org/futurereleases/2015/10/08/npapi-plugins-in-firefox/

Why not use something like WebChimera to build a plugin-free solution?

@fernandezpablo85 Maybe we can try to do some reverse engineering on those native installers to understand a bit what they do. I can use xar or ark to open the pkg archive under Linux.

ghost commented 8 years ago

Ok it works with "7z x torrentsTime-download.pkg": Bom PackageInfo Payload Scripts [TOC].xml

[gouessej@localhost torrentsTime]$ more PackageInfo

<pkg-info format-version="2" identifier="com.torrentstime.plugin" version="1.0.6.0" overwrite-permissions="false" install-location="/" auth="root">
<payload installKBytes="30425" numberOfFiles="6"/>
<scripts>
    <postinstall file="./postinstall"/>
</scripts>
</pkg-info>
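
The PackageInfo quoted above is small enough to review by hand, but the same check can be automated. The following script is an added example, not code from this repository or from the Torrents Time project: it parses a PackageInfo document (a constructed copy of the one shown in the comment), pulls out the identifier, version, install location, authorization level and any install scripts, and lists the points a reviewer would want to look at before running an opaque installer. The `parse_package_info` and `review_flags` names and the chosen set of flags are the example's own choices.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the PackageInfo text quoted in the thread; it is embedded
# here so the example runs offline without unpacking a real installer.
PACKAGE_INFO_XML = """<pkg-info format-version="2" identifier="com.torrentstime.plugin" version="1.0.6.0" overwrite-permissions="false" install-location="/" auth="root">
<payload installKBytes="30425" numberOfFiles="6"/>
<scripts>
    <postinstall file="./postinstall"/>
</scripts>
</pkg-info>"""


def parse_package_info(xml_text):
    """Parse a flat-package PackageInfo document into a plain dict."""
    root = ET.fromstring(xml_text)
    if root.tag != "pkg-info":
        raise ValueError("not a PackageInfo document: root element is %r" % root.tag)

    payload = root.find("payload")
    scripts = root.find("scripts")
    return {
        "identifier": root.get("identifier"),
        "version": root.get("version"),
        "install_location": root.get("install-location"),
        "auth": root.get("auth"),
        # (script kind, script path) for every preinstall/postinstall entry
        "scripts": [] if scripts is None else
                   [(child.tag, child.get("file")) for child in scripts],
        "payload_kbytes": None if payload is None else int(payload.get("installKBytes", "0")),
        "payload_files": None if payload is None else int(payload.get("numberOfFiles", "0")),
    }


def review_flags(info):
    """Return human-readable review points for a parsed PackageInfo.

    The flags are the example's own review checklist: each one marks something
    that deserves a look before trusting a closed-source installer.
    """
    flags = []
    if info["auth"] == "root":
        flags.append("installer requests root authorization (auth=\"root\")")
    if info["install_location"] == "/":
        flags.append("payload is laid out relative to the filesystem root (install-location=\"/\")")
    for kind, path in info["scripts"]:
        flags.append("%s script %s runs with installer privileges during installation" % (kind, path))
    return flags


def review_package_info(xml_text):
    """Convenience wrapper: parse the document and return (info, flags)."""
    info = parse_package_info(xml_text)
    return info, review_flags(info)


if __name__ == "__main__":
    info, flags = review_package_info(PACKAGE_INFO_XML)
    print("package %s version %s, %s files, %s KB" % (
        info["identifier"], info["version"], info["payload_files"], info["payload_kbytes"]))
    for flag in flags:
        print("  - " + flag)
```

To run it against a real installer, first unpack the .pkg as the comment above does (`7z x torrentsTime-download.pkg`, or `xar -xf` on a system with xar) and pass the extracted `PackageInfo` text to `review_package_info`. The script only reads the manifest; the `Scripts` archive and the `Payload` cpio still have to be inspected separately to see what the postinstall script actually does.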

G-Ray commented 8 years ago

I personally don't trust this plugin as long as it's not open source. All this is clearly to earn money with the VPN service operated by the same team themselves: anonymousvpn.org. The VPN is really expensive BTW.

devlo commented 8 years ago

@G-Ray

Exactly. It's mainly a for-profit project.

LubosD commented 8 years ago

At least on OS X, it installs a NaCl executable, which presumably talks to a helper process /Library/PrivilegedHelperTools/com.torrents-time.helper started by launchd.

Unfortunately, this helper process aborts under Darling on Linux after talking to 5.79.65.173 and then doing some socket operations (opening and closing a socket several times). I did not investigate further.

Forceflow commented 8 years ago

Without open-sourcing the actual plugin, I see no point in trusting this project.

devlo commented 8 years ago

@Forceflow

Yeah, it's so obvious that it's for profit/harm, that's why they do not open source it. Popcorn Time was something different, they open sourced it all. There is big hype around this plugin atm, after PirateBay implemented it; people forget that PirateBay is not managed by the old crew, it's been a for-profit site for a long time now. Now you can't be sure that this plugin will actually not install some malware; it's recognized as Trojan-Downloader.Win32.Generic, which means it downloads/installs something (malware?) without your consent.

ghost commented 8 years ago

@LubosD Thanks. It seems to talk to a server located in Amsterdam, in the Netherlands.

@devlo Which virus scanner do you use under Windows? Have you tested with Winclam (open source)?

devlo commented 8 years ago

@gouessej Kaspersky.

LubosD commented 8 years ago

The helper process now seems to run under Darling (I'll commit fixes later).

I don't know how to enable the NaCl (pexe) part though. So if someone is eager to run proprietary binaries on Linux, there is probably a way :-D

Forceflow commented 8 years ago

@devlo, @gouessej : Some executable packers/obfuscators trigger generic trojan warnings in virus scanners (since why would a program obfuscate its inner workings/layout?) but that doesn't necessarily mean malware is involved. My point is, without the actual source, there's simply no way to know.

Another issue I see with source of plugin not being available is documented in #9

devlo commented 8 years ago

@Forceflow

Not this one. No packer or obfuscator will generate code with network syscalls. You can pretty much get all of what's going on from debugging it and looking at the assembler code - that's how reverse engineering works.

Forceflow commented 8 years ago

@devlo

Interesting, though something as simple as an update check would generate that as well, no?

Could you share a decompilation?

devlo commented 8 years ago

@Forceflow

Yes, it can be a false positive, that's why you see "Generic" in Trojan-Downloader.Win32.Generic.

DoubleRainbow commented 8 years ago

Hey guys

Sorry for the late response, we are very busy.

I'm sorry, but I can't quite understand the concerns you've mentioned. There is nothing suspicious in our technology! It's straightforward, efficient and honest. Yes, Honest with a capital H.

It is state-of-the-art craftsmanship made to stream torrents from your browser and then to be able to convert them to a streamable format and play them with our video player. It has absolutely no other hidden aspects.

We'll be happy to answer any specific professional concern.

andrewmd5 commented 8 years ago

And they deleted my comment so yet again

http://blog.andrew.im/post/139084882590/torrents-time-security-issues

devlo commented 8 years ago

@Codeusa

It's really pathetic to delete comments that show bugs in your software... It shows what kind of people are developing this.

AlexDaniel commented 8 years ago

I'm sorry, but I can't quite understand the concerns you've mentioned.

This is very sad…

ghost commented 8 years ago

@DoubleRainbow If you're honest, why don't you simply release the source code of your plugin? It would show that you're transparent, that you have nothing to hide, and it would help some developers to improve it too. Plugins are going to become unsupported in major web browsers (and yours still doesn't work under GNU/Linux), so why not accept some help to move to a plugin-free solution?

devlo commented 8 years ago

@gouessej

It's obvious why it's closed source: because it's a FOR PROFIT solution/plugin.

iadj commented 8 years ago

Their website mentions they want to implement advertising solutions inside the player. That's why it's closed source. I can't imagine a better way to get indicted by the govt.

iadj commented 8 years ago

@Codeusa Very good article. As described, there is absolutely no reason to use this application as long as it's not being improved upon by an open source community.