I just realized that a Russian torrent client shows 100% availability for files and directories for which there has not been any publishing of magnet nor torrent file. There are only two Tixati installs on two PCs (one with 3.3.3, the other with 3.3.8) in my LAN that have those files (so I thought ...).
How can that happen ?
Perplexity indicated that there may be a leak in the DHT implementation that allows such?
Can you pls. advise?
TXs
Michael

Announcing to a DHT, in any client is PUBLIC.  There's nothing to leak.  This applies to all torrent clients.

How do you think BTDigg works exactly?

You can browse other people's torrents just by going into DHT, Peer DB tab.  Each line is a torrent hash.  You can just copy those and open as a magnet link and browse the files.  That's what all the scraper bots do.  There's nothing to be done about it, except don't use DHT and use a private tracker instead.

What exactly is a “Russian torrent client”? Did you mean some torrent search service?

Also, if you need to transfer torrent contents over local network, you can either enable local peer discovery, or manually add local addresses and ports of the other peer on both sides. See Transfers — Peers - Local peers. For single use, you can add local peer manually on Options tab for specific torrent. If you create a private torrent without trackers (or disable DHT and PEX for a regular torrent before starting it), no one from outside is going to learn about it.

Obviously, there are simpler methods for local file transfer. See, for example, copyparty for lots of functionality. Windows Network mounts also work fine, the trick is to create a dedicated user account with a password for network login on a serving system (via net user), grant it access rights, and everything will magically work without any braindead guides about unearthing guest access.

OP, I know exactly what you're talking about.  It's a problem with the DHT and BitTorrent protocol itself.  The DHT is full of scraper bots now.

I have almost completed a solution to this.  It might not be ready for the next 3.39 release, but the one after that for sure.  I am hurrying things along as quick as I can.

Magnet links will be fully private, and the SHA-1 hash algorithm will be gone.  The specification will be posted to the bottom of https://tixati.com/specs/bittorrent  very soon.  It will be referred to as protocol version 3.1.

Just hang in there, it's almost done....

TXs for all the education by your responses, and big TXs @KH for the hope you are triggering!

PS: "Russian torrent client" was bad English. torrent client FROM Russia (apparently ..., by whois) is what I meant. Their IP is always present, in Wikipedia and OAM World Maps alike.
But now I understand how, and what I could do for now - if I wanted.
As the maps will be published anyway, I am not concerned re. those files. But I stumbled across that alien IP, when I definitely did not expect one (back then - now I know) at all.

Bots from 31.200.249.0/24 are just the most noticeable, there are many others which could only connect once momentarily to get torrent metadata when you weren't looking. They don't have your files, it's just fake data. Public DHT is open to the whole world because its job is to let anyone in the world find any peer they might need.

This is very true, BUT, with a little foresight they could have made a few minor adjustments to the design to prevent the current problems.

Lookups and announcements could have been done under a hash of the info hash.  This way, anyone scraping their own DHT DB for magnet links would be left high and dry.

With protocol v3.1 (specs will be posted soon), the DHT lookup/announce is made to a derivative of main identifying torrent info hash.  Also there's a zero-knowledge proof added to the peer handshake to stop anyone that might try to inject themselves into the DB and wait for incoming connections to read the info hash from the peer handshake.  I've also considered a man in the middle attack on this and keyed it to the encrypted peer connection's Diffie Hellman shared secret to prevent such leaks.

It's a relatively simple set of changes, and I'm rushing to include this in the next Tixati release.

Well, it appeared 20 years ago, when connection encryption was not even considered generally useful, and RC4 and MD5 were “good enough for regular public”. In a couple of years, some people using a funny way of processing texture data on 3D accelerators would show how fast could brute force be on common consumer hardware, and accidentally start the mess we're in today.

The SHA-1 usage couldn't be helped 20 years ago, but I don't know why they didn't do the double-hash for the DHT, at least to discourage the bots from getting the file infos.

It will be so nice when that problem is over!  I'm so tired of seeing unwanted visitors when I make a torrent.

why would not you want to reveal torrent in public dht? what about the spirit of sharing?

People should have the choice.

^ Agreed... Curious if the new implementation will leave that choice? I always assumed DHT is effectively public and this was understood.

(I'm not any of the previous "Guest" users, just throwing in my 2 cents.).

Use protocol v3.1 to create torrents in the new 3.39 client.

DHT scrapers are found but can't connect.  Works like a charm.

Just saw the earlier response, downloaded and updated. Works (donation on the way). But did not test the v3.1 Protocol yet.
How will 3.1 mode interact with other torrent clients that not (yet) support v3.1?
TXs
Michael

So you all think that DHT search engines like BTDigg is a bad thing? I can't understand! So if in future every one use v3.1 as default, BTDigg can die? Congrats! For kill one of the best thing in torrent that is this DHT search engines.

If you use version 3.1 “hashed infohash” for announces, only other Tixati clients supporting it can connect. Users also need to get the same torrent/magnet from you (or from the same source you got them), but that's by definition.

No but I am so sick of when I make a torrent to share something with my friends there's a bunch of russian and dutch flags that suddenly jump into the torrent and start pulling the meta info.  It's all so tiresome.

Besides, you can just use v3 if you want something to be be public to DHT sniff, and then use v3.1 for the private stuff.  At least the SHA-1 nightmare is being dealt with in a way that isn't over-complicated (unlike v2 which is a complete shitshow and super-difficult to correctly implement).

I understand is really tiresome, but is not better just put all files into a rar with a strong password that you can share with your friends? Because if implemented by every client I think that almost nobody can use the old v3. Has a lot of things that I had access that was only possible using a DHT search engine, this change can limit the access of people to files, including some very rare ones, this is so bad.