JDownloader Community - Appwork GmbH
 

Reply
 
Thread Tools Display Modes
  #1  
Old 19.04.2018, 22:59
neme neme is offline
DSL Light User
 
Join Date: Jan 2011
Posts: 31
Default Logs and data privacy

Hi,

I clicked on the Help -> Create Log -> Continue ... and got some link to send you guys. Is the log automaticly sent to you without any notice or question or information about data being sent?

I saw a tmp folder and log files in it...
I was quite shocked that you get all the premium passwords, list of proxies, vpn access, whole list of past downloads, ip's I connected from etc ...

As you probably know some people may use the software to download movies, music, porn etc. Let's be straight ... Of course you can always say that its users fault and they shouldn't do it (bla bla) - but don't you think that you get maybe to much of sensitive data about peoople that don't know what you do with it, how you store it etc. If I love unusual porn movies or Im a gay that didn't come out and you get list of all movies that I have downloaded, when, where- it's very sensitive data... What sense it make for me to use VPN if the log sent to you contain every file that I've downloaded since 2 years, where I unpacked it, and you have all my access passwords.

:confused:
Anyways I apprieciate your work
neme

Last edited by raztoki; 20.04.2018 at 01:22.
Reply With Quote
  #2  
Old 20.04.2018, 01:12
raztoki's Avatar
raztoki raztoki is offline
English Supporter
 
Join Date: Apr 2010
Location: Australia
Posts: 17,117
Default

creation of logs process in which have to select the menu and confirm the log sessions that you're submitting (timestamps). Log creation is not your download or linkgrabber list entirety (as in not your history for x years). We can not see VPN passwords. We can not see proxy passwords. Yes logs can contain sensitive information (in which you have access to see yourself within logs/ path). We can see your IP via reconnection module or commonly presented in HTML response from the websites JD uses for you. We can see hoster user:passwords (we get sent hundreds a month for support reasons and we do not abuse them. Access to fix plugins and then we no longer use the account). We ask during support issues that you just upload only the session(s) required as its easier to identify issues and requires less bandwidth/storage on our end. Logs are stored on encrypted volume. They are purged after set time. They are not linked to you in any manner other than the information within and the LinkID (random id) that you provide us during support.

If we wanted your reported information we could gather it within software without your knowledge and send it home (just like any other software installed to your computer). Since we are not interested in what 'your doing/you've been doing' over what the last 10 years, I'd hope that worry is unfounded.

raztoki
__________________
raztoki @ jDownloader reporter/developer
http://svn.jdownloader.org/users/170

Don't fight the system, use it to your advantage. :]

Last edited by raztoki; 20.04.2018 at 01:21.
Reply With Quote
  #3  
Old 20.04.2018, 09:08
Jiaz's Avatar
Jiaz Jiaz is offline
JD Manager
 
Join Date: Mar 2009
Location: Germany
Posts: 67,320
Default

@raztoki: I've recently updated debug infos to include connection settings as well to debug proxy/connection/filter issues.

@neme:
The logs are not sent automatically. You first have to manually open the *Create Log* window and select the ranges. And then you have to click on *Continue*. That's far from automatically.

You can easily disable logs completely by setting Settings-Advanced Settings-Log.maxlogfilesize to 0 and restart
JDownloader automatically cleanup Settings-Advanced Settings-Log.cleanuplogsolderthanxdays

As raztoki already explained, uploaded logs are stored in encrypted way and only accessable by few staff members auto removed after timeout. Logs can only help us fixing/locating issues when they contain as much information as possible (Request, Response,ResponseContent)...We can't fix a plugin issue if we can't see the server response that has caused it.
Same goes for wrong configuration, for example wrong white/blacklisting in connection settings. Or invalid download folder or disk full and so on.

Users trust us(the developers) and JDownloader enough to use it for daily *downloading* of *family holiday photos* without thinking about such topcis at all. Same users also trust firefox/chrome and yet those send EVERY SITE/DOWNLOAD to safebrowing service first and they don't care about!? Chrome on windows even scans your files on disk! I always wonder why they start thinking about such topics when talking about logs? In this case about local stored logs they can easily disable and that are NOT sent automatically.
If we really would want to mess with your privacy and more important, your trust, we could easily modify JDownloader and kill the whole project very fast/drive it against the wall.

If you have further questions about this, please don't hesitate and write. It's important to us that there are no open questions or concerns.
__________________
JD-Dev & Server-Admin
Reply With Quote
  #4  
Old 20.04.2018, 11:28
neme neme is offline
DSL Light User
 
Join Date: Jan 2011
Posts: 31
Default

Thank you both for being open on the topic and answering. I got you guys with your point of view, that you could be evil already if you wanted to. On the other hand as IT specialists Im sure that you understand that's not the case. For me JD with it's transparency was always number one as the software that I can trust - even though I didn't check the sourcode at any point.

@raztoki Im nota tech guy but I've seen inside of a zipped log passwords to recently used hosters, unpacked files, proxies etc.

Let's say I've downloaded:
18.04.2018: files from: YouTube
18.04.2018: files from: RapidGator
19.04.2018: files from: Facebook
19.04.2018: files from: Porntube with VPN
20.04.2018: files from: Keep2Share
20.04.2018: Tried to download files from: UL.to and got an error
(it's just an example - I don't know if YT, Fb or PT need passwords to work)

So from what I can see in the log file you will get all the passwords in plain text and list of files that I've downloaded. I cannot control the conents of the log (even in really small matter) - lets say delete file names downloaded from services different than "UL.TO" and don't send other passwords than to service "UL.TO". If previous downloads were fine (before an error occurred), why would I want to send all the passwords? If the log says that connection was fine with Keep2Share, Porntube etc (look example above) than why would you "need" passwords to these services?

I suppose that in most cases filenames are not crucial so actually they could be wildcarded.

@Jiaz
Quote:
Originally Posted by Jiaz View Post
@neme:
The logs are not sent automatically. You first have to manually open the *Create Log* window and select the ranges. And then you have to click on *Continue*. That's far from automatically.
Im sorry, I not fully agree with You @Jiaz. Spot the difference:
Code:
How sending logs looks now:
Menu -> Create log -> Select ranges (not pick ranges) -> Continue
How should I know that after I press continue something will be already sent? "Continue" is a button like "next" and not "Done"/"Finish"/"Send".

Code:
How sending logs could look like:
Menu -> Create log -> Select ranges or pick manually -> 
See the contents of the log, question encrypt log "Yes/No" -> 
click the button "Send the log" (not "continue" !)
or else somewhere in the process of creating a log a possibility to pick the problematic host/part of the sofware so not much more will be send then needed.

Maybe it's more about awarness and concious decision.

Quote:
Originally Posted by Jiaz View Post
Users trust us(the developers) and JDownloader enough to use it for daily *downloading* of *family holiday photos* without thinking about such topcis at all. Same users also trust firefox/chrome and yet those send EVERY SITE/DOWNLOAD (...)
I DO think about privacy and try to configure the software the best way I can which is of course not easy (Chrome send automaticly list of passwords to Google account and spy through services and devices, there are digital fingerprints everywhere etc). I belive you want to make JDownloader at your best not comparing it to the different software and world that went crazy with getting our data.

Im always amazed by your work - for all the years, especially for support. I haven't seen this kind of quality in almost any commercial software. My concerns with privacy came when looked at the log and I started to wonder if it's not some kind of way that you would make money on Jdownloader because you do it for free/donation based and I was always curious with it.

Greetings,
neme
Reply With Quote
  #5  
Old 20.04.2018, 11:38
Jiaz's Avatar
Jiaz Jiaz is offline
JD Manager
 
Join Date: Mar 2009
Location: Germany
Posts: 67,320
Default


I've created a ticket for dialog modification.
We will also include text that better informs that logs may contain personal data
After selecting range, it will show what log files will be included and give the option to select/deselect single log files and then hit final *upload/create* button.

That way you can fine select what to send. For example issue with UL, so only send the UL logs.
__________________
JD-Dev & Server-Admin

Last edited by Jiaz; 20.04.2018 at 11:46.
Reply With Quote
  #6  
Old 20.04.2018, 11:42
Jiaz's Avatar
Jiaz Jiaz is offline
JD Manager
 
Join Date: Mar 2009
Location: Germany
Posts: 67,320
Default

Quote:
Originally Posted by neme View Post
I suppose that in most cases filenames are not crucial so actually they could be wildcarded.
Filenames can contain special chars which break downloading/post processing. Also user might have several issues and mean a specific download. And filenames are important to fix encoding issues, for example for servers that use wrong encoding/broken headers.
__________________
JD-Dev & Server-Admin
Reply With Quote
  #7  
Old 20.04.2018, 11:45
Jiaz's Avatar
Jiaz Jiaz is offline
JD Manager
 
Join Date: Mar 2009
Location: Germany
Posts: 67,320
Default

Quote:
Originally Posted by neme View Post
... and I started to wonder if it's not some kind of way that you would make money on Jdownloader because you do it for free/donation based and I was always curious with it.
We rely on adware (only during installation, no hidden/forced installation, no malware, can be skipped/decline), advertising, affiliates and donations to keep JDownloader free to use. See https://support.jdownloader.org/Know...g-installation
We also offer an adware free installer, see http://jdownloader.org/jdownloader2
__________________
JD-Dev & Server-Admin
Reply With Quote
  #8  
Old 20.04.2018, 11:48
Jiaz's Avatar
Jiaz Jiaz is offline
JD Manager
 
Join Date: Mar 2009
Location: Germany
Posts: 67,320
Default

Filtering the log is nearly impossible, for example the filename. It may be encoded (javascript, hex, base64, urlencoded..) within URL, HTML, Http Headers. Same for any other information. It will only make debugging/fixing lot harder.
__________________
JD-Dev & Server-Admin
Reply With Quote
  #9  
Old 20.04.2018, 11:52
Jiaz's Avatar
Jiaz Jiaz is offline
JD Manager
 
Join Date: Mar 2009
Location: Germany
Posts: 67,320
Default

Quote:
Originally Posted by Jiaz View Post
We rely on adware (only during installation, no hidden/forced installation, no malware, can be skipped/decline), advertising, affiliates and donations to keep JDownloader free to use. See https://support.jdownloader.org/Know...g-installation
We also offer an adware free installer, see http://jdownloader.org/jdownloader2
If we really would want to kill the project, there would be better ways than asking users to create logs *I hope it's clear that I'm just joking*
__________________
JD-Dev & Server-Admin
Reply With Quote
  #10  
Old 20.04.2018, 11:55
Jiaz's Avatar
Jiaz Jiaz is offline
JD Manager
 
Join Date: Mar 2009
Location: Germany
Posts: 67,320
Default

Please don't hesitate to comment/discuss
PS: I've discussed some more changes that we will implement over time
__________________
JD-Dev & Server-Admin

Last edited by Jiaz; 20.04.2018 at 17:20.
Reply With Quote
  #11  
Old 21.04.2018, 03:29
raztoki's Avatar
raztoki raztoki is offline
English Supporter
 
Join Date: Apr 2010
Location: Australia
Posts: 17,117
Default

@Jiaz
thx for the clarification, I wasn't aware of those changes
__________________
raztoki @ jDownloader reporter/developer
http://svn.jdownloader.org/users/170

Don't fight the system, use it to your advantage. :]
Reply With Quote
  #12  
Old 21.04.2018, 12:26
neme neme is offline
DSL Light User
 
Join Date: Jan 2011
Posts: 31
Default

Quote:
Originally Posted by Jiaz View Post

I've created a ticket for dialog modification.
We will also include text that better informs that logs may contain personal data
After selecting range, it will show what log files will be included and give the option to select/deselect single log files and then hit final *upload/create* button.

That way you can fine select what to send. For example issue with UL, so only send the UL logs.
Thank you
[suggestion]As for me it would be great to see:
a) set of files that will be send and quick overview what they are for
b) summary information about "sensitive" data being sent: ip, login, password, connection dates and time, filenames, machine details (if they're being sent) like configuration, computer name, folder names that files are unpacked to etc.

@Jiaz @raztoki

Last edited by Jiaz; 23.04.2018 at 15:40.
Reply With Quote
  #13  
Old 21.04.2018, 12:52
neme neme is offline
DSL Light User
 
Join Date: Jan 2011
Posts: 31
Default

Quote:
Originally Posted by Jiaz View Post
We rely on adware (only during installation, no hidden/forced installation, no malware, can be skipped/decline), advertising, affiliates and donations to keep JDownloader free to use. See **External links are only visible to Support Staff**...
We also offer an adware free installer, see **External links are only visible to Support Staff**...
The "adware" you're talking about is the hosting company banner?
I don't know if these ideas are in the area of your interest but I thought I can share this: (excuse my english) - I hope you (@raztoki @Jiaz) can see/read this below(?):
I think you could make great deals with reselling VPN's - WITHOUT favour any of them (unless there will be a special suited offer for jdownloader - lots of proxies, connection through TOR, more privacy etc.) - this is a very fast growing industry with great affiliate possibilities.
Great site that you could use to make your VPN offer:
**External links are only visible to Support Staff****External links are only visible to Support Staff**

You could be also the biggest hosters reseller
And if someones premium account is going to finish SOON - you could propose him new -that you will have cheaper, registered on new disposable e-mail (for privacy) etc. What would be interesting is you as some kind of "firewall" between the hoster and user. So user might pay you money in EUR, USD etc and you could buy account for him in cryptocurrency.

You could probably get (if users agree) a list of most downloaded files and put them on yours premium accounts and add a "TOP 100" chart to Jdownloader - so people would buy and / or download the files with your referrer.
[/ISSUE]
========
In general I think you could gain a lot more interest by working on privacy - look: signal / telegram / cryptocurrencies etc . People are not aware of what's happening and those who are hate the fact that we are being spyed on all the time.
Care for users privacy more than they can do it by themselves

That's my 5 cents on business model which you probably already have managed

See you around!
nemO

Last edited by Jiaz; 23.04.2018 at 14:30.
Reply With Quote
  #14  
Old 22.04.2018, 10:23
dabrown dabrown is offline
Black Hole
 
Join Date: Jun 2015
Location: North America
Posts: 266
Default

The adware is a browser toolbar that is (supposedly) optional. Most malware programs flag the JD2 installation because it contains said useless and hard to remove adware toolbar in the installer.
Reply With Quote
  #15  
Old 23.04.2018, 15:39
Jiaz's Avatar
Jiaz Jiaz is offline
JD Manager
 
Join Date: Mar 2009
Location: Germany
Posts: 67,320
Default

Quote:
Originally Posted by neme View Post
I think you could make great deals with reselling VPN's - WITHOUT favour any of them (unless there will be a special suited offer for jdownloader - lots of proxies, connection through TOR, more privacy etc.) - this is a very fast growing industry with great affiliate possibilities.
We are already working on that. But because of limited development ressource and other stuff of higher priority this will take some time
__________________
JD-Dev & Server-Admin
Reply With Quote
  #16  
Old 23.04.2018, 15:43
Jiaz's Avatar
Jiaz Jiaz is offline
JD Manager
 
Join Date: Mar 2009
Location: Germany
Posts: 67,320
Default

@neme: We will look into changing the log handling/dialog/upload but can't promise any eta. Please don't think that this isn't important to us but I'm drowning in work and other work and paper work and support and .....
__________________
JD-Dev & Server-Admin
Reply With Quote
  #17  
Old 23.04.2018, 15:45
Jiaz's Avatar
Jiaz Jiaz is offline
JD Manager
 
Join Date: Mar 2009
Location: Germany
Posts: 67,320
Default

Quote:
Originally Posted by dabrown View Post
The adware is a browser toolbar that is (supposedly) optional. Most malware programs flag the JD2 installation because it contains said useless and hard to remove adware toolbar in the installer.
We're working with IronSource and don't enforce any installation nor do any hidden installation. We offer an installer with adware (toolbar, search engine..) that you can decline/skip as well as an adware free installer, see http://jdownloader.org/jdownloader2
see https://support.jdownloader.org/Know...g-installation
__________________
JD-Dev & Server-Admin
Reply With Quote
  #18  
Old 23.04.2018, 15:45
Jiaz's Avatar
Jiaz Jiaz is offline
JD Manager
 
Join Date: Mar 2009
Location: Germany
Posts: 67,320
Default

@neme: I have some more privacy optimizations in mind for logging but those require major changes and will take some time
__________________
JD-Dev & Server-Admin
Reply With Quote
  #19  
Old 09.12.2019, 01:40
Beer Beer is offline
JD Fan
 
Join Date: Oct 2019
Posts: 70
Default

I'm essentially worried about how this data is stored and transferred. Stored in both my machine, yours and the path in between.

Worried that it might be susceptible to government level type adversaries. It would be like shooting fish on a barrel if they, or high profile rogue hackers would be able to access said information.

Some of us are pretty high value targets (not me, lol), dealing with large amounts of currency and such. Although i gather that big players would bring in a level of sophistication that would mitigate their vulnerabilities to a certain extent.

I am worried about whether you are compelled to deliver personal data, logs and such on your jurisdiction if a court order is approved, during an ongoing investigation and if we would be notified.

Now, regarding the clipboard observer. Are you keeping logs on everything from my clipboard? That would be an even greater liability. Sure we must trust someone. I trust microsoft. I trust ProtonVPN. I even trust Google to respect my privacy settings. I trust my addons, because i have trust in Google, Firefox and PrivacyTools, lol.

As far as applications go. I have to trust my AV. Good firewalls exist so we can control who, when and if it goes in or out, but not what. There are ways to conceal this information within encrypted channels deemed legitimate.

I mean, these things have to work properly, because if they don't, an article appears on thehackernews and we all get to know about the leaks. But what if something happens with JD? Look at what happened with NordVPN.

Even the most secure applications and organizations commit security blunders. I know you guys are good at what you do, but... I just wanna know how much of a liability am i facing.

Sure i have nothing to hide, but it don't matter. I wanna be able to have something to hide and still not being worried about whether my system is jeopardized.

Without having to use Qubes or Parrot OS and being a nerd, i hate nerds! Thug life! Lol... I believe in hiding in plain sight. Most amusing strategy there is. No risk, no fun.

Listen, i just wanna know if i am making it hard on the bad guys. :D
Reply With Quote
  #20  
Old 09.12.2019, 06:20
raztoki's Avatar
raztoki raztoki is offline
English Supporter
 
Join Date: Apr 2010
Location: Australia
Posts: 17,117
Default

Their is risk in everything you do in life.
Whats in them is what's present in /logs/ you can see this yourself.
JD logs are of what you've been doing in that session (Timestamps). logs/sessionid/
They are provided by yourself when you require help. We typically ask that you provide logs from a session that doesn't have to much background noise (heavy session with non related content happening in the background). Just inflates logs, and the storage requirement.
Clipboard isn't logged (for memory), urls that match patterns are. this then triggers plugin activity.
Feel free to run JD in debug mode or via a debugger and you can see everything the application does. Else have a read of the source code.

raztoki
__________________
raztoki @ jDownloader reporter/developer
http://svn.jdownloader.org/users/170

Don't fight the system, use it to your advantage. :]
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

All times are GMT +2. The time now is 15:54.
Provided By AppWork GmbH | Privacy | Imprint
Parts of the Design are used from Kirsch designed by Andrew & Austin
Powered by vBulletin® Version 3.8.10 Beta 1
Copyright ©2000 - 2020, Jelsoft Enterprises Ltd.