
Re: Filezilla a security risk



On 29.06.2012 15:56, Camaleón wrote:

>> The ONLY reason why Linux-based systems haven't got such a problem with
>> malware is that there are not enough desktop machines to make this a
>> good target. Often enough there are security holes which allow you to
>> take control over the entire machine. And that's fine, as it is complex
>> software.
>
> True, but what's your point here?

The point is that software can't be 100% secure. So when possible it is a good idea to have more than one security layer. A bug in Apache may cause someone to get access to your FileZilla settings. At the moment this would be a big problem; if the file is encrypted the problem is still there, but you have some additional time to change your passwords. Good thing.

> Should my Debian system become cracked or infected by any kind of threat
> I would worry more about my usual files and not the settings for
> Filezilla. I mean, nothing new here, security is a "multi-edged" sword.

Really? I would worry more about the remote servers listed in my FileZilla config (if there are any), because they might belong to customers, friends, etc. I might get worried about my backups as I want to restore my compromised system.

>> But if you can easily add some more security layers without losing too
>> much performance and/or usability you should always do that.
>
> Maybe... but you'll get a false impression of protection that can be even
> more nocive as you'll relax your security notion.

Humans make mistakes, and a false impression of protection may lead you to such mistakes; this is true. That's one reason why we don't run background virus checks on our machines (mails are being scanned and you can do on-demand checks for USB media, etc.).

But it is easy to tell users that all files from those media may be evil. It's much harder to tell them that their programs might store sensitive data in a way that isn't secure. At least this is much harder than it is for the FileZilla guys to store passwords encrypted.

>> Storing unhashed and unsalted or unencrypted passwords is simply stupid.
>> Ask the guys at last.fm. ;)
>
> Again, there are files on my servers (e.g., SSL keys) and also my Mutt

SSL/SSH Keys should have a password or should be stored in some kind of encrypted container.

> configuration file (that holds my e-mail account password) which are
> stored in cleartext. So...?

Pretty stupid, isn't it? ;) An encrypted container wouldn't help a lot here, because I assume your MUA is running most of the day, right? So the container has to be open all the time and any malware could read the file.

> Do you want us to remove the ethernet cord? ;-)

Would be a nice thing from a security point of view, that's why I mentioned comfort and performance. :)

Bye.
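A defender-side check for the two cleartext credential stores the thread argues about, FileZilla's site manager file and a .muttrc that sets a mail password. This is an added example, not code from the list thread or from either project; it assumes the sitemanager.xml layout (one <Server> entry per saved site with a <Pass> child, optionally marked base64, which is obfuscation rather than encryption) and mutt's `set var=`command`` syntax, and both inputs are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of FileZilla's sitemanager.xml (assumed layout: one <Server>
# per saved site with a <Pass> child; "base64" encoding is obfuscation, not encryption).
FILEZILLA_XML = """<FileZilla3><Servers>
  <Server><Host>ftp.example.test</Host><User>alice</User><Pass>hunter2</Pass></Server>
  <Server><Host>sftp.example.test</Host><User>bob</User>
          <Pass encoding="base64">aHVudGVyMg==</Pass></Server>
  <Server><Host>keyauth.example.test</Host><User>carol</User></Server>
</Servers></FileZilla3>"""

# Constructed sample .muttrc: one literal password and one fetched through mutt's
# `set var=`command`` form, which lets the secret stay in an encrypted file instead.
MUTTRC = """set imap_user = "alice@example.test"
set imap_pass = "hunter2"
set smtp_pass = `gpg -dq ~/.mutt/smtp_pass.gpg`
"""

_MUTT_PASS_RE = re.compile(r"^\s*set\s+(imap_pass|smtp_pass|pop_pass)\s*=\s*(\S.*?)\s*$")

def filezilla_stored_passwords(xml_text):
    """Return (host, encoding) for each site whose password is recoverable from the file."""
    found = []
    for server in ET.fromstring(xml_text).iter("Server"):
        pw = server.find("Pass")
        if pw is not None and (pw.text or "").strip():
            found.append((server.findtext("Host"), pw.get("encoding", "plain")))
    return found

def muttrc_literal_passwords(text):
    """Return mutt password variables assigned a literal string instead of a `command`."""
    return [m.group(1) for m in map(_MUTT_PASS_RE.match, text.splitlines())
            if m and not m.group(2).startswith("`")]

def report(fz_xml=FILEZILLA_XML, muttrc=MUTTRC):
    """Human-readable findings; both inputs default to the constructed samples above."""
    lines = [f"FileZilla: password for {host} stored in sitemanager.xml ({enc})"
             for host, enc in filezilla_stored_passwords(fz_xml)]
    lines += [f"mutt: {var} is a literal string in .muttrc"
              for var in muttrc_literal_passwords(muttrc)]
    return lines

if __name__ == "__main__":
    print("\n".join(report()) or "no cleartext credentials found")
```

To run it against your own files, pass the contents of ~/.config/filezilla/sitemanager.xml and ~/.muttrc to report(); the base64 finding is deliberate, since a base64-encoded password is as readable to malware as a plain one.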
