Re: Filezilla a security risk
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
damn, why can't postbox answer to the list instead of the posters email?
Camaleón schrieb:
> Yes, they can as well as they can also encrypt the current user
> settings from the XML file but they don't want to. Period and full
> stop.
True. Sad, but true.
>> What I'm trying to say is that our machines are pretty much very
>> complex and it is very easy to overlook things.
> It has been always so, Filezilla is not inventing nothing anew.
Jep, but they could respect this and give the user a little bit of extra
security.
(...)
>> No, but the really important data is encrypted in a way so even if
>> my machine is running all the time the container isn't accessible
>> all the time.
> Well done but I'm afraid you fit the 1% of the users that do so. I,
> by
True. Another reason for FZ to help those 99%. (Hey, cool, I'm the 1%,
where is my money? ;))
> the way, store thousand of plain text based e-mail messages (mbox)
> containing passwords for many Internet services. If I were paranoid
And so do I, at least on my Phone which I can't encrypt.
> enough, I'd only use hard disk encryption but this is still not in my
> to- do list.
I use HDD encryption for everything that I could loose or what might get
stolen, like our RDX-Backup-Drives I have in my bag anytime. Also all
Notebooks, some USB-Sticks and USB-Drives.
>>> I do check the files I donwload from the web, regardless they are
>>> going to be opened from windows or linux, e-mails are also
>>> scanned by means of ClamAV and USB keys are not anutomatically
>>> mounted thus can be also easily analyzed first.
>> That's the scenario I tried to point out above.
> And despite all the precautions I take, I have no problems with
> having a password stored in clear text ;-)
Just because you are NOT paranoid that doesn't mean that they are not
after you. ;)
>>> Curiously enough is not only Filezilla who takes the path for
>>> not encrypting the user credentials so there has to be a reason
>>> in behind for that to happen so often...
>> Laziness? Why did last.fm stores the passwords of their users as
>> MD5-Hash without salting them?
> No, developers are not lazy but practical: they simply don't want to
> use weak methods to handle this.
What's weaker, password encryption, file access rights or both of it
together? For little effort.
But, you're right. Developers are usually not lazy, at least our aren't.
Sometimes they might didn't have enough time to implement the next
security layer, but I don't know if this apply to FZ as well.
>>> Anyway, aren't most of us still using plain pop3 and smtp
>>> connections with no message encryption at all? Who are we
>>> blaming? >;-)
>> Most of my messages are not encrypted because the receiving end
>> isn't capable of that. But my Credentials will only be transmitted
>> when the connection is secure (even if the MTA is in the same
>> network).
> Again, you must pertain to the 1% of the users that do that ;-)
> Anyway, if the recipient does not use a secure protocol to download
> the data (pop3s/imaps), the security chain is broken and thus
> useless, you see now why devels are not lazy? Because you can't just
> take control of all ;-)
I don't care about the transport of the content. It's like sending
postcards. But I care about my password. We're using LDAP and my
Mail-Password is also my System-Login. ;)
>> SSL is pretty much snakeoil nowadays, but it's better than
>> nothing.
> That's the kind of reasoning software developers do: "if there's no
> 100% secure system, why should *I* bother"?
Why are they developing *BSD? Why should I bind some of my Services to
localhost if I have a firewall?
(...)
> Okay... I better return back to my cave, dust my typewritting machine
> and problem solved.
You got a cave? How comfortable. :)
> When you work in a corporate environment, disabling the external
> devices is a must. The biggest hole in a computer system is always
> the user. Always.
I think it depends on the company size and the company culture. We are
23 people at the moment and everybody can bring in his own devices and
connect them to our network and machines (WLAN is separated from the
LAN, only Internet-Access, it's not encrypted but you have to use a
captive portal to log in).
The deal is that if you for example has VPN access within you device you
have to inform me in case of loss, so I could disable the accounts for
that device. Also your device should have a remote delete function and a
password protection is mandatory. My users understand those rules and
take care of them. But yes, I guess I'm lucky.
>> Anyway I think we're going pretty much offtopic. My point is that
>> it would be a nice feature for FZ (and other tools) to store
>> passwords more secure. And I don't like the attitude of the
>> developers saying that it's not their problem if someone could read
>> the file who isn't allowed to. At least as such a feature is rather
>> easy to implement and won't affect the user experience in a bad
>> way.
> Nah, developers are made of different stuff and they rarely listen to
> their users...
But they should. They can get a lot of valuable feedback. Ok, our
developers are mainly developing for the people at our company and have
to work with them every day. That's making some kind of difference. I
can imagine as OpenSource-Developer you get a lot of bullshit requests.
> and hey, it's open source! You can hire a programmer, make a fork
> ("FileZilla-S" for secure) and add all the enhancements you want ;-
Forking a program for a single little feature doesn't make a lot of
sense to me. Either you will have to patch the upstream version every
now and then or you end up with a Fork that doesn't get any new
features, also it might confuses some users.
Bye.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQEcBAEBAgAGBQJP7fwaAAoJEGqblLUjc3f4kdcH/0FmkD7aAs++33v0nd9RML/O
V13l3xLzRf7Vm4sLvzcrbvyCouFnVnCnjbUWsLJw2wNEaKNPk9MXcUHTcXyXkhHD
Cal+/txA70RbiEAByyCjz7gd2C1MnQ9RDCGf3k4w3qTnOLISxRkIEfUoeEoUrU6O
dXexGJea7Cf8diP4DHKtMQKstWROHrjOhH47KBJPo0nTeGt4ldn3SvpW9CC6Bs/C
MYZOw6+aJBDewKUbh3JllfDF2xoCHrYQrPUJAllSJI+3Wi8uzabOPduyd8WsnUZ5
aHMFt+v1TT30YBA++DSp8zpM8ZydDdUy2qjNWPZx5L3V2kI3DGv3ZOOmLaeh0cc=
=EoMX
-----END PGP SIGNATURE-----
Reply to: