Linux Archive: Debian User list

06-28-2012, 04:17 PM
Jon Dowland

Filezilla a security risk

On Wed, Jun 27, 2012 at 08:58:39PM -0300, francis picabia wrote:
> On Wed, Jun 27, 2012 at 4:46 PM, Andrei POPESCU
> <andreimpopescu@gmail.com> wrote:
> > On Mi, 27 iun 12, 16:26:48, francis picabia wrote:
> >> I've just learned Filezilla is a security risk. It stores saved
> >> passwords and the last used password in a plain text file.
> >
> > As do many other programs.
>
> Huh. None that I run. Perhaps your standards are, uh, different.

No need to get ad-hominem. Andrei is correct, there *are* many that
do that, and many *in Debian* that do that. What Andrei runs or does
not run is irrelevant.


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/20120628161707.GD11366@debian
 
06-28-2012, 07:24 PM
francis picabia

Filezilla a security risk

On Thu, Jun 28, 2012 at 12:35 PM, Shane Johnson
<sdj@rasmussenequipment.com> wrote:

>
> Please remember that FTP by nature is insecure. All it would take is
> for someone to packet sniff the connection and they would have the
> user name and password to the account as they are transmitted in plain
> text.

Yes, this is all correct. However filezilla does sftp as well and
SFTP session passwords are also saved in this plain text file as
a human readable password. That typically translates to SSH access.

In case this is lost on anyone, we are NOT talking about sniffing, but
drive by malware reading a plain text file on the client OS containing
the password.
Even if you do not check the box for saving the password, the most
recent entered password is saved there.


Archive: http://lists.debian.org/CA+AKB6ExyFTWPjq=JmqKJsQjxHxqqwcb-naikn9U10h0Jt0fHw@mail.gmail.com
 
06-28-2012, 08:18 PM
Camaleón

Filezilla a security risk

On Thu, 28 Jun 2012 20:48:27 +0200, Stanisław Findeisen wrote:

> On 2012-06-28 16:45, Camaleón wrote:
>>> 1. encryption: that's the file system's job
>>
>> True.
>
> Hm? You mean partition encryption?

What? :-?

> It won't help much if the malware is running with file owner's uid... or
> even if the system is booted at all (if you e.g. encrypt just /home).

I don't know what you mean... "Encryption" (of the user credentials, I
understand) is what Filezilla developers think is something that has to
come from the OS and the file system capabilities. And that's true, in
linux systems there are POSIX permissions you can use to prevent your
files from being accessed by others.

If your account is hosed, well, go to their second argument: "2. don't
get the malware in the first place" ;-)

Greetings,

--
Camaleón


Archive: http://lists.debian.org/jsie79$no$18@dough.gmane.org
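The POSIX-permission protection Camaleón refers to is easy to check and easy to get wrong. The script below is an added example, not something from the thread or from the Filezilla project: it audits a client-side credentials file (a constructed sample, since the thread never names the real file) for owner-only access and tightens it when it is too open. It does nothing against malware running under the same uid, which is exactly the gap francis picabia is pointing at; it only closes the "other users on the same machine" case.

```shell
#!/bin/sh
# Added example (not from the thread): audit a client-side file that holds
# saved credentials. Checks that it is owned by the calling user and that
# group/other have no permission bits at all (mode 0600 or stricter).
# Assumption: GNU coreutils stat (-c); BSD/macOS would use stat -f '%Lp %u'.

# check_private_file FILE
# Returns 0 when FILE is owned by the current uid and closed to group/other,
# 1 otherwise; prints the reason either way.
check_private_file() {
    file=$1
    if [ ! -f "$file" ]; then
        echo "MISSING: $file"
        return 1
    fi
    mode=$(stat -c '%a' "$file") || return 1
    owner=$(stat -c '%u' "$file") || return 1
    me=$(id -u)
    if [ "$owner" != "$me" ]; then
        echo "BAD OWNER: $file is owned by uid $owner, expected $me"
        return 1
    fi
    # The last two octal digits are the group and other bits; both must be 0.
    case "$mode" in
        *00) echo "OK: $file mode $mode"; return 0 ;;
        *)   echo "TOO OPEN: $file mode $mode (group/other can read it)"; return 1 ;;
    esac
}

# lock_down_file FILE
# Tightens FILE to owner read/write only and re-runs the check.
lock_down_file() {
    chmod 0600 "$1" && check_private_file "$1"
}

# Demo on a constructed file so the script runs offline.
demo_dir=$(mktemp -d)
demo_file="$demo_dir/saved-sites-example.txt"
printf 'constructed sample: host=example.invalid user=alice pass=hunter2\n' > "$demo_file"
chmod 0644 "$demo_file"          # the typical default umask result
if check_private_file "$demo_file"; then
    echo "unexpected: a 0644 file passed"
else
    echo "tightening it..."
    lock_down_file "$demo_file"
fi
rm -rf "$demo_dir"
```

Run it as the user who owns the client profile; a cron job over the profile directory makes a cheap drift check, but the caveat stands: same-uid malware reads a 0600 file just as easily as a 0644 one.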
 
06-28-2012, 11:26 PM
Denis Witt

Filezilla a security risk


> If your account is hosed, well, go to their second argument: "2.
> don't get the malware in the first place" ;-)

Great Argument, btw. Oh, I got an Airbag on my car, get rid of the
brakes please. I don't need them anymore.

The ONLY reason why Linux based systems haven't got such a problem with
malware is that there are not enough Desktop machines to make this a
good target. Often enough there are security holes which allow you to
take control over the entire machine. And that's fine as it is complex
software.

But if you can easily add some more security layers without losing too
much performance and/or usability you should always do that.

Storing unhashed and unsalted or unencrypted passwords is simply stupid.
Ask the guys at last.fm.

Bye.


Archive: http://lists.debian.org/4FECE810.4030101@concepts-and-training.de
 
06-29-2012, 01:16 AM
Richard Hector

Filezilla a security risk

On 29/06/12 11:26, Denis Witt wrote:

>> If your account is hosed, well, go to their second argument: "2.
>> don't get the malware in the first place" ;-)
>
> Great Argument, btw. Oh, I got an Airbag on my car, get rid of the
> brakes please. I don't need them anymore.


That's the wrong way round. I have brakes and drive safely, so an airbag
isn't essential. Which isn't to say I'd get it removed if I had one.


Richard


Archive: http://lists.debian.org/4FED01E9.3040405@walnut.gen.nz
 
06-29-2012, 01:48 AM
Rob Owens

Filezilla a security risk

On Thu, Jun 28, 2012 at 10:03:19AM +0200, Claudius Hubig wrote:
> Hello francis,
>
> francis picabia <fpicabia@gmail.com> wrote:
> > On Wed, Jun 27, 2012 at 4:46 PM, Andrei POPESCU
> > <andreimpopescu@gmail.com> wrote:
> > > On Mi, 27 iun 12, 16:26:48, francis picabia wrote:
> > >> I've just learned Filezilla is a security risk. It stores saved
> > >> passwords and the last used password in a plain text file.
> > >
> > > As do many other programs.
> >
> > Huh. None that I run. Perhaps your standards are, uh, different.
>
> Pidgin & OpenSSH if used without passphrases, just to name two
> examples. Claws-Mail applies some weird obfuscation that doesn't
> really help, except for that I have to store my passwords somewhere
> else in plaintext, too.
>
Where does OpenSSH store a password? Or are you referring to a
passphrase-less private key?


Archive: http://lists.debian.org/20120629014827.GB5965@aurora.owens.net
 
06-29-2012, 02:00 AM
Rob Owens

Filezilla a security risk

On Thu, Jun 28, 2012 at 04:24:43PM -0300, francis picabia wrote:
> On Thu, Jun 28, 2012 at 12:35 PM, Shane Johnson
> <sdj@rasmussenequipment.com> wrote:
>
> >
> > Please remember that FTP by nature is insecure. All it would take is
> > for someone to packet sniff the connection and they would have the
> > user name and password to the account as they are transmitted in plain
> > text.
>
> Yes, this is all correct. However filezilla does sftp as well and
> SFTP session passwords are also saved in this plain text file as
> a human readable password. That typically translates to SSH access.
>
True, but you can restrict certain users to SFTP access only. I do
that, and I only allow SSH access with public key authentication.

> In case this is lost on anyone, we are NOT talking about sniffing, but
> drive by malware reading a plain text file on the client OS containing
> the password.
> Even if you do not check the box for saving the password, the most
> recent entered password is saved there.
>
I notice that GFTP, for example, does not seem to save any passwords
unless you 1) create a bookmark for the connection, and 2) check the
"Remember Password" box. That seems like a sensible way to do it, but
you will still be at risk with an unsavvy user and/or malware on the
machine.

Malware can be in the form of a key logger, which will get anything you
type. Unsavvy users will typically check a box in the name of
convenience, and give little thought to the security implications.

-Rob


Archive: http://lists.debian.org/20120629020026.GC5965@aurora.owens.net
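Rob's server-side mitigation limits what a stolen SFTP password is worth: shell logins require keys, and the SFTP accounts are confined to a chrooted internal-sftp with no forwarding. The script below is an added example, not configuration from the thread or from any project; it audits an sshd_config for that layout. Assumptions: the confined group is named "sftponly" (any name can be passed as the second argument), the Match line is written as "Match Group <name>" with a single group, and the two config files it runs on are constructed samples written into a temp directory.

```shell
#!/bin/sh
# Added example (not from the thread): check that sshd_config disables
# password logins globally and confines one group to chrooted SFTP with
# ForceCommand internal-sftp and no TCP forwarding. A password leaked from
# a client-side file then buys at most a chrooted SFTP session, not a shell.
# Assumption: a single "Match Group <name>" block; other Match blocks are
# treated as not ours.

# audit_sftp_only CONFIG GROUP
# Prints each weakness found; returns 0 only when every check passes.
audit_sftp_only() {
    awk -v grp="$2" '
    function lc(s) { return tolower(s) }
    { sub(/#.*/, ""); if ($0 ~ /^[ \t]*$/) next }       # drop comments and blanks
    lc($1) == "match" {                                  # entering a Match block
        inmatch = (lc($2) == "group" && $3 == grp)
        next
    }
    !inmatch && lc($1) == "passwordauthentication" { global_pw = lc($2) }
    inmatch && lc($1) == "forcecommand" && lc($2) == "internal-sftp" { force = 1 }
    inmatch && lc($1) == "chrootdirectory" { chroot = 1 }
    inmatch && lc($1) == "allowtcpforwarding" && lc($2) == "no" { notcp = 1 }
    END {
        ok = 1
        if (global_pw != "no") { print "WEAK: global PasswordAuthentication is not \"no\""; ok = 0 }
        if (!force)  { print "WEAK: group " grp " has no ForceCommand internal-sftp"; ok = 0 }
        if (!chroot) { print "WEAK: group " grp " has no ChrootDirectory"; ok = 0 }
        if (!notcp)  { print "WEAK: group " grp " may still use TCP forwarding"; ok = 0 }
        if (ok) print "OK: shell access is key-only and " grp " is confined to SFTP"
        exit ok ? 0 : 1
    }' "$1"
}

# Demo on two constructed configs so the script runs offline.
demo_dir=$(mktemp -d)
cat > "$demo_dir/sshd_config.good" <<'EOF'
# constructed sample: shell users need keys, sftponly users get a chroot
PasswordAuthentication no
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PasswordAuthentication yes
EOF
cat > "$demo_dir/sshd_config.weak" <<'EOF'
# constructed sample: any stolen password is a full shell
PasswordAuthentication yes
Subsystem sftp internal-sftp
EOF
for cfg in "$demo_dir/sshd_config.good" "$demo_dir/sshd_config.weak"; do
    echo "== $cfg"
    audit_sftp_only "$cfg" sftponly || echo "   -> fails the audit"
done
rm -rf "$demo_dir"
```

The password-authenticated group still needs the ChrootDirectory to be root-owned and not group/other-writable, which sshd enforces at login time rather than in the config; this check only covers the directives themselves.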
 
06-29-2012, 06:17 AM
Andrei POPESCU

Filezilla a security risk

On Vi, 29 iun 12, 13:16:25, Richard Hector wrote:
> On 29/06/12 11:26, Denis Witt wrote:
> >>> If your account is hosed, well, go to their second argument: "2.
> >>> don't get the malware in the first place" ;-)
> >Great Argument, btw. Oh, I got an Airbag on my car, get rid of the
> >brakes please. I don't need them anymore.
>
> That's the wrong way round. I have brakes and drive safely, so an
> airbag isn't essential. Which isn't to say I'd get it removed if I
> had one.

+1

Kind regards,
Andrei
--
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic
 
06-29-2012, 09:28 AM
Denis Witt

Filezilla a security risk

On 29.06.2012 03:16, Richard Hector wrote:


>>> If your account is hosed, well, go to their second argument: "2.
>>> don't get the malware in the first place" ;-)
>>
>> Great Argument, btw. Oh, I got an Airbag on my car, get rid of the
>> brakes please. I don't need them anymore.
>
> That's the wrong way round. I have brakes and drive safely, so an airbag
> isn't essential. Which isn't to say I'd get it removed if I had one.


Maybe, seat belts are also not essential, but in many countries the
usage is mandatory, for a good reason.


So my argument is still valid. It is good to have as much security as
you can get as long as performance and comfort are still fine.


Bye.


Archive: http://lists.debian.org/4FED752B.20301@concepts-and-training.de
 
06-29-2012, 01:20 PM
Linux-Fan

Filezilla a security risk

On 06/27/2012 09:26 PM, francis picabia wrote:
> I've just learned Filezilla is a security risk. It stores saved
> passwords and the last used password in a plain text file.
>
> Malware commonly scoops up this info and hacks web sites
> or shell accounts.
>
> The developer refuses to incorporate a solution
> such as master password and encryption into filezilla.
>
> His responses in numerous bug reports and feature requests are:
>
> 1. encryption: that's the file system's job
> 2. don't get the malware in the first place
>
> In my opinion, people should avoid filezilla.

Thank you for your warning. I immediately switched to gftp because
storing passwords unencrypted violates my security standards.


Archive: http://lists.debian.org/4FEDAB92.8080406@web.de
 
