06-29-2012, 01:35 PM
francis picabia
Filezilla a security risk

The posts about how there are other risks from malware and keyloggers
are true enough. I never claimed that avoiding filezilla would make the Windows
system secure. But if you have your doors and windows open, and want
to reduce the chance of theft, then I'd say filezilla is like a patio
door wide open on the scale of opportunities and the prevalence of the exploit.

The prevalence of a risk and the ease of executing the exploit
is what matters first. Whether it is possible to do
something else matters, but less. The greatest risk
is with what is currently happening in high frequency and has
a high likelihood of reoccurring. Debian Security Advisory
doesn't have this, but Redhat and Malware advisories rank
threats in terms of ease of execution, popularity in the wild
and severity of the damage which could result.

In my work place, people have thanked me for this warning. Even IT
people who work Information Systems are glad to know of this risk and
did not know of it before.

In the workplace, people use Windows and Unix. They do not have
the luxury of being as dogmatic as some Linux users. They are
mostly interested in working practically.


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/CA+AKB6HRWca7xrB7YRD3i4=FvyhUSg74HMcj7ckGtX2wxeKWgw@mail.gmail.com
 
06-29-2012, 01:56 PM
Camaleón
Filezilla a security risk

On Fri, 29 Jun 2012 01:26:08 +0200, Denis Witt wrote:

>> If your account is hosed, well, go to their second argument: "2. don't
>> get the malware in the first place" ;-)
>
> Great Argument, btw. Oh, I got an Airbag on my car, get rid of the
> brakes please. I don't need them anymore.

- The engineer has to decide *what* to add and *what* to remove.
- The manufacturer has to decide if it wants to sell *that kind* of car.
- The customer has to decide if he/she wants to buy *that* car.

There are many things to watch in the chain. And yes, brakes -as we know
today- do become obsolete sooner or later, such is life.

> The ONLY reason why Linux based systems hasn't got such a problem with
> malware is that there are not enough Desktop machines to make this a
> good target. Often enough there are security holes which allow you to
> take control over the entire machine. And that's fine as it is complex
> software.

True, but what's your point here?

Should my Debian system become cracked or infected by any kind of threat
I would worry more about my usual files and not the settings for
Filezilla. I mean, nothing new here, security is a "multi-edged" sword.

> But if you can easily add some more security layers without losing too
> much performance and/or usability you should always do that.

Maybe... but you'll get a false impression of protection that can be even
more nocive as you'll relax your security notion.

> Storing unhashed and unsalted or unencrypted passwords is simply stupid.
> Ask the guys at last.fm.

Again, there are files in my servers (e.g., ssl keys) and also my Mutt
configuration file (that holds my e-mail account password) which are
stored in cleartext. So...? Do you want us to remove the ethernet
cord? ;-)

Greetings,

--
Camaleón


Archive: http://lists.debian.org/jskc6a$68h$4@dough.gmane.org
 
06-29-2012, 02:00 PM
"Roger B.A. Klorese"
Filezilla a security risk

On 6/29/12 6:56 AM, Camaleón wrote:
> Should my Debian system become cracked or infected by any kind of
> threat I would worry more about my usual files and not the settings for
> Filezilla. I mean, nothing new here, security is a "multi-edged" sword.

Really? I'm far more concerned about my credentials for foreign sites
than I am for any other information I store locally.

Archive: http://lists.debian.org/4FEDB501.1080805@queernet.org
 
06-29-2012, 02:02 PM
Lisi
Filezilla a security risk

On Friday 29 June 2012 10:28:11 Denis Witt wrote:
> > I have brakes and drive safely, so an airbag
> > isn't essential.

And do all the speed louts see you coming and say: "We mustn't overtake on
this blind corner. The driver coming towards me on what is now the same side
of the road as I am on is a good driver. I must backtrack in time and not
overtake because good drivers don't have accidents."? I consider all the
modern improvements in safety essential, and with each of them have been an
early adopter.

Lisi


Archive: http://lists.debian.org/201206291502.53486.lisi.reisz@gmail.com
 
06-29-2012, 02:19 PM
Camaleón
Filezilla a security risk

On Fri, 29 Jun 2012 07:00:33 -0700, Roger B.A. Klorese wrote:

> On 6/29/12 6:56 AM, Camaleón wrote:
>> Should my Debian system become cracked or infected by any kind of
>> threat I would worry more about my usual files and not the settings for
>> Filezilla. I mean, nothing new here, security is a "multi-edged" sword.
>
>
> Really? I'm far more concerned about my credentials for foreign sites
> than I am for any other information I store locally.

Yes, really.

The information I can store in my systems is by far more important than
the passwords for my FTP sites. In the end, it only affects the FTP
credentials, not databases, nor root accounts... because you aren't logging
in as root for your FTP sessions, right? >;-)

Greetings,

--
Camaleón


Archive: http://lists.debian.org/jskdhm$68h$7@dough.gmane.org
 
06-29-2012, 02:36 PM
"Roger B.A. Klorese"
Filezilla a security risk

My root credentials for my local machine aren't stored in plaintext. And if the local machine is compromised, the critical threat is its use as a zombie, not any info that's on it. There simply isn't any confidential data.

Sent from my iPhone

On Jun 29, 2012, at 3:19 PM, Camaleón <noelamac@gmail.com> wrote:

> On Fri, 29 Jun 2012 07:00:33 -0700, Roger B.A. Klorese wrote:
>
>> On 6/29/12 6:56 AM, Camaleón wrote:
>>> Should my Debian system become cracked or infected by any kind of
>>> threat I would worry more about my usual files and not the settings for
>>> Filezilla. I mean, nothing new here, security is a "multi-edged" sword.
>>
>>
>> Really? I'm far more concerned about my credentials for foreign sites
>> than I am for any other information I store locally.
>
> Yes, really.
>
> The information I can store in my systems is by far more important than
> the passwords for my FTP sites. In the end, it only affects the FTP
> credentials, not databases, nor root accounts... because you aren't logging
> in as root for your FTP sessions, right? >;-)
>
> Greetings,
>
> --
> Camaleón


Archive: http://lists.debian.org/92FD3E54-D65F-4D68-8D7B-793E6008C676@queernet.org
 
06-29-2012, 02:44 PM
Denis Witt
Filezilla a security risk

On 29.06.2012 15:56, Camaleón wrote:

>> The ONLY reason why Linux based systems hasn't got such a problem with
>> malware is that there are not enough Desktop machines to make this a
>> good target. Often enough there are security holes which allow you to
>> take control over the entire machine. And that's fine as it is complex
>> software.
>
> True, but what's your point here?

The point is that software can't be 100% secure. So when possible it is
a good idea to have more than one security layer. A bug in Apache may
cause someone to get access to your FileZilla settings. At the moment
this would be a big problem; if the file is encrypted the problem is
still there but you have some additional time to change your passwords.
Good thing.

> Should my Debian system become cracked or infected by any kind of threat
> I would worry more about my usual files and not the settings for
> Filezilla. I mean, nothing new here, security is a "multi-edged" sword.

Really? I would worry more about the remote servers listed in my
FileZilla config (if there are any), because they might belong to
customers, friends, etc. I might get worried about my backups as I want
to restore my compromised system.

>> But if you can easily add some more security layers without losing too
>> much performance and/or usability you should always do that.
>
> Maybe... but you'll get a false impression of protection that can be even
> more nocive as you'll relax your security notion.

Humans make mistakes, and a false impression of protection may lead
you to such mistakes, this is true. That's one reason why we don't run
background virus checks on our machines (mails are being scanned and you
can do on-demand checks for USB media, etc.).

But it is easy to tell users that all files from those media may be
evil. It's much harder to tell them that their programs might store
sensitive data in a way that isn't secure. At least this is much harder
than for the FileZilla guys to store passwords encrypted.

>> Storing unhashed and unsalted or unencrypted passwords is simply stupid.
>> Ask the guys at last.fm.
>
> Again, there are files in my servers (e.g., ssl keys) and also my Mutt

SSL/SSH keys should have a password or should be stored in some kind of
encrypted container.

> configuration file (that holds my e-mail account password) which are
> stored in cleartext. So...?

Pretty stupid, isn't it? An encrypted container wouldn't help a lot
here, because I assume your MUA is running most of the day, right? So
the container has to be open all the time and any malware could read the
file.

> Do you want us to remove the ethernet cord? ;-)

Would be a nice thing from a security point of view, that's why I
mentioned comfort and performance.

Bye.


Archive: http://lists.debian.org/4FEDBF4D.6040905@concepts-and-training.de
 
06-29-2012, 02:47 PM
Camaleón
Filezilla a security risk

On Fri, 29 Jun 2012 15:36:16 +0100, Roger B.A. Klorese wrote:

> On Jun 29, 2012, at 3:19 PM, Camaleón <noelamac@gmail.com> wrote:
>
>> On Fri, 29 Jun 2012 07:00:33 -0700, Roger B.A. Klorese wrote:
>>
>>> On 6/29/12 6:56 AM, Camaleón wrote:
>>>> Should my Debian system become cracked or infected by any kind of
>>>> threat I would worry more about my usual files and not the settings
>>>> for Filezilla. I mean, nothing new here, security is a "multi-edged"
>>>> sword.
>>>
>>>
>>> Really? I'm far more concerned about my credentials for foreign sites
>>> than I am for any other information I store locally.
>>
>> Yes, really.
>>
>> The information I can store in my systems is by far more important
>> than the passwords for my FTP sites. In the end, it only affects the
>> FTP credentials, not databases, nor root accounts... because you aren't
>> logging in as root for your FTP sessions, right? >;-)

> My root credentials for my local machine aren't stored in plaintext.

I did not mean that. I mean logging in to your FTP server as "root" (and not
as a plain user), which is a different thing and of course should be avoided.

> And if the local machine is compromised, the critical threat is its use
> as a zombie, not any info that's on it.

You sure? Being a zombie could be even funny, sending spam and infected e-
mails to windows users, kinda "justice and divine revenge", he, he... :-)

> There simply isn't any confidential data.

Lucky you that you don't have to worry about that.

> Sent from my iPhone
^^^^^^^^^^^^^^^^^^^

I hope you also care for the data stored in your cell phone >:-)

Greetings,

--
Camaleón


Archive: http://lists.debian.org/jskf56$68h$9@dough.gmane.org
 
06-29-2012, 03:13 PM
Camaleón
Filezilla a security risk

On Fri, 29 Jun 2012 16:44:29 +0200, Denis Witt wrote:

> On 29.06.2012 15:56, Camaleón wrote:
>
>>> The ONLY reason why Linux based systems hasn't got such a problem with
>>> malware is that there are not enough Desktop machines to make this a
>>> good target. Often enough there are security holes which allow you to
>>> take control over the entire machine. And that's fine as it is complex
>>> software.
>
>> True, but what's your point here?
>
> The point is that software can't be 100% secure. So when possible it is
> a good idea to have more than one security layer.

Even if that extra layer is of no help because you leave your computer
open and accessible to anyone? Then you're wasting your time and your
computer resources; security has to sit between usefulness and effectiveness,
otherwise you're losing the battle.

> A bug in Apache my cause someone to get access to you FileZilla
> -Settings.

I wonder how that can happen...

> At the moment this would be a big problem, if the file is encrypted the
> problem is still there but you have some additional time to change your
> passwords. Good thing.

Good thing for a corner case. But the bad thing here is that someone can
access your Filezilla settings from your Apache, though.

>> Should my Debian system become cracked or infected by any kind of
>> threat I would worry more about my usual files and not the settings for
>> Filezilla. I mean, nothing new here, security is a "multi-edged" sword.
>
> Really? I would more worry about the remote servers listed in my
> FileZilla-Config (if there are any), because they might belong to
> customers, friends, etc. I might get worried about my Backups as I want
> to restore my compromised system.

You change the password for your FTP user accounts and that's all. Gee, I
wonder in what way users are using their linux systems that don't store
any important data on them, only for multimedia playing? :-P

>>> But if you can easily add some more security layers without losing
>>> too much performance and/or usability you should always do that.
>
>> Maybe... but you'll get a false impression of protection that can be
>> even more nocive as you'll relax your security notion.
>
> Humans make mistakes, and a false impression of protection may lead
> you to such mistakes, this is true. That's one reason why we don't run
> background Virus-Checks on our machines (mails are being scanned and you
> can do on demand checks for USB media, etc.).

I do check the files I download from the web, regardless of whether they
are going to be opened from Windows or Linux; e-mails are also scanned by
means of ClamAV, and USB keys are not automatically mounted, so they can
also be easily analyzed first.

And I do all of the above because I came from Windows first, I have the
steps burned in fire in my brain :-)

> But it is easy to tell users that all files from those media may be
> evil. It's much harder to tell them that their programs might store
> sensitive data in a way that isn't secure. At least this is much harder
> than for the FileZilla guys to store passwords encrypted.

Curiously enough, it is not only Filezilla that takes the path of not
encrypting the user credentials, so there has to be a reason behind
that for it to happen so often...

Anyway, aren't most of us still using plain pop3 and smtp connections
with no message encryption at all? Who are we blaming? >;-)

>>> Storing unhashed and unsalted or unencrypted passwords is simply
>>> stupid. Ask the guys at last.fm.
>
>> Again, there are files in my servers (e.g., ssl keys) and also my Mutt
>
> SSL/SSH Keys should have a password or should be stored in some kind of
> encrypted container.

IIRC you have to remove the password so Apache can make use of it so
finally the security relies on the file perms (only root can read it).

>> configuration file (that holds my e-mail account password) which are
>> stored in cleartext. So...?
>
> Pretty stupid isn't it?

You tell me :-)

> An encrypted container wouldn't help a lot here, because I assume your
> MUA is running most of the day, right? So the container has to be open
> all the time and any malware could read
> the file.

In my case it is launched on demand. My main MUA is Thunderbird.

>> Do you want us to remove the ethernet cord? ;-)
>
> Would be a nice thing from a security point of view, that's why I
> mentioned comfort and performance.

There's still dangerous USB flash drives and the always evil CD/DVD and
floppy disks... you never know.

Greetings,

--
Camaleón


Archive: http://lists.debian.org/jskgm9$68h$11@dough.gmane.org
 
06-29-2012, 03:13 PM
Steve Dowe
Filezilla a security risk

On 29/06/12 15:36, Roger B.A. Klorese wrote:
> My root credentials for my local machine aren't stored in plaintext.
> And if the local machine is compromised, the critical threat is its
> use as a zombie, not any info that's on it. There simply isn't any
> confidential data.

But the reason for that is that your root password is encrypted using
one-way encryption. It cannot be decrypted.

But, the result of it being encrypted is compared to the result of the
password you log in with (as root) being encrypted ... if the two match,
that's good enough for PAM, etc.

Obviously, for FZ, you need two-way encryption/decryption.

I know I'm stating the obvious, but I've been told I'm good at that.

--
Steve Dowe

Warp Universal Limited
http://warp2.me/sd


Archive: http://lists.debian.org/4FEDC60E.8080903@warpuniversal.co.uk
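Steve Dowe's distinction above, as an added example that is not code from the thread or from FileZilla: a salted one-way verifier of the kind PAM compares a login against, beside a reversible store that encrypts a site password under a key derived from a master password, which is what a client that must later replay the password to a server needs. The master password, the SHA-256 stretching loop and the type and field names are assumptions of the example, not anything the thread or the project specifies.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
)

// stretch turns a secret and salt into a 32-byte key by iterating SHA-256 20000
// times. Constructed for this example only; real code would use PBKDF2 or scrypt.
func stretch(secret, salt []byte) []byte {
	key := append([]byte{}, salt...)
	for i := 0; i < 20000; i++ {
		sum := sha256.Sum256(append(key, secret...))
		key = sum[:]
	}
	return key
}

// Verifier is the one-way shape /etc/shadow uses: salt plus hash, never the
// password. It can answer "is this the password?" and nothing more.
type Verifier struct{ Salt, Hash []byte }

func NewVerifier(password string) Verifier {
	salt := make([]byte, 16)
	rand.Read(salt) // error ignored: on current Go, crypto/rand.Read never returns one
	return Verifier{Salt: salt, Hash: stretch([]byte(password), salt)}
}

// Check compares in constant time; it can never hand the password back.
func (v Verifier) Check(candidate string) bool {
	return subtle.ConstantTimeCompare(v.Hash, stretch([]byte(candidate), v.Salt)) == 1
}

// Sealed is the two-way shape an FTP client needs: the password must come back
// out to be sent to the server, so it is encrypted with AES-256-GCM under a
// key stretched from a master password instead of being hashed.
type Sealed struct{ Salt, Nonce, Box []byte }

func gcm(master string, salt []byte) cipher.AEAD {
	block, _ := aes.NewCipher(stretch([]byte(master), salt)) // 32-byte key: cannot fail
	aead, _ := cipher.NewGCM(block)                          // AES block size: cannot fail
	return aead
}

func Seal(master, ftpPassword string) Sealed {
	s := Sealed{Salt: make([]byte, 16), Nonce: make([]byte, 12)}
	rand.Read(s.Salt)
	rand.Read(s.Nonce) // fresh nonce per Seal; never reuse one under the same key
	s.Box = gcm(master, s.Salt).Seal(nil, s.Nonce, []byte(ftpPassword), nil)
	return s
}

// Open fails GCM authentication on a wrong master password or a tampered box.
func Open(master string, s Sealed) (string, error) {
	pt, err := gcm(master, s.Salt).Open(nil, s.Nonce, s.Box, nil)
	return string(pt), err
}
```

The trade-off Denis describes holds here too: the sealed file only buys time while the master password is not typed in, since an unlocked store is as readable to malware as a cleartext one.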
 
