06-27-2012, 07:46 PM
Andrei POPESCU

Filezilla a security risk

On Mi, 27 iun 12, 16:26:48, francis picabia wrote:
> I've just learned Filezilla is a security risk. It stores saved
> passwords and the last used password in a plain text file.

As do many other programs.

> Malware commonly scoops up this info and hacks web sites
> or shell accounts.

Sure.

> The developer refuses to incorporate a solution
> such as master password and encryption into filezilla.

It's his prerogative to decide what to do with his spare time

> His responses in numerous bug reports and feature requests are:
>
> 1. encryption: that's the file system's job
> 2. don't get the malware in the first place
>
> In my opinion, people should avoid filezilla.

Once your account has been compromised you must assume that any
sensitive or confidential information accessible through that account
has been compromised as well. Even if the passwords are stored encrypted
on disc, at some point they have to be decrypted anyway, at which point
they become vulnerable.

Hope this explains,
Andrei
--
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic
 
06-27-2012, 11:58 PM
francis picabia

Filezilla a security risk

On Wed, Jun 27, 2012 at 4:46 PM, Andrei POPESCU
<andreimpopescu@gmail.com> wrote:
> On Mi, 27 iun 12, 16:26:48, francis picabia wrote:
>> I've just learned Filezilla is a security risk. It stores saved
>> passwords and the last used password in a plain text file.
>
> As do many other programs.

Huh. None that I run. Perhaps your standards are, uh, different.

>> Malware commonly scoops up this info and hacks web sites
>> or shell accounts.
>
> Sure.
>
>> The developer refuses to incorporate a solution
>> such as master password and encryption into filezilla.
>
> It's his prerogative to decide what to do with his spare time

That wasn't the point. The point is, waiting for a solution upstream
isn't what we should do next.

>> His responses in numerous bug reports and feature requests are:
>>
>> 1. encryption: that's the file system's job
>> 2. don't get the malware in the first place
>>
>> In my opinion, people should avoid filezilla.
>
> Once your account has been compromised you must assume that any
> sensitive or confidential information accessible through that account
> has been compromised as well. Even if the passwords are stored encrypted
> on disc, at some point they have to be decrypted anyway, at which point
> they become vulnerable.
>
> Hope this explains,

If you read some of the discussions about this vulnerability, there
are many stories of accounts being compromised. I'm not talking theory,
but something happening right now on many systems. The Filezilla
application is popular, and therefore a common target of malware. As
some of us have to guard systems which have many users on them, this is
of interest. It isn't my account I'm worried about.

We have to do whatever possible to reduce the size of the target to
the hacker. In this case we advise users to uninstall Filezilla
and use something else. Not all Windows users of FTP tools are IT savvy.
They need warnings and guidance frequently. I passed this on so
others can reduce their threat potential.

Hope this explains...


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/CA+AKB6FCyZ2CV+vE4WqLA_iZ65kdXj+qTc4JmEi5uFdphf6qNQ@mail.gmail.com
 
06-28-2012, 12:38 AM
Steven Rosenberg

Filezilla a security risk

On 06/27/2012 04:58 PM, francis picabia wrote:
> On Wed, Jun 27, 2012 at 4:46 PM, Andrei POPESCU
> <andreimpopescu@gmail.com> wrote:
>> On Mi, 27 iun 12, 16:26:48, francis picabia wrote:
>>> I've just learned Filezilla is a security risk. It stores saved
>>> passwords and the last used password in a plain text file.
>>
>> As do many other programs.
>
> Huh. None that I run. Perhaps your standards are, uh, different.
>
>>> Malware commonly scoops up this info and hacks web sites
>>> or shell accounts.
>>
>> Sure.
>>
>>> The developer refuses to incorporate a solution
>>> such as master password and encryption into filezilla.
>>
>> It's his prerogative to decide what to do with his spare time
>
> That wasn't the point. The point is, waiting for a solution upstream
> isn't what we should do next.
>
>>> His responses in numerous bug reports and feature requests are:
>>>
>>> 1. encryption: that's the file system's job
>>> 2. don't get the malware in the first place
>>>
>>> In my opinion, people should avoid filezilla.
>>
>> Once your account has been compromised you must assume that any
>> sensitive or confidential information accessible through that account
>> has been compromised as well. Even if the passwords are stored encrypted
>> on disc, at some point they have to be decrypted anyway, at which point
>> they become vulnerable.
>>
>> Hope this explains,
>
> If you read some of the discussions about this vulnerability, there
> are many stories of accounts being compromised. I'm not talking theory,
> but something happening right now on many systems. The Filezilla
> application is popular, and therefore a common target of malware. As
> some of us have to guard systems which have many users on them, this is
> of interest. It isn't my account I'm worried about.
>
> We have to do whatever possible to reduce the size of the target to
> the hacker. In this case we advise users to uninstall Filezilla
> and use something else. Not all Windows users of FTP tools are IT savvy.
> They need warnings and guidance frequently. I passed this on so
> others can reduce their threat potential.
>
> Hope this explains...




So what do you recommend as an FTP client?


Archive: http://lists.debian.org/4FEBA789.1090208@gmail.com
 
06-28-2012, 08:03 AM
Claudius Hubig

Filezilla a security risk

Hello francis,

francis picabia <fpicabia@gmail.com> wrote:
> On Wed, Jun 27, 2012 at 4:46 PM, Andrei POPESCU
> <andreimpopescu@gmail.com> wrote:
> > On Mi, 27 iun 12, 16:26:48, francis picabia wrote:
> >> I've just learned Filezilla is a security risk. It stores saved
> >> passwords and the last used password in a plain text file.
> >
> > As do many other programs.
>
> Huh. None that I run. Perhaps your standards are, uh, different.

Pidgin & OpenSSH if used without passphrases, just to name two
examples. Claws-Mail applies some weird obfuscation that doesn't
really help, except for that I have to store my passwords somewhere
else in plaintext, too.

> the hacker. In this case we advise users to uninstall Filezilla
> and use something else. Not all Windows users of FTP tools are IT savvy.
                                  ^^^^^^^
> They need warnings and guidance frequently. I passed this on so
> others can reduce their threat potential.

Your users, your _Windows_ users, are certainly your problem and not
one that should be discussed on the debian-user ML. However, if you
find it a problem that programmes tend to leave unencrypted, sensible
data in /home rather than employing some more-or-less fake
encryption/obfuscation, feel free to suggest better ways to reach the
following target:

- It is not necessary to enter all passwords of every account upon
start of the programme.
- There is some sort of authentication, i.e. not every single
computer on this planet can log in.
- It works even if there is nobody around to enter passphrases/master
passwords (e.g., rsync over SSH to remote hosts).

Best regards,

Claudius
--
Adding sound to movies would be like putting lipstick on the Venus de Milo.
-- actress Mary Pickford, 1925
http://chubig.net telnet nightfall.org 4242
 
06-28-2012, 08:37 AM
Andrei POPESCU

Filezilla a security risk

On Mi, 27 iun 12, 20:58:39, francis picabia wrote:
>
> We have to do whatever possible to reduce the size of the target to
> the hacker. In this case we advise users to uninstall Filezilla
> and use something else. Not all Windows users of FTP tools are IT savvy.
> They need warnings and guidance frequently. I passed this on so
> others can reduce their threat potential.

You are missing the point

In a situation where the doors (here Windows ) are left wide open,
instead of closing and securing them you are trying to hide the
valuables under the carpet.

Even if you put them in a safe (encrypt with some master password) the
villains have it easy to walk into the house and install spy cameras
everywhere so they can peek at your combination or simply just steal the
entire safe and brute-force it later.

Kind regards,
Andrei
P.S. this discussion is off-topic on debian-user, kindly follow-up on
the offtopic list in my sig (Reply-To: set accordingly)
--
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic
 
06-28-2012, 02:45 PM
Camaleón

Filezilla a security risk

On Wed, 27 Jun 2012 16:26:48 -0300, francis picabia wrote:

> I've just learned Filezilla is a security risk. It stores saved
> passwords and the last used password in a plain text file.

In Mutt, for instance, you can face the same situation.

> Malware commonly scoops up this info and hacks web sites or shell
> accounts.
>
> The developer refuses to incorporate a solution such as master password
> and encryption into filezilla.

Yes, it's a well-known "feature" of the Filezilla FTP client.

> His responses in numerous bug reports and feature requests are:
>
> 1. encryption: that's the file system's job

True.

> 2. don't get the malware in the first place

Also true.

> In my opinion, people should avoid filezilla.

I use it in my windows box (a plain FTP login session is transmitted in
clear text but despite that, it is true that it poses a risk if your
computer gets infected and your login credentials are stored in clear
text) but I don't use Filezilla in Debian.

For windows there's another nice application (WinSCP) and for linux
you have plenty of options :-)

Greetings,

--
Camaleón


Archive: http://lists.debian.org/jshqlo$no$5@dough.gmane.org
 
06-28-2012, 03:10 PM
Curt

Filezilla a security risk

On 2012-06-27, francis picabia <fpicabia@gmail.com> wrote:
> I've just learned Filezilla is a security risk. It stores saved
> passwords and the last used password in a plain text file.
>

There's an interesting (well, for arbitrary definitions of the word
interesting) discussion of the "problem" here:

http://unsharptech.com/2008/05/20/filezilla-ftp-passwords-stored-in-plaintext/

(From May, _2008_!, so you're a little _en retard_).

I personally use ncftp, but I suppose it lacks many bells and whistles.
It doesn't save passwords by default, though, and has a responsible man
page:

    save-passwords
        If you set this variable to yes, the program will save passwords along with the
        bookmarks you save. While this makes non-anonymous logins more convenient,
        this can be very dangerous since your account information is now sitting in
        the $HOME/.ncftp/bookmarks file. The passwords aren't in clear text, but
        it is still trivial to decode them if someone wants to make a modest effort.

Un homme averti en vaut deux.

If the filezilla man page isn't clear on this point, I think that is a
form of negligence (although I don't know who's responsible for the man
page in the end--maybe it's me!).


Archive: http://lists.debian.org/slrnjuot1t.38n.curty@einstein.electron.org
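
The file-system side of this thread (the upstream reply "encryption: that's the file system's job" and the ncftp man page's warning about `$HOME/.ncftp/bookmarks`) can be checked on a multi-user host with an audit like the one below. It is an added example, not part of any post and not FileZilla or ncftp code; the FileZilla and `.netrc` file names, the password patterns and the helper names are assumptions.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Per-user credential stores, relative to a home directory.
# .ncftp/bookmarks is the path quoted from the ncftp man page in the thread;
# the FileZilla and .netrc entries are assumptions added for this example.
CANDIDATES = (
    ".ncftp/bookmarks",
    ".filezilla/sitemanager.xml",
    ".filezilla/recentservers.xml",
    ".netrc",
)

# Assumed formats: a non-empty <Pass> element (FileZilla), a "password"
# token (.netrc). Files without a pattern get saved_password=None.
_PASS_XML = re.compile(rb"<Pass(?:\s[^>]*)?>[^<\s]")
MARKERS = {
    "sitemanager.xml": _PASS_XML,
    "recentservers.xml": _PASS_XML,
    ".netrc": re.compile(rb"\bpassword\s+\S"),
}

# Non-owner permission classes: (file read bit, directory search bit).
CLASSES = {
    "group": (stat.S_IRGRP, stat.S_IXGRP),
    "other": (stat.S_IROTH, stat.S_IXOTH),
}


def exposed_to(path, home):
    """Return the classes ("group", "other") that can read `path`.

    A class can read the file only if the file grants it read AND every
    directory from `home` down to the file grants it search (x). Mode bits
    only: ACLs and the directories above `home` are not considered.
    """
    # Directories between the file and `home`, inclusive; raises ValueError
    # if `home` is not an ancestor of `path`.
    chain = [path.parent, *path.parent.parents]
    chain = chain[: chain.index(home) + 1]
    mode = path.stat().st_mode
    return [
        name
        for name, (read_bit, search_bit) in CLASSES.items()
        if mode & read_bit and all(d.stat().st_mode & search_bit for d in chain)
    ]


def audit_home(home):
    """Report each candidate file under `home`; contents are never returned."""
    home = Path(home)
    findings = []
    for rel in CANDIDATES:
        path = home / rel
        if path.is_symlink() or not path.is_file():
            continue
        marker = MARKERS.get(path.name)
        saved = bool(marker.search(path.read_bytes())) if marker else None
        findings.append({
            "file": rel,
            "mode": oct(stat.S_IMODE(path.stat().st_mode)),
            "exposed_to": exposed_to(path, home),
            "saved_password": saved,
        })
    return findings


def build_demo_home(root, dir_mode, file_mode):
    """Create a constructed home holding one FileZilla-style site file."""
    home = Path(root) / "alice"
    conf = home / ".filezilla"
    conf.mkdir(parents=True)
    site = conf / "sitemanager.xml"
    site.write_text("<Server><Host>ftp.example.org</Host>"
                    "<Pass>constructed-secret</Pass></Server>\n")
    os.chmod(site, file_mode)
    os.chmod(conf, dir_mode)
    os.chmod(home, 0o755)
    return home


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        # The same 0644 file, first under a 0755 directory, then under 0700.
        for dir_mode in (0o755, 0o700):
            home = build_demo_home(Path(tmp) / oct(dir_mode), dir_mode, 0o644)
            print(oct(dir_mode), audit_home(home))
```

The two demo runs report the same file mode but different exposure, because a 0700 parent directory blocks other accounts regardless of the file's own bits. This covers other local users only; it says nothing about malware running as the owning user, which is the case the thread argues about.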
 
06-28-2012, 03:10 PM
francis picabia

Filezilla a security risk

On Thu, Jun 28, 2012 at 5:03 AM, Claudius Hubig <debian_1206@chubig.net> wrote:

> Your users, your _Windows_ users, are certainly your problem and not
> one that should be discussed on the debian-user ML.

I have a Debian system I administer that was compromised this way.

If the hacker uses two mirrors and shaving cream to attack a system,
and it is happening frequently, it should be of interest to
system administrators.


Archive: http://lists.debian.org/CA+AKB6G=xr2_GbCcvj2KTFEupEEGd9tyy7FZbtijhw1F0nyTpg@mail.gmail.com
 
06-28-2012, 03:13 PM
francis picabia

Filezilla a security risk

On Thu, Jun 28, 2012 at 5:37 AM, Andrei POPESCU
<andreimpopescu@gmail.com> wrote:
> On Mi, 27 iun 12, 20:58:39, francis picabia wrote:
>>
>> We have to do whatever possible to reduce the size of the target to
>> the hacker. In this case we advise users to uninstall Filezilla
>> and use something else. Not all Windows users of FTP tools are IT savvy.
>> They need warnings and guidance frequently. I passed this on so
>> others can reduce their threat potential.
>
> You are missing the point
>
> In a situation where the doors (here Windows ) are left wide open,
> instead of closing and securing them you are trying to hide the
> valuables under the carpet.
>
> Even if you put them in a safe (encrypt with some master password) the
> villains have it easy to walk into the house and install spy cameras
> everywhere so they can peek at your combination or simply just steal the
> entire safe and brute-force it later.

For you, there is special advice. Never communicate with your Windows users.
It can't possibly impact Linux.


Archive: http://lists.debian.org/CA+AKB6GsMJPxKYsCOFK7pn3C7ogPYRpyyBRykwPsNQLyGDdaug@mail.gmail.com


 
06-28-2012, 03:35 PM
Shane Johnson

Filezilla a security risk

On Thu, Jun 28, 2012 at 9:13 AM, francis picabia <fpicabia@gmail.com> wrote:
> On Thu, Jun 28, 2012 at 5:37 AM, Andrei POPESCU
> <andreimpopescu@gmail.com> wrote:
>> On Mi, 27 iun 12, 20:58:39, francis picabia wrote:
>>>
>>> We have to do whatever possible to reduce the size of the target to
>>> the hacker. In this case we advise users to uninstall Filezilla
>>> and use something else. Not all Windows users of FTP tools are IT savvy.
>>> They need warnings and guidance frequently. I passed this on so
>>> others can reduce their threat potential.
>>
>> You are missing the point
>>
>> In a situation where the doors (here Windows ) are left wide open,
>> instead of closing and securing them you are trying to hide the
>> valuables under the carpet.
>>
>> Even if you put them in a safe (encrypt with some master password) the
>> villains have it easy to walk into the house and install spy cameras
>> everywhere so they can peek at your combination or simply just steal the
>> entire safe and brute-force it later.
>
> For you, there is special advice. Never communicate with your Windows users.
> It can't possibly impact Linux.

Please remember that FTP by nature is insecure. All it would take is
for someone to packet sniff the connection and they would have the
user name and password to the account as they are transmitted in plain
text.

--
Shane D. Johnson
IT Administrator
Rasmussen Equipment


Archive: http://lists.debian.org/CAPLO1L5CkwxE2UcqM43VDHSVssMmoRPXF4_FUSKbZMFJ2Tcy_w@mail.gmail.com
 
