[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Filezilla's silent caching of user's credentials

To: michaelslists@xxxxxxxxx
Subject: Re: [Full-disclosure] Filezilla's silent caching of user's credentials
From: Ryan Sears <rdsears@xxxxxxx>
Date: Thu, 14 Oct 2010 03:16:15 -0400 (EDT)

Yeah I definitely have to go with silky on this one. 

Maybe if you elaborate on your point? I'm not sure I entirely grasp what you're 
trying to say, because if I am, then you share relatively the same view as the 
dev that's causing this problem. You can argue that any security measure 
"doesn't *work*" as you so put it, given the right circumstances. 

Take handcuffs for example, what good would they be if when you put them on, 
you could never get them off again? Sure they would "work", but there's no 
mechanism to UNsecure them, which is where vulnerabilities in security systems 
inherently exist. The handcuff design is flawed on a fundamental level as they 
can be easily shimmed by manipulating the way they lock into place. That's when 
the double-lock came into play, which is a very, very simple example of layered 
security. While the handcuffs are double-locked the teeth can't progress in any 
direction, because it locks that mechanism into place. This is undone by 
turning the key in the opposite direction to release the 'double-lock' then 
back forward to release the teeth. Call that two-factor authentication. That's 
all fair and well, but there are STILL ways to manipulate them to get out. What 
happens if you have a key (which is pretty much universal)? It's even been 
demonstrated that most handcuffs can be picked with a simple bobby pin. Are 
handcuffs pointless though? No. They've been demonstrated time and time again 
to be 'good enough'. 

My point is, the KISS principal doesn't really hold true here. Encryption 
schemes are MEANT to be complex in nature (at least one-way), because that's 
the only way to make sure that something is properly secured. Botg DID have 
encryption at some point, but he did away with it after people found it was 
easily reversed. (http://seclists.org/fulldisclosure/2005/Sep/50)

The idea that just because an encryption scheme may be reversed at some point 
it shouldn't be used is *absolutely* terrible practice.  Shadow passwords are a 
great example, while they have the ability to be cracked, they're still a de 
facto standard for authentication in *any* unix environment. There's a reason 
for this. That's why people created the crypt() function, and that's why the 
windows API has stuff to do this natively as well. 

As for change proposals, I did the digging, and found that 90% of all this crap 
would be avoided with a single 0->1 change in the source code. If 'kiosk-mode' 
was enabled by default, you could at least have the OPTION to use piss-poor 
practices to store your passwords if you so choose. 
(http://forum.filezilla-project.org/viewtopic.php?f=3&t=17932&start=15)

I've made my final plea to botg on this issue, and if he's not going to budge 
I'll be forced to take measures into my own hands and change the damn source 
myself. 

Thankfully the rest of the world doesn't share your (& botg's) opinions, 
because if they did, hacking wouldn't be any fun. 

Ryan

----- Original Message -----
From: "silky" <michaelslists@xxxxxxxxx>
To: "Christian Sciberras" <uuf6429@xxxxxxxxx>
Cc: full-disclosure@xxxxxxxxxxxxxxxxx, "Mutiny" <mutiny@xxxxxxxxxxxxxxxxxxx>
Sent: Thursday, October 14, 2010 2:46:13 AM GMT -05:00 US/Canada Eastern
Subject: Re: [Full-disclosure] Filezilla's silent caching of user's credentials

On Thu, Oct 14, 2010 at 5:39 PM, Christian Sciberras <uuf6429@xxxxxxxxx> wrote:
> > Not all attackers are created
> > equally.
>
> I still see this a simple matter of violating KISS to introduce a layer of 
> encryption.
> The question is, to which end? Sure, an attacker might see the encrypted
> file and think it's "too difficult" for him to get to the passwords. Another
> might use a certain utility to decrypt the said file. The thing is, to which 
> end are
> we encrypting the data? Just for the sake of making it work like the N other 
> programs?
> I mean, if this doesn't *work*, why even *bother*?

Sorry, but your comments are totally useless here and can't even
really be addressed properly, given their quite ridiculous nature. You
are missing the point of the encryption, and it is not my job to
convince you, and any further comments with anyone other than the
developer are useless.

> > There is no question here. There is no discussion. It should be done,
> > and if it is not, password saving should be stopped in FileZilla or an
> > alternative program should be sought. It's that simple.
>
> Great. If it's so simple that it can be done in under 10 mins, go complain
> to them.

This email thread *is* a direct complaint to them, after bugs have
been closed for years. I didn't start this thread. Do you even
understand what is going on here? Your emails suggest you do not.

> Cheers,
> Chris.

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] Filezilla's silent caching of user's credentials
  - From: Christian Sciberras

Prev by Date: Re: [Full-disclosure] Filezilla's silent caching of user's credentials
Next by Date: Re: [Full-disclosure] Filezilla's silent caching of user's credentials
Previous by thread: Re: [Full-disclosure] Filezilla's silent caching of user's credentials
Next by thread: Re: [Full-disclosure] Filezilla's silent caching of user's credentials
Index(es):
- Date
- Thread