[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Filezilla's silent caching of user's credentials

To: Chris Evans <scarybeasts@xxxxxxxxx>
Subject: Re: [Full-disclosure] Filezilla's silent caching of user's credentials
From: Ryan Sears <rdsears@xxxxxxx>
Date: Thu, 14 Oct 2010 04:23:10 -0400 (EDT)

Ok. Granted I'm not talking about a 0-day in OpenSSH here, but this IS a real 
issue affecting REAL people. 

I'm not really sure *who* you're trying to take a jab with point 7 and beyond, 
but I know at least part of it is towards me.

Filezilla's behavior is *wrong* and what I was doing was calling for a 
community push to actually get things changed. I was trying to state my point 
as clearly and concisely as I possibly could, because I feel with enough of a 
community backing we can actually convince botg to make minor tweaks to his 
source code, and come to some kind of compromise.

Show me another widely-used, widely-accepted program that really does stuff 
like this. I haven't really encountered them (I could be mistaken though, and 
I'm fine with being corrected). 

I'm pretty sure you were trying to state that I was below you in some way, and 
I very well may be. This is a community full of people with varying degrees of 
technical knowledge and understanding, but we are all subscribed to this list 
to do one thing - learn. How do you learn? By observing. Observing folly's in 
the way other people have implemented things, and how people have done things 
right. Take the apache.org xss bug that got leveraged into a full compromise of 
their systems, there had to be people who were influenced to start using things 
like no-script because of it. Then you have the other people, who will never 
change their practices anyway. 

It's really all about the path of exposure, going back to the apache.org thing. 
That was a 0-day XSS bug (which honestly isn't THAT hard to find) that was used 
to leverage one user's account, which then lead to something, which then lead 
to something else. How do you know that a nuclear scientist didn't have this 
exact same thing happen to them with this filezilla behavior, which then lead 
to a compromise of a nuclear reactor? 

Just because I don't have something like 10% of all the ZDI bugs under my belt 
doesn't make my points any less valid. Who cares if people choose to write 
about it? Basically what you're saying is you're afraid of people using the 
internet to write about stuff they're interested in, and voice their opinions. 
That's in complete contradiction to the nature of this list (and the whole 
internet for that matter), and no matter how hard you close your eyes and wish 
that the internet hadn't given people an anonymous voice to bitch about what 
they choose, it'll never go away. That's just the way it is. 

Ryan

----- Original Message -----
From: "Chris Evans" <scarybeasts@xxxxxxxxx>
To: michaelslists@xxxxxxxxx
Cc: full-disclosure@xxxxxxxxxxxxxxxxx, "Mutiny" <mutiny@xxxxxxxxxxxxxxxxxxx>
Sent: Thursday, October 14, 2010 3:51:31 AM GMT -05:00 US/Canada Eastern
Subject: Re: [Full-disclosure] Filezilla's silent caching of user's credentials

On Wed, Oct 13, 2010 at 11:46 PM, silky < michaelslists@xxxxxxxxx > wrote: 

On Thu, Oct 14, 2010 at 5:39 PM, Christian Sciberras < uuf6429@xxxxxxxxx > 
wrote: 
> > Not all attackers are created 
> > equally. 
> 
> I still see this a simple matter of violating KISS to introduce a layer of 
> encryption. 
> The question is, to which end? Sure, an attacker might see the encrypted 
> file and think it's "too difficult" for him to get to the passwords. Another 
> might use a certain utility to decrypt the said file. The thing is, to which 
> end are 
> we encrypting the data? Just for the sake of making it work like the N other 
> programs? 
> I mean, if this doesn't *work*, why even *bother*? 

Sorry, but your comments are totally useless here and can't even 
really be addressed properly, given their quite ridiculous nature. 

Well done on behaving in a gentlemanly manner and winning people over with your 
in-depth technical arguments. 

I think you need to break down the problem into the various threats against 
these stored secrets. 

1) You're worried about some random person who has transient physical access to 
your logged-in machine. 

2) You're worried about some sophisticated actor who has transient physical 
access to your machine. 

3) You're worried about your machine getting stolen, or improper disposal of 
your hard drive. 

4) You're worried about the worst-possible impact of a file-theft bug, perhaps 
in a browser. 

5) You're worried about having used FileZilla on a public terminal. 

6) You're worried because multiple users without full trust between one another 
share the same account. 

Feel free to add 7), 8), etc. 

Once you start breaking it down, you realize that you're completely 
shit-out-of-luck in cases 2), 5) and 6); in case 1), the worst attacks comprise 
of writing to the drive and not reading from it; you're negligent if you're 
worried about 3) and don't have full-disk encryption; and 4) is actually the 
most nuanced and interesting threat yet it doesn't seem to be figuring in the 
reasoning of prior entrants to the thread. 

In fact, given the current state of the security industry, I think I have the 
worst threat yet: 

7) You're worried about a large number of bike-shedding lower-tier security 
researchers posting en-masse to f-d. You're worried that subsequent to this, 
some less technical security journalists will pick up on it and write a bunch 
of sensationalist news articles covering what is essentially a minor issue. 

The opening e-mail used or quoted phrases such as "critical deficiency", "total 
lapse" and "quite disturbing". This shows a disappointing misunderstanding of 
what "critical" really is. 

This bug is not being used to break into nuclear reactors in Iran, or to 
distribute mass malware. It's important to be balanced and realistic whilst 
discussing security issues. 

Cheers 
Chris 

You 
are missing the point of the encryption, and it is not my job to 
convince you, and any further comments with anyone other than the 
developer are useless. 

> > There is no question here. There is no discussion. It should be done, 
> > and if it is not, password saving should be stopped in FileZilla or an 
> > alternative program should be sought. It's that simple. 
> 
> Great. If it's so simple that it can be done in under 10 mins, go complain 
> to them. 

This email thread *is* a direct complaint to them, after bugs have 
been closed for years. I didn't start this thread. Do you even 
understand what is going on here? Your emails suggest you do not. 

> Cheers, 

> Chris. 

-- 
silky 

http://dnoondt.wordpress.com/ 

"Every morning when I wake up, I experience an exquisite joy — the joy 
of being this signature." 

_______________________________________________ 
Full-Disclosure - We believe in it. 
Charter: http://lists.grok.org.uk/full-disclosure-charter.html 
Hosted and sponsored by Secunia - http://secunia.com/ 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] Filezilla's silent caching of user's credentials
  - From: Chris Evans

Prev by Date: Re: [Full-disclosure] Filezilla's silent caching of user's credentials
Next by Date: Re: [Full-disclosure] Filezilla's silent caching of user's credentials
Previous by thread: Re: [Full-disclosure] Filezilla's silent caching of user's credentials
Next by thread: Re: [Full-disclosure] Filezilla's silent caching of user's credentials
Index(es):
- Date
- Thread