Re: Filezilla's silent caching of user's credentials

[Chris Evans <scarybeasts () gmail com>]

On Thu, Oct 14, 2010 at 1:23 AM, Ryan Sears <rdsears () mtu edu> wrote:

> Ok. Granted I'm not talking about a 0-day in OpenSSH here, but this IS a
> real issue affecting REAL people.
>
> I'm not really sure *who* you're trying to take a jab with point 7 and
> beyond, but I know at least part of it is towards me.
>
> Filezilla's behavior is *wrong* and what I was doing was calling for a
> community push to actually get things changed. I was trying to state my
> point as clearly and concisely as I possibly could, because I feel with
> enough of a community backing we can actually convince botg to make minor
> tweaks to his source code, and come to some kind of compromise.

Turns out FileZilla is GPL'ed:
http://wiki.filezilla-project.org/FAQ#FileZilla_Client_FAQ
(No idea why I had thought otherwise until just now).

It seems like you are a fan of the software but feel passionately about the
password issue.

In this instance, the most productive way forward might be to submit a
patch. I'm sure the developers would be more receptive to an approach based
on "here's a nice new feature" rather than an approach based on "pitchforks
recruited from full-disclosure".


> Show me another widely-used, widely-accepted program that really does stuff
> like this. I haven't really encountered them (I could be mistaken though,
> and I'm fine with being corrected).
>
> I'm pretty sure you were trying to state that I was below you in some way,


No, and I apologize if it came across this way. Any rant can be traced back
to issues such as:

- The industry-wide overuse and misuse of the word "critical" when referring
to a security bug.
- People piling angrily into the thread despite the absence of any attempt
at a detailed threat analysis.


Cheers
Chris

and I very well may be. This is a community full of people with varying
> degrees of technical knowledge and understanding, but we are all subscribed
> to this list to do one thing - learn. How do you learn? By observing.
> Observing folly's in the way other people have implemented things, and how
> people have done things right. Take the apache.org xss bug that got
> leveraged into a full compromise of their systems, there had to be people
> who were influenced to start using things like no-script because of it. Then
> you have the other people, who will never change their practices anyway.
>
> It's really all about the path of exposure, going back to the apache.orgthing. That was a 0-day XSS bug (which 
> honestly isn't THAT hard to find)
> that was used to leverage one user's account, which then lead to something,
> which then lead to something else. How do you know that a nuclear scientist
> didn't have this exact same thing happen to them with this filezilla
> behavior, which then lead to a compromise of a nuclear reactor?
>
> Just because I don't have something like 10% of all the ZDI bugs under my
> belt doesn't make my points any less valid. Who cares if people choose to
> write about it? Basically what you're saying is you're afraid of people
> using the internet to write about stuff they're interested in, and voice
> their opinions. That's in complete contradiction to the nature of this list
> (and the whole internet for that matter), and no matter how hard you close
> your eyes and wish that the internet hadn't given people an anonymous voice
> to bitch about what they choose, it'll never go away. That's just the way it
> is.
>
> Ryan
>
> ----- Original Message -----
> From: "Chris Evans" <scarybeasts () gmail com>
> To: michaelslists () gmail com
> Cc: full-disclosure () lists grok org uk, "Mutiny" <
> mutiny () kevinbeardsucks com>
> Sent: Thursday, October 14, 2010 3:51:31 AM GMT -05:00 US/Canada Eastern
> Subject: Re: [Full-disclosure] Filezilla's silent caching of user's
> credentials
>
>
> On Wed, Oct 13, 2010 at 11:46 PM, silky < michaelslists () gmail com > wrote:
>
>
>
>
> On Thu, Oct 14, 2010 at 5:39 PM, Christian Sciberras < uuf6429 () gmail com >
> wrote:
> > > Not all attackers are created
> > > equally.
> >
> > I still see this a simple matter of violating KISS to introduce a layer
> of encryption.
> > The question is, to which end? Sure, an attacker might see the encrypted
> > file and think it's "too difficult" for him to get to the passwords.
> Another
> > might use a certain utility to decrypt the said file. The thing is, to
> which end are
> > we encrypting the data? Just for the sake of making it work like the N
> other programs?
> > I mean, if this doesn't *work*, why even *bother*?
>
> Sorry, but your comments are totally useless here and can't even
> really be addressed properly, given their quite ridiculous nature.
>
>
> Well done on behaving in a gentlemanly manner and winning people over with
> your in-depth technical arguments.
>
>
> I think you need to break down the problem into the various threats against
> these stored secrets.
>
>
> 1) You're worried about some random person who has transient physical
> access to your logged-in machine.
>
>
> 2) You're worried about some sophisticated actor who has transient physical
> access to your machine.
>
>
> 3) You're worried about your machine getting stolen, or improper disposal
> of your hard drive.
>
>
> 4) You're worried about the worst-possible impact of a file-theft bug,
> perhaps in a browser.
>
>
> 5) You're worried about having used FileZilla on a public terminal.
>
>
> 6) You're worried because multiple users without full trust between one
> another share the same account.
>
>
> Feel free to add 7), 8), etc.
>
>
> Once you start breaking it down, you realize that you're completely
> shit-out-of-luck in cases 2), 5) and 6); in case 1), the worst attacks
> comprise of writing to the drive and not reading from it; you're negligent
> if you're worried about 3) and don't have full-disk encryption; and 4) is
> actually the most nuanced and interesting threat yet it doesn't seem to be
> figuring in the reasoning of prior entrants to the thread.
>
>
> In fact, given the current state of the security industry, I think I have
> the worst threat yet:
>
>
> 7) You're worried about a large number of bike-shedding lower-tier security
> researchers posting en-masse to f-d. You're worried that subsequent to this,
> some less technical security journalists will pick up on it and write a
> bunch of sensationalist news articles covering what is essentially a minor
> issue.
>
>
>
>
> The opening e-mail used or quoted phrases such as "critical deficiency",
> "total lapse" and "quite disturbing". This shows a disappointing
> misunderstanding of what "critical" really is.
>
>
> This bug is not being used to break into nuclear reactors in Iran, or to
> distribute mass malware. It's important to be balanced and realistic whilst
> discussing security issues.
>
>
>
>
> Cheers
> Chris
>
>
>
> You
> are missing the point of the encryption, and it is not my job to
> convince you, and any further comments with anyone other than the
> developer are useless.
>
>
>
> > > There is no question here. There is no discussion. It should be done,
> > > and if it is not, password saving should be stopped in FileZilla or an
> > > alternative program should be sought. It's that simple.
> >
> > Great. If it's so simple that it can be done in under 10 mins, go
> complain
> > to them.
>
> This email thread *is* a direct complaint to them, after bugs have
> been closed for years. I didn't start this thread. Do you even
> understand what is going on here? Your emails suggest you do not.
>
>
> > Cheers,
>
> > Chris.
>
>
> --
> silky
>
> http://dnoondt.wordpress.com/
>
> "Every morning when I wake up, I experience an exquisite joy — the joy
> of being this signature."
>
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/