Re: Filezilla's silent caching of user's credentials

[Pete Smith <seclists () decapitate us>]

Has anyone asked the developer to include a "don't cache credentials"
or "kiosk mode" (as someone else suggested) option even if this is not
the default at the very least it makes people aware that the passwords
are stored and may be (trivially) recoverable.

Pete

On 14 October 2010 18:51, Chris Evans <scarybeasts () gmail com> wrote:
> On Wed, Oct 13, 2010 at 11:46 PM, silky <michaelslists () gmail com> wrote:
> > On Thu, Oct 14, 2010 at 5:39 PM, Christian Sciberras <uuf6429 () gmail com>
> > wrote:
> > > > Not all attackers are created
> > > > equally.
> > >
> > > I still see this a simple matter of violating KISS to introduce a layer
> > > of encryption.
> > > The question is, to which end? Sure, an attacker might see the encrypted
> > > file and think it's "too difficult" for him to get to the passwords.
> > > Another
> > > might use a certain utility to decrypt the said file. The thing is, to
> > > which end are
> > > we encrypting the data? Just for the sake of making it work like the N
> > > other programs?
> > > I mean, if this doesn't *work*, why even *bother*?
> >
> > Sorry, but your comments are totally useless here and can't even
> > really be addressed properly, given their quite ridiculous nature.
>
> Well done on behaving in a gentlemanly manner and winning people over with
> your in-depth technical arguments.
> I think you need to break down the problem into the various threats against
> these stored secrets.
> 1) You're worried about some random person who has transient physical access
> to your logged-in machine.
> 2) You're worried about some sophisticated actor who has transient physical
> access to your machine.
> 3) You're worried about your machine getting stolen, or improper disposal of
> your hard drive.
> 4) You're worried about the worst-possible impact of a file-theft bug,
> perhaps in a browser.
> 5) You're worried about having used FileZilla on a public terminal.
> 6) You're worried because multiple users without full trust between one
> another share the same account.
> Feel free to add 7), 8), etc.
> Once you start breaking it down, you realize that you're completely
> shit-out-of-luck in cases 2), 5) and 6); in case 1), the worst attacks
> comprise of writing to the drive and not reading from it; you're negligent
> if you're worried about 3) and don't have full-disk encryption; and 4) is
> actually the most nuanced and interesting threat yet it doesn't seem to be
> figuring in the reasoning of prior entrants to the thread.
> In fact, given the current state of the security industry, I think I have
> the worst threat yet:
> 7) You're worried about a large number of bike-shedding lower-tier security
> researchers posting en-masse to f-d. You're worried that subsequent to this,
> some less technical security journalists will pick up on it and write a
> bunch of sensationalist news articles covering what is essentially a minor
> issue.
>
> The opening e-mail used or quoted phrases such as "critical deficiency",
> "total lapse" and "quite disturbing". This shows a disappointing
> misunderstanding of what "critical" really is.
> This bug is not being used to break into nuclear reactors in Iran, or to
> distribute mass malware. It's important to be balanced and realistic whilst
> discussing security issues.
>
> Cheers
> Chris
> > You
> > are missing the point of the encryption, and it is not my job to
> > convince you, and any further comments with anyone other than the
> > developer are useless.
> >
> >
> > > > There is no question here. There is no discussion. It should be done,
> > > > and if it is not, password saving should be stopped in FileZilla or an
> > > > alternative program should be sought. It's that simple.
> > >
> > > Great. If it's so simple that it can be done in under 10 mins, go
> > > complain
> > > to them.
> >
> > This email thread *is* a direct complaint to them, after bugs have
> > been closed for years. I didn't start this thread. Do you even
> > understand what is going on here? Your emails suggest you do not.
> >
> >
> > > Cheers,
> > > Chris.
> >
> >
> > --
> > silky
> >
> > http://dnoondt.wordpress.com/
> >
> > "Every morning when I wake up, I experience an exquisite joy — the joy
> > of being this signature."
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/