Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Filezilla's silent caching of user's credentials
From: Chris Evans <scarybeasts () gmail com>
Date: Thu, 14 Oct 2010 02:09:38 -0700

On Thu, Oct 14, 2010 at 1:23 AM, Ryan Sears <rdsears () mtu edu> wrote:

Ok. Granted I'm not talking about a 0-day in OpenSSH here, but this IS a
real issue affecting REAL people.

I'm not really sure *who* you're trying to take a jab with point 7 and
beyond, but I know at least part of it is towards me.

Filezilla's behavior is *wrong* and what I was doing was calling for a
community push to actually get things changed. I was trying to state my
point as clearly and concisely as I possibly could, because I feel with
enough of a community backing we can actually convince botg to make minor
tweaks to his source code, and come to some kind of compromise.

Turns out FileZilla is GPL'ed:
(No idea why I had thought otherwise until just now).

It seems like you are a fan of the software but feel passionately about the
password issue.

In this instance, the most productive way forward might be to submit a
patch. I'm sure the developers would be more receptive to an approach based
on "here's a nice new feature" rather than an approach based on "pitchforks
recruited from full-disclosure".

Show me another widely-used, widely-accepted program that really does stuff
like this. I haven't really encountered them (I could be mistaken though,
and I'm fine with being corrected).

I'm pretty sure you were trying to state that I was below you in some way,

No, and I apologize if it came across this way. Any rant can be traced back
to issues such as:

- The industry-wide overuse and misuse of the word "critical" when referring
to a security bug.
- People piling angrily into the thread despite the absence of any attempt
at a detailed threat analysis.


and I very well may be. This is a community full of people with varying
degrees of technical knowledge and understanding, but we are all subscribed
to this list to do one thing - learn. How do you learn? By observing.
Observing folly's in the way other people have implemented things, and how
people have done things right. Take the apache.org xss bug that got
leveraged into a full compromise of their systems, there had to be people
who were influenced to start using things like no-script because of it. Then
you have the other people, who will never change their practices anyway.

It's really all about the path of exposure, going back to the apache.orgthing. That was a 0-day XSS bug (which 
honestly isn't THAT hard to find)
that was used to leverage one user's account, which then lead to something,
which then lead to something else. How do you know that a nuclear scientist
didn't have this exact same thing happen to them with this filezilla
behavior, which then lead to a compromise of a nuclear reactor?

Just because I don't have something like 10% of all the ZDI bugs under my
belt doesn't make my points any less valid. Who cares if people choose to
write about it? Basically what you're saying is you're afraid of people
using the internet to write about stuff they're interested in, and voice
their opinions. That's in complete contradiction to the nature of this list
(and the whole internet for that matter), and no matter how hard you close
your eyes and wish that the internet hadn't given people an anonymous voice
to bitch about what they choose, it'll never go away. That's just the way it


----- Original Message -----
From: "Chris Evans" <scarybeasts () gmail com>
To: michaelslists () gmail com
Cc: full-disclosure () lists grok org uk, "Mutiny" <
mutiny () kevinbeardsucks com>
Sent: Thursday, October 14, 2010 3:51:31 AM GMT -05:00 US/Canada Eastern
Subject: Re: [Full-disclosure] Filezilla's silent caching of user's

On Wed, Oct 13, 2010 at 11:46 PM, silky < michaelslists () gmail com > wrote:

On Thu, Oct 14, 2010 at 5:39 PM, Christian Sciberras < uuf6429 () gmail com >
Not all attackers are created

I still see this a simple matter of violating KISS to introduce a layer
of encryption.
The question is, to which end? Sure, an attacker might see the encrypted
file and think it's "too difficult" for him to get to the passwords.
might use a certain utility to decrypt the said file. The thing is, to
which end are
we encrypting the data? Just for the sake of making it work like the N
other programs?
I mean, if this doesn't *work*, why even *bother*?

Sorry, but your comments are totally useless here and can't even
really be addressed properly, given their quite ridiculous nature.

Well done on behaving in a gentlemanly manner and winning people over with
your in-depth technical arguments.

I think you need to break down the problem into the various threats against
these stored secrets.

1) You're worried about some random person who has transient physical
access to your logged-in machine.

2) You're worried about some sophisticated actor who has transient physical
access to your machine.

3) You're worried about your machine getting stolen, or improper disposal
of your hard drive.

4) You're worried about the worst-possible impact of a file-theft bug,
perhaps in a browser.

5) You're worried about having used FileZilla on a public terminal.

6) You're worried because multiple users without full trust between one
another share the same account.

Feel free to add 7), 8), etc.

Once you start breaking it down, you realize that you're completely
shit-out-of-luck in cases 2), 5) and 6); in case 1), the worst attacks
comprise of writing to the drive and not reading from it; you're negligent
if you're worried about 3) and don't have full-disk encryption; and 4) is
actually the most nuanced and interesting threat yet it doesn't seem to be
figuring in the reasoning of prior entrants to the thread.

In fact, given the current state of the security industry, I think I have
the worst threat yet:

7) You're worried about a large number of bike-shedding lower-tier security
researchers posting en-masse to f-d. You're worried that subsequent to this,
some less technical security journalists will pick up on it and write a
bunch of sensationalist news articles covering what is essentially a minor

The opening e-mail used or quoted phrases such as "critical deficiency",
"total lapse" and "quite disturbing". This shows a disappointing
misunderstanding of what "critical" really is.

This bug is not being used to break into nuclear reactors in Iran, or to
distribute mass malware. It's important to be balanced and realistic whilst
discussing security issues.


are missing the point of the encryption, and it is not my job to
convince you, and any further comments with anyone other than the
developer are useless.

There is no question here. There is no discussion. It should be done,
and if it is not, password saving should be stopped in FileZilla or an
alternative program should be sought. It's that simple.

Great. If it's so simple that it can be done in under 10 mins, go
to them.

This email thread *is* a direct complaint to them, after bugs have
been closed for years. I didn't start this thread. Do you even
understand what is going on here? Your emails suggest you do not.





"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]