On Thu, Oct 14, 2010 at 1:23 AM, Ryan Sears <[email protected]> wrote:

> Ok. Granted I'm not talking about a 0-day in OpenSSH here, but this IS a
> real issue affecting REAL people.
>
> I'm not really sure *who* you're trying to take a jab at with point 7 and
> beyond, but I know at least part of it is towards me.
>
> Filezilla's behavior is *wrong* and what I was doing was calling for a
> community push to actually get things changed. I was trying to state my
> point as clearly and concisely as I possibly could, because I feel with
> enough of a community backing we can actually convince botg to make minor
> tweaks to his source code, and come to some kind of compromise.
>
Turns out FileZilla is GPL'ed:
http://wiki.filezilla-project.org/FAQ#FileZilla_Client_FAQ
(No idea why I had thought otherwise until just now).

It seems like you are a fan of the software but feel passionately about the
password issue. In this instance, the most productive way forward might be
to submit a patch. I'm sure the developers would be more receptive to an
approach based on "here's a nice new feature" rather than an approach based
on "pitchforks recruited from full-disclosure".

> Show me another widely-used, widely-accepted program that really does stuff
> like this. I haven't really encountered them (I could be mistaken though,
> and I'm fine with being corrected).
>
> I'm pretty sure you were trying to state that I was below you in some way,

No, and I apologize if it came across this way. Any rant can be traced back
to issues such as:

- The industry-wide overuse and misuse of the word "critical" when referring
  to a security bug.
- People piling angrily into the thread despite the absence of any attempt
  at a detailed threat analysis.

Cheers
Chris

> and I very well may be. This is a community full of people with varying
> degrees of technical knowledge and understanding, but we are all subscribed
> to this list to do one thing - learn. How do you learn? By observing.
> Observing follies in the way other people have implemented things, and how
> people have done things right. Take the apache.org xss bug that got
> leveraged into a full compromise of their systems, there had to be people
> who were influenced to start using things like no-script because of it. Then
> you have the other people, who will never change their practices anyway.
>
> It's really all about the path of exposure, going back to the
> apache.org thing. That was a 0-day XSS bug (which honestly isn't THAT hard to
> find) that was used to leverage one user's account, which then led to something,
> which then led to something else.
> How do you know that a nuclear scientist
> didn't have this exact same thing happen to them with this filezilla
> behavior, which then led to a compromise of a nuclear reactor?
>
> Just because I don't have something like 10% of all the ZDI bugs under my
> belt doesn't make my points any less valid. Who cares if people choose to
> write about it? Basically what you're saying is you're afraid of people
> using the internet to write about stuff they're interested in, and voice
> their opinions. That's in complete contradiction to the nature of this list
> (and the whole internet for that matter), and no matter how hard you close
> your eyes and wish that the internet hadn't given people an anonymous voice
> to bitch about what they choose, it'll never go away. That's just the way it
> is.
>
> Ryan
>
> ----- Original Message -----
> From: "Chris Evans" <[email protected]>
> To: [email protected]
> Cc: [email protected], "Mutiny" <[email protected]>
> Sent: Thursday, October 14, 2010 3:51:31 AM GMT -05:00 US/Canada Eastern
> Subject: Re: [Full-disclosure] Filezilla's silent caching of user's
> credentials
>
>
> On Wed, Oct 13, 2010 at 11:46 PM, silky <[email protected]> wrote:
>
> > On Thu, Oct 14, 2010 at 5:39 PM, Christian Sciberras <[email protected]> wrote:
> > > Not all attackers are created equally.
> > >
> > > I still see this a simple matter of violating KISS to introduce a layer
> > > of encryption.
> > > The question is, to which end? Sure, an attacker might see the encrypted
> > > file and think it's "too difficult" for him to get to the passwords. Another
> > > might use a certain utility to decrypt the said file. The thing is, to which
> > > end are we encrypting the data? Just for the sake of making it work like the N
> > > other programs?
> > > I mean, if this doesn't *work*, why even *bother*?
> >
> > Sorry, but your comments are totally useless here and can't even
> > really be addressed properly, given their quite ridiculous nature.
>
> Well done on behaving in a gentlemanly manner and winning people over with
> your in-depth technical arguments.
>
> I think you need to break down the problem into the various threats against
> these stored secrets.
>
> 1) You're worried about some random person who has transient physical
> access to your logged-in machine.
>
> 2) You're worried about some sophisticated actor who has transient physical
> access to your machine.
>
> 3) You're worried about your machine getting stolen, or improper disposal
> of your hard drive.
>
> 4) You're worried about the worst-possible impact of a file-theft bug,
> perhaps in a browser.
>
> 5) You're worried about having used FileZilla on a public terminal.
>
> 6) You're worried because multiple users without full trust between one
> another share the same account.
>
> Feel free to add 7), 8), etc.
>
> Once you start breaking it down, you realize that you're completely
> shit-out-of-luck in cases 2), 5) and 6); in case 1), the worst attacks
> consist of writing to the drive and not reading from it; you're negligent
> if you're worried about 3) and don't have full-disk encryption; and 4) is
> actually the most nuanced and interesting threat yet it doesn't seem to be
> figuring in the reasoning of prior entrants to the thread.
>
> In fact, given the current state of the security industry, I think I have
> the worst threat yet:
>
> 7) You're worried about a large number of bike-shedding lower-tier security
> researchers posting en-masse to f-d. You're worried that subsequent to this,
> some less technical security journalists will pick up on it and write a
> bunch of sensationalist news articles covering what is essentially a minor
> issue.
>
> The opening e-mail used or quoted phrases such as "critical deficiency",
> "total lapse" and "quite disturbing". This shows a disappointing
> misunderstanding of what "critical" really is.
>
> This bug is not being used to break into nuclear reactors in Iran, or to
> distribute mass malware. It's important to be balanced and realistic whilst
> discussing security issues.
>
> Cheers
> Chris
>
> > You are missing the point of the encryption, and it is not my job to
> > convince you, and any further comments with anyone other than the
> > developer are useless.
> >
> > > > There is no question here. There is no discussion. It should be done,
> > > > and if it is not, password saving should be stopped in FileZilla or an
> > > > alternative program should be sought. It's that simple.
> > >
> > > Great. If it's so simple that it can be done in under 10 mins, go complain
> > > to them.
> >
> > This email thread *is* a direct complaint to them, after bugs have
> > been closed for years. I didn't start this thread. Do you even
> > understand what is going on here? Your emails suggest you do not.
> >
> > > Cheers,
> > > Chris.
> >
> > --
> > silky
> >
> > http://dnoondt.wordpress.com/
> >
> > "Every morning when I wake up, I experience an exquisite joy — the joy
> > of being this signature."
>
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
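As an added illustration of Chris's threat 4) (a file-theft bug, e.g. in a browser) and Ryan's "path of exposure" point, here is a small audit script. It is not part of the thread and not FileZilla's own code: it parses a FileZilla-style credential store and reports which saved entries hand a reusable password to anyone who can read the file. The XML layout (Server/Host/Port/User/Pass/Logontype/Name under FileZilla3/Servers), the default store locations, and the optional encoding="base64" attribute on Pass are assumptions about FileZilla 3; the sample file embedded below is constructed.

```python
"""Audit FileZilla-style credential stores for saved passwords.

Added example for the thread above; not FileZilla's code. The element layout,
the default store paths and the base64 "encoding" attribute on <Pass> are all
assumptions about FileZilla 3's sitemanager.xml / recentservers.xml.
"""
import base64
import os
import sys
import xml.etree.ElementTree as ET

# Constructed sample in the assumed layout: a plaintext password, an entry that
# only stores the username (ask-for-password logon type), and a base64-wrapped
# password (no key involved, so it is reversible by anyone holding the file).
SAMPLE_SITEMANAGER = """<FileZilla3>
  <Servers>
    <Server>
      <Host>ftp.example.invalid</Host><Port>21</Port>
      <User>deploy</User><Pass>hunter2</Pass>
      <Logontype>1</Logontype><Name>prod-ftp</Name>
    </Server>
    <Server>
      <Host>sftp.example.invalid</Host><Port>22</Port>
      <User>alice</User>
      <Logontype>2</Logontype><Name>staging (ask)</Name>
    </Server>
    <Server>
      <Host>files.example.invalid</Host><Port>21</Port>
      <User>bob</User><Pass encoding="base64">cEBzc3cwcmQ=</Pass>
      <Logontype>1</Logontype><Name>archive</Name>
    </Server>
  </Servers>
</FileZilla3>
"""


def _text(server, tag):
    node = server.find(tag)
    return node.text if node is not None and node.text is not None else ""


def decode_pass(node):
    """Return the stored secret as a string, or None if nothing is stored.
    base64 is an encoding, not encryption: it adds no protection."""
    if node is None or node.text is None:
        return None
    if node.get("encoding") == "base64":
        return base64.b64decode(node.text).decode("utf-8", "replace")
    return node.text


def find_stored_credentials(xml_text):
    """Parse one store and describe each entry; has_password marks the ones a
    single file read (threat 4 above) turns into a reusable credential."""
    root = ET.fromstring(xml_text)
    findings = []
    for server in root.iter("Server"):
        secret = decode_pass(server.find("Pass"))
        findings.append({
            "name": _text(server, "Name"),
            "host": _text(server, "Host"),
            "port": _text(server, "Port"),
            "user": _text(server, "User"),
            "has_password": secret is not None,
            "password_len": len(secret) if secret is not None else 0,
        })
    return findings


def default_store_paths():
    """Assumed locations: ~/.filezilla on Unix, %APPDATA%\\FileZilla on Windows."""
    if sys.platform.startswith("win"):
        base = os.path.join(os.environ.get("APPDATA", ""), "FileZilla")
    else:
        base = os.path.join(os.path.expanduser("~"), ".filezilla")
    return [os.path.join(base, n) for n in ("sitemanager.xml", "recentservers.xml")]


def audit(paths):
    """Report exposed entries without echoing the secrets; returns files read."""
    seen = 0
    for path in paths:
        if not os.path.isfile(path):
            continue
        seen += 1
        with open(path, "r", encoding="utf-8") as fh:
            for f in find_stored_credentials(fh.read()):
                if f["has_password"]:
                    print(f"{path}: {f['user']}@{f['host']}:{f['port']} "
                          f"({f['name']}) stores a {f['password_len']}-char password")
    return seen


if __name__ == "__main__":
    if audit(sys.argv[1:] or default_store_paths()) == 0:
        print("no store found; results for the constructed sample:")
        for entry in find_stored_credentials(SAMPLE_SITEMANAGER):
            print(entry)
```

Run it with no arguments to check the assumed default locations, or pass store paths explicitly. The script deliberately prints only the length of each secret: the point is to see how many entries are one file read away from reuse, which is the quantity the threat breakdown above is actually about.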
