User Forks FileZilla FTP Client After Getting Hacked (filezillasecure.com)
Slashdot reader Entropy98 writes: A frustrated FileZilla user took matters into his own hands after getting hacked because his saved passwords were stored in plain text files. Despite numerous requests over almost 10 years, the FileZilla devs refused to add a Master Password option to encrypt the stored passwords. Finally fed up, one user forked FileZilla and created FileZilla Secure with the Master Password option.
This stuff drives me nuts (Score:5, Insightful)
When devs act like asshats and refuse to consider that just because you can still get at encrypted passwords doesn't mean it's not helpful to make the bar a little higher than reading plain fucking text.
Re:This stuff drives me nuts (Score:5, Insightful)
A) I would guess Filezilla is used much more as an SFTP and FTPS client (is there a better one on Windows?) than as an FTP client.
B & C could apply to SSH clients such as PuTTY as well, so we should stop using that?
If we only implemented security enhancements when they were perfect solutions we wouldn't implement very much security. Usually there is a balancing act between usability, security, and cost. In this case there seems to be very little usability impact on encrypting the password store so why not do it?
All that said I'm pretty particular about what software can hold passwords of mine so I've always typed them in to Filezilla on an as needed basis, seems as if that was a good idea.
Re: (Score:2)
1/ It's a really good idea to not have the password in plain text.
2/ It's not difficult to implement.
Yes you can go on about "perfect" but in this case it's like comparing a cereal packet code wheel solution to something intended to be used by adults.
Re: (Score:2)
I also avoid storing passwords in applications.
Lately I've been using MobaXterm [mobatek.net]. It wraps up the SSH and SFTP/SCP client in one place. It also allows you to run Unix commands from Windows, for example scp and rsync.
It's not Open Source, but there is a free version. It also gives you a forwarded X session, ssh tabs, and runs from a single executable (portable).
Re: (Score:2)
It would have to be more than just key based, the private key also has to be encrypted forcing the user to enter a passphrase before the key can be used. Otherwise someone with access to the system could just steal the private key file... Essentially Filezilla asking users to store passwords and then not encrypting them is the same as a program requiring an unencrypted SSH private key.
Re: (Score:3, Funny)
Shrek: Ogres are like onions.
Donkey: They stink?
Shrek: Yes. No.
Donkey: Oh, they make you cry.
Shrek: No.
Donkey: Oh, you leave em out in the sun, they get all brown, start sproutin’ little white hairs.
Shrek: No. Layers. Onions have layers. Ogres have layers. Onions have layers. You get it? We both have layers.
Donkey: Oh, you both have layers. Oh. You know, not everybody like onions.
Re:This stuff drives me nuts (Score:5, Interesting)
When someone can read your passwords of your disk, the point of encryption is already moot.
No, encrypting the password database with a master password that's not saved means it can no longer be read directly, significantly raising the bar for capturing passwords.
A) FTP is typically plain text anyway so you could just wireshark it
Depending on user privileges this may not be possible, and would only gather one at a time.
B) you can replace the binaries and have them emailed any time they are entered
Depending on user privileges this may not be possible.
C) you can install a keylogger
See B
This "user" could've just as easily encrypted his entire hard drive or user directory. Still wouldn't have helped though.
No shit that wouldn't have helped, as long as the drive's mounted the file is plaintext as far as the malware is concerned.
I would seriously reconsider taking a "secure" anything from anyone that can't bother to think their own security through.
Clearly you're not capable of thinking through security yourself.
Let's say I'm shithoused and inadvertently run some kind of malware that wants to steal my FTP passwords. I realize what I've done almost immediately after and shut down to restore from backups. If they're stored unencrypted, that malware could have already sent my full stored password list to wherever. If they're encrypted with a master password, the malware gets absolutely nothing. Even if I don't catch it immediately the malware still can't get it no matter what until I actually go to use those passwords.
If you can't see how huge of a difference that is I don't know what to say.
Re: (Score:2)
If you discover malware you should expect your passwords to be compromised, encrypted or not. Sure a master password may help at first glance but it's trivial to crack anything less than 16 characters long and also depends heavily on the encryption used and RNG. Most likely you reused a master password elsewhere or it's still somewhere in memory if the malware has been on your computer longer than you expected.
If you are the "victim" of malware, then you should change all your passwords and revoke all your
Re: (Score:2)
Sure a master password may help at first glance but it's trivial to crack anything less than 16 characters long and also depends heavily on the encryption used and RNG.
No it is not.
That is a completely idiotic claim.
To "crack" the encryption of something, you need a meaningful idea how it looks unencrypted.
If this is my unencrypted list of passwords:
why
are
you trying
so hard
you may stumble over them with brute force (using a dictionary), sooner or later regardless how long the master password is (if that is e
Re: (Score:2)
Think again: http://www.dailymail.co.uk/sci... [dailymail.co.uk]
People have predictable passwords, your character set is typically limited to ~64 characters out of 256.
To know whether a password is cracked, you can check various methods: does it include untypable characters, is the data returned structured (you could expect e.g. a signature matching known database formats), does it have a high degree of randomness and, after that, does the password work.
In your example you have a high degree of semicolons, so your structure i
Re: (Score:2)
Actually the semicolons are close to random ;D
Point is, if you have no edge, you can not do much.
Re: (Score:2)
but it's trivial to crack anything less than 16 characters long
A random 15 char password would take 8.6 billion years on average assuming 1 trillion combos per second. I'm not sure "trivial" is the correct word.
Re: (Score:2)
I unlocked a BitLocker drive with 8 character password in less than an hour using an open source BitLocker tool. The password was a morphed dictionary word. Ever heard of Markov chains? Dedicated clusters can run through 90% of all passwords 8-16 characters in a matter of hours/days.
Re: (Score:2)
Dedicated clusters can run through 90% of all passwords 8-16 characters in a matter of hours/days.
A 16 char password has nearly 10^32 combinations. If you had 100,000 computers, each with 100 cores that are 10ghz, it would take 10^12 seconds to go through all of the combinations, assuming it only took 1 clock cycle per comparison. That's still almost 32,000 years. Please, let me know about this magical datacenter of yours.
Your tool obviously makes many assumptions, like the password is composed of words or common patterns.
Re: (Score:2)
Well, SFTP and FTP can be run over a secure channel like a VPN or SSH tunnel -- in fact SFTP was designed to run that way as it provides no authentication capabilities of its own. In which case wireshark does you no good because you're looking at packets full of gibberish.
Second it is possible to get access to a machine without having access to the network segment it is on, in which case wireshark doesn't do you any good.
Third, it is possible to get access to a disk without necessarily having the ability to
Re: (Score:1)
Well, SFTP and FTP can be run over a secure channel like a VPN or SSH tunnel -- in fact SFTP was designed to run that way as it provides no authentication capabilities of its own
Do you perhaps mean FTPS, not SFTP? FTPS is basically FTP over a secure channel (as HTTPS is to HTTP), while SFTP is a completely separate protocol (SSH File Transfer Protocol - an extension to the Secure Shell protocol). You can also tunnel FTP over SSH, but it is yet a different type of connection.
Re: (Score:2)
B) The binary would be protected from write access by UAC.
Re: (Score:2)
Anonymous FTP uses no passwords. As in no password even exists, let alone is sent over the network.
Please explain in detail how your magical fantasy network sniffer is going to read a non-existent password that isn't sent over a network.
Re: (Score:2)
They're not arrogant asshats. Simply put, these guys are the SNL tech rejects. They go around, snickering, somebody doesn't know the Master Password, before breaking out into song, until our chief protagonist, the Trinity wannabe/lookalike hacks into the file and sees the password in plain text.
The project's been forked; Good news, everyone!
Re: (Score:2)
When devs act like asshats and refuse to consider that just because you can still get at encrypted passwords doesn't mean it's not helpful to make the bar a little higher than reading plain fucking text.
The same ones that tell you "patches welcome" for bug fixes or feature requests a large number of people desire? That seems to be the MO with many open source projects.
If this was a problem for so long... (Score:1)
Re:This stuff drives me nuts (Score:5, Informative)
Filezilla also supports SFTP and FTPS though and is probably the best Windows client for those protocols so it's used for a lot more than just FTP. In fact, I would venture to guess that Filezilla FTP use is pretty minimal.
Re: (Score:2)
Are you aware you can use FileZilla for SFTP connections right?
Re: (Score:2)
And what has that to do with storing passwords in plain text?
Re: This stuff drives me nuts (Score:1)
FileZilla is also a ssh / scp client. So keeping stored passwords unencrypted is just being stubborn!
Good deal (Score:5, Insightful)
Now as long as those lazy bastards at FileZilla don't sue him, maybe this will be a nice step forward.
As for you fucking clowns at FileZilla storing passwords in plain text files, what the fuck? Did you just teleport in from 1992 or something??
Re:Good deal (Score:5, Funny)
Re: (Score:1)
Actually, I support the GP.
The imperative to secure passwords is really strong these days, considering all the hacks, internet crime, and even the activities of the Three Letter Agencies. In a pre-internet world, plain text storage would have been bad enough, but post-internet it is unacceptable. Thus the comment about 1992.
So many /. readers come off like arrogant know-it-alls. "Well, if you have root/physical access/any malware at all/newb users/software I don't agree with/closed source/hamburger with
OSS working as it should. (Score:5, Insightful)
How many OSS projects would benefit from:
User demands feature.
Devs refuse feature.
User forks and adds feature.
Re: (Score:3, Insightful)
The dev is a user; the users are devs.
And "users who are not devs can go fuck themselves"?
Because that's kind of what you are saying to non-dev users.
FLOSS is better than proprietary software. (Score:2)
That's not a fair interpretation of what the grandparent poster wrote. Should we interpret your response to be anti-business because you didn't mention that non-developing users can hire developers? Of course not, that wouldn't be fair because you didn't say any such thing.
Users who aren't developers still have viable options. They can learn development (as the other developing users did) or they can hire developers. These options make FLOSS better than proprietary software. When proprietary software isn't
Re: (Score:2)
That's not a fair interpretation of what the grandparent poster wrote. Should we interpret your response to be anti-business because you didn't mention that non-developing users can hire developers? Of course not, that wouldn't be fair because you didn't say any such thing.
It's perfectly fair.
Hiring a developer, unless they are in sole editorial control of the section of code you are interested in having modified, doesn't guarantee editorial control over the project direction.
With that, the project is free to reject the patches of the hired gun, and you are left with a fork of the project, and no one to maintain it going forward.
Worse, even if you were "made of money", and could afford a hired gun to port forward the changes for each new release of Mozilla, without the patche
Re: (Score:2)
Not really. Users who cannot submit almost certainly cannot fork the project.
Re: (Score:2)
Unless you bought off the guy arguing against the feature in the bug report, he was so obviously adamantly opposed to the idea that it would not happen.
Some developers can be bought off, but that guy was adamant enough that he's certainly got editorial control enough to rip the changes back out.
Re: (Score:2)
FileZilla is free. Users can't really make demands of the developers.
The users could always pay someone to add the feature. Crowd fund it.
Re: OSS working as it should. (Score:2)
The healthier compromise would be admitting they don't have the cycles and inviting a code contribution. Fork the project and do a pull-request. If the devs don't accept a contribution, if it fixes an issue and it is of good quality, then maybe it is time to accept that the original project is on life support and the fork deserves to be the future?
Re: (Score:2)
But does this actually solve anything? OK, it is forked, and there are probably other forks as well. But I cannot use more than one at once, and the main devs doing the core work are still on the original branch, with a bunch of flakes who probably moved on years ago owning the forks. At the end of the day, it is probably not worth using any of these forks if you care about getting any possible updates to the main program.
Re: (Score:2)
It would help if this didn't take 10 years. If this is OSS working as it should then it shows how inherently broken a system of relying on users to be able to change their own software is; most users are not software developers.
Re: (Score:2)
https://filezilla-project.org/... [filezilla-project.org]
need a password for my master password (Score:1)
If your system is already compromised by malware, won't it just capture your master password when you start Filezilla? This effort just seems to be adding a pointless layer for a software program that has nowhere near the attack surface of a web browser.
Re: (Score:2)
If they're a script kiddy and can only read files, though, you can stop them by having some selected files encrypted, or their contents encrypted. For example, /etc/shadow.
Re: (Score:2)
So it's not at all unreasonable to think that Filezilla is 100% to blame here, for both the unencrypted password file and for the malware infection.
The OS should do this (Score:1)
It should just use whatever password manager is installed on the OS, like the gnome keyring or kde wallet manager
Re: (Score:2)
Interesting how you say that the OS should do this, then suggest two applications that aren't part of the OS.
IIS Server resume bug (Score:5, Interesting)
Apparently, there's a bug in Microsoft's IIS server that causes corruption when attempting to resume large downloads. FileZilla does not take this into account, and as a result, the download is corrupted. Clearly, this is Microsoft's fault, but the situation is that there are many buggy IIS servers out there, and Filezilla, by not having a workaround for this (other FTP clients do have a workaround), ends up corrupting the download. After looking at this ticket [filezilla-project.org], it shows that the developer clearly does not live in the real world.
Personally, this issue hasn't affected me, but the exchange I linked to tells me a lot about the attitude of the developer. I only even discovered this issue when reading about FileZilla.
So is this fork going to address this issue?
Re: (Score:2)
the developer clearly does not live in the real world
Maybe... he didn't reply for 18 months.
Re: (Score:1)
Wow. I love how the developer of the client software is telling his users to upgrade the servers they're connecting to!
That takes some real chutzpah.
dom
Re: IIS Server resume bug (Score:4, Insightful)
Thanks for posting that link, that ticket is pure gold. 7 years of arrogance make for a fascinating 5 minute read.
The amount of time that developer spent arguing and reclosing that ticket could have been spent solving the problem, but instead he was proud of "making a stand" against a mainstream server product (IIS) that doesn't follow the standard. All he did was alienate users, including potentially me - I don't use Filezilla but moving forward if the need arises I'll choose anything else, I don't want code written by that aspie on my machine.
It's always a red flag when someone starts using metaphors in a tech discussion, like this guy and his "bridge". Inevitably it leads to a metaphor contest ("no, the river is the protocol", "then the pillars are the implementation", "no, IIS is the truck crossing the river" etc etc). I have a policy of leaving meetings when the discussion gets to metaphors.
People like that guy are not representative of open source developers, they're representative of *bad* open source developers.
Re: (Score:2)
On the other hand, I assume he's not getting paid for it. Doesn't matter what open source application it is, if it wasn't my itch to scratch I doubt I'd bother to fix someone else's botched implementation of file formats, protocols and such. Particularly not a large, closed source corporation like Microsoft. Could you imagine Firefox trying to mimic IE6's rendering? I'd probably not bother with the long analogies though just mark it as WONTFIX, if someone offers
a) a clean and working compatibility patch
or
b)
Re: (Score:3)
Doesn't matter what open source application it is, if it wasn't my itch to scratch I doubt I'd bother to fix someone else's botched implementation of file formats, protocols and such.
So what you're saying is you're happy releasing and standing behind some software that is incompatible and useless for a large portion of popular servers on the internet? If this was some edge case I'd agree with you, as a developer, especially someone working for free/fun you can't fix everything. But if you can't talk to IIS then frankly your website should feature a warning about how poorly your program works.
It's not like people were asking for a perfect fix. Half of that thread was simply asking for so
Re: (Score:2)
If it's a tiny one person project, why not?
The thing may be popular but things like storing the password in plain text for any malware to read shows that it's a one person hobby project with far less than professional effort.
Re: (Score:2)
If it's a tiny one person project, why not?
Well if that's the case then just say so. Instead you see an endless stream of the developer putting more effort into arrogantly arguing philosophy than required to fix the actual problems. Look through the bug tracker. This is not someone who's tight on time, but someone who just seems to be a user hating arsehole who can't stand the fact that people have a different view than his, even when that different view is taken up by most of his competitors.
As always when you look at these individual stories it's
And they release a new version every week! (Score:3)
FTP is such an old protocol, after a while you have implemented it properly, and nothing will really change. One would think FileZilla is then pretty stable and won't see new builds often. But they apparently find time to spend on new features almost weekly. Instead of spending the time on bugs in the core point of the tool, namely doing file transfer which actually transfers the file, they spend time on random features in the UI and tacked on crap not needed for transferring files.
Re: (Score:2)
Yes I just checked and there's an exciting new feature released a week ago:
Tuned appearance of progress bar in transfer queue
I know, I know, it's all done by volunteers, but why would someone spend time changing progress bars on a FTP client when basic security features (like encrypting passwords) are missing and when a significant problem with a mainstream FTP server has been reported for 7 years. If one's goal is improving a FTP client, this makes no sense, and if one is thrilled to do some fancy GUI stuff why on earth would that person contribute to a F
Re: (Score:2)
Indeed. Comment 31 aka Codesquid's Bridge [filezilla-project.org] is truly awesome:
No, the engineer really did exist in another world. Not only was he incapable of understanding that a bridge costs more than a car or a truck, he didn't even understand that many people do not own the bridges they drive over. He even thought that customers would prefer his truck because it couldn't drive over this particular bridge.
Re: (Score:2)
That would make an amazing t-shirt.
I DROVE CODESQUID TRUCK ON A 7.5% BRIDGE AND I SURVIVED
Re: (Score:2)
PIN number
ATM machine
nothing says "stupid" like redundant labeling
Re: (Score:2)
The S in IIS stands for services, not server.
Re: (Score:2)
nothing says "stupid" like redundant labeling
You are mistaken.
Nothing says "stupid" like being pedantic about such simple matters.
Everyone, including scientists/biologists says HIV virus.
Same for any other matter. It is "strictly speaking" wrong: but everyone uses language that way. Get over it and be done with it, you look extremely stupid to me, as you obviously don't know that. On the other hand you simply could be an autist, then it is forgivable.
Re: (Score:2)
Nothing says "useless pedantry" like mistakenly expanding acronyms inline.
"Send me a GIF." "You want me to send you a format?"
"Okay, how about a JPEG." "But I don't know the whole group personally."
Filezilla dev... (Score:1)
After reading that thread on the Filezilla forum I feel slightly sick in my stomach.
That dev is one dense motherfucker, his only reply is "Yes but how did you get infected in the first place", as if that mattered in any way.
Don't store PLAIN TEXT passwords in your software, dummy!
Seriously reaching black hole level density here buddy, shame on you...
Re: (Score:3)
It does ... would you trust crypto code commits from someone who got hacked from clicking a simple phishing email ?
Re: (Score:2)
Is that how he was hacked? I looked at several of the links but did not see that.
codesquid seems to have a very well developed sense of what-he-is-prepared-to-do and what not, or "who cares what the users want because they are clueless?".
I know someone who uses Filezilla but he is on a network which has no direct connection to the outside world. Probably the safest way.
Re: (Score:2)
No, I don't know how he was hacked. I was just painting a possible scenario.
Re: (Score:2)
I would.
Doubly so considering that the tech for this patch already exists, and I must point out, *already exists* within other Mozilla packages! You know that thing in Thunderbird where the email client can save all of your email passwords and encrypt them using a single password? Well, doesn't it seem similar to that other thing in Firefox where the browser can save all your passwords and encrypt them using a single password? Right. So all the Filezilla devs had to do was take the same code and apply it to
Re: Filezilla dev... (Score:1)
It wasn't a phishing email. It was a browser exploit that took the ftp login details from the unencrypted filezilla password and then uploaded itself to every page of every site of every server on the password list.
This isn't the first time some malware targeted the filezilla password file. There's a reason chrome, Firefox, bitcoin, and others encrypt their master password file.
Re:Filezilla dev... (Score:4, Insightful)
Everybody can get hacked eventually. A moment of distraction, a zero day exploit, a trusted partner or source getting undermined...
If you think you are too smart to get hacked, you are a fool.
Security is the one place where your very best effort ought to be the norm.
Idiot user - it's fully encrypted! (Score:1)
Switch to WinSCP (Score:1)
Switch to WinSCP because it's better than FileZilla in every way.
Re: (Score:2)
Done and done. It's a really good program.
Comment removed (Score:3)
Segmented FTP? (Score:1)
Great! I've been thinking about doing the same thing for some time now since the FileZilla Devs seem dead set about ignoring Segmented FTP. People have been requesting it for years and the devs are like 'eh, I don't need it so why would anyone else?'
https://whatbox.ca/wiki/Multi-threaded_and_Segmented_FTP
https://forum.filezilla-project.org/viewtopic.php?t=24720
https://trac.filezilla-project.org/ticket/2309
https://trac.filezilla-project.org/ticket/2762
https://trac.filezilla-project.org/ticket/5526
It's in the name. (Score:2)
Forks Filezilla to make a more secure option... (Score:1)
Serves forked-because-of-security-enhancements download over HTTP instead of HTTPS even though certs are free via LetsEncrypt. SMH.
FileZilla vs MobaXterm vs PuTTY (Score:2)
I've seen several comments shrugging shoulders over whether there is a better sftp client out there. As an instructor who teaches an introductory C++ on Linux course to students whose only previous experience has been in Windows, I have found that MobaXterm is much better than Filezilla or PuTTY.
YMMV, etc., etc.
Why is this news? This is a standard open source (Score:1)
Why is this news? This is a standard open source practice, to fork and change/improve.
Good work developer. Good use of Open Source.
The hack was not *caused* by filezilla... (Score:2)
I had to read the article to see, the hack was not due to a bug in filezilla. But this bug/missing feature made the other hack much more devastating. Once the malware infiltrated, it was coded to look for filezilla passwords and took advantage of that.
Re:Not "Secure" (Score:5, Informative)
Filezilla is a client for FTP, SFTP (SSH File Transfer Protocol), and FTP over TLS. Only one of those three uses cleartext passwords over the network.
Re: (Score:2)
Probably you should learn to read.
This: Only one of those three uses cleartext passwords over the network.
is not the topic.
The topic are clear text passwords saved in a text file on the clients computer.
Re: (Score:2)
Filezilla is a client for FTP, SFTP (SSH File Transfer Protocol), and FTP over TLS. Only one of those three uses cleartext passwords over the network.
Thank you for the clarification, but the year is 2016. None of the protocols or programs used today should be using or storing cleartext passwords on any system or transmitted over any network.
Enough of the bullshit excuses to continue to even support insecure protocols. No excuse is viable today.
Re: (Score:2)
It's just as secure as the web browser you're using right now (HTTP vs HTTPS)
Re: (Score:1)
FileZilla uses NSIS for its installers (also open source), and they are (falsely) flagged by some AVs as malicious all the time, including Avast.
Does not run on Linux, Mac OS X, BSD, AIX, Solaris ... and many other OSes.
Re: (Score:2)
Does not run on Linux, Mac OS X, BSD, AIX, Solaris ... and many other OSes.
Pretty much all of the aforementioned OSes natively support SSH and SFTP from the command line, so what's the problem again?
Oh yeah, that's right, I forgot. The command line has become the standard transmission of interfaces today. (sorry, couldn't help but toss a car analogy in...)
Re: (Score:2)
Of course they do!
What has that to do with WinSCP? Or Filezilla?
Or more importantly, Filezilla saving passwords in clear text?
As far as I can tell: nothing.
BTW: ssh only works if you have a native account on the target system. Neither ftp nor sftp requires that. Probably you should stop mixing up tools and protocols. Might help you in discussions where this is relevant.
SFTP requires a certificate infrastructure. In other words: it only works if the server you want to connect to via SFTP has a TLS certificate
Re: (Score:2)
The very same feature is already in Thunderbird and Firefox: both are Mozilla packages.