Slashdot Mirror

http://wiki.filezilla-project.org/FileZilla_FTP_Server Clearly states that it does not support SFTP.

Hi,

I'm Denis Sinegubko. The one quoted in this article.

I want to clarify one thing about how malware steals passwords from webmasters' computers.

TCP traffic sniffing was only one of possible vectors.

However, now I have more proofs that malicious programs just read configuration files and registry settings.

Just check how this trojan steals FTP, email and IM credentials:
http://www.viruslist.com/en/viruses/encyclopedia?virusid=147349

I checked programs, installed on my computer and indeed many of them store passwords in _plain text_, not encrypted. And those that encrypt
passwords use very weak algorithms.

FileZilla stores FTP credentials (including passwords) in .xml files in plain text. And this is "by design"! Check this thread:
http://forum.filezilla-project.org/viewtopic.php?f=2&t=12280

So why would malware bother with sniffing traffic or key logging (this activity can be detected by antivirus), when it can simply read everything it needs from files and Windows registry?

Psst... FileZilla.

1. new people available to projects
2. old people now unavailable to project

I observe that at this time, the increase in new people on the Internet dwarfs changes in either rate. True, the loss of key players can kill a project. Just because more middle-class white males may be forces to stop working on 'F/OSS' will not mean the end of F/OSS. OpenSource is not a business in competition with proprietary software. And as long as a project is Opensource, someone can dig up the old tapes and start patching away. The pool of raw talent is growing. Invite these new people in, they might be able to help.

Inability to upgrade, leads to more intense skill sets.

I agree that manufactures have been dumbing down the documentation. This is done not only to be friendly to the Aunt Mable crowd, but also protect this new "Intellectual Property" that the marketing department has gotten the legal department worked up about.

However, real - or open - standards vs fake - de-facto / Microsoft - standards are published in their gory detail. Many many books are published today on the details of how things work, worked and will work. However, you must go to your library and read them to benefit. Today many people want instahacking sk1llz at the push of button. Unfortunately, the real world is also garbage-in/garbage-out. Those 3rd world folks are required to put in the effort to make work what is just a push-of-a-button away for 1st world people. The difference if subtle: they have to read, you ought to read.

And, to top it off, I resent the SourceForge and all such "organizations". I much enjoy and miss, the days when each project had it's off-beat web-site hanging off of some obscure computer connection, or even hosted by some free hosting site like Geocities. Greatly enhanced the fealing of individuality and added a lot of color to the Linux community. When Sourceforge came around, it so much feals corporate, institutionalized and all the horrible things that most of us hate.

Enhanced the fealing (sic) of individuality? Don't you mean ugly?

Hmmm, let's see: sourceforge provides webhosting and other tools for a project, but how many still have their own websites?

• Slashcode @ sf.net points to slashcode.org
• keepass project's site is keypass.info
• filezilla is hosted at filezilla-project.org
• The TortoiseSVN project has a nice site at tortoisesvn.net
• Clamwin uses clamwin.com
• many more...

And that was just from clicking randomly on the top 10 downloads page. (Technically I also hit sourceforge's own project, but can you really blame sourceforge for hosting at sourceforge?) I don't really see the addition of a useful 'professional' index really impacting the 'feals' (sic) of the projects. I think it's less geocites and more "it's only 100 bucks, just register the domain already."

You still end up at some obscure computer connection for many projects. Not everything is a myproject.sourceforce.com site. However, for tiny projects they get free hosting and some do fairly

I setup my parents windows PC with an OpenVPN connection to my house and an FTP server (only listening on the TAP interface). I use Duplicity to do an GPG encrypted incremental backup to the FTP server over the VPN.

Duplicity uses encrypted TAR files for the backup, so your internal filenames...etc are never visible, which is an added benefit if you wanted to do this to a hosting provider..etc. Depending on the amount/size of your files, the first backup can be large. To get around that, I made the first backup to an external hard drive, and brought it with me on a visit (rinse and repeat a couple of times a year for good measure).

I haven't tried to restore a single file over the network, but have tested a full restore (copying the files back to an external). That being the case, I'm not sure I'd recommend this solution for an quasi on-line backup system. However, it does work quite well for just getting your data off-site (securely and incrementally), and since my parents live about 60 miles away, I'm getting a bit of geographical diversity as well.

Too bad I wasn't in that discussion. I would have recommend using FTP over SSL/TLS. I know proftpd server and Filezilla client (and presumably server) support it.

I personally like gFTP, but FZ 3 will have native Linux support. See development diary. Or perhaps you want some nightly builds?