Slashdot Mirror


User Forks FileZilla FTP Client After Getting Hacked (filezillasecure.com)

Slashdot reader Entropy98 writes: A frustrated FileZilla user took matters into his own hands after getting hacked because his saved passwords were stored in plain text files. Despite numerous requests over almost 10 years, the FileZilla devs refused to add a Master Password option to encrypt the stored passwords. Finally fed up, one user forked FileZilla and created FileZilla Secure with the Master Password option.

166 comments

  1. This stuff drives me nuts by Anonymous Coward · · Score: 5, Insightful

    When devs act like asshats and refuse to consider that just because you can still get at encrypted passwords doesn't mean it's not helpful to make the bar a little higher than reading plain fucking text.

    1. Re:This stuff drives me nuts by BenFranske · · Score: 4, Informative

      Filezilla also supports SFTP and FTPS though and is probably the best Windows client for those protocols so it's used for a lot more than just FTP. In fact, I would venture to guess that Filezilla FTP use is pretty minimal.

    2. Re:This stuff drives me nuts by Nostalgia4Infinity · · Score: 1

      Last time I checked Filezilla supports port 22 (SSH).

    3. Re:This stuff drives me nuts by krelvin · · Score: 1

      Are you aware you can use FileZilla for SFTP connections right?

    4. Re: This stuff drives me nuts by Anonymous Coward · · Score: 1

      FileZilla is also an SSH/SCP client. So keeping stored passwords unencrypted is just being stubborn!

    5. Re:This stuff drives me nuts by BenFranske · · Score: 4, Insightful

      A) I would guess Filezilla is used much more as an SFTP and FTPS client (is there a better one on Windows?) than as an FTP client.

      B & C could apply to SSH clients such as PuTTY as well, so we should stop using that?

      If we only implemented security enhancements when they were perfect solutions we wouldn't implement very much security. Usually there is a balancing act between usability, security, and cost. In this case there seems to be very little usability impact on encrypting the password store so why not do it?

      All that said I'm pretty particular about what software can hold passwords of mine so I've always typed them in to Filezilla on an as needed basis, seems as if that was a good idea.

    6. Re:This stuff drives me nuts by korgitser · · Score: 2, Funny

      Shrek: Ogres are like onions.
      Donkey: They stink?
      Shrek: Yes. No.
      Donkey: Oh, they make you cry.
      Shrek: No.
      Donkey: Oh, you leave em out in the sun, they get all brown, start sproutin’ little white hairs.
      Shrek: No. Layers. Onions have layers. Ogres have layers. Onions have layers. You get it? We both have layers.
      Donkey: Oh, you both have layers. Oh. You know, not everybody like onions.

      --
      FCKGW 09F9 42
    7. Re:This stuff drives me nuts by wolrahnaes · · Score: 4, Interesting

      When someone can read your passwords off your disk, the point of encryption is already moot.

      No, encrypting the password database with a master password that's not saved means it can no longer be read directly, significantly raising the bar for capturing passwords.

      A) FTP is typically plain text anyway so you could just wireshark it

      Depending on user privileges this may not be possible, and would only gather one at a time.

      B) you can replace the binaries and have them emailed any time they are entered

      Depending on user privileges this may not be possible.

      C) you can install a keylogger

      See B

      This "user" could've just as easily encrypted his entire hard drive or user directory. Still wouldn't have helped though.

      No shit that wouldn't have helped, as long as the drive's mounted the file is plaintext as far as the malware is concerned.

      I would seriously reconsider taking a "secure" anything from anyone that can't bother to think their own security through.

      Clearly you're not capable of thinking through security yourself.

      Let's say I'm shithoused and inadvertently run some kind of malware that wants to steal my FTP passwords. I realize what I've done almost immediately after and shut down to restore from backups. If they're stored unencrypted, that malware could have already sent my full stored password list to wherever. If they're encrypted with a master password, the malware gets absolutely nothing. Even if I don't catch it immediately the malware still can't get it no matter what until I actually go to use those passwords.

      If you can't see how huge of a difference that is I don't know what to say.

      --
      I used to get high on life, but I developed a tolerance. Now I need something stronger.
    8. Re:This stuff drives me nuts by hey! · · Score: 1

      Well, SFTP and FTP can be run over a secure channel like a VPN or SSH tunnel -- in fact SFTP was designed to run that way as it provides no authentication capabilities of its own. In which case wireshark does you no good because you're looking at packets full of gibberish.

      Second it is possible to get access to a machine without having access to the network segment it is on, in which case wireshark doesn't do you any good.

      Third, it is possible to get access to a disk without necessarily having the ability to install a keylogger. For example the disk could be recycled; or your malware may have the ability to send files but not the privileges needed to install a keylogger.

      This is really a broken way to think about security. Yes, security is only as reliable as its weakest link, but the existence of a single weak link doesn't mean it's OK to have holes all over the place. If that's the case, then whenever there's more than one vulnerability it's nobody's job to fix his bit until everyone else fixes theirs.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    9. Re:This stuff drives me nuts by darkain · · Score: 1

      B) The binary would be protected from write access by UAC.

    10. Re:This stuff drives me nuts by Anonymous Coward · · Score: 0

      B & C could apply to SSH clients such as PuTTY as well, so we should stop using that

      If you're still using password based authentication; sure; it applies. (But that's still a terrible idea)

    11. Re:This stuff drives me nuts by Anonymous Coward · · Score: 0

      It's the same with their TLS response, which was essentially, "Fuck you. You have no idea what you actually want. When will you ever learn that I know what's best for you?" Arrogant assholes as far as I'm concerned. On the plus side, I have choices so I choose not to use it.

    12. Re:This stuff drives me nuts by BenFranske · · Score: 1

      It would have to be more than just key based, the private key also has to be encrypted forcing the user to enter a passphrase before the key can be used. Otherwise someone with access to the system could just steal the private key file... Essentially Filezilla asking users to store passwords and then not encrypting them is the same as a program requiring an unencrypted SSH private key.

    13. Re:This stuff drives me nuts by DMJC · · Score: 1

      Hell I'm using Filezilla on Unix as an SFTP client, Time to upgrade to filezilla secure.

    14. Re:This stuff drives me nuts by Provocateur · · Score: 1

      They're not arrogant asshats. Simply put, these guys are the SNL tech rejects. They go around, snickering, somebody doesn't know the Master Password, before breaking out into song, until our chief protagonist, the Trinity wannabe/lookalike hacks into the file and sees the password in plain text.

      The project's been forked; Good news, everyone!

      --
      WARNING: Smartphones have side effects--most of them undocumented.
    15. Re:This stuff drives me nuts by guruevi · · Score: 1

      If you discover malware you should expect your passwords to be compromised, encrypted or not. Sure, a master password may help at first glance, but it's trivial to crack anything less than 16 characters long and also depends heavily on the encryption used and RNG. Most likely you reused a master password elsewhere, or it's still somewhere in memory, or the malware has been on your computer longer than you expected.

      If you are the "victim" of malware, then you should change all your passwords and revoke all your keys, including those your master passwords unlock. Master password applications are primarily a tool to unlock otherwise random and complicated passwords so you don't have to remember 20+ of them. In my experience they are NEVER intended to be a layer of machine security.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    16. Re:This stuff drives me nuts by SeaFox · · Score: 1

      When devs act like asshats and refuse to consider that just because you can still get at encrypted passwords doesn't mean it's not helpful to make the bar a little higher than reading plain fucking text.

      The same ones that tell you "patches welcome" for bug fixes or feature requests a large number of people desire? That seems to be the MO with many open source projects.

    17. Re:This stuff drives me nuts by Anonymous Coward · · Score: 0

      I'd forgotten that it could do that. I basically only use it when FTP is required (quite rare). WinSCP does SFTP/SCP natively or from WINE when I'm too lazy to use scp itself (on OSX).

    18. Re:This stuff drives me nuts by angel'o'sphere · · Score: 1

      And what has that to do with storing passwords in plain text?

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    19. Re:This stuff drives me nuts by angel'o'sphere · · Score: 1

      Sure a master password may help at first glance but it's trivial to crack anything less than 16 characters long and also depends heavily on the encryption used and RNG.
      No it is not.

      That is a completely idiotic claim.

      To "crack" the encryption of something, you need a meaningful idea how it looks unencrypted.

      If this is my unencrypted list of passwords:

      why
      are
      you trying
      so hard

      you may stumble over them with brute force (using a dictionary), sooner or later, regardless of how long the master password is (if that is even used as a cipher).

      If this is the unencrypted content of my "password file":

      wdut38;ksdiibn1;0978&llopÃ-; idomjs \nhte;-e,6345h#+2agpw,bcsw

      you have no clue that you just found the correct en-/decryption key, regardless of whether said key is only 1 char long or 2 or 32.

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    20. Re:This stuff drives me nuts by Anonymous Coward · · Score: 0

      FTP is simply a protocol. It can be encrypted or plain text.

    21. Re:This stuff drives me nuts by Anonymous Coward · · Score: 0

      ...I would venture to guess that Filezilla FTP use is pretty minimal.

      Common fucking sense has become rather extinct in the human population. That fact is summarized in why this discussion exists.

      Humans are fucking stupid for the most part when it comes to computer security. Please don't debase yourself with assumptions or guesses.

    22. Re:This stuff drives me nuts by dissy · · Score: 1

      Anonymous FTP uses no passwords. As in no password even exists, let alone is sent over the network.

      Please explain in detail how your magical fantasy network sniffer is going to read a non-existent password that isn't set over a network.

    23. Re:This stuff drives me nuts by dbIII · · Score: 1

      Two things:
      1/ It's a really good idea to not have the password in plain text.
      2/ It's not difficult to implement.
      Yes you can go on about "perfect" but in this case it's like comparing a cereal packet code wheel solution to something intended to be used by adults.

    24. Re: This stuff drives me nuts by Anonymous Coward · · Score: 0

      Anonymous ftp sends passwords over the network exactly like regular ftp does. The server just accepts any password. Traditionally, you're supposed to use your email address for the password.

    25. Re:This stuff drives me nuts by fintux · · Score: 1

      Well, SFTP and FTP can be run over a secure channel like a VPN or SSH tunnel -- in fact SFTP was designed to run that way as it provides no authentication capabilities of its own

      Do you perhaps mean FTPS, not SFTP? FTPS is basically FTP over a secure channel (as HTTPS is to HTTP), while SFTP is a completely separate protocol (SSH File Transfer Protocol - an extension to the Secure Shell protocol). You can also tunnel FTP over SSH, but it is yet a different type of connection.

    26. Re:This stuff drives me nuts by Bengie · · Score: 1

      but it's trivial to crack anything less than 16 characters long

      A random 15 char password would take 8.6 billion years on average assuming 1 trillion combos per second. I'm not sure "trivial" is the correct word.

    27. Re:This stuff drives me nuts by Anonymous Coward · · Score: 0

      Cyberduck (https://cyberduck.io/) is another option. It does better than FileZilla, but still has an issue. At least they encrypt the data-at-rest for the passwords.

    28. Re:This stuff drives me nuts by guruevi · · Score: 1

      Think again: http://www.dailymail.co.uk/sci...
      People have predictable passwords, your character set is typically limited to ~64 characters out of 256.

      To know whether a password is cracked, you can check various methods: does it include untypable characters, is the data returned structured (you could expect e.g. a signature matching known database formats), does it have a high degree of randomness, and after that, does the password work?

      In your example you have a high degree of semicolons, so your structure is password semicolon. Even if I knew nothing about how your program stores passwords (which is trivial to find out even in closed source software), there is a non random pattern.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    29. Re:This stuff drives me nuts by guruevi · · Score: 1

      I unlocked a BitLocker drive with 8 character password in less than an hour using an open source BitLocker tool. The password was a morphed dictionary word. Ever heard of Markov chains? Dedicated clusters can run through 90% of all passwords 8-16 characters in a matter of hours/days.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    30. Re:This stuff drives me nuts by Anonymous Coward · · Score: 0

      How is it "acting like an asshat" if you don't want a specific feature in your own software? I think it's more on the asshat side of things to demand that other people should implement a certain feature in their software. You are given a kind gesture when you are provided with the source code and permission to change the program to your own liking, so that's what was done here. I don't see anyone being asshats here ;)

    31. Re:This stuff drives me nuts by pnutjam · · Score: 1

      I prefer winSCP to filezilla, although, to be fair it's only a UI preference.

      I also avoid storing passwords in applications.

      Lately I've been using MobaXterm. It wraps up the SSH and SFTP/SCP client in one place. It also allows you to run Unix commands from Windows, for example scp and rsync.
      It's not Open Source, but there is a free version. It also gives you a forwarded X session, ssh tabs, and runs from a single executable (portable).

    32. Re: This stuff drives me nuts by Anonymous Coward · · Score: 0

      When OpenBSD did a major security upgrade about a year ago, they decided FTP would not go into the default install because of security issues. They also withdrew all the web browsers.

      I suspect the devs of FTP may be thinking similarly and do want the FTP user to feel insecure.

      Still, I have not followed this issue very closely, and there is a lot of not talking always about such things.

    33. Re:This stuff drives me nuts by Bengie · · Score: 1

      Dedicated clusters can run through 90% of all passwords 8-16 characters in a matter of hours/days.

      A 16 char password has nearly 10^32 combinations. If you had 100,000 computers, each with 100 cores that are 10 GHz, it would take 10^12 seconds to go through all of the combinations, assuming it only took 1 clock cycle per comparison. That's still almost 32,000 years. Please, let me know about this magical datacenter of yours.

      Your tool obviously makes many assumptions, like the password is composed of words or common patterns.

    34. Re:This stuff drives me nuts by angel'o'sphere · · Score: 1

      Actually the semicolons are close to random ;D

      Point is, if you have no edge, you can not do much.

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
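
The exchange above, wolrahnaes's point that a master password which is never written to disk stops file-reading malware cold, and the later argument between angel'o'sphere, guruevi and Bengie over whether an encrypted store can be "cracked" at all, is easier to reason about with a concrete store format in hand. The following is an added example, not FileZilla Secure's or FileZilla's own code. It assumes a hypothetical client that serializes its site list into one blob, derives an AES-256-GCM key from the master password with PBKDF2-HMAC-SHA256 (written out by hand here so the program needs only Go's standard library; a real build would use golang.org/x/crypto/pbkdf2, scrypt or argon2), and writes salt || nonce || ciphertext+tag. The sample site list and the master password are constructed. The program also shows the attacker's side: because GCM authenticates, a wrong guess fails cleanly, so whoever holds the file does get a yes/no oracle for offline guessing; what slows them down is the KDF iteration count and the master password's entropy, not the randomness of the stored passwords.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	saltLen  = 16
	nonceLen = 12
	keyLen   = 32     // AES-256
	kdfIter  = 200000 // PBKDF2 iterations used by main; the functions take it as a parameter
)

// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018): T_i = U_1 xor ... xor U_c with
// U_1 = HMAC(P, S || INT(i)) and U_j = HMAC(P, U_{j-1}). Hand-written only to stay
// within the standard library for this example.
func pbkdf2SHA256(password, salt []byte, iter, dkLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for i := uint32(1); len(out) < dkLen; i++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], i)
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx[:])
		u := prf.Sum(nil)              // U_1
		t := append([]byte(nil), u...) // running XOR
		for j := 1; j < iter; j++ {    // U_2 .. U_c
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

func deriveAEAD(masterPassword string, salt []byte, iter int) (cipher.AEAD, error) {
	key := pbkdf2SHA256([]byte(masterPassword), salt, iter, keyLen)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealStore encrypts the serialized site list. File layout: salt || nonce || ciphertext+tag.
// Fresh random salt and nonce on every write; the master password itself is never stored.
func sealStore(masterPassword string, plaintext []byte, iter int) ([]byte, error) {
	hdr := make([]byte, saltLen+nonceLen)
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	aead, err := deriveAEAD(masterPassword, hdr[:saltLen], iter)
	if err != nil {
		return nil, err
	}
	ct := aead.Seal(nil, hdr[saltLen:], plaintext, nil)
	return append(hdr, ct...), nil
}

// openStore reverses sealStore. With the wrong master password the derived key is
// wrong and GCM's tag check fails, so the caller gets an error rather than garbage.
func openStore(masterPassword string, blob []byte, iter int) ([]byte, error) {
	if len(blob) < saltLen+nonceLen+16 {
		return nil, errors.New("store file too short")
	}
	salt, nonce, ct := blob[:saltLen], blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:]
	aead, err := deriveAEAD(masterPassword, salt, iter)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, nil)
}

// guessMasterPassword is what an attacker holding only the file can do: try candidates
// offline. The tag tells them exactly when a guess is right, so a dictionary master
// password falls no matter how random the stored site passwords are; only the KDF cost
// (iter) and the master password's entropy make this expensive.
func guessMasterPassword(blob []byte, candidates []string, iter int) (string, bool) {
	for _, c := range candidates {
		if _, err := openStore(c, blob, iter); err == nil {
			return c, true
		}
	}
	return "", false
}

func main() {
	// Constructed sample of what a client might serialize; not FileZilla's real format.
	sites := []byte("sftp.example.test\talice\thunter2\nftp.example.test\tbob\tsw0rdfish\n")
	master := "correct horse battery staple" // constructed, never written to disk
	blob, err := sealStore(master, sites, kdfIter)
	if err != nil {
		panic(err)
	}
	fmt.Printf("on disk (%d bytes, opaque): %x...\n", len(blob), blob[:16])
	if _, err := openStore("password1", blob, kdfIter); err != nil {
		fmt.Println("wrong master password:", err)
	}
	pt, _ := openStore(master, blob, kdfIter)
	fmt.Printf("unlocked:\n%s", pt)
	hit, ok := guessMasterPassword(blob, []string{"123456", "password1", "qwerty"}, kdfIter)
	fmt.Println("three dictionary guesses found it:", ok, hit)
}
```

Run it as is to see the on-disk blob, the tag failure on a wrong master password, and the dictionary attempt failing against a passphrase that is not in the list. Lowering `kdfIter` to 1 makes the guessing loop run thousands of times faster, which is the whole reason a master-password feature needs a deliberately slow KDF and not just "some encryption".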
  2. Good deal by JustAnotherOldGuy · · Score: 5, Insightful

    Now as long as those lazy bastards at FileZilla don't sue him, maybe this will be a nice step forward.

    As for you fucking clowns at FileZilla storing passwords in plain text files, what the fuck? Did you just teleport in from 1992 or something??

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re:Good deal by Megane · · Score: 5, Funny

      They're just upholding the proud decades-long tradition of FTP putting everything in the clear.

      --
      #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
    2. Re:Good deal by Anonymous Coward · · Score: 0

      As for you fucking clowns at FileZilla storing passwords in plain text files, what the fuck? Did you just teleport in from 1992 or something??

      You sound like my senile grandpa who gets enraged at the television everytime the local tv station that broadcasts "Wheel of Fortune" puts on a rerun.

      Calm down there, gramps. You don't want to get your blood pressure up.

    3. Re:Good deal by Anonymous Coward · · Score: 0

      If your grandpa is senile, wouldn't reruns seem like original programming?

    4. Re:Good deal by Anonymous Coward · · Score: 0

      You sound like my 4-year old who has a tantrum every time he doesn't get to watch Power Rangers.

      OP is right, what the fuck were they thinking storing passwords in a text file? That's Security Fail 101.

    5. Re:Good deal by Anonymous Coward · · Score: 1

      Actually, I support the GP.

      The imperative to secure passwords is really strong these days, considering all the hacks, internet crime, and even the activities of the Three Letter Agencies. In a pre-internet world, plain text storage would have been bad enough, but post-internet it is unacceptable. Thus the comment about 1992.

      So many /. readers come off like arrogant know-it-alls. "Well, if you have root/physical access/any malware at all/newb users/software I don't agree with/closed source/hamburger with cheese, then all is lost so there's no point in encrypting a password file!" Besides being jackasses, these people miss huge and important security points:

      1). Defense in depth. Learn it;
      2). People make mistakes;
      3). Software has bugs and thus security we thought was in place, sometimes isn't;
      4). Security exposures can be for a limited time, by a limited means of access, and for a limited segment of a system. Thus the whole "well you're compromised and so it's game over" mindset is a losing and defeatist mindset;
      5). The whole perimeter security model has lost almost all relevance. True professionals no longer rely upon it;
      6). My information says, and from sources I trust, that "all networks worth hacking have already been penetrated". And just in case the import of that statement is lost on you, all networks are considered by someone to be worth hacking. So the bad guys are on the doorstep and you had better have more than just one security measure to deal with them.

      Plain text password storage in 2016 is appalling. If you don't think so then I have to wonder where your head is at.

    6. Re:Good deal by Anonymous Coward · · Score: 0

      Now as long as those lazy bastards at FileZilla don't sue him, maybe this will be a nice step forward.

      As for you fucking clowns at FileZilla storing passwords in plain text files, what the fuck? Did you just teleport in from 1992 or something??

      Ironically in 1992, I was learning about UNIX password salts.

      Otherwise known as a foreign concept for some of the world's most popular authentication mechanisms.

      Needless to say, we haven't come very far with common fucking sense.

    7. Re:Good deal by Anonymous Coward · · Score: 0

      If the bad guys already have access to your disk, you are already fucked.

    8. Re:Good deal by Anonymous Coward · · Score: 0

      they can't sue him.
      If he provides updated app under same GPL license, he is untouchable.

  3. OSS working as it should. by 0100010001010011 · · Score: 5, Insightful

    How many OSS projects would benefit from:

    User demands feature.
    Devs refuse feature.
    User forks and adds feature.

    1. Re: OSS working as it should. by Anonymous Coward · · Score: 0

      Would be nice if the code submission process wasn't a labyrinthine process subject to the whims of the devs either.

      But honestly I don't think you grok open source. The dev is a user; the users are devs. A dev is not beholden to user requests. This is not a commercial product. If you want a feature, ask for it. If a dev doesn't care, build it and submit it. If the devs don't think it's good for the project, your last option is to fork.

    2. Re: OSS working as it should. by tlambert · · Score: 2, Insightful

      The dev is a user; the users are devs.

      And "users who are not devs can go fuck themselves"?

      Because that's kind of what you are saying to non-dev users.

    3. Re: OSS working as it should. by Anonymous Coward · · Score: 0

      False dichotomy much, the user can also become a developer if only to effect a change that scratches their particular itch.

      The most disappointing thing of the 'progress' in software development is that the goal is to insulate the end user from having to know anything, worse, making knowing something useless.

      Users who are not devs are not told to go away, they are told that they too can contribute. Come in, the water is fine. Those for whom 'learning something' or 'doing something' is a form of torture, take this as an invitation to introduce one part of their anatomy to another. In so doing they self select themselves as people with whom discussion is futile. (It's been tried, no-one was happy). Luckily not everyone is like that and those that are have commercially developed software that they can pay for if they prefer and still get access to Free software although many still aren't happy.

      In summary people are welcome to contribute and free to use as they see fit, but no-one likes to deal with unhappy, self entitled individuals.

    4. Re:OSS working as it should. by Anonymous Coward · · Score: 0

      I think the answer is 42.

    5. Re: OSS working as it should. by Anonymous Coward · · Score: 0

      So now you have a fork with a crappy programmer that may have little to no knowledge of secure programming practices... cobbles together a 'patch' and everyone jumps on it because 'feature'.

      Yet the code is not reviewed and or intrusion tested... are you still safe?

      captcha: culpable

    6. Re:OSS working as it should. by wisnoskij · · Score: 1

      But does this actually solve anything? OK, it is forked, and there are probably other forks as well. But I cannot use more than one at once, and the main devs doing the core work are still on the original branch, with a bunch of flakes who probably moved on years ago owning the forks. At the end of the day, it is probably not worth using any of these forks if you care about getting any possible updates to the main program.

      --
      Troll is not a replacement for I disagree.
    7. Re: OSS working as it should. by Anonymous Coward · · Score: 0

      If only there was a way to look at the source, oh wait!

    8. Re:OSS working as it should. by Anonymous Coward · · Score: 0

      OSS does work, sometimes. It takes people who have the time and skills to act though. An example:

      User demands feature.

      Gnome 2 'upgrades' to Gnome 3

      Devs refuse feature.

      Many people scream, posting-wars happen, much e-ink wears out keyboards and fills up forums.

      User forks and adds feature.

      MATE desktop manager. Even Ubuntu have it now and its their best 'flavour' in the opinion of quite a few folks. And as a bonus we also got Cinnamon which is spreading in popularity across more distros than I can keep track of.

      As for Zilla, their decade-old version had "encryption". (cough)
      It was - let us be kind here - "primitive". Not ROT-13, but XOR with a repeating fixed string (the product name, no less) in a loop - genius! So with the next codebase generation the author decided to throw it out as it was a friggin joke of an encryption scheme. But he/she/they refused to implement a proper encryption scheme as it's not their domain - and we all read about how home-brew encryption is the suckiest possible solution.
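
To make concrete why the scheme the post above describes is obfuscation rather than encryption, here is an added example; it is not FileZilla's historical code and the exact key string is assumed (the post only says it was the product name). The stored entries are constructed. Two things follow from "XOR with a fixed repeating string": anyone who has read the source has the key, and even without the source, a single stored entry whose plaintext the attacker already knows hands over the key bytes at every position that entry covers, since c = p XOR k means k = c XOR p. The key length is taken as known (it sits in the binary).

```go
package main

import (
	"fmt"
)

// xorRepeating is the "encryption" the post describes: every byte is XORed with the
// next byte of a fixed key, cycling through the key. The same call decrypts.
func xorRepeating(data, key []byte) []byte {
	out := make([]byte, len(data))
	for i, b := range data {
		out[i] = b ^ key[i%len(key)]
	}
	return out
}

// recoverKey needs no copy of the key at all. Each (ciphertext, known plaintext) pair
// yields key[i % keyLen] = ct[i] ^ pt[i] for every byte it covers; the returned mask
// records which key positions have been learned. A known plaintext at least keyLen
// bytes long recovers the whole key.
func recoverKey(pairs [][2][]byte, keyLen int) (key []byte, known []bool) {
	key = make([]byte, keyLen)
	known = make([]bool, keyLen)
	for _, p := range pairs {
		ct, pt := p[0], p[1]
		for i := 0; i < len(ct) && i < len(pt); i++ {
			key[i%keyLen] = ct[i] ^ pt[i]
			known[i%keyLen] = true
		}
	}
	return key, known
}

func allTrue(mask []bool) bool {
	for _, b := range mask {
		if !b {
			return false
		}
	}
	return true
}

func main() {
	key := []byte("FileZilla") // assumed: the post says the key was the product name
	// Constructed sample entries; not a real FileZilla file.
	alice := xorRepeating([]byte("hunter2"), key)
	bob := xorRepeating([]byte("correct horse battery staple"), key)
	fmt.Printf("alice stored as %x\nbob   stored as %x\n", alice, bob)

	// 1) Anyone who has read the source (or this thread) just decrypts.
	fmt.Printf("with the fixed key: %s\n", xorRepeating(alice, key))

	// 2) Without the source, one entry whose plaintext is known leaks the key.
	k, known := recoverKey([][2][]byte{{bob, []byte("correct horse battery staple")}}, len(key))
	fmt.Printf("recovered key %q, every position known: %v\n", k, allTrue(known))
}
```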

    9. Re:OSS working as it should. by thegarbz · · Score: 1

      It would help if this didn't take 10 years. If this is OSS working as it should, then it shows how inherently broken a system of relying on users to be able to change their own software is; most users are not software developers.

    10. Re: OSS working as it should. by Anonymous Coward · · Score: 0

      the user can also become a developer if only to effect a change that scratches their particular itch.

      Yeah, because I want to use software which has been developed by people who just picked up programming to scratch a particular itch for "security."

    11. Re: OSS working as it should. by Midnight+Thunder · · Score: 1

      The healthier compromise would be admitting they don't have the cycles and inviting a code contribution. Fork the project and do a pull request. If the devs don't accept a contribution, even if it fixes an issue and is of good quality, then maybe it is time to accept that the original project is on life support and the fork deserves to be the future?

      --
      Jumpstart the tartan drive.
    12. Re:OSS working as it should. by Anonymous Coward · · Score: 0

      Honestly I think every program implementing its own encrypted store is really idiotic anyway.
      This kind of thing should be done via password managers, preferably ones that also transparently support hardware solutions.
      At least on Linux that's what Chrome does, for example; at least it keeps on nagging me to give it access to kwallet...
      If Windows doesn't have a built-in solution for this, it admittedly becomes quite a pain.

    13. Re:OSS working as it should. by Anonymous Coward · · Score: 0

      How many OSS projects would benefit from:

      User demands feature.
      Devs refuse feature.
      User forks and adds feature.

      At least the FileZilla devs aren't taking after the Gnome developers:

      > User demands feature
      > Devs refuse feature
      > Devs remove more features

    14. Re: OSS working as it should. by Trogre · · Score: 1

      Not really. Users who cannot submit almost certainly cannot fork the project.

      --
      "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
    15. Re: OSS working as it should. by p91paul · · Score: 1

      Well, that is true for any software. If you need a feature and it doesn't exist, you can either implement it or ask for it and hope to find a developer who is kind enough to implement it for you. Developers as a species tend to get kinder when paid, though. People tend to forget that just because someone develops a product that is very useful as free software, there is no obligation for the developers to spend their free time satisfying user requests. We should be grateful when they do, but we have no right whatsoever to be mad at them if they don't.

    16. Re: OSS working as it should. by tlambert · · Score: 1

      Unless you bought off the guy arguing against the feature in the bug report, he was so obviously adamantly opposed to the idea that it would not happen.

      Some developers can be bought off, but that guy was adamant enough that he's certainly got editorial control enough to rip the changes back out.

    17. Re: OSS working as it should. by AmiMoJo · · Score: 1

      FileZilla is free. Users can't really make demands of the developers.

      The users could always pay someone to add the feature. Crowd fund it.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    18. Re:OSS working as it should. by Anonymous Coward · · Score: 0

      If you paid me I'd be happy to make a patched FileZilla Edition repurposed to your liking.

  4. No FTP access needed by Anonymous Coward · · Score: 0

    If they can access your password file over the network, lulz.

    1. Re:No FTP access needed by freeze128 · · Score: 1

      Filezilla is a popular FTP client, but it's NOT an FTP server.

    2. Re:No FTP access needed by ebonum · · Score: 1

  5. frustrated by Anonymous Coward · · Score: 0

    I guess if it were 10 years, then maybe he should have "taken matters into his own hands" sooner. Or got a password manager, or girlfriend.

  6. need a password for my master password by Anonymous Coward · · Score: 1

    If your system is already compromised by malware, won't it just capture your master password when you start Filezilla? This effort just seems to be adding a pointless layer for a software program that has nowhere near the attack surface of a web browser.

    1. Re:need a password for my master password by davecb · · Score: 1

      It's a defense in depth. If the attacker is a professional security service and has a key logger on your system, they can get anything, at the expense of having to grovel through everything you type for a day (;-))

      If they're a script kiddy and can only read files, though, you can stop them by having some selected files encrypted, or their contents encrypted. For example, /etc/shadow.

      --
      davecb@spamcop.net
    2. Re:need a password for my master password by Anonymous Coward · · Score: 0

      I have a fence around my house. Does that mean if someone jumps over it, I should just leave my personal documents and banking papers on the desk to appreciate his effort and warmly welcome said robber?

    3. Re:need a password for my master password by Anonymous Coward · · Score: 0


      Yes!  Please do!

      Yours,
      Midnight Creeper

    4. Re:need a password for my master password by Anonymous Coward · · Score: 0

      Paging BadAnalogyGuy.

    5. Re:need a password for my master password by Kobun · · Score: 1

      It's one step better than that - this page distributes malware-loaded Filezilla installers - https://filezilla-project.org/...

      So it's not at all unreasonable to think that Filezilla is 100% to blame here, for both the unencrypted password file and for the malware infection.

  7. Malicious file? by Anonymous Coward · · Score: 0

    Avast has flagged the windows 64bit installer as malicious.

    1. Re:Malicious file? by Anonymous Coward · · Score: 1

      FileZilla uses NSIS for its installers (also open source), and they are (falsely) flagged by some AVs as malicious all the time, including by Avast.

    2. Re: Malicious file? by Anonymous Coward · · Score: 0

      Avast? Isn't that some kind of "anti virus" software? If you are running that you are already running malware by choice.

    3. Re:Malicious file? by Kobun · · Score: 1

      Depends what you are installing - FileZilla distributes official versions of their software that are loaded with malware. Tim (BotG) has sworn up and down that it isn't malware, and the rest of the world disagrees with him. SourceForge's takeover forced him to at least keep the malware-laden links off SourceForge, but they're still there as the default if you download from Filezilla.org

  8. The OS should do this by Anonymous Coward · · Score: 1

    It should just use whatever password manager is installed on the OS, like the gnome keyring or kde wallet manager

    1. Re:The OS should do this by cdrudge · · Score: 1

      The OS should do this... like the gnome keyring or kde wallet manager

      Interesting how you say that the OS should do this, then suggest two applications that aren't part of the OS.

  9. Not "Secure" by Anonymous Coward · · Score: 0

    "Secure" is a misnomer here, as the ftp protocol is inherently insecure, including sending the username/password in the clear anyway.

    1. Re:Not "Secure" by Dwedit · · Score: 5, Informative

      Filezilla is a client for FTP, SFTP (SSH File Transfer Protocol), and FTP over TLS. Only one of those three uses cleartext passwords over the network.

    2. Re:Not "Secure" by Anonymous Coward · · Score: 0

      Right, one of them does, so this client is not "Secure"

    3. Re:Not "Secure" by Anonymous Coward · · Score: 0

      I bet you're one of those that want embedded devices (aka IoT) to use ssh instead of telnet while ignoring that most of those will accept admin:admin style default logins

    4. Re:Not "Secure" by Anonymous Coward · · Score: 0

      Maybe they should call it "More Secure"

    5. Re:Not "Secure" by darkain · · Score: 1

      It's just as secure as the web browser you're using right now (HTTP vs HTTPS)

    6. Re:Not "Secure" by angel'o'sphere · · Score: 1

      Probably you should learn to read.

      This: Only one of those three uses cleartext passwords over the network.
      is not the topic.

      The topic are clear text passwords saved in a text file on the clients computer.

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    7. Re:Not "Secure" by Anonymous Coward · · Score: 0

      I think reading is something you're having trouble with - or at least, comprehension.

      Dwedit knows that the topic is clear text passwords saved in a text file. That's the entire point of his reply.

      If the only protocols supported by FileZilla all sent passwords in clear text, then saving the passwords in an encrypted file would be pretty pointless - the degree to which it improved your security would be significantly less than the effort and pain involved in implementing and supporting the encrypted password store feature.

      However, BECAUSE FileZilla supports protocols that don't send passwords in the clear, encrypting them on disk is worth the pain, and will definitely improve the situation - as the password file was the weakest link. Encrypting it makes that link stronger (and may even make something else the weakest link).

    8. Re:Not "Secure" by geekmux · · Score: 1

      Filezilla is a client for FTP, SFTP (SSH File Transfer Protocol), and FTP over TLS. Only one of those three uses cleartext passwords over the network.

      Thank you for the clarification, but the year is 2016. None of the protocols or programs used today should be using or storing cleartext passwords on any system or transmitted over any network.

      Enough of the bullshit excuses to continue to even support insecure protocols. No excuse is viable today.

    9. Re:Not "Secure" by LoginOrSignup · · Score: 1

      Some of the later FileZilla releases have been clients for malware.

    10. Re:Not "Secure" by sbrown7792 · · Score: 1

      Yeah but then everyone would start abbreviating it "MS Filezilla" and no one would use it, because it looks like Microsoft touched it.

  10. why the effort? by Anonymous Coward · · Score: 0

    Key based SSH transfers would have saved this "developer" from the hack and wasting time writing a new version of a dead tech.

  11. IIS Server resume bug by cjellibebi · · Score: 5, Interesting

    Apparently, there's a bug in Microsoft's IIS server that causes corruption when attempting to resume large downloads. FileZilla does not take this into account, and as a result, the download is corrupted. Clearly, this is Microsoft's fault, but the situation is that there are many buggy IIS servers out there, and Filezilla, by not having a workaround for this (other FTP clients do have a workaround), ends up corrupting the download. After looking at this ticket, it shows that the developer clearly does not live in the real world.

    Personally, this issue hasn't affected me, but the exchange I linked to tells me a lot about the attitude of the developer. I only even discovered this issue when reading about FileZilla.

    So is this fork going to address this issue?

    1. Re:IIS Server resume bug by hcs_$reboot · · Score: 1

      the developer clearly does not live in the real world

      Maybe... he didn't reply for 18 months.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    2. Re:IIS Server resume bug by Anonymous Coward · · Score: 1

      Wow. I love how the developer of the client software is telling his users to upgrade the servers they're connecting to!

      That takes some real chutzpah.

      dom

    3. Re: IIS Server resume bug by lucm · · Score: 3, Insightful

      Thanks for posting that link, that ticket is pure gold. 7 years of arrogance make for a fascinating 5 minute read.

      The amount of time that developer spent arguing and reclosing that ticket could have been spent solving the problem, but instead he was proud of "making a stand" against a mainstream server product (IIS) that doesn't follow the standard. All he did was alienate users, including potentially me - I don't use Filezilla but moving forward if the need arises I'll choose anything else, I don't want code written by that aspie on my machine.

      It's always a red flag when someone starts using metaphors in a tech discussion, like this guy and his "bridge". Inevitably it leads to a metaphor contest ("no, the river is the protocol", "then the pillars are the implementation", "no, IIS is the truck crossing the river" etc etc). I have a policy of leaving meetings when the discussion gets to metaphors.

      People like that guy are not representative of open source developers, they're representative of *bad* open source developers.

      --
      lucm, indeed.
    4. Re:IIS Server resume bug by Anonymous Coward · · Score: 0

      Why don't you submit a patch instead of relying on others to use up their free or paid time to satisfy your needs.

    5. Re:IIS Server resume bug by fnj · · Score: 1

      IIS server

      PIN number
      ATM machine
      nothing says "stupid" like redundant labeling

    6. Re: IIS Server resume bug by Kjella · · Score: 1

      On the other hand, I assume he's not getting paid for it. Doesn't matter what open source application it is, if it wasn't my itch to scratch I doubt I'd bother to fix someone else's botched implementation of file formats, protocols and such. Particularly not a large, closed source corporation like Microsoft. Could you imagine Firefox trying to mimic IE6's rendering? I'd probably not bother with the long analogies though just mark it as WONTFIX, if someone offers

      a) a clean and working compatibility patch
      or
      b) a paid consulting gig

      I'd consider it, if not go complain to Microsoft. I know shit like this happens a lot in the real world, I work around a lot of broken and buggy shit but then I also collect a paycheck for it. It's not the kind of work you do for fun, it's just a pain in the butt because you're forced to deal with a poor product.

      --
      Live today, because you never know what tomorrow brings
    7. Re:IIS Server resume bug by Anonymous Coward · · Score: 0

      It's wontfix, it happens all the time. Did you even look at those ridiculous proposed solutions?

    8. Re: IIS Server resume bug by thegarbz · · Score: 2

      Doesn't matter what open source application it is, if it wasn't my itch to scratch I doubt I'd bother to fix someone else's botched implementation of file formats, protocols and such.

      So what you're saying is you're happy releasing and standing behind some software that is incompatible and useless for a large portion of popular servers on the internet? If this was some edge case I'd agree with you, as a developer, especially someone working for free/fun you can't fix everything. But if you can't talk to IIS then frankly your website should feature a warning about how poorly your program works.

      It's not like people were asking for a perfect fix. Half of that thread was simply asking for some basic sanity checking on the received content and a warning if the result is expected to be corrupted, rather than waiting a long time only to be disappointed.

      Could you imagine Firefox trying to mimic IE6's rendering?

      You're talking about connecting to a server (bug is out of control of administrators and affects people all over the internet) to some received HTML (a very individual problem).

      Anyway I can imagine it. There was a plugin provided that loaded IE6 in Firefox tabs which I used for many years. This isn't an example of WONTFIX it's an example of a simple workaround that didn't take a crap on user expectations.

      It's not the kind of work you do for fun, it's just a pain in the butt because you're forced to deal with a poor product.

      I'm not sure now if you're talking about Filezilla's developers or Filezilla's users.

    9. Re: IIS Server resume bug by Anonymous Coward · · Score: 0

      Please don't tell me that IIS is a popular ftp server.

    10. Re:IIS Server resume bug by wonkey_monkey · · Score: 1

      The S in IIS stands for services, not server.

      --
      systemd is Roko's Basilisk.
    11. Re: IIS Server resume bug by Anonymous Coward · · Score: 0

      > incompatible and useless for a large portion of popular servers on the internet?

      Microsoft is fine with having an incompatible server, and asking for shitloads of money for it.
      If you think this is something to be bothered about, then you surely must consider every single Microsoft employee as the scum of the earth!

    12. Re:IIS Server resume bug by angel'o'sphere · · Score: 1

      nothing says "stupid" like redundant labeling
      You are mistaken.
      Nothing says "stupid" like being pedantic about such simple matters.
      Everyone, including scientists/biologists says HIV virus.
      Same for any other matter. It is "strictly speaking" wrong: but everyone uses language that way. Get over it and be done with it, you look extremely stupid to me, as you obviously don't know that. On the other hand you simply could be an autist, then it is forgivable.

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    13. Re:IIS Server resume bug by Anonymous Coward · · Score: 0

      It's not even "strictly speaking" wrong.

      Initialisms and acronyms used as names aren't like macros in C that get expanded on parsing. They're just names. So it's irrelevant to the context of the sentence what the initials stand for. So not only is it correct, it is often extremely helpful to add one of the words that happens to be represented in the initialism into the sentence to clarify what you're talking about.

      (And that's completely ignoring the fact that "S" doesn't even stand for "Server" in IIS)

    14. Re:IIS Server resume bug by Trogre · · Score: 1

      Nothing says "useless pedantry" like mistakenly expanding acronyms inline.

      "Send me a GIF." "You want me to send you a format?"
      "Okay, how about a JPEG." "But I don't know the whole group personally."

      --
      "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
    15. Re: IIS Server resume bug by dbIII · · Score: 1

      So what you're saying is you're happy releasing and standing behind some software that is incompatible and useless for a large portion of popular servers on the internet?

      If it's a tiny one person project, why not?
      The thing may be popular but things like storing the password in plain text for any malware to read shows that it's a one person hobby project with far less than professional effort.

    16. Re: IIS Server resume bug by thegarbz · · Score: 1

      If it's a tiny one person project, why not?

      Well if that's the case then just say so. Instead you see an endless stream of the developer putting more effort into arrogantly arguing philosophy than required to fix the actual problems. Look through the bug tracker. This is not someone who's tight on time, but someone who just seems to be a user hating arsehole who can't stand the fact that people have a different view than his, even when that different view is taken up by most of his competitors.

      As always when you look at these individual stories it's worth checking to see if this is an isolated case of user whinging or if there's a history of developer arrogance that got to this point.

    17. Re:IIS Server resume bug by Anonymous Coward · · Score: 0

      I remember when Opera tried to ignore everything that was not a written, solid and finished spec for the web.
      They were promptly ignored by the greater web browser using community. (this being after they got rid of the silly payment)

      There is sticking to specs and going above and beyond to deal with errors these specs have introduced and not been fixed.
      That is how future revisions to said specs get made. Or new specs entirely.

      HTML5 came about because of absolute disagreement of everybody against W3C's stupid decisions and trying to force that god-awful XHTML down every single throat in existence.
      And despite the fact that some things are stupid, it is mostly far better off for it. Most features are locked down and require permission before being used. W3C were against this. (and even if they weren't, their monolithic shitfest would have taken till NOW to have implemented a draft spec!)
      One wasn't, the battery API, and it is now being removed by a browser vendor COMPLETELY. (Mozilla)
      Likewise some silly flexible box system that ended up ballooning to 20k+ lines of code was ripped out entirely because the overhead it was causing was insane.
      We now have Flexbox.

      Codesquid seems like he wants to be made obsolete. Bye then.

    18. Re: IIS Server resume bug by wildstoo · · Score: 1

      Indeed. Comment 31 aka Codesquid's Bridge is truly awesome:

      No, the engineer really did exist in another world. Not only was he incapable of understanding that a bridge costs more than a car or a truck, he didn't even understand that many people do not own the bridges they drive over. He even thought that customers would prefer his truck because it couldn't drive over this particular bridge.

    19. Re: IIS Server resume bug by lucm · · Score: 1

      That would make an amazing t-shirt.

      I DROVE CODESQUID TRUCK ON A 7.5% BRIDGE AND I SURVIVED

      --
      lucm, indeed.
  12. Filezilla dev... by Anonymous Coward · · Score: 1

    After reading that thread on the Filezilla forum I feel slightly sick in my stomach.

    That dev is one dense motherfucker, his only reply is "Yes but how did you get infected in the first place", as if that mattered in any way.
    Don't store PLAIN TEXT passwords in your software, dummy!

    Seriously reaching black hole level density here buddy, shame on you...

    1. Re:Filezilla dev... by goarilla · · Score: 2

      That dev is one dense motherfucker, his only reply is "Yes but how did you get infected in the first place", as if that mattered in any way.

      It does ... would you trust crypto code commits from someone who got hacked from clicking a simple phishing email ?

    2. Re:Filezilla dev... by Anonymous Coward · · Score: 0

      No it doesn't. Storing passwords in plain text is a BAD(tm) idea, what does the attack vector have to do with it?

    3. Re:Filezilla dev... by Vlad_the_Inhaler · · Score: 1

      Is that how he was hacked? I looked at several of the links but did not see that.
      codesquid seems to have a very well developed sense of what-he-is-prepared-to-do and what not, or "who cares what the users want because they are clueless?".

      I know someone who uses Filezilla but he is on a network which has no direct connection to the outside world. Probably the safest way.

      --
      Mielipiteet omiani - Opinions personal, facts suspect.
    4. Re:Filezilla dev... by NotAPK · · Score: 1

      I would.

      Doubly so considering that the tech for this patch already exists, and I must point out, *already exists* within other Mozilla packages! You know that thing in Thunderbird where the email client can save all of your email passwords and encrypt them using a single password? Well, doesn't it seem similar to that other thing in Firefox where the browser can save all your passwords and encrypt them using a single password? Right. So all the Filezilla devs had to do was take the same code and apply it to Filezilla so it can do the same thing. Yet they haven't.

      I'm perfectly confident that nearly any half-competent dev could have done this, which is why I would trust this patch. However...

      There have been numerous problems with Filezilla over the years and I truly don't know why it's become such a train wreck of a program.

      WinSCP is a much better alternative.

    5. Re: Filezilla dev... by Anonymous Coward · · Score: 1

      It wasn't a phishing email. It was a browser exploit that took the ftp login details from the unencrypted filezilla password and then uploaded itself to every page of every site of every server on the password list.

      This isn't the first time some malware targeted the filezilla password file. There's a reason chrome, Firefox, bitcoin, and others encrypt their master password file.

    6. Re:Filezilla dev... by hey! · · Score: 3, Insightful

      Everybody can get hacked eventually. A moment of distraction, a zero day exploit, a trusted partner or source getting undermined...

      If you think you are too smart to get hacked, you are a fool.

      Security is the one place where your very best effort ought to be the norm.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    7. Re:Filezilla dev... by Anonymous Coward · · Score: 0

      Everybody can get hacked eventually. A moment of distraction, a zero day exploit, a trusted partner or source getting undermined...

      Moment of distraction that happened to me:

      I downloaded something off a file sharing network. I temporarily unpacked the zip to see what was inside. There was an .exe that had an icon that looked like a folder. I double-clicked on it by accident. Don't know what it did, but had to install a virus scanner to rid my system of it.

      Yes, I did have file extensions un-hidden. Yes, the icon didn't even match my environment (it was a fancy XP icon and I was running 2000). Yet I still somehow double-clicked on it. And I knew within a second that it was the wrong move.

      (I suppose running antivirus software would have caught it before it executed, but those things make the computer so damn sluggish ...)

    8. Re:Filezilla dev... by goarilla · · Score: 1

      Is that how he was hacked? I looked at several of the links but did not see that.

      No, I don't know how he was hacked. I was just painting a possible scenario.

    9. Re:Filezilla dev... by pnutjam · · Score: 1

      I agree, winSCP beats the pants off FileZilla.

  13. Idiot user - it's fully encrypted! by LynnwoodRooster · · Score: 0

    In fact, to make sure it's twice as secure, FileZilla double-encrypts all passwords with the ROT13 algorithm.

    --
    Browsing at +1 - no ACs, I ignore their posts. So refreshing!
    1. Re:Idiot user - it's fully encrypted! by Anonymous Coward · · Score: 0

      I do not understand double negatives.

    2. Re:Idiot user - it's fully encrypted! by LynnwoodRooster · · Score: 1

      Are you positive about that?

      --
      Browsing at +1 - no ACs, I ignore their posts. So refreshing!
  14. Switch to WinSCP by Anonymous Coward · · Score: 1

    Switch to WinSCP because it's better than FileZilla in every way.

    1. Re:Switch to WinSCP by NotAPK · · Score: 1

      Done and done. It's a really good program.

    2. Re:Switch to WinSCP by Anonymous Coward · · Score: 0

      Winscp lacks a linux version. Filezilla runs on both and is useful even if you only use it as an ssh client. Fuck, FTP predates Bretton Woods II and the end of dollar to gold convertibility.

    3. Re: Switch to WinSCP by Anonymous Coward · · Score: 0

      It's slower than filezilla and in my opinion the interface isn't as good.

    4. Re: Switch to WinSCP by Anonymous Coward · · Score: 0

      It's slower than filezilla and in my opinion the interface isn't as good.

      WinSCP is scriptable; Filezilla is not. FileZilla's interface can't be better when it's only half there.

  15. FLOSS is better than proprietary software. by jbn-o · · Score: 1

    That's not a fair interpretation of what the grandparent poster wrote. Should we interpret your response to be anti-business because you didn't mention that non-developing users can hire developers? Of course not, that wouldn't be fair because you didn't say any such thing.

    Users who aren't developers still have viable options. They can learn development (as the other developing users did) or they can hire developers. These options make FLOSS better than proprietary software. When proprietary software isn't good enough, nobody is allowed to improve it, distribute their improved versions (even commercially), and help others.

    It's also great that FileZilla is GPL'd so the copyright holders can compel those who distribute to distribute their improved source code too. Software freedom is great to have and copyleft is a good mechanism for helping others get to share in the freedom.

    1. Re:FLOSS is better than proprietary software. by tlambert · · Score: 1

      That's not a fair interpretation of what the grandparent poster wrote. Should we interpret your response to be anti-business because you didn't mention that non-developing users can hire developers? Of course not, that wouldn't be fair because you didn't say any such thing.

      It's perfectly fair.

      Hiring a developer, unless they are in sole editorial control of the section of code you are interested in having modified, doesn't guarantee editorial control over the project direction.

      With that, the project is free to reject the patches of the hired gun, and you are left with a fork of the project, and no one to maintain it going forward.

      Worse, even if you were "made of money", and could afford a hired gun to port forward the changes for each new release of Mozilla, without the patches in the tree, there's every possibility that a structural or architectural change may preclude an easy port forward of the code: the developers in the main Mozilla project have no vested interest in not modifying internal APIs willy-nilly.

      In fact: they've modified internal APIs willy-nilly in the past, so their track record in this regard isn't so great.

      So no: it's generally not a good idea to hire a developer to make the changes you want, if they're not going to be accepted back into the project.

      From the bug report, and the caustic relationship present, and the main developer's insistence that it's not a problem unless your machine is compromised anyway (totally ignoring all "security in depth" arguments) -- it's pretty damn sure that a fork was the only option.

      Or are you saying these patches will likely make it back into the main line Mozilla?

  16. Love Filezilla... by matbury · · Score: 2

    ...but yes, not encrypting login credentials is a major concern for me too. Also, I prefer to use keys rather than passwords wherever possible but more often than not, Filezilla throws up a bunch of bugs that haven't been patched in a long time when I try to use them.

    So yes, the Filezilla devs really need to get their acts together on security.

    BTW, no Filezilla Secure available for Linux yet. Since Linux pretty well has encryption for all things web built in, it's tempting to give up on GUIs and simply do it all from the command line.

    1. Re:Love Filezilla... by Anonymous Coward · · Score: 0

      BTW, no Filezilla Secure available for Linux yet. Since Linux pretty well has encryption for all things web built in, it's tempting to give up on GUIs and simply do it all from the command line.

      Regarding Linux, it took me no more than 10 minutes and I've compiled it (debian testing, amd64). And it took me so long because I had to install the various dependencies.

      I tried and it works, at startup asks for a master password and then goes on as usual.

  17. Dude, Filezilla had no fault in you getting hacked by Anonymous Coward · · Score: 0

    You got hacked because you visited a web site with malware on it and you used a vulnerable browser (or vulnerable add-ons or plugins) to do so. At that point, your system was compromised. Filezilla had no part in it. If you enter the master password on a hacked system, that's gone too, and every password that was encrypted with that master password is then also compromised.

  18. Segmented FTP? by bastrogue · · Score: 1

    Great! I've been thinking about doing the same thing for some time now since the FileZilla Devs seem dead set about ignoring Segmented FTP. People have been requesting it for years and the devs are like 'eh, I don't need it so why would anyone else?'

    https://whatbox.ca/wiki/Multi-threaded_and_Segmented_FTP

    https://forum.filezilla-project.org/viewtopic.php?t=24720

    https://trac.filezilla-project.org/ticket/2309

    https://trac.filezilla-project.org/ticket/2762

    https://trac.filezilla-project.org/ticket/5526

    1. Re:Segmented FTP? by Anonymous Coward · · Score: 0

      Isn't it a dead feature? I remember split downloads were a cool thing back in the gozilla days. To put the brakes on leechers a file sharing site might have limited each individual connection to 10KB/s to try and limit bandwidth costs. So naturally the leechers used programs that would allow multiple connections making the problem worse than if they had never tried to control bandwidth at all. In today's world even cheap web hosts give unmetered best effort 100mbit or 1gbit behind routers that are smart enough not to allocate an unfair amount of bandwidth to a single IP just because it made 10 requests.

      It's a relic of the past, like breaking large images into tiles to "load faster" when really all it ever did was cause congestion and any responsiveness improvement was better served with progressive encoding.

  19. Obvious solution by Anonymous Coward · · Score: 0

    Why didn't you just switch clients?

    1. Re:Obvious solution by Kobun · · Score: 1

      Seriously, give WinSCP a try. https://winscp.net/eng/downloa...

    2. Re:Obvious solution by angel'o'sphere · · Score: 1

      Does not run on Linux, Mac OS X, BSD, AIX, Solaris ... and many other OSes.

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    3. Re:Obvious solution by geekmux · · Score: 1

      Does not run on Linux, Mac OS X, BSD, AIX, Solaris ... and many other OSes.

      Pretty much all of the aforementioned OSes natively support SSH and SFTP from the command line, so what's the problem again?

      Oh yeah, that's right, I forgot. The command line has become the standard transmission of interfaces today. (sorry, couldn't help but toss a car analogy in...)

    4. Re:Obvious solution by angel'o'sphere · · Score: 1

      Of course they do!
      What has that to do with WinSCP? Or Filezilla?
      Or more importantly, Filezilla saving passwords in clear text?
      As far as I can tell: nothing.

      BTW: ssh only works if you have a native account on the target system. Neither ftp nor sftp requires that. Probably you should stop mixing up tools and protocols. Might help you in discussions where this is relevant.

      SFTP requires a certificate infrastructure. In other words: it only works if the server you want to connect to via SFTP has a TLS certificate that can be verified somehow.

      So, your thrown in comment, off topic as it is, makes not much sense.

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
  20. It's in the name. by SCPaPaJoe · · Score: 1

    Just don't use software with "zilla" in the name. With a name like that, it can't be serious.

  21. Re:Dude, Filezilla had no fault in you getting hac by Anonymous Coward · · Score: 0

    And if you did not enter the master password, is every password that was encrypted compromised?

  22. Forks Filezilla to make a more secure option... by intangible · · Score: 1

    Serves forked-because-of-security-enhancements download over HTTP instead of HTTPS even though certs are free via LetsEncrypt. SMH.

  23. Thank you. by Anonymous Coward · · Score: 0

    Thank you for the information and the new off shoot. I uninstalled Filezilla and won't use it ever again. I won't necessarily jump onto the new software mentioned for a while until I see other reviews, analyze it, etc. but to find out that my 16 websites that I have to support are open to the first hacker that grabs one of mine or another admin's PC, I'm pretty pissed off.

    As it is almost always a matter of WHEN NOT IF you get hacked this is a pretty poor answer to Filezilla users.

  24. FileZilla vs MobaXterm vs PuTTY by tgibson · · Score: 1

    I've seen several comments shrugging shoulders over whether there is a better sftp client out there. As an instructor who teaches an introductory C++ on Linux course to students whose only previous experience has been in Windows, I have found that MobaXterm is much better than Filezilla or PuTTY.
    YMMV, etc., etc.

  25. If this was a problem for so long... by Larsen+E+Whipsnade · · Score: 1

    why didn't somebody fork it long before now?

  26. ForkZilla! by Anonymous Coward · · Score: 0

    Nah seriously, call it that :)

  27. Sigh by Anonymous Coward · · Score: 0

    They already had options like gnome-keychain, Apple's keychain access and GNUPG's Keychain.

    They could have used all of that even without rewriting many portions of their software.

    1. Re:Sigh by NotAPK · · Score: 1

      The very same feature is already in Thunderbird and Firefox: both are Mozilla packages.

  28. And they release a new version every week! by Otis_INF · · Score: 2

    FTP is such an old protocol, after a while you have implemented it properly, and nothing will really change. One would think FileZilla is then pretty stable and won't see new builds often. But they apparently find time to spend on new features almost weekly. Instead of spending the time on bugs in the core point of the tool, namely doing file transfer which actually transfers the file, they spend time on random features in the UI and tacked on crap not needed for transferring files.

    --
    Never underestimate the relief of true separation of Religion and State.

    1. Re:And they release a new version every week! by lucm · · Score: 1

      Yes I just checked and there's an exciting new feature released a week ago:

      Tuned appearance of progress bar in transfer queue

      I know, I know, it's all done by volunteers, but why would someone spend time changing progress bars on an FTP client when basic security features (like encrypting passwords) are missing and when a significant problem with a mainstream FTP server has been reported for 7 years? If one's goal is improving an FTP client, this makes no sense, and if one is thrilled to do some fancy GUI stuff, why on earth would that person contribute to an FTP client instead of a window manager or similar thing?

      --
      lucm, indeed.

  29. Re:Dude, Filezilla had no fault in you getting hac by Anonymous Coward · · Score: 0

    If you don't enter the master password, you might as well store the other passwords to /dev/null, which is secure.

  30. Hopefully he expunges all the malware, too... by Anonymous Coward · · Score: 0

    Original FileZilla developer, Tim Kosse, has been very clear regarding the fact that he is happy to allow malware to be bundled with FileZilla if it "pays the bills". He pardons himself by stating, rather wryly, that "A malware free version is available from an alternate download link." Hopefully, the fork maintainer eliminates this practice.

  31. Why is this news? This is a standard open source by rhyous · · Score: 1

    Why is this news? This is a standard open source practice, to fork and change/improve.

    Good work developer. Good use of Open Source.

  32. Nice case study by Anonymous Coward · · Score: 0

    I love how this so beautifully sums up everything that is great about and everything that is wrong with OSS.

  33. import plain text file, possible? by Anonymous Coward · · Score: 0

    I don't see a way to import the plain text file into the program. Am I missing something? If it doesn't exist, a utility to locate and encrypt the original plain text file in the right way using the master password, and then delete it after verifying that FZSecure indeed has the information, would be a bit of a time saver. I emailed the author and offered to write a VB6 version if he is interested.

  34. The hack was not *caused* by filezilla... by cant_get_a_good_nick · · Score: 1

    I had to read the article to see; the hack was not due to a bug in filezilla. But this bug/missing feature made the other hack much more devastating. Once the malware infiltrated, it was coded to look for filezilla passwords and took advantage of that.