User Forks FileZilla FTP Client After Getting Hacked (filezillasecure.com)
Slashdot reader Entropy98 writes: A frustrated FileZilla user took matters into his own hands after getting hacked due to the fact that his saved passwords were being saved in plain text files. Despite years of numerous requests over almost 10 years, the FileZilla devs refused to add a Master Password option to encrypt the stored passwords. Finally fed up, one user forked FileZilla and created FileZilla Secure with the Master Password option.
Apparently, there's a bug in Microsoft's IIS server that causes corruption when attempting to resume large downloads. FileZilla does not take this into account, and as a result, the download is corrupted. Clearly, this is Microsoft's fault, but the situation is that there are many buggy IIS servers out there, and Filezilla, by not having a workaround for this (other FTP clients do have a workaround), ends up corrupting the download. After looking at this ticket, it shows that the developer clearly does not live in the real world.
Personally, this issue hasn't affected me, but the exchange I linked to tells me a lot about the attitude of the developer. I only even discovered this issue when reading about FileZilla.
So is this fork going to address this issue?
When someone can read your passwords of your disk, the point of encryption is already moot.
No, encrypting the password database with a master password that's not saved means it can no longer be read directly, significantly raising the bar for capturing passwords.
A) FTP is typically plain text anyway so you could just wireshark it
Depending on user privileges this may not be possible, and would only gather one at a time.
B) you can replace the binaries and have them emailed any time they are entered
Depending on user privileges this may not be possible.
C) you can install a keylogger
See B
This "user" could've just as easily encrypted his entire hard drive or user directory. Still wouldn't have helped though.
No shit that wouldn't have helped, as long as the drive's mounted the file is plaintext as far as the malware is concerned.
I would seriously reconsider taking a "secure" anything from anyone that can't bother to think their own security through.
Clearly you're not capable of thinking through security yourself.
Let's say I'm shithoused and inadvertently run some kind of malware that wants to steal my FTP passwords. I realize what I've done almost immediately after and shut down to restore from backups. If they're stored unencrypted, that malware could have already sent my full stored password list to wherever. If they're encrypted with a master password, the malware gets absolutely nothing. Even if I don't catch it immediately the malware still can't get it no matter what until I actually go to use those passwords.
If you can't see how huge of a difference that is I don't know what to say.
I used to get high on life, but I developed a tolerance. Now I need something stronger.
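The point made in the replies above (a credential file encrypted under a master password that is never written to disk yields nothing to malware that merely copies the file, while a plain-text store gives up every saved password at once) can be shown concretely. The following is an added, stand-alone example and is not code from FileZilla, FileZilla Secure or anyone in this thread. It uses only the Python standard library: PBKDF2-HMAC-SHA256 to derive a key from the master password and a random salt, an HMAC-SHA256 counter-mode keystream for confidentiality, and an encrypt-then-MAC tag so a tampered or wrong-password file is rejected rather than silently decrypted to garbage. The site names, user names and passwords are constructed sample data; in production one would reach for a vetted AEAD such as AES-GCM or ChaCha20-Poly1305 from a maintained crypto library rather than the hand-built keystream used here to stay dependency-free.

```python
import base64
import hashlib
import hmac
import json
import os
from typing import List, Optional

# Constructed sample credential store: this is what a plain-text site manager
# file amounts to, and what malware copies off the disk in one read.
SAMPLE_ENTRIES = [
    {"host": "ftp.example.com", "user": "alice", "password": "hunter2"},
    {"host": "ftp.example.org", "user": "bob", "password": "correct-horse"},
]

PBKDF2_ITERATIONS = 200_000  # slows brute force of the master password


def derive_key(master_password: str, salt: bytes) -> bytes:
    """Stretch the master password into a 32-byte key; the salt is stored, the password is not."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, PBKDF2_ITERATIONS, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a deterministic keystream of the requested length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def encrypt_store(master_password: str, entries: List[dict]) -> dict:
    """Serialise the entries and encrypt them under a key derived from the master password."""
    salt = os.urandom(16)
    nonce = os.urandom(16)
    key = derive_key(master_password, salt)
    # Separate sub-keys for encryption and authentication (encrypt-then-MAC).
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    plaintext = json.dumps(entries).encode("utf-8")
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    # Only salt, nonce, ciphertext and tag ever touch the disk.
    return {"salt": _b64(salt), "nonce": _b64(nonce),
            "ciphertext": _b64(ciphertext), "tag": _b64(tag)}


def decrypt_store(master_password: str, blob: dict) -> Optional[List[dict]]:
    """Return the entries, or None if the password is wrong or the file was tampered with."""
    salt = base64.b64decode(blob["salt"])
    nonce = base64.b64decode(blob["nonce"])
    ciphertext = base64.b64decode(blob["ciphertext"])
    tag = base64.b64decode(blob["tag"])
    key = derive_key(master_password, salt)
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time check before decrypting
        return None
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode("utf-8"))


def file_leaks_password(file_bytes: bytes, password: str) -> bool:
    """Model the 'malware copies the file' attack: does the raw file contain the password?"""
    return password.encode("utf-8") in file_bytes


if __name__ == "__main__":
    plain_file = json.dumps(SAMPLE_ENTRIES).encode("utf-8")
    enc_file = json.dumps(encrypt_store("my master password", SAMPLE_ENTRIES)).encode("utf-8")
    print("plain-text store leaks 'hunter2':", file_leaks_password(plain_file, "hunter2"))
    print("encrypted store leaks 'hunter2': ", file_leaks_password(enc_file, "hunter2"))
    print("wrong master password ->", decrypt_store("guess", json.loads(enc_file)))
```

The `file_leaks_password` check is the thread's threat model in one line: grab the file, grep for the secret. Against the plain-text store it succeeds; against the encrypted store it fails, and a wrong master password or a modified file is rejected by the tag check instead of producing decryptable output. The caveat raised above still holds: once the user unlocks the store and uses a password, a keylogger or a replaced binary on the same machine can capture it in transit, so the master password protects data at rest, not a compromised session.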