Slashdot Mirror


User Forks FileZilla FTP Client After Getting Hacked (filezillasecure.com)

Slashdot reader Entropy98 writes: A frustrated FileZilla user took matters into his own hands after getting hacked due to the fact that his saved passwords were being saved in plain text files. Despite numerous requests over almost 10 years, the FileZilla devs refused to add a Master Password option to encrypt the stored passwords. Finally fed up, one user forked FileZilla and created FileZilla Secure with the Master Password option.

95 of 166 comments

  1. This stuff drives me nuts by Anonymous Coward · · Score: 5, Insightful

    When devs act like asshats and refuse to consider that just because you can still get at encrypted passwords doesn't mean it's not helpful to make the bar a little higher than reading plain fucking text.

    1. Re:This stuff drives me nuts by BenFranske · · Score: 4, Informative

      Filezilla also supports SFTP and FTPS though and is probably the best Windows client for those protocols so it's used for a lot more than just FTP. In fact, I would venture to guess that Filezilla FTP use is pretty minimal.

    2. Re:This stuff drives me nuts by Nostalgia4Infinity · · Score: 1

      Last time I checked Filezilla supports port 22 (SSH).

    3. Re:This stuff drives me nuts by krelvin · · Score: 1

      Are you aware you can use FileZilla for SFTP connections right?

    4. Re: This stuff drives me nuts by Anonymous Coward · · Score: 1

      FileZilla is also a ssh / scp client. So keeping stored passwords unencrypted is just being stubborn!

    5. Re:This stuff drives me nuts by BenFranske · · Score: 4, Insightful

      A) I would guess Filezilla is used much more as an SFTP and FTPS client (is there a better one on Windows?) than as an FTP client.

      B & C could apply to SSH clients such as PuTTY as well, so we should stop using that?

      If we only implemented security enhancements when they were perfect solutions we wouldn't implement very much security. Usually there is a balancing act between usability, security, and cost. In this case there seems to be very little usability impact on encrypting the password store so why not do it?

      All that said I'm pretty particular about what software can hold passwords of mine so I've always typed them in to Filezilla on an as needed basis, seems as if that was a good idea.

    6. Re:This stuff drives me nuts by korgitser · · Score: 2, Funny

      Shrek: Ogres are like onions.
      Donkey: They stink?
      Shrek: Yes. No.
      Donkey: Oh, they make you cry.
      Shrek: No.
      Donkey: Oh, you leave em out in the sun, they get all brown, start sproutin’ little white hairs.
      Shrek: No. Layers. Onions have layers. Ogres have layers. Onions have layers. You get it? We both have layers.
      Donkey: Oh, you both have layers. Oh. You know, not everybody like onions.

      --
      FCKGW 09F9 42
    7. Re:This stuff drives me nuts by wolrahnaes · · Score: 4, Interesting

      When someone can read your passwords off your disk, the point of encryption is already moot.

      No, encrypting the password database with a master password that's not saved means it can no longer be read directly, significantly raising the bar for capturing passwords.

      A) FTP is typically plain text anyway so you could just wireshark it

      Depending on user privileges this may not be possible, and would only gather one at a time.

      B) you can replace the binaries and have them emailed any time they are entered

      Depending on user privileges this may not be possible.

      C) you can install a keylogger

      See B

      This "user" could've just as easily encrypted his entire hard drive or user directory. Still wouldn't have helped though.

      No shit that wouldn't have helped, as long as the drive's mounted the file is plaintext as far as the malware is concerned.

      I would seriously reconsider taking a "secure" anything from anyone that can't bother to think their own security through.

      Clearly you're not capable of thinking through security yourself.

      Let's say I'm shithoused and inadvertently run some kind of malware that wants to steal my FTP passwords. I realize what I've done almost immediately after and shut down to restore from backups. If they're stored unencrypted, that malware could have already sent my full stored password list to wherever. If they're encrypted with a master password, the malware gets absolutely nothing. Even if I don't catch it immediately the malware still can't get it no matter what until I actually go to use those passwords.

      If you can't see how huge of a difference that is I don't know what to say.

      --
      I used to get high on life, but I developed a tolerance. Now I need something stronger.
    8. Re:This stuff drives me nuts by hey! · · Score: 1

      Well, SFTP and FTP can be run over a secure channel like a VPN or SSH tunnel -- in fact SFTP was designed to run that way as it provides no authentication capabilities of its own. In which case wireshark does you no good because you're looking at packets full of gibberish.

      Second it is possible to get access to a machine without having access to the network segment it is on, in which case wireshark doesn't do you any good.

      Third, it is possible to get access to a disk without necessarily having the ability to install a keylogger. For example the disk could be recycled; or your malware may have the ability to send files but not the privileges needed to install a keylogger.

      This is really a broken way to think about security. Yes, security is only as reliable as its weakest link, but the existence of a single weak link doesn't mean it's OK to have holes all over the place. If that were the case, then whenever there's more than one vulnerability it's nobody's job to fix his bit until everyone else fixes theirs.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    9. Re:This stuff drives me nuts by darkain · · Score: 1

      B) The binary would be protected from write access by UAC.

    10. Re:This stuff drives me nuts by BenFranske · · Score: 1

      It would have to be more than just key based, the private key also has to be encrypted forcing the user to enter a passphrase before the key can be used. Otherwise someone with access to the system could just steal the private key file... Essentially Filezilla asking users to store passwords and then not encrypting them is the same as a program requiring an unencrypted SSH private key.

    11. Re:This stuff drives me nuts by DMJC · · Score: 1

      Hell, I'm using Filezilla on Unix as an SFTP client. Time to upgrade to FileZilla Secure.

    12. Re:This stuff drives me nuts by Provocateur · · Score: 1

      They're not arrogant asshats. Simply put, these guys are the SNL tech rejects. They go around, snickering, somebody doesn't know the Master Password, before breaking out into song, until our chief protagonist, the Trinity wannabe/lookalike hacks into the file and sees the password in plain text.

      The project's been forked; Good news, everyone!

      --
      WARNING: Smartphones have side effects--most of them undocumented.
    13. Re:This stuff drives me nuts by guruevi · · Score: 1

      If you discover malware you should expect your passwords to be compromised, encrypted or not. Sure, a master password may help at first glance, but it's trivial to crack anything less than 16 characters long and it also depends heavily on the encryption used and RNG. Most likely you reused a master password elsewhere, or it's still somewhere in memory if the malware has been on your computer longer than you expected.

      If you are the "victim" of malware, then you should change all your passwords and revoke all your keys, including those your master passwords unlock. Master password applications are primarily a tool to unlock otherwise random and complicated passwords so you don't have to remember 20+ of them. In my experience they are NEVER intended to be a layer of machine security.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    14. Re:This stuff drives me nuts by SeaFox · · Score: 1

      When devs act like asshats and refuse to consider that just because you can still get at encrypted passwords doesn't mean it's not helpful to make the bar a little higher than reading plain fucking text.

      The same ones that tell you "patches welcome" for bug fixes or feature requests a large number of people desire? That seems to be the MO with many open source projects.

    15. Re:This stuff drives me nuts by angel'o'sphere · · Score: 1

      And what has that to do with storing passwords in plain text?

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    16. Re:This stuff drives me nuts by angel'o'sphere · · Score: 1

      Sure a master password may help at first glance but it's trivial to crack anything less than 16 characters long and also depends heavily on the encryption used and RNG.

      No, it is not.

      That is a completely idiotic claim.

      To "crack" the encryption of something, you need a meaningful idea how it looks unencrypted.

      If this is my unencrypted list of passwords:

      why
      are
      you trying
      so hard

      you may stumble over them with brute force (using a dictionary), sooner or later, regardless of how long the master password is (if that is even used as a cipher).

      If this is the unencrypted content of my "password file":

      wdut38;ksdiibn1;0978&llopÃ-; idomjs \nhte;-e,6345h#+2agpw,bcsw

      you have no clue that you just found the correct en-/decryption key. Regardless of whether said key is only 1 char long, or 2, or 32.

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    17. Re:This stuff drives me nuts by dissy · · Score: 1

      Anonymous FTP uses no passwords. As in no password even exists, let alone is sent over the network.

      Please explain in detail how your magical fantasy network sniffer is going to read a non-existent password that isn't sent over a network.

    18. Re:This stuff drives me nuts by dbIII · · Score: 1

      Two things:
      1/ It's a really good idea to not have the password in plain text.
      2/ It's not difficult to implement.
      Yes you can go on about "perfect" but in this case it's like comparing a cereal packet code wheel solution to something intended to be used by adults.

    19. Re:This stuff drives me nuts by fintux · · Score: 1

      Well, SFTP and FTP can be run over a secure channel like a VPN or SSH tunnel -- in fact SFTP was designed to run that way as it provides no authentication capabilities of its own

      Do you perhaps mean FTPS, not SFTP? FTPS is basically FTP over a secure channel (as HTTPS is to HTTP), while SFTP is a completely separate protocol (SSH File Transfer Protocol - an extension to the Secure Shell protocol). You can also tunnel FTP over SSH, but it is yet a different type of connection.

    20. Re:This stuff drives me nuts by Bengie · · Score: 1

      but it's trivial to crack anything less than 16 characters long

      A random 15 char password would take 8.6 billion years on average assuming 1 trillion combos per second. I'm not sure "trivial" is the correct word.

    21. Re:This stuff drives me nuts by guruevi · · Score: 1

      Think again: http://www.dailymail.co.uk/sci...
      People have predictable passwords, your character set is typically limited to ~64 characters out of 256.

      To know whether a password is cracked, you can check various methods: does it include untypable characters, is the data returned structured (you could expect e.g. a signature matching known database formats), does it have a high degree of randomness, and after that, does the password work.

      In your example you have a high degree of semicolons, so your structure is password semicolon. Even if I knew nothing about how your program stores passwords (which is trivial to find out even in closed source software), there is a non random pattern.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    22. Re:This stuff drives me nuts by guruevi · · Score: 1

      I unlocked a BitLocker drive with 8 character password in less than an hour using an open source BitLocker tool. The password was a morphed dictionary word. Ever heard of Markov chains? Dedicated clusters can run through 90% of all passwords 8-16 characters in a matter of hours/days.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    23. Re:This stuff drives me nuts by pnutjam · · Score: 1

      I prefer winSCP to filezilla, although, to be fair, it's only a UI preference.

      I also avoid storing passwords in applications.

      Lately I've been using MobaXterm. It wraps up the SSH and SFTP/SCP client in one place. It also allows you to run Unix commands from Windows, for example scp and rsync.
      It's not Open Source, but there is a free version. It also gives you a forwarded X session, ssh tabs, and runs from a single executable (portable).

    24. Re:This stuff drives me nuts by Bengie · · Score: 1

      Dedicated clusters can run through 90% of all passwords 8-16 characters in a matter of hours/days.

      A 16 char password has nearly 10^32 combinations. If you had 100,000 computers, each with 100 cores at 10 GHz, it would take 10^12 seconds to go through all of the combinations, assuming it only took 1 clock cycle per comparison. That's still almost 32,000 years. Please, let me know about this magical datacenter of yours.

      Your tool obviously makes many assumptions, like the password is composed of words or common patterns.

    25. Re:This stuff drives me nuts by angel'o'sphere · · Score: 1

      Actually the semicolons are close to random ;D

      Point is, if you have no edge, you can not do much.

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
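
Below is an added example (not FileZilla's or FileZilla Secure's code) of the store encryption debated in this thread: what a file-stealing attacker sees in a plaintext store versus one encrypted under a master password that is never written to disk, and how a wrong master password is detected. The JSON layout, the PBKDF2-SHA256 iteration count and the stdlib-only HMAC-SHA256 counter-mode keystream with an HMAC tag are assumptions chosen so the block runs without third-party packages; a real client would use a vetted AEAD such as AES-GCM.

```python
import hashlib
import hmac
import json
import os

# Constructed sample of a saved-sites store (a stand-in layout, not FileZilla's real file format).
PLAINTEXT_STORE = {
    "sites": [
        {"host": "ftp.example.test", "user": "alice", "pass": "hunter2"},
        {"host": "sftp.example.test", "user": "deploy", "pass": "Tr0ub4dor&3"},
    ]
}

# PBKDF2-SHA256 iteration count (assumption; raise it as hardware permits).
# The point is that every master-password guess costs this much work.
KDF_ITERATIONS = 310_000
SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32


def serialize_store(store: dict) -> bytes:
    """Bytes that land on disk when the store is saved unencrypted."""
    return json.dumps(store, sort_keys=True).encode()


def derive_keys(master_password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the master password into separate encryption and MAC keys.
    Nothing derived here is stored; only the random salt is written with the file."""
    material = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), salt, KDF_ITERATIONS, dklen=64
    )
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stdlib-only stream cipher (stand-in for AES-GCM)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_store(store: dict, master_password: str) -> bytes:
    """Return salt || nonce || ciphertext || tag. The master password itself never touches the file."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = serialize_store(store)
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    # Encrypt-then-MAC over everything the decryptor will rely on.
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def decrypt_store(blob: bytes, master_password: str) -> dict:
    """Recover the store; a wrong master password or a modified file fails the tag check."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("store file truncated")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    # Constant-time compare, and verify before decrypting anything.
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or tampered store")
    return json.loads(_xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def passwords_visible_in(file_bytes: bytes, store: dict) -> list[str]:
    """What a file-exfiltrating attacker learns from the on-disk bytes alone:
    every stored password that appears in them verbatim."""
    return [s["pass"] for s in store["sites"] if s["pass"].encode() in file_bytes]


def unlocks(blob: bytes, master_password: str) -> bool:
    """True if the guess opens the store (the check a brute-forcer repeats, paying the KDF cost each time)."""
    try:
        decrypt_store(blob, master_password)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    plain_file = serialize_store(PLAINTEXT_STORE)
    locked_file = encrypt_store(PLAINTEXT_STORE, "correct horse battery staple")
    print("plaintext store leaks:", passwords_visible_in(plain_file, PLAINTEXT_STORE))
    print("encrypted store leaks:", passwords_visible_in(locked_file, PLAINTEXT_STORE))
    print("wrong guess unlocks:", unlocks(locked_file, "password123"))
```

Because the tag tells the decryptor whether a guessed master password is right, brute-force resistance rests on the KDF cost per guess and on the master password's entropy, not on the plaintext being unrecognisable.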
  2. Good deal by JustAnotherOldGuy · · Score: 5, Insightful

    Now as long as those lazy bastards at FileZilla don't sue him, maybe this will be a nice step forward.

    As for you fucking clowns at FileZilla storing passwords in plain text files, what the fuck? Did you just teleport in from 1992 or something??

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re:Good deal by Megane · · Score: 5, Funny

      They're just upholding the proud decades-long tradition of FTP putting everything in the clear.

      --
      #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
    2. Re:Good deal by Anonymous Coward · · Score: 1

      Actually, I support the GP.

      The imperative to secure passwords is really strong these days, considering all the hacks, internet crime, and even the activities of the Three Letter Agencies. In a pre-internet world, plain text storage would have been bad enough, but post-internet it is unacceptable. Thus the comment about 1992.

      So many /. readers come off like arrogant know-it-alls. "Well, if you have root/physical access/any malware at all/newb users/software I don't agree with/closed source/hamburger with cheese, then all is lost so there's no point in encrypting a password file!" Besides being jackasses, these people miss huge and important security points:

      1). Defense in depth. Learn it;
      2). People make mistakes;
      3). Software has bugs and thus security we thought was in place, sometimes isn't;
      4). Security exposures can be for a limited time, by a limited means of access, and for a limited segment of a system. Thus the whole "well you're compromised and so it's game over" mindset is a losing and defeatist mindset;
      5). The whole perimeter security model has lost almost all relevance. True professionals no longer rely upon it;
      6). My information says, and from sources I trust, that "all networks worth hacking have already been penetrated". And just in case the import of that statement is lost on you, all networks are considered by someone to be worth hacking. So the bad guys are on the doorstep and you had better have more than just one security measure to deal with them.

      Plain text password storage in 2016 is appalling. If you don't think so then I have to wonder where your head is at.

  3. OSS working as it should. by 0100010001010011 · · Score: 5, Insightful

    How many OSS projects would benefit from:

    User demands feature.
    Devs refuse feature.
    User forks and adds feature.

    1. Re: OSS working as it should. by tlambert · · Score: 2, Insightful

      The dev is a user; the users are devs.

      And "users who are not devs can go fuck themselves"?

      Because that's kind of what you are saying to non-dev users.

    2. Re:OSS working as it should. by wisnoskij · · Score: 1

      But does this actually solve anything? OK, it is forked, and there are probably other forks as well. But I cannot use more than one at once, and the main devs doing the core work are still on the original branch, with a bunch of flakes who probably moved on years ago owning the forks. At the end of the day, it is probably not worth using any of these forks if you care about getting any possible updates to the main program.

      --
      Troll is not a replacement for I disagree.
    3. Re:OSS working as it should. by thegarbz · · Score: 1

      It would help if this didn't take 10 years. If this is OSS working as it should, then it shows how inherently broken a system of relying on users to be able to change their own software is; most users are not software developers.

    4. Re: OSS working as it should. by Midnight+Thunder · · Score: 1

      The healthier compromise would be admitting they don't have the cycles and inviting a code contribution. Fork the project and do a pull request. If the devs don't accept a contribution that fixes an issue and is of good quality, then maybe it is time to accept that the original project is on life support and the fork deserves to be the future?

      --
      Jumpstart the tartan drive.
    5. Re: OSS working as it should. by Trogre · · Score: 1

      Not really. Users who cannot submit almost certainly cannot fork the project.

      --
      "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
    6. Re: OSS working as it should. by p91paul · · Score: 1

      Well, that is true for any software. If you need a feature and it doesn't exist, you can either implement it or ask for it and hope to find a developer who is kind enough to implement it for you. Developers as a species tend to get kinder when paid, though. People tend to forget that just because someone develops a product that is very useful as free software, there is no obligation for the developers to spend their free time satisfying user requests. We should be grateful when they do, but we have no right whatsoever to be mad at them if they don't.

    7. Re: OSS working as it should. by tlambert · · Score: 1

      Unless you bought off the guy arguing against the feature in the bug report, he was so obviously adamantly opposed to the idea that it would not happen.

      Some developers can be bought off, but that guy was adamant enough that he's certainly got editorial control enough to rip the changes back out.

    8. Re: OSS working as it should. by AmiMoJo · · Score: 1

      FileZilla is free. Users can't really make demands of the developers.

      The users could always pay someone to add the feature. Crowd fund it.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  4. need a password for my master password by Anonymous Coward · · Score: 1

    If your system is already compromised by malware, won't it just capture your master password when you start Filezilla? This effort just seems to be adding a pointless layer for a software program that has nowhere near the attack surface of a web browser.

    1. Re:need a password for my master password by davecb · · Score: 1

      It's a defense in depth. If the attacker is a professional security service and has a key logger on your system, they can get anything, at the expense of having to grovel through everything you type for a day (;-))

      If they're a script kiddy and can only read files, though, you can stop them by having some selected files encrypted, or their contents encrypted. For example, /etc/shadow.

      --
      davecb@spamcop.net
    2. Re:need a password for my master password by Kobun · · Score: 1

      It's one step better than that - this page distributes malware-loaded Filezilla installers - https://filezilla-project.org/...

      So it's not at all unreasonable to think that Filezilla is 100% to blame here, for both the unencrypted password file and for the malware infection.

  5. Re:No FTP access needed by freeze128 · · Score: 1

    Filezilla is a popular FTP client, but it's NOT an FTP server.

  6. The OS should do this by Anonymous Coward · · Score: 1

    It should just use whatever password manager is installed on the OS, like the gnome keyring or kde wallet manager.

    1. Re:The OS should do this by cdrudge · · Score: 1

      The OS should do this... like the gnome keyring or kde wallet manager

      Interesting how you say that the OS should do this, then suggest two applications that aren't part of the OS.

  7. Re:No FTP access needed by ebonum · · Score: 1
  8. Re:Not "Secure" by Dwedit · · Score: 5, Informative

    Filezilla is a client for FTP, SFTP (SSH File Transfer Protocol), and FTP over TLS. Only one of those three uses cleartext passwords over the network.

  9. Re:Malicious file? by Anonymous Coward · · Score: 1

    FileZilla uses NSIS for its installers (also open source), and they are (falsely) flagged by some AVs as malicious all the time, including Avast.

  10. IIS Server resume bug by cjellibebi · · Score: 5, Interesting

    Apparently, there's a bug in Microsoft's IIS server that causes corruption when attempting to resume large downloads. FileZilla does not take this into account, and as a result, the download is corrupted. Clearly, this is Microsoft's fault, but the situation is that there are many buggy IIS servers out there, and Filezilla, by not having a workaround for this (other FTP clients do have a workaround), ends up corrupting the download. After looking at this ticket, it shows that the developer clearly does not live in the real world.

    Personally, this issue hasn't affected me, but the exchange I linked to tells me a lot about the attitude of the developer. I only even discovered this issue when reading about FileZilla.

    So is this fork going to address this issue?

    1. Re:IIS Server resume bug by hcs_$reboot · · Score: 1

      the developer clearly does not live in the real world

      Maybe... he didn't reply for 18 months.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    2. Re:IIS Server resume bug by Anonymous Coward · · Score: 1

      Wow. I love how the developer of the client software is telling his users to upgrade the servers they're connecting to!

      That takes some real chutzpah.

      dom

    3. Re: IIS Server resume bug by lucm · · Score: 3, Insightful

      Thanks for posting that link, that ticket is pure gold. 7 years of arrogance make for a fascinating 5 minute read.

      The amount of time that developer spent arguing and reclosing that ticket could have been spent solving the problem, but instead he was proud of "making a stand" against a mainstream server product (IIS) that doesn't follow the standard. All he did was alienate users, including potentially me - I don't use Filezilla but moving forward if the need arises I'll choose anything else, I don't want code written by that aspie on my machine.

      It's always a red flag when someone starts using metaphors in a tech discussion, like this guy and his "bridge". Inevitably it leads to a metaphor contest ("no, the river is the protocol", "then the pillars are the implementation", "no, IIS is the truck crossing the river" etc etc). I have a policy of leaving meetings when the discussion gets to metaphors.

      People like that guy are not representative of open source developers, they're representative of *bad* open source developers.

      --
      lucm, indeed.
    4. Re:IIS Server resume bug by fnj · · Score: 1

      IIS server

      PIN number
      ATM machine
      nothing says "stupid" like redundant labeling

    5. Re: IIS Server resume bug by Kjella · · Score: 1

      On the other hand, I assume he's not getting paid for it. Doesn't matter what open source application it is, if it wasn't my itch to scratch I doubt I'd bother to fix someone else's botched implementation of file formats, protocols and such. Particularly not a large, closed source corporation like Microsoft. Could you imagine Firefox trying to mimic IE6's rendering? I'd probably not bother with the long analogies though just mark it as WONTFIX, if someone offers

      a) a clean and working compatibility patch
      or
      b) a paid consulting gig

      I'd consider it, if not go complain to Microsoft. I know shit like this happens a lot in the real world, I work around a lot of broken and buggy shit but then I also collect a paycheck for it. It's not the kind of work you do for fun, it's just a pain in the butt because you're forced to deal with a poor product.

      --
      Live today, because you never know what tomorrow brings
    6. Re: IIS Server resume bug by thegarbz · · Score: 2

      Doesn't matter what open source application it is, if it wasn't my itch to scratch I doubt I'd bother to fix someone else's botched implementation of file formats, protocols and such.

      So what you're saying is you're happy releasing and standing behind some software that is incompatible and useless for a large portion of popular servers on the internet? If this was some edge case I'd agree with you, as a developer, especially someone working for free/fun you can't fix everything. But if you can't talk to IIS then frankly your website should feature a warning about how poorly your program works.

      It's not like people were asking for a perfect fix. Half of that thread was simply asking for some basic sanity checking on the received content and a warning if the result is expected to be corrupted, rather than waiting a long time only to be disappointed.

      Could you imagine Firefox trying to mimic IE6's rendering?

      You're talking about connecting to a server (bug is out of control of administrators and affects people all over the internet) to some received HTML (a very individual problem).

      Anyway I can imagine it. There was a plugin provided that loaded IE6 in Firefox tabs which I used for many years. This isn't an example of WONTFIX it's an example of a simple workaround that didn't take a crap on user expectations.

      It's not the kind of work you do for fun, it's just a pain in the butt because you're forced to deal with a poor product.

      I'm not sure now if you're talking about Filezilla's developers or Filezilla's users.

    7. Re:IIS Server resume bug by wonkey_monkey · · Score: 1

      The S in IIS stands for services, not server.

      --
      systemd is Roko's Basilisk.
    8. Re:IIS Server resume bug by angel'o'sphere · · Score: 1

      nothing says "stupid" like redundant labeling
      You are mistaken.
      Nothing says "stupid" like being pedantic about such simple matters.
      Everyone, including scientists/biologists says HIV virus.
      Same for any other matter. It is "strictly speaking" wrong, but everyone uses language that way. Get over it and be done with it; you look extremely stupid to me, as you obviously don't know that. On the other hand you simply could be an autist, then it is forgivable.

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    9. Re:IIS Server resume bug by Trogre · · Score: 1

      Nothing says "useless pedantry" like mistakenly expanding acronyms inline.

      "Send me a GIF." "You want me to send you a format?"
      "Okay, how about a JPEG." "But I don't know the whole group personally."

      --
      "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
    10. Re: IIS Server resume bug by dbIII · · Score: 1

      So what you're saying is you're happy releasing and standing behind some software that is incompatible and useless for a large portion of popular servers on the internet?

      If it's a tiny one person project, why not?
      The thing may be popular but things like storing the password in plain text for any malware to read shows that it's a one person hobby project with far less than professional effort.

    11. Re: IIS Server resume bug by thegarbz · · Score: 1

      If it's a tiny one person project, why not?

      Well, if that's the case then just say so. Instead you see an endless stream of the developer putting more effort into arrogantly arguing philosophy than required to fix the actual problems. Look through the bug tracker. This is not someone who's tight on time, but someone who just seems to be a user-hating arsehole who can't stand the fact that people have a different view than his, even when that different view is taken up by most of his competitors.

      As always, when you look at these individual stories it's worth checking to see if this is an isolated case of user whinging or if there's a history of developer arrogance that got to this point.

    12. Re: IIS Server resume bug by wildstoo · · Score: 1

      Indeed. Comment 31 aka Codesquid's Bridge is truly awesome:

      No, the engineer really did exist in another world. Not only was he incapable of understanding that a bridge costs more than a car or a truck, he didn't even understand that many people do not own the bridges they drive over. He even thought that customers would prefer his truck because it couldn't drive over this particular bridge.

    13. Re: IIS Server resume bug by lucm · · Score: 1

      That would make an amazing t-shirt.

      I DROVE CODESQUID TRUCK ON A 7.5% BRIDGE AND I SURVIVED

      --
      lucm, indeed.
  11. Filezilla dev... by Anonymous Coward · · Score: 1

    After reading that thread on the Filezilla forum I feel slightly sick in my stomach.

    That dev is one dense motherfucker, his only reply is "Yes but how did you get infected in the first place", as if that mattered in any way.
    Don't store PLAIN TEXT passwords in your software, dummy!

    Seriously reaching black hole level density here buddy, shame on you...

    1. Re:Filezilla dev... by goarilla · · Score: 2

      That dev is one dense motherfucker, his only reply is "Yes but how did you get infected in the first place", as if that mattered in any way.

      It does ... would you trust crypto code commits from someone who got hacked from clicking a simple phishing email ?

    2. Re:Filezilla dev... by Vlad_the_Inhaler · · Score: 1

      Is that how he was hacked? I looked at several of the links but did not see that.
      codesquid seems to have a very well developed sense of what-he-is-prepared-to-do and what not, or "who cares what the users want because they are clueless?".

      I know someone who uses Filezilla but he is on a network which has no direct connection to the outside world. Probably the safest way.

      --
      Mielipiteet omiani - Opinions personal, facts suspect.

    3. Re:Filezilla dev... by NotAPK · · Score: 1

      I would.

      Doubly so considering that the tech for this patch already exists, and I must point out, *already exists* within other Mozilla packages! You know that thing in Thunderbird where the email client can save all of your email passwords and encrypt them using a single password? Well, doesn't it seem similar to that other thing in Firefox where the browser can save all your passwords and encrypt them using a single password? Right. So all the Filezilla devs had to do was take the same code and apply it to Filezilla so it can do the same thing. Yet they haven't.

      I'm perfectly confident that nearly any half-competent dev could have done this, which is why I would trust this patch. However...

      There have been numerous problems with Filezilla over the years and I truly don't know why it's become such a train wreck of a program.

      WinSCP is a much better alternative.
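
The master-password scheme NotAPK describes above (one password unlocks an encrypted credential store, the way Thunderbird and Firefox do it) as an added Python example. This is not FileZilla's, FileZilla Secure's or Mozilla's code; it assumes a constructed site list and uses a stdlib-only construction: scrypt stretches the master password into separate encryption and MAC keys, HMAC-SHA256 in counter mode supplies the keystream, and an HMAC tag is checked in constant time before anything is decrypted. All function names are hypothetical. A shipping client would swap the HMAC keystream for a vetted AEAD such as AES-GCM or ChaCha20-Poly1305 from a crypto library; the key-derivation, tag-before-decrypt and fresh-salt-per-write points carry over unchanged.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import secrets

# Constructed sample "site manager" entries; not real hosts or credentials.
SAMPLE_SITES = [
    {"host": "sftp.example.test", "user": "deploy", "password": "correct horse battery staple"},
    {"host": "ftp.example.test", "user": "webmaster", "password": "hunter2"},
]

# scrypt work factors: about 16 MiB of memory per derivation, enough to slow offline guessing noticeably.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_LEN, NONCE_LEN, TAG_LEN = 16, 16, 32


def plaintext_store(sites: list[dict]) -> bytes:
    """The status quo: the site list serialized as-is, every password readable by any process that opens the file."""
    return json.dumps(sites).encode("utf-8")


def _derive_keys(master_password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the master password with scrypt into separate encryption and MAC keys."""
    km = hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=64)
    return km[:32], km[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a keystream: a stdlib-only stand-in for a real stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_store(master_password: str, sites: list[dict]) -> bytes:
    """Encrypt-then-MAC the serialized site list under keys derived from the master password.

    On-disk layout: salt || nonce || ciphertext || tag. Salt and nonce are fresh per write,
    so re-saving the same sites with the same master password yields a different file.
    """
    salt = secrets.token_bytes(SALT_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = _derive_keys(master_password, salt)
    plaintext = plaintext_store(sites)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def decrypt_store(master_password: str, blob: bytes) -> list[dict] | None:
    """Check the tag in constant time before touching the ciphertext; None means wrong password or tampered file."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        return None
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = _derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode("utf-8"))


def plaintext_leaks(blob: bytes, sites: list[dict]) -> bool:
    """What file-scraping malware gets: True if any stored password appears verbatim in the blob."""
    return any(site["password"].encode("utf-8") in blob for site in sites)


if __name__ == "__main__":
    master = "my master password"  # constructed for the demo
    encrypted = encrypt_store(master, SAMPLE_SITES)
    print("plain file leaks passwords:    ", plaintext_leaks(plaintext_store(SAMPLE_SITES), SAMPLE_SITES))
    print("encrypted file leaks passwords:", plaintext_leaks(encrypted, SAMPLE_SITES))
    print("wrong master password ->", decrypt_store("guess", encrypted))
    print("right master password ->", decrypt_store(master, encrypted))
```

The point the thread keeps circling back to is visible in `plaintext_leaks`: malware that copies the plain site file gets every password, while the same malware copying the encrypted file gets nothing usable without the master password, and any edit to the file is refused before decryption. The scheme does not protect a session in which the master password has already been entered, which is the residual risk the FileZilla maintainer's "your machine is already compromised" argument points at; the master password raises the bar for the file-scraping case, which is the one described in the story.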

    4. Re: Filezilla dev... by Anonymous Coward · · Score: 1

      It wasn't a phishing email. It was a browser exploit that took the ftp login details from the unencrypted filezilla password and then uploaded itself to every page of every site of every server on the password list.

      This isn't the first time some malware targeted the filezilla password file. There's a reason Chrome, Firefox, Bitcoin, and others encrypt their master password file.

    5. Re:Filezilla dev... by hey! · · Score: 3, Insightful

      Everybody can get hacked eventually. A moment of distraction, a zero day exploit, a trusted partner or source getting undermined...

      If you think you are too smart to get hacked, you are a fool.

      Security is the one place where your very best effort ought to be the norm.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.

    6. Re:Filezilla dev... by goarilla · · Score: 1

      Is that how he was hacked? I looked at several of the links but did not see that.

      No, I don't know how he was hacked. I was just painting a possible scenario.

    7. Re:Filezilla dev... by pnutjam · · Score: 1

      I agree, WinSCP beats the pants off FileZilla.

  12. Switch to WinSCP by Anonymous Coward · · Score: 1

    Switch to WinSCP because it's better than FileZilla in every way.

    1. Re:Switch to WinSCP by NotAPK · · Score: 1

      Done and done. It's a really good program.

  13. FLOSS is better than proprietary software. by jbn-o · · Score: 1

    That's not a fair interpretation of what the grandparent poster wrote. Should we interpret your response to be anti-business because you didn't mention that non-developing users can hire developers? Of course not, that wouldn't be fair because you didn't say any such thing.

    Users who aren't developers still have viable options. They can learn development (as the other developing users did) or they can hire developers. These options make FLOSS better than proprietary software. When proprietary software isn't good enough, nobody is allowed to improve it, distribute their improved versions (even commercially), and help others.

    It's also great that FileZilla is GPL'd so the copyright holders can compel those who distribute to distribute their improved source code too. Software freedom is great to have and copyleft is a good mechanism for helping others get to share in the freedom.

    1. Re:FLOSS is better than proprietary software. by tlambert · · Score: 1

      That's not a fair interpretation of what the grandparent poster wrote. Should we interpret your response to be anti-business because you didn't mention that non-developing users can hire developers? Of course not, that wouldn't be fair because you didn't say any such thing.

      It's perfectly fair.

      Hiring a developer, unless they are in sole editorial control of the section of code you are interested in having modified, doesn't guarantee editorial control over the project direction.

      With that, the project is free to reject the patches of the hired gun, and you are left with a fork of the project, and no one to maintain it going forward.

      Worse, even if you were "made of money", and could afford a hired gun to port forward the changes for each new release of Mozilla, without the patches in the tree, there's every possibility that a structural or architectural change may preclude an easy port forward of the code: the developers in the main Mozilla project have no vested interest in not modifying internal APIs willy-nilly.

      In fact: they've modified internal APIs willy-nilly in the past, so their track record in this regard isn't so great.

      So no: it's generally not a good idea to hire a developer to make the changes you want, if they're not going to be accepted back into the project.

      From the bug report, and the caustic relationship present, and the main developer's insistence that it's not a problem unless your machine is compromised anyway (totally ignoring all "security in depth" arguments) -- it's pretty damn sure that a fork was the only option.

      Or are you saying these patches will likely make it back into the main line Mozilla?

  14. Re:Idiot user - it's fully encrypted! by LynnwoodRooster · · Score: 1

    Are you positive about that?

    --
    Browsing at +1 - no ACs, I ignore their posts. So refreshing!

  15. Re:Not "Secure" by darkain · · Score: 1

    It's just as secure as the web browser you're using right now (HTTP vs HTTPS)

  16. Love Filezilla... by matbury · · Score: 2

    ...but yes, not encrypting login credentials is a major concern for me too. Also, I prefer to use keys rather than passwords wherever possible but more often than not, Filezilla throws up a bunch of bugs that haven't been patched in a long time when I try to use them.

    So yes, the Filezilla devs really need to get their acts together on security.

    BTW, no Filezilla Secure available for Linux yet. Since Linux pretty well has encryption for all things web built in, it's tempting to give up on GUIs and simply do it all from the command line.

  17. Segmented FTP? by bastrogue · · Score: 1

    Great! I've been thinking about doing the same thing for some time now since the FileZilla devs seem dead set on ignoring Segmented FTP. People have been requesting it for years and the devs are like 'eh, I don't need it so why would anyone else?'

    https://whatbox.ca/wiki/Multi-threaded_and_Segmented_FTP

    https://forum.filezilla-project.org/viewtopic.php?t=24720

    https://trac.filezilla-project.org/ticket/2309

    https://trac.filezilla-project.org/ticket/2762

    https://trac.filezilla-project.org/ticket/5526

  18. Re:Malicious file? by Kobun · · Score: 1

    Depends what you are installing - FileZilla distributes official versions of their software that are loaded with malware. Tim (BotG) has sworn up and down that it isn't malware, and the rest of the world disagrees with him. SourceForge's takeover forced him to at least keep the malware-laden links off SourceForge, but they're still there as the default if you download from Filezilla.org

  19. Re:Obvious solution by Kobun · · Score: 1

    Seriously, give WinSCP a try. https://winscp.net/eng/downloa...

  20. It's in the name. by SCPaPaJoe · · Score: 1

    Just don't use software with "zilla" in the name. With a name like that, it can't be serious.

  21. Forks Filezilla to make a more secure option... by intangible · · Score: 1

    Serves forked-because-of-security-enhancements download over HTTP instead of HTTPS even though certs are free via LetsEncrypt. SMH.

  22. Re:Not "Secure" by angel'o'sphere · · Score: 1

    Probably you should learn to read.

    This: "Only one of those three uses cleartext passwords over the network." is not the topic.

    The topic is cleartext passwords saved in a text file on the client's computer.

    --
    Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.

  23. Re:Obvious solution by angel'o'sphere · · Score: 1

    Does not run on Linux, Mac OS X, BSD, AIX, Solaris ... and many other OSes.

    --
    Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.

  24. FileZilla vs MobaXterm vs PuTTY by tgibson · · Score: 1

    I've seen several comments shrugging shoulders over whether there is a better sftp client out there. As an instructor who teaches an introductory C++ on Linux course to students whose only previous experience has been in Windows, I have found that MobaXterm is much better than Filezilla or PuTTY.
    YMMV, etc., etc.

  25. Re:Not "Secure" by geekmux · · Score: 1

    Filezilla is a client for FTP, SFTP (SSH File Transfer Protocol), and FTP over TLS. Only one of those three uses cleartext passwords over the network.

    Thank you for the clarification, but the year is 2016. None of the protocols or programs used today should be using or storing cleartext passwords on any system or transmitted over any network.

    Enough of the bullshit excuses to continue to even support insecure protocols. No excuse is viable today.

  26. Re:Obvious solution by geekmux · · Score: 1

    Does not run on Linux, Mac OS X, BSD, AIX, Solaris ... and many other OSes.

    Pretty much all of the aforementioned OSes natively support SSH and SFTP from the command line, so what's the problem again?

    Oh yeah, that's right, I forgot. The command line has become the standard transmission of interfaces today. (sorry, couldn't help but toss a car analogy in...)

  27. If this was a problem for so long... by Larsen+E+Whipsnade · · Score: 1

    why didn't somebody fork it long before now?

  28. Re:Obvious solution by angel'o'sphere · · Score: 1

    Of course they do!
    What has that to do with WinSCP? Or Filezilla?
    Or more importantly, Filezilla saving passwords in clear text?
    As far as I can tell: nothing.

    BTW: ssh only works if you have a native account on the target system. Neither ftp nor sftp requires that. Probably you should stop mixing up tools and protocols. Might help you in discussions where this is relevant.

    SFTP requires a certificate infrastructure. In other words: it only works if the server you want to connect to via SFTP has a TLS certificate that can be verified somehow.

    So, your thrown-in comment, off topic as it is, does not make much sense.

    --
    Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.

  29. Re:Sigh by NotAPK · · Score: 1

    The very same feature is already in Thunderbird and Firefox: both are Mozilla packages.

  30. And they release a new version every week! by Otis_INF · · Score: 2

    FTP is such an old protocol, after a while you have implemented it properly, and nothing will really change. One would think FileZilla is then pretty stable and won't see new builds often. But they apparently find time to spend on new features almost weekly. Instead of spending the time on bugs in the core point of the tool, namely doing file transfer which actually transfers the file, they spend time on random features in the UI and tacked on crap not needed for transferring files.

    --
    Never underestimate the relief of true separation of Religion and State.

    1. Re:And they release a new version every week! by lucm · · Score: 1

      Yes I just checked and there's an exciting new feature released a week ago:

      Tuned appearance of progress bar in transfer queue

      I know, I know, it's all done by volunteers, but why would someone spend time changing progress bars on an FTP client when basic security features (like encrypting passwords) are missing and when a significant problem with a mainstream FTP server has been reported for 7 years. If one's goal is improving an FTP client, this makes no sense, and if one is thrilled to do some fancy GUI stuff why on earth would that person contribute to an FTP client instead of a window manager or similar thing.

      --
      lucm, indeed.

  31. Re:Not "Secure" by LoginOrSignup · · Score: 1

    Some of the later FileZilla releases have been clients for malware.

  32. Why is this news? This is a standard open source by rhyous · · Score: 1

    Why is this news? This is a standard open source practice, to fork and change/improve.

    Good work developer. Good use of Open Source.

  33. The hack was not *caused* by filezilla... by cant_get_a_good_nick · · Score: 1

    I had to read the article to see, the hack was not due to a bug in filezilla. But this bug/missing feature made the other hack much more devastating. Once the malware infiltrated, it was coded to look for filezilla passwords and took advantage of that.

  34. Re:Not "Secure" by sbrown7792 · · Score: 1

    Yeah but then everyone would start abbreviating it "MS Filezilla" and no one would use it, because it looks like Microsoft touched it.