Damn, why can't Postbox answer to the list instead of the poster's email?
Camaleón wrote:

> Yes, they can as well as they can also encrypt the current user
> settings from the XML file but they don't want to. Period and full
> stop.

True. Sad, but true.

>> What I'm trying to say is that our machines are pretty much very
>> complex and it is very easy to overlook things.

> It has been always so, Filezilla is not inventing anything anew.

Yep, but they could respect this and give the user a little bit of extra security.

(...)

>> No, but the really important data is encrypted in a way so even if
>> my machine is running all the time the container isn't accessible
>> all the time.

> Well done but I'm afraid you fit the 1% of the users that do so. I,
> by

True. Another reason for FZ to help those 99%. (Hey, cool, I'm the 1%, where is my money? ;))

> the way, store thousands of plain text based e-mail messages (mbox)
> containing passwords for many Internet services. If I were paranoid

And so do I, at least on my phone, which I can't encrypt.

> enough, I'd only use hard disk encryption but this is still not in my
> to-do list.

I use HDD encryption for everything that I could lose or that might get stolen, like our RDX backup drives I have in my bag at any time. Also all notebooks, some USB sticks and USB drives.

>>> I do check the files I download from the web, regardless of whether they
>>> are going to be opened from Windows or Linux, e-mails are also
>>> scanned by means of ClamAV and USB keys are not automatically
>>> mounted, thus they can also be easily analyzed first.

>> That's the scenario I tried to point out above.

> And despite all the precautions I take, I have no problems with
> having a password stored in clear text ;-)

Just because you are NOT paranoid, that doesn't mean that they are not after you. ;)

>>> Curiously enough it is not only Filezilla who takes the path of
>>> not encrypting the user credentials, so there has to be a reason
>>> behind that for it to happen so often...

>> Laziness? Why did last.fm store the passwords of their users as
>> MD5 hashes without salting them?

> No, developers are not lazy but practical: they simply don't want to
> use weak methods to handle this.

What's weaker: password encryption, file access rights, or both of them together? For little effort. But you're right, developers are usually not lazy, at least ours aren't. Sometimes they might not have had enough time to implement the next security layer, but I don't know if this applies to FZ as well.

>>> Anyway, aren't most of us still using plain pop3 and smtp
>>> connections with no message encryption at all? Who are we
>>> blaming? >;-)

>> Most of my messages are not encrypted because the receiving end
>> isn't capable of that. But my credentials will only be transmitted
>> when the connection is secure (even if the MTA is in the same
>> network).

> Again, you must pertain to the 1% of the users that do that ;-)
> Anyway, if the recipient does not use a secure protocol to download
> the data (pop3s/imaps), the security chain is broken and thus
> useless, you see now why devels are not lazy? Because you can't just
> take control of all ;-)

I don't care about the transport of the content. It's like sending postcards. But I care about my password. We're using LDAP and my mail password is also my system login. ;)

>> SSL is pretty much snake oil nowadays, but it's better than
>> nothing.

> That's the kind of reasoning software developers do: "if there's no
> 100% secure system, why should *I* bother"?

Why are they developing *BSD? Why should I bind some of my services to localhost if I have a firewall?

(...)

> Okay... I better return back to my cave, dust my typewriting machine
> and problem solved.

You got a cave? How comfortable. :)

> When you work in a corporate environment, disabling the external
> devices is a must. The biggest hole in a computer system is always
> the user. Always.

I think it depends on the company size and the company culture.

We are 23 people at the moment and everybody can bring in their own devices and connect them to our network and machines (WLAN is separated from the LAN, only Internet access; it's not encrypted, but you have to use a captive portal to log in). The deal is that if you, for example, have VPN access on your device, you have to inform me in case of loss, so I can disable the accounts for that device. Also your device should have a remote delete function, and password protection is mandatory. My users understand those rules and take care of them. But yes, I guess I'm lucky.

>> Anyway, I think we're going pretty much off topic. My point is that
>> it would be a nice feature for FZ (and other tools) to store
>> passwords more securely. And I don't like the attitude of the
>> developers saying that it's not their problem if someone could read
>> the file who isn't allowed to. At least as such a feature is rather
>> easy to implement and won't affect the user experience in a bad
>> way.

> Nah, developers are made of different stuff and they rarely listen to
> their users...

But they should. They can get a lot of valuable feedback. OK, our developers are mainly developing for the people at our company and have to work with them every day. That makes some kind of difference. I can imagine that as an open-source developer you get a lot of bullshit requests.

> and hey, it's open source! You can hire a programmer, make a fork
> ("FileZilla-S" for secure) and add all the enhancements you want ;-

Forking a program for a single little feature doesn't make a lot of sense to me. Either you will have to patch the upstream version every now and then, or you end up with a fork that doesn't get any new features; also it might confuse some users.

Bye.
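The question raised in the thread (file access rights versus encrypted credential storage) can be checked from the defender's side. The following is an added example, not code from this thread or from the FileZilla project: it scans a client settings file for plaintext password elements and reports whether the file mode lets group or other users read it. The XML layout and the element names `Server`, `Host`, `User` and `Pass` are constructed for the example and are not claimed to be FileZilla's real format.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample of a client settings file holding credentials in the clear.
# Layout and element names are assumptions for this example, not FileZilla's format.
SAMPLE_XML = """<?xml version="1.0"?>
<Settings>
  <Servers>
    <Server><Host>ftp.example.test</Host><User>alice</User><Pass>hunter2</Pass></Server>
    <Server><Host>sftp.example.test</Host><User>bob</User><Pass></Pass></Server>
  </Servers>
</Settings>
"""

def find_plaintext_passwords(xml_text):
    """Return (host, user) pairs whose <Pass> element holds a non-empty value."""
    root = ET.fromstring(xml_text)
    hits = []
    for server in root.iter("Server"):
        if server.findtext("Pass"):  # None or "" means nothing stored in the clear
            hits.append((server.findtext("Host"), server.findtext("User")))
    return hits

def readable_by_others(path):
    """True if the group or other read bit is set on the file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))

def audit_settings_file(path):
    """Which entries are stored in the clear, and whether the file mode exposes them."""
    with open(path, encoding="utf-8") as fh:
        entries = find_plaintext_passwords(fh.read())
    return {"plaintext_entries": entries, "readable_by_others": readable_by_others(path)}

def write_sample(mode):
    """Write the constructed sample to a temp file with the given mode; returns its path."""
    fd, path = tempfile.mkstemp(suffix=".xml")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_XML)
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    for mode in (0o644, 0o600):  # world-readable vs. owner-only
        p = write_sample(mode)
        print(oct(mode), audit_settings_file(p))
        os.unlink(p)
```

Even with the file locked down to 0600, the entries still listed under `plaintext_entries` are readable by anything running as that user, which is the gap the thread is about.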
Archive: http://lists.debian.org/4fedfc1e.9080...@concepts-and-training.de