Go Back   FlashFXP Forums > >

General Discussion Need help? Have a problem? Let us help you. Bug reports and feature requests should be made using the Bug Tracker or Feature Tracker

Closed Thread
 
Thread Tools Rate Thread Display Modes
Old 04-01-2007, 08:53 AM   #1
loopex
Member
FlashFXP Beta Tester
 
Join Date: Feb 2007
Location: Europe
Posts: 30
Default encrypted sites.dat - password & cached memory

sites / security / set password

When sites.dat being encrypted, does the original non encrypted sites.dat being wiped from
the harddrive several times? if not? then it is still possible to recover the site.dat readable... and thats not good...

when open flashfxp and the encrypted sites.dat being decrypted, will it be cached in memory unencrypted? till the program exits? Does the memory gets wiped on exit?

does the password we enter when we fire up flashfxp being stored in memory?
if so? will it being wiped on exit or power down?


Thanks
loopex is offline  
Old 04-01-2007, 02:29 PM   #2
MxxCon
Super Duper
FlashFXP Beta Tester
 
Join Date: Oct 2001
Location: Brooklyn, NY
Posts: 3,881
Default

Quote:
Does the memory gets wiped on exit?
you should ask manufacturer of your OS if/how memory is being freed when application is closed.
Quote:
will it being wiped on exit or power down?
i'd like to know what kind of computer memory you use that doesn't lose it's content on powerdown

if you are so paranoid about your passwords, don't store anything in flashfxp and use http://keepass.info/
__________________
[Sig removed by Administrator: Signature can not exceed 20GB]
MxxCon is offline  
Old 04-01-2007, 05:01 PM   #3
loopex
Member
FlashFXP Beta Tester
 
Join Date: Feb 2007
Location: Europe
Posts: 30
Default

yes, you know what you are talking about, thats good.. you must be a security expert?
you told me in another thread that there are no backdoor, right?

for ex. if the original non encrypted sites.dat doesnt get wiped with pseudorandom data
several times after the pwd are set, then i have found a security hole, to reveal the
sites & password within a short time... allright, not a backdoor.. but very close..

do you really know how windows dump memory continuously? if you did then you would understand..
here i ask a couple of question, bcoz i cant find the answer in help.chm or search..

if there is way to make flashfxp more secure, why not do it?
if there is any? why leave security hole's open?

if me or someone else can help Author to find a couple of more security feature for bigstar
to implement, then i cant se anything wrong with it? do you?

thing is; its not about me, their are so many user of flashfxp out there and im sure they would
like a bulletproof encryption/decrytion with no security holes in it.

Author did implement this symmetric block cipher for a reason?
and it was Not bcoz flashfxp user should be switching over to 'keeypass.info' instead of FFXP for secure sites/pwd storage


Thanks

Last edited by loopex; 04-01-2007 at 05:35 PM.
loopex is offline  
Old 04-01-2007, 07:34 PM   #4
MxxCon
Super Duper
FlashFXP Beta Tester
 
Join Date: Oct 2001
Location: Brooklyn, NY
Posts: 3,881
Default

Quote:
Originally Posted by loopex View Post
for ex. if the original non encrypted sites.dat doesnt get wiped with pseudorandom data several times after the pwd are set, then i have found a security hole, to reveal the sites & password within a short time... allright, not a backdoor.. but very close..
it's not a backdoor. it's not very close. it's not even in the same state or country or planet.
i don't think you understand what a "backdoor" is.
if you are so security conclusion, you: 1)shouldn't have entered any data into unencrypted sites.dat in the 1st place. 2)shouldn't be using unencrypted file system.
Quote:
do you really know how windows dump memory continuously? if you did then you would understand..
what you said doesn't make any sense.
Quote:
here i ask a couple of question, bcoz i cant find the answer in help.chm or search..
these things are not in the help file because it's something 99.95% of users interested in. if you think otherwise, feel free to write the content and contact IniCom to workout how it'll be added.
Quote:
if there is way to make flashfxp more secure, why not do it?
sure, however there are realistic and unrealistic requests.
Quote:
why leave security hole's open?
if you find any security holes, feel free to let bigstar know.
Quote:
if me or someone else can help Author to find a couple of more security feature for bigstar to implement, then i cant se anything wrong with it? do you?
i'd rather see him work on useful flashfxp features instead of spending time learning, coding and troubleshooting how to securely delete/rewrite files. i wouldn't want to loose all of my data because of some bug in his implementation. if i need to do that, i'll use software designed and tested to do that.
Quote:
thing is; its not about me, their are so many user of flashfxp out there and im sure they would like a bulletproof encryption/decrytion with no security holes in it.
they sure do expect a secure software. if you find any vulnerabilities, feel free to let bigstar know.
Quote:
Author did implement this symmetric block cipher for a reason? and it was Not bcoz flashfxp user should be switching over to 'keeypass.info' instead of FFXP for secure sites/pwd storage
he implemented it because it was secure. however there are people for which it might not be secure enough, or don't trust flashfxp. for those people i suggest looking to solutions created specifically with the highest grade of security for storing sensitive information.

but ultimately it's up to bigstar and inicom to deside what goes into flashfxp so final word is up to them.
__________________
[Sig removed by Administrator: Signature can not exceed 20GB]
MxxCon is offline  
Old 04-02-2007, 01:01 AM   #5
loopex
Member
FlashFXP Beta Tester
 
Join Date: Feb 2007
Location: Europe
Posts: 30
Default

Quote:
Originally Posted by MxxCon View Post
i wouldn't want to loose all of my data because of some bug in his implementation.
a genuine alpha/beta tester should help the coder to find any bug and report it so it can be fixed...
before a public release is made, not to be afraid for loose all data bcoz of a bug in his implementation??
The answer is full "backup" before you test any new beta releases... or you should go for the Gold version.

Thanks

Last edited by loopex; 04-02-2007 at 05:08 AM.
loopex is offline  
Old 04-02-2007, 05:58 AM   #6
MxxCon
Super Duper
FlashFXP Beta Tester
 
Join Date: Oct 2001
Location: Brooklyn, NY
Posts: 3,881
Default

get to the point of using flashfxp for as long as i have and tested as many internal pre-alpha builds as i have then you'll have any authority of telling me what a genuine tester is and how to properly test flashfxp.
__________________
[Sig removed by Administrator: Signature can not exceed 20GB]

Last edited by MxxCon; 04-02-2007 at 08:51 AM.
MxxCon is offline  
Old 04-02-2007, 09:02 AM   #7
DayCuts
Senior Member
FlashFXP Beta Tester
 
Join Date: Dec 2003
Posts: 421
Default

Quote:
Originally Posted by loopex View Post
The answer is full "backup" before you test any new beta releases
So, do you backup your entire system before each and every program you install?

If it is that much of a concern to you that the unencrypted (if it is so) sites.dat that is kept in memory when flashfxp is started could be sniffed or detected by a virus/trojan/whatever, and/or found on your drive because it was no wiped several times with psuedorandom data before, then my suggestion to you would be to remember the information and enter it manually.

Im all for security improvements if they are reasonable to implement, but your claim that non-psuedorandom data removal etc are security holes is rediculas. How many other programs out there do you know that have such features.
DayCuts is offline  
Old 04-02-2007, 12:34 PM   #8
loopex
Member
FlashFXP Beta Tester
 
Join Date: Feb 2007
Location: Europe
Posts: 30
Default

no, not for every program i install.
Raid-1 and entire system backup over the network with 'disk imaging software' every second week...

but the line you quote in your post was meant for MxxCon, if you scroll up a little bit then you can read
what MxxCon just Said "how to securely delete/rewrite files" and that he wouldn't want to loose
data bcoz of some bug in his implementation. if MxxCon is so afraid to loose data? then he should
do full system backup before testing new alpha/beta release.

Thanks
loopex is offline  
Old 04-02-2007, 01:40 PM   #9
MxxCon
Super Duper
FlashFXP Beta Tester
 
Join Date: Oct 2001
Location: Brooklyn, NY
Posts: 3,881
Default

Quote:
Originally Posted by loopex View Post
if MxxCon is so afraid to loose data? then he should do full system backup before testing new alpha/beta release.
i would probably have to if bigstar will decide to implement his own 'secure-delete' implementation.
__________________
[Sig removed by Administrator: Signature can not exceed 20GB]
MxxCon is offline  
Closed Thread

Tags
encrypted, flashfxp, memory, password, sites.dat

Thread Tools
Display Modes Rate This Thread
Rate This Thread:

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT -5. The time now is 08:25 PM.

Parts of this site powered by vBulletin Mods & Addons from DragonByte Technologies Ltd. (Details)