• FTPbox (Beta) - Dropbox alternative that syncs with your host via FTP
[QUOTE=Van-man;31415322]Why not??[/QUOTE] It is portable... just zip your installation directory.
[QUOTE=John the Gr8;31405384]A portable version would consist of 4 files, 5 with the XML config file. Should I make them a zip and call it portable?[/QUOTE] I honestly can't see a problem with that. Just keep it in a flash drive or something. If you force the portable version to use a folder located in the same folder as the executable. So say you have the executable in /ftpbox you keep the files in /ftpbox/files. That way you could theoretically manage your shit anywhere.
Found a slight security flaw. Your FTP user/pass/host is stored in plain text in settings.xml
[QUOTE=wingless;31426742]I honestly can't see a problem with that. Just keep it in a flash drive or something. If you force the portable version to use a folder located in the same folder as the executable. So say you have the executable in /ftpbox you keep the files in /ftpbox/files. That way you could theoretically manage your shit anywhere.[/QUOTE] Good idea, I'll look it up... [QUOTE=FlamingSpaz;31427186]Found a slight security flaw. Your FTP user/pass/host is stored in plain text in settings.xml[/QUOTE] Yeah I know, how else could they be stored really? Previously they were stored in a FTPbox.exe.config file, I changed to .xml so that, when it updates, the file remains there and doesn't get overwritten...
[QUOTE=John the Gr8;31427956]Yeah I know, how else could they be stored really? Previously they were stored in a FTPbox.exe.config file, I changed to .xml so that, when it updates, the file remains there and doesn't get overwritten...[/QUOTE] [url=http://www.gutgames.com/post/AES-Encryption-in-C.aspx]AES Encryption.[/url]
just say it's minimized file like Notepad++
[QUOTE=wingless;31428291][url=http://www.gutgames.com/post/AES-Encryption-in-C.aspx]AES Encryption.[/url][/QUOTE] John and I were discussing this, but with the app being open source, anyone could look at the trunk, see the key to decrypt it and carry on with getting the login details. Unless we don't include the pass in the trunk.
[QUOTE=barttool;31440697]John and I were discussing this, but with the app being open source, anyone could look at the trunk, see the key to decrypt it and carry on with getting the login details. Unless we don't include the pass in the trunk.[/QUOTE] Make the key dynamic to each user?
[QUOTE=jetboy;31440895]Make the key dynamic to each user?[/QUOTE] Ask the user upon installation to smash the keyboard to generate a random key.
[QUOTE=barttool;31440697]John and I were discussing this, but with the app being open source, anyone could look at the trunk, see the key to decrypt it and carry on with getting the login details. Unless we don't include the pass in the trunk.[/QUOTE] It's still a first layer of security. Better than having nothing at all. [editline]31st July 2011[/editline] [QUOTE=jetboy;31440895]Make the key dynamic to each user?[/QUOTE] Or this.
I found a bug: if I make a new file or folder then rename it, it has both of them, but it doesn't show on my computer, only on the server.
Oh just wanted to point this out: [img]http://ftpbox.org/images/tray.png[/img] Notice the "μμ".
[QUOTE=Intoxicated Spy;31442055]I found a bug: if I make a new file or folder then rename it, it has both of them, but it doesn't show on my computer, only on the server.[/QUOTE] It fucks up both ways for me sometimes as well (all the time until I restart FTPBox). This only happens on FTP, SFTP is foolproof though. AES would actually be an awesome alternative to plaintext, I hope it gets implemented. Even if it's easy to find the key, random people won't be able to get it unless they look at the source code.
I'll use AES to encrypt the account info, but I'll hide the password needed for decryption in the source files... I'll work on that right away! [QUOTE=jetboy;31442259]Oh just wanted to point this out: [img]http://ftpbox.org/images/tray.png[/img] Notice the "μμ".[/QUOTE] Yeah, it's Greek. [editline]31st July 2011[/editline] [QUOTE=doonbugie2;31445046]It fucks up both ways for me sometimes as well (all the time until I restart FTPBox). This only happens on FTP, SFTP is foolproof though. AES would actually be an awesome alternative to plaintext, I hope it gets implemented. Even if it's easy to find the key, random people won't be able to get it unless they look at the source code.[/QUOTE] By getting STP to work I might have fucked up FTP... I'll have to check what's wrong.
[QUOTE=John the Gr8;31448406]I'll use AES to encrypt the account info, but I'll hide the password needed for decryption in the source files... I'll work on that right away! Yeah, it's Greek. [editline]31st July 2011[/editline] By getting STP to work I might have fucked up FTP... I'll have to check what's wrong.[/QUOTE] I figured out what the problem I had was: my computer didn't let the program access the config.xml file to apply the login details, I just had to run it in admin mode...
[QUOTE=John the Gr8;31448406]I'll use AES to encrypt the account info, but I'll hide the password needed for decryption in the source files... [/QUOTE] I honestly suggest hashing the date & time during installation and using that as the key.
[QUOTE=barttool;31450338]I figured out what the problem I had was: my computer didn't let the program access the config.xml file to apply the login details, I just had to run it in admin mode...[/QUOTE] That isn't the issue for me, otherwise FTPBox would not be able to sync on startup. I restart it and everything synchronizes. Then after that it does not respond.
I released v1.7.2: - Account data is now encrypted using that AES library (decryption pass/salt are removed from source files) - I fixed something I broke in previous version concerning syncing with FTP. PS: When you run the app and click "Update Now", it'll throw an error. Don't worry, the app will have been updated, you'll just have to run FTPbox.exe manually to continue. Of course it's the last time you'll see that error, my apologies! [editline]1st August 2011[/editline] oh and you'll have to fill in your FTP info once more now that they get encrypted...
It works perfectly now! Thanks for developing the program, solves a lot of problems. [img]http://snailpunch.info/uhsuj.png[/img]
When I try to install it I get this: [img]http://i.imgur.com/XBBJn.jpg[/img]
[QUOTE=John the Gr8;31458743]I released v1.7.2: - Account data is now encrypted using that AES library (decryption pass/salt are removed from source files) - I fixed something I broke in previous version concerning syncing with FTP. PS: When you run the app and click "Update Now", it'll throw an error. Don't worry, the app will have been updated, you'll just have to run FTPbox.exe manually to continue. Of course it's the last time you'll see that error, my apologies! [editline]1st August 2011[/editline] oh and you'll have to fill in your FTP info once more now that they get encrypted...[/QUOTE] You know what? You're a winner.
[QUOTE=jetboy;31460531]When I try to install it I get this: [img]http://i.imgur.com/XBBJn.jpg[/img][/QUOTE] Yeah, same here. It seems to be broken on new installations. The program itself works flawlessly though. [img]http://snailpunch.info/glkkc.png[/img]
Give me some time to prepare a new feature, and if no weird errors delay it you'll have a new release (and a working setup file) in the next couple of hours...
-snip- I'm dumb
[QUOTE=FlamingSpaz;31862504]The salt is in the source :v: Also it's not long enough.[/QUOTE] I doubt it's the real one.
[QUOTE=wingless;31862684]I doubt it's the real one.[/QUOTE] pass/salt is replaced with "removed" in the source code...
Attempting to add rsync support... Not going too well :smith:
I really hate that I don't have enough time to check rsync on my own :( By the way, the new release is ready. But, my host doesn't allow me to connect with SFTP anymore, for some weird reason, so I'll need you people to beta-test this new release. The release contains: - Web interface (finally) - Translation to French In my attempt to fix some problems with FTP, I might have broken stuff as well, so if it's not a problem check FTP too. I tried to fix the error that, when deleting a local folder, it would be recreated. It works for me now, it doesn't recreate the folder. But more people testing would be better. Of course check the cool new interface too, it's a very good first release I think, and it'll update automatically from now on. This is just the beginning! The beta executable can be found here: [url]http://ftpbox.org/beta.zip[/url] [B]use it by replacing the exe in the installation folder with the one in the zip.[/B]
[QUOTE=John the Gr8;31866379]I really hate that I don't have enough time to check rsync on my own :( By the way, the new release is ready. But, my host doesn't allow me to connect with SFTP anymore, for some weird reason, so I'll need you people to beta-test this new release. The release contains: - Web interface (finally) - Translation to French In my attempt to fix some problems with FTP, I might have broken stuff as well, so if it's not a problem check FTP too. I tried to fix the error that, when deleting a local folder, it would be recreated. It works for me now, it doesn't recreate the folder. But more people testing would be better. Of course check the cool new interface too, it's a very good first release I think, and it'll update automatically from now on. This is just the beginning! The beta executable can be found here: [url]http://ftpbox.org/beta.zip[/url] [B]use it by replacing the exe in the installation folder with the one in the zip.[/B][/QUOTE] The reason people don't encrypt usernames/passwords in config files is because it's useless. Obviously your program needs access to the credentials if they are saved, so no matter what you do, anyone with access to your machine also has access to the credentials. The proper thing to do here is to rely on your file system's security, which should prevent other users of your machine from reading your private files. You accomplish this by saving user information in AppData/Roaming or somewhere similar. Encrypting the user and password is simply a false sense of security, and worse than not encrypting anything, because of that false impression that there is security present.
You should use DPAPI to protect the username/password instead. It at least makes it so you can't just copy the file and then use it in other places. [url]http://msdn.microsoft.com/en-us/library/ms995355.aspx[/url] [url]http://www.c-sharpcorner.com/UploadFile/mosessaur/dpapiprotecteddataclass01052006142332PM/dpapiprotecteddataclass.aspx[/url]
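The DPAPI suggestion in the last post, combined with the earlier advice to keep the file under AppData/Roaming, as an added C# example (not FTPbox's own code; the `AccountStore` class, the `FTPbox` folder and the `account.bin` file name are hypothetical). It assumes Windows and a reference to `System.Security.dll` on .NET Framework, or the `System.Security.Cryptography.ProtectedData` package on newer .NET.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Added example: no key or salt lives in the source tree or next to the data.
static class AccountStore
{
    // Per-user location (%APPDATA%\FTPbox\account.bin); names are assumptions.
    static readonly string Dir = Path.Combine(
        Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData), "FTPbox");
    static readonly string FilePath = Path.Combine(Dir, "account.bin");

    public static void Save(string host, string user, string password)
    {
        byte[] plain;
        using (var ms = new MemoryStream())
        using (var w = new BinaryWriter(ms, Encoding.UTF8))
        {
            // Length-prefixed strings, so any character is safe inside a field.
            w.Write(host); w.Write(user); w.Write(password);
            w.Flush();
            plain = ms.ToArray();
        }
        // CurrentUser scope: Windows derives the key from this user's logon
        // secret, so the blob cannot be decrypted by another account.
        byte[] blob = ProtectedData.Protect(plain, null, DataProtectionScope.CurrentUser);
        Array.Clear(plain, 0, plain.Length);   // drop the plaintext copy early
        Directory.CreateDirectory(Dir);
        File.WriteAllBytes(FilePath, blob);
    }

    public static bool TryLoad(out string host, out string user, out string password)
    {
        host = user = password = null;
        if (!File.Exists(FilePath)) return false;
        try
        {
            byte[] plain = ProtectedData.Unprotect(
                File.ReadAllBytes(FilePath), null, DataProtectionScope.CurrentUser);
            using (var r = new BinaryReader(new MemoryStream(plain), Encoding.UTF8))
            {
                host = r.ReadString(); user = r.ReadString(); password = r.ReadString();
            }
            return true;
        }
        // Blob was copied from another user or machine, or was modified.
        catch (CryptographicException) { return false; }
    }
}
```

Any process running as the same Windows user can still call `Unprotect`, so this protects a copied or leaked file, not a session that is already compromised.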