DEFCON talk mentions rclone as target

Apparently at some hacker confab called DEFCON, an anonymous participant is planning a talk/demonstration on compromising seedboxes (much of which is applicable to servers as well): "Mass Owning of Seedboxes - A Live Hacking Exhibition" Anon, Hacker - DEF CON Forums

The hacker has put up the slides for the talk/demonstration here

This would be of limited interest here but for the first bullet point on slide 10:

• Rclone.conf is a great target

It's not clear from the slides what it is that makes .rclone.conf a "great target" (beyond "plaintext creds") and I'm not really competent to guess, but others might be.

Make of this what you will.

1 Like

Actually the last slide gives good summary - and it is 100% right:)

Be careful…
Seedboxes protect you from your ISP - but that is all they do.
Your data is still at risk. Your data can/will be found.
If you pay for illegal things don’t get mad when they are stolen.
Don’t expect admins who run seedboxes to know anything about security.
Don’t put API keys or passwords on seedboxes… you moron.
The FEDs could be doing these same attacks. I could see the real source IPs for
all other users in last logs.
Lots of people used their same username on different providers.
Lots of people would tunnel data back to their home machine, or SSH to other
boxes, like idiots.

FUD, just use your brain and you're good to go...

Just to be clear: if someone has your rclone.conf they have access to your cloud account(s) in it.
Don't leave rclone.conf on your seedbox if you are not actively using it.

I use plain text config but limited to user. The config is encrypted through file system anyway.
Would be nice to decrypt config file once per session, instead of typing password at every command - that's the main reason I do not use config protection.

you do not have to type the password for every command.

best to start a new topic, answer all the questions.

I will test at home later. Last time I tried it, I recall I had to type password for every rclone command.

it is well documented

best to start a new topic, answer all the questions, and not post in this topic...