From: Deepak Jain [mailto:deepak@ai.net]
Sent: Saturday, July 28, 2001 3:49 PM
I am not sure why people complain about telnet-security when many of these same people have no qualms whatsoever using FTP on the same account -- equally plain text and over the general internet.

I 100% agree with you and we don't do in.ftpd either (ever since the first wu-ftpd exploit was published). All of those functions here use the various flavors of SSHscp. General downloads and publication are via httpd. Uploads are via JSP to non-executable directories. All of the above are front-ended with tcpd and detailed hosts-allow entries, which is all post-ipchains activity.

--

This is fine if you don't operate a network where customers/clients/etc. get to decide their access levels. If they pay you to provide network access/servers/what have you and they say, "I want FTP," there is very little ground to disagree with them. In a university, some enterprises, and a few paranoid organizations, sysadmins have carte blanche to make the act of updating/removing content as obscure a process as they wish. Usually, it's not a good wish.

Most networks are not in the firing line of hackers and script kiddies, whether it's through obscurity or luck. Best practices are only followed by organizations that have philosophies of improvement from within. I am sure we can all agree that most problematic ones don't.

I guess the whole reason I brought this point up is that the status quo is to trust that the network is not being sniffed, or if it is, it's by benevolent forces [ignoring any particular political agenda]. This is how our POTS and general telco networks operate. It's up to individual operations to decide if this is not sufficient.

--

I recently found out that Emil Dykstra was no longer universally required reading in all Computer Science curricula. I stand amazed. No *wonder* we continue to have these problems.

---

I don't have a CS degree, so it doesn't amaze me a bit. Then again, I don't think I'm part of the problem you are talking about... [knowing the difference between strcpy and strncpy, and of course what a buffer overflow is in the first place] :)

Deepak Jain
AiNET