RE: 'we should all be uncomfortable with the extent to which luck ..'
From: Deepak Jain [mailto:deepak@ai.net] Sent: Saturday, July 28, 2001 3:49 PM
I am not sure why people complain about telnet-security when many of these same people have no qualms whatsoever using FTP on the same account -- equally plain text and over the general internet.
I 100% agree with you and we don't do in.ftpd either (ever since the first wu-ftpd exploit was published). All of those functions here use the various flavors of SSH/scp. General downloads and publication are via httpd. Uploads are via JSP to non-executable directories. All of the above are front-ended with tcpd and detailed hosts-allow entries, which is all post-ipchains activity.

Actually, we could talk a lot about nasty old MSFT. But, wu-FTP is just as bad, if not worse. How many years has it been and it *still* isn't fixed? I was on a recent HP-UX installation and they *still* had the vulnerability. Maybe it is because MSFT and WU are in the same State? Maybe MSFT's attitude is geo-physically caused?

In many ways the open-source community is as bad. How many programmers don't know the difference between strcpy and strncpy and the relevant security implications? Also, why do strcpy/memcpy continue to exist? The fact that we still have buffer overflow problems is living proof that some should not be programming without a license.

I recently found out that Emil Dykstra was no longer universally required reading in all Computer Science curricula. I stand amazed. No *wonder* we continue to have these problems.
On Sat, 28 Jul 2001 16:28:39 PDT, Roeland Meyer said:
Maybe it is because MSFT and WU are in the same State? Maybe MSFT's attitude is geo-physically caused?
MSFT moved their corporate offices to St. Louis? Washington University and the U of Washington are NOT the same school.
From: Deepak Jain [mailto:deepak@ai.net] Sent: Saturday, July 28, 2001 3:49 PM
I am not sure why people complain about telnet-security when many of these same people have no qualms whatsoever using FTP on the same account -- equally plain text and over the general internet.
I 100% agree with you and we don't do in.ftpd either (ever since the first wu-ftpd exploit was published). All of those functions here use the various flavors of SSH/scp. General downloads and publication are via httpd. Uploads are via JSP to non-executable directories. All of the above are front-ended with tcpd and detailed hosts-allow entries, which is all post-ipchains activity.

--

This is fine if you don't operate a network where customers/clients/etc. get to decide their access levels. If they pay you to provide network access/servers/what have you and they say, "I want FTP," there is very little ground to disagree with them. In a university, some enterprises, and a few paranoid organizations, sysadmins have carte blanche to make the act of updating/removing content as obscure a process as they wish. Usually, it's not a good wish.

Most networks are not in the firing line of hackers and script kiddies, whether it's through obscurity or luck. Best practices are only followed by organizations that have philosophies of improvement from within. I am sure we can all agree that most problematic ones don't.

I guess the whole reason I brought this point up is that the status quo is to trust that the network is not being sniffed, or if it is, it's by benevolent forces [ignoring any particular political agenda]. This is how our POTS and general telco networks operate. It's up to individual operations to decide if this is not sufficient.

--

I recently found out that Emil Dykstra was no longer universally required reading in all Computer Science curricula. I stand amazed. No *wonder* we continue to have these problems.

---

I don't have a CS degree, so it doesn't amaze me a bit. Then again, I don't think I'm part of the problem you are talking about... [knowing the difference between strcpy and strncpy, and of course what a buffer overflow is in the first place] :)

Deepak Jain
AiNET
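Both Roeland Meyer's point about strcpy versus strncpy and Deepak Jain's reply above turn on a distinction the thread never spells out, so here is an added example (not code from either poster): the unbounded copy that produces a classic overflow, the strncpy pitfall that silently drops the terminator, and a bounded copy that always terminates and reports truncation. The function names, the 16-byte buffer size and the sample inputs are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_LEN 16   /* constructed buffer size for the example */

/* The pattern behind the overflows the thread complains about: strcpy has
 * no idea how large dst is and writes strlen(src)+1 bytes regardless.
 * Kept only for contrast; nothing in this file calls it. */
void store_name_unsafe(char dst[NAME_LEN], const char *src) {
    strcpy(dst, src);
}

/* The strncpy half of the distinction: if src is dst_size bytes or longer,
 * strncpy fills dst completely and writes NO terminator, so a later strlen
 * or printf runs off the end. Returns 1 if dst ended up NUL-terminated. */
int strncpy_terminates(char *dst, size_t dst_size, const char *src) {
    strncpy(dst, src, dst_size);
    for (size_t i = 0; i < dst_size; i++)
        if (dst[i] == '\0')
            return 1;
    return 0;
}

/* Bounded copy (hypothetical helper) that always NUL-terminates and tells
 * the caller whether the input fit. Returns 1 if copied whole, 0 if truncated. */
int copy_bounded(char *dst, size_t dst_size, const char *src) {
    size_t n = strlen(src);
    if (dst_size == 0)
        return 0;
    if (n >= dst_size) {                 /* would not fit with terminator */
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return 0;
    }
    memcpy(dst, src, n + 1);             /* includes the terminator */
    return 1;
}

/* The length check that should precede any copy into a fixed buffer:
 * the input fits only if there is room for its terminator too. */
int fits(size_t dst_size, const char *src) {
    return strlen(src) < dst_size;
}

int main(void) {
    char buf[NAME_LEN];
    const char *ok  = "short";                 /* constructed input, fits */
    const char *big = "0123456789abcdefXYZ";   /* constructed input, 19 bytes */

    printf("fits(%zu, \"%s\") = %d\n", sizeof buf, ok,  fits(sizeof buf, ok));
    printf("fits(%zu, \"%s\") = %d\n", sizeof buf, big, fits(sizeof buf, big));

    printf("strncpy terminated for short input: %d\n",
           strncpy_terminates(buf, sizeof buf, ok));
    printf("strncpy terminated for long input:  %d\n",
           strncpy_terminates(buf, sizeof buf, big));

    int whole = copy_bounded(buf, sizeof buf, big);
    printf("copy_bounded -> \"%s\" (copied whole: %d)\n", buf, whole);
    return 0;
}
```

The point for a reviewer is that strncpy is not a drop-in "safe strcpy": it bounds the write but can leave the buffer unterminated, so the safe form is the explicit length check plus a copy that terminates and reports truncation.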
On Sat, 28 Jul 2001, Roeland Meyer wrote:
Actually, we could talk a lot about nasty old MSFT. But, wu-FTP is just as bad, if not worse.
I agree. -- JustThe.net LLC - Steve "Web Dude" Sobol, CTO - sjsobol@JustThe.net Donate a portion of your monthly ISP bill to your favorite charity or non-profit organization! E-mail me for details.
participants (4)
- Deepak Jain
- Roeland Meyer
- Steven J. Sobol
- Valdis.Kletnieks@vt.edu