'we should all be uncomfortable with the extent to which luck ..'

Deepak Jain deepak at ai.net
Sun Jul 29 02:21:10 UTC 2001

> From: Deepak Jain [mailto:deepak at ai.net]
> Sent: Saturday, July 28, 2001 3:49 PM
> I am not sure why people complain about telnet-security when
> many of these
> same people have no qualms whatsoever using FTP on the same account --
> equally plain text and over the general internet.

I 100% agree with you and we don't do in.ftpd either (ever since the first
wu-ftpd exploit was published). All of those functions here use the various
flavors of SSHscp. General downloads and publication are via httpd. Uploads
are via JSP to non-executable directories. All of the above are front-ended
with tcpd and detailed hosts-allow entries, which is all post-ipchains


This is fine if you don't operate a network where customers/clients/etc get
to decide their access levels. If they pay you to provide network access/
servers/what have you and they say, "I want FTP" there is very little ground
to disagree with them.

In a university, some enterprises, and a few paranoid organizations,
have carte blanche to make the act of updating/removing content as obscure a
process as they wish. Usually, its not a good wish.

Most networks are not in the firing line of hackers, and script kiddies,
whether its through obscurity or luck. Best practices are only followed by
organizations that have philosphies of improvement from within. I am sure
we can all agree that most problematic ones don't.

I guess the whole reason I brought this point up is that the status quo is
to trust that the network is not being sniffed, or if it is, its by
forces [ignoring any particular political agenda]. This is how our POTS and
general telco networks operate. Its up to individual operations to decide if
this is not sufficient.


I recently found out that Emil Dykstra was no longer universally required
reading in all Computer Science curriclulii. I stand amazed. No *wonder* we
continue to have these problems.


I don't have a CS degree, so it doesn't amaze me a bit. Then again, I don't
think I'm part of the problem you are talking about... [knowing the
between strcpy and strncpy, and of course what a buffer overflow is in the
first place] :)

Deepak Jain

More information about the NANOG mailing list