[lug] Is anon ftp upload really bad?
John.Hernandez at noaa.gov
Wed Apr 24 17:49:07 MDT 2002
Yes, "authenticated anonymous" is indeed an oxymoron, but I didn't say
or imply it.
The notion of a "secure system" is never really an absolute in any
practical environment. Security almost always involves layers of
defense, each of which may have some theoretical flaws, but would
successfully thwart the common attacker.
I'll be the first to admit that cleatext passwords can be compromised,
but notion that cleartext passwords are worthless doesn't stand up in
my book. If I threw up a telnet server somewhere on the 'net and gave
you a valid UID, it would be not be trivial for you to gain shell
access, even if I logged in remotely under that same UID routinely.
Well, maybe if you REALLY REALLY wanted to, but that's my point.
I've personally witnessed well-chosen reusable plaintext passwords used
across the Internet stand the test of time; I'm not THAT surprised.
Apparently nobody cares that much about that particular account to risk
getting caught sneaking a sniffer onto the wire along the path;
that's probably the case with 99% of the accounts in existence.
Sure, a steel door is better than a wooden door is better than no door,
but there's an appropriate door for every doorway. Look at the example
of stateless IP filters on common router platforms. They are
notoriously flawed in more than one respect, but you don't see everyone
going around turning them off in favor of no network filtering but
instead a totally host-based security effort. They are, together,
Peter Hutnick wrote:
> I guess I don't know of any kind of authenticated anonymous FTP. The
> two sound mutually exclusive to me.
> To say it another way, I don't see any use in a half-measure. Either rely on
> authentication (and IMO cleartext isn't authentication, since, as you allude
> to, you basically have to assume the passwords to be compromised) or don't.
> Using untrusted authentication on top of an otherwise secure system seems to
> be the worst of both worlds to me.
- John Hernandez - Network Engineer - 303-497-6392 -
| National Oceanic and Atmospheric Administration |
| Mailstop R/OM12. 325 Broadway, Boulder, CO 80305 |
More information about the LUG