[39967] in North American Network Operators' Group


RE: 'we should all be uncomfortable with the extent to which luck

daemon@ATHENA.MIT.EDU (Roeland Meyer)
Sat Jul 28 19:25:06 2001

Message-ID: <EA9368A5B1010140ADBF534E4D32C728025A90@condor.mhsc.com>
From: Roeland Meyer <rmeyer@mhsc.com>
To: "'deepak@ai.net'" <deepak@ai.net>,
	"Steven J. Sobol" <sjsobol@NorthShoreTechnologies.net>,
	Mitch Halmu <mitch@netside.net>
Cc: Roeland Meyer <rmeyer@mhsc.com>, 'k claffy' <kc@ipn.caida.org>,
	nanog@nanog.org, caida@caida.org
Date: Sat, 28 Jul 2001 16:28:39 -0700
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Errors-To: owner-nanog-outgoing@merit.edu


> From: Deepak Jain [mailto:deepak@ai.net]
> Sent: Saturday, July 28, 2001 3:49 PM
> 
> I am not sure why people complain about telnet-security when many of
> these same people have no qualms whatsoever using FTP on the same
> account -- equally plain text and over the general internet.

I 100% agree with you and we don't do in.ftpd either (ever since the first
wu-ftpd exploit was published). All of those functions here use the various
flavors of SSHscp. General downloads and publication are via httpd. Uploads
are via JSP to non-executable directories. All of the above are front-ended
with tcpd and detailed hosts-allow entries, which is all post-ipchains
activity.

Actually, we could talk a lot about nasty old MSFT. But, wu-FTP is just as
bad, if not worse. How many years has it been and it *still* isn't fixed? I
was on a recent HP-UX installation and they *still* had the vulnerability.
Maybe it is because MSFT and WU are in the same State? Maybe MSFT's attitude
is geo-physically caused?

In many ways the open-source community is as bad. How many programmers don't
know the difference between strcpy and strncpy and the relevant security
implications? Also, why does strcpy/memcpy continue to exist? The fact that
we still have buffer overflow problems is living proof that some should not
be programming without a license.

I recently found out that Emil Dijkstra was no longer universally required
reading in all Computer Science curricula. I stand amazed. No *wonder* we
continue to have these problems.
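The strcpy/strncpy point above deserves a concrete illustration, so here is an added C example (editor's code, not from the thread or any of the daemons mentioned). The function names copy_bounded, strncpy_terminated and strncpy_safe are my own; it shows the unbounded strcpy hazard, the lesser-known strncpy pitfall (no terminator when the source fills the buffer), and the bounded idiom that is actually safe.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bounded copy that always NUL-terminates dst (dst_size bytes).
 * Returns 1 if src fit entirely, 0 if it was truncated.
 * This is what strcpy(dst, src) cannot promise: strcpy has no idea how
 * big dst is and will write past its end on over-long input. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t n;
    if (dst_size == 0)
        return 0;
    n = strlen(src);
    if (n >= dst_size) {                 /* would overflow: truncate */
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return 0;
    }
    memcpy(dst, src, n + 1);             /* includes the terminator */
    return 1;
}

/* The strncpy trap: strncpy(dst, src, n) copies at most n bytes and
 * writes NO terminator when strlen(src) >= n, so a later strlen/printf
 * on dst reads off the end of the buffer.
 * Returns 1 if dst ended up NUL-terminated within dst_size, else 0. */
int strncpy_terminated(char *dst, size_t dst_size, const char *src)
{
    strncpy(dst, src, dst_size);
    return memchr(dst, '\0', dst_size) != NULL;
}

/* The correct idiom when strncpy must be used: leave room for, and
 * explicitly write, the terminator. */
void strncpy_safe(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0)
        return;
    strncpy(dst, src, dst_size - 1);
    dst[dst_size - 1] = '\0';
}

int main(void)
{
    char user[8];                        /* constructed fixed-size field */
    const char *hostile = "abcdefghijklmnop";   /* constructed over-long input */
    printf("copy_bounded fit: %d -> \"%s\"\n", copy_bounded(user, sizeof user, hostile), user);
    printf("strncpy terminated: %d\n", strncpy_terminated(user, sizeof user, hostile));
    strncpy_safe(user, sizeof user, hostile);
    printf("strncpy_safe -> \"%s\"\n", user);
    return 0;
}
```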
