Theiling Online    Sitemap    Conlang Mailing List HQ    Attic   

Re: OFFLIST Re: TECH: info on ftp

From:Sai Emrys <sai@...>
Date:Wednesday, August 27, 2008, 18:59
On Wed, Aug 27, 2008 at 2:58 AM, Mark J. Reed <markjreed@...> wrote:

> 2. No. The password isn't stored anywhere people can access it on the > site - it's not quite that bad. :) >
True. Not unless they can take advantage of a server vulnerability or the like, of course.... and FWIW FTP servers have historically had an unusually high number of such vulnerabilities. (For the technically inclined: go download Metasploit, svn up, and take a look at just how many FTP attacks there are available. Not good, eh? ;-)) There exists also sftp (SSH + FTP) and ftps (FTP + SSL). But a) if you're using ssh, why would you want ftp rather than real scp, and b) dealing with SSL in an actually secure manner requires either serious geekery or paying for a real SSL certificate (man-in-the-middle attacks are trivial otherwise, rendering the SSL useless). But whenever you send information over the Internet between two
> computers, software running on a third computer that is topologically > "between" the first two can look at that information, too.
Mind that, in the case that any computer along the line is on wireless, everything it does over that wireless network is available for anyone within physical receiving distance to read (if they can crack whatever security you have on that wireless network). Just as a rule of thumb: I've cracked WEP 'secured' nets in <10 min for busy networks, 2 days for rarely used ones, and successfully connected to / sniffed the traffic of networks ~5 miles away using good equipment on top of a hill. I've yet to see someone crack WPA however in any practical way. Lesson: use WPA unless you don't care if your traffic is listened in on.
> The fact that such software (called a "sniffer") has to be running > somewhere > between the two computers in question is not a very stringent > requirement if the two computers are far enough apart, especially if > the sniffer is installed on a lot of unsuspecting folks' computers via > a virus.
FWIW as counterpoint, over-the-wire sniffing is somewhat ameliorated by the fact that your traffic will generally take the fastest route to destination. Which usually means that the only computers involved are: yours, anyone near you if you're wireless, your router [it's a computer too], your ISP frontend, backend, trunk, inter-ISP trunk, other ISP's trunk, backend, frontend, and the website host itself (plus whatever routers, load balancers, etc). Relatively speaking, it's unlikely that ISP computers will be compromised because they're generally pretty damn paranoid about it... buuuuut I know people who work for ISPs, and have heard them talk about their machines getting compromised because someone in the office wasn't quite as paranoid as they ought to have been. (And as a result becoming spambots just like any random home user... except spambots with really massive bandwidth and the ability to monitor a few thousand home users' traffic...) So even though it's unlikely, you should consider all traffic you send to be suspect to being sniffed (= wiretapped / spied on) unless it's well encrypted. Incidentally, one thing people usually forget is that VOIP (e.g. Skype, Vonage, etc) is usually completely unencrypted, and one can record complete conversations in exactly the same manner. It's not difficult at all. (Good, easy tool for Windows users: Cain & Abel. Try it out and see for yourself.) BTW random on this: GMail defaults to only being https for login, and http for the actual app. However, you can force it by logging in originally to - and there's a nice plugin for Firefox, Better Gmail 2, that does this for you automatically. (I use it.) - Sai