Re: OFFLIST Re: TECH: info on ftp
From: Sai Emrys <sai@...>
Date: Wednesday, August 27, 2008, 18:59
On Wed, Aug 27, 2008 at 2:58 AM, Mark J. Reed <markjreed@...> wrote:
> 2. No. The password isn't stored anywhere people can access it on the
> site - it's not quite that bad. :)
>
True.
Not unless they can take advantage of a server vulnerability or the like, of
course.... and FWIW FTP servers have historically had an unusually high
number of such vulnerabilities.
(For the technically inclined: go download Metasploit, svn up, and take a
look at just how many FTP attacks there are available. Not good, eh? ;-))
There exists also sftp (SSH + FTP) and ftps (FTP + SSL). But a) if you're
using ssh, why would you want ftp rather than real scp, and b) dealing with
SSL in an actually secure manner requires either serious geekery or paying
for a real SSL certificate (man-in-the-middle attacks are trivial otherwise,
rendering the SSL useless).
> But whenever you send information over the Internet between two
> computers, software running on a third computer that is topologically
> "between" the first two can look at that information, too.
Mind that, in the case that any computer along the line is on wireless,
everything it does over that wireless network is available for anyone within
physical receiving distance to read (if they can crack whatever security you
have on that wireless network).
Just as a rule of thumb: I've cracked WEP 'secured' nets in <10 min for busy
networks, 2 days for rarely used ones, and successfully connected to /
sniffed the traffic of networks ~5 miles away using good equipment on top of
a hill. I've yet to see someone crack WPA however in any practical way.
Lesson: use WPA unless you don't care if your traffic is listened in on.
> The fact that such software (called a "sniffer") has to be running
> somewhere between the two computers in question is not a very stringent
> requirement if the two computers are far enough apart, especially if
> the sniffer is installed on a lot of unsuspecting folks' computers via
> a virus.
FWIW as counterpoint, over-the-wire sniffing is somewhat ameliorated by the
fact that your traffic will generally take the fastest route to destination.
Which usually means that the only computers involved are: yours, anyone near
you if you're wireless, your router [it's a computer too], your ISP
frontend, backend, trunk, inter-ISP trunk, other ISP's trunk, backend,
frontend, and the website host itself (plus whatever routers, load
balancers, etc).
Relatively speaking, it's unlikely that ISP computers will be compromised
because they're generally pretty damn paranoid about it... buuuuut I know
people who work for ISPs, and have heard them talk about their machines
getting compromised because someone in the office wasn't quite as paranoid
as they ought to have been. (And as a result becoming spambots just like any
random home user... except spambots with really massive bandwidth and the
ability to monitor a few thousand home users' traffic...)
So even though it's unlikely, you should consider all traffic you send to be
subject to being sniffed (= wiretapped / spied on) unless it's well
encrypted.
Incidentally, one thing people usually forget is that VOIP (e.g. Skype,
Vonage, etc) is usually completely unencrypted, and one can record complete
conversations in exactly the same manner. It's not difficult at all. (Good,
easy tool for Windows users: Cain & Abel. Try it out and see for yourself.)
BTW random on this: GMail defaults to only being https for login, and http
for the actual app. However, you can force it by logging in originally to
https://mail.google.com - and there's a nice plugin for Firefox, Better
Gmail 2, that does this for you automatically. (I use it.)
- Sai