North American Network Operators Group

RE: 'we should all be uncomfortable with the extent to which luck ..'
> From: Deepak Jain [mailto:[email protected]]
> Sent: Saturday, July 28, 2001 3:49 PM
>
> I am not sure why people complain about telnet-security when many of these
> same people have no qualms whatsoever using FTP on the same account --
> equally plain text and over the general internet.

I 100% agree with you and we don't do in.ftpd either (ever since the first wu-ftpd exploit was published). All of those functions here use the various flavors of SSHscp. General downloads and publication are via httpd. Uploads are via JSP to non-executable directories. All of the above are front-ended with tcpd and detailed hosts-allow entries, which is all post-ipchains activity.

Actually, we could talk a lot about nasty old MSFT. But, wu-FTP is just as bad, if not worse. How many years has it been and it *still* isn't fixed? I was on a recent HP-UX installation and they *still* had the vulnerability. Maybe it is because MSFT and WU are in the same State? Maybe MSFT's attitude is geo-physically caused?

In many ways the open-source community is as bad. How many programmers don't know the difference between strcpy and strncpy and the relevant security implications? Also, why does strcpy/memcpy continue to exist? The fact that we still have buffer overflow problems is living proof that some should not be programming without a license.

I recently found out that Emil Dykstra was no longer universally required reading in all Computer Science curricula. I stand amazed. No *wonder* we continue to have these problems.
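Added example, not part of the original message: the strcpy/strncpy difference the post refers to, shown in C. strcpy has no bound at all, while strncpy bounds the write but leaves the destination unterminated when the source fills it; the helper names (`is_terminated`, `strncpy_naive`, `copy_bounded`) and the sample input are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* 1 if buf[0..size) holds a NUL terminator, else 0. */
int is_terminated(const char *buf, size_t size) {
    return memchr(buf, '\0', size) != NULL;
}

/* strncpy used as a drop-in "safe strcpy": the write is bounded, but when
 * strlen(src) >= size no terminator is written. Returns is_terminated(). */
int strncpy_naive(char *dst, size_t size, const char *src) {
    strncpy(dst, src, size);
    return is_terminated(dst, size);
}

/* Bounded copy that always terminates and reports truncation.
 * Returns 0 on a full copy, -1 on truncation or invalid arguments. */
int copy_bounded(char *dst, size_t size, const char *src) {
    size_t n;
    if (dst == NULL || src == NULL || size == 0)
        return -1;
    n = strlen(src);
    if (n >= size) {
        memcpy(dst, src, size - 1);
        dst[size - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

int main(void) {
    char buf[8];
    const char *input = "exactly8";   /* constructed: 8 chars, needs 9 bytes */

    /* strcpy(buf, input) would write 9 bytes into 8: a one-byte overflow. */
    memset(buf, 'X', sizeof buf);
    printf("strncpy terminated: %d\n", strncpy_naive(buf, sizeof buf, input));
    printf("copy_bounded rc:    %d\n", copy_bounded(buf, sizeof buf, input));
    printf("buf after:          \"%s\"\n", buf);
    return 0;
}
```

The unterminated buffer that strncpy leaves behind is the less obvious hazard: a later `strlen` or `printf("%s")` on it reads past the end of the array.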