Bugtraq mailing list archives
Re: your mail
From: jmm () elegant com (John Macdonald)
Date: Mon, 16 May 1994 16:49:15 -0400
Steven C. Blair wrote :
||
|| John MacDonald says:
        ***^*****
        Macdonald
||
|| There is one advantage in doing this sort of thing. There is
|| a powerful security advantage in having many off-site copies
|| of the ls-lR+hash file. It is *really* hard for a cracker
|| to spoof a change to an existing file
||
|| If folks would quit using writable directories in their hierarchies then the
|| problem goes away. There are few to NO compelling reasons with my years of
|| experience that justify writable directories in anonymous FTP. You're just
|| asking for trouble, with a big "T".
||
|| If you must justify having a writable directory that is FTP reachable from an
|| external network, either use a separate login with a one-time passwd that is
|| changed mutually by both parties on your sites' end, or learn the
|| intricacies(sp?) of WU-FTPD which can prevent a lot of problems.
That is a separate issue.

Having checksums, and making it difficult to hide the existence
of a change by maintaining external copies of the expected
value of the checksum is a valuable tool for discovering that
a breach has occurred.

Getting the permissions right can prevent many types of such
breaches.
--
That is 27 years ago, or about half an eternity in | John Macdonald
computer years. - Alan Tibbetts | jmm () Elegant COM
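
The check described in the message above, as an added example that is not part of the original post: a listing-plus-hash manifest of a tree is compared against several independently held copies, so a rewritten on-site copy stands out as well as the changed file. The function names, holder names and file names are hypothetical, SHA-256 is an assumed choice of hash (the thread names none), and the tree is constructed in a temporary directory.

```python
import hashlib, json, os, stat, tempfile
from collections import Counter

def build_manifest(root):
    """Map each regular file under root to [mode, size, sha256], like ls -lR plus a hash."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and special files are out of scope for this example
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = [oct(stat.S_IMODE(st.st_mode)), st.st_size, digest]
    return manifest

def audit(copies, live):
    """copies: {holder: manifest}. Assumption: the version most holders agree on is the expected one."""
    canon = {h: json.dumps(m, sort_keys=True) for h, m in copies.items()}
    majority, _count = Counter(canon.values()).most_common(1)[0]
    expected = json.loads(majority)
    return {
        "dissenting_holders": sorted(h for h, c in canon.items() if c != majority),
        "added": sorted(set(live) - set(expected)),
        "removed": sorted(set(expected) - set(live)),
        "changed": sorted(p for p in set(expected) & set(live) if expected[p] != live[p]),
    }

def demo():
    """Constructed scenario: a file is replaced and the on-site manifest is rewritten to match."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "pub"))
        for name, body in (("pub/tool.tar", b"original"), ("pub/README", b"docs")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        good = build_manifest(root)  # taken before the change, then sent off-site
        with open(os.path.join(root, "pub/tool.tar"), "wb") as fh:
            fh.write(b"trojaned")    # same length as the original, so only the hash differs
        with open(os.path.join(root, "pub/dropped"), "wb") as fh:
            fh.write(b"x")
        live = build_manifest(root)
        copies = {"onsite": live, "mirror-a": good, "mirror-b": good}
        return audit(copies, live)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```
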
