Full Disclosure mailing list archives
Re: FD should block attachments
From: "Gregory A. Gilliss" <ggilliss () netpublishing com>
Date: Fri, 2 Apr 2004 11:45:38 -0800
First, Aunt Tillie ought not to be sending files around the Internet, IMHO. But we've already lost *that* battle, so ...

Basically, attachments in SMTP sux0r. File Transfer Protocol (which no one should use since it's insecure) was designed for ... transferring files. SMTP was not - go ask Eric Allman, he'll know. However other protocols will do (HTTP works, although blocking sux0rz). SSH comes to mind (unless Microsoft has co-opted *that* too).

Why not help Aunt Tillie install WinSCP? No more need for server access or perms or disk quotas (cuz it goes from her craptacular Winbloz box to someone else's craptacular Winbloz box) *and* it's secure (or as secure as anything running on a Winbloz box can be these days).

If we list members are as Godlike as we pretend to be we'd declare a national holiday and send out one final SMTP attachment to wall the Aunt Tillies (and Uncle Leos) of the world with WinSCP and a link to some nice, clear, screen-shot-laden instructions on how to install and configure it.

Oh, of course they'll all need static IPs, which will make beaucoup $$$ for decent ISPs and will help get rid of crappy dynamic PPPoE DSL and dial-up providers thank heaven. Another nice side benefit, the RIAA can go hang trying to catch all the *secure* file transfers of mp3 ph1l3z

Now someone go write a GPL WinSSHD so that they'll be able to *receive* the miserable ph1l3z they'll spew back and forth 8-)

G

On or about 2004.04.02 13:27:19 +0000, Valdis.Kletnieks () vt edu (Valdis.Kletnieks () vt edu) said:
This will be more useful once there's a way to do all of the following:

1) Upload the file to a webserver (which Joe User often doesn't have)
2) Set permissions on the file so only the recipients can get it.
3) Figure out the resulting URL for inclusion in the mail.
4) Deal with removing the file after a week or so.
5) All the *other* cruft involved in that whole process.

In general, *not* something your Aunt Tillie can deal with.
--
Gregory A. Gilliss, CISSP
E-mail: greg () gilliss com
Computer Security
WWW: http://www.gilliss.com/greg/
PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html