| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: ggilliss at netpublishing.com (Gregory A. Gilliss) Subject: FD should block attachments First, Aunt Tillie ought not to be sending files around the Internet, IMHO. But we've already lost *that* battle, so ... Basically, attachments in SMTP sux0r. File Transfer Protocol (which no one should use since it's insecure) was designed for ... transferring files. SMTP was not - go ask Eric Allman, he'll know. However other protocols will do (HTTP works, although blocking sux0rz). SSH comes to mind (unless Microsoft has co-opted *that* too). Why not help Aunt Tillie install WinSCP? No more need for server access or perms or disk quotas (cuz it goes from her craptacular Winbloz box to someone elses' craptacular Winbloz box) *and* it's secure (or as secure as anything running on a Winbloz box can be these days). If we list members are as Godlike as we pretend to be we'd declare a national holiday and send out one final SMTP attachment to wall the Aunt Tillies (and Uncle Leos) of the world with WinSCP and a link to some nice, clear, screen-shot-laden instructions on how to install and configure it. Oh, of course they'll all need static IPs, which will make beaucoup $$$ for decent ISPs and will help get rid of crappy dynamic PPPoE DSL and dial-up providers thank heaven. Another nice side benefit, the RIAA can go hang trying to catch all the *secure* file transfers of mp3 ph1l3z Now someone go write a GPL WinSSHD so that they'll be able to *receive* the miserable ph1l3z they'll spew back and forth 8-) G On or about 2004.04.02 13:27:19 +0000, Valdis.Kletnieks@...edu (Valdis.Kletnieks@...edu) said: > This will be more useful once there's a way to do all of the following: > > 1) Upload the file to a webserver (which Joe User often doesn't have) > 2) Set permissions on the file so only the recipients can get it. > 3) Figure out the resulting URL for inclusion in the mail. > 4) Deal with removing the file after a week or so. > 5) All the *other* cruft involved in that whole process. > > In general, *not* something your Aunt Tillie can deal with. -- Gregory A. Gilliss, CISSP E-mail: greg@...liss.com Computer Security WWW: http://www.gilliss.com/greg/ PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3
Powered by blists - more mailing lists