lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20040402194538.GB9994@netpublishing.com>
From: ggilliss at netpublishing.com (Gregory A. Gilliss)
Subject: FD should block attachments

First, Aunt Tillie ought not to be sending files around the Internet, 
IMHO. But we've already lost *that* battle, so ...

Basically, attachments in SMTP sux0r. File Transfer Protocol (which no 
one should use since it's insecure) was designed for ... transferring 
files. SMTP was not - go ask Eric Allman, he'll know. However other 
protocols will do (HTTP works, although blocking sux0rz). SSH comes to 
mind (unless Microsoft has co-opted *that* too).

Why not help Aunt Tillie install WinSCP? No more need for server access or
perms or disk quotas (cuz it goes from her craptacular Winbloz box to 
someone elses' craptacular Winbloz box) *and* it's secure (or as secure 
as anything running on a Winbloz box can be these days).

If we list members are as Godlike as we pretend to be we'd declare a 
national holiday and send out one final SMTP attachment to wall the Aunt 
Tillies (and Uncle Leos) of the world with WinSCP and a link to some nice,
clear, screen-shot-laden instructions on how to install and configure it.

Oh, of course they'll all need static IPs, which will make beaucoup $$$ 
for decent ISPs and will help get rid of crappy dynamic PPPoE DSL and
dial-up providers thank heaven. Another nice side benefit, the RIAA can go
hang trying to catch all the *secure* file transfers of mp3 ph1l3z

Now someone go write a GPL WinSSHD so that they'll be able to *receive* 
the miserable ph1l3z they'll spew back and forth 8-)

G

On or about 2004.04.02 13:27:19 +0000, Valdis.Kletnieks@...edu (Valdis.Kletnieks@...edu) said:

> This will be more useful once there's a way to do all of the following:
> 
> 1) Upload the file to a webserver (which Joe User often doesn't have)
> 2) Set permissions on the file so only the recipients can get it.
> 3) Figure out the resulting URL for inclusion in the mail.
> 4) Deal with removing the file after a week or so.
> 5) All the *other* cruft involved in that whole process.
> 
> In general, *not* something your Aunt Tillie can deal with.

-- 
Gregory A. Gilliss, CISSP                              E-mail: greg@...liss.com
Computer Security                             WWW: http://www.gilliss.com/greg/
PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ