
Re: [Full-Disclosure] FD should block attachments



First, Aunt Tillie ought not to be sending files around the Internet, 
IMHO. But we've already lost *that* battle, so ...

Basically, attachments in SMTP sux0r. File Transfer Protocol (which no 
one should use since it's insecure) was designed for ... transferring 
files. SMTP was not - go ask Eric Allman, he'll know. However, other 
protocols will do (HTTP works, although blocking sux0rz). SSH comes to 
mind (unless Microsoft has co-opted *that* too).

Why not help Aunt Tillie install WinSCP? No more need for server access or
perms or disk quotas (cuz it goes from her craptacular Winbloz box to 
someone else's craptacular Winbloz box) *and* it's secure (or as secure 
as anything running on a Winbloz box can be these days).

If we list members are as Godlike as we pretend to be we'd declare a 
national holiday and send out one final SMTP attachment to wall the Aunt 
Tillies (and Uncle Leos) of the world with WinSCP and a link to some nice,
clear, screen-shot-laden instructions on how to install and configure it.

Oh, of course they'll all need static IPs, which will make beaucoup $$$ 
for decent ISPs and will help get rid of crappy dynamic PPPoE DSL and
dial-up providers thank heaven. Another nice side benefit, the RIAA can go
hang trying to catch all the *secure* file transfers of mp3 ph1l3z.

Now someone go write a GPL WinSSHD so that they'll be able to *receive* 
the miserable ph1l3z they'll spew back and forth 8-)

G

On or about 2004.04.02 13:27:19 +0000, Valdis.Kletnieks@xxxxxx 
(Valdis.Kletnieks@xxxxxx) said:

> This will be more useful once there's a way to do all of the following:
> 
> 1) Upload the file to a webserver (which Joe User often doesn't have)
> 2) Set permissions on the file so only the recipients can get it.
> 3) Figure out the resulting URL for inclusion in the mail.
> 4) Deal with removing the file after a week or so.
> 5) All the *other* cruft involved in that whole process.
> 
> In general, *not* something your Aunt Tillie can deal with.

-- 
Gregory A. Gilliss, CISSP                              E-mail: greg@xxxxxxxxxxx
Computer Security                             WWW: http://www.gilliss.com/greg/
PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html