Re: ramen worm

[s-luppescu@example.com]

On 20-Jan-2001 Stephen J. Turnbull wrote:
>>>>>> "Stuart" == Stuart Luppescu <s-luppescu@example.com> writes:
> 
>     Stuart> Well, ftp is very useful in some cases, especially for
>     Stuart> anonymous access to files.
> 
> HTTP is generally faster, more robust (to stupid clients that wake up
> in ASCII mode for example), and doesn't require special treatment for
> firewalls.
> 
>     Stuart> The vulnerability in ftp was fixed a long time ago,
> 
> You're missing Joerg's point.  The vulnerability in FTP will _never_
> be fixed, because FTP is a complex server application.  HTTP has
> exactly the same vulnerability, of course---so why run two such
> servers?

Yeah, but I don't run an HTTP server on my machine, and ftp is easier to set up
than apache.

> And neither should be enabled by default.  Not even if you install the
> package.

Huh? I don't get it. If you don't intend to run the server, why would you
install the package? Why make the user take the extra step to enable the service
after installation? If you're saying the package shouldn't be installed without
giving the administrator the choice, that's another thing. But if the
administrator makes the active decision to install the ftp server (or any other
service), I don't see why it shouldn't be enabled on installation.
______________________________________________________________________
Stuart Luppescu         -=-=-  University of Chicago
ºÍʸ ¤ÈÃÒÆàÈþ¤ÎÉã(EUC)  -=-=-  s-luppescu@example.com
http://www.consortium-chicago.org/people/sl/sl.html
PGP public key: www.consortium-chicago.org/people/sl/pubkey.asc
       ICQ #21172047  AIM: psycho7070
"I am, therefore I am."
-- Akira
>> Sent on 21-Jan-2001 at 14:28:09 with xfmail