Debian/Ubuntu security apt phun

Shawn K. Quinn skquinn at rushpost.com
Wed Dec 14 13:18:17 PST 2016


On 12/14/2016 03:07 PM, John Newman wrote:
> Naught to do with Debian, but goddam I'm sick of seeing IPs from all
> over the world logging into our one anon ftp server and recursively
> trying to upload Photo.scr over and over, until the little monitor
> script catches and blocks it.
> 
> The file is of course actually a Windows executable, not a ".scr"
> file...

First, why the hell are you running an anonymous FTP server in 2016?!
FTP needs to die... it was designed in an era where it was acceptable to
send passwords across the internet in plain text. That era is long gone.
HTTP (really HTTPS now) for downloads, and SFTP/SCP for the use cases
where HTTP(S) won't really fit.

Second, if I remember right, .scr *is* a type of Windows executable
(originally used for screensavers). Thank Microsoft for that one... most
people wouldn't recognize .scr the way they would, say, .exe, .dll, and
the like. This is why I like the Unix method a lot better: if you want
to run something, you either have to feed it to something like bash or
python on the command line, or give it execute permissions. Of course,
the flip side of this is that mounting stuff over SMB has the executable
bit set on everything, even stuff for which an execute action would not
make any sense... which kind of shoots down this rudimentary security
mechanism. (Again, blame Microsoft, who clearly thinks the existence of
an execute permission bit is redundant.)

Not much I haven't said before, though:
<http://www.rantroulette.com/tag/microsoft>

-- 
Shawn K. Quinn <skquinn at rushpost.com>
http://www.rantroulette.com
http://www.skqrecordquest.com
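
A content-based check for the situation in this thread (an upload named Photo.scr that is a Windows executable), as an added example that is not part of the original post: it flags PE files in an upload tree by their header, whatever the extension. The function names and the sample header bytes are constructed for illustration.

```python
import os
import struct


def looks_like_pe(stream):
    """Check content, not the name: a DOS 'MZ' header whose e_lfanew
    field (offset 0x3C) points at a 'PE\\0\\0' signature."""
    header = stream.read(0x40)
    if len(header) < 0x40 or header[:2] != b"MZ":
        return False  # too short or no DOS header
    (e_lfanew,) = struct.unpack_from("<I", header, 0x3C)
    stream.seek(e_lfanew)  # seeking past EOF is fine; read() then returns b""
    return stream.read(4) == b"PE\0\0"


def scan_uploads(root):
    """Return sorted relative paths of every PE file under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    if looks_like_pe(f):
                        hits.append(os.path.relpath(path, root))
            except OSError:
                continue  # unreadable or removed mid-scan (upload in progress)
    return sorted(hits)


def constructed_pe_stub():
    """Constructed sample: header bytes only, not a working program."""
    return (b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x80)
            + b"\0" * 0x40 + b"PE\0\0")


if __name__ == "__main__":
    import sys
    for hit in scan_uploads(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("PE executable:", hit)
```

Because the check reads the header, the same stub is flagged whether it is named Photo.scr, holiday.jpg or anything else.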



More information about the cypherpunks mailing list