walt <w41ter@×××××.com> writes:

> I've been reading the monthly security bulletin from sans.org for
> several years. During that time I've noticed some recurring themes,
> including multiple appearances from Adobe products like Flash.
>
> Another recurring theme is ftp servers (of which there are dozens)
> like this month's report:
>
> Platform: Cross Platform
> Title: Wing FTP Server "ssh public key" Authentication Security Bypass
> Vulnerability
> Description: Wing FTP Server is a secure file server for Windows, Linux,
> Mac, FreeBSD and Solaris. Wing FTP Server is exposed to a security bypass
> issue that affects the SSH authentication mechanism. Versions prior to
> Wing FTP Server 3.8.8 are affected.
> Ref: http://www.securityfocus.com/bid/48335/info
>
> Mind you, this is the first time I've seen Wing mentioned, but over the
> years there have been dozens of other ftp servers cited for other flaws
> in security.
>
> My question: WTF uses these poorly written ftp servers? Why do they
> exist? Who asked for them? Who wrote the code, and why?
>
> My tentative guess: either evil programmers, or incompetent programmers.
> (I suspect the intersection of the two sets is very small.)
>
> Many years ago when I was still using M$ Windows I wrote my own hex
> editor in Visual Basic. I can't explain why I chose to do it, other
> than as an exercise to learn Visual Basic. (I haven't used it since.)
>
> I'm quite certain that my hex editor would flunk even the most basic
> security tests today because I wasn't programming with security in mind.
> (In other words, I was the rankest of amateurs.)
>
> I'm running out of indignation now, and going to bed, but I'd welcome
> other indignant comments :)

Egad, such foolishness. What's wrong with them...

(How did I do for indignant? ; ) )