I've been using Mindspring.com as my website host
for a long time. But Mindspring uses (and apparently
will continue to use) simple ftp for file transfer.
Reading _Counter Hack Reloaded_, 2nd Ed., has convinced
me that I should look for an (OpenBSD) ISP that supports
SCP for file transfers. Is there a list of such servers?
(possibly at openbsd.org, although I did not spot it)
Or can anyone recommend some inexpensive sites?
(my website is not commercial).

Thanks,
Dave Feustel

--
Using OpenBSD with or without X & KDE?
http://dfeustel.home.mindspring.com

<dfeustel@mindspring.com> wrote in message
news:huRlg.2656$DI2.2057@trnddc05...
> I've been using Mindspring.com as my website host
> for a long time. But Mindspring uses (and apparently
> will continue to use) simple ftp for file transfer.
> Reading _Counter Hack Reloaded_, 2nd Ed., has convinced
> me that I should look for an (OpenBSD) ISP that supports
> SCP for file transfers. Is there a list of such servers?
> (possibly at openbsd.org, although I did not spot it)
> Or can anyone recommend some inexpensive sites?
> (my website is not commercial).

I run a webhosting business, primarily (but not exclusively) for independent
musicians. Been running OpenBSD since we started up in '99 (currently using
3.7; we upgrade every 2-3 years or so). However, we're still using FTP for
uploads (my clients are mostly not technical), but I'd be interested in
providing more secure alternatives. To be clear: FTP is indeed insecure, but
this doesn't make my systems insecure per se - as you'd expect from an
OpenBSD nut . We *don't* provide log-in accounts.

We're in the UK, if that makes any difference. Our servers are very lightly
loaded, are co-loco'ed on a big phat pipe, and hence are quite zippy... More
details on my site. Yell if I can help.

Steve
http://www.fivetrees.com

Begin <huRlg.2656$DI2.2057@trnddc05>
On 2006-06-20, dfeustel@mindspring.com <dfeustel@mindspring.com> wrote:
> I've been using Mindspring.com as my website host
> for a long time. But Mindspring uses (and apparently
> will continue to use) simple ftp for file transfer.

And why is that, do you think?

I am not necessairily defending the practice, but I am advocating
knowing the reasoning behind it, if any. If you look at how and what the
traffic passes, you will note that the need for securing data that will
subsequently be offered up to everyone on a website, varies with your
local network neighbourhood.


> Reading _Counter Hack Reloaded_, 2nd Ed., has convinced me

I haven't read the book but the title suggests it belongs to a sad
class of populistic and sensationalist books that do little more than
spread FUD and maybe a sense of urgency to fix it[2]. Those tend to be
extremely thick and full of screenshots and lots of little details and
must-do's and not enough solid background to make your own decisions.

I don't know about this book, but a quick read of a review by Rob Slade
on the RISKS list[1] of the predecessor (_Counter Hack_) does not
suggest this book is much above the rest.

Letting yourself be convinced in such a way as likely as not means that
you end up doing things that merely result in some sense of security,
but you still won't have the background to make a good solid tradeoff
accounting of your own.


Point in case: No amount of encryption of data on the wire will prevent
trojans on your windows box from grabbing the password and sending it
somewhere else. Yes, securing your file transfers would be better, but
you might have other things with more urgency to take care of. Can you
decide which needs attention first?


> [...] I should look for an (OpenBSD) ISP that supports SCP for file
> transfers.

There are more options than just scp and sftp. For example, ftps, that
is ftp/ssl or ftp/tls would do it in a pinch, and rsync/ssh is useful
for updating websites as well. There are probably some more protocols
(webdav/https, anyone?) with potential use.


> Is there a list of such servers?

Not that I know of. If you're serious about this, you can always start
one. I'd suggest including more than just isps that support scp/sftp.


[1] In itself a great source of discussion on computer related risks; at
least the digest is a must read for basically anyone who deals with
design and implementation of computer systems, especially ones that
deal with a greater public.
[2] But where this ``it'' is so fuzzy it might very well give rise to the
dreaded ``We must do something! This is something! We must do this!''

--
j p d (at) d s b (dot) t u d e l f t (dot) n l .
This message was originally posted on Usenet in plain text.
Any other representation, additions, or changes do not have my
consent and may be a violation of international copyright law.

jpd <read_the_sig@do.not.spam.it.invalid> wrote:
> Begin <huRlg.2656$DI2.2057@trnddc05>
> On 2006-06-20, dfeustel@mindspring.com <dfeustel@mindspring.com> wrote:
>> I've been using Mindspring.com as my website host
>> for a long time. But Mindspring uses (and apparently
>> will continue to use) simple ftp for file transfer.
>
> And why is that, do you think?
>
> I am not necessairily defending the practice, but I am advocating
> knowing the reasoning behind it, if any. If you look at how and what the
> traffic passes, you will note that the need for securing data that will
> subsequently be offered up to everyone on a website, varies with your
> local network neighbourhood.

My problem is that I may be suffering from a DOS against ftp uploads.
SCP would seem to eliminate at least some of the DOS/DDOS possibilities.

>> Reading _Counter Hack Reloaded_, 2nd Ed., has convinced me
>
> I haven't read the book but the title suggests it belongs to a sad
> class of populistic and sensationalist books that do little more than
> spread FUD and maybe a sense of urgency to fix it[2]. Those tend to be
> extremely thick and full of screenshots and lots of little details and
> must-do's and not enough solid background to make your own decisions.

You really should take a look at the book yourself.

> I don't know about this book, but a quick read of a review by Rob Slade
> on the RISKS list[1] of the predecessor (_Counter Hack_) does not
> suggest this book is much above the rest.

In my opinion, _CHR_ is good enough to make me consider buying a copy
for reference.

> Letting yourself be convinced in such a way as likely as not means that
> you end up doing things that merely result in some sense of security,
> but you still won't have the background to make a good solid tradeoff
> accounting of your own.

>
> Point in case: No amount of encryption of data on the wire will prevent
> trojans on your windows box from grabbing the password and sending it

I run OpenBSD, not windows.

> somewhere else. Yes, securing your file transfers would be better, but
> you might have other things with more urgency to take care of. Can you
> decide which needs attention first?

Securing my ability to ftp upload is currently my most important task.
Nothing else comes close.
>
>> [...] I should look for an (OpenBSD) ISP that supports SCP for file
>> transfers.
>
> There are more options than just scp and sftp. For example, ftps, that
> is ftp/ssl or ftp/tls would do it in a pinch, and rsync/ssh is useful
> for updating websites as well. There are probably some more protocols
> (webdav/https, anyone?) with potential use.

I am not infatuated with any specific secure protocol for ftp.
So far no ISPs I have used offer *any* secure method of ftp.
I would like to find an ISP that at least *offers* a secure ftp.

>> Is there a list of such servers?
>
> Not that I know of. If you're serious about this, you can always start
> one. I'd suggest including more than just isps that support scp/sftp.

My interest in such a list is using it to get an affordable ISP that
provides a secure ftp. IMHO it would definitely be a smart advocacy
move for OpenBSD.org to provide such information as part of its listing
of OpenBSD support.

--
Using OpenBSD with or without X & KDE?
http://dfeustel.home.mindspring.com

Steve at fivetrees <steve@nospamtafivetrees.com> wrote:
> <dfeustel@mindspring.com> wrote in message
> news:huRlg.2656$DI2.2057@trnddc05...
>> I've been using Mindspring.com as my website host
>> for a long time. But Mindspring uses (and apparently
>> will continue to use) simple ftp for file transfer.
>> Reading _Counter Hack Reloaded_, 2nd Ed., has convinced
>> me that I should look for an (OpenBSD) ISP that supports
>> SCP for file transfers. Is there a list of such servers?
>> (possibly at openbsd.org, although I did not spot it)
>> Or can anyone recommend some inexpensive sites?
>> (my website is not commercial).
>
> I run a webhosting business, primarily (but not exclusively) for
> independent musicians. Been running OpenBSD since we started up in
> '99 (currently using 3.7; we upgrade every 2-3 years or so). However,
> we're still using FTP for uploads (my clients are mostly not
> technical), but I'd be interested in providing more secure alternatives.
> To be clear: FTP is indeed insecure, but this doesn't make my systems
> insecure per se - as you'd expect from an OpenBSD nut . We *don't*
> provide log-in accounts.
>
> We're in the UK, if that makes any difference. Our servers are very
> lightly loaded, are co-loco'ed on a big phat pipe, and hence are
> quite zippy... More details on my site. Yell if I can help.
>
> http://www.fivetrees.com

All I need is a non-commercial website, email, and a secure way to ftp.
(I'm pretty sure that scp is part of the base install of OpenBSD).
A secure method of sending email and downloading pop email would be a
big plus. What would those services cost?

Thanks



--
Using OpenBSD with or without X & KDE?
http://dfeustel.home.mindspring.com

Begin <OhTlg.6571$Za5.6241@trnddc04>
On 2006-06-20, dfeustel@mindspring.com <dfeustel@mindspring.com> wrote:
> My problem is that I may be suffering from a DOS against ftp uploads.
> SCP would seem to eliminate at least some of the DOS/DDOS possibilities.

Let's see how this would work. D/DoSes work by swamping the target with
data, or send it data that causes a lot of work to be performed in vain,
or both, to the effect that it deprives legitimate users from using
the targeted resources. This is a definition you can find in any good
computer network security book.

Now, you propose to replace ftp with something else, and that has a
few consequences. You'll get a different isp, and that might make the
problems go away, but if it was *you* that was targeted, maybe the
attacker will re-target on you again?

Then, a different protocol, using a different port. If the attack is
port-targeted, this might help, but you don't need a protocol change for
that, as even FTP daemons support moving over to another port. If the
link itself is swamped, no protocol or port changes are going to save
you.

In addition, crypto is generally (and in the case of public key crypto,
especially) computing intensive; each connection setup requires quite a
lot of cpu cycles. So it's just as likely, if not more likely, you'll
worsen the situation.

I really don't see why or how, if you really have a D/DoS directed
against you, slapping on crypto would help, or how you came to be
convinced that it would help.


> You really should take a look at the book yourself.

If what you picked up from it is anything to go by, no thanks.

Your conviction you need to do something might be understandable but
your reasoning does need some work.


> My interest in such a list is using it to get an affordable ISP that
> provides a secure ftp. IMHO it would definitely be a smart advocacy
> move for OpenBSD.org to provide such information as part of its listing
> of OpenBSD support.

Then talk to the OpenBSD project directly, they probably have an
advocacy mailinglist somewhere, which would be a better place to propose
this. Still, someone needs to actually do it. Would you volunteer?


--
j p d (at) d s b (dot) t u d e l f t (dot) n l .
This message was originally posted on Usenet in plain text.
Any other representation, additions, or changes do not have my
consent and may be a violation of international copyright law.

jpd <read_the_sig@do.not.spam.it.invalid> wrote:
> Begin <OhTlg.6571$Za5.6241@trnddc04>
> On 2006-06-20, dfeustel@mindspring.com <dfeustel@mindspring.com> wrote:
>> My problem is that I may be suffering from a DOS against ftp uploads.
>> SCP would seem to eliminate at least some of the DOS/DDOS possibilities.
>
> Let's see how this would work. D/DoSes work by swamping the target with
> data, or send it data that causes a lot of work to be performed in vain,
> or both, to the effect that it deprives legitimate users from using
> the targeted resources. This is a definition you can find in any good
> computer network security book.

There is also session hijacking.

> Now, you propose to replace ftp with something else, and that has a
> few consequences. You'll get a different isp, and that might make the
> problems go away, but if it was *you* that was targeted, maybe the
> attacker will re-target on you again?

Very likely, if that is what is going on.

> Then, a different protocol, using a different port. If the attack is
> port-targeted, this might help, but you don't need a protocol change for
> that, as even FTP daemons support moving over to another port. If the
> link itself is swamped, no protocol or port changes are going to save
> you.
>
> In addition, crypto is generally (and in the case of public key crypto,
> especially) computing intensive; each connection setup requires quite a
> lot of cpu cycles. So it's just as likely, if not more likely, you'll
> worsen the situation.
>
> I really don't see why or how, if you really have a D/DoS directed
> against you, slapping on crypto would help, or how you came to be
> convinced that it would help.

A little more authentication might prevent session hijacking, if that is
what is going on. This is covered in _CounterHack Reloaded_.
>
>> You really should take a look at the book yourself.
>
> If what you picked up from it is anything to go by, no thanks.

Suit yourself.

> Your conviction you need to do something might be understandable but
> your reasoning does need some work.

>> My interest in such a list is using it to get an affordable ISP that
>> provides a secure ftp. IMHO it would definitely be a smart advocacy
>> move for OpenBSD.org to provide such information as part of its listing
>> of OpenBSD support.
>
> Then talk to the OpenBSD project directly, they probably have an
> advocacy mailinglist somewhere, which would be a better place to propose
> this. Still, someone needs to actually do it. Would you volunteer?

I think there are serious compatibility problems between me and a
number of subscribers to the OpenBSD misc mailing list.
I used to post regularly to misc. My posts were not appreciated and
I took a lot of abuse from some of the other posters.
I think it was a case of "shoot the messenger" since I discovered
several problems with security on OpenBSD. To be fair, the problems were
with X and with KDE, but the problems made OpenBSD insecure when KDE
was running. KDE developers regarded the problem as OpenBSD's and vice
versa. The KDE problem was partially fixed in 3.9. I stopped using X
after the OpenBSD developers said that real security could only be achieved
by not running X. Almost all of the problems I had been having stopped after
I reinstalled OpenBSD 3.9 without X. At any rate, it was suggested that
I stop posting on misc. So I stopped posting on misc and started posting
on a variety of unix-related newsgroups. This has worked out well for me.
Theo's project is too important for me to be constantly aggravating the
developers with my posts to misc. I appreciate the advice I got from Theo.

--
Using OpenBSD with or without X & KDE?
http://dfeustel.home.mindspring.com

dfeustel@mindspring.com wrote:
> jpd <read_the_sig@do.not.spam.it.invalid> wrote:
>> Begin <huRlg.2656$DI2.2057@trnddc05>
>> On 2006-06-20, dfeustel@mindspring.com <dfeustel@mindspring.com> wrote:
>>> I've been using Mindspring.com as my website host
>>> for a long time. But Mindspring uses (and apparently
>>> will continue to use) simple ftp for file transfer.
>>
>> And why is that, do you think?
>>
>> I am not necessairily defending the practice, but I am advocating
>> knowing the reasoning behind it, if any. If you look at how and what the
>> traffic passes, you will note that the need for securing data that will
>> subsequently be offered up to everyone on a website, varies with your
>> local network neighbourhood.
>
> My problem is that I may be suffering from a DOS against ftp uploads.
> SCP would seem to eliminate at least some of the DOS/DDOS possibilities.

Aside from the fact that SCP doesn't, what makes you believe you are the
target of a DoS? As opposed to, say, a not-quite-perfectly configured
system?

<snip>
>> somewhere else. Yes, securing your file transfers would be better, but
>> you might have other things with more urgency to take care of. Can you
>> decide which needs attention first?
>
> Securing my ability to ftp upload is currently my most important task.
> Nothing else comes close.

Well, that's basically impossible. A standard residential line can
always be DoS'ed by a sufficiently large botnet.

>>> [...] I should look for an (OpenBSD) ISP that supports SCP for file
>>> transfers.
>>
>> There are more options than just scp and sftp. For example, ftps, that
>> is ftp/ssl or ftp/tls would do it in a pinch, and rsync/ssh is useful
>> for updating websites as well. There are probably some more protocols
>> (webdav/https, anyone?) with potential use.
>
> I am not infatuated with any specific secure protocol for ftp.
> So far no ISPs I have used offer *any* secure method of ftp.
> I would like to find an ISP that at least *offers* a secure ftp.

Why? In almost all cases, you only FTP stuff that ends up on a
world-accessible page anyway, and commercial hosts are not sufficiently
secure to trust with anything you wouldn't trust FTP with.

Or, more to the point, it's almost always possible to at least read
your data after compromising another account, and compromising any
account is generally rather easy. OpenBSD has little to do with this;
it's mostly a matter of correctly configuring the web server used,
typically Apache. Basically, only suEXEC
<http://httpd.apache.org/docs/1.3/suexec.html> is likely to really
prevent this (PHP has several features, like safe_mode and open_basedir,
that try to give a chroot-like experience; sadly, they do not seem very
robust, and I'd not entrust really important data to such security).

Of course, suEXEC makes using mod_php and the like impossible - and the
traditional CGI paradigm requires starting a new php process for each
web page, which is very bad for performance.

FastCGI seems to solve at least some of these problems, but at the cost
of being more complicated and supported on few commercial hosts.

Finally, you could go the way I took - just run your own server. Sure,
people can still DoS you off the net, but at least you get to provide
your own security. Of course, if it's a server for the local students'
association, you still don't get to choose to kill PHP; but at least you
can implement *some* security (like updates only being possible over
Subversion over SSH).

>>> Is there a list of such servers?
>>
>> Not that I know of. If you're serious about this, you can always start
>> one. I'd suggest including more than just isps that support scp/sftp.
>
> My interest in such a list is using it to get an affordable ISP that
> provides a secure ftp. IMHO it would definitely be a smart advocacy
> move for OpenBSD.org to provide such information as part of its listing
> of OpenBSD support.

If you want secure webhosting, post a threat model and your requirements
(for instance, do you want DoS protection, confidentiality, ...?)

Joachim

Begin <_4Xlg.8651$nS5.5754@trnddc07>
On 2006-06-20, dfeustel@mindspring.com <dfeustel@mindspring.com> wrote:
>
> There is also session hijacking.

But that isn't what you said. If all you do is throw random
possibilities in the group just to say ``look what I read, mom!'', it
isn't worth bothering to discuss.


--
j p d (at) d s b (dot) t u d e l f t (dot) n l .
This message was originally posted on Usenet in plain text.
Any other representation, additions, or changes do not have my
consent and may be a violation of international copyright law.

While I have considerable respect for the technical talents of the
responders to the original post of this thread, they are drifting away
from my original problem, so I am not going to continue with this thread.
I appreciate the effort the responders put into this, but there is a
communication problem here caused, IMHO, by the restricted bandwidth of
email. Of course if you want to visit me here in downtown Fort Wayne to
discuss this further over a beer or two... :-)

Dave Feustel

jKILLSPAM.schipper@math.uu.nl wrote:
> dfeustel@mindspring.com wrote:
>> jpd <read_the_sig@do.not.spam.it.invalid> wrote:
>>> Begin <huRlg.2656$DI2.2057@trnddc05>
>>> On 2006-06-20, dfeustel@mindspring.com <dfeustel@mindspring.com> wrote:
>>>> I've been using Mindspring.com as my website host
>>>> for a long time. But Mindspring uses (and apparently
>>>> will continue to use) simple ftp for file transfer.
>>>
>>> And why is that, do you think?
>>>
>>> I am not necessairily defending the practice, but I am advocating
>>> knowing the reasoning behind it, if any. If you look at how and what the
>>> traffic passes, you will note that the need for securing data that will
>>> subsequently be offered up to everyone on a website, varies with your
>>> local network neighbourhood.
>>
>> My problem is that I may be suffering from a DOS against ftp uploads.
>> SCP would seem to eliminate at least some of the DOS/DDOS possibilities.
>
> Aside from the fact that SCP doesn't, what makes you believe you are the
> target of a DoS? As opposed to, say, a not-quite-perfectly configured
> system?
>
> <snip>
>>> somewhere else. Yes, securing your file transfers would be better, but
>>> you might have other things with more urgency to take care of. Can you
>>> decide which needs attention first?
>>
>> Securing my ability to ftp upload is currently my most important task.
>> Nothing else comes close.
>
> Well, that's basically impossible. A standard residential line can
> always be DoS'ed by a sufficiently large botnet.
>
>>>> [...] I should look for an (OpenBSD) ISP that supports SCP for file
>>>> transfers.
>>>
>>> There are more options than just scp and sftp. For example, ftps, that
>>> is ftp/ssl or ftp/tls would do it in a pinch, and rsync/ssh is useful
>>> for updating websites as well. There are probably some more protocols
>>> (webdav/https, anyone?) with potential use.
>>
>> I am not infatuated with any specific secure protocol for ftp.
>> So far no ISPs I have used offer *any* secure method of ftp.
>> I would like to find an ISP that at least *offers* a secure ftp.
>
> Why? In almost all cases, you only FTP stuff that ends up on a
> world-accessible page anyway, and commercial hosts are not sufficiently
> secure to trust with anything you wouldn't trust FTP with.
>
> Or, more to the point, it's almost always possible to at least read
> your data after compromising another account, and compromising any
> account is generally rather easy. OpenBSD has little to do with this;
> it's mostly a matter of correctly configuring the web server used,
> typically Apache. Basically, only suEXEC
> <http://httpd.apache.org/docs/1.3/suexec.html> is likely to really
> prevent this (PHP has several features, like safe_mode and open_basedir,
> that try to give a chroot-like experience; sadly, they do not seem very
> robust, and I'd not entrust really important data to such security).
>
> Of course, suEXEC makes using mod_php and the like impossible - and the
> traditional CGI paradigm requires starting a new php process for each
> web page, which is very bad for performance.
>
> FastCGI seems to solve at least some of these problems, but at the cost
> of being more complicated and supported on few commercial hosts.
>
> Finally, you could go the way I took - just run your own server. Sure,
> people can still DoS you off the net, but at least you get to provide
> your own security. Of course, if it's a server for the local students'
> association, you still don't get to choose to kill PHP; but at least you
> can implement *some* security (like updates only being possible over
> Subversion over SSH).
>
>>>> Is there a list of such servers?
>>>
>>> Not that I know of. If you're serious about this, you can always start
>>> one. I'd suggest including more than just isps that support scp/sftp.
>>
>> My interest in such a list is using it to get an affordable ISP that
>> provides a secure ftp. IMHO it would definitely be a smart advocacy
>> move for OpenBSD.org to provide such information as part of its listing
>> of OpenBSD support.
>
> If you want secure webhosting, post a threat model and your requirements
> (for instance, do you want DoS protection, confidentiality, ...?)
>
> Joachim

--
Using OpenBSD with or without X & KDE?
http://dfeustel.home.mindspring.com