
Re: SOLUTION--Re: need help with anon FTP access via a web browser



On Wed, Aug 28, 2002 at 11:19:48PM -0400, Mark Besonen wrote:

> Yes, I recognize  the dangers of anonymous write  access, but if
> you  ratchet  down the  FTP  account  quota  to 100  megs,  that
> certainly helps to discourage abuse.  And by setting permissions
> at 333  on this writeable  directory, well, you can  obscure the
> contents of it even though people can still write to it.  Yes, I
> know  that if  you  know  the fully  qualified  name/path to  an
> uploaded file you  can still get to it, but  the 333 permissions
> at least prevent casual  browsers from stumbling across uploads.
> Since I  don't expect this  writeable directory to be  used much
> anyways,  a  simple cron  script  to  mail  a message  when  the
> directory content changes will also  help to keep me informed of
> possible abuse.
>
> If I've missed something major  in my assessment above, I'd love
> to hear about  it.  After all, I'm still  learning probably like
> most of the rest of you.

Unfortunately, there's one  kind of scenario I  don't think you've
fully thought through. Pardon me  if I pick an emotionally-charged
scenario....

Consider: a  child pornographer  discovers your open  server, puts
his latest photo shoot  in a zip file on it,  and advertises it on
USENET.  What are you going to tell the FBI when they question you
about it? What are you going to tell your boss? The scenario works
the  same  with pirated  software,  Al  Qaeda training  materials,
whatever.

Mr. Ross  already  mentioned  NiftyTelnet, which  sounds  like  it
should be  just fine,  even for your  patron. Here are  some other
suggestions for your particular situation:

    o Forget the 'Net. If she's got a Zip drive or some such, have
    her copy the files to a disk and put a stamp on it.

    o She's got a Mac. These  photos will eventually be published.
    Doesn't Apple  have a service  that lets you upload  photos to
    one of their  Web sites? If not, other  companies do. The fees
    are generally modest and the sites are designed just for folks
    like her.

    o Use  email. So what  if it takes  30% longer? Just  have her
    send you ten  megabytes before she leaves  for the day. You'll
    have the whole thing in a week.

    o  Create a  simple file  upload CGI  that lets  people upload
    files but not  download them. This opens you to  a DOS attack,
    but it's probably not a show-stopper of a vulnerability.

    o  If you  must use  FTP, don't  permit anonymous  uploads. As
    I   mentioned   earlier,   the   browsers   support   password
    authentication,  though   I  don't  remember  the   exact  URL
    syntax. Passwords  can  be  sniffed,  but it  raises  the  bar
    significantly. Also, run a cron job every minute to move files
    out of  the FTP area  into some secure location;  this permits
    uploads but severely restricts the possibility of downloads. A
    moderately sophisticated  attacker could  bounce files  off of
    you, but that's about it.

    o What may  be the ideal solution: contact somebody  in the IT
    department of  the college  nearest her. Hire that  person, or
    just promise a  tour of American historical  sites, tickets to
    the Boston Symphony, etc., the next  time the person is on the
    Eastern seaboard.

Hmm...that brings up a thought:  what country is she in? There may
be somebody on  this list nearby who'd be willing  to help. Or, if
you want to pay all my  expenses, I'd probably be willing to waive
my normal fees....

Good luck,

b&

--
Ben Goren
 mailto:ben_(_at_)_trumpetpower_(_dot_)_com
 http://www.trumpetpower.com/
 icbm:33o25'37"N_111o57'32"W
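As an added example (not Ben's own script and not part of the original thread), here is the "cron job every minute" sweep from the FTP suggestion above, written in POSIX sh: it moves finished uploads out of the anonymous incoming directory into a directory the FTP server cannot serve, and prints a count so cron's usual mail-on-output gives the change notification the quoted message asked for. The paths and the minimum-age threshold are assumptions.

```shell
#!/bin/sh
# Assumed locations: an anonymous-FTP incoming directory and a quarantine
# directory outside the FTP chroot. Run from cron, e.g. "* * * * *".
INCOMING="${INCOMING:-/var/ftp/incoming}"
QUARANTINE="${QUARANTINE:-/var/spool/ftp-quarantine}"
MIN_AGE_SECS="${MIN_AGE_SECS:-60}"   # skip files that may still be uploading

# sweep_uploads IN_DIR OUT_DIR MIN_AGE -> prints number of files moved
sweep_uploads() {
  in_dir=$1; out_dir=$2; min_age=$3
  moved=0
  now=$(date +%s)
  mkdir -p "$out_dir" || return 1
  chmod 700 "$out_dir"          # quarantine is readable by the owner only
  # plain and dot-file globs; unmatched patterns are filtered by -f below
  for f in "$in_dir"/* "$in_dir"/.[!.]* "$in_dir"/..?*; do
    [ -f "$f" ] && [ ! -L "$f" ] || continue
    # GNU stat first, BSD stat as fallback; skip anything we cannot stat
    mtime=$(stat -c %Y "$f" 2>/dev/null || stat -f %m "$f" 2>/dev/null) \
      || continue
    [ $((now - mtime)) -ge "$min_age" ] || continue
    # timestamp + pid + counter keeps uploaded names from colliding
    base=$(basename "$f")
    dest="$out_dir/$(date +%Y%m%dT%H%M%S)-$$-$moved-$base"
    mv -f "$f" "$dest" && moved=$((moved + 1))
  done
  echo "$moved"
}

# Top-level run; cron mails any output to the job owner, which is the
# "mail me when the directory changes" notification from the thread.
if [ -d "$INCOMING" ]; then
  count=$(sweep_uploads "$INCOMING" "$QUARANTINE" "$MIN_AGE_SECS")
  [ "$count" -gt 0 ] && echo "ftp-sweep: moved $count file(s) from $INCOMING"
fi
```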
