Slashdot Mirror


FTP Hacking on the Rise

yahoi writes "The disco-era File Transfer Protocol (FTP) is making a comeback, but not in a good way — spammers are now using the old-school file transfer technology to serve up bot malware, and even as a backdoor into some enterprises that neglect to lock down their oft-forgotten FTP servers. Researchers at F-Secure have spotted a new wave of exploits that use FTP — rather than a malicious URL, or an email attachment — to deliver their malware payloads because few gateways scan for FTP attachments these days."

212 comments

  1. What's next? by Anonymous Coward · · Score: 5, Funny

    Gopher?

    1. Re:What's next? by gnick · · Score: 5, Funny

      Gophers are actually not that hard to hack, although most of my experience is with prairie dogs. About 250 yards out with a decent scope and 'opening a port' is not that hard. Known exploit.

      --
      He's getting rather old, but he's a good mouse.
    2. Re:What's next? by PitaBred · · Score: 2, Funny

      Ever try opening a port with a .30-06? You don't have much left to hack...

    3. Re:What's next? by 3p1ph4ny · · Score: 2, Funny

      It depends on the architecture.

    4. Re:What's next? by Em+Adespoton · · Score: 1

      Nah; why use Gopher? It requires too much infrastructure and nobody has a client that can handle it anymore.... sort of like Archie.

      I'd place my bets on something like WAIS or LDAP myself ;)

    5. Re:What's next? by ObsessiveMathsFreak · · Score: 4, Funny

      WARNING: Attempting to hack Groundhogs may result in an infinite loop.

      --
      May the Maths Be with you!
    6. Re:What's next? by Anonymous Coward · · Score: 1, Funny

      Prairie dog or gopher, you're gonna have the same thing left, just different DNA ;)

    7. Re:What's next? by CronoCloud · · Score: 2, Insightful

      > nobody has a client that can handle it anymore

      Actually Lynx, Camino, Konqueror, Firefox, Mozilla/Seamonkey suite, and IE7 can all handle Gopher.

    8. Re:What's next? by yellowalienbaby · · Score: 1

      I'd rather try and get into Veronica

      --
      Darwin Hawking Blackmore
    9. Re:What's next? by Jeruvy · · Score: 1

      Regardless, you will not use that port again.

      --
      Jeruvy
  2. Uh oh by B3ryllium · · Score: 4, Insightful

    Further proof that FTP is for chumps. :) scp to the rescue!

    1. Re:Uh oh by Brian+Gordon · · Score: 3, Informative

      SCP? Still disco-era. Try sftp, might as well since we tunnel every other service under the sun through ssh.

    2. Re:Uh oh by B3ryllium · · Score: 5, Insightful

      Disco-era? It was first implemented in 1995. That's the New Kids era, not the Disco era.

    3. Re:Uh oh by Critical+Facilities · · Score: 2, Interesting

      Yeah, cause no one uses FTP anymore, right?

    4. Re:Uh oh by B3ryllium · · Score: 1

      I dunno about you, but I downloaded my last two distro ISOs (Knoppix and Ubuntu) using BitTorrent ... :)

    5. Re:Uh oh by Critical+Facilities · · Score: 1

      Whoops, that first "no one" was supposed to have that link.

    6. Re:Uh oh by Critical+Facilities · · Score: 1

      Absolutely I did, but I'm just saying it's not like FTP is obscure.

    7. Re:Uh oh by ivan256 · · Score: 5, Insightful

      Some of us don't care to waste cycles encrypting data that doesn't need to be encrypted.

    8. Re:Uh oh by winkydink · · Score: 5, Funny

      Agree. The disco era ended sometime in the late 70's / early 80's. Of course, that's before half of the /. posters were born, so it's understandable that they wouldn't know this.

      Hey! You! Get off my lawn!

      --

      "I'd rather be a lightning rod than a seismometer." -Ken Kesey

    9. Re:Uh oh by B3ryllium · · Score: 3, Funny

      ... you probably recycle your waste electrons, too, don't you?

    10. Re:Uh oh by gnick · · Score: 1

      What do you suggest I do when my bit-bucket fills up?

      --
      He's getting rather old, but he's a good mouse.
    11. Re:Uh oh by Anonymous Coward · · Score: 2, Informative

      > Disco-era? It was first implemented in 1995.

      Then why were people writing about it in 1971?
      http://tools.ietf.org/html/rfc114

    12. Re:Uh oh by ajs · · Score: 1

      Disco-era? FTP?! Hmmm... last I checked, FTP was one of the world's most widely used file transfer protocols.

      ... and so on.

    13. Re:Uh oh by B3ryllium · · Score: 2, Insightful

      "Disco-era" is meant literally in the case of the original post, since its advent coincides with that of disco music.

      And being one of the most widely used protocols doesn't mean it's not for chumps. It just means there are a lot of chumps.

    14. Re:Uh oh by Anonymous Coward · · Score: 5, Funny

      > The disco era ended sometime in the late 70's / early 80's.

      It didn't end, it just got too cool for you.

      -- Disco Stu
    15. Re:Uh oh by Otto · · Score: 1

      All the FTP usage is probably under a couple of percent. Torrents surpassed 50% of the total internet traffic some time ago.

      --
      - Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
    16. Re:Uh oh by leamanc · · Score: 1

      The history lesson continues. 1995 was hardly the New Kids era. Their era ended in '90 or '91. The New Kids put out a ridiculous pseudo-gangsta album in 1994 as NKOTB and broke up shortly thereafter.

      If anything, 1995 was the post-grunge hangover era. Bands like Bush, Seven Mary Three and POTUSA ruled the airwaves. And Alanis. Unfortunately, I associate 1995 with hearing "You Oughta Know" 18 times a day on the radio.

      --
      :q!
    17. Re:Uh oh by fizzup · · Score: 4, Informative

      I think you may have misunderstood. RFC 114 refers to FTP, which is from the 70s. The poster was talking about scp, which is certainly from the mid-90s.

      Now, whether 1971 counts as disco-era is another question. I would say that it is pre-disco, since every school child knows that the disco era started with Soul Makossa in 1973.

    18. Re:Uh oh by driddle · · Score: 0, Redundant

      I think you mean the current generation of FTP was created in 1985 not 1995.

      See http://tools.ietf.org/html/rfc959

      But that was not the first RFC published on FTP; the first was in 1971:

      http://tools.ietf.org/html/rfc114

      Here is a history of FTP:

      The first FTP standard was RFC 114, published in April 1971, before TCP and IP even existed. This standard defined the basic commands of the protocol and the formal means by which devices communicate using it. At this time the predecessor of TCP (called simply the Network Control Protocol or NCP) was used for conveying network traffic. There was no Internet back then. Its precursor, the ARPAnet, was tiny, consisting of only a small group of development computers.

      A number of subsequent RFCs refined the operation of this early version of FTP, with revisions published as RFC 172 in June 1971 and RFC 265 in November 1971. The first major revision was RFC 354, July 1972, which for the first time contained a description of the overall communication model used by modern TCP, and details on many of the current features of the protocol. In subsequent months many additional RFCs were published, defining features for FTP or raising issues with it. By RFC 542, August 1973, the FTP specification looks remarkably similar to the one we use today, over three decades later, except that it was still defined to run over NCP.

      After a number of subsequent RFCs to define and discuss changes, the formal standard for modern FTP was published in RFC 765, File Transfer Protocol Specification, June 1980. This was the first standard to define FTP operation over modern TCP/IP, and was created at around the same time as the other primary defining standards for TCP/IP.

      RFC 959, File Transfer Protocol (FTP), was published in October 1985 and made some revisions to RFC 765, including the addition of several new commands, and is now the base specification for FTP. Since that time a number of other standards have been published that define extensions to FTP, better security measures and other features. (Some of these are discussed in the general operation section in the appropriate places.)

      http://www.primusweb.com/fitnesspartner/library/activity/gf_guide1.htm

    19. Re:Uh oh by cHiphead · · Score: 1

      More than that, this is not news at ALL. All of the malware has been using FTP for years; it's the 'other' distribution methods that seem to be showing up a little more often, but FTP traffic is a lot less suspicious on a very large LAN.

      Cheers.

      --

      This is my sig. There are many like it, but this one is mine.
    20. Re:Uh oh by klx · · Score: 1

      New Kids era? They were implemented in 1986. Try Hanson era.

    21. Re:Uh oh by B3ryllium · · Score: 1

      Fair enough. :)

    22. Re:Uh oh by revlee · · Score: 1

      1995? That may have been when you first used it, but the RFCs (http://www.wu-ftpd.org/rfc/) date back to 1971.

    23. Re:Uh oh by B3ryllium · · Score: 1, Redundant

      OP said that FTP was for chumps, and that SCP was the new shizzle. GP said that SCP was just as disco-era as FTP. Parent countered that SCP was implemented in 1995, indicating that FTP is literally disco-era.

    24. Re:Uh oh by nschubach · · Score: 2, Funny

      Disco is NOT dead. Disco is LIFE!

      --
      Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
    25. Re:Uh oh by HTH+NE1 · · Score: 4, Informative

      Hmm, scp has built-in support for transferring an entire directory with one command natively, but sftp can be used to transfer files between two servers while being controlled from a third site such that the transfer doesn't pass through the controlling client (useful for maintaining from a dial-up connection two high-speed servers that don't grant shell access).

      Decisions, decisions.

      --
      Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
    26. Re:Uh oh by srck · · Score: 1

      http://tools.ietf.org/html/rfc959 refers to the 1985 FTP spec, itself obsoleting 1980's http://tools.ietf.org/html/rfc765, so "disco-era" would be fair.

    27. Re:Uh oh by winkydink · · Score: 1

      Nice leisure suit, Larry.

      --

      "I'd rather be a lightning rod than a seismometer." -Ken Kesey

    28. Re:Uh oh by Brian+Gordon · · Score: 1

      SFTP is the more fully-featured protocol, says so right on wikipedia.

    29. Re:Uh oh by HTH+NE1 · · Score: 1

      Dude, don't you know that it's Slashdot-hip to be ultra-paranoid about absolutely everything? Picking and choosing your encryption needs based upon, gasp, practicality and with an eye toward efficient use of your technological resources isn't going to win you any points around this place. I don't say any more until the CSM-25 counter measure filter is activated.

      --
      Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
    30. Re:Uh oh by blincoln · · Score: 1

      SCP also doesn't allow things like directory listings. While that may be advantageous in some situations, it rules it out as a full FTP replacement. SFTP and FTP-over-SSL are the two main public protocols I'm aware of that allow that kind of thing.

      --
      "...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
    31. Re:Uh oh by Anonymous Coward · · Score: 0

      If you encrypt only the data that you deem "needs" to be encrypted, then your ISP knows to just assume that any encrypted traffic coming from you must be illicit.

      If you encrypt everything, then they waste millions of processor cycles deciphering your grocery list.

      If Comcast is going to fuck around with my traffic, I'm going to make it nearly impossible for them to see what I'm doing.

    32. Re:Uh oh by Blackknight · · Score: 1

      The problem is a lot of programs do not support sftp, and accounts that have shell access turned off are SOL anyway since ssh needs a shell to work. While there are solutions like jailing users and restricted ssh, they're a pain to set up and you still need the application support anyway.

    33. Re:Uh oh by C0vardeAn0nim0 · · Score: 1

      SCP is new stuff, tunneled over ssh. I think you mean RCP, dontcha? The old school non-encrypted stuff that could be configured to work without password using .rhosts on the destination host.

      that's why we disable it in all unix boxes here at work.

      --
      What ? Me, worry ?
    34. Re:Uh oh by realmolo · · Score: 1

      Oh, please. "Wasting cycles"? You might as well encrypt ALL your data that travels over the Internet. It's free. It's easy. And, let's be honest, SCP is simpler to deal with than FTP in almost every way. The only catch is that Windows users will need to download an SCP client like WinSCP. Which, incidentally, does FTP, too.

      And I don't want to hear the "but everyone already has an FTP client". Well, yeah, technically. But on Windows, you have either command-line FTP, which is too hard to use for most people, or the built-in FTP of Internet Explorer, which doesn't work worth a shit.

    35. Re:Uh oh by B3ryllium · · Score: 2, Informative

      Yes, you're correct, except for the fact that the GP had called SCP "disco-era", in apparent disregard for the context of that phrase's usage. I was merely correcting the timeframe of SCP's inception.

    36. Re:Uh oh by Brian+Gordon · · Score: 1

      No, SFTP is newer and more fully-featured than SCP. From wikipedia:

      > For most applications, the SCP protocol is superseded by the more comprehensive SFTP protocol, which is also based on SSH.

    37. Re:Uh oh by witherstaff · · Score: 1

      I assume you mean '85? RFC 959. But even by then leisure suits were on the way out - except for Sierra games ;)

      On a side note, why is the next Leisure Suit Larry game only for the PS3 and XBOX, but not the Wii? Talk about missing an opportunity for using the Wiimote for gameplay...

    38. Re:Uh oh by Anonymous Coward · · Score: 0

      > ... you probably recycle your waste electrons, too, don't you?

      I don't know how you manage, but I don't like having my hair stand on end all the time.
      Technically, you could say that I'm actually dumping electrons into my environment, but I prefer to call it recycling.

    39. Re:Uh oh by B3ryllium · · Score: 1

      Why does everyone on Slashdot seem to lack reading comprehension today? The GP accused SCP of being "still disco-era", so I corrected him.

    40. Re:Uh oh by Chysn · · Score: 1

      > OP said that FTP was for chumps, and that SCP was the new shizzle. GP said that SCP was just as disco-era as FTP. Parent countered that SCP was
      > implemented in 1995, indicating that FTP is literally disco-era.

      Thanks for the recap. If a bunch of geeks can't reach consensus on which technologies correspond to which musical trends, I'm just gonna go back to X-MODEM.

      --
      --I'm so big, my sig has its own sig.
      -- See?
    41. Re:Uh oh by B3ryllium · · Score: 1

      XModem is for chumps. ZModem for the win!

    42. Re:Uh oh by ajs · · Score: 1

      > All the FTP usage is probably under a couple of percent. Torrents surpassed 50% of the total internet traffic some time ago.

      Yes, but when you look at specific kinds of distribution, FTP is still a major player. Specifically, it's the primary business-to-business data distribution protocol (at least in every industry I've ever worked in).

    43. Re:Uh oh by ivan256 · · Score: 1

      It's not free. It's easy, sure, but it has performance costs. Low end or virtualized servers will serve fewer users if you are spending CPU cycles encrypting content (all servers, really, but high-end high-power systems are less likely to be pegged). CPUs switch out of power saving mode and consume more electricity if you are doing heavy amounts of encryption. Encryption is frequently a bottleneck in high speed data transfers on fast networks. So it's not free. It's far from free. Hence you are entirely wrong.

    44. Re:Uh oh by ivan256 · · Score: 1

      You could make it completely impossible for them to see what you're doing by using another provider.

      You are clearly a content consumer, and not a content provider anyway, so you could probably care less about the reasons you may wish to save processing power by not encrypting. And I'm not talking about P2P.... The most prolific BitTorrent participant has nothing on a serious content distributor.

    45. Re:Uh oh by funkboy · · Score: 1

      Which is why we use RSync...

    46. Re:Uh oh by Reaperducer · · Score: 1

      Zmodem is for Johnny-come-latelys.

      Punter FTW!

      ACK ACK ACK

      --
      -- I'm old enough to have lived through six different meanings of the word "hacker."
    47. Re:Uh oh by Anonymous Coward · · Score: 0

      No. No, no, no, no, and no. SCP does not support proper handling of symlinks, nor does the most popular SSH server (OpenSSH) provide a chroot environment to protect system files from prying users. The OpenSSH authors have been offered numerous toolkits and patch sets to generate proper chroot cages. They've been rejected on the grounds that "if your server isn't secure, why are you running an SSH server on it?"

      SSH is also far too commonly used with un-password-protected SSH keys, a flaw that could be addressed by making it more awkward to create such keys, but which no user passkey generation tools currently do.

      Instead, use WebDAV over HTTPS, which can provide easy browsable access, has plenty of good GUIs for it, and is built directly into Microsoft Windows' "Network Neighborhood" tool and some contemporary web design tools. Or for more sophisticated access to symlinks and proper file ownership, run rsync over an stunnel.

    48. Re:Uh oh by Antique+Geekmeister · · Score: 1

      FTP should, for obvious password sniffing security reasons, only be a major player for anonymous downloads. It's antique, robust, and well supported. For upload, you're insane to use it. Numerous properly authenticated and encrypted techniques exist for that, and they can run in parallel to FTP to allow secure remote control of the download site.

    49. Re:Uh oh by Fnordulicious · · Score: 1

      Whatever. Kermit works everywhere.

    50. Re:Uh oh by bug1 · · Score: 1

      SCP can't list the contents of a directory, and neither can http; there is no equivalent to ftp.

    51. Re:Uh oh by IntlHarvester · · Score: 1

      Unfortunately, numerous properly authenticated and encrypted techniques aren't supported by Windows Explorer (well, WebDAV/SSL, which has its own set of problems). So authenticated FTP remains pretty popular simply due to ease of use.

      --
      Business. Numbers. Money. People. Computer World.
    52. Re:Uh oh by Fred_A · · Score: 1

      > What do you suggest I do when my bit-bucket fills up?

      I use mine as compost for my B-trees.

      --
      May contain traces of nut.
      Made from the freshest electrons.
    53. Re:Uh oh by ivan256 · · Score: 1

      I go out of my way to configure my servers to be low-power. Mostly because they cost more in electricity to run over their lifespan than the hardware cost up front by a factor of five. I can log into the managed power bar in my rack and know immediately which servers are serving SSL content, and which aren't. It's an 11 watt difference (35w, 46w) because the CPU goes from its slowest mode to a few steps up.

    54. Re:Uh oh by Otto · · Score: 1

      > Yes, but when you look at specific kinds of distribution, FTP is still a major player. Specifically, it's the primary business-to-business data distribution protocol (at least in every industry I've ever worked in).

      Sounds like some rather unimportant industries. We (an unnamed Fortune 500 company) use scp for most of our file transfers, because we need encryption. It's rather hard to claim you are taking proper security measures when your important financial data is being sent over the public network in the clear.

      All of the banks we deal with and have to transfer data back and forth to (half a dozen of them) support secure protocols. None of them allow FTP.

      Now, for those people who don't support anything but FTP, we use VPNs to connect to them so that we can encrypt the whole thing (because everybody has a VPN in some way, and trying to get people to use SFTP is an exercise in futility). However, this is simply procedure, a lot of this data is not particularly critical and could probably stand to go unencrypted. It's simply our company policy that any automated data transfer that travels outside the firewall must be using a secure method to do it. I would think that any major industry has the same policy.

      --
      - Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
  3. Big deal.. by Junta · · Score: 5, Insightful

    First off, since when is a 'URL' considered a transport mechanism rather than syntax for specifying a transport mechanism and location? Is ftp://whatever.example.com/badcode/ not a URL because it's ftp now? That's a goofy statement.

    And then, this isn't about ftp being hacked, just that bad software is being hosted using ftp as well as http (which I presume is what is meant by 'URL') or being emailed.

    And, ftp is not merely an ancient, deprecated protocol. It's still widely used because it does what it is intended for well and works under high load readily.

    --
    XML is like violence. If it doesn't solve the problem, use more.
    1. Re:Big deal.. by Ed+Avis · · Score: 1

      It's true that ftp works reliably under high load. Then again, so does http. If you just want to serve some files to an anonymous public, I can't see much reason to not just put them in a directory and let Apache serve them - or some faster web server if you really have such a fast network link that Apache can't saturate it.

      For authenticated file transfers, is there any reason to use ftp instead of the ssh file transfer protocol (sftp)?

      --
      -- Ed Avis ed@membled.com
    2. Re:Big deal.. by Sebastian+Reichelt · · Score: 1

      You are correct about the mistakes in the summary. However, this is also about FTP servers being hacked, to make them distribute the malware in the first place. Getting upload access to an abandoned FTP server is probably much easier than using SSH or some Windows folder sharing stuff, especially since you automatically have a URL where everyone can download the malware.

    3. Re:Big deal.. by Firehed · · Score: 1

      Depends on the sensitivity of what's being transported. With both protocols, all you need (from a user perspective anyways) is a good login and password. But if someone is eavesdropping on the connection, you really don't want your DB connection credentials or latest internal builds going over a plaintext line.

      --
      How are sites slashdotted when nobody reads TFAs?
    4. Re:Big deal.. by PlusFiveTroll · · Score: 2, Insightful

      Yes because http is the best way to download a directory of uncompressed files all at once

      Stuffing everything in a big compressed file sucks for dial up users, ftp has its purpose.

    5. Re:Big deal.. by garett_spencley · · Score: 3, Informative

      "For authenticated file transfers, is there any reason to use ftp instead of the ssh file transfer protocol (sftp)?"

      Unfortunately there's a lot of software that simply does not support ssh/scp/sftp and will only work with FTP. Joomla is an example of a CMS that uses FTP to update template files and such that the web server can not write to. In this case you create an FTP server that listens on 127.0.0.1:21 and the PHP script, run under the web server user, FTPs to the host and logs in under a different user to upload the changes.

      I've also got some business software that I run on my local machine that FTPs to my web server to upload new files. I really wish it would support ssh but it doesn't.

      Maybe ssh tunnels are the way to go for such situations? Either way FTP is still used for such circumstances. These programmers really need to get with the times.

    6. Re:Big deal.. by Mr.+Sketch · · Score: 4, Insightful

      > is there any reason to use ftp instead of the ssh file transfer protocol (sftp)?

      Well, since no version of Windows I know of comes with SSH/SCP/SFTP support out of the box, I think you have your reason right there. People don't want to have to download third party programs to do what they consider basic tasks, so providers fall back to protocols that have wide support (HTTP/FTP). Bittorrent seems to be an anomaly in this argument, but probably because it has more uses.

    7. Re:Big deal.. by daveime · · Score: 1, Troll

      Yes, because if it did, they'd just be accused of anti-competitive practices ONCE AGAIN, bad old Microsoft, stealing the food from the mouths of poor SSH client developers, naughty naughty. Damned if they do, damned if they don't :-(

    8. Re:Big deal.. by cromar · · Score: 1

      Couldn't you use SSH tunneling?

    9. Re:Big deal.. by Hatta · · Score: 2, Informative

      I trust the security of vsftpd more than I do apache.

      --
      Give me Classic Slashdot or give me death!
    10. Re:Big deal.. by Ferzerp · · Score: 1

      I don't really think this is a troll. It is pretty true.

    11. Re:Big deal.. by faxafloi · · Score: 1

      > For authenticated file transfers, is there any reason to use ftp instead of the ssh file transfer protocol (sftp)?

      Depends on how they're authenticated. If your customer has a shell account on your machine, you're right. But some ftp servers can authenticate against, say, ldap or a database. That keeps your customers out of /etc/passwd.

      You could certainly do this for a few files with http. But when there are ~2000 files totaling ~100 GB, and the customer is of the old school who probably doesn't know (or care) what torrent is, ftp is the way to go.

      --
      Exit, pursued by a bear.
    12. Re:Big deal.. by TheThiefMaster · · Score: 1

      Ok, so the only real advantage ftp has over http is the ability to "list" files in a machine-understandable way to allow mass-downloads?

      I can't think of anything else.

      The only other "feature" that I know of is that the protocol supports one client requesting a file transfer for a different client, but is that ever used?

    13. Re:Big deal.. by ajs318 · · Score: 1

      You could {and BTW, there are actually two L's in "tunnelling"} but it wouldn't solve the problem here. The problem here is that people are using FTP to upload material {such as phishing site backends} to servers. The solution is actually to disable mod_userdir in Apache -- because then the phishing site can't be downloaded by recipients of the phishing e-mails.

      --
      Je fume. Tu fumes. Nous fûmes!
    14. Re:Big deal.. by Obfuscant · · Score: 1

      Well configured ftp servers don't allow download of files that have been uploaded. Mine doesn't even allow you to 'ls' the upload directory. It's a black hole.
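
An added example (not code from any poster in this thread) that turns the two points above into detection logic: Sebastian Reichelt's observation that abandoned FTP servers get upload access abused to host malware, and Obfuscant's write-only "black hole" upload directory. It scans transfer records in the xferlog format that vsftpd and wu-ftpd write, flagging anonymous uploads of executables and any download served out of the upload directory. The sample log lines, the /pub/incoming/ path and the extension list are constructed assumptions.

```python
"""Scan an FTP transfer log in xferlog format (written by vsftpd and
wu-ftpd) for signs that a server is being used as a malware drop.

Constructed example. Assumptions: the standard 18-field xferlog layout
(servers write spaces in filenames as underscores, so whitespace splitting
is safe); anonymous uploads may only land under UPLOAD_DIR; and nothing
under UPLOAD_DIR is ever meant to be served back (the "black hole" setup
described in the thread).
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

UPLOAD_DIR = "/pub/incoming/"   # assumed write-only drop directory
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".dll")  # assumed list

# Constructed sample log (RFC 5737 documentation addresses).  Field order:
# date (5 tokens), transfer seconds, remote host, bytes, path, type,
# special action, direction, access mode, user, service, auth method,
# auth user id, completion status.
SAMPLE_LOG = """\
Mon Jun  4 12:01:33 2007 1 192.0.2.10 120832 /pub/incoming/update.exe b _ i a anonymous@ ftp 0 * c
Mon Jun  4 12:02:10 2007 2 192.0.2.11 4096 /pub/readme.txt a _ o a mozilla@ ftp 0 * c
Mon Jun  4 12:05:41 2007 1 198.51.100.7 120832 /pub/incoming/update.exe b _ o a x@x ftp 0 * c
Mon Jun  4 12:06:02 2007 3 203.0.113.5 2048 /home/alice/report.pdf b _ i r alice ftp 0 * c
Mon Jun  4 12:07:15 2007 1 198.51.100.8 120832 /pub/incoming/update.exe b _ o a anonymous@ ftp 0 * i
"""


@dataclass(frozen=True)
class Transfer:
    timestamp: str
    remote_host: str
    size: int
    path: str
    direction: str   # "i" = upload to the server, "o" = download from it
    access: str      # "a" anonymous, "g" guest, "r" real (local) user
    user: str
    complete: bool   # "c" complete, "i" incomplete


def parse_xferlog_line(line: str) -> Optional[Transfer]:
    """Parse one xferlog record; return None for malformed lines."""
    f = line.split()
    if len(f) != 18 or f[11] not in ("i", "o") or not f[7].isdigit():
        return None
    return Transfer(
        timestamp=" ".join(f[:5]),
        remote_host=f[6],
        size=int(f[7]),
        path=f[8],
        direction=f[11],
        access=f[12],
        user=f[13],
        complete=(f[17] == "c"),
    )


def find_suspicious(log_text: str) -> List[Tuple[str, Transfer]]:
    """Return (reason, transfer) pairs an analyst should look at."""
    findings: List[Tuple[str, Transfer]] = []
    uploaded: Set[str] = set()     # paths that arrived via anonymous upload
    for line in log_text.splitlines():
        t = parse_xferlog_line(line)
        if t is None:
            continue
        if t.direction == "i" and t.access == "a":
            uploaded.add(t.path)
            if t.path.lower().endswith(EXEC_EXT):
                findings.append(("anonymous upload of executable", t))
            elif not t.path.startswith(UPLOAD_DIR):
                findings.append(("anonymous upload outside drop directory", t))
        elif t.direction == "o" and t.path.startswith(UPLOAD_DIR):
            # A write-only drop directory must never serve files back; a
            # download from it means the server is acting as a distribution point.
            reason = "drop directory served to client"
            if t.path in uploaded:
                reason += " (same file seen uploaded earlier in this log)"
            findings.append((reason, t))
    return findings


def served_counts(findings: List[Tuple[str, Transfer]]) -> dict:
    """How many distinct hosts fetched each file out of the drop directory."""
    hosts: dict = {}
    for reason, t in findings:
        if reason.startswith("drop directory served"):
            hosts.setdefault(t.path, set()).add(t.remote_host)
    return {path: len(h) for path, h in hosts.items()}


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG)
    for reason, t in hits:
        print(f"{t.timestamp}  {t.remote_host:<14} {t.path}  <- {reason}")
    print("distinct downloaders per drop-dir file:", served_counts(hits))
```

Incomplete downloads (status "i") are still counted, since a client that started fetching from the drop directory is as interesting as one that finished.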

    15. Re:Big deal.. by cromar · · Score: 1

      That may well be a fix for the attack in the article, but I was replying to garett's problems with programs that don't support SSH directly.

      And by the way, it's "tunneling" not "tunelling." US English FTW ;P LOL

    16. Re:Big deal.. by ajs318 · · Score: 1

      Look, I can forgive the Pilgrim Fathers not taking a copy of the Oxford English Dictionary on the Mayflower -- they probably had more important things to think about at the time. I can even forgive them naming the place they landed (Plymouth, Massachusetts) after the place they set off from (Plymouth, Devon). However, you've since had the better part of 400 years (and two Industrial Revolutions) in which either to learn to spell our language properly or to invent your own language. What's your sorry excuse?

      --
      Je fume. Tu fumes. Nous fûmes!
    17. Re:Big deal.. by cromar · · Score: 1

      Wow. You're actually pissed off about this. And being a huge dick.

    18. Re:Big deal.. by CoreDump01 · · Score: 1

      > I can't think of anything else.

      cd $some-directory
      prompt
      mget *

      Looks pretty efficient to me...

    19. Re:Big deal.. by rdradar · · Score: 1

      How do you do server to server transfers with http? With FTP you can FXP the files directly from one server to another. This is great if you're moving large files occasionally, since your own crappy upload speed won't get in the way.

    20. Re:Big deal.. by damn_registrars · · Score: 1

      > stealing the food from the mouths of poor SSH client developers, naughty naughty

      I don't know about you, but I don't know anyone who is making money as an SSH developer. It comes (at least partially) from the OpenBSD project, which is non-profit. And many of the ssh clients and servers that are out there for windows (putty and cygwin, to name one for each) are free anyways.

      So I'm not sure that there is really any food to steal. These guys make their money elsewhere, from what I can tell.

      Hence, I think we need to look elsewhere for the reason why Microsoft doesn't include even basic ssh client functionality in their operating systems. I vote for laziness myself...

      --
      Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    21. Re:Big deal.. by Mr.+Sketch · · Score: 1

      You mean people pay for an SSH client? I have only used free clients, namely PuTTY and WinSCP for SSH/SFTP access on Windows and they seem to work just fine and I've never had a reason to seek out an alternate version.

    22. Re:Big deal.. by jafiwam · · Score: 1

      Another big player (Microsoft) has been really slow on this too.

      Just about the only secure protocol that's easy and already ready to use with Windows server 2k3 is HTTPS. And it's a pain in the rear to do self-signed certificates with it.

      No support for SFTP, SSH, SCP or anything else without third party apps.

      I have been told but not seen that the new server OS supports SFTP. But, when Win2k3 came out, it was a really really stupid move not to include SFTP.

    23. Re:Big deal.. by HTH+NE1 · · Score: 1

      Early on, some people were hosting the images on their websites using ftp URLs instead of http URLs. Browsers with FTP support were adhering to the social norm that, when logging in to an FTP site as "anonymous", the user was to send his e-mail address as the password. (Some FTP sites would deny access to anonymous logins if the domain in the password didn't match, but would accept "username@" as implying that the domain was consistent.)

      This was a quick way to illicitly harvest web surfers' e-mail addresses, and was why I never gave a browser my e-mail address and instead always used dedicated e-mail software to read e-mail, preferably something that also wouldn't open any connections to download data for any embedded content in HTML e-mails like images, frames, iframes, java applets, javascripts, flash content, etc.

      --
      Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
    24. Re:Big deal.. by JLennox · · Score: 1

      People pay for their web browser?

    25. Re:Big deal.. by Cat+Panic · · Score: 1

      If people are told to use it, they will.

    26. Re:Big deal.. by Alpha830RulZ · · Score: 1

      Still pissed about losing that little war, aren't we? Sorry about the empire, too.

      --
      I was taught to respect my elders. The trouble is, it's getting harder and harder to find some.
    27. Re:Big deal.. by Anonymous Coward · · Score: 0

      We piss in your tea every day, btw..

    28. Re:Big deal.. by Fred_A · · Score: 1

      Well configured ftp servers don't allow download of files that have been uploaded. Mine doesn't even allow you to 'ls' the upload directory. It's a black hole. I seem to remember that was actually the default configuration of anon FTP servers by a lot of Linux distributions (been a while since I actually installed an anon FTP server though). Which makes sense as it is sort of a standard setup.
      --
      May contain traces of nut.
      Made from the freshest electrons.
    29. Re:Big deal.. by Ed+Avis · · Score: 1

      Well, since no version of Windows I know of comes with SSH/SCP/SFTP support out of the box, I think you have your reason right there.
      But even if you have Windows clients, still, why would you try to use ftp for authenticated transfers? It is sending the password in plain text where anyone can sniff it, and there is no protection against someone reading or modifying the data in transit. If your data is not sensitive then just allow anonymous access. Windows may not include an sftp client but it does come with Internet Explorer which is capable of doing https and securely sending a username/password to authenticate. Again, is there any reason to use ftp?

      The only situation I can think of is where you want to restrict access but you don't really care about security. For example only paying customers have access to the FTP site, but the data you publish is essentially non-secret. Then you could require a username and password to connect, even though you know it won't stop a determined attacker sniffing the network traffic. But even in this situation http or https with username/password authentication could do the job just as well.
      --
      -- Ed Avis ed@membled.com
    30. Re:Big deal.. by Ed+Avis · · Score: 1

      In some ways that is a big advantage, if you want to automate filesystem-ish operations like traversing directories, creating new files with a given name, listing them and so on. There is no standard way to do this over http, except for the convention that the URI includes the filesystem path. But if you are just setting up a download site and not allowing uploads from the public (the common case?) then an Apache directory listing does the job fine.

      --
      -- Ed Avis ed@membled.com
    31. Re:Big deal.. by Ed+Avis · · Score: 1

      It's quite possible in principle to set up an sftp server authenticating against LDAP or what have you.

      --
      -- Ed Avis ed@membled.com
    32. Re:Big deal.. by anomalous+cohort · · Score: 1

      People don't want to have to download third party programs to do what they consider basic tasks, so providers fall back to protocols that have wide support (HTTP/FTP)

      If memory serves, the basic FTP tool that comes on MS-Windows has a Command Line Interface. IMHO, most computer users, who are not using SFTP, would prefer to download and install a third party program than to use a CLI. IE does support FTP but most users won't know how to FTP with IE since you have to add your username and password to the URL.

      If providers were all that concerned with an authenticating, secure, yet convenient file sharing capability, then they would be using an HTTPS based technology.

  4. And the newest exploit... by downix · · Score: 4, Funny

    They have conquered WWW and Email, now FTP, next on their list... NTP! Yes, hacking through your clock, I can see it now! Malware which will make you either cronically early, or late!

    --
    Karma Whoring for Fun and Profit.
    1. Re:And the newest exploit... by Frozen+Void · · Score: 3, Informative

      google "NTP exploit"

    2. Re:And the newest exploit... by sm62704 · · Score: 1

      They have conquered WWW and Email, now FTP, next on their list... NTP! Yes, hacking through your clock, I can see it now! Malware which will make you either cronically early, or late!

      They already did!

      --
      mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
    3. Re:And the newest exploit... by Otter · · Score: 1
      NTP! Yes, hacking through your clock, I can see it now! Malware which will make you either cronically early, or late!

      I'm not sure if that's a typo or a pun...

      Incidentally, while TFA is interesting, the summary here is a mix of inaccurate and incoherent.

    4. Re:And the newest exploit... by Idiomatick · · Score: 2, Funny

      Oddly enough this post showed up as 4th on google right after your post. Time loop?

    5. Re:And the newest exploit... by skeeto · · Score: 3, Informative

      Actually, the OpenBSD guys believed the original NTP implementation to be a security risk and thus created their own: see Using OpenNTPD and this post by the OpenNTPD maintainer.

    6. Re:And the newest exploit... by Chemisor · · Score: 1

      > They have conquered WWW and Email, now FTP, next on their list... NTP!

      Uh, no. Next on this list would be uucp.

  5. Don't forget by bperkins · · Score: 0

    to type "bin."

    1. Re:Don't forget by jo42 · · Score: 1

      You mean "pasv" then "bin".

  6. Different protocol, but same stupidity by DigitalSorceress · · Score: 5, Informative

    Well, for my money, anyone who blindly clicks on a link.... FTP or HTTP and runs an executable that comes from it is going to get infected regardless of what protocol was used for it.

    The fact that a lot of gateways prevent certain actions based on the protocol just makes the "any key" users blindly click on stuff without worry - after all, they've "got protection"

    When it comes to any infection vector that involves social engineering, your brain (should you choose to use it) is your best virus protection.

    --
    The Digital Sorceress
    1. Re:Different protocol, but same stupidity by Anonymous Coward · · Score: 0

      Uh, why did visiting the wrong website without taking any further action cause me to get exploited?

    2. Re:Different protocol, but same stupidity by vglass · · Score: 1

      While FTP is insecure in that username/password credentials are sent unprotected over the wire, I would argue that very few FTP servers are actually compromised in this way (sniffing the wire). Most FTP servers are compromised by automated brute force username/password attacks and weak user passwords. Even if you are using secure protocols (SFTP, SCP), these protocols are still subject to these attacks unless you have measures in place to prevent it. Take a look at your server logs and I'm sure you will find several failed authentication attempts against port 22. One of the simplest things that admins can do to reduce hacks is to automatically ban an IP after too many failed logins. For SSH a tool like DenyHosts is really simple to install.

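      vglass's point above (ban a source after too many failed logins) as an added worked example, not code from the post or from DenyHosts: a Python pass over constructed sshd and vsftpd log lines that collects failed-login timestamps per client, applies a threshold inside a sliding time window, skips an assumed admin allow-list so a fat-fingered password cannot lock the administrator out, and renders the result as tcp_wrappers hosts.deny entries. The log lines, the year assumed for the year-less syslog timestamps, the 198.51.100.0/24 allow-list and the thresholds are all assumptions for the example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log (not from the article). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation prefixes, so no real host is named.
SAMPLE_LOG = """\
Mar  5 10:12:01 gw sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  5 10:12:03 gw sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51235 ssh2
Mar  5 10:12:04 gw sshd[1234]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar  5 10:12:06 gw sshd[1234]: Failed password for root from 203.0.113.7 port 51237 ssh2
Mar  5 10:12:07 gw sshd[1234]: Failed password for root from 203.0.113.7 port 51238 ssh2
Mar  5 10:12:09 gw sshd[1240]: Accepted publickey for alice from 198.51.100.2 port 40000 ssh2
Wed Mar  5 10:13:01 2008 [pid 2345] [anonymous] FAIL LOGIN: Client "203.0.113.9"
Wed Mar  5 10:13:02 2008 [pid 2346] [anonymous] FAIL LOGIN: Client "203.0.113.9"
Wed Mar  5 10:13:03 2008 [pid 2347] [admin] FAIL LOGIN: Client "203.0.113.9"
Wed Mar  5 10:13:04 2008 [pid 2348] [admin] FAIL LOGIN: Client "203.0.113.9"
Wed Mar  5 10:13:05 2008 [pid 2349] [ftp] FAIL LOGIN: Client "203.0.113.9"
Wed Mar  5 10:13:06 2008 [pid 2350] [ftp] FAIL LOGIN: Client "203.0.113.9"
Mar  5 10:20:00 gw sshd[1300]: Failed password for bob from 198.51.100.2 port 40001 ssh2
Mar  5 10:20:01 gw sshd[1300]: Failed password for bob from 198.51.100.2 port 40001 ssh2
Mar  5 10:20:02 gw sshd[1300]: Failed password for bob from 198.51.100.2 port 40001 ssh2
Mar  5 10:20:03 gw sshd[1300]: Failed password for bob from 198.51.100.2 port 40001 ssh2
Mar  5 10:20:04 gw sshd[1300]: Failed password for bob from 198.51.100.2 port 40001 ssh2
Mar  5 14:00:00 gw sshd[1400]: Failed password for root from 203.0.113.20 port 50000 ssh2
Mar  5 15:00:00 gw sshd[1401]: Failed password for root from 203.0.113.20 port 50001 ssh2
Mar  5 16:00:00 gw sshd[1402]: Failed password for root from 203.0.113.20 port 50002 ssh2
Mar  5 17:00:00 gw sshd[1403]: Failed password for root from 203.0.113.20 port 50003 ssh2
Mar  5 18:00:00 gw sshd[1404]: Failed password for root from 203.0.113.20 port 50004 ssh2
"""

ASSUMED_YEAR = 2008  # syslog-style sshd lines carry no year; assumed for this sample

SSHD_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)
VSFTPD_FAIL = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \[pid \d+\] \[[^\]]*\] "
    r'FAIL LOGIN: Client "(?P<ip>[\d.]+)"'
)


def parse_failures(log_text):
    """Yield (timestamp, client_ip) for each failed sshd or vsftpd login."""
    for line in log_text.splitlines():
        m = SSHD_FAIL.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
            yield ts, m["ip"]
            continue
        m = VSFTPD_FAIL.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"), m["ip"]


def ban_list(log_text, threshold=5, window_seconds=600, allow=("198.51.100.0/24",)):
    """Return client IPs with >= threshold failures inside any window_seconds span.

    `allow` lists networks that are never banned (assumption: the admin's
    management network) so a typo cannot lock the administrator out.
    """
    allow_nets = [ipaddress.ip_network(n) for n in allow]
    failures = defaultdict(list)
    for ts, ip in parse_failures(log_text):
        failures[ip].append(ts)
    banned = []
    for ip, times in failures.items():
        if any(ipaddress.ip_address(ip) in net for net in allow_nets):
            continue
        times.sort()
        # sliding window: any `threshold` consecutive failures within the window
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                banned.append(ip)
                break
    return sorted(banned)


def hosts_deny_lines(ips):
    """Render the ban list as tcp_wrappers /etc/hosts.deny entries."""
    return [f"ALL: {ip}" for ip in ips]


if __name__ == "__main__":
    for entry in hosts_deny_lines(ban_list(SAMPLE_LOG)):
        print(entry)
```

      The last host in the sample (one attempt per hour) never trips a 10-minute window, which is the limitation of any counter-based ban: it filters noisy scanners, but a patient attacker against a weak password still gets through, so it complements strong credentials or key-only logins rather than replacing them.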
  7. FTP attachments? by Anonymous Coward · · Score: 5, Insightful

    because few gateways scan for FTP attachments these days.

    Er, that's because there's no such thing as an FTP attachment? If you are referring to links, then I'm not aware of any virus checkers that automatically download and check HTTP links either.

    Can anybody translate this into something that makes sense?

    1. Re:FTP attachments? by phaunt · · Score: 3, Informative

      because few gateways scan for FTP attachments these days.


      Er, that's because there's no such thing as an FTP attachment? If you are referring to links, then I'm not aware of any virus checkers that automatically download and check HTTP links either.

      Can anybody translate this into something that makes sense?

      I believe the writer of the summary has mixed up two things:
      • Gateways don't bother with FTP traffic
      • Instead of malicious attachments, e-mails include links to ftp servers.
    2. Re:FTP attachments? by plague3106 · · Score: 1

      Er, that's because there's no such thing as an FTP attachment? If you are referring to links, then I'm not aware of any virus checkers that automatically download and check HTTP links either.

      Can anybody translate this into something that makes sense?


      Yes, virus checkers can check the HTTP stream and abort the download if they find something. I think Norton was doing this in early 2001, I don't know if they still are.

    3. Re:FTP attachments? by WK2 · · Score: 2, Interesting

      Can anybody translate this into something that makes sense?

      OK. Via spam, F-Secure found a malware web page with an ftp link. They think this is going to be a trend. Some businesses proxy http connections, and scan downloads for viruses. They believe that malware authors will shift away from http to ftp because there is a less likely chance that downloads will be scanned.

      I don't see this happening. It is speculation, and I think malware authors will just use whatever servers they have access to, or whatever they know how to set up. Few organizations scan http or ftp files that go through their gateways.

      To be fair to F-Secure, though, they used tech terms correctly. They properly distinguished between email attachments, http, and ftp. They didn't use the word URL in the entire article. The reporter (or possibly CmdrTaco) likely didn't fully understand what the article says, and thought, "ZOMG!! NEW HAX ATTACKS!! MUST ALERT SLASHDOT!!!"

      --
      Write your own Choose Your Own Adventure. http://www.freegameengines.org/gamebook-engine/
    4. Re:FTP attachments? by Sylver+Dragon · · Score: 1

      I think one of the other important points the article makes is that the hacked FTP servers aren't just random FTP servers, nor are they just small shops running Windows SBS with the Next-Next-Next install and no one monitoring them. The FTP servers were from large companies that users might trust.

      As has been said by someone above, blindly trusting links you get in emails, and then running the linked executable, either requires an amazing amount of ignorance these days, or a special kind of stupid. Yet, somehow, trojans are alive and well in the intertubes.

      --
      Necessity is the mother of invention.
      Laziness is the father.
    5. Re:FTP attachments? by hackstraw · · Score: 1

      becoose-a foo getooeys scun fur FTP ettechments zeese-a deys.

      Um gesh dee bork, bork! Ir, thet's becoose-a zeere's nu sooch theeng es un FTP ettechment? Iff yuoo ere-a refferreeng tu leenks, zeen I'm nut evere-a ooff uny furoos checkers thet ootumeteecelly doonlued und check HTTP leenks ieezeer. Hurty flurty schnipp schnipp!

      Cun unybudy trunslete-a thees intu sumetheeng thet mekes sense-a?

    6. Re:FTP attachments? by Anonymous Coward · · Score: 0

      Yes, virus checkers can check the HTTP stream and abort the download if they find something.

      I don't think any virus checkers do that. They hook into the filesystem and check newly created files, don't they? In which case, it doesn't matter whether the file was downloaded via HTTP, FTP, or any other protocol.

    7. Re:FTP attachments? by DigitalSorceress · · Score: 1

      Yeah, I think they're probably talking about firewalls / anti-spam appliances. I used the term "gateways" myself in another reply, but I was thinking of firewalls...

      I blame it on a severe caffeine deficiency which I shall now remedy.

      --
      The Digital Sorceress
    8. Re:FTP attachments? by Crudely_Indecent · · Score: 1

      something that makes sense

      This is a phenomenon I like to call "talking out of the side of your neck" which is a method of communication where the words that one speaks do not pass the brain prior to arriving at the vocal cords. Essentially, the words take a detour at the neck to avoid the mean and logical brain.

      Most likely, this was penned by a copy writer who assumed that email has attachments, why not FTP? Who really cares what l33t haxxors call files through FTP. I call it so 70's....SFTP anyone? Chroot jail anyone?
      --
      "Lame" - Galaxar
    9. Re:FTP attachments? by DavidTC · · Score: 1

      Desktop antivirus doesn't do this, but there are commercial firewall appliances that do, indeed, watch HTTP streams and scan them. Or block known malicious URLs.

      Although it's somewhat mind-blowing they don't watch FTP ones also, considering they already have to watch the FTP control channel to support FTP's braindead reverse connections.

      --
      If corporations are people, aren't stockholders guilty of slavery?
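
      Ed Avis's point that FTP sends the password where anyone can sniff it, HTH NE1's and Aceticon's note that a browser's anonymous login sends an e-mail address as the password, and DavidTC's remark that a firewall has to read the control channel to follow FTP's reverse data connections all come down to parsing the same plaintext control channel. As an added example (not code from the thread, from any firewall product or from F-Secure), here is a Python parser over constructed control-channel transcripts that pulls out the credentials, the harvested anonymous e-mail, the data-connection endpoints announced by PORT and by the 227 reply (what a firewall's FTP helper has to track to let the data connection through), and the file transfers, and that stops once the server answers 234 to AUTH TLS because everything after that is encrypted. Host names, addresses, file names and the transcript format ("C:"/"S:" prefixes) are assumptions for the example.

```python
import re

# Constructed control-channel transcripts ("C:" client, "S:" server); the
# hosts, addresses and file names are assumptions for this example.
PLAINTEXT_SESSION = """\
S: 220 ftp.example.test FTP server ready
C: USER alice
S: 331 Password required for alice
C: PASS hunter2
S: 230 User alice logged in
C: PORT 192,0,2,10,4,210
S: 200 PORT command successful
C: RETR report.exe
S: 150 Opening BINARY mode data connection
S: 226 Transfer complete
C: PASV
S: 227 Entering Passive Mode (198,51,100,5,195,80)
C: STOR upload.bin
S: 150 Ok to send data
S: 226 Transfer complete
C: QUIT
S: 221 Goodbye
"""

ANON_SESSION = """\
S: 220 ftp.example.test FTP server ready
C: USER anonymous
S: 331 Please specify the password.
C: PASS bob@example.test
S: 230 Login successful.
C: QUIT
S: 221 Goodbye
"""

TLS_SESSION = """\
S: 220 ftp.example.test FTP server ready
C: AUTH TLS
S: 234 Proceed with negotiation
"""

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
ANON_USERS = {"anonymous", "ftp", "guest"}


def decode_hostport(fields):
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and by the 227 reply."""
    octets = [int(f) for f in fields]
    if any(not 0 <= o <= 255 for o in octets):
        raise ValueError("PORT/PASV octet out of range")
    h1, h2, h3, h4, p1, p2 = octets
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def analyse_session(capture):
    """Walk a plaintext control channel and record what a sniffer (or a
    firewall's FTP helper) can learn from it."""
    result = {"user": None, "password": None, "anonymous_email": None,
              "tls": False, "data_connections": [], "transfers": []}
    for line in capture.splitlines():
        direction, _, text = line.partition(": ")
        if direction == "C":
            verb, _, arg = text.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                result["user"] = arg
            elif verb == "PASS":
                result["password"] = arg
                # browsers send an e-mail address as the anonymous password
                if result["user"] in ANON_USERS and "@" in arg:
                    result["anonymous_email"] = arg
            elif verb == "PORT":
                m = PORT_RE.match(text)
                if m:  # client asks the server to connect back: the reverse connection
                    result["data_connections"].append(("active",) + decode_hostport(m.groups()))
            elif verb in ("RETR", "STOR"):
                result["transfers"].append((verb, arg))
        elif direction == "S":
            if text.startswith("234"):
                # 234 answers AUTH TLS; from here on the channel is ciphertext, so
                # neither the sniffer nor the firewall helper sees anything more
                result["tls"] = True
                break
            m = PASV_RE.match(text)
            if m:  # server tells the client where to connect for passive data
                result["data_connections"].append(("passive",) + decode_hostport(m.groups()))
    return result


if __name__ == "__main__":
    for name, cap in (("plain", PLAINTEXT_SESSION), ("anon", ANON_SESSION), ("tls", TLS_SESSION)):
        print(name, analyse_session(cap))
```

      The same TLS that hides the password from the sniffer also hides PORT and the 227 reply from the firewall helper, which is why FTPS deployments usually have to pin a passive port range and open it explicitly (or downgrade the control channel with CCC) instead of relying on the helper to punch holes on demand.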
    10. Re:FTP attachments? by Pedrito · · Score: 1

      Thanks for pointing that out. I was going to ask but afraid that there might actually be something called an FTP attachment and then I'd have to turn in my geek credentials for sure.

    11. Re:FTP attachments? by yuna49 · · Score: 1

      there are commercial firewall appliances that do, indeed, watch HTTP streams and scan them.

      You can accomplish the same task for free with the Squid proxy and one of the plugins that adds virus scanning with ClamAV. Do a Google search for "squid clamav" for some pointers.

      I usually set up a transparent Squid proxy for my clients on the firewall. This enables us to block the types of garbage the article discusses. For instance, I usually have an access control rule that blocks downloads of files ending in .exe, with a prior rule permitting the local admin to do so for updates, etc. I don't usually bother setting up ClamAV with Squid. I do use ClamAV (with MailScanner and SpamAssassin) for e-mail, though.

      SpamAssassin normally consults online databases of dangerous URLs when scoring messages. I imagine that those databases have some bad FTP URLs along with the evil HTTP ones.

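      yuna49's Squid rule pair (an allow for the admin ahead of a deny on .exe paths) as an added example, not Squid's code and not yuna49's squid.conf: a Python model of Squid's first-match http_access evaluation over a constructed ACL set. It shows that swapping the two lines silently kills the admin exception, that a case-sensitive `\.exe$` lets `setup.EXE` and `setup.exe?dl=1` through, and that the same urlpath_regex covers ftp:// requests once they go through the proxy. The addresses, the ACL names and the assumption that the regex is matched against path plus query string are this example's, not a statement about Squid's implementation; the "opposite of the last line" default is Squid's documented behaviour.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Illustrative ACL table (assumed names and addresses, not a real squid.conf).
ACLS = {
    "localnet": ("src", "192.168.1.0/24"),
    "admin": ("src", "192.168.1.10/32"),                  # assumed admin workstation
    "exe": ("urlpath_regex", r"\.exe$"),                   # the naive rule
    "exe_any": ("urlpath_regex", r"(?i)\.exe(?:\?|$)"),    # case-insensitive, query-aware
    "all": ("src", "0.0.0.0/0"),
}


def acl_matches(name, client_ip, url):
    """Evaluate one ACL against a request (simplified: src and urlpath_regex only)."""
    kind, value = ACLS[name]
    if kind == "src":
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(value)
    if kind == "urlpath_regex":
        parts = urlsplit(url)
        # Assumption for this model: the regex is matched against path plus query.
        path = parts.path + ("?" + parts.query if parts.query else "")
        return re.search(value, path) is not None
    raise ValueError(f"unsupported ACL type {kind}")


def http_access(rules, client_ip, url):
    """First rule whose ACLs all match wins; with no match at all, Squid's
    documented default is the opposite of the last rule's action."""
    for action, acl_names in rules:
        if all(acl_matches(n, client_ip, url) for n in acl_names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


CORRECT_ORDER = [
    ("allow", ["admin", "exe"]),   # the admin exception has to come first
    ("deny", ["exe"]),
    ("allow", ["localnet"]),
    ("deny", ["all"]),
]
SWAPPED_ORDER = [CORRECT_ORDER[1], CORRECT_ORDER[0]] + CORRECT_ORDER[2:]
HARDENED = [
    ("allow", ["admin", "exe_any"]),
    ("deny", ["exe_any"]),
    ("allow", ["localnet"]),
    ("deny", ["all"]),
]


def demo():
    """Decisions for the interesting cases: (rule set, client, url, decision)."""
    cases = [
        ("correct", CORRECT_ORDER, "192.168.1.10", "http://mirror.example.test/setup.exe"),
        ("correct", CORRECT_ORDER, "192.168.1.20", "ftp://mirror.example.test/pub/setup.exe"),
        ("correct", CORRECT_ORDER, "192.168.1.20", "http://mirror.example.test/setup.EXE"),
        ("correct", CORRECT_ORDER, "192.168.1.20", "http://mirror.example.test/setup.exe?dl=1"),
        ("swapped", SWAPPED_ORDER, "192.168.1.10", "http://mirror.example.test/setup.exe"),
        ("hardened", HARDENED, "192.168.1.20", "http://mirror.example.test/setup.EXE"),
        ("hardened", HARDENED, "192.168.1.20", "http://mirror.example.test/setup.exe?dl=1"),
        ("hardened", HARDENED, "10.0.0.5", "http://mirror.example.test/index.html"),
    ]
    return [(label, ip, url, http_access(rules, ip, url)) for label, rules, ip, url in cases]


if __name__ == "__main__":
    for row in demo():
        print(*row)
```

      Even the hardened regex only looks at the name the attacker chose; a renamed binary, an archive or an installer served without an extension sails past it, so an extension block is a convenience filter and the content scanning yuna49 mentions (ClamAV behind the proxy) is what actually looks at the payload.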
    12. Re:FTP attachments? by Kalriath · · Score: 1

      NOD32 does indeed do this. It watches HTTP, SMTP/POP3/IMAP, and FTP streams (and terminates infected ones).

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    13. Re:FTP attachments? by FoamingToad · · Score: 1

      At my place of work, FTP streams are checked for dodgy code. This came to light when we needed to set up the transfer of some encrypted data from an educational establishment.

      It failed, and I had to approach our network guys to have encrypted traffic from ftp:\\somedomain.com permitted through the gateway.

      When I received the response "ftp:\\somedomain.com doesn't appear to be a valid e-mail address, can you clarify" I retreated into the server room for the rest of the day to meditate on what my life would have been like had I pursued my childhood dream to become a train driver.

  8. FTP Attachment? by flajann · · Score: 3, Insightful

    What the hell is a "FTP attachment"?
    Doesn't make sense.

    1. Re:FTP Attachment? by Ferzerp · · Score: 1

      Ever get the feeling that the summary was written by someone who doesn't quite grasp all the relevant details of the topic?

      After that atrocious summary, I couldn't be bothered with RTFA

    2. Re:FTP Attachment? by Blue+Stone · · Score: 2, Funny
      >What the hell is a "FTP attachment"?

      Doesn't make sense.

      I've only skimmed the summary, but from what I can tell it's something bad that you can get from the tubes like a malicious 'IM file' or a dodgy 'virus bug' that you might get from a pirated CD or something.

      --
      Corporation, n. An ingenious device for obtaining individual profit without individual responsibility. - Ambrose Bierce
    3. Re:FTP Attachment? by idontgno · · Score: 1

      Ever get the feeling that the summary was written by someone who doesn't quite grasp all the relevant details of the topic?

      You mean, edited by a typical /. editor? Yeah, it felt just like that.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    4. Re:FTP Attachment? by josh82 · · Score: 1

      "What the hell is a "FTP attachment"?
      Doesn't make sense."


      Were you to have RTFA, you'd have realized that the entire worry is that most links (e.g., to malware, viruses, etc.) in email are HTTP links.

      Given that these are the vast majority, some organizations (of whatever sort) only scan for (and thus block) HTTP hyperlinks.

      And so some brain farmers find it advantageous to use FTP links, which are neither scanned for nor blocked.

      This is a problem (especially for you, since it is apparent they've already farmed your brain).

      Here is an example of an FTP attachment: ftp://127.0.0.1/attachment.exe

    5. Re:FTP Attachment? by flajann · · Score: 1
      "Here is an example of an FTP attachment: ftp://127.0.0.1/attachment.exe "

      That's a link, not an attachment. If it were an attachment, the actual binary of "attachment.exe" would be a part of the email, not a link to it.

    6. Re:FTP Attachment? by josh82 · · Score: 1

      You have refuted me thus.

      (I admit I wrote my reply in haste; though, in my defense, I submit that the term 'attachment' is ambiguous -- though I also admit the contrary, viz., that few people with sufficient knowledge would call an email link an 'attachment'. I normally don't -- except in haste, apparently.)

    7. Re:FTP Attachment? by flajann · · Score: 1

      We make all kinds of mistakes in haste; though those who do these stories should be a bit more circumspect.

  9. Dear Internets by phoxix · · Score: 2, Funny
    Let's kill FTP once and for all! It doesn't serve a purpose anymoar! It's been replaced with HTTP, Rsync, and BT!

    k thx bye!

    1. Re:Dear Internets by Anne+Thwacks · · Score: 1

      Not to mention NYC!

      --
      Sent from my ASR33 using ASCII
    2. Re:Dear Internets by ajs318 · · Score: 1

      Please explain how to upload pages to a shared webserver in co-lo using BitTorrent.

      --
      Je fume. Tu fumes. Nous fûmes!
    3. Re:Dear Internets by nacturation · · Score: 2, Insightful

      Please explain how to upload pages to a shared webserver in co-lo using BitTorrent.

      WebDAV over SSL doesn't require FTP.
      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
  10. F-Secure are FUDmeisters by Werrismys · · Score: 3, Informative

    Just ignore them. It's good business for them to constantly cry "wolf".

    --
    'Once scientists, even the dim-witted social scientists, get muzzled, the Western Civilization is finished.' - oldhack
    1. Re:F-Secure are FUDmeisters by IBBoard · · Score: 3, Insightful
      And it's all in the final line of TFA:

      Better make sure your gateway scanner is configured to scan FTP traffic as well. Our F-Secure Internet Gatekeeper does this by default.

      "This wasn't done as a sales pitch, but buy our Gatekeeper software!"

      So what's the major difference between an FTP hosted file and a HTTP hosted file for most people? Either way it downloads a file from a site that they can be convinced to run. Sounds all about the same to me.
    2. Re:F-Secure are FUDmeisters by PlusFiveTroll · · Score: 1

      >Sounds all about the same to me.

      Yes, and this is where people fail and security problems come from. FTP is not HTTP. It is a different protocol. Your webbrowser uses a different mechanism to transfer files with it, and it goes over different ports on the internet. Your anti-virus/anti-spyware/firewall doesn't auto-magically block this stuff, it must be programmed to do so. If the programmer didn't think of a mechanism that files could get by the firewall for example, then a virus could get on the network.

      Let me create an analogy (and probably get it wrong). You have a jewelry factory that you want to keep secure. You check all incoming and out going employees that arrive in a car for stolen merchandise. A number of semis come and go per day, but you do not perform a security check on them. Where do you think the thief is going to attack?

    3. Re:F-Secure are FUDmeisters by IBBoard · · Score: 1

      That's a corporate vs home situation, though, where you're blocking at the boundaries rather than relying on standard AV where the source of the file should make no difference - it's a browser download so it should get checked.

      FTP is a file download from a remote machine via an Internet connection. HTTP is a file download from a remote machine via an Internet connection. Both of them leave a file on your machine that you can then execute. I'd expect any normal firewall to check any files that a browser downloads - there's no obvious difference in where it comes from that means it is guaranteed safe just because it's a different protocol.

      If AV writers have been overlooking that yet have the sense to check HTTP and SMTP/IMAP incoming files then it just makes me feel even safer that I now only run Linux.

      As for FTP downloads at work, I've never been able to do them because the two places I've worked at have blocked them from most of their network. One let you access FTP if you dug out the necessary proxy settings, but in a corporate environment it solves the problem without needing some Gatekeeper product.

  11. NEXT! by Frosty+Piss · · Score: 3, Insightful

    I'm sorry, but if when setting up server services the admin "forgets" to lock down FTP, they need to be canned. That is all. NEXT.

    --
    If you want news from today, you have to come back tomorrow.
    1. Re:NEXT! by JK_the_Slacker · · Score: 1

      I read that as "they need to be scanned"... nmap style? Sounds painful.

      --
      I'm waiting for a "-1 somepeoplejustshouldn'tgetmodprivileges" meta-moderation.
    2. Re:NEXT! by nogginthenog · · Score: 1

      I remember many years ago (when most people were on dialup) I left open anonymous FTP access to a NT4 server. A few months later I was checking the server and found a bunch of MP3 files. It seems some people were using it to share files. So I replaced the files with more suitable music (I kept the same filenames) and denied write access. But then again I was only the admin because the company was too cheap to afford a proper network admin. I'm a lowly programmer by trade.

    3. Re:NEXT! by k1t10 · · Score: 1

      I work for a company that uses it for client uploads and I can't disable it - only lock it down for access by certain IP addresses. In this situation - how do you monitor and lock it down as much as you can?

      --
      "Don't ask me, i'm just a girl"
  12. FTP through email by whitehatlurker · · Score: 4, Interesting
    This has come full circle - back before internet connectivity was so wide spread, there were a few ftp via email gateways. (Yes, there were other networks alongside the internet.) You'd send your ftp commands and get email back (a few days later or the next week) with the uuencoded result.

    Now you have email viruses delivered via FTP. Cool.

    Yeah I'm old - get off my lawn!

    --
    .. paranoid crackpot leftover from the days of Amiga.
    1. Re:FTP through email by pak9rabid · · Score: 1

      Yeah I'm old - get off my lawn!

      Hmm, it is true old people are often concerned that there are children on their lawns.
    2. Re:FTP through email by Thornburg · · Score: 1

      You'd send your ftp commands and get email back (a few days later or the next week) with the uuencoded result.

      I actually remember doing that. I was a freshman in high school at the time. Does that mean I'm old too?

      My first computer access that required a password was a VAX...
    3. Re:FTP through email by Fnordulicious · · Score: 1

      Did your VAX run VMS or Unix? What version of VMS? What flavor of Unix?

  13. 3rd Party Services by boris111 · · Score: 2, Interesting

    Speaking of FTP I was appalled the other day when my girlfriend told me their small company is paying $100 a month for a service to use FTP for their clients. This service has a space limit of 300 MB!!! With GMAIL and Yahoo email offering unlimited storage this seems unbelievably small.

    1. Re:3rd Party Services by Anonymous Coward · · Score: 0

      Speaking of FTP I was appalled the other day when my girlfriend told me their small company is paying $100 a month for a service to use FTP for their clients. This service has a space limit of 300 MB!!! With GMAIL and Yahoo email offering unlimited storage this seems unbelievably small.

      Uhh, what are they using it for? That doesn't seem to make any sense.

      Even if they did need it, you could get something like a Rosehosting virtual server for $30/mo, stick OpenVPN+samba or apache (WebDAV+ssl) and get something much more secure. 5gb storage, 300gb transfer. For $60/mo you get the same thing but they admin and support it.

      For OpenVPN+samba, just firewall off all ports except for udp 1194. Have each client computer OpenVPN into it and then access the samba shares. Everything will be nice and encrypted unlike with ftp.

      For WebDAV you can map it as a drive in windows/OS X/Gnome/KDE (iirc, xp has issues with webdav+ssl, though, not sure about 2k or vista). Or leave it unencrypted and close it off and just access it via OpenVPN. Or just do the same with ftp through OpenVPN.
    2. Re:3rd Party Services by boris111 · · Score: 1

      They're an advertising firm. Occasionally they need to send large files to their customers. We're talking 10-20 users at most. I should offer my services (for a small fee of course). They have an IT guy, but apparently he's stubborn and doesn't listen to the needs of the employees/customers.

    3. Re:3rd Party Services by toadlife · · Score: 1

      It sounds like their "IT guy" is a moron.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    4. Re:3rd Party Services by IdeaMan · · Score: 1

      Anyone that can get away with charging $100/month for ftp service qualifies as an unmitigated genius in my book.

      --
      They ARE out to get you simply because They are in it for themselves and they don't care about you.
    5. Re:3rd Party Services by toadlife · · Score: 1

      The "IT Guy" I'm referring to isn't the one running the FTP service.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
  14. FTP is BAD! About DAMN time THAT makes press by spitek · · Score: 4, Informative

    Clear TXT PASSWD = BAD. Might as well bend over. I've made my hosting customers use SFTP/SCP for YEARS. Been very happy I have. Just like POP3 one day.. IF we are lucky people will stop using it. It's like sending your tax return to the IRS in a clear envelope with your name, birth date and SS # showing. Just plain STUPID!

    1. Re:FTP is BAD! About DAMN time THAT makes press by omnipresentbob · · Score: 1

      It's like sending your tax return to the IRS in a clear envelope with your name, birth date and SS # showing.

      Ah, shit. My mother's maiden name and bank account number are showing too. I'm boned, aren't I? :(

      Just plain STUPID!

      Well I already knew that.
    2. Re:FTP is BAD! About DAMN time THAT makes press by Anonymous Coward · · Score: 0

      Clear TXT PASSWD = BAD Might as well bend over
      If only more users would accept that. While you're busy educating the users, could you do us a favor and remind them that is the same reason why they need to stop using telnet?

      I manage a Unix network for a department full of PhDs. And yet they insist on using telnet to communicate across the network, even after I set up all the ssh daemons for them.
    3. Re:FTP is BAD! About DAMN time THAT makes press by Aceticon · · Score: 2, Insightful

      Well, when the username is "guest" and the password is "anyemail@example.com" it hardly needs encrypting.

      PS: The typical way to anonymously access an FTP server is using the "guest" or "anonymous" usernames and any e-mail address as password. This is actually the way a browser will access an ftp:// URL.

    4. Re:FTP is BAD! About DAMN time THAT makes press by twistah · · Score: 1

      For environments that can't switch to SFTP/SCP, a decent alternative is to use FTP with SSL/TLS. Many FTP clients already support this, so it's often a simple checkbox for users.

    5. Re:FTP is BAD! About DAMN time THAT makes press by courtarro · · Score: 1

      What part of an anonymous, read-only FTP login needs to be encrypted? There are still plenty of good uses for FTP that don't need the security of encryption.

    6. Re:FTP is BAD! About DAMN time THAT makes press by spitek · · Score: 1

      I was not referring to FTP used in that situation. Read-only FTP has its place.

    7. Re:FTP is BAD! About DAMN time THAT makes press by spitek · · Score: 1

      Stop projecting your issues on others. No one made you read my posting. Have you ever used tcpdump and wireshark? Or an application like that. Are you aware of what an exploit is? Do you understand what "clear txt" means? Just wondering because arrogance is not a healthy personality trait. Good luck with that. And besides, condoms are only what 90 some odd percent effective. So even then you still might have been in the situation where you choose to read my posting on this site. Sorry to burst your bubble.

    8. Re:FTP is BAD! About DAMN time THAT makes press by myz24 · · Score: 1

      You are absolutely right. I can't believe that after all these years of "telnet is bad", "use ssh" that FTP is as popular as it is. I can get an FTP account to my hosting provider but not a shell. Is there a place for FTP? Yeah, but in this day and age that place is almost always taken up with HTTP anyway. FTP might be incrementally more efficient, but the ease of HTTP overrides it. FTP should be GONE.

    9. Re:FTP is BAD! About DAMN time THAT makes press by spitek · · Score: 1

      Can I have a hallelujah?

      FTP might be incrementally more efficient, but the ease of HTTP overrides it.

      If only that part could get through then we'd be cooking with fire.

  15. What the article infers... by johnlcallaway · · Score: 2, Interesting

    It sounds like that 'trusted' sites have been hacked, and that nefarious forces may place files on those trusted sites, then send emails that look authentic. That is, the email looks like it is from a responsible site and has an FTP URL for that site, but the file on the trusted site contains malware of some type.

    I have gotten fake hallmark cards in the past, and only because the URLs were obviously not hallmark did I check the headers. Transform this into a malware that installs a back door, grabs your address book, then sends the address book full of trusted names back to the originator. Now you have an email from a trusted source that has URLs to a trusted site to help spread it.

    Maybe I shouldn't have typed all that out.....

    --
    I rarely read replies, it's my opinion and if you thought about your opinion a little more, I'm OK with that.
    1. Re:What the article infers... by tychovi · · Score: 1

      ...is nothing. It says "takes you to an owned computer that has a(n) FTP site setup on it" and if you look at the URL at the bottom of the client window you can see that it's obscured, so unless you know that ip address you shouldn't be clicking anything (I have to agree with Digital Sorceress). I hardly think that Hallmark is going to be serving up cards out of Romania, so anyone who clicks on a link from an email similar to the one listed should promptly be taken out to the parking lot and stoned with 1.44MB 3.5 inch floppies.

      FTP (tunneled, chrooted, whatever) is still a useful tool; it's stable, resilient and does its job. Blaming FTP for this is like blaming the hammer when your three year old uses it to smash your china...

    2. Re:What the article infers... by johnlcallaway · · Score: 1

      Maybe we aren't reading the same article. The one I read said this:

      Last month, researchers at Finjan stumbled onto a cache of stolen FTP server administrative credentials that put nearly 9,000 FTP servers at some major global companies at risk, demonstrating just how widespread the old-school FTP remains at many organizations. Cybercriminals were selling a new crimeware package that would automatically infect those servers, some of which were from the world's top 100 domains.

      So ... that link grandma just clicked didn't go to hallmark.com.rm, it went to hallmark.com and just downloaded malware.

      I agree you can really lock down FTP to be resistant to hacks. Until someone gets your credentials. Then it's Duck Season!

      --
      I rarely read replies, it's my opinion and if you thought about your opinion a little more, I'm OK with that.
    3. Re:What the article infers... by tychovi · · Score: 1

      Maybe we aren't reading the same article. The one I read said this:

      Last month, researchers at Finjan stumbled onto a cache of stolen FTP server administrative credentials...

      So ... that link grandma just clicked didn't go to hallmark.com.rm, it went to hallmark.com and just downloaded malware.

      I agree you can really lock down FTP to be resistant to hacks. Until someone gets your credentials. Then it's Duck Season!

      Hmmm, you would be correct. I looked only at the second link!?! *chagrin*

      I remember that story and now understand the disconnect. Of course you're right: once you have admin access it's game over. I can only imagine what went on in the CIO offices of the affected companies.

      I remember thinking "Whoa, how do you let admin passwords like that get out in the wild?" That's gotta increase the pucker factor around the office by a couple of orders of magnitude.

      I understand how it can happen, especially in larger shops, but that's why vigilant system administration and frequent audits are so crucial (and a complete pain in the butt).

      So my apologies, Mr. Callaway; next time I'll be sure to read (all of) TLAs.
  16. IPS are on target by bbasgen · · Score: 1

      In mid-February Tipping Point (maker of an IPS) released new filters on FTP Put and Get commands due to this rise in exploits. Always nice to see the IPS on the leading edge, and it again provides a point of emphasis that the IPS is absolutely essential for an enterprise.

  17. Xmodem! by wsanders · · Score: 0, Redundant

    Dagnabbit you kids get the hell off my lawn, you're messing up my 2400 baud modem reception!

    --
    Give a man a fish and you have fed him for today. Teach a man to fish, and he'll say "WHERE'S MY FISH, YOU IDIOT?"
  18. Moderation borked? by Anonymous Coward · · Score: 0

    Starting score: -1, Informative moderation: 0?

    1. Re:Moderation borked? by HTH+NE1 · · Score: 1

      Something is messed up wrt moderation of Anonymous Cowards. I grant one point to ACs so they should start at 1 instead of 0 for me, but I'm also seeing "Score: 0, Funny" on some AC postings with no other moderations applied than one +1 Funny mod. It's like the first mod up lowers the initial score.

      I have also noted that, when using Preview with Post Anonymously checked, the preview no longer reflects the anonymity.

      --
      Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
  19. Anecdote by BigJClark · · Score: 1

    Funny (to me) anecdote: My first day on my first job in the IT biz (network admin at the university I grad'd from) the old network admin was showing me the ropes, and actually telneted across the network and logged in with his root account. Needless to say my first order of business was to change the root password :)

    ahhh...

    --
    Hi, I Boris. Hear fix bear, yes?
  20. Nothing wrong with ftp by koffie · · Score: 4, Insightful

    except perhaps for the sloppy authentication in the clear and the awkward use of random ports initiated in the wrong direction (from server to client).

    What is wrong is that there are ftp servers allowing anonymous write access. That is how those miscreants work: they put a malicious file up on an anonymous ftp server (that allows write access) and then craft ftp URLs to spam people with.

    I remember we warned all ftp server administrators about the issue 10 or more years ago, back when I was a rookie.

    Of course scp/sftp is way better, everyone knows that. Or not?

    1. Re:Nothing wrong with ftp by DKlineburg · · Score: 1

      For practice in my degree we hacked FTP. The class was on a closed network; for some strange reason they didn't want 30 Windows servers on their domain. The closer-to-hackers of the class closed FTP immediately. We found out that there were quite a few who didn't and left the port open. We spent the next part of the semester seeing who could hack more classmates who didn't bother to block FTP. The greatest thing was to turn on remote desktop and send a message from themselves to them. Those people eventually dropped the class due to lack of knowledge, but it was an eye opener to see someone looking at a message sent from their computer to their computer saying random things. I liked 42. Theoretically in the real world, all those holes are plugged. That is true because there is never a small business that has a new server that doesn't know what they are doing. Right?

      --
      Memory is deceptive because it is colored by today's events. - Albert Einstein
  21. "Now"? by rrohbeck · · Score: 1

    Rooted ftp sites have been used for warez and malware since the beginning of time, and the F-Secure folks discover this *now*?
    Pretty lame.

    1. Re:"Now"? by mstahl · · Score: 1

      Yeah but F-Secure didn't have a product to sell for that at the beginning of time.

  22. IDS and watchdog proxies can't do much either by toejam13 · · Score: 1

    FTA: Elgamal says the bad guys can hop on Port 80 and ship FTP through that port, for example, and a firewall wouldn't block the file transfer. Some Internet gateways scan for FTP traffic, such as F-Secure's Internet Gatekeeper, which does so by default.

    This completely depends on the firewall or proxy. Many newer perimeter security devices are L7 protocol aware, and will abort any connection over a well known port that doesn't look right. This means that the days of running an SSH daemon on your home rig on port 80 are slowly coming to an end.

    Having said that, I believe that many payloads can continue to slip past secure gateway devices via old fashioned encryption. FTP can be wrapped up via SSL/TLS, making payload inspection impossible. How many of those devices can tell the difference between an unencrypted data channel and an encrypted one? Better still, how many of them recognize 'AUTH TLS', 'CCC' or 'CDC' commands? As long as you keep your control channel clear-text, FTP/S looks and acts very similar to regular FTP.
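
The state changes toejam13 lists (AUTH TLS, PROT P, CCC) can be tracked from the control channel. The script below is an added illustration, not code from the article or from any vendor's gateway: it walks a constructed control-channel transcript of the kind an FTP server or a TLS-terminating proxy can log (client lines "C:", server replies "S:") and flags the two moments a payload-scanning device should care about: a transfer started while PROT P is in force (data channel is TLS, payload not inspectable) and a CCC that drops the control channel back to cleartext so the rest of the session looks like plain FTP. A passive tap would not see the commands exchanged inside TLS, so the transcript-level view is the assumption here.

```python
"""Flag FTPS state changes that defeat on-path payload inspection.

Added illustration for the thread above, not code from the article or any
vendor's gateway. Assumes a control-channel transcript as logged by an FTP
server or TLS-terminating proxy; the sample session below is constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class FtpSessionState:
    control_tls: bool = False     # AUTH TLS accepted with a 234 reply
    data_protected: bool = False  # PROT P accepted: data channel is TLS
    ccc_issued: bool = False      # CCC accepted: control channel cleartext again
    findings: List[str] = field(default_factory=list)


# Constructed sample session (no real host): an FTPS client encrypts the data
# channel, clears the control channel, then fetches a file.
SAMPLE_SESSION = """\
S: 220 ftp.example.test ready
C: AUTH TLS
S: 234 Proceed with negotiation
C: USER anonymous
S: 331 Password required
C: PASS guest@
S: 230 Login successful
C: PBSZ 0
S: 200 PBSZ set to 0
C: PROT P
S: 200 Protection set to P
C: CCC
S: 200 Control channel cleared
C: PASV
S: 227 Entering Passive Mode (192,0,2,10,195,80)
C: RETR update.exe
S: 150 Opening BINARY mode data connection
S: 226 Transfer complete
C: QUIT
S: 221 Goodbye
"""

TRANSFER_COMMANDS = {"RETR", "STOR", "STOU", "APPE"}


def analyse_session(transcript: str) -> FtpSessionState:
    """Walk the transcript line by line and record inspection-relevant events."""
    state = FtpSessionState()
    # Last client command awaiting its final reply: (verb, argument, line number).
    pending: Optional[Tuple[str, str, int]] = None
    for lineno, raw in enumerate(transcript.splitlines(), 1):
        who, _, text = raw.partition(": ")
        if who == "C":
            verb, _, arg = text.partition(" ")
            pending = (verb.upper(), arg.strip().upper(), lineno)
            if pending[0] in TRANSFER_COMMANDS and state.data_protected:
                state.findings.append(
                    f"line {lineno}: {text} on a PROT P data channel; "
                    "payload is TLS-encrypted, the gateway cannot scan it")
        elif who == "S" and pending is not None:
            code = text[:3]
            verb, arg, cmd_line = pending
            if verb == "AUTH" and arg == "TLS" and code == "234":
                state.control_tls = True
            elif verb == "PROT" and code == "200":
                state.data_protected = (arg == "P")
            elif verb == "CCC" and code == "200" and state.control_tls:
                state.ccc_issued = True
                state.findings.append(
                    f"line {cmd_line}: CCC accepted; control channel is cleartext "
                    "again and the rest of the session resembles plain FTP")
            # A 1xx reply (e.g. 150) is preliminary; keep waiting for the final one.
            if not code.startswith("1"):
                pending = None
    return state


if __name__ == "__main__":
    for finding in analyse_session(SAMPLE_SESSION).findings:
        print(finding)
```

Nothing here decrypts anything; the point is that a device which only pattern-matches on "RETR" or "STOR" in cleartext will see the RETR on line 16 and still have no payload to scan, and that the CCC on line 12 is the command that makes the session look ordinary afterwards.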

  23. Got hit by it by ajs318 · · Score: 3, Informative

    My company got hit by this. Basically, someone found a username / password combination on a web server and FTP'ed up a phishing website. This user didn't have a valid login shell {it was set to /bin/false} but that didn't matter here because they didn't need to run shell commands {and in any case, if they needed to, they had a perfectly good cgi-bin directory they could use}.

    Obviously you have to have FTP and web servers on the same machine, otherwise your hosting customers can't upload their pages. To limit the potential damage, disable mod_userdir -- all your users should already have their own domain names anyway. And if you have any "email only" users {usually, these will be secondary mailbox accounts, i.e. when you have things like fred@freds-shed.org.uk going into one mailbox and charlie@freds-shed.org.uk going into another} whose only way of accessing files is by POP3 or IMAP, use a different shell for them. {I recommend /bin/true for FTP-enabled users without shell access -- this needs to be mentioned in /etc/shells, of course, for FTP access to work -- and /bin/false for non-FTP users. This should not be in /etc/shells.}

    If you have users who want to use scp or fish to upload stuff, they'll have to have a Bourne-like shell such as /bin/bash or /bin/ash. In which case, as a bare minimum you should disable password-based logins. There are better solutions involving chroot and per-user bin folders.

    --
    Je fume. Tu fumes. Nous fûmes!
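
The /bin/true versus /bin/false split ajs318 describes depends on /etc/shells being right, and it is easy to drift. The script below is an added illustration, not the poster's own tooling: it reads constructed copies of passwd and shells, classifies each account by the access its shell actually grants (assuming, as the post does, an FTP daemon that rejects any shell not listed in /etc/shells), and reports the two misconfigurations that matter: a no-access shell such as /bin/false creeping into /etc/shells (mail-only users suddenly get FTP) and /bin/true missing from it (FTP-only users cannot log in at all).

```python
"""Audit login shells against the FTP-only / mail-only policy described above.

Added illustration, not the poster's own tooling. Assumes an FTP daemon that
refuses accounts whose shell is absent from /etc/shells, and works on the
constructed passwd and shells text below rather than the live files.
"""
from typing import Dict, List, Tuple

# Constructed sample accounts; none of these are real.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
fred:x:1001:1001:Fred (uploads pages by FTP):/home/fred:/bin/true
charlie:x:1002:1002:Charlie (mailbox only):/home/charlie:/bin/false
dev:x:1003:1003:Developer (scp user):/home/dev:/bin/bash
intern:x:1004:1004:Intern (mailbox only):/home/intern:/bin/false
"""

SAMPLE_SHELLS = """\
# /etc/shells: valid login shells
/bin/sh
/bin/bash
/bin/true
"""

FTP_ONLY_SHELL = "/bin/true"
NO_ACCESS_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


def parse_shells(text: str) -> List[str]:
    """Shells listed in an /etc/shells-style file, comments and blanks skipped."""
    return [line.strip() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def parse_passwd(text: str) -> List[Tuple[str, int, str]]:
    """(user, uid, shell) for every well-formed passwd line."""
    rows = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7:
            rows.append((fields[0], int(fields[2]), fields[6]))
    return rows


def classify_accounts(passwd_text: str, shells_text: str) -> Dict[str, str]:
    """Map each account to the access its shell grants under the post's policy."""
    valid = set(parse_shells(shells_text))
    access: Dict[str, str] = {}
    for user, _uid, shell in parse_passwd(passwd_text):
        if shell not in valid:
            access[user] = "mail-only"              # POP3/IMAP only; FTP daemon rejects it
        elif shell == FTP_ONLY_SHELL:
            access[user] = "ftp-only"               # uploads allowed, no commands
        elif shell in NO_ACCESS_SHELLS:
            access[user] = "ftp-only (unintended)"  # /bin/false leaked into /etc/shells
        else:
            access[user] = "shell+ftp"              # interactive login and FTP
    return access


def audit(passwd_text: str, shells_text: str) -> List[str]:
    """List misconfigurations that widen FTP access or break it outright."""
    problems: List[str] = []
    valid = parse_shells(shells_text)
    for shell in valid:
        if shell in NO_ACCESS_SHELLS:
            problems.append(f"{shell} is listed in /etc/shells: mail-only users gain FTP")
    if FTP_ONLY_SHELL not in valid:
        problems.append(f"{FTP_ONLY_SHELL} missing from /etc/shells: FTP-only users cannot log in")
    access = classify_accounts(passwd_text, shells_text)
    for user, uid, _shell in parse_passwd(passwd_text):
        # Interactive users are the ones who need key-only SSH per the post.
        if uid != 0 and access[user] == "shell+ftp":
            problems.append(f"{user}: interactive shell; disable password SSH logins if scp/sftp is needed")
    return problems


if __name__ == "__main__":
    for user, what in classify_accounts(SAMPLE_PASSWD, SAMPLE_SHELLS).items():
        print(f"{user:10s} {what}")
    for problem in audit(SAMPLE_PASSWD, SAMPLE_SHELLS):
        print("!!", problem)
```

Run against the real files you would substitute the contents of /etc/passwd and /etc/shells for the two sample strings; the daemon-side check that gives /etc/shells its teeth varies by server (for example a "require valid shell" style option), which is why the lead-in calls it an assumption.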
    1. Re:Got hit by it by Alpha830RulZ · · Score: 1

      "Obviously you have to have FTP and web servers on the same machine, otherwise your hosting customers can't upload their pages."

      Alright, I'm no expert, but why do the ftp and http servers need to be the same machine? I maintain an FTP and an SFTP box for a transit point between machines inside separate firewalls. These are used by our consulting team to get files to and from customers. There are no business processes running on either of these machines (and indeed, any file that remains on the machine for more than two hours is swept into a non-visible directory). Their sole purpose is a transfer point. Seems like you could use that.

      Have your users use a two step process, where they upload to the ftp machine, and then log into the web server and pull the files down to the http machine. Then any compromise of the ftp machine doesn't affect your core machines. It's a bit more complex, to be sure, but it works for us. I have the advantage of a captive user base who has to use it this way, so I can understand that this might not be acceptable in a hosted environment. But it's kept us out of trouble so far.

      --
      I was taught to respect my elders. The trouble is, it's getting harder and harder to find some.
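
The two-hour sweep Alpha830RulZ mentions is the piece of the transit-box design that keeps the box from becoming a long-lived drop point. The script below is an added illustration, not the poster's script: it moves regular files older than a threshold out of the upload directory into a dot-prefixed directory that an anonymous FTP listing will not show by default (the ".swept" name and the two-hour default are assumptions), skips symlinks and subdirectories, and avoids clobbering an earlier sweep of the same filename. The demo builds a throwaway directory with one fresh and one artificially aged file.

```python
"""Sweep stale uploads on a transit box into a non-visible directory.

Added illustration of the two-hour sweep described in the post above, not the
poster's own script. The ".swept" directory name and the two-hour default are
assumptions; demo() works on a temporary directory it creates itself.
"""
import os
import tempfile
import time
from pathlib import Path
from typing import Dict, List, Optional


def sweep_stale_files(root: str, max_age_hours: float = 2.0,
                      quarantine: str = ".swept",
                      now: Optional[float] = None) -> List[str]:
    """Move regular files older than max_age_hours from root into root/quarantine.

    Returns the names moved, sorted. Symlinks, subdirectories and the
    quarantine directory itself are left untouched. 'now' can be injected for
    deterministic runs; it defaults to the wall clock.
    """
    base = Path(root)
    dest = base / quarantine
    dest.mkdir(exist_ok=True)
    cutoff = (now if now is not None else time.time()) - max_age_hours * 3600
    moved: List[str] = []
    for entry in os.scandir(base):
        if entry.name == quarantine or entry.is_symlink() or not entry.is_file():
            continue
        if entry.stat().st_mtime < cutoff:
            target = dest / entry.name
            suffix = 1
            while target.exists():          # keep earlier sweeps of the same name
                target = dest / f"{entry.name}.{suffix}"
                suffix += 1
            os.replace(entry.path, target)  # same filesystem, atomic rename
            moved.append(entry.name)
    return sorted(moved)


def demo() -> Dict[str, List[str]]:
    """Create a throwaway transit directory, age one file, sweep, and report."""
    tmp = tempfile.mkdtemp(prefix="transit-")
    now = time.time()
    Path(tmp, "fresh.csv").write_text("uploaded a minute ago\n")
    stale = Path(tmp, "stale.zip")
    stale.write_bytes(b"uploaded three hours ago")
    aged = now - 3 * 3600
    os.utime(stale, (aged, aged))
    moved = sweep_stale_files(tmp, now=now)
    return {
        "moved": moved,
        "visible": sorted(p.name for p in Path(tmp).iterdir() if not p.name.startswith(".")),
        "quarantined": sorted(p.name for p in (Path(tmp) / ".swept").iterdir()),
    }


if __name__ == "__main__":
    print(demo())
```

In production this would run from cron on the upload directory; on the same design, the web server pulls from the transit box and never the other way round, so a compromise of the FTP host still leaves the web host's content untouched.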
  24. Block port 21/tcp outbound by twistah · · Score: 1

    It's easier to protect your network, especially a corporate network, from malware that uses FTP than HTTP. Just block 21/TCP outbound -- we recommend this to most of our clients. Granted, the bad guys can change the port, and then you don't have much recourse without deep packet inspection. But most compromised servers (which have the malware) will be on a standard port and dropping outbound FTP will be effective. Of course, there are legitimate uses for FTP (some AV companies use it to update their products, for example), but you can often get away with a whitelist.

  25. I'm a victim by TheGreatOrangePeel · · Score: 2, Interesting

    I fell victim to an FTP security issue in January of last year. The hosting provider for my website allows for anonymous FTP by default and an organization of hackers was able to use this to upload files which somehow enabled them to edit content on my Drupal powered website (I've seen Wordpress sites fall victim to the same hack). All they did was a meta-redirect, but I had about a week of downtime as I restored from dated backups and got technical questions answered on the Drupal.org forums.

    As it turns out, my hosting provider doesn't offer any real capacity to disable anonymous FTP and I had to set the maximum allowed data transfer amount to 0KB for anyone except myself.
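
Both koffie's post (anonymous servers that allow write access as the upload path) and TheGreatOrangePeel's (a host that left anonymous FTP on by default) come down to a handful of server directives. The script below is an added illustration, not the hosting provider's or F-Secure's code: it parses a vsftpd-style key=value configuration, reports every anonymous write path it finds, and is shown against a constructed weak file and the hardened version of the same file. The directive names are vsftpd's; other daemons spell the same settings differently, which is the assumption to keep in mind.

```python
"""Check a vsftpd-style configuration for anonymous write access.

Added illustration for the two posts above; not code from the hosting
provider or from the article. Assumes vsftpd directive names and defaults;
both configurations below are constructed.
"""
from typing import Dict, List

# Constructed weak configuration of the kind the posts describe.
WEAK_CONF = """\
listen=YES
anonymous_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
local_enable=YES
write_enable=YES
"""

# Same file with anonymous access removed and local users confined.
HARDENED_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
"""


def parse_conf(text: str) -> Dict[str, str]:
    """vsftpd uses one key=value per line; '#' starts a comment."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip().upper()
    return conf


def enabled(conf: Dict[str, str], key: str, default: str) -> bool:
    return conf.get(key, default) == "YES"


def audit_conf(text: str) -> List[str]:
    """Findings that describe an anonymous write path or an unconfined local user."""
    conf = parse_conf(text)
    findings: List[str] = []
    # vsftpd's compiled-in default for anonymous_enable is YES; distro packages
    # usually ship NO, so an absent key is treated as the upstream default here.
    anon = enabled(conf, "anonymous_enable", "YES")
    write = enabled(conf, "write_enable", "NO")
    if anon:
        findings.append("anonymous logins are enabled")
        if write and enabled(conf, "anon_upload_enable", "NO"):
            findings.append("anon_upload_enable=YES with write_enable=YES: anonymous users can upload files")
        if write and enabled(conf, "anon_mkdir_write_enable", "NO"):
            findings.append("anon_mkdir_write_enable=YES: anonymous users can create directories")
        if write and enabled(conf, "anon_other_write_enable", "NO"):
            findings.append("anon_other_write_enable=YES: anonymous users can delete or rename files")
    if enabled(conf, "local_enable", "NO") and not enabled(conf, "chroot_local_user", "NO"):
        findings.append("local users are not chrooted: a stolen password exposes the whole filesystem")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit_conf(conf) or ['no findings']}")
```

The chroot check goes one step past the anonymous-write question because the thread's other cases (stolen credentials, a hosting account used to upload a phishing kit) are exactly the ones a chroot limits. On a shared host where you cannot edit the daemon configuration, the poster's 0KB transfer limit is the kind of workaround this check would still report as anonymous logins being enabled.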

  26. HTTP through email by BenEnglishAtHome · · Score: 1

    Are there any HTTP to email servers left out there? You sent an email to an address with the URL as the subject; the server on the other end fetched the web page and mailed you a copy.

    I occasionally have use for such a thing but the last server I used for this (maintained at a Japanese university, iirc) shut down years ago.

  27. ntpd-exp.c by commodoresloat · · Score: 2, Informative

    Check it out. That, my friends, is a real Clock Gobbler.

  28. not only stupid, against their own laws.... by filthpickle · · Score: 1

    if they applied their own laws to themselves.

    look up the HIPAA laws...Medicare is a gov't program that seems to be held (along with every other insurance plan) to a much higher standard.

  29. Pay more attention... by timbck2 · · Score: 2, Informative

    GP was talking about scp being implemented in 1995, not FTP.

    --
    Absurdity: A statement or belief manifestly inconsistent with one's own opinion. -- Ambrose Bierce
  30. Printers and Copiers by flyingfsck · · Score: 0

    All network printers also seem to have wide open FTP servers. With some ingenuity, one can hide a music collection on a networked photo-copier or something and the corporate MCSE droids will never figure it out...

    --
    Excuse me, but please get off my Pennisetum Clandestinum, eh!
  31. It is a big deal knot. by HTH+NE1 · · Score: 2, Interesting

    Firefox spell-check agrees: two Ns, one L in "tunneling". Further, no ambiguity is introduced by not doubling the L.

    It's a peculiar Americanism. There is robbing, but there's also robing as in the opposite of to disrobe. Raping and rapping are formed from rape and rap respectively, so there's where ambiguity steps in to set the rule. However, it is impelling and not impeling, or even compelling and not compeling. Is it the rule to limit how many repeated adjacent letters you have in a word? There's potterring (Brit.) and pottering (US) but there is only puttering and not putterring anywhere?

    For me, it's trust the spell checker, but when in doubt verify. I'd rather have consistent rules, but English is such a mongrel language anyway, borrowing words everywhere. It's annoying, but at least it isn't annoyying. ;D

    --
    Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
  32. FTP Berkeley, and BSD by Douglas+Goodall · · Score: 1

    To the best of my knowledge, when the DOD paid UCB to implement the TCP/IP suite on Unix, the FTP protocol was included in the sample implementation. Virtually all TCP code in the world was derived from that code and therefore the most common file transfer functionality on the Internet is FTP. After all these years it still works, and sometimes ftp over slip is the best you can do to bootstrap a new firmware device. It is true that there are newer and more efficient protocols, but like "vi", it's one of the things that you are glad to have there when everything else is messing up.

  33. FTP whails over SFTP/SCP by Kazoo+the+Clown · · Score: 1

    FTP isn't going to go away until the readily available secure alternatives perform as well. Especially since data moving operations have been increasing their "need for speed" along with the amounts of data involved.

    I've been involved with performance testing on a data warehouse product that must transfer umpteen-GB nightly, where we've found that FTP transfers typically perform at least 30x faster than the next fastest alternative -- scp, sftp, etc. On a 1000MB link between two computers sitting next to each other we're seeing a 20 minute FTP turn into like 3.5 hours when we switch to sftp. We've resorted to parallel connections as a workaround, which helps, but it's still dog-slow compared to FTP.

    There's a patch to OpenSSH that helps, but FTP is still notably faster, and almost no OpenSSH program binary distributions contain the patch, so you have to have a development system and know how to use it to even try it (and on Windows, that also usually means $$$).

    I agree there is a real need for a secure replacement for FTP, but have yet to see any contenders that I can take seriously.

    1. Re:FTP whails over SFTP/SCP by IdeaMan · · Score: 1

      Finally a valid reason to still use ftp. Wake up you sftp developers and crack that whip, those hamsters are loafin.

      --
      They ARE out to get you simply because They are in it for themselves and they don't care about you.