GA Tech: Internet's Mid-Layers Vulnerable To Attack

← Back to Stories (view on slashdot.org)

GA Tech: Internet's Mid-Layers Vulnerable To Attack

Posted by timothy on Monday August 22, 2011 @12:49PM from the soft-creamy-underbelly dept.

An anonymous reader writes "Evolution has ossified the middle layers of the Internet, leaving it vulnerable but security breaches could be countered by diversification of protocols, according to Georgia Tech, which recommends new middle layer protocols whose functionality does not overlap, thus preventing 'unnatural selection.' Extinction sucks, especially when it's my favorite protocols like FTP."

166 comments

Min score:

Reason:

Sort:

It's hard to take seriously... by msauve · 2011-08-22 12:56 · Score: 4, Insightful

an article which discusses "the six [sic] layers..."

I understand that IP protocols predate the 7 layer ISO/OSI model, but that's what everything is mapped to in modern terms.

The article seems even more confused, when it reverses the layers, claiming that "at layers five and six, where Ethernet and other data-link protocols such as PPP (Point-to-Point Protocol) communicate..."

What are they teaching at GA Tech? This is networking 101.

--
"National Security is the chief cause of national insecurity." - Celine's First Law
1. Re:It's hard to take seriously... by Anonymous Coward · 2011-08-22 13:03 · Score: 0
  
  N.B This advertisement has been brought to you by you friendly neighbourhood Microsoft evangelist.
  * MyCleanPC requires Microsoft Windows.
  * Most viruses require Microsoft Windows.
2. Re:It's hard to take seriously... by Anonymous Coward · 2011-08-22 13:23 · Score: 0
  
  Microsoft evangelist?
  Hardly. That spam was been brought to you by your local depraved zombie bot which has been pushing the same thing for the past few stories.
  I hope somebody in the admin circle adds it to the block filter shortly.
3. Re:It's hard to take seriously... by postbigbang · 2011-08-22 13:50 · Score: 1, Insightful
  
  It's pretty freshmen-ish stuff. FTP hasn't been used in a long time. Glass-screen protocols went the way of the 386 long ago. I'm surprised these guys don't understand various secure protocols, key exchange methods, and so forth. Nice fluffy stuff, but very dated for the reality check. Show me someone using ftp and I'll show you a password theft followed by a crack. Ye gawds.
  
  --
  ---- Teach Peace. It's Cheaper Than War.
4. Re:It's hard to take seriously... by JMZero · 2011-08-22 14:09 · Score: 2
  
  Variants of FTP are used widely in business to business transfers - sometimes secured with SSL, but often just by plaintext passwords, obscurity and/or IP whitelists. FTP is consistent between a large variety of platforms and lots of sysadmins like the simplicity of scripting, for example, a nightly FTP file transfer.
  Is there better solutions? Of course. But FTP is still very common - and lots of businesses still employ much more arcane tech than it. For a lot of businesses, terminal servers were a real boon, because now they could all connect to a single old desktop (which in turn has a much more arcane connection to some mainframe in a basement that everyone's scared of).
  It'll be a long time before FTP dies.
  
  --
  Let's not stir that bag of worms...
5. Re:It's hard to take seriously... by Skal+Tura · 2011-08-22 14:22 · Score: 1
  
  Our customers demand FTP, no matter how much we educate about SFTP and show how easy it is, still they insist on using FTP.
  if ftp goes down that's likely to get complaints faster than http being down. loss of SSH access they barely even notice oO;
  
  --
  Pulsed Media Seedboxes
6. Re:It's hard to take seriously... by postbigbang · 2011-08-22 14:26 · Score: 0
  
  Go on, gimme that loaded .357 so that I can swing it around. And you give it to them.
  SFTP is one idea. SCP. Notice the S?
  
  --
  ---- Teach Peace. It's Cheaper Than War.
7. Re:It's hard to take seriously... by tepples · 2011-08-22 14:32 · Score: 1
  
  SFTP is one idea. SCP. Notice the S?
  Which of these two protocols' client comes with Microsoft Windows brand operating systems? And which budget shared web host supports file uploads using such protocols?
8. Re:It's hard to take seriously... by garyebickford · 2011-08-22 14:32 · Score: 1
  
  Haha. One system I had to build and maintain at a previous employer, not that long ago (1999):
  PC .BAT job runs a Qualcomm application that dials up Qualcomm periodically to connect to their satellite truck monitoring system, capture session into a file in a special directory
  PC .BAT job looks periodically to see if a new file has come in; uses TFTP to transfer it to a Sun workstation - call it Sun-1.
  Sun-1 shell script mails the file to a special email account on another workstation
  Sun-2 uses fetchmail and procmail to filter the incoming data (now timestamped by dint of having been emailed) into a Perl script that logs into a database server and inserts the data.
  Sun-2 cron job runs all the Perl scripts that collect, doing the inserts.
  Sune-3 (a web server on the DMZ supported with an outbound-only tunnel from the database server) runs queries on the database and tells the user where the truck is at, where it's been and what it's doing, displayed as a graphic layer on a mapping system (we got our map data directly from the feds.)
  All this mostly because the Qualcomm application only ran in DOS, and only worked via dial-up. For the web user it was really sexy, but underneath it was a complete kluge, of necessity given the available tools.
  
  --
  It's easier to be a result of the past, but more fun to be a cause of the future! http://www.spacefinancegroup.com/
9. Re:It's hard to take seriously... by Tanktalus · 2011-08-22 14:38 · Score: 1
  
  First question: Dunno. Probably neither. Not hard to get, though. Second question: I switched to dreamhost.com because I can use rsync over ssh. Not posting any referral link to discourage thoughts about having a financial reason to say anything. Also: I don't work for them. I merely use them. I understand they have a less-than-stellar reputation, but for my purposes, it's been nearly nothing but positives.
10. Re:It's hard to take seriously... by colinrichardday · 2011-08-22 14:39 · Score: 1
  
  Show me someone using ftp and I'll show you a password theft followed by a crack.
  Does that include anonymous FTP? Or using FTP between two computers in my apartment?
11. Re:It's hard to take seriously... by Dhalka226 · 2011-08-22 14:41 · Score: 1
  
  And which budget shared web host supports file uploads using such protocols?
  Dreamhost. Being able to SSH in and pull down something with their pipes using wget has come in handy a number of times as well.
  The client thing, meh. If people are mucking around in command line FTP programs they're savvy enough to download one; if they're using a GUI an awful lot of them have SFTP support these days, including FileZilla (free/Free). I guess I could see an argument if they're just entering an FTP URL into their Explorer window.
12. Re:It's hard to take seriously... by Charliemopps · 2011-08-22 14:55 · Score: 1
  
  You're missing the point. A good example would be fast food restaurants. There used to be a Mexican based fast food chain called Taco Bell. It used to be the only place to get burritos, but then McDonalds introduced their breakfast burrito and drove Taco Bells nearly extinct like FTP. Please ignore the fact that you drove by 3 of them this morning or that it's impossible to update your website without using FTP.
13. Re:It's hard to take seriously... by retchdog · 2011-08-22 15:01 · Score: 1
  
  zombie bot? maybe, but it's probably some third-world peon doing this for pennies an hour.
  but maybe that's what you meant by zombie bot.
  
  --
  "They were pure niggers." – Noam Chomsky
14. Re:It's hard to take seriously... by mgiuca · 2011-08-22 15:14 · Score: 3, Informative
  
  I've never really been a fan of the OSI model. The idea of the hierarchy is great; sandwiching it into discrete layers seems problematic.
  Wikipedia's definition of the OSI model states that "there are seven layers, each generically known as an N layer. An N+1 entity requests services from the layer N entity." Makes sense. So, why are both ICMP and IP considered to be in layer 3? ICMP is built on top of IP, so it should be in the layer above IP, but it doesn't actually provide transport (or at least, isn't meant to). HTTP is in layer 7, but it can be sent directly on top of TCP, which is in layer 4, skipping over two layers. (Or it can be tunnelled over SSL, but still skipping layer 5.)
  I prefer to think of the IP stack being a directed acyclic graph of technologies, each depending on another, rather than an explicit linear division into layers.
15. Re:It's hard to take seriously... by colinrichardday · 2011-08-22 15:32 · Score: 1
  
  No, it's a wired connection. And why is mentioning anonymous FTP being smartass?
16. Re:It's hard to take seriously... by PopeRatzo · 2011-08-22 15:34 · Score: 1
  
  zombie bot? maybe, but it's probably some third-world peon doing this for pennies an hour
  Same thing.
  
  --
  You are welcome on my lawn.
17. Re:It's hard to take seriously... by Opportunist · 2011-08-22 16:15 · Score: 1
  
  Correction. FTP should not be used anymore. It is used. Widely. Why? Because it works, and because the person who could change it left the company years ago. But slowly.
  Turn back the time a decade. We're at the downturn after the dot.com bubble blew up, a lot of more or less sane IT people are out of a job (along with all the duds that got their job by spelling TCP/IP halfway correct and knowing that it ain't the Chinese secret service), and all of them are looking for work, any kind of work will do. So they're cheap, and that's where companies buy in and get their IT infrastructure up to speed. Back then, people cared even less about security than they do today, what they wanted was an IT infrastructure that works.
  In comes FTP, along with scripts to grab and send files around.
  And these servers still exist out there, they have never been touched, they were never secured, and I'm even sure that the passwords are still the same they were before 9/11 happened.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
18. Re:It's hard to take seriously... by Anonymous Coward · 2011-08-22 16:49 · Score: 0
  
  I use FTP on a daily basis to transfer files between my home and work. Of course... I do tunnel over SSH. Its not a security problem to use FTP, its how you use it.
19. Re:It's hard to take seriously... by Pentium100 · 2011-08-22 16:56 · Score: 4, Informative
  
  Well, you can imagine a "null" layer that does nothing, just passes the data unmodified to the next layer.
  For example, HTTPS would be HTTP over SSL, SSL wouls be level 6 (presentation). If you use HTTP without SSL then level 6 is empty or uses the "null" protocol.
  ICMP is part of IP, while you could say that the ICMP packet is inside an IP packet it is easier to imagine ICMP as just a part of IP, because it is used that way (for example, to signal that some other packet could not be delivered).
  Just because I can send the HTTP packet inside an Ethernet frame (without IP or TCP), does not mean that the model is broken, it's just that "null" is a valid protocol.
20. Re:It's hard to take seriously... by mikael_j · 2011-08-22 17:05 · Score: 1
  
  Back then, people cared even less about security than they do today, what they wanted was an IT infrastructure that works.
  Of course, I've seen ISP environments that used FTP heavily (as well as TFTP for a bunch of automated stuff). Why? Because when you're running an encrypted tunnel through another encrypted tunnel that runs between two trusted hosts on a segment of the network that does not allow incoming traffic from anywhere but the NOC it just seems silly to add another layer of encryption and the potential issues that could come with that for daily log transfers...
  
  --
  Greylisting is to SMTP as NAT is to IPv4
21. Re:It's hard to take seriously... by mgiuca · 2011-08-22 17:13 · Score: 1
  
  Good point about the null. I see that it works that way for non-SSL traffic, but I still don't see how the "session layer" sits in between HTTP and TCP (even if you consider it to be "null"). It seems like session layer protocols are an entirely different sort of connection.
  As for ICMP, I see what you mean that it's sort of part of the IP protocol (IP wouldn't work without ICMP), but it is syntactically formed inside an IP packet, and I do believe it is constructive to think of ICMP as being "on top of" IP and not part of it (that's certainly how you'd implement it -- your ICMP code would certainly be calling your "construct IP packet" code at some point).
22. Re:It's hard to take seriously... by lennier · 2011-08-22 17:46 · Score: 4, Informative
  
  So, why are both ICMP and IP considered to be in layer 3?
  Because the Internet protocols are not in fact part of the OSI model, despite lots of teaching materials claiming this. The neat little OSI layer diagrams you see with all the layers filled in are mostly retcons invented long after OSI was dead.
  The actual Internet protocol suite is not part of the OSI model but the 4-layer Internet model (Link, Internet, Transport, Application). Link is like OSI layers 1 and 2, Internet is like OSI Layer 3, Transport is like OSI Layer 4, Application is like OSI Layer 7, but there is no actual Internet equivalent of OSI's layers 5 and 6. Pretty much everything above 4 runs at Layer 7.
  In the Internet model, it makes perfect sense for DHCP, IP and ICMP and routing protocols like RIP and OSPF to be at the Internetworking level because they are both protocols dealing with datagram transmission between interconnecting disparate packet-switched services, while TCP and UDP are in the Transport layer because they make dealing with raw datagrams somewhat more pleasant.
  It would perhaps be sensible to invent a whole new layer model now that we have a lot more protocols. HTTP, for instance, should be a layer of its own, since so many things are now tunnelled over it. That would be sensible, though, so good luck.
  
  --
  You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
23. Re:It's hard to take seriously... by mgiuca · 2011-08-22 18:01 · Score: 1
  
  Thank you. Yes, the four-layer Internet Protocol Suite thing makes a lot more sense. Rather than trying to say "there are seven layers stacked on top of each other," it seems like here, the protocols are arranged into four logical "protocol groups" with clearly-defined roles, and no sense of "protocols in layer N run on top of those in layer N-1". In the IP suite, it seems valid for protocols in the same group to run on top of each other (e.g., HTTP runs over SSL; ICMP runs over IP).
24. Re:It's hard to take seriously... by Anonymous Coward · 2011-08-22 18:39 · Score: 0
  
  So? require them to tunnel it inside an ipsec tunnel, problem solved.
25. Re:It's hard to take seriously... by Animats · 2011-08-22 19:22 · Score: 2
  
  So, why are both ICMP and IP considered to be in layer 3? ICMP is built on top of IP.
  The real answer to that is that it's a Berkeley UNIXism. Some early TCP/IP implementations, including the one I worked on, had ICMP at a layer above IP, in the same layer with TCP and UDP. The Berkeley UNIX kernel, like other UNIX versions of the period, had real trouble communicating upward within the kernel, because this was before threads, let alone kernel threads.
  To get around that kernel limitation, ICMP was crammed in with IP. This had some downsides, including the demise of ICMP Source Quench for congestion control, which didn't fit well into the mode of ICMP as an error-reporting mechanism for IP.
26. Re:It's hard to take seriously... by FireFury03 · 2011-08-22 19:36 · Score: 4, Informative
  
  It would perhaps be sensible to invent a whole new layer model now that we have a lot more protocols. HTTP, for instance, should be a layer of its own, since so many things are now tunnelled over it. That would be sensible, though, so good luck.
  Thinking of a fixed set of layers stops being useful as soon as you get moderately complex network setups because these days encapsulations tend to happen at all sorts of layers. Modern networks can probably be thought of more as a stack of protocols with the link layer at the bottom, application at the top and chopped up repetitive bits of the stack in the middle.
  e.g. take for example a modern connection to a website and we probably see this kind of stack:
  HTTP
  SSL
  TCP
  IP
  PPP
  PPPoE
  Ethernet
  ATM VC-Mux
  ATM
  G.922.5 data link layer
  Physical ADSL
  And that's just for a plain home ADSL connection. In more complex networks it is common to encapsulate stuff further, for example using GRE tunnels or IPSEC tunnels, and it isn't uncommon to see something more like:
  HTTP
  SSL
  TCP
  IP
  IPSEC ESP
  IPSEC AH
  IP
  Ethernet
  GRE
  IP
  GRE
  IP
  PPP
  PPPoE
  Ethernet
  ATM VC-Mux
  ATM
  G.922.5 data link layer
  Physical ADSL
  And you can keep adding encapsulation layers at pretty much any point in the stack.
  
  --
  http://blog.nexusuk.org
27. Re:It's hard to take seriously... by Anonymous Coward · 2011-08-22 19:40 · Score: 0
  
  If you check he is also heavily funded by Cisco amongst others
28. Re:It's hard to take seriously... by maxwell+demon · 2011-08-22 19:47 · Score: 1
  
  So what is the advantage of sftp over ftps?
  
  --
  The Tao of math: The numbers you can count are not the real numbers.
29. Re:It's hard to take seriously... by TheRealGrogan · 2011-08-22 19:56 · Score: 1
  
  I wasn't going to pay any attention to that silliness, but I feel like saying that I use FTP all the time as well.
  Not for server work (SSH protocols for that), but I use FTP between computers here. It's a fast and reliable way to transfer data. If it's a lot of small files I tar it up first though. (I would always want to archive that kind of stuff for any method of data transfer, though)
  I still use FTP clients to download stuff where I can too. (e.g. kernel and other source tarballs, distro mirrors for ISOs etc.)
  I don't want FTP to go away. However, I don't think that's got anything to do with the premise of the article... it's just used as an example of the "evolution" he's talking about. It's got nothing to do with the "middle protocols" in question, it's one of the application protocols and I doubt it's going anywhere. Reliable resuming of transfers (by inserting markers in the data stream) means less wasted bandwidth.
30. Re:It's hard to take seriously... by Alioth · 2011-08-22 20:05 · Score: 4, Informative
  
  FTP (and FTPS) uses two ports: one fixed port number and the other random. You also have passive mode and "active" mode for FTP (but everyone these days uses passive, except one particularly backward vendor I had to deal with).
  This causes firewall headaches because now the packet filter must understand FTP and selectively punch holes in the firewall for the data connection, and close them when the data connection finishes. Either the packet filter in the OS kernel must understand FTP, or you must use an FTP proxy that can dynamically modify your packet filter rules.
  SFTP requires none of this. It works on a single port and this port doesn't change with each file you want to transfer or directory listing you want to see. You can also use the scp command which is much cleaner for scripting than writing FTP scripts. SFTP is a *lot* easier and cleaner to support, and the encryption is built right into the protocol, not added ad-hoc some time later.
  
  --
  Oolite: Elite-like game. For Mac, Linux and Windows
31. Re:It's hard to take seriously... by Anonymous Coward · 2011-08-22 21:10 · Score: 0
  
  Ha, ha. Spot the noob.
  We use ftp in interactions with a number of companies. Some are over VPNs, some are over the many variations of secure FTP and some are fully old school depending on the value of the data.
32. Re:It's hard to take seriously... by sjames · 2011-08-22 21:16 · Score: 1
  
  And of course layer 8 is where they make you sit in the comfey chair.
33. Re:It's hard to take seriously... by Kjella · 2011-08-22 21:31 · Score: 1
  
  Something tells me you'll have a rude wakeup call if you get out of school and start working for some big business. FTP is still an extremely common way of transferring files in batch scripts and such.
  
  --
  Live today, because you never know what tomorrow brings
34. Re:It's hard to take seriously... by unixisc · 2011-08-22 22:12 · Score: 1
  
  an article which discusses "the six [sic] layers..." I understand that IP protocols predate the 7 layer ISO/OSI model, but that's what everything is mapped to in modern terms. The article seems even more confused, when it reverses the layers, claiming that "at layers five and six, where Ethernet and other data-link protocols such as PPP (Point-to-Point Protocol) communicate..." What are they teaching at GA Tech? This is networking 101.
  I agree w/ you, although it would seem that maybe the reason they mention 6 layers is that there is no vulnerability @ the physical layer? None that doesn't involve the layers sitting on top of it anyay
35. Re:It's hard to take seriously... by unixisc · 2011-08-22 22:16 · Score: 1
  
  Only works if you have either non-NAT IPv4, or IPv6. But much of IPv4 now is NATed, and IPSEC does not work w/ that, b'cos the moment the NAT server strips the address header of the IPv4 packet in order to map it to its destination, IPSEC has problems w/ it, just like it should, and then it has to be ignored.
36. Re:It's hard to take seriously... by unixisc · 2011-08-22 22:47 · Score: 1
  
  The 7 vs 4 argument only seems to matter when one is discussing the Application layer in the 4 layer model, which in the 7 layer model is split b/w the Application, Presentation and Session layers, while the Link layer is split into Physical & Data link layers. Other than that, anything in the network or transport layers of one will be in the internet or transport layers of the other.
  
  While the 4 layer model may make sense from the upper layers POV, I do prefer separating the Link layers, and not mixing the media used w/ the switching layers.
37. Re:It's hard to take seriously... by Anonymous Coward · 2011-08-22 23:01 · Score: 0
  
  Well, the author is
  
  a graduate student advised by Prof. Constantine Dovrolis. I am interested in Internet evolution, evolutionary network modeling, and adaptive video streaming. Before joining Georgia Tech in Fall 2009, I spent four wonderful years at University of Tehran completing my B.Sc. in computer engineering.
  and the point of his paper in ACM SIGCOMM is only that the layered architecture leads to an "hourglass" structure with concentration in some of the middle layers. I think "security vulnerability" is just a speculative hook upon which to hang the broader observation.
38. Re:It's hard to take seriously... by Anonymous Coward · 2011-08-22 23:50 · Score: 0
  
  Anonymous FTP for public-facing things and SFTP for private things seems like a good combination.
39. Re:It's hard to take seriously... by Kagetsuki · 2011-08-23 00:06 · Score: 1
  
  SFTP is part of SSH, FTPS is FTP with encryption poorly stuck onto it. On top of that very few FTPS software packages seem to be compatible with eachother.
  If you don't know what SSH is please look it up yourself. SSH is one of the things that makes POSIX systems awesome.
40. Re:It's hard to take seriously... by maxwell+demon · 2011-08-23 00:42 · Score: 1
  
  SFTP is part of SSH, FTPS is FTP with encryption poorly stuck onto it.
  You mean like HTTPS is HTTP with encryption "poorly stuck onto it"?
  And why isn't SFTP just "SSH with FTP poorly stuck onto it"?
  I'm of the opinion that the base protocol and the encryption should be separate. Why should a separate security infrastructure (each with its own possibility for bugs) be built around each single protocol? Or should one extend SSH to also support a replacements for SMTP, IMAP, NNTP, etc.?
  
  On top of that very few FTPS software packages seem to be compatible with eachother.
  Well, that's of course a problem, but not exactly a fault of the protocol.
  
  If you don't know what SSH is please look it up yourself.
  Of course I know what SSH is. It's what you use to log into a computer where you have a shell account. It also supports file transfer, in its own, incompatible way.
  
  --
  The Tao of math: The numbers you can count are not the real numbers.
41. Re:It's hard to take seriously... by postbigbang · 2011-08-23 01:02 · Score: 1
  
  There might be one practical use where you won't violate security ideals-- anonymous ftp. Otherwise ftp is swiss cheese. I'm not joking. SO it sounded like you were finding the smart ass narrow exception. But you may in fact not really know the dangers otherwise.
  
  --
  ---- Teach Peace. It's Cheaper Than War.
42. Re:It's hard to take seriously... by postbigbang · 2011-08-23 01:09 · Score: 1
  
  Oh. Right. I was cleaning up DEC tape spews when you were a zygote. FTP may be common, but it's intensely insecure. Do your research. If you use it, you're irresponsible and endanger your organization.
  
  --
  ---- Teach Peace. It's Cheaper Than War.
43. Re:It's hard to take seriously... by datapharmer · 2011-08-23 01:10 · Score: 1
  
  That's nothing, I spoke with a colleague and they have an intern from a large state college with a computer engineering school that is considered pretty decent. The intern didn't even know what FTP was, and it wasn't because they knew about more secure protocols like sftp. I was shocked to say the least. What are they teaching in school these days? I'm really at a loss...
  
  --
  Get a web developer
44. Re:It's hard to take seriously... by datapharmer · 2011-08-23 01:11 · Score: 1
  
  nonsense. Tell them they can use sftp or scp and if they complain tell them you will restore the ftp access when they finish removing the locks from the building because "they aren't necessary".
  
  --
  Get a web developer
45. Re:It's hard to take seriously... by datapharmer · 2011-08-23 01:15 · Score: 1
  
  ummm.... which ones don't? Even godaddy supports sftp and scp now. As for windows, who cares if it comes with it or not? You can get filezilla, putty, or a number of other free alternatives. Heck, you can even install some of them using software deployment group policies.
  
  --
  Get a web developer
46. Re:It's hard to take seriously... by JDG1980 · 2011-08-23 01:16 · Score: 1
  
  Adobe has an FTP site. It's where I always download Reader because it's the only way to get a clean installer without the "download manager" plugin or any of the other crap.
47. Re:It's hard to take seriously... by joebagodonuts · 2011-08-23 01:39 · Score: 1
  
  Like anyone here has a say in what technology will be used. We can (and do) advise, but the decisions are made elsewhere. Most are told what they will support.
  
  --
  "Give a woman two glasses of wine and some pad thai, and they'll agree to just about anything." the Sports Guy
48. Re:It's hard to take seriously... by colinrichardday · 2011-08-23 01:41 · Score: 1
  
  Anonymous ftp is not that rare to be a narrow exception.
49. Re:It's hard to take seriously... by postbigbang · 2011-08-23 01:46 · Score: 1
  
  You can only hope that a cogent argument, repeated until PHBs take it seriously, then think it's theirs, will do some good. Too many systems get p0wn3d because of stupid stuff, and ftp is old, and is just plainly irresponsible-- save places where a secure channel exists. Mostly, they don't; secure channels are another problem for a different day.
  
  --
  ---- Teach Peace. It's Cheaper Than War.
50. Re:It's hard to take seriously... by postbigbang · 2011-08-23 01:49 · Score: 1
  
  The problem isn't really the downloader. It's the fact that the host is vulnerable to iterative attacks until it cracks. Then it's hijacked. Ftp can be cracked like an egg in its Unix and GNU form.... and that's not the only problem.
  
  --
  ---- Teach Peace. It's Cheaper Than War.
51. Re:It's hard to take seriously... by carleton · 2011-08-23 01:50 · Score: 1
  
  UDP 4500 would like a word with you. Mind you, if you have a VPN server and are NATing it, you may have a problem or at least require some registry hacks
52. Re:It's hard to take seriously... by Rubinstien · 2011-08-23 02:12 · Score: 1
  
  I would beg to differ. I spent a couple of hours last week setting up a regression test environment to run a patched version of our FTP connection layer through its paces with (the errors were actually in SFTP error handling, but we re-test everything). Some of the equipment our customers must collect data from supports no other method of retrieving it. Generally, the network is itself *very* secure, and our box is sitting inside of it. I guess the customers don't see it to be much of an issue, and will most likely not be replacing much of this equipment until POTS is simply phased out. There are also pieces of new equipment still being sold that get their firmware and boot configuration via TFTP, only.
53. Re:It's hard to take seriously... by dirtyhippie · 2011-08-23 02:29 · Score: 1
  
  A network tap doesn't involve the layers sitting on top of it.
54. Re:It's hard to take seriously... by JMZero · 2011-08-23 02:49 · Score: 1
  
  Yeah, cool. I'll tell clients and unrelated businesses what software they "can" use.
  I was reporting on the situation. Sure there's better options, but that doesn't stop "FTP is very common" from being reality.
  
  --
  Let's not stir that bag of worms...
55. Re:It's hard to take seriously... by tlhIngan · 2011-08-23 03:43 · Score: 1
  
  The client thing, meh. If people are mucking around in command line FTP programs they're savvy enough to download one; if they're using a GUI an awful lot of them have SFTP support these days, including FileZilla (free/Free). I guess I could see an argument if they're just entering an FTP URL into their Explorer window.
  Depending on the reason for FTP, they could just as well use Internet Explorer for FTP (or Firefox or whatever), because it comes standard. Or map the FTP to a drive on their PC (Windows supports mapping WebDAV and FTP sites to drives) so accessing files is the same as accessing a normal disk.
  And yeah, there's tons of FTP clients, but try to explain how to use one of those SFTP things to a secretary who just wants to upload the nightly data to the server before she leaves. (A lot of routine things aren't scripted - and some people get pretty damn angry if you try to help them out by automating part of their jobs).
  FTP is sweet and simple and works out of the box - just click a link and you're done. Plus a lot of corporate firewalls may only allow 21, 80 and 443 through (FTP, HTTP, HTTPS) - all other ports are blocked. It's why VPN software that works over HTTPS is fairly popular - it'll work where HTTPS works.
56. Re:It's hard to take seriously... by overlordofmu · 2011-08-23 03:51 · Score: 1
  
  You can wrap almost any TCP/IP traffic inside of SSH. You can rsync, ftp and even web browse inside of a SSH tunnel.
  
  In fact, that is exactly how I posted this message. I am at work, with an SSH tunnel to my home network which acts a SOCKS proxy to the internet for my work PC. Even my DNS queries go to my internal DNS server on my home LAN.
  
  All my corporate overlords see is a fuck ton of SSH traffic to my home IP on some very unusual ports. All Slashdot sees is a normal web connection from my home IP address. It is all encrypted and all on a single TCP connection to my home network from my work network.
  
  Obviously, it is unencrypted when it leaves my LAN for the wider internet, but if my corporate overlords want to snoop my private home internet, they are breaking federal law while I am merely violating the corporate IT policies.
  
  But we all see those corporate IT policies as challenges, dares if you will, not actual rules to be followed, don't we?
  
  My home IT policies are far more strict and effective than those of my corporate overlords. How does your walled garden grow?
57. Re:It's hard to take seriously... by jd · 2011-08-23 04:08 · Score: 1
  
  Unencrypted FTP with Kerberos? Anonymous FTP? Plenty of ways you can use FTP without putting an account at risk.
  As for your claim that "FTP hasn't been used in a long time" - it's clearly bogus. FTP is widely used. More web browsers support vanilla FTP than support FTP over SSH. If you want the Linux kernel sources, or a distro ISO image, the overheads of encryption aren't gaining you enough to make it worth the effort - the higher throughput and lower server loads win every time.
  Web hosting sites usually don't support SCP by default - you have to have it enabled, maybe even pay extra, and some sites don't provide it at all. You can argue all you like for what people SHOULD do in such cases, but it's total idiocy to claim that because people SHOULD insist on secure transfer that FTP is dead. The best you can claim is that you wish it dead. Sure, the world would be a better place if rsync+ssh and scp were universal. The world would doubtless have been better had fsp replaced ftp. Life would be infinitely more pleasent had multicasting become ubiquitous (we wouldn't have the damn bandwidth wars with the ISPs for a start). But that's not the world we're in.
  FTP exists, it is used, it is used extensively, it is probably used too much, but it's not going away.
  
  --
  It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
58. Re:It's hard to take seriously... by Anonymous Coward · 2011-08-23 04:17 · Score: 0
  
  Read the original paper. This article is a miserable job that has nothing to do with the original paper. The paper talks about a model to study the evolution of protocol stacks.
59. Re:It's hard to take seriously... by postbigbang · 2011-08-23 04:21 · Score: 1
  
  I've been really surprised by all of the purported ftp use cited in this thread... tftp as well. Web hosting sites are in need of some updates. Using https would at least prevent part of the problem. Yet it's up to people that understand infrastructure to help educate those that don't understand the nature of hacks and cracks. Organizations get banged with hammers that most people aren't willing to understand. Yesterday, my primary web facing server was under attack from two different places trying to beat my ssh into bits. While they didn't succeed, they could have if I hadn't been looking at the syslogs. There's not much behind it to steal, thankfully, but they don't know that.
  
  --
  ---- Teach Peace. It's Cheaper Than War.
60. Re:It's hard to take seriously... by jd · 2011-08-23 04:32 · Score: 1
  
  SSH has severe performance issues and hardly anyone uses the high-performance patches. (Hell, hardly anyone knows the high-performance patches exist!)
  You'll notice the patches are not being funded any more and that none of the SSH enthusiasts are, well, enthused enough to have volunteered to help the maintainer. Don't get me wrong, I like SSH, but it doesn't write itself and I have very little sympathy for those who complain about under-utilization when doing nothing about helping to address the issues that would improve the situation.
  
  --
  It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
61. Re:It's hard to take seriously... by jd · 2011-08-23 04:59 · Score: 1
  
  In need of updates? I fully agree.
  Exactly what those updates are, that's more debatable. tftp is excellent for bootstrapping a machine with an OS and is independent of machine architecture (ix86, MIPS, UltraSPARC) and BIOS (Corelis, Phoenix, UEFI, etc) - I really, really, really do NOT want to try implementing SCP in Forth for bootstrap purposes. I couldn't afford the psychiatric treatment afterwards.
  Likewise, I would not consider using any other authentication mechanism in environments already using SASLv2. MIT Kerberos is good for distributed environments and is safer against DDoS attacks.
  
  --
  It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
62. Re:It's hard to take seriously... by Pentium100 · 2011-08-23 06:34 · Score: 1
  
  Well, in that case ICMP is a transport layer protocol, I mean you can stuff arbitrary data inside an echo request packet, so you can use it as a way to send HTTP requests (and the recipient replies with the same data, so you can check whether it arrived correctly).
  Well, another example - I take an HTTP packet and send it straight over the wire (let's say a serial or parallel port of a PC), now it only has two layers - physical and application, all others are null. Or if you want a network, try an I2C bus, it has adressing (and layer 2), but no layer 3 or 4 (you can use it if you want though).
  HTTP can also drop to a lower layer if it is being used to transfer some other protocol, for example BitTorrent..
63. Re:It's hard to take seriously... by Unequivocal · 2011-08-23 06:59 · Score: 1
  
  Of course that solution is kooky in its way but also amazing in a way b/c each step actually makes sense and works with the other steps only b/c of the genius of the layered internet.
64. Re:It's hard to take seriously... by Unequivocal · 2011-08-23 07:03 · Score: 1
  
  Yeah - that protocol layer has a name to: PEBKAC
65. Re:It's hard to take seriously... by mgiuca · 2011-08-23 11:55 · Score: 1
  
  Well that makes my point, though: you can arbitrarily nest protocols inside one another, so it doesn't make sense to talk about them strictly in layers. Rather than saying "HTTP can drop to a lower layer", why not throw away the concept of layers, and just have a more vague concept of "application level" versus "transport level" and so on, like the 4-level IP stack.
66. Re:It's hard to take seriously... by Kagetsuki · 2011-08-23 16:01 · Score: 1
  
  If you know what SSH is then why did you ask about SFTP? SFTP is just an FTP-esque environment to copy files over SSH, for when you don't want to do so one by one over SCP or you don't know all the remote paths or whatever. So you say you know what SSH is, but have you actually ever used it?
67. Re:It's hard to take seriously... by Pentium100 · 2011-08-23 18:26 · Score: 1
  
  The OSI model is still useful to know in which order you want to do stuff.
  For example, take the application data, if you need to, convert it to something that the recipient can read (XML, some encoding), then encrypt it and/or use whatever session management protocols you want, after that put it in a transport protocol, then a network protocol and pass it down to data link which will send it over a physical connection.
  The fact that you can arbitrarily nest protocols inside one another is the result of the fact that each protocol cares only about its layer and does not care what is above and below it. I think that was the point of the OSI model.
68. Re:It's hard to take seriously... by maxwell+demon · 2011-08-23 19:05 · Score: 1
  
  If you know what SSH is then why did you ask about SFTP?
  Nowhere did I ask what SFTP is. I know that. I asked why it should be preferred over FTPS.
  
  --
  The Tao of math: The numbers you can count are not the real numbers.
69. Re:It's hard to take seriously... by petermgreen · 2011-08-24 00:29 · Score: 1
  
  While the 4 layer model may make sense from the upper layers POV, I do prefer separating the Link layers, and not mixing the media used w/ the switching layers.
  I think the key with TCP/IP is that you have two layers that are actually part of TCP/IP. Above those layers you have an application and below them you have a "link" . The application and the link may themselves be divided into multiple layers but that is outside the scope of TCP/IP. You may even have some layers occouring more than once in the stack.
  
  --
  note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
70. Re:It's hard to take seriously... by unixisc · 2011-08-24 15:50 · Score: 1
  
  Under the OSI model, does that make layers 4-7 a part of TCP? Or UDP? I thought that only layer 4 was TCP, and above it, the Application, Presentation & Session layers were different.
  As it is, Data Link & Physical Layers are not part of IP - you could have had IPX, or any other protocol in its place. I'd think the same is true for the top 3 - except for maybe the Session layer, the layers above it might be agnostic about the Transport mechanism used
71. Re:It's hard to take seriously... by petermgreen · 2011-08-27 03:23 · Score: 1
  
  TCP/IP was not designed to fit the OSI model therefore any attempt at mapping TCP/IP onto the OSI model will be imperfect
  TCP sits above IP and is conventionally considered to be at OSI level four (though according to wikipedia it implements some functionality that is in OSI level 5). UDP also sits above IP and therefore is also conventionally considered to be at OSI level four (though it implements hardly any of the functionality OSI associates with that layer).
  The rest of the functionality that OSI places in layer 5 and the functionality that OSI places in layer 6 is not provided by the TCP/IP stack. If applications require that functionality then they need to implement it themselves or use libraries to provide it.
  
  --
  note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
How to mod article? by whoever57 · 2011-08-22 12:57 · Score: 3

Surely this article should be nodded "massive ignorance"! It's the simplicity of the middle layers that enables the development of the upper and lower levels. It also makes the middle layer much more immune to security issues.

--
The real "Libtards" are the Libertarians!
1. Re:How to mod article? by Anonymous Coward · 2011-08-23 04:45 · Score: 0
  
  The original paper does not even talk about security. It tells a totally different story about protocol stacks and their evolution. Read the original paper!
So the internet is just like a human being then? by antifoidulus · 2011-08-22 13:04 · Score: 4, Funny

Well, I know for myself a good swift "attack" on my "middle layer" does cause me to fall to the ground and writhe around for a while, so I guess the internet and I do have a lot in common, really vulnerable mid-sections.

--
Monstar L
How did this article make it? by norpy · 2011-08-22 13:05 · Score: 3, Insightful

Not only did they combine the presentation and application layers from the OSI model they completely misunderstand WHY that the transport layer is less diverse in number of protocols.
They propose that we should create new transport protocols that do not overlap with existing ones.... The reason we only have a handful of them is because of the fact that there are not many ways to differentiate a transport protocol.
1. Re:How did this article make it? by after.fallout.34t98e · 2011-08-22 13:35 · Score: 1
  
  There are very many ways to differentiate them (I would hypothesize an infinite number of different ways), most of them are just not efficient.
  The trouble I have is understanding why we need so many. A transport protocol is a mechanism for ensuring the delivery of data from one point to another. Surely it would be far simpler to optimize a network (or write faster software for routers/switches) if there were only a few standard protocols (granted there are only a few in wide use and most network hardware is designed for that fact).
Fail by Anonymous Coward · 2011-08-22 13:07 · Score: 0

Yes, because it's very difficult to understand that protocols which aren't end-to-end require more standardisation then other protocols due to having to cross many nodes thus leading to a situation of relying on a select tried and true protocols. Yes, very difficult.
Unstated, and important, assumptions? by fuzzyfuzzyfungus · 2011-08-22 13:08 · Score: 4, Insightful

There seems to be the unstated(but vital to the conclusion asserted) assumption that competition actually makes protocols more secure and that competition must occur at the protocol level, rather than the implementation level. Without those assumptions holding, all this article really says is that people use TCP and UDP a lot. Yup. That they do.

This seems like it might be true in the (not necessarily all that common) case of a protocol whose security is fucked-by-design competing with a protocol that isn't fundamentally flawed, in a marketplace with buyers who place a premium on security, rather than price, features, time-to-market, etc.

Outside of that, though, much of the competition and security polishing seems to be at the level of competing implementations of the same protocols(and, particularly in the case of very complex ones, the de-facto modification of the protocol by abandonment of its weirder historical features). It also often seems to be the case that(unless you are in the very small formally-proven-systems-written-in-Ada market, or something of that sort) v1.0 of snazzynewprotocol is a bit of a clusterfuck, and is available in only a single implementation, also highly dubious, while the old standbys have been polished considerably and have a number of implementations available...
1. Re:Unstated, and important, assumptions? by masterwit · 2011-08-22 16:40 · Score: 1
  
  (unless you are in the very small formally-proven-systems-written-in-Ada market, or something of that sort) v1.0 of snazzynewprotocol is a bit of a clusterfuck, and is available in only a single implementation, also highly dubious, while the old standbys have been polished considerably and have a number of implementations available...
  Careful that we do not open Pandora's box here... (You know exactly what I am talking about, heh)
  But on another note your exactly right. This article seems to talk about how protocols "evolved" but this is just as useful as painting a picture of the internet:
  Time and time again I will see models looking at a picture of the internet "all at once", but without knowing what and why with each individual link, protocol, implementation, etc... this is a complete waste of time.
  As you have said in so many words above, what these "researchers" did is a complete waste of time. Maybe they need to do some research on peering 101?
  Disclaimer: I have not read the actual paper just a poorly written article linked by Slashdot. Perhaps there is much more to their work; if so, I do apologize.
  
  --
  We should start a new Slashdot and return control to the geeks. It actually wouldn't be that hard to get some users to
2. Re:Unstated, and important, assumptions? by fuzzyfuzzyfungus · 2011-08-22 17:06 · Score: 2
  
  As best I can tell, after going back and reading the paper, TFA is a miserable hatchetjob that has almost nothing to do with the paper.
  
  The paper dealt with modeling the survival or culling of protocols at various layers, under various selection criteria, from a sort of evolutionary-biology standpoint. This did entail examining what conditions resulted in monoculture end states, and what conditions might result in stable multiple-protocols-at-each-layer end states; but all at the level of a fairly abstract model, not an empirical examination of the State of The Intertubes, or much specifically security-related material(In TFA's defense, the paper did suggest that, if you wanted a stable-state outcome with multiple middle layer protocols, they would have to be non-overlapping, which TFA managed to at least parrot accurately, and both agree that the internet as it exists is pretty much an IP monoculture; but the two otherwise bear surprisingly little resemblance to one another.)
  
  TFA seems to be the result of picking the page with the least math, skimming it, and then adding some security-related alarmism...
Really? Why not link to the original paper? by Anonymous Coward · 2011-08-22 13:08 · Score: 5, Informative

It's the very first Google hit, is still on a public server, and doesn't obviously distort the conclusions like TFSA in an effort to get more clicks. A+ for poorly crafted summaries, Slashdot.
http://www.cc.gatech.edu/~sakhshab/evoarch.pdf
As long as... by v(*_*)vvvv · 2011-08-22 13:11 · Score: 1

... there is human error there will be weakness. Before innovation, there is caution and upkeep. Careless server admins just leave their gates open, a la Sony. A simple misconfiguration and the East goes dark, a la Amazon.
But like all things founded on good democratic freedoms, we are free to be idiots. And unless we add socialized security, the internet will always be full of gaping weaknesses. And all of us, including those that serve responsibly, will suffer their consequences. A la the United States of America.
Not that either is good or bad, but just sayin' this is the world we surf in.
1. Re:As long as... by Arivia · 2011-08-22 14:52 · Score: 1
  
  holy fucking crap how do you log in
  
  --
  The role of the writer is not to say what we can all say, but what we are unable to say. -Anais Nin
Use mutt by jrumney · 2011-08-22 13:12 · Score: 1

Evolution always seemed to be too like MS Outlook to me, this article just seems to confirm that, judging by the odd intelligible snippet I can make out from the overuse of metaphors and confused language of the summary. But fear not, mutt does not suffer these problems, and nor does Thunderbird if you need your middle layers of the internet client to have pretty icons.
SCTP by Anonymous Coward · 2011-08-22 13:13 · Score: 0

They forgot a major, new, "middle layer" protocol. Next.
Alrighty by khallow · 2011-08-22 13:14 · Score: 2

security breaches could be countered by diversification of protocols, according to Georgia Tech, which recommends new middle layer protocols whose functionality does not overlap, thus preventing 'unnatural selection.'

Let's have a lot of protocols right, but to prevent too much diversity (that is, stuff that doesn't work) we'll need to make sure these comply with one or two protocols that everyone will use...

Hmmm, "Middle layer protocols whose functionality does not overlap"... does that mean that we prune the vast abundance of current protocols with sometimes overlapping functionality? I guess we could call that "diversification" though at this level of semantic mismatch, we could call it "Frank" with equal justification.

I guess I'm not quite sold on the argument presented here.
Other things hampering evolution by jhantin · 2011-08-22 13:29 · Score: 2

Evolution at the middle layers is also hampered by the proliferation of middleboxes: monkeying with packet headers for policy-enforcement and profit. It's also pretty well de rigueur for IT departments to configure both middleboxes and "smart" switches to drop any unrecognized middle layer packets.

--
...when you're writing a game...tweak the difficulty of "Easy" to something [your mother] can cope with. -- onion2k
1. Re:Other things hampering evolution by Anonymous Coward · 2011-08-22 20:14 · Score: 0
  
  It's also worth to notice that middlebox implementations, even after decades since large-scale TCP/IP deployments, are still occasionally found to have vendor-independent weaknesses. This applies especially to deep packet inspection, but also, surprisingly enough, plain firewalls. And getting TCP/IP host stacks on IPv4 relatively bug-free took couple decades. With IPv6, we're still surprisingly far from that.
  As someone that works on such systems, I must make a personal remark: I don't want lots of extra protocols on the side of "classic" TCP/IP and regular IP (not to mention how unrealistic deploying anything beyond IPv4 and IPv6 would actually be!) - because it would create extra work, and especially lots of new unknowns on both protocol design and corresponding implementations. Especially in the security department.
  And on top of this: no corporate entity with understanding of network threats wants to lower their level of defence for these kind of experiments. Maybe market is driven by consumers these days, but even the assumption that consumer firewalls would let new protocols through is not based on reality. Especially NAT will stop these kind of new protocols on their tracks.
Let FTP die already by Dwedit · 2011-08-22 13:29 · Score: 1

Let FTP die already. Clear text passwords suck.
The only legitimate use of FTP is a way of transferring files over a LAN to something which doesn't have a good implementation of a CIFS or SSH server.
1. Re:Let FTP die already by colinrichardday · 2011-08-22 13:43 · Score: 2
  
  Let FTP die already. Clear text passwords suck.
  How do clear text passwords suck for anonymous FTP?
2. Re:Let FTP die already by wmbetts · 2011-08-22 14:41 · Score: 1
  
  Anonymous runs an ftp server? Aren't they worried about the FBI?
  
  --
  "Ubuntu" -- an African word, meaning "Slackware is too hard for me". - stolen from Dan C alt.os.linux.slackware
3. Re:Let FTP die already by Lehk228 · 2011-08-22 15:17 · Score: 2
  
  why should they, they have it installed on YOUR mainframe
  
  --
  Snowden and Manning are heroes.
4. Re:Let FTP die already by KiloByte · 2011-08-22 15:22 · Score: 1
  
  FTP has more flaws than just clear text passwords. Requiring multiple connections, often in opposite ways, for one.
  
  --
  The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
5. Re:Let FTP die already by wmbetts · 2011-08-22 15:47 · Score: 1
  
  Oh, fuck. That's probably why work has been calling me.
  
  --
  "Ubuntu" -- an African word, meaning "Slackware is too hard for me". - stolen from Dan C alt.os.linux.slackware
6. Re:Let FTP die already by lennier · 2011-08-22 17:50 · Score: 1
  
  Don't worry, it's just this kid called "Joshua".
  
  --
  You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
7. Re:Let FTP die already by maxwell+demon · 2011-08-22 20:21 · Score: 1
  
  Passive FTP should be standard these days, so the opposite direction problem doesn't occur; all connections go from the client to the server. Why multiple connections should be a problem, I don't see.
  
  --
  The Tao of math: The numbers you can count are not the real numbers.
8. Re:Let FTP die already by Alioth · 2011-08-22 20:43 · Score: 1
  
  They don't on anonymous ftp, but ftp fundamentally sucks: it needs two ports, a fixed port and a random data port that gets opened and closed for each transfer or directory listing, meaning added firewall complexity (the packet filter now must understand and parse the FTP protocol to be able to punch the holes to allow the random port traffic to pass, then close them again afterwards).
  HTTP is far better for doing what anonymous FTP does. It requires only one port. For anything authenticated, sftp beats ftp.
  
  --
  Oolite: Elite-like game. For Mac, Linux and Windows
9. Re:Let FTP die already by geekgirlandrea · 2011-08-22 22:15 · Score: 1
  
  That only counts as a flaw if you've bought into the delusion that NAT constitutes a functioning network.
10. Re:Let FTP die already by Anonymous Coward · 2011-08-22 22:34 · Score: 0
  
  Until you put the server behind the NAT, then you need active FTP. I have seen this.
  Now, imagine putting the client AND server behind NAT devices. At the client, active FTP doesn't work, passive is needed. But at the server, passive doesn't work. Active is needed. Result: End-to-end, neither works.
  Anonymous FTP should be replaced with HTTP, and authenticated FTP with SFTP (WEBDAV over HTTPS would be another option, if you webserver supports it).
11. Re:Let FTP die already by Viol8 · 2011-08-22 23:05 · Score: 1
  
  "HTTP is far better for doing what anonymous FTP does"
  Really? Try uploading to a directory using an HTTP server.
one man's weakness by decora · 2011-08-22 13:30 · Score: 1

is another man's freedom?
the paper is rubbish by Anonymous Coward · 2011-08-22 13:36 · Score: 0

Oh good lord. This paper was rubbish. I was at the conference presentation. Be assured that no one is taking it seriously. Their model can produce any kind of hourglass, and has essentially nothing to do with the internet. It can't account for any of the actual, observed diversity at the waist of the hourglass, and has zero predictive power (which *should* be a test for any model). It isn't grounded in anything particular about protocols or networks. Please just ignore this junk.
analyze this bullshit by Anonymous Coward · 2011-08-22 13:38 · Score: 0

>Anyone who has used the Internet for very long knows about its evolution by the number of extinct protocols that are no longer used.
No i know about the evolution by the fitness for a purpose. Like easy identification of a resource by an URL while being able to serve many different server names in a transparent way on a single IP (webhosting).
>For instance, FTP (File Transfer Protocol) used to be the only way to transmit files too large for SMTP (Simple Mail-Transfer Protocol),
Wrong. FTP was not the only way to transmit files "to large for SMTP" (Did i somehow miss a magical size limit in SMTP). I could name a few others, like uucp, tftp, smb, the novell filesystem, zmodem, xmodem, nfs etc.
> but clever programmers have devised ways of using server-side algorithms to deliver large files using HTTP (Hypertext Transfer Protocol).
It was always my impression that serving a large file via http does not require a specially clever programmer. Somehow it just works
> As a result, FTP has become virtually extinct on all but legacy systems.
Its the result on not being able to combine many customers ftp servers onto a single IP
>Researchers at the Georgia Institute of Technology wondered if these evolution and extinction phenomena on the Internet were in any way similar to evolution and extinction in nature.
Well - yes?
> After all, protocols could be viewed as species that compete for resources, with the weaker ones eventually becoming extinct. Similarly, the evolution of the Internet's architecture could be described as a competition among protocols, with some thriving and others becoming extinct.
Weaker ones?
> To test their theory, the group headed by computer science professor Constantine Dovrolis crafted a research program that tracks the evolution of architectures, called EvoArch. The overall goal was to help understand how protocols evolve in order to develop better ones that protect the Internet from the wide variety of threats it is facing today and to prevent extinctions that ossify the Internet, making it more vulnerable to attacks.
All right. So supporting a large number of protocols makes the internet more safe? Linux Kernel bug seem to speak another language. Its good if unused protocols become so extinct that you can turn them of on you server.
> The general conclusion derived from EvoArch was that unless new protocols are crafted to avoid competition, they will inevitably lead to extinctions.
Yes. Its orthogonality. But it does not have anything to do with protocols becoming extinct. These guys make it sound like the extinction is the problem in reality its the lack of orthogonality in the designs (and when it comes to security also in the layer functions - on how many layers are here half-assed attempts to authenticate?).
1. Re:analyze this bullshit by Anonymous Coward · 2011-08-22 13:54 · Score: 0
  
  Did i somehow miss a magical size limit in SMTP
  It sure seems that way, see rfc2821 - servers weren't actually required to support individual messages larger than 64k for a long time, though were encouraged to do so of course. 64k is not really a lot of binary data, but is quite a lot of plain text.
  
  message content The maximum total length of a message content (including any message headers as well as the message body) MUST BE at least 64K octets. Since the introduction of Internet standards for multimedia mail [12], message lengths on the Internet have grown dramatically, and message size restrictions should be avoided if at all possible. SMTP server systems that must impose restrictions SHOULD implement the "SIZE" service extension [18], and SMTP client systems that will send large messages SHOULD utilize it when possible.
  
  Plus, SMTP AFAIK still doesn't require 8-bit cleanliness, meaning everything sent by SMTP gets encoded inefficiently into 7-bit ASCII, which is incredibly wasteful.
What we need is a P2P by Anonymous Coward · 2011-08-22 13:41 · Score: 0

file sharing / distributed FS protocol that lives outside tcp/ip!
1. Re:What we need is a P2P by spauldo · 2011-08-22 14:17 · Score: 3, Informative
  
  There are plenty of those already. NetBIOS is an example of a non-TCP/IP peer-to-peer filesharing protocol (I'm talking LANMAN style NetBIOS, not NetBIOS over TCP/IP). It doesn't route outside your local network though. There's the good ol' IPX/SPX, which can actually be routed if your router supports them - while not filesharing protocols in themselves, they do support some very well-established filesharing protocols. You could probably adapt bittorrent to work on IPX/SPX.
  The problem is we can't even get IPv6 routed on the internet, much less some obscure non-IP protocol. Hell, we never even really got all of IPv4 - multicast would have been great for streaming video if anyone had bothered to set up their routers for it.
  That being said, you don't need to use TCP and UDP. You can create new protocols to run over IP, and the internet will generally pass them (your local firewall might be a different story). They'll stick out like a sore thumb to anyone searching for them, though.
  
  --
  Those who can't do, teach. Those who can't teach either, do tech support.
ossified? by Cyko_01 · 2011-08-22 13:48 · Score: 1

forgive me, but nothing useful turned up on Google or urban dictionary. what does this word mean? (I am a native English speaker)
1. Re:ossified? by Cyko_01 · 2011-08-22 13:50 · Score: 1
  
  ...unless this is some strange reference to bone formation
2. Re:ossified? by Anonymous Coward · 2011-08-22 13:56 · Score: 0
  
  How 'bout a regular dictionary?
  http://dictionary.reference.com/browse/ossified
3. Re:ossified? by Livius · 2011-08-22 14:06 · Score: 1
  
  They're trying to say 'petrified' (in its figurative meaning) but they think it will sound more impressive if they incorrectly use a somewhat similar word.
4. Re:ossified? by JMZero · 2011-08-22 14:16 · Score: 5, Informative
  
  No - the figurative sense of ossified is correct and common. Petrified is usually used figuratively to mean something like "scared stiff". Ossified, in common figurative use, means that something has become stiff and inflexible (often through disuse or rot) - like tissue that has become bone.
  If you check a reasonable dictionary (eg. http://dictionary.cambridge.org/dictionary/british/ossify_1?q=ossified) you'll find this definition.
  
  --
  Let's not stir that bag of worms...
5. Re:ossified? by Anonymous Coward · 2011-08-22 14:19 · Score: 0
  
  You're right. A better word in this context for English speakers would have been "fossilized." Kudos on your latin / spanish :)
  I'm pretty sure the metaphor was supposed to be that those layers were left behind to die, unmaintained, rather than "evolving" along with the outer layers. Not that I agree that the 7 layers have changed at all, since it's the individual protocols that reach their own "extinction," like Appletalk and IPX did.
6. Re:ossified? by Anonymous Coward · 2011-08-22 16:15 · Score: 0
  
  They're trying to say 'petrified' (in its figurative meaning) but they think it will sound more impressive if they incorrectly use a somewhat similar word.
  Just like you tried to sound more intelligent by making up the word "figurative" which clearly doesn't exist. Snark Snark!
  Of course one exists in the dictionary, and the other one does not. Oh wait...
7. Re:ossified? by Alioth · 2011-08-22 20:12 · Score: 1
  
  I recommend WordReference:
  English definition: http://www.wordreference.com/definition/ossified
  Synonyms: http://www.wordreference.com/thesaurus/ossified
  (WordReference will also give you the definition in a variety of languages).
  
  --
  Oolite: Elite-like game. For Mac, Linux and Windows
What did the GT grad say to the VT grad? by Anonymous Coward · 2011-08-22 13:58 · Score: 0

Do you want fries with that?
The premise and solution provided seem a little whimsical.
from my cold dead hands by Intropy · 2011-08-22 14:03 · Score: 1

gopher over SPX/IPX forever!
According to Georgia Tech? by Anonymous Coward · 2011-08-22 14:08 · Score: 0

Maybe researchers at Georgia Tech?
Or did some idiot named Mr. Tech name his kid Georgia?
More outstanding editing...
This just in by kelemvor4 · 2011-08-22 14:15 · Score: 1

Everything is vulnerable to attack, especially if it's connected to a worldwide network.
seriously by Anonymous Coward · 2011-08-22 14:19 · Score: 0

Let FTP die? go f__k yourself
What are you talking about? by reiisi · 2011-08-22 14:25 · Score: 3, Informative

ARPANET predates the OSI model, and the current Internet Protocols came after the definition of the OSI stuff. (That's a little hard to see in the current wikipedia articles, but it's there.) The IETF in fact deliberately chose to combine two of the OSI layers.
The article does have some issues. I'm not sure if the author actually doesn't understand the paper he or she is trying to summarize. Maybe the intent was to make it easier for the lay person to understand. But there is some creativity going on, and parts of the summary don't really reflect the paper.
The paper itself is offering a framework of analysis of the evolution of the Internet Protocols. It might have been interesting to see a bit more analysis of ARPANET and some of the other protocols the IP protocols eventually replaced. It might have been interesting to see them address the OSI model a bit more, but the OSI model never was really implemented fully, and might be considered not part of the evolution.
I see that the take IPv6 up as a competitor of IPv4 instead of the heir apparent, which is probably a useful thing to do, if we want to understand why so many IT managers are still failing to move in a timely manner.
I'm not sure I understand their work well enough to either agree or disagree, but I think it offers food for thought, including the idea that IPv4/6 doesn't actually have to be the only protocol existing at that layer.

--
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
1. Re:What are you talking about? by jd · 2011-08-23 04:38 · Score: 1
  
  You're absolutely right that it doesn't have to be the only protocol at that layer. The X protocols from Europe cover the full spectrum of the OSI model, including layers 3 and 4. The TUBA protocol (one of the candidates for IPv6) could perfectly well be implemented, again sitting at that layer. Infiniband has its own layers 2, 3 and 4. Other IP protocols exist - albeit in experimental form for the most part. (IPv0 could be said to still exist.)
  
  --
  It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Link to the original paper by reiisi · 2011-08-22 14:30 · Score: 1

Courtesy of this AC post down the page a bit.

--
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
The original paper by reiisi · 2011-08-22 14:33 · Score: 1

Hit post without thinking again. This AC post down the way a bit links the original paper.

--
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
FTP over TLS by tepples · 2011-08-22 14:34 · Score: 1

Show me someone using ftp and I'll show you a password theft followed by a crack.
Crack this: FTP over TLS.
1. Re:FTP over TLS by postbigbang · 2011-08-22 14:41 · Score: 0
  
  Gimme a tasty weak hash and I'll have you in about 20min. Less if you did something stupid. About several million years if you used a thick seed and 256 (now 251) bit encryption.
  
  --
  ---- Teach Peace. It's Cheaper Than War.
2. Re:FTP over TLS by errandum · 2011-08-22 15:19 · Score: 1
  
  Because that makes a lot more sense than just use SFTP or SCP.
  And something I noticed, files I transfer with SCP either fail or or things actually get done right. With FTP and others I've lost count of the times files actually got corrupted while transferring without any kind of warning.
  That adding to security concerns should be enough to force the switch in an enterprise environment.
3. Re:FTP over TLS by Anonymous Coward · 2011-08-22 16:22 · Score: 0
  
  Why now 251 bits?
4. Re:FTP over TLS by madmayr · 2011-08-22 19:59 · Score: 1
  
  i think he refered to this: http://it.slashdot.org/story/11/08/18/2338249/New-Research-Cracks-AES-Keys-3-5x-Faster, but i don't know why 251
5. Re:FTP over TLS by fatphil · 2011-08-22 20:22 · Score: 1
  
  Where did you pull '251 bits' from? Crasking AES-256 is 2^256 workfactor until you show me 2^88 bits of fast storage. If you read what they wrote, you'll see they clearly say that their attack has no practical implications at all.
  
  --
  Also FatPhil on SoylentNews, id 863
6. Re:FTP over TLS by postbigbang · 2011-08-23 01:07 · Score: 1
  
  You can shave five bits off. Whether other attack vectors will emerge are unknown. People use AES 128 then use the same salt over all of the base keys generated, too. That one takes a while.
  
  --
  ---- Teach Peace. It's Cheaper Than War.
7. Re:FTP over TLS by jd · 2011-08-23 04:27 · Score: 1
  
  FTP over TLS will - by dint of TLS providing a reliable data stream - avoid corruption issues. Honestly.
  SFTP isn't ubiquitous, FTP is. SCP is only useful if you have full filepaths to work with and is even rarer than SFTP.
  Besides, since people like the convenience of single-sign-on, you're better off using Kerberos (the MIT version). SASLv2 is also nice.
  Look, this is very simple. What "makes sense" doesn't matter. Betamax "made sense". The Transputer "made sense". Multicast "makes sense". IPv6 "makes sense". Infiniband "makes sense". The Itanium and MIPS architectures make far more sense than the x64. Tell me, do you always do what "makes sense"? No? Why not? Because it's sometimes more important to get the job done than to get it "done right"?
  You've seen the security fiascos in recent times. SCP isn't going to add any security to the enterprise environment because it's not on the critical path. Social engineering is, still, by far the weakest link, followed by societal incompetencies. Packet sniffing is a problem, yes, but in order of priorities I'd put lolcats ahead of them.
  
  --
  It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
8. Re:FTP over TLS by gstrickler · 2011-08-23 06:22 · Score: 1
  
  5x faster does not shave off 5 bits, it shaves of log2 (5) ~ = 2.32 bits. So, 256 bit AES is still ~ 253.68 bits (and only if you have 2^88 bytes of very low latency storage, which is many orders of magnitude more storage than humans have produced in recorded history).
  
  --
  make imaginary.friends COUNT=100 VISIBLE=false
Network effect? by michael_cain · 2011-08-22 15:10 · Score: 1

Having skimmed the article, I am concerned that they seem to ignore the well-known network effect: the value of a network to those attached to it increases at a rate faster than linear as a function of the number of others attached. This property has generally meant that once a network-layer protocol is sufficiently well established, it is hard to displace; a winner-take-all situation. Telegraph network. Telephone network. In the data world, IP, ATM, and a handful of others slugged it out, and eventually IPv4 reached critical mass and "won".
puma cat by Anonymous Coward · 2011-08-22 15:28 · Score: 0

on a les puma cat sur la site http://www.puma-ferrari-cat.com http://www.edhardyfrance.biz http://www.louboutin-sandales.com http://www.fingers-five.com
"Evolution has ossified the middle layers..." by anthroboy · 2011-08-22 15:37 · Score: 1

Dammit, I should have never trusted that e-mail client.
We all like to party but ur there 2 learn dammit by Anonymous Coward · 2011-08-22 16:58 · Score: 0

"Anyone who has used the Internet for very long knows about its evolution by the number of extinct protocols that are no longer used"
I'd have to think real hard to name any besides gopher.
"For instance, FTP (File Transfer Protocol) used to be the only way to transmit files too large for SMTP (Simple Mail-Transfer Protocol), but clever programmers have devised ways of using server-side algorithms to deliver large files using HTTP (Hypertext Transfer Protocol). "
LOL It takes more ingenuity to send a large file via HTTP.
"Researchers at the Georgia Institute of Technology wondered if these evolution and extinction phenomena on the Internet were in any way similar to evolution and extinction in nature"
I often wonder could a more useless question evolve from a group of monkies armed with glitter bombs?
All successful protocols have the following traits in common:
1. fulfill a real need
2. Do not require disruptive change unless abs necessary
3. simple/low cost
The IETF is full of morons who disregard the above for their own academic reasons. As a result their work never sees the light of day.
"In particular, the six layers of the Internet have evolved into an hour-glass shape where protocols at the very top and bottom continue to evolve, but where those toward the middle have become stagnant, leaving unnecessary security-risk opportunities open for exploitation."
Your mom is an unnecessary security risk.
"In the middle layers, however, extinction has left only a few survivors, ossifying its structure. At the transport layer (layer three), TCP (Transmission Control Protocol) competes with only a few other alternatives, such as UDP (User Datagram Protocol),"
Let me guess you found the list of registered IP protocols at IANA and drew some rediculous conclusion about the "decline" of all those protocols that have never actually ever been used by anyone.
"and at layer five, the network protocol, IP (Internet Protocol) and ICMP (Internet Control Message Protocol) are used almost exclusively." ...
"Diversity resurfaces at layers five and six, where Ethernet and other data-link protocols such as PPP (Point-to-Point Protocol) communicate "
It is actually layer 73. When you "ossify" something you set its value to 73 just because.
"From running simulations with the EvoArch program these researchers have concluded that the only way to reintroduce diversity into the middle layers without inevitable extinctions is to create protocols that do not overlap with the others. By thus eliminating competition for the same resources, a rich set of middle layer protocols with increased security should be able to survive"
The reason we don't see new L4 protocols is because TCP and UDP are good enough compared to the crap you have to go through to get E2E support for a new protocol implemented at the socket layer by all operating system vendors.
Our middle-layer animals have become ossified by Anonymous Coward · 2011-08-22 17:04 · Score: 0

The lynx, the tuna, and the lemming have become seriously ossified. They have overlapping functionality. Both the lynx and the lemming have legs. This is not acceptable. We must create a new lynx-lemming hybrid and kill off all remaining lemmings-only and lynxes-only. The tuna is an even bigger abomination. Much like the lynx and the lemming and probably the lynx-lemming hybrid, it has a brain and a central nervous system. However, it can swim. We must remove its brain. That way the tuna will swim and the lynx-lemming hybrids can follow each other off of cliffs, but will drown. This means the brainless tuna and the lynx-lemming hybrid will not be competing for the same ocean.
Re:Different issues by sanjeev123 · 2011-08-22 17:22 · Score: 0

Last time I checked, ICMP and IGMP were both layer 3 and pretty popular. According to Wikipedia IPSec is also "officially" layer 3, but I always considered it part of IPv6, and an extension to IPv4.
It really wasn't designed for security. by NicknamesAreStupid · 2011-08-22 17:34 · Score: 1

More for integrity, but the service layer architecture is purely based on trust. It turns out, that you can more readily do the most when you have trust, which partly explains the rapid growth of the Internet. However, a bunch of trusting souls make an irresistible target for those who are willing to exploit their trust. I believe the only way to deal with them is to move faster than they can. FTP should have been enhanced to the point that few would use the older version, hence a smaller target. I don't mean secure FTP. I refer to features and functionality. There should be no reason to use HTTP for file transfers, but that is now more common than FTP. Perhaps it has evolved after all, into HTTP.
Shell account by tepples · 2011-08-22 18:26 · Score: 1

Don't SFTP, SCP, and anything else tunneled over SSH require a shell account? A lot of budget web hosting services provide FTP but no shell account.
1. Re:Shell account by deek · 2011-08-22 22:03 · Score: 1
  
  Technically speaking, yes, SCP and SFTP need a shell to call the subsystem that provides the functions needed. You can install a package called "rssh" which will restrict a user to the SCP and SFTP subsystems, and prevent access to any other commands.
Too academic to be useful by Anonymous Coward · 2011-08-22 18:28 · Score: 0

Another study by academics who have no real world experience. Move along, nothing to see here.
It should have been read "OSIfied" by Anonymous Coward · 2011-08-22 18:29 · Score: 0

This has such a nice ring and the twist-in-tongue is really beautiful. But I'm afraid that almost no one here ever read X.200, the OSI reference model ...
Re:protocols by leenks · 2011-08-22 19:22 · Score: 1

People still use FTP? I exclusively use SFTP and/or SCP these days. I can't remember when I last used FTPS, let alone plain FTP.
End-to-End by Anonymous Coward · 2011-08-22 20:12 · Score: 0

These guys aren't aware of the end-to-end argument, I take it. Essentially, it's not possible to secure the mid-points of data communication as the mid-points have no idea of what they're transmitting. Only at the endpoints do you have enough information to properly secure the communication.
In essence, securing the middle layers can only give you a small amount of protection, at best, and at worst they can introduce a large overhead.
Hrm... by Anonymous Coward · 2011-08-22 20:16 · Score: 0

My mid-layers are pretty vulnerable to attack, too. Soft, squidgy, and flabby.
IPX by unixisc · 2011-08-22 22:38 · Score: 1

I'm not sure I understand their work well enough to either agree or disagree, but I think it offers food for thought, including the idea that IPv4/6 doesn't actually have to be the only protocol existing at that layer.
IPX is another layer 3 protocol, right? Was Netware's IPX something that exceeded the addressing capabilities of IPv4? Looking @ Wiki, I see

IPX addressing
- Logical networks are assigned a unique 32-bit hexadecimal address in the range of 0x1 - 0xFFFFFFFE.
- Hosts have a 48-bit node address which by default is set to the network interface card's MAC address. The node address is appended to the network address to create a unique identifier for the host on the network.
- Network number 00:00:00:00 means current network
- Broadcast address is FF:FF:FF:FF

Would the 48-bit address have been a viable stopgap until IPv6 was more widely adopted?
1. Re:IPX by dirtyhippie · 2011-08-23 02:23 · Score: 1
  
  Not really. IPX/SPX were really only designed for LANs. They don't deal with latency, lost packets, etc. anywhere near as gracefully as TCP/IP does.
2. Re:IPX by badkarmadayaccount · 2011-08-25 00:12 · Score: 1
  
  Though the performance is respectable. (Linux kernel implementation, of course)
  
  --
  I know tobacco is bad for you, so I smoke weed with crack.
bag over head by Anonymous Coward · 2011-08-23 00:09 · Score: 0

you know, I went to Georgia Tech in the late 80s (I remember the 88 Morris worm) and thought it was a reasonably prestigious school (not MIT but far from "generic") but these days whenever I see GT featured prominently on /. summary I cringe...
I do know (socially) some guys at GTRI who are doing some pretty cool work so there are definitely still some serious brains there even if they're not getting the press (some of that's intentional given nature of work)...
This article has nothing to do with the paper! by Anonymous Coward · 2011-08-23 04:09 · Score: 0

The original paper introduces an evolutionary framework to study network protocol stacks and their evolution. This article has almost nothing to do with the original paper. The six layers that they consider as one sample of such protocol stacks are clearly described in the paper. You can probably get more information from the introduction and conclusion of that paper rather than this hatchet job of an article!
The Evolution of Layered Protocol Stacks Leads to an Hourglass-Shaped Architecture
This article has nothing to do with the paper! by Anonymous Coward · 2011-08-23 04:28 · Score: 0

Read the original paper and you will see that this article is a hatchet job that has nothing to do with the original paper. The paper introduces a framework to study network protocol stacks and their evolution and it clearly describes the six layers (which are totally twisted in this article) as an instance of such protocol stacks. You can probably get more info from the intro and conclusion of the paper.
The Evolution of Layered Protocol Stacks Leads to an Hourglass-Shaped Architecture
Re:So the internet is just like a human being then by Anonymous Coward · 2011-08-23 06:32 · Score: 0

Sit ups...
Re:So the internet is just like a human being then by antifoidulus · 2011-08-23 12:55 · Score: 1

Didnt know sit ups made your nads stronger.

--
Monstar L
Bring back X.25! by JIDatiT4C · 2011-08-24 05:11 · Score: 1

Well, maybe not X.25, but you know how much grief has been caused by layering essentially connection-oriented traffic on IP. The world need a virtual circuit network layer!
1. Re:Bring back X.25! by badkarmadayaccount · 2011-08-25 01:03 · Score: 1
  
  You want to maintain dynamic state on core routers? Good luck.
  
  --
  I know tobacco is bad for you, so I smoke weed with crack.
Re:We all like to party but ur there 2 learn dammi by badkarmadayaccount · 2011-08-25 00:57 · Score: 1

You are free to install whatever network protocol drivers strike your fancy in any OS, AFAIK.

--
I know tobacco is bad for you, so I smoke weed with crack.