Slashdot Mirror


File-Sharing Software On State Election Servers Could Expose Them To Intruders (propublica.org)

An anonymous reader quotes a report from ProPublica: As recently as Monday, computer servers that powered Kentucky's online voter registration and Wisconsin's reporting of election results ran software that could potentially expose information to hackers or enable access to sensitive files without a password. The insecure service run by Wisconsin could be reached from internet addresses based in Russia, which has become notorious for seeking to influence U.S. elections. Kentucky's was accessible from other Eastern European countries.

The service, known as FTP, provides public access to files -- sometimes anonymously and without encryption. As a result, security experts say, it could act as a gateway for hackers to acquire key details of a server's operating system and exploit its vulnerabilities. Some corporations and other institutions have dropped FTP in favor of more secure alternatives. Officials in both states said that voter-registration data has not been compromised and that their states' infrastructure was protected against infiltration. Still, Wisconsin said it turned off its FTP service following ProPublica's inquiries. Kentucky left its password-free service running and said ProPublica didn't understand its approach to security.
"FTP is a 40-year-old protocol that is insecure and not being retired quickly enough," said Joseph Lorenzo Hall, the chief technologist at the Center for Democracy and Technology in Washington, D.C., and an advocate for better voting security. "Every communication sent via FTP is not secure, meaning anyone in the hotel, airport or coffee shop on the same public Wi-Fi network that you are on can see everything sent and received. And malicious attackers can change the contents of a transmission without either side detecting the change."
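As an added illustration of Hall's point about FTP on a shared network (example code written here, not from the article, ProPublica, or either state's systems), the script below audits a captured FTP control-channel transcript and reports what a passive observer on that network could have learned: a cleartext password, an anonymous login, or nothing at all when AUTH TLS and PROT P were negotiated before the login. The hostnames, usernames and passwords in the sample sessions are constructed.

```python
"""Audit FTP control-channel transcripts for credentials and data sent in the clear.

The three constructed sessions below (not real captures) model the cases argued
over in the comments: plain FTP with a password in the clear, anonymous FTP with
nothing secret to protect, and explicit FTPS where the client upgrades to TLS
before logging in. Lines are prefixed 'C: ' (client) or 'S: ' (server). For the
FTPS case, a sniffer would only see ciphertext after the 234 reply; the transcript
is written as the server would log it.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
import re

PLAIN_FTP = """\
S: 220 results.example.gov FTP server ready
C: USER elections
S: 331 Password required for elections
C: PASS hunter2
S: 230 User elections logged in
C: RETR results.csv
S: 150 Opening BINARY mode data connection
"""

ANON_FTP = """\
S: 220 results.example.gov FTP server ready
C: USER anonymous
S: 331 Please specify the password
C: PASS guest@example.org
S: 230 Login successful
C: CWD /pub
S: 250 Directory successfully changed
"""

EXPLICIT_FTPS = """\
S: 220 results.example.gov FTP server ready
C: AUTH TLS
S: 234 Proceed with negotiation
C: PBSZ 0
S: 200 PBSZ=0
C: PROT P
S: 200 Protection set to Private
C: USER elections
S: 331 Password required for elections
C: PASS hunter2
S: 230 User elections logged in
"""

ANON_USERS = {"anonymous", "ftp"}
# Commands that open a data connection; without PROT P the file contents are in the clear.
TRANSFER_CMDS = {"RETR", "STOR", "APPE", "LIST", "NLST", "MLSD"}


@dataclass
class SessionAudit:
    user: Optional[str] = None
    control_tls: bool = False        # AUTH TLS accepted (234) before login
    data_protected: bool = False     # PROT P accepted, data channel encrypted
    password_in_clear: bool = False  # PASS sent on an unencrypted control channel
    anonymous: bool = False
    cleartext_transfers: List[str] = field(default_factory=list)

    def findings(self) -> List[str]:
        out = []
        if self.password_in_clear:
            out.append(f"password for '{self.user}' sent in cleartext")
        if self.anonymous:
            out.append("anonymous login (public read access, no secret to protect)")
        if not self.control_tls:
            out.append("no AUTH TLS: control channel unencrypted")
        if self.cleartext_transfers:
            out.append(f"{len(self.cleartext_transfers)} transfer(s) without PROT P: "
                       "file contents unencrypted")
        return out


def audit_session(transcript: str) -> SessionAudit:
    """Walk the command/reply pairs and record what was exposed on the wire."""
    audit = SessionAudit()
    pending: Optional[Tuple[str, str]] = None  # last client command awaiting a reply
    for raw in transcript.splitlines():
        line = raw.strip()
        if not line:
            continue
        side, _, payload = line.partition(": ")
        if side == "C":
            parts = payload.split(None, 1)
            cmd = parts[0].upper()
            arg = parts[1] if len(parts) > 1 else ""
            pending = (cmd, arg)
            if cmd == "USER":
                audit.user = arg
                audit.anonymous = arg.lower() in ANON_USERS
            elif cmd == "PASS" and not audit.control_tls and not audit.anonymous:
                audit.password_in_clear = True
            elif cmd in TRANSFER_CMDS and not audit.data_protected:
                audit.cleartext_transfers.append(payload)
        elif side == "S" and pending is not None:
            m = re.match(r"(\d{3})[ -]", payload)  # 3-digit reply code, '-' for multi-line
            if m:
                code = int(m.group(1))
                cmd, arg = pending
                if cmd == "AUTH" and code == 234:
                    audit.control_tls = True
                elif cmd == "PROT" and arg.upper() == "P" and 200 <= code < 300:
                    audit.data_protected = True
                pending = None
    return audit


if __name__ == "__main__":
    for name, session in (("plain FTP", PLAIN_FTP), ("anonymous FTP", ANON_FTP),
                          ("explicit FTPS", EXPLICIT_FTPS)):
        print(name, "->", audit_session(session).findings() or ["nothing exposed"])
```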


  1. FTP can be secure by Anonymous Coward · · Score: 1, Informative

    The article talks about how ftp can be used to peek at the operating system but any worthwhile ftp blocks that sort of nonsense. No, ftp doesn't encrypt or sign data but neither does http and people love that protocol.

    Ftp actually can be secure. See gss.

    1. Re: FTP can be secure by Anonymous Coward · · Score: 1

      Until you man in the middle attack it and read all the data or change the contents of the files being sent.

      Just use sftp, it's standardised and secure

    2. Re:FTP can be secure by Gravis+Zero · · Score: 1, Troll

      No, ftp doesn't encrypt or sign data but neither does http and people love that protocol.

      Not for elections, you anontard! You seem to have missed that this is a critical system that should NOT have ANY file sharing software on it at all.

      How dense can you be?! What fool modded you up?!

      --
      Anons need not reply. Questions end with a question mark.
    3. Re:FTP can be secure by ShanghaiBill · · Score: 2

      Ftp actually can be secure.

      Maybe it CAN be secure, but it isn't by default, and there are more secure protocols, such as scp, that make ftp unnecessary. There is no good reason to run it on any system, much less an election server.

    4. Re:FTP can be secure by Anonymous Coward · · Score: 1

      These computers are not VOTING systems. These are the servers "used to report voting results" - most likely web servers. Who gives a flip if someone defaces a web page? It'll be fixed shortly, and the results won't change. At worst, you're talking about a minor delay in the public finding out the results.

      For all your over-reaction, you seem to have failed to think through what the actual threats or risks are.

    5. Re: FTP can be secure by guruevi · · Score: 1

      Or FTPS, you can create TLS channels over "modern" FTP.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    6. Re: FTP can be secure by Junta · · Score: 2

      All this is true, ftp *can* be done secure.

      However, it's *much* easier to do rsync or sftp in so many ways that I could hardly see a reason to bother with ftp and trying to bolt on security through kerberos and/or tls.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    7. Re:FTP can be secure by ctilsie242 · · Score: 2

      Why would you want to make an old protocol secure, when there are other protocols out there that solve the issues FTP has from the ground up? FTPS (as in SSL/TLS over FTP) is a band-aid at best. Why even bother with that, when you have SFTP which is designed from the ground up to be secure, can be configured to allow for RSA authentication from both ends, so a password never goes in the clear, can't be brute-forced, and goes over only one port.

      With how easy it is to use SSH, why even bother with FTP these days?

    8. Re:FTP can be secure by f3rret · · Score: 1

      Yes.
      But what other systems are these connected to behind the scenes? Can you move laterally from these servers and deeper into more sensitive parts of the voting system?

      --
      Admit nothing. Deny Everything. Make Counter-accusations.
    9. Re:FTP can be secure by AmiMoJo · · Score: 1

      The only sensible way to do this, if you really must have remote access to the voting machines, is to have the machines connect to a VPN in your secure data centre. Anything that requires the machines to accept connections is a bad idea, they should be connecting to your secure network and verifying with up to date certificates and encryption protocols.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    10. Re: FTP can be secure by e3m4n · · Score: 1

      I think the article is misleading. They only imply this is a critical server to elections. They never actually said it. They said it was a server used for results. Well the state lottery websites are used for 'results' also. But try as you might, feel free to compromise the hell out of it if you want. You're never actually getting access to the real lottery servers where all the information is stored. Bi-weekly the winning numbers are manually entered into the public server.

      The interesting part is that its 'vulnerability' was based entirely on the source countries having access. So had they still run the same software but blocked all the /8s to APNIC, Afrinic, RIPE, etc, they would be considered 'secure'. Which does nothing for snooping on the same network segment. However, if you have no overseas customers or needs, you should always block APNIC, RIPE, etc.

    11. Re:FTP can be secure by pnutjam · · Score: 1

      Because windows doesn't have built in ssh, and this sucks.

    12. Re: FTP can be secure by guruevi · · Score: 1

      Kerberos with SSH is also bolted on. Often it's easier to use an existing library or migrate existing infrastructure by simply checking a "secure" box. Windows until 2017 did not have native SSH support, many systems still rely on (virtualized) mainframes with complex programs in COBOL where you certainly won't find SSH. Anonymous SSH doesn't exist either.

      FTP is also more robust than SSH when it comes to establishing and maintaining connections and allows for point-to-point (eg external connections) TLS while internally backends continue to talk old-style FTP.

      The security issues with FTP have over time resulted in standard practices like chrooting the daemon while SSH still runs standard as root.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
  2. Never heard of breaches in the tech news by evanh · · Score: 1

    FTP doesn't seem to be reported for getting compromised. Is that because it is mostly non-existent now?

    Or is it like the Vice item, where they reported on something, browser history sniffing, that would only occur for those that don't care about how much they lose.

    1. Re:Never heard of breaches in the tech news by cwsumner · · Score: 1

      FTP doesn't seem to be reported for getting compromised. Is that because it is mostly non-existent now? ...

      Or maybe because people that don't know how to secure stuff, also don't know about FTP...

    2. Re:Never heard of breaches in the tech news by AlanObject · · Score: 1

      My guess is that you don't hear much because it is no longer on any default install package and why the hell would you install it when OpenSSH gives you scp which is secure and so much easier to use?

      Even in Windows.

      Also, most FTP install packages generally set it up so that it can only see one target directory that has nothing in it. You really have to go out of your way even with FTP to fsck yourself up.

    3. Re:Never heard of breaches in the tech news by Aighearach · · Score: 2

      It is just standard basic precautions, not a major attack vector.

      The fear isn't so much related to that it might be compromised, but that it isn't encrypted and so everybody on your subnet can read the traffic, and if somebody p0wned your router they could also alter that traffic. And the router in question really might be a consumer wifi router!

      Personally, I think election systems demand even stronger security than banks, but if we could at least get the security up to the level the local public library has it would be a great start!

    4. Re:Never heard of breaches in the tech news by 93+Escort+Wagon · · Score: 1

      FTP doesn't seem to be reported for getting compromised.

      How can one compromise a protocol which is insecure by design? There’s not really anything secure there which needs to be broken - the transactions are already out in the open.

      --
      #DeleteChrome
    5. Re:Never heard of breaches in the tech news by whoever57 · · Score: 1

      There have been privilege escalation attacks against FTP servers in the past.

      Snooping on an ftp transaction should only give you the credentials for an unprivileged account. If you can escalate to Administrator privileges, then you can do anything.

      --
      The real "Libtards" are the Libertarians!
    6. Re:Never heard of breaches in the tech news by Bert64 · · Score: 1

      There have been privilege escalation attacks against lots of protocols and the programs which implement them in the past...
      FTP at least is a relatively simple protocol, how it works is well known as is how to harden it... I'm actually far more comfortable with a simple protocol like FTP that provides a clear demarcation between authenticated and unauthenticated, than something extremely complex like SMB running as a high privilege process on the host box.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    7. Re:Never heard of breaches in the tech news by Junta · · Score: 1

      I also recall back in the day a wave of vulnerabilities to escape the anonymous ftp folder and get other things...

      --
      XML is like violence. If it doesn't solve the problem, use more.
    8. Re:Never heard of breaches in the tech news by Cassini2 · · Score: 2

      A common configuration for FTP servers was that they support all logins, both privileged and unprivileged. That means you can simply run a password guesser at it until you find the login for a privileged account. Alternatively, you can snoop on the traffic until someone logs in, steal their credentials, and hope they have privileged access. A privilege escalation attack works too.

      If you had the ability to snoop and modify the traffic, then a good approach would be to wait until election day and modify the results in real-time. As long as there are no other checks, it would be very difficult to prove.

      An interesting complication would be if multiple parties tried to hack the system simultaneously. A clever malicious hacker would keep the changes within the limits of statistical feasibility. A poor hacker would simply make everyone vote the same way. For the clever malicious hacker to succeed, he would also need to secure the system against the poor hacker without being detected. Thus, for the malicious, there is an optimal level of security. Too much security, and the system can't be modified. Too little security, and it is possible that someone else will hack the system, and expose the flaws.

      A malicious actor requires a very specific level of insecurity. A competently designed system with paper ballots won't work, because an audit-check on the paper ballots would expose tampering. The malicious actor requires a system that appears to be secure, but has no effective audit checks. If the system was completely insecure, then some script kiddy could break in, and the scheme would unravel. Similarly, the system can't have any deliberately engineered security holes, because the author of the software could turn states-witness and the scheme would unravel too. The system needs a set of security holes that can be attributable to design incompetence. Might an FTP server be a suitable middle-ground? Maybe ...

      It makes me feel so good to vote on Tuesday.

    9. Re:Never heard of breaches in the tech news by rtb61 · · Score: 2

      So drop all the electronic bullshit and go back to pencil and paper and eyeballs. Make your mark on your bit of paper and afterwards, reps of those representatives seeking election, count the votes together, tabulate them and put them up on a board and phone that information to the state vote counting centres, who under public camera view put the numbers up and tabulate, keeping in mind those who originally counted them can see their numbers go up on the central board for the total count.

      Elections should be about people, not corruptly created and manipulated electronics. Your elections are being stolen and will continue to be until you go back to an entirely manual system, accept the reality, you are being conned.

      --
      Chaos - everything, everywhere, everywhen
    10. Re:Never heard of breaches in the tech news by jythie · · Score: 1

      On the other end though, FTP and its various implementations have not changed much in decades, so at this point the FTP services themselves are pretty well vetted. FTP is still in pretty common use for bulk data downloads that permit anonymous access, so it isn't even that it is 'rare'. Like any software that doesn't change much, it really has not been seeing new problems added in and old problems slowly being removed.

    11. Re:Never heard of breaches in the tech news by jythie · · Score: 1

      I think that last line is esp important. FTP, when installed, is pretty good about limiting where users can access on the server. It is a well vetted, well contained service at this point. The OP seems to mostly be upset that people can listen in to the traffic, but when the whole point is providing public access to data that is kinda a non-issue.

  3. can the MPAA and RIAA's shut down the vote if by Joe_Dragon · · Score: 3, Interesting

    can the MPAA and RIAA's shut down the vote if say the hot new movies were to be hosted there?

    1. Re:can the MPAA and RIAA's shut down the vote if by cwsumner · · Score: 1

      can the MPAA and RIAA's shut down the vote if say the hot new movies were to be hosted there?

      I can't tell if that is serious or joking. Maybe it is -both-? ;-)

    2. Re:can the MPAA and RIAA's shut down the vote if by sheramil · · Score: 1

      can the MPAA and RIAA's shut down the vote if say the hot new movies were to be hosted there?

      You need new movies that are hot, to do this.

    3. Re:can the MPAA and RIAA's shut down the vote if by Calydor · · Score: 1

      Only by the definition of the MPAA.

      --
      -=This sig has nothing to do with my comment. Move along now=-
  4. FTP you say? by Anonymous Coward · · Score: 1

    Well surely this new internet evil "FTP" should be banned. We need to draft new legislation against this new insidious threat actor.

    1. Re: FTP you say? by PopeRatzo · · Score: 1

      Better yet, let's just blame the Democrats as they don't support anything decent like building walls.

      Building a wall around your router isn't going to help. You're going to need a wall and razor wire to be really effective. Maybe a few gun turrets.

      --
      You are welcome on my lawn.
    2. Re: FTP you say? by Zocalo · · Score: 2

      You mean something like this on-going sequence of events concerning Georgia's equally exploitable voter registration system? It might not be the actual voting machines here, but the whole sequence of events and actions by those involved is sketchy as hell, so it's sure going to be interesting to see how many "dead people" etc. turn out to have voted in this one...

      --
      UNIX? They're not even circumcised! Savages!
  5. Re:FTP can be as secure as you make it... by Aighearach · · Score: 1

    FTP use by State and local employees at that level wouldn't have dedicated infrastructure, so accessing it from the wifi provided by coffee shops and hotels would be totally expected.

    So yes, you can be 100% certain that many involved routers are easily infiltrated.

    If you found a sucker to take that sort of bet; switch to sales. You have a gift and don't need to take chances.

  6. How the internet works by king+neckbeard · · Score: 1

    The insecure service run by Wisconsin could be reached from internet addresses based in Russia, which has become notorious for seeking to influence U.S. elections. Kentucky's was accessible from other Eastern European countries.

    These could also be reached from internet addresses based in any other country, because it's facing the internet and poorly secured.

    --
    This is my signature. There are many like it, but this one is mine.
  7. Oh Good Lord by 93+Escort+Wagon · · Score: 3, Insightful

    Regardless of the presence of state actors wanting to interfere in our elections...

    WHAT KIND OF MORON RUNS FTP ON AN ELECTIONS SERVER?

    --
    #DeleteChrome
    1. Re:Oh Good Lord by gtall · · Score: 1

      Maybe not a moron. It is possible, and I do not know this to be the case, that someone could set that up so that certain groups inside the U.S. could have access that they shouldn't.

    2. Re:Oh Good Lord by PopeRatzo · · Score: 1, Interesting

      WHAT KIND OF MORON RUNS FTP ON AN ELECTIONS SERVER?

      The kind that welcomes foreign interference?

      The kind that removes the only polling place in a town just because it has 60% Hispanic voters? The kind that will block your voter registration if your signature at age 60 looks at all different from your signature when you first registered to vote at 18? The kind that "loses" 60,000 vote-by-mail ballots from minority districts? The kind that tries to block half a state's population because they are Native American and live on reservations?

      When we're dealing with a certain political party who I will not name (but whose initials are, "GOP"), you should never ascribe to stupidity what can more readily be attributed to racism, evil, and a thirst for power that exceeds their own understanding.

      --
      You are welcome on my lawn.
    3. Re:Oh Good Lord by 93+Escort+Wagon · · Score: 4, Insightful

      I understand what you’re saying - and why - but I still ascribe to “never attribute to malice what can be adequately explained by incompetence”.

      --
      #DeleteChrome
    4. Re:Oh Good Lord by Immerman · · Score: 1

      That presupposes that incompetence is substantially more common than malice - I'm not sure that holds in politics, where both seem nearly ubiquitous.

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
    5. Re:Oh Good Lord by Nutria · · Score: 1

      The much more important question is, "What directories were exposed, and what was in them?"

      If -- and I mean if -- it's only /pub, and there's nothing in /pub then what's to worry about?

      --
      "I don't know, therefore Aliens" Wafflebox1
    6. Re:Oh Good Lord by Anonymous Coward · · Score: 1

      Plausible deniability. Manipulation of a secure system would leave very few possible suspects.

    7. Re: Oh Good Lord by Cmdln+Daco · · Score: 1

      Only dumbasses win elections. Or so it seems.

    8. Re:Oh Good Lord by Junta · · Score: 1

      Once upon a time, that would have been nearly excusable, as ftp as a common default was a thing, but locked down to uselessness. However it would be best practice to remove it.

      For anything in the last decade or so, the presence of an ftp server indicates intentional set up of ftp. Again this doesn't *have* to mean it is used poorly or can be attacked, but the presence certainly suggests that it is probably being used and it's almost certainly being used insecurely by someone. Someone mentioned theoretically you can truly secure ftp, but it's so convoluted and using sftp or an https service is much easier and occam's razor would say if it is ftp, it isn't being used securely.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    9. Re:Oh Good Lord by Nutria · · Score: 1

      For anything in the last decade or so, the presence of an ftp server indicates intentional set up of ftp.

      You don't know government (or Big Business) very well. I wouldn't be surprised if that server is actually a 15 year old SCO server, not patched in 12 years, and the hardware out of support for 10 years.

      --
      "I don't know, therefore Aliens" Wafflebox1
    10. Re:Oh Good Lord by swillden · · Score: 2

      That presupposes that incompetence is substantially more common than malice - I'm not sure that holds in politics, where both seem nearly ubiquitous.

      What about incompetent malice?

      I assert that competence is rare everywhere -- including in politics -- and that this is the true basis of Hanlon's Razor. The reason you should never attribute to malice what can be adequately explained by stupidity (or incompetence) isn't so much that malice is rare [*], but that incompetence is so incredibly common. Nearly all attributions of malice implicitly assume competent malice, because the incompetently malicious generally screw up in some way, and it's this assumption of competence more than the assumption of malice that calls the assertion into question.

      Conspiracy theories are always dubious for exactly this same reason. Competent conspirators are really hard to find, so as the number of people who would have to be involved for the conspiracy to work rises, the probability that the conspiracy continues to successfully avoid leaking proof of its existence falls. If more than a handful of extraordinarily dedicated and competent people would have to be in on it, then it's just not so.

      [*] It's worth pointing out that malice is actually pretty rare, and that malice in its purest form -- malice for its own sake -- is extremely uncommon. Screwing your neighbor to benefit yourself is more common, but the fact that being known as someone who will shaft their neighbor to benefit themselves is almost always more costly than whatever benefit can be obtained from the betrayal means that people are pretty reluctant to do it. The vast majority of people are also held back by morality... though we also tend to have tremendous powers of self-justification. That last sentence really just describes emotions which are themselves an evolutionary adaptation to the fact that screwing your neighbor is likely to come back on you, and cooperation is likely to give the best outcome -- unless you can be really sure you won't be caught.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    11. Re:Oh Good Lord by swillden · · Score: 2

      The much more important question is, "What directories were exposed, and what was in them?"

      If -- and I mean if -- it's only /pub, and there's nothing in /pub then what's to worry about?

      Vulnerabilities in the FTP server and, far more likely, misconfigurations that mean that /pub isn't the only thing exposed. If a system is badly misconfigured enough to have an FTP server enabled by accident, what are the odds that it's configured correctly and patched up?

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    12. Re:Oh Good Lord by swillden · · Score: 1

      For anything in the last decade or so, the presence of an ftp server indicates intentional set up of ftp.

      You don't know government (or Big Business) very well. I wouldn't be surprised if that server is actually a 15 year old SCO server, not patched in 12 years, and the hardware out of support for 10 years.

      In which case it almost certainly has a raft of well-known vulnerabilities which can be exploited to break out of the locked-down configuration.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    13. Re: Oh Good Lord by astrofurter · · Score: 1

      "The kind that welcomes foreign interference?"

      Or the kind that welcomes domestic interference. Or both!

    14. Re: Oh Good Lord by astrofurter · · Score: 1

      If you leave your front door hanging wide open, there's very little chance a burglar will try to climb in the window.

    15. Re:Oh Good Lord by AmiMoJo · · Score: 1

      Incompetence is the correct answer. Their software sucks and is buggy. Installing updates and doing diagnostics on site is an expensive process, so the bosses demand it be made cheaper. They could do it properly, have the machine VPN back to their servers or something, but that requires infrastructure and administration... Cheapest option is just to enable FTP.

      Security is an expense they don't need. If someone hacks their machines they can just play the victim and besides which failure isn't really a problem when you have the politicians in charge of the bidding process in your pocket.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    16. Re:Oh Good Lord by strikethree · · Score: 1

      While I do have to wonder why anyone would run an FTP server on a server being used for Elections (what EXACTLY is an election server?), what has been described is not necessarily a problem.

      A properly configured FTP server used to be how the Internet shared files, long before WWW became as abused as it is today. Anonymous login is/was a feature that is/was routinely used.

      Assuming a secure and intelligent setup and purpose for the FTP server, sharing data is not necessarily an issue.

      Perhaps I should read the article, but the TL;DR version failed to get my panties bunched up.

      --
      "Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen
    17. Re:Oh Good Lord by Darkk · · Score: 1

      My uncle's invoice management system was written to run on a SCO server and has been running for 20+ years. Yes on a Pentium II processor! He's not concerned about it because the server is not even connected to the network. All connected via serial WYSE terminals. For giggles I've made a ghost image of the server and got it running as a VM but unfortunately the way the special serial cards are designed it won't work as a VM. The TCP/IP stack can't be installed on the version of the server he has now due to $$$. Eventually he will have to upgrade to something more modern but for now it works.
       

    18. Re:Oh Good Lord by painandgreed · · Score: 1

      [*] It's worth pointing out that malice is actually pretty rare, and that malice in its purest form -- malice for its own sake -- is extremely uncommon.

      I'm guessing you browse at +1 and just never see all the Anonymous Coward posts here.

    19. Re:Oh Good Lord by swillden · · Score: 1

      [*] It's worth pointing out that malice is actually pretty rare, and that malice in its purest form -- malice for its own sake -- is extremely uncommon.

      I'm guessing you browse at +1 and just never see all the Anonymous Coward posts here.

      Trolling is boredom, not actual malice.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  8. Pure FUDD by Anonymous Coward · · Score: 1

    This article is so much FUDD that it disgusts me.

    Yes, the servers that allow people to register and post the election results are connected to the Internet and they should have FTP so the public can get election data.

    The missing part is that the tabulation servers and equipment are air gapped and on their own separate system, as well as the state database that maintains registration. Can you hack the site and change the results? Yes, you can change the html export from the tabulation system to say whatever you want. It isn't going to change the official tabulation results that are communicated to the state and verified three times against the ballot boxes and tabulation systems.

    The system is secure. Don't believe me? You can ask to be an auditor and watch how the poll-workers conduct the election and the procedures used back at the warehouse. Every ballot is counted. The numbers must match ballots issued at the poll vs ballots tabulated vs voters checked in. These are three separate systems that are reconciled against each other by hand and electronically by multiple individuals.

    Overall the system is only as secure as the folks conducting it. They usually welcome outsiders to watch as it reinforces transparency.

  9. Is it really necessary by themusicgod1 · · Score: 1

    to explain what FTP is on a /. post? I get TFA might have ...but...in the preview text, really?

    --
    GENERATION 26: The first time you see this, copy it into your sig on any forum and add 1 to the generation.
  10. This the kind of razorsharp technical analysis we' by najajomo · · Score: 1

    As recently as Monday, computer servers .. ran software that could potentially expose information to hackers or enable access to sensitive files without a password. The insecure service .. could be reached from internet addresses based in Russia, which has become notorious for seeking to influence U.S. elections. Kentucky's was accessible from other Eastern European countries.

    Yea, there's this thing called the Internet, it's like a network of computers that can connect to other computers on the same er .. doh .. network. Serious dudes, enough with this anti-Russian cyber bollix.

  11. Idiot by Anonymous Coward · · Score: 1

    It's not a voting machine, and it's not a critical system. It's a reporting machine that has to be publicly facing to give the public the election reports. In fact, putting FTP on it is a *good* idea to allow bulk transfer of data, as it's a much more appropriate protocol than HTTP for file transfer. Oh, and you idiots suggesting rsync or scp, the entire point is to allow the data to be available without a login. FTP does that, your favorite protocols don't.

  12. FTP is for sales by astrofurter · · Score: 2

    100% of real-world FTP servers I've seen running in the last decade were set up on orders from Sales or Marketing departments. Those folks tend to have low technical ability, zero understanding of security, and far more political power than Dev or IT.

    In fact, the presence of an FTP server on an important host tells us something about their organizational structure. It tells us there is at least one zero-tech-knowledge person in the org, whose mere whim carries more weight than the CTO's (or CSO's) total office-political power.

    It's a social problem. We now live in a world where everything is controlled by computers. Yet programmers have no real upward career path and are systematically excluded from leadership positions in most organizations. Thus even highly tech-dependent orgs usually have 100% tech-illiterate leaders.

    Until this social problem is fixed, expect security incidents to get steadily worse and more frequent.

  13. Re: Intruders, oh my! by astrofurter · · Score: 1

    Rumor has it that AWS us-east-1, at least, is protected by a SAM battery (among other things, no doubt).

  14. there is nothing wrong with ftp by sad_ · · Score: 1

    there is nothing wrong with ftp, as long as it is used in the correct way.

    --
    On a long enough timeline, the survival rate for everyone drops to zero.
  15. FTP still has uses. by kbg · · Score: 1

    I still use FTP for file transfer. It's simple to set up and has many good features, it's extremely handy for transferring multiple and large files. I mean what else are you going to use? HTTP? Good luck trying to transfer that 500GB file without restarting the transfer when you are losing the connection every once in a while. FTP has restarts and retries and I don't see how you are going to get that with HTTP. FTP isn't insecure by default, it's just as secure as any other protocol.