SFTP is part of SSH, FTPS is FTP with encryption poorly stuck onto it.
You mean like HTTPS is HTTP with encryption "poorly stuck onto it"? And why isn't SFTP just "SSH with FTP poorly stuck onto it"?
I'm of the opinion that the base protocol and the encryption should be separate. Why should a separate security infrastructure (each with its own possibility for bugs) be built around each single protocol? Or should one extend SSH to also support replacements for SMTP, IMAP, NNTP, etc.?
On top of that very few FTPS software packages seem to be compatible with each other.
Well, that's of course a problem, but not exactly a fault of the protocol.
If you don't know what SSH is please look it up yourself.
Of course I know what SSH is. It's what you use to log into a computer where you have a shell account. It also supports file transfer, in its own, incompatible way.
Passive FTP should be standard these days, so the opposite direction problem doesn't occur; all connections go from the client to the server. Why multiple connections should be a problem, I don't see.
The problem with Libya was that it had a stable, successful socialist economy
Doesn't look stable to me. Recall that the rebellion predated the foreign powers.
Well, it was stable in the sense that without the help of NATO, Gaddafi would probably have been able to stop the rebellion. Yes, it would not have been good for the people, but since when do any governments care about the people (except for those of their own country, as far as they need them to get re-elected)?
Where does the fact that Libya was a tyranny fit into your explanation?
Well, it already was a tyranny before that. Yet nobody in the west seemed to care too much as long as they got a net benefit.
But for phishing/social engineering the expiration time is not very relevant, because unlike brute force, there is no trying passwords. The person tricked to give the password out will always give the current password, no matter whether it was set one hour ago or one year ago, and especially independent from what it was when the phishing/social engineering attack started. Nor will the password expiry time make the phishing/social engineering attack any harder (indeed, it could make it easier, because it could be used for phishing attacks specifically aimed at password expiration, like "your password is about to expire, click here to change it"). So the only effect of a 90 day password expiry is that an attacker has on average 45 days to exploit a phished/social-engineered password -- that's still plenty of time to use it.
Also it discourages using the same password for multiple accounts.
No, it encourages using the same password for multiple accounts. Because now you have to remember more passwords already per account (you can't simply un-remember the old one!), you're less likely to also use different passwords on different accounts, simply because more passwords mean more potential confusion.
Remember, it's always possible to change the password before the old one expires, therefore it's trivially easy to just change all of them at approximately the same time.
Long, complex passwords help prevent brute-force attacks. Expiration times guarantee that an attacker has only 90 days to hack and use a password before it becomes useless.
But then, wouldn't a better rule be that the expiration period is longer if your password is longer and more complex? After all, it takes much more time to crack such a password. And giving longer expiration times to longer, more complex passwords would also mean an incentive for people to actually use such passwords, instead of using the minimum length/complexity they can get away with.
"That digger has just one driver. Couldn't you replace it by 100 men with shovels? Then many more people would have work!" -- "Sure. I could also replace it with 10000 people with teaspoons."
What if a former student becomes teacher at the same school? Is then the school no longer allowed to have a teachers-only web site for their administration?
more than 3 consecutive characters that were also in a previous password are banned (so no more simply increasing the number at the end every 90 days)
Which means they either store the passwords in clear, or they store a hash of every three-letter sequence appearing in the password. Both look like a security nightmare to happen if the password file ever leaks.
Last I checked, only about 5% of people in the US are involved in agriculture.
Does this only include the actual farmers, or also the people working e.g. at Monsanto and McDonald's? You know, food production is more than just farming.
Well, it needs oil. It needs a motor. It needs wheels. It needs something to harvest. It needs computer hardware. And, yes, it also needs software. However, without software, people would just have to drive that thing themselves, as they have done before. Without oil, or without a motor, they would have to harvest by hand, which would already be a much larger drawback. But without something to harvest, the whole thing would be 100% useless.
I haven't used any Windows version Microsoft released in the last decade, so maybe I'm missing something. But I thought that apart from registration (which you can do per phone as well, if you prefer) and Windows Update (which you can switch off if you really want), there was no data exchange with Microsoft (unless you explicitly initiate one, of course).
Oh, and about why my PC (running Linux) phones home every day: It looks into the repositories for updates. And yes, this probably gives the repository server owner more information than Windows Update, because almost all software running on my computer was installed from the repository.
If Microsoft is clever, it can get the market for paranoid people. Both Apple and Google have a reputation for collecting data about their customers. If Microsoft can credibly make their offering more privacy-compatible, they might have an edge.
Does this arm also achieve sinistrality, or is it restricted to dexterity? :-)
But maybe the lameness filter could be adapted to reject any post which contains several links to the exact same URL. Any such post is obviously spam.
Since when does a spam bot realize anything? Did spam bot technology advance far enough for the spam bots to get self-aware?
Passive FTP should be standard these days, so the opposite direction problem doesn't occur; all connections go from the client to the server. Why multiple connections should be a problem, I don't see.
So what is the advantage of sftp over ftps?
Yeah, at the macro-level, if one person has an income of a billion dollars per day and another gets nothing, on average both are super-rich.
Reminds me of the following:
"That digger has just one driver. Couldn't you replace it by 100 men with shovels? Then many more people would have work!" -- "Sure. I could also replace it with 10000 people with teaspoons."
So you prefer to pay them with your taxes through public welfare instead?
Thank you for being a friend
Traveled down the road and back again
Your heart is true, you're a pal and a cosmonaut.
That's confidant, not cosmonaut.
Not that I can see any connection with this story, either way.
The Matrix, of course. :-)
You cannot virtually grow food. In the end, humans need something real to eat.
RIM still exists at least for now.
On tablets?
But why should one go to WP7 if he can get in a much larger market on iOS?
If Microsoft is clever, it can get the market for paranoid people. Both Apple and Google have a reputation for collecting data about their customers. If Microsoft can credibly make their offering more privacy-compatible, they might have an edge.
iOS is a complete failure on the desktop.