Subject: Re: uhhh.. OpenBSD was secure i thought?
To: None <tooleym@Douglas.BC.CA>
From: Bob Beck <>
List: current-users
Date: 11/15/1997 11:06:49
> Go check out in /incoming/test
> Is the way they've set up their incoming directory on purpose? So that
> anyone can just come in and store files there?

	Yes. is also It's a campus ftp
server. People can put stuff there for U of A people. That's the point of
an incoming directory.

> Correct me if I'm wrong, but usually when this happens it's called a
> misconfiguration and the ability to create directories in an open anonymous
> ftp directory which is as fast as their machine is is whipped closed as soon
> as the (usually embarrassed) sysadmin find out about it.
	Only when you can read the files back. This ftp server is running
over top of AFS, in which we can give people the permission to do stuff
like that without the ability to read it back. (at least from the ftp server)

> Ha ha ha..  and OpenBSD was bragging about how secure they are. Again, if
> I'm not mistaken, here's the perfect example of the fact that no matter how
> secure a system is supposed to be, if it's not admin'ed properly, it doesn't
> matter.
	Sure, I agree completely. It's completely dependent on what
pokes the keys on it in meatspace. So by your own point what does this
have to do with the security or insecurity of OpenBSD? 

> Of course, maybe this open /incoming directory is there for easy
> redistribution of certain source/fixes/whatever?
	Actually it's for the U of A.  Has nothing whatsoever to do 
with OpenBSD, and woudn't anyway. The OpenBSD mirror is on another 
machine, accessible to the ftp server via AFS. 

> However, it's in quite a ripe position to be exploited by pie_rats as a fast
> intermediary with a large storage capacity, is it not? A damn FAST
> repository. I was dl'ing the latest OpenBSD  release at nearly 50K/s at some
> point.

	Yes, I do like that it's fast. fast is good. pie_rats and
porn_hounds are unwelcome on murphy's boat tho. Thanks.