Subject: Re: uhhh.. OpenBSD was secure i thought?
To: None <tooleym@Douglas.BC.CA>
From: Bob Beck <firstname.lastname@example.org>
Date: 11/15/1997 11:06:49
> Go check out ftp.openbsd.org in /incoming/test
> Is the way they've set up their incoming directory on purpose? So that
> anyone can just come in and store files there?
Yes. ftp.openbsd.org is also ftp.ualberta.ca. It's a campus ftp
server. People can put stuff there for U of A people. That's the point of
an incoming directory.
> Correct me if I'm wrong, but usually when this happens it's called a
> misconfiguration and the ability to create directories in an open anonymous
> ftp directory which is as fast as their machine is is whipped closed as soon
> as the (usually embarrassed) sysadmin finds out about it.
Only when you can read the files back. This ftp server is running
over top of AFS, in which we can give people the permission to do stuff
like that without the ability to read it back. (at least from the ftp server)
> Ha ha ha.. and OpenBSD was bragging about how secure they are. Again, if
> I'm not mistaken, here's the perfect example of the fact that no matter how
> secure a system is supposed to be, if it's not admin'ed properly, it doesn't
Sure, I agree completely. It's completely dependent on what
pokes the keys on it in meatspace. So by your own point what does this
have to do with the security or insecurity of OpenBSD?
> Of course, maybe this open /incoming directory is there for easy
> redistribution of certain source/fixes/whatever?
Actually it's for the U of A. Has nothing whatsoever to do
with OpenBSD, and wouldn't anyway. The OpenBSD mirror is on another
machine, accessible to the ftp server via AFS.
> However, it's in quite a ripe position to be exploited by pie_rats as a fast
> intermediary with a large storage capacity, is it not? A damn FAST
> repository. I was dl'ing the latest OpenBSD release at nearly 50K/s at some
Yes, I do like that it's fast. fast is good. pie_rats and
porn_hounds are unwelcome on murphy's boat tho. Thanks.
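
An added example, not part of the original message: a Python check over AFS `fs listacl` output that separates write-only drop directories from ones where uploads can be read back, which is the distinction the reply draws. The paths, the `ftp-server` principal and the sample ACLs are constructed for illustration, and group membership is ignored (each principal is matched by name only).

```python
import re

# Constructed sample of `fs listacl` output; paths and principals are invented.
SAMPLE = """\
Access list for /afs/example.org/ftp/incoming is
Normal rights:
  system:administrators rlidwka
  ftp-server li
Access list for /afs/example.org/ftp/incoming/test is
Normal rights:
  system:administrators rlidwka
  ftp-server rli
Access list for /afs/example.org/ftp/pub is
Normal rights:
  ftp-server rli
Negative rights:
  ftp-server i
"""

def parse_acls(text):
    """Return {path: {"normal": {principal: rights}, "negative": {...}}}."""
    acls, path, section = {}, None, None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"Access list for (.+) is$", line)
        if m:
            path, section = m.group(1), None
            acls[path] = {"normal": {}, "negative": {}}
        elif line in ("Normal rights:", "Negative rights:"):
            section = line.split()[0].lower()
        elif path and section and line:
            principal, rights = line.split()
            acls[path][section][principal] = set(rights)
    return acls

def audit(text, principal):
    """Classify every directory where `principal` may insert (upload) files."""
    findings = {}
    for path, acl in parse_acls(text).items():
        # Negative rights subtract from whatever the normal entry grants.
        rights = acl["normal"].get(principal, set()) - acl["negative"].get(principal, set())
        if "i" in rights:  # i = insert: new files and directories can be created
            # r = read file contents; with it, uploads can be fetched back out
            findings[path] = "read-back" if "r" in rights else "write-only"
    return findings

if __name__ == "__main__":
    for path, verdict in audit(SAMPLE, "ftp-server").items():
        print(f"{verdict:10} {path}")
```

A `read-back` result marks a directory that can serve as a relay for arbitrary uploads; `write-only` is the drop-box arrangement the reply describes.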