[ Date Index ] [ Thread Index ] [ <= Previous by date / thread ] [ Next by date / thread => ]
On 03/11/12 18:13, bad apple wrote:
yes and this applies to everyone on the street also; all are potential muggers.... I think the main thing to think about is, is my traffic valuable? Would anyone actually want the information? Do I really care? I don't mind (that much) if someone on the bus overhears me saying soppy stuff to my girl friend and I don't really care if some hackerette in McD's wiresharks the e-mail equivilent, much good it'll do them.On 03/11/12 16:49, Martijn Grooten wrote:On Sat, Nov 3, 2012 at 4:29 PM, Tony Sumner wrote:I use ftp to send stuff to my website. If I should stop what else is there?There's sftp, which uses ssh, but I don't think many hosts offer that these days. Some CMS's offer web-based file uploads, but this generally means directories have to be writeable by the web server, which isn't ideal. In most cases, ftp is your only option really. The most important thing is never to use it: - over unsecured wifi; - on someone else's computer. And, ideally, you shouldn't make your computer remember your password. That should reduce the chances of someone being able to get hold of your credentials significantly. No to zero though, so if there's a way for you to see when someone has uploaded files (using server logs or something), it's a good idea to regularly check, and contact your host (and change your password) if you find someone else has had access. Martijn. PS if you are able to use sftp, all of the above still applies (except for the unsecured wifi): the most likely attack scenarios are through keyloggers recording you entering your password and through the password being stored in a predictable place on the computer. Sftp helps against neither of these.Yeah, exactly what Martijn said with the following extra provisos: If your host doesn't use SFTP, they're idiots and you should try and bend their arm into not being useless and lazy. FTP should have died a long time ago but sadly lives on. Martijn's threat assessment also glossed over one element, the unsecured wifi bit - FTP passwords are cleartext, so if someone is on the same network segment as you any basic traffic sniffing tool can pull your password/user data straight out of the air, or off the wire. He's still completely correct, but I'd go further - on ANY network you don't completely trust or own yourself, you absolutely 100% must initiate a secure connection over SSH or VPN to a known good system first, and subsequently use that connection for all further traffic. Even a WPA2 secured wifi network in a reputable coffee shop or restaurant can't be trusted. I've had a lot of fun with my tatty old laptop in coffee shops and the like (purely research I should add, for mischief not evil!) and you'd be horrified if you could see what 4 wifi interfaces with modded injection-capable drivers are capable of in even vaguely skilled hands... Let's not forget that quite recently, a simple Firefox plugin (FireSheep) turned everyone briefly into a Starbucks hacker. Treat all networks as hostile, you'll be a lot safer. Cheers
Do you shred every letter, each piece of junk mail, before it goes it the recycling? Am I about to put a password on my home PC in case someone breaks in and posts nasty stuff to my facebook account?
Of course it is not a great idea to check your bank account in Starbucks or upload that *.pdf about the gzillion pound deal you're about to broker in Dubai, no more than to chuck your bank statements into the paper recycling box. And of course it is not great to leave yourself permanently logged in to google mail on that PC in the internet cafe you visited on holiday.
The care taken should be in proportion to the value of the data your dealing with. Presumably if your updating a website using ftp then the stuff that is uploaded will be content for the site. So it will be visable anyhow. Does it matter if someone gets to feel they are hacker of the month by attempting to read it as it flys past them in wireshark (or whatever), well good luck, get a life...
And at least with linux you can download as many dodgy e-mail attachments with hidden .exe files as you want, happy in the knowledge that nothing will happen.
The internet is really like talking on the bus. If someone is that interested they can probably hear you. If they're that interested they train a directional mic on you, and if the conversation is that important probably you should have it somewhere else, or the equivalent of a sound proof room with no windows (lip reading). And shouting out your PIN number etc is not a very inspired idea.
I suppose someone could read my fireftp uploads, get the password and turn it into a site selling viagra (if only I got so much traffic..)
proportionality, proportionality, proportionality.... -- The Mailing List for the Devon & Cornwall LUG http://mailman.dclug.org.uk/listinfo/list FAQ: http://www.dcglug.org.uk/listfaq