On Mon, 5 Feb 2001 08:28:14 +0100, Åsmund Skjæveland said:

> > Well, to replicate what I assume a lot of people here do (i.e., maintain web
> > servers/ftp servers) it is crucial that you limit who can upload to the
> > machine, but not who sees what is *on* the machine.  So the fact that I'm
> > uploading a new index.html to my machine isn't sensitive at all, anyone who
> > goes to my box can see that.  However, I obviously don't want just anyone to
> > be able to upload to my machine.  To be honest, that is a *lot* more common
> > for me than having actual sensitive data.  If I didn't know that it would be
> > taken advantage of by script kiddies and idiots, I would open up my whole
> > machine to the 'net, cuz I frankly have nothing on there that I care if
> > anyone else sees.  It's just limiting who can *change* it that I care about.
>
> In other words, you don't want anyone to be able to intercept and modify the
> datastream, and so the data are sensitive.

Um, I have *never* as in *never* had a man-in-the-middle attack aimed at me
or at anyone that I have ever spoken with.  And before I get a flood of
"Well, my cousin did!" emails, I'm not saying it has never happened, it's
just not a common way of cracking a system.  OTOH, packet sniffers are so
common, and script kiddies so prevalent, I *know* that every time I send my
user/pass combo in plaintext, someone is logging it somewhere.  That,
combined with the latency issues that the list has been discussing lately
when using scp with good encryption, makes me wish that there was a way to
encrypt the authentication portion but not the actual data transfer.  I don't
think that is such a bad thing, and it's probably a fairly common desire. 
And since I know that there will be people out there (probably you, Asmund
;-) who are horrified at the thought of not encrypting everything and always
taking the most precautions available, I'll just say that we don't agree and
leave it at that.  'Kay? :-)

HAND,

D.A.Bishop
