On Wed, Mar 14, 2001 at 02:34:32PM +0000, Jon Eyre wrote:
> > My several users use scp.
>
> is there an idiot-proof graphical front-end for scp? windows
> clients? my several users require them, or they'll just continue
> using ftp, because it's *easier*... People are lazy, and security
> measures which are a pain in the arse will fail to work because the
> users will bypass them (summarizing from Schneier's Secrets and Lies).
I'd like to see my users try to bypass them :-) There is simply no
other way of uploading a file. No ftp uploads, no rcp, no http uploads,
and none of the sneaky ways of getting in via smtp. Oh, and no smb, no
appletalk, and no nfs server. Of course, I don't accept idiots for
users.
But for Windows users, I recommend Secure iXplorer, for Mac users, macssh.
> > All of them can put anything they want on there.
> > If you're doing hosting and letting people upload code, you have no choice
> > but to trust your users. *BUT* by avoiding grotesqueries like ftp, and by
> > setting permissions sanely, third-parties are hard-pressed to compromise
> > the server.
>
> dealing with clients who can't remember or don't know
> usernames/passwords, and the subsequent calls to isp
> helpdesks:
>
> "Hello, I am from web agency X, we need ftp details for customer Y
> so we can upload their site."
Evil reply: "that's your fucking problem, ask your client"
> And they just give 'em out. No checks, no confirming with the
> customers, nothing. There's little hope of
> securing stuff if people can be socially
> engineered so easily.
That's a matter of setting policy. If there's no policy in place to
prevent that, then you can expect people to do it. If you have a security
policy which states that you will fire people for such gross breaches -
and more importantly, you *enforce* it - then it won't happen more than
once or twice.
Anyway, how on earth can the helldesk grunts get at passwords? Not even
the sysadmin should be able to tell you a user's password. They should
*never* be stored in plain-text. If they are, fire the sysadmin.
BTW, when I've made those calls to ISPs in the past, my client has always
told them in advance that I'll be calling. Perhaps I just have a higher
class of clientele :-)
--
David Cantrell | [EMAIL PROTECTED] | http://www.cantrell.org.uk/david/
This is a signature. There are many like it but this one is mine.
** I read encrypted mail first, so encrypt if your message is important **
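The point about passwords never being stored in plain text, illustrated as an added example that is not part of the thread: accounts keep only a salted PBKDF2-HMAC-SHA256 record, verification recomputes the hash, and the only thing a helpdesk function can do is reset a password, not read it. The record format, the iteration count, the `ACCOUNTS` table and the sample account "customer_y" are all assumptions constructed for this example.

```python
import hashlib
import hmac
import secrets

# Assumed stored record format (not from the e-mail):
#   algorithm$iterations$salt_hex$digest_hex
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # assumed work factor; tune to the server's CPU budget
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a salted PBKDF2-HMAC-SHA256 record. The plaintext is never kept,
    and a fresh random salt means equal passwords produce different records."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the record's own salt and iteration count and
    compare in constant time. Malformed records simply fail to verify."""
    try:
        algorithm, iterations_str, salt_hex, digest_hex = record.split("$")
        iterations = int(iterations_str)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


# Constructed sample account table: username -> hashed record only.
ACCOUNTS = {
    "customer_y": hash_password("correct horse battery staple"),
}


def helpdesk_reset_password(username: str, new_password: str) -> bool:
    """The one action a helpdesk can take on a forgotten password: replace the
    record. There is no function here that returns a password, because the
    server never has it. Returns False for unknown accounts."""
    if username not in ACCOUNTS:
        return False
    ACCOUNTS[username] = hash_password(new_password)
    return True


if __name__ == "__main__":
    print("login ok:", verify_password("correct horse battery staple", ACCOUNTS["customer_y"]))
    print("record:", ACCOUNTS["customer_y"])
    helpdesk_reset_password("customer_y", "new passphrase")
    print("old password still works:", verify_password("correct horse battery staple", ACCOUNTS["customer_y"]))
```

A reset invalidates the old record outright, so after a helpdesk call the legitimate customer must be told the new password through a channel that was agreed in advance, which is exactly the policy step the thread says is missing.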