Kurt McKee

lessons learned in production

Hey there! This article was written in 2005.

It might not have aged well for any number of reasons, so keep that in mind when reading (or clicking outgoing links!).

The day I made a Linux server less secure

Posted 25 January 2005

Our Linux FTP server is configured and ready to receive the files on Thursday. I think that Brian is a little anxious about security, since Linux isn't something he's familiar with. That's fine, but we're using FTP, so there are inherent security problems. Remember how in my last post I mentioned that FTP is an awful way to transfer files? I meant it.

You see, FTP sends everything in a format called plaintext. This digital transmission is similar to sending a postcard in the real world. Brian said he doesn't mind that people will be able to see the information that we're going to be receiving. Who cares if someone can read what's on the postcard? Ah, but even if we don't care about protecting the files, we need to protect the computer. This of course means that the person sending us the files will have to enter a username and password to prove that they have the right to put files on our computer. Except that using FTP means that the software will be sending the username and password in plaintext.

This is equivalent to taping cash to the postcard with "Steal me!" scrawled on it.

I naturally have a strong opinion about this. There is much more secure software out there! However, in all practicality it probably will not make a big difference. I'll lock down the Linux server so that only one username will work, and only if the user is at the right computer, and only if it's on the right day within a certain timeframe.

So here's the take-home message: Even if I don't like that we have to rely on FTP, I do like that we're running the software on Linux. Once we know that it works we can just let it sit there doing its job until the hardware fails in A.D. 2037, although occasionally I'll log in from my dorm room and update the software.

Man, Linux is terrible for job security! At least we aren't using Linux for our desktop computers, or I wouldn't even be needed for cleaning up viruses and spyware!