Razorback
NewsProjectsGuidesResourcesContact

Archive

Quick Links

FTP is Dead, Millions are Suffering

October 8th, 2020 at 4:00 PM by Kugee
Category: Tech/Networking

One sleepy night, I quietly announced to my server that a new release of Windows 95D Lite was available for testing. I provided the download link to the new file... but being addressed to an FTP server, some asked me if I would provide HTTPS download support. Little did I know that Chrome completely ditched support for FTP some time ago, and Firefox is well on its way to do the same thing.

FTP is insecure insecure insecureeeee!!!!!

My first thought was this: how does one simply kill off an entire protocol that's still widely used to this day? Their justification is that FTP is old, insecure, and inefficient. What does that mean, now? FTP has been around since 1971 and hasn't changed too drastically since then. It has no built-in encryption features, so obviously it has to be a major security hole, right?

Well, here's the thing: a lot of FTP servers are public and permite anonymous, passwordless logins. Over the early decades of the internet, they've proven to be extremely useful for hosting large archives for anyone to access. Many actively maintained websites are now offering downloads over HTTPS, but they also have been shutting down their FTP services in turn. They've been heading in that direction for years, and now web browsers are following suit.

I have to ask them all something: why do they find it necessary to close off a file transfer service that many people still rely on? What exactly needs to be secured and encrypted when it comes to downloading a publicly available resource without the need for authentication? IP addresses, maybe, but I can't think of much else. It's not like your online activity is actually secure; ISPs, federal agencies, and data mining operations such as social media platforms can pick up on everything you do in a snap. This is common sense at this point.

The fetishization of encrypting literally everything among the security community is bizarre, and plays into the trap of planned obsolescence, one of the most significant environmental crises at large. Entire versions of operating systems quickly become abandoned because they have some kind of vulnerability that could probably be fixed with a quick update or service pack.

Sure, some security standards are pathetic and should be avoided at all costs, particularly LAN Manager password hashes that can be broken in minutes with modern hardware. What the tech community needs to understand, though, is that "insecure" platforms still have a variety of appropriate uses. If authentication is not of concern, FTP is all fine for the job. Anyone can quickly implement a decent firewall and some elegant solutions like fail2ban as a minimalistic, uncomplicated measure to keep their servers from falling apart.

It's quite ironic how everyone will virtue signal about security through forced obsolescence as many large companies load their websites with an endless amount of malicious cookies and scripts. On top of that, it seems a company can't go very far without experiencing a massive data breach, and in all too many of these cases the passwords tied to user accounts end up being stored in clear text. Oh, golly me, it was a slip up!

Hacking is Laughably Easy

Listen here real good, now. Don't blame old protocols for security problems. Those are caused by companies that don't know what they're doing. They act reflexively on security breaches and give their sysadmins these convoluted solutions to provide the false impression of security. They don't understand cybersecurity... not that I do either, but what I mean is that they don't get how you're supposed to secure a system at all. They don't know the basics of users, groups, file permissions, or anything like that. It's not even taught in high school; most you'll ever be told about security there is a Scantron-like quiz on what version of TLS is used nowadays, or a brief mention of a breach the school had.

In fact, that's exactly how it went in 12th grade for me. Some teacher mentioned my district had a major breach in the midst of a barebones discussion on cybersecurity that took up something like one minute of the day. They didn't know who did it, or what exactly happened... until I told them.

Yes, I "hacked" an entire school district, if you can even call it that... I would be considered below even script kiddies if you were to ask me, though. Hacking was the furthest thing from my mind until I found some document in a list of recent files in a taskbar program. It pointed to a local SMB address I hadn't seen before. I walked right into it, and found out that so much sensitive data stored there was accessible to everyone with access to the internal network without limitation. No leet tools, no brute force attacks, nothing... just a black hole that was probably neglected since the district first started using Windows NT Server.

I spoke to nobody about this, but I found myself very compelled to try to take a bunch of this data for myself with only a large flash drive handy. It wasn't out of smugness or anything like that, it was because I absolutely despised the district for how horribly they've treated me for all the years I've been enrolled there. More on that another day, but I wanted to find something so damning to the district that I could effortlessly prosecute them on it as revenge for them pummeling me down so hard.

I didn't find what I was looking for, and by that I mean something on the level of an obtuse conspiracy theory. What I did find, however, would probably make you shit yourself ten times over, especially if you were in the same district as I was. There were family-related personal exchanges between staff, records of various incidents caused by other students, and staff members, and the kinds of stuff that would be an identity thief's soaked dream. I refuse to get into detail on any of this as it is confidental. The point is that ALL of it had security and sharing permissions set to "Everyone".

The whole time I was hoarding from the security holes, somehow nobody in charge of the servers ever noticed, despite the fact that I was using my own account on the network to carry out the transfers. Windows NT has had audit logs for a very long time; wouldn't they have implemented that at all? I had to CONFESS that I was the one behind the security breach they caught glimpse of MONTHS LATER, if not an entire year.

By the time I did tell them about it, I was having severe anxieties over whether I would be able to get out of all of this in the end and if I really should have gone through with downloading all their stuff, considering I never found anything useful for putting the district on trial. Eventually I was let off the hook following some cooperation with the district to shred all of my copies of what I had, and the servers I walked into were finally locked down.

Looking back on it, this was definitely something that needed to happen by my hand. I could've made it much easier for everyone's minds by just brining this upfront the moment I found the security hole, but you also have to note that when you're beaten down so much, you might just try anything to get back at your oppressor regardless of the collateral consequences. Had I not even found this when I did, it almost certainly would've come back to bite me and thousands of others in the ass.

Security is Also Easy...

At this point, the subject's completely changed, so what exactly does it all have to do with an ancient means of transferring files? My point is that just because you buy new computers and ditch older technology does not mean your data becomes more secure. Many operating systems give you all the tools you need to implement a basic level of security that will ward off at least some attacks. The answers to the world's cybersecurity problems are often much simpler than needing to install some new software or ditch an outdated platform. It all boils down to addressing the misuse of things. Again, FTP is NOT an appropriate protocol if password authentication is necessary, but it works well in public setups.

It's sad how little is actually taught about security in computing unless you go to some college, and I'm not even sure they'll tell you enough about that. Perhaps it's no wonder FTP and other old standards are being killed off; those who deal with security in modern tech are basically forced to force everyone to move to something more secure, because too many companies are idiotically mishandling their networking applications and we're left to see this whole field as rocket science unless we look into it for ourselves. A crash course on file ownership and permissions could get anyone up to speed on how to secure their data.

You may very well be beholden to a company, school district, or other type of organization yourself, and chances are they're storing a plentiful of records about you. Those records could get leaked should they fall into the wrong hands, putting you and your friends at risk. You have the power to stop this from happening... if at all possible, try anything you can to see if there's something wrong with their security implementations. Do be ethical, don't leak anything, just let the tech personnel know if you found something, and a crisis may very well be preemptively averted. I'm sure you could be much more heroic than I ever will be.

How Razorback Plans to Handle Security

While this website is designed to work with a variety of old hardware and software, I also try to implement whatever security measures I can, both internally and externally as an option to those using modern software. In regards to HTTPS, I'm already enforcing TLS 1.2 at minimum, and do want to step up to TLS 1.3 whenever it becomes conveniently available in the Debian packages my server's tied to. Anything less than TLS 1.2, you drop to HTTP. Simple as that, you don't need to block out entire generations of web browsers.

Following what I've heard about FTP on my Discord server, I have now created a symbolic link to my FTP server, so you can easily access all of its contents through HTTPS just as you would through FTP. This should make it much easier for anyone using modern software to work with my website while still allowing old computers to download files off of it just as easily.

Here's hoping the future is not loaded with malicious data mining and password leaks...