
Wednesday, November 22, 2006

What FTP access you can get with US$10,000 and other ACA Guy FTP hubris

Summary: "Moral outrage" was the sentiment the otherwise stoic ACA Guy felt when the reporting on an eBay auction for FTP access to a .gov domain surfaced. And, a few other incidents highlighting ACA Guy's FTP hubris quickly followed.


I thought I had seen it all but my jaw dropped when I read the posting about selling FTP access to a .gov domain server.

To quickly recap, there was an auction on eBay for access to "parasitic host" files on a .gov domain with a winning bid of nearly US$10,000.

What is in it for the buyer? You see, in the wild world of SEO/SEM (search engine optimization/search engine marketing), having your information/files addressed in a .gov domain name is like putting your SEO/SEM effort on a super steroid that nobody else can get. And, as a US$10 Billion industry that did not exist just a couple of years ago, there are plenty of SEO/SEM players who will do anything to get that extra edge.

And this "service", which I can only presume to be unauthorized, is rendered by sending the seller your files, which the seller then FTPs to the destination .gov domain. In other words, a legitimate web server, owned and operated by a government agency, will soon be playing host to unauthorized and unknown files. All because someone left an FTP access that is (I can only hope) unintentionally open.

Like a really good scary story, this is extra spooky precisely because everything makes sense and it could as easily happen to you and me.

ACA Guy's FTP hubris #1: I thought my FTP ghost story was good. But, monetizing unauthorized FTP access is, what can I say, wow!

While we are talking about how human users can behave badly around FTP, here is another one as reported by Computer World. The gist of the story is that an employee uploaded a copy of the Windows 2000 Professional OS onto a public-access FTP server that is frequently used to download software patches and the like. Needless to say, it was not a legal distribution of the copyrighted software. Furthermore, this incident was only discovered because a product marketing person happened to notice the "odd" software image on the server. Let's not even speculate on the potential legal liability for the company.

ACA Guy's FTP hubris #2: I am reminded of that saying about firearms and criminals, and I thought - FTP does not kill, users do.
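Both incidents above have the same root cause: an FTP server that quietly accepts uploads nobody meant to allow, and nobody looking at the transfer log until a stranger's files are already being served. As an added example (not from the original post and not Accellion's code), here is a small Python script that scans vsftpd-style transfer log lines for two things a server owner would want flagged: successful uploads by the anonymous account, and uploads above a size threshold on a share meant for downloading patches. The log lines are constructed for the example, the log format and the "ftp" account name for anonymous sessions are assumptions about a default vsftpd setup, and the 100 MiB threshold is an arbitrary choice.

```python
import re

# Constructed sample lines in the vsftpd.log style (format assumed; adjust the
# regex below to match your server's actual transfer log). One event per line.
SAMPLE_LOG = [
    'Wed Nov 22 09:12:41 2006 [pid 2103] [ftp] OK LOGIN: Client "203.0.113.7", anon password "mozilla@"',
    'Wed Nov 22 09:12:45 2006 [pid 2103] [ftp] OK UPLOAD: Client "203.0.113.7", "/pub/incoming/seo-landing.html", 4821 bytes, 88.20Kbyte/sec',
    'Wed Nov 22 09:30:02 2006 [pid 2177] [jsmith] OK UPLOAD: Client "192.0.2.15", "/patches/win2k-pro.iso", 689000000 bytes, 1200.00Kbyte/sec',
    'Wed Nov 22 09:31:10 2006 [pid 2180] [ftp] OK DOWNLOAD: Client "198.51.100.9", "/patches/readme.txt", 1024 bytes, 50.00Kbyte/sec',
    'Wed Nov 22 09:32:00 2006 [pid 2181] [ftp] FAIL UPLOAD: Client "198.51.100.22", "/pub/readme.txt", 0.00Kbyte/sec',
    'this line is not in the expected format',
]

# Assumption: vsftpd logs anonymous sessions under the account named by its
# ftp_username setting (default "ftp"); "anonymous" covers other servers.
ANON_USERS = {"ftp", "anonymous"}

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) '
    r'\[pid (?P<pid>\d+)\] \[(?P<user>[^\]]+)\] '
    r'(?P<status>OK|FAIL) (?P<action>[A-Z]+): Client "(?P<client>[^"]+)"'
    r'(?:, "(?P<path>[^"]+)")?'      # present for UPLOAD/DOWNLOAD, absent for LOGIN
    r'(?:, (?P<bytes>\d+) bytes)?'   # absent on failed transfers
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["pid"] = int(event["pid"])
    event["bytes"] = int(event["bytes"]) if event["bytes"] is not None else None
    return event


def parse_log(lines):
    """Parse every line, silently skipping lines that are not transfer-log events."""
    return [e for e in (parse_line(line) for line in lines) if e is not None]


def anonymous_uploads(lines):
    """Successful uploads by the anonymous account: a writable anonymous FTP
    area is exactly what lets a stranger park files on a server they do not own."""
    return [e for e in parse_log(lines)
            if e["status"] == "OK" and e["action"] == "UPLOAD" and e["user"] in ANON_USERS]


def large_uploads(lines, threshold_bytes):
    """Successful uploads at or above a size threshold: a multi-hundred-megabyte
    image appearing on a patch-download share deserves a second look."""
    return [e for e in parse_log(lines)
            if e["status"] == "OK" and e["action"] == "UPLOAD"
            and e["bytes"] is not None and e["bytes"] >= threshold_bytes]


def upload_counts(lines):
    """Number of successful uploads per account, for a quick who-is-writing-here view."""
    counts = {}
    for e in parse_log(lines):
        if e["status"] == "OK" and e["action"] == "UPLOAD":
            counts[e["user"]] = counts.get(e["user"], 0) + 1
    return counts


if __name__ == "__main__":
    for e in anonymous_uploads(SAMPLE_LOG):
        print("anonymous upload:", e["client"], e["path"])
    for e in large_uploads(SAMPLE_LOG, 100 * 1024 * 1024):
        print("large upload:", e["user"], e["path"], e["bytes"], "bytes")
    print("uploads per account:", upload_counts(SAMPLE_LOG))
```

On the constructed input the script flags the anonymous upload of `/pub/incoming/seo-landing.html` (the eBay scenario: somebody else's content landing under your name) and the 689 MB `/patches/win2k-pro.iso` uploaded by a local account (the Computer World scenario). The failed anonymous upload is deliberately not flagged, since the server refused it; in practice a run of such failures is still worth a glance because it shows someone probing for a writable directory.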

Looking for more ways to scare yourself on FTP? In the world of viruses and other malware, Panda Labs reported that the top-ranking malicious code most frequently detected in October 2006 (and in fact, throughout 2006) is Sdbot.ftp, which is a script used by the Sdbot family of worms to download themselves via FTP.

ACA Guy's FTP hubris #3: I thought, erroneously, FTP is relatively secure vis-a-vis email as the most prevalent target of virus and malware.

To be fair, FTP has a long and illustrious history in the world of scripted and machine-to-machine file transfers.

But, given the prospect of having somebody make off with US$10,000 in pure profit to insert unauthorized info onto my domain, I would much rather invest $3,500 on an Accellion Secure File Transfer Appliance (SFTA) to have secure control over internal and external file transfer access or, better yet, spend the whole US$10,000 for a beefy SFTA appliance and let your security and compliance officer have a Thanksgiving day.

On that note, Happy Thanksgiving to all the gentle readers of ACA Guy based in the U.S. And, a most pleasant rest of the week for everyone else.

