[clug] What to do when confronted with usless security?

Michael James clug3 at james.st
Mon Jul 30 03:39:50 GMT 2007

I need a way of automatically retrieving files from an agency.

In the good old days, we had an FTP account for this.
Log in using our name and password and there were all our files.
Set up a cron script to wget-mirror the server twice daily and bingo.

Now they have a web front end, much friendlier for humans.
Not so easy for automating.

So I had a look...
What the web interface does is load a Java applet to do FTP.
But they use a single Generic login and password for all clients!

The username is there in the clear on the web page log screen.
Five minutes of ethereal and there is the password. It works.
I have access to everybodies files. Damn, that's more than I wanted.

A little more inspection shows the password is handed over
 in a sensibly named file. It's not hard to get,
 you don't even have to have a client login.
So a bit of obscurity and lack of interest
 is all that stops anybody on the net from getting in.

Should I tell them? After all, I have my solution,
 just fetch the password and use wget like before.
If they can write an app that only gives access
 to a particular directory, so can I.

What trouble could I get in if I do tell them
 how broken their client-based security is?


Konqueror has gotten so clever for its own boots
  that it has forgotten what a web browser is for.

More information about the linux mailing list