Thread: Microsoft to have XDA remove all ROMs next week.
View Single Post
  #51 (permalink)  
Old 02-20-2007, 04:54 PM
bigdoofus's Avatar
bigdoofus
N00b
Offline
 
Join Date: Dec 2006
Posts: 26
Reputation: 0
bigdoofus is a n00b
Mentioned: 0 Post(s)
Tagged: 0 Thread(s)
Quote:
Originally Posted by luv2chill
Hi Mike... here's a solution that is fairly easy to implement (it's what xda-dev does with their FTP).

There are two published login accounts for the ftp:

1. The download account. This account has no upload or file/folder modification privileges whatsoever. It is the account used to download only.

2. The upload account. This account only has access to an "Upload" directory off the root--nothing else. It can be used for uploading, folder creation and file system modification inside the "Upload" directory only. It has no access anywhere else.

Mods (or just you, or whomever) can have an individual login that has full permissions on all directories. They would periodically move files from the upload folder into the applicable download folders--where they will be safe from future deletion.

To make it even more secure, when someone uploads something, we can have a thread where they list the file name and the MD5 hash of the file (there are tools for all OSes that easily calculate this for you). If the FTP mod sees that the file in the upload folder matches the posted hash, then the file is safe to move to its permanent place outside of the Upload folder.

Users should think of the upload folder as a "demilitarized zone". There are no protections on anything put into that folder so use extra caution downloading anything from the Upload folder. Once a file has been moved out of there it has been deemed safe.

Anyway, that's my suggestion. We're no where near as big as xda-dev (yet, anyway!) so keeping up with moving uploads should not be too big a job, especially if several users help out with the task.

And I speak as one of the unfortunate souls who downloaded that malware from xda-dev (neither SAV corporate edtition nor Windows Defender caught it--both up to date with definitions). I watched in horror as it deleted most of my OS files. Luckily I had a USB drive hooked up at the time so I was able to copy over all my stuff immediately. Once I rebooted Windows would no longer load up.

Talk about embarassing. I hadn't been hit by a virus in years. And that thing is MALICIOUS with a captial M. I saved a copy of it intending to analyze it one day (I also need to submit it to the major AV vendors).

So I definitely think we need to implement something to keep people from being able to screw with the FTP structure. Having an Upload folder to be the one unprotected area seems like the best compromise to me.
Good point, this would probably be a lot simpler =P (I'm used to setting up multi-user FTP accounts that need the grainular permissions).
Reply With Quote