  #51 (permalink)  
Old 02-20-2007, 04:54 PM
bigdoofus
Quote:
Originally Posted by luv2chill
Hi Mike... here's a solution that is fairly easy to implement (it's what xda-dev does with their FTP).

There are two published login accounts for the ftp:

1. The download account. This account has no upload or file/folder modification privileges whatsoever. It is the account used to download only.

2. The upload account. This account only has access to an "Upload" directory off the root--nothing else. It can be used for uploading, folder creation and file system modification inside the "Upload" directory only. It has no access anywhere else.

Mods (or just you, or whomever) can have an individual login that has full permissions on all directories. They would periodically move files from the upload folder into the applicable download folders--where they will be safe from future deletion.

To make it even more secure, when someone uploads something, we can have a thread where they list the file name and the MD5 hash of the file (there are tools for all OSes that easily calculate this for you). If the FTP mod sees that the file in the upload folder matches the posted hash, then the file is safe to move to its permanent place outside of the Upload folder.

Users should think of the upload folder as a "demilitarized zone". There are no protections on anything put into that folder so use extra caution downloading anything from the Upload folder. Once a file has been moved out of there it has been deemed safe.

Anyway, that's my suggestion. We're nowhere near as big as xda-dev (yet, anyway!) so keeping up with moving uploads should not be too big a job, especially if several users help out with the task.

And I speak as one of the unfortunate souls who downloaded that malware from xda-dev (neither SAV corporate edition nor Windows Defender caught it--both up to date with definitions). I watched in horror as it deleted most of my OS files. Luckily I had a USB drive hooked up at the time so I was able to copy over all my stuff immediately. Once I rebooted, Windows would no longer load up.

Talk about embarrassing. I hadn't been hit by a virus in years. And that thing is MALICIOUS with a capital M. I saved a copy of it intending to analyze it one day (I also need to submit it to the major AV vendors).

So I definitely think we need to implement something to keep people from being able to screw with the FTP structure. Having an Upload folder to be the one unprotected area seems like the best compromise to me.
Good point, this would probably be a lot simpler =P (I'm used to setting up multi-user FTP accounts that need the granular permissions).
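The moderator-side step from the quoted proposal (compare each file in the Upload folder with the MD5 posted in the thread, then move matches into the protected download area), as an added Python example that is not part of the thread or any PPCGeeks tooling. The directory names, `md5_of`, `promote` and the sample files are assumptions made up for illustration. A match only shows the file is byte-for-byte the one the uploader announced, so the names from the post are still treated as untrusted input.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def md5_of(path: Path) -> str:
    """Hash in chunks so large ROM images are not read into memory at once."""
    digest = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def promote(upload_dir: Path, download_dir: Path, posted: dict) -> dict:
    """Move uploads whose MD5 matches the posted one; report why others stay.

    `posted` maps file name -> hex MD5 exactly as listed in the forum thread.
    """
    results = {}
    for name, want in posted.items():
        src = upload_dir / name
        # Names come from forum posts: accept plain file names only, no paths.
        if Path(name).name != name or name == "..":
            results[name] = "rejected: not a plain file name"
        elif src.is_symlink() or not src.is_file():
            results[name] = "missing or not a regular file"
        elif md5_of(src) != want.strip().lower():
            results[name] = "hash mismatch"
        elif (download_dir / name).exists():
            results[name] = "already exists in download area"
        else:
            shutil.move(str(src), str(download_dir / name))
            results[name] = "promoted"
    return results


def demo() -> dict:
    """Constructed sample: one clean upload, one altered after posting."""
    root = Path(tempfile.mkdtemp())
    upload, download = root / "Upload", root / "Apache"
    upload.mkdir()
    download.mkdir()
    (upload / "rom.zip").write_bytes(b"original build")
    (upload / "tool.cab").write_bytes(b"replaced after the hash was posted")
    good = hashlib.md5(b"original build").hexdigest()
    stale = hashlib.md5(b"tool as first uploaded").hexdigest()
    return promote(upload, download,
                   {"rom.zip": good, "tool.cab": stale, "../passwd": good})
```

Files that fail any check stay in the Upload folder for a moderator to look at by hand.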
  #52 (permalink)  
Old 02-20-2007, 07:06 PM
Perasite
Don't hate me... I'm a Windows admin. Doing what I suggested is easy there! For Linux, though, are you running your own server or is the FTP hosted? I'm pretty sure the site is hosted, thus the big move recently, but is the FTP hosted as well? I ask because if you have access to the server I'm sure we (I'd help as much as I can) can figure out some FTP server software that would allow this. I'm also sure we'd help as much as possible in setting it up. Do you have any idea how much bandwidth has gone through the FTP? Maybe separate hosting for that could be the way to go.
  #53 (permalink)  
Old 02-21-2007, 12:59 AM
DopeWeasel
Windows FTP is simple... if I had the bandwidth (or an open site to FXP through), I'd be happy to play host admin.

... I've done it in the past for certain beta IRC groups