Tell Verizon to bring back FTP [telecom]

[Bill Horne]

(Fascination of the abomination department: I know that ftp isn't
secure, but anyone who has struggled through getting Dreamweaver to
create a web page, and then found themselves unable to upload it, will
understand why I think this is worth publishing. Sorry, I couldn't
resist - Bill)

- - - - - - - - - - - - -
Tell Verizon to bring back FTP for web designers on Verizon.Net
Posted in the Verizon Forum

Jan 18, 2013

Please do me a favor and sign my petition asking Verizon to allow it's
Verizon.Net web designers to use FTP when creating and modifying their
personal web pages. FTP is the industry standard for uploading files
to web sites. We had it as a free service and they removed it stating
security issues. Without FTP users have to use Verizon's Site Builder
and it ain't pretty.

Please click -

http://www.change.org/petitions/verizon-return-ftp-to-users-who-maintain-web-sites-at-verizon-net?utm_source=guides&utm_medium=email&utm_campaign=petition_created
-or-
http://goo.gl/jdtxL

and sign.

Petition by
Venison Turner
West Bridgewater, MA

--
Bill Horne
(Remove QRM from my email address to write to me directly)

[Matt Simpson]

In article <2013051619...@telecom.csail.mit.edu>,

Bill Horne <bi...@horneQRM.net> wrote:

> I know that ftp isn't secure, but anyone who has struggled through
> getting Dreamweaver to create a web page, and then found themselves
> unable to upload it, will understand why I think this is worth
> publishing.

Instead of bringing back FTP, maybe they should offer SFTP. That should
eliminate their security woes, and any web page builder should be able
to find an SFTP client that's easy to use.

[Bill Horne]

The problem is that most web-design programs made before 2000 are only
coded for ftp, and turning off ftp is an effective way to force users
to use the brain-dead preformated sites and tools. Why an ISP would
want to do that is anyone's guess.

Bill

[David Scheidt]

Bill Horne <bi...@horneqrm.net> wrote:

:On Thu, May 16, 2013 at 06:52:00PM -0400, Matt Simpson wrote:
:> In article <2013051619...@telecom.csail.mit.edu>,
:> Bill Horne <bi...@horneQRM.net> wrote:
:>
:> > I know that ftp isn't secure, but anyone who has struggled through
:> > getting Dreamweaver to create a web page, and then found themselves
:> > unable to upload it, will understand why I think this is worth
:> > publishing.
:>
:> Instead of bringing back FTP, maybe they should offer SFTP. That should
:> eliminate their security woes, and any web page builder should be able
:> to find an SFTP client that's easy to use.

:The problem is that most web-design programs made before 2000 are only
:coded for ftp, and turning off ftp is an effective way to force users

It's 2013. Inability to use a secure file transfer program isn't
really a good reason to support insecurity, and neither is suporting
seriously obsolete web design tools.


:to use the brain-dead preformated sites and tools. Why an ISP would

:want to do that is anyone's guess.

Lower support costs, or they want to kill the service entirely.

--
sig 110

[Bill Horne]

On Fri, May 17, 2013 at 03:46:14AM +0000, David Scheidt wrote:
> Bill Horne <bi...@horneqrm.net> wrote:
> :The problem is that most web-design programs made before 2000 are only

> :coded for ftp, and turning off ftp is an effective way to force users ...

>
> It's 2013. Inability to use a secure file transfer program isn't
> really a good reason to support insecurity, and neither is suporting
> seriously obsolete web design tools.

My son drives a 1997 Buick. It's "obsolete" by your logic. It's also
capable of going 65 on the Interstate, gets about-the-same-mileage as
any other car, and moves him from home to job in a reliable
manner. Plus, the roof doesn't leak (I've owner cars where the roof
/did/ leak), and all the ergs that /might/ be saved by him purchasing
some newer, shinier model were amortized years ago.

"Obsolete" is in the eye of the owner: if it gets the job done, it's
not obsolete, by definition. I've had customer who ran DOS-based
accounting software in 2006. It's what their staff was trained on, and
it got the job done, so they used it.

Dreamweaver and similar programs are very expensive: they are
professional-grade web design tools, but cost the better part of a
thousand dollars to put in service. Small design shops that are
watching every penny sometimes choose to make do with older releases:
That's /their/ choice, not mine.

"Security" is relative: given that the material is, by its nature,
intended for public distribution, I don't see why keeping it "secure"
would be important. If you're referring to the ftp software itself
being insecure, I disagree: some /extensions/ have been problematic,
but the basic functions are no more "insecure" than http. /Any/
software needs maintenance: security and bug fixes are the bread and
butter of the sysadmin's day, and ftp daemons are no exception.

> : ...to use the brain-dead preformated sites and tools. Why an ISP

> : would want to do that is anyone's guess.

> Lower support costs, or they want to kill the service entirely.

They don't want to kill the service entirely: they just want to hobble
its users to the point where they go to commercial sites in
disgust. That's a win-win for the ISP: they get to claim that they
include "free" websites with their monthly fee, but charge extra for
webspace that's actually usable.

Bill, who is a Verizon DSL customer and therefore entitled to complain
about it.

--
Bill Horne
(Remove QRM from my address to write to me directly)

[Bill Horne]

On Fri, May 17, 2013 at 01:44:39PM -0000, John Levine wrote:
> >"Security" is relative: given that the material is, by its nature,
> >intended for public distribution, I don't see why keeping it "secure"
> >would be important.
>

> The security issue is that FTP passes your ID and password in the
> clear where it is more subject to snooping by bad guys who use it to
> upload malware droppers to your web site (which they do.)

Verizon can afford appropriate anti-malware measures.

> I agree that the chances of traffic being sniffed on the way from your
> home broadband to VZ are pretty low, but people update their web sites
> from coffee shop wifi which is notoriously sniffable.

If that were the problem, Verizon could require that uploads only come
from IP addresses that are assigned to the web site(s) in question, or
could demand that customers use separate passwords for ftp: it could
ask users to download a one-time upload key and use that instead of
their regular account password. The company could also require a
pre-authorization call from the phone number associated with the
account, or even charge a fee for uploads, thus leveraging the
security systems dedicated to preventing credit-card fraud.

> If you want to keep using antiqueware, run a local FTP server on your
> own PC, FTP the files to that, and use https or sftp or something more
> modern to move them to your host.

That's the issue in a nutshell: AFAIK, Verizon doesn't offer /any/
upload method, no matter how secure it might be. The company demands
that all web mods be done via a brain-dead, text only interface. (1)

I think Mr. Scheidt is correct: Verizon wants to kill the service. I think
I was right, too: Verizon doesn't want to give up whatever advertising
value it gets by /claiming/ to offer websites.

Bill

1. If anyone has a method to upload files to a "free" web server
associated with Verizon ADSL, I'd like to know it.

[John Levine]

>"Security" is relative: given that the material is, by its nature,
>intended for public distribution, I don't see why keeping it "secure"
>would be important.

The security issue is that FTP passes your ID and password in the
clear where it is more subject to snooping by bad guys who use it to
upload malware droppers to your web site (which they do.)

I agree that the chances of traffic being sniffed on the way from your
home broadband to VZ are pretty low, but people update their web sites
from coffee shop wifi which is notoriously sniffable.

[tlvp]

On Thu, 16 May 2013 21:36:23 -0400, Bill Horne wrote:

> ... The problem is that most web-design programs made before 2000 are only
> coded for ftp, ...

That's why many web designers use FileZilla (a SourceForge project attuned
to many operating systems) to transfer their files securely -- FileZilla
supports natively three different variations on a secure FTP(*) -- it
suffices to point the local panel in the FileZilla UI to the local
directory holding what your web-design programs produced, and the remote
panel to the remote directory you want to transfer those files to, and then
to drag'n'drop the files needing FTP-age.

HTH. Cheers, -- tlvp

(*) SFTP -- SSH File Transfer Protocol; FTPS -- FTP over implicit TLS/SSL;
and FTPES -- FTP over explicit TLS/SSL (using FileZilla's descriptions)
--
Avant de repondre, jeter la poubelle, SVP.

[tlvp]

On Fri, 17 May 2013 08:20:38 -0400, Bill Horne wrote:

> "Security" is relative: given that the material is, by its nature,
> intended for public distribution, I don't see why keeping it "secure"
> would be important. If you're referring to the ftp software itself
> being insecure, I disagree: some /extensions/ have been problematic,
> but the basic functions are no more "insecure" than http. /Any/
> software needs maintenance: security and bug fixes are the bread and
> butter of the sysadmin's day, and ftp daemons are no exception.

I hate arguing with an overwhelmingly friendly and knowledgable
sysadmin/moderator, but let me nonetheless point out that:

1) precisely because the web matter to be FTPed is intended for public
distribution, it's vital that no malicious malefactor be in a position to
tamper with the files -- not before they're in place, as might occur with
an insecure http-based transfer process; nor after they're in place, as
might happen with an insecure FTP ritual if an interloper could sniff your
web-host AUTH data from your FTP session, thereafter to log in as you and
replace stuff willy-nilly;

2) just as http is insecure (as compared with https), and there are
insecure and secure variations of the POP3 and IMAP and SMTP mail protocols
(and the NNTP net news transfer protocol), so one wants to be using a
secure version of FTP as urgently as one wants https for inline banking;

and 3) FileZilla itself keeps itself maintained with fresh security patches
and bug fixes, as must all working software.

Apologies if my best intentions came off as carping or trolling -- not what
I had in mind at all. Cheers, -- tlvp

[tlvp]

On Fri, 17 May 2013 03:46:14 +0000 (UTC), David Scheidt wrote:

> ... or they want to kill the service entirely.

That was certainly the motive of at&t WorldNet -- first they discouraged
FTP except on the part of folks dialed in to their own dial-up-modem pools,
though they had earlier allowed FTPES through DSL; later they dropped their
Personal Web Page offering entirely (with about 6 weeks' notice, at that).

Remember: forewarned is fore-armed. Cheers, -- tlvp

[HAncock4]

On May 17, 9:44 am, "John Levine" <jo...@iecc.com> wrote:

> I agree that the chances of traffic being sniffed on the way from your
> home broadband to VZ are pretty low, but people update their web sites
> from coffee shop wifi which is notoriously sniffable.

Seems to me the problem is doing mission critical work (like updating
a web site or conducting commerce) from seriously "sniffable"
locations, like coffee shops and the like.

As to FTP in general, I agree with Mr. Horne's comments, and do not
agree with Mr. Scheidt about obsolescence. As Mr. Horne pointed out,
frequent upgrading to stay "modern" is a cost in time, software, and
hardware that not everybody has.

Historically, in the mainframe world, great efforts were made to
maintain backward compatibility for _decades_ in order to protect the
software investments of the customers and end users. That also
applied in the telecom world and broadcast world.

Many companies are discovering that rewriting their legacy "green-on-
glass" mainframe systems into something modern is extremely costly and
disruptive to the organization.

[Scott Dorsey]

My suspicion is NOT that they want to eliminate FTP or SFTP or any other
such thing, but the purpose they are doing this is specifically to prevent
customers from providing their own code.

If they lock customers into using their own code generator, they have a lot
more control over their own security.

And, let's face it, this is not a high end hosting facility. If you want to
put up a real website, you probably want to get a real web provider. And
Verizon probably does not want you as a customer for their bundled web server
service anyway.
--scott

--
"C'est un Nagra. C'est suisse, et tres, tres precis."

[Bill Horne]

On Sun, May 19, 2013 at 04:13:09PM -0400, Scott Dorsey wrote:
> Matt Simpson <net-n...@jmatt.net> wrote:
> >In article <2013051619...@telecom.csail.mit.edu>,
> > Bill Horne <bi...@horneQRM.net> wrote:

>>> I know that ftp isn't secure, but anyone who has struggled through

>>> getting Dreamweaver to create a web page, and then found them-

>>> selves unable to upload it, will understand why I think this
>>> is worth publishing.

>> Instead of bringing back FTP, maybe they should offer SFTP. That should
>> eliminate their security woes, and any web page builder should be able
>> to find an SFTP client that's easy to use.
>
> My suspicion is NOT that they want to eliminate FTP or SFTP or any other
> such thing, but the purpose they are doing this is specifically to prevent
> customers from providing their own code.
>
> If they lock customers into using their own code generator, they have a lot

> more control over their own secuyrity.

I don't think Verizon cares about "Security" in the sense of wanting
to prevent bad code. I think the company wants to eliminate web
service in all but name; to be able to /claim/ that it offers
"Personal Web Pages", without having to support them or risk
embarassment by having any user employ one as a virus source.

Verizon has already eliminated some web page offerings: if my
experience trying to access "my" pwp is any guide, they've already
killed those associated with ADSL. I'll confirm that tomorrow, but if
anyone has a seen a change in the TOS that said this would happen,
please phone it in.

> And, let's face it, this is not a high end hosting facility. If you want to
> put up a real website, you probably want to get a real web provider. And
> Verizon probably does not want you as a customer for their bundled web server
> service anyway.

Most small companies have static content: basic information and
contacts, and maybe even a list of products, but no shopping cart or
other active pages. A "personal" page works fine for that kind of
thing, and it doesn't take a lot of computer muscle to deliver static
files: it's what /every/ web server starts off doing, after all.

The question, then, is "Why"? It's unlikely that any major new players
will emerge from basements or garages or dorm rooms, but even the next
Larry Page or Sergei Brin or whomever can afford commercial web space,
since the dot-bomb left so much capacity lying unused. So, why does
Verizon seek, AFAICT, to neglect its web service until it's only
available in theory?

Bill


--
Bill Horne
(Remove QRM from my address to write to me directly)

[Garrett Wollman]

In article <20130520032...@telecom.csail.mit.edu>,

Bill Horne <bi...@horneQRM.net> wrote:
>The question, then, is "Why"? It's unlikely that any major new players
>will emerge from basements or garages or dorm rooms, but even the next
>Larry Page or Sergei Brin or whomever can afford commercial web space,
>since the dot-bomb left so much capacity lying unused.

You're a decade out of date, Bill. The world doesn't work like that
any more, not for a long time. *Any* new Web service today is going
to start at a virtualization provider like Amazon or Rackspace, not on
the spare server in the back room -- and this includes the ones
founded in basements, garages, and dorm rooms. There is simply no
sense to tying up capital in any sort of physical infrastructure until
your business is big enough that you're building your own data
centers. (And frankly, even if you're a hotshot Web developer, server
operations is highly unlikely to be in your core competencies anyway;
better to leave that to someone else.)

-GAWollman
--
Garrett A. Wollman | What intellectual phenomenon can be older, or more oft
wol...@bimajority.org| repeated, than the story of a large research program
Opinions not shared by| that impaled itself upon a false central assumption
my employers. | accepted by all practitioners? - S.J. Gould, 1993

[Bill Horne]

On Mon, May 20, 2013 at 06:02:35AM +0000, Garrett Wollman wrote:
> In article <20130520032...@telecom.csail.mit.edu>,
> Bill Horne <bi...@horneQRM.net> wrote:
> >The question, then, is "Why"? It's unlikely that any major new players
> >will emerge from basements or garages or dorm rooms, but even the next
> >Larry Page or Sergei Brin or whomever can afford commercial web space,
> >since the dot-bomb left so much capacity lying unused.
>
> You're a decade out of date, Bill. The world doesn't work like that
> any more, not for a long time. *Any* new Web service today is going
> to start at a virtualization provider like Amazon or Rackspace, not on

> the spare server in the back room ...

The /question/ is, *why* is Verizon sabotaging its own web offering?

[John Levine]

>The /question/ is, *why* is Verizon sabotaging its own web offering?

It's Verizon. Because they can.

"We don't care. We don't have to. We wouldn't even know how."

HTH, HAND,

PS: They've probably noticed that the cable providers they compete with
don't provide any web hosting at all on consumer accounts.

[Bill Horne]

Well, that's certainly the simplest explanation, and Occam's Razor
would yield that result - if it fit all the facts. However, given the
"because they can" reason, I'd expect them to just turn the web
servers off.

But, it doesn't make sense to me. I'm the last guy in the world to
defend Ma Bell, but ISTM that /someone/ has to benefit from what
they're doing, and I don't see the logic.

Bill

--
Bill Horne
Moderator

[Scott Dorsey]

They aren't sabotaging it. They're doing something that is going to get
rid of the higher volume customers that they don't want.

It's not a "web offering." It's not a revenue source, it's a revenue sink.
It's a free bonus offered in with cheap consumer accounts. Verizon wants to
spend as little money as possible running it and have as few customers as
possible actually using it.

[Thad Floryan]

On 5/20/2013 10:11 AM, Bill Horne wrote:
> On Mon, May 20, 2013 at 03:15:29PM -0000, John Levine wrote:
>>> The /question/ is, *why* is Verizon sabotaging its own web offering?
>> It's Verizon. Because they can.
>>
>> "We don't care. We don't have to. We wouldn't even know how."
>>
>> HTH, HAND,
>>
>> PS: They've probably noticed that the cable providers they compete with
>> don't provide any web hosting at all on consumer accounts.
>
> Well, that's certainly the simplest explanation, and Occam's Razor
> would yield that result - if it fit all the facts. However, given the
> "because they can" reason, I'd expect them to just turn the web
> servers off.

Similar to ISPs shutting down all their NNTP Usenet servers -- it's
been happening for awhile now and it's continuing.

Duke University, where Usenet began, shut down their server(s)
on May 20, 2010, three years ago to the day:

http://www.dukenews.duke.edu/2010/05/usenet.html

> But, it doesn't make sense to me. I'm the last guy in the world to
> defend Ma Bell, but ISTM that /someone/ has to benefit from what
> they're doing, and I don't see the logic.

Inexpensive web hosting is readily available for dirt cheap. I've
directed many friends, colleagues and associates to the provider
I have been using since mid-1995 and they provide today a FreeBSD
virtual system with full shell access, Apache, WordPress, qmail,
spamassassin, Dovecot IMAP, etc. all bundled in together for just
$9.95/month. The account I have has been grandfathered and no
longer available for new customers -- it gives me backup hard drives
and a lot of other services for just $25/month and I've over 200GB
online (most of it private). Uptime is the proverbial 99.999% as
you can see (since the last OS update):

thadlabs bash 78070/78072> date
Mon May 20 14:06:02 PDT 2013
thadlabs bash 78070/78072> uptime
2:06PM up 579 days, 11:23, 5 users, load averages: 0.00, 0.00, 0.00
thadlabs bash 78070/78072> uname -sn
FreeBSD thadlabs.com

For those unaware, Dovecot is one of only three 100% IMAP conforming
servers as you can read here:

http://imapwiki.org/ImapTest/ServerStatus

Thad

[tlvp]

On 20 May 2013 15:15:29 -0000, John Levine wrote:

> They've probably noticed that the cable providers they compete with
> don't provide any web hosting at all on consumer accounts.

Ah, but have they noticed that those cable providers are providing *static*
IPs, so that their subscribers can register a domain with any registrar and
then host their very own servers from their very own basements?

No static IP from DSL providers except at extra cost AFAIK. Cheers, -- tlvp
---

Avant de repondre, jeter la poubelle, SVP.

***** Moderator's Note *****

Comcast forbids home servers, and blocks all common server ports,
including SMTP, HTTP, and FTP. Althouh it's possible to work around
the blocks, it's a PITA. Whenever I complained, the blocks would go
away for a couple of weeks, and then it was back to blockage as usual.

At one time, Comcast was also blocking ports used by competing
companies: an issue so sensititve to Bostonians that Comcast packed a
public FCC meeting to prevent local voices from being heard.

Bill Horne
Moderator

[Bill Horne]

On 5/16/2013 3:36 PM, Bill Horne wrote:
> - - - - - - - - - - - - -
> Tell Verizon to bring back FTP for web designers on Verizon.Net
> Posted in the Verizon Forum
>
> Jan 18, 2013
>
> Please do me a favor and sign my petition asking Verizon to allow it's
> Verizon.Net web designers to use FTP when creating and modifying their
> personal web pages. FTP is the industry standard for uploading files
> to web sites. We had it as a free service and they removed it stating
> security issues. Without FTP users have to use Verizon's Site Builder
> and it ain't pretty.
>
> Please click -
>
> http://www.change.org/petitions/verizon-return-ftp-to-users-who-maintain-web-sites-at-verizon-net?utm_source=guides&utm_medium=email&utm_campaign=petition_created
> -or-
> http://goo.gl/jdtxL

I just suffered through two hours of "Site Builder". That was after I
had to use *Google* to *find* the update page for the site that's
associated with my ADSL service!

I'm going to sign the petition, and I think you should, too.

BTW, my verizon.net site is at http://mysite.verizon.net/vze17ebj8/ .
Feel free to feedback your criticisms to my horne dot net address.

Bill


--
Bill Horne
(Remove QRM from my address to write to me directly)

[John Levine]

>> They've probably noticed that the cable providers they compete with
>> don't provide any web hosting at all on consumer accounts.
>
>Ah, but have they noticed that those cable providers are providing *static*
>IPs, so that their subscribers can register a domain with any registrar and
>then host their very own servers from their very own basements?

No, because the cable providers do not provide static IPs, except at
extra cost to "business class" customers. I'm a T-W cable customer,
my IP can change whenever my modem reboots which it does every couple
of weeks. Maybe my IPv6 address block will be static.

R's,
John

***** Moderator's Note *****

In the Boston area, just before my Comcast trial was over, I was
getting a "static" IP address which was changed about once a month,
for no discernable reason. It was, however, publicly addressable, so I
could point my domain names to it using a dynamic DNS service.

Of course, as I wrote before, it was impossible to run any kind of
server without using non-standard ports, and a glance at the server
logs of a site I visited showed that all outgoing http connections
were being diverted through Comcast's proxy servers.

Bill Horne
Moderator