On 11/16/2020 11:42 PM, Keith Moore wrote:
But there really should be a good reason to make such a change. I have run FTP servers before; they're not much trouble.
I've run SMTP servers quite a bit. They're not much trouble. Except for that one time when someone hit me with some kind of Postfix buffer overflow exploit that allowed them to append commands to the end of /etc/rc.local that downloaded heaven knows what (it appeared to take some blunt but effective measures to hide its tracks) and which got bootstrapped on reboot. I lost the most part of two days rebuilding the server from the ground up and painstakingly restoring data from backups as I examined it to ensure it hadn't been corrupted by the attacker. (And that was presumably someone just opportunistically scanning port 25 across the network randomly to look for vulnerable servers -- the risk is much higher for high-profile organizations that someone might take a beef with.)
The most important point that I made up-thread is that extra services provide extra attack surface.
That's the big cost -- and it's more significant an expense than opex by a fair amount. To be clear, it's a cost to be considered rather than a hard blocker. I mean, I still run an SMTP service on that same server, because it has ongoing utility for me that I can't easily replace. But I certainly scaled back the number of publicly-visible services I run on that machine after that experience. Each one added risk, and the amortized cost of that risk across time (as measured in potential person hours to recover from an attack) was generally larger than the value of the service for most of the services I had previously turned on.
And *that's* the calculus I'm applying in this scenario. Nothing to do with what's fashionable, or how I personally think everyone ought to use computers, or some notion that stable APIs are irrelevant. Those would all be questionable reasons for making a suggestion to retire a service, and it's uncharitable to assign such motives to me or anyone else without supporting evidence. I'm basing my suggestion here on a straight-up cost/value evaluation.
In any case, I've said my bit, and I believe my analysis holds up to the scrutiny you've put it through. You and others can make of my input what you may, but I'm really out of time to engage in a detailed back-and-forth here, so this is probably the last message I'll be sending on the topic.
/a
