Learning Something New About a 20-Year-Old Protocol
Ignorance abounds, and it's kind of sad really. Last night I was staying late at work and I got a phone call from a tech on the West Coast regarding an FTP problem his company was having inside my building.
Turns out they're trying to use FTP to move sensitive financial data across the country and it was SNAFU'd. I cannot rightly comprehend why any company capable of setting up their own FTP services wouldn't also understand why they shouldn't. Then again, this company hadn't gotten to the "capable" part yet.
So I explained it to the tech: "You had this exact same problem last week, and it turned out your company's router wasn't configured to forward high-numbered ports, so FTP naturally barfed." Emphasis on the "your company's" part, because I'm getting mighty sick and tired of giving them the copious amounts of free tech support that they've been taking from me since they arrived last month. Their problems go far beyond integration of subnet X with LAN Y. The company has simply not sent out anyone who has a clue, and so the on-site staff are stuck and have exactly one option presented to them: ask Toby to fix it. Ugh.
I went on to explain to the tech how FTP uses two streams: one for control instructions and one for data. Their router was barely configured to forward one of those streams. And the ass kicker? The tech said to me, "Really? I—I never knew that before." He said this about the fact that FTP uses multiple ports and has since 1985.
So there is no question that ignorance abounds. And I wonder to myself what I've done wrong. Why aren't people getting the message that FTP isn't secure? Why are people still using FTP with usernames and passwords and STOR commands and everything? It's dangerous. There has to be some way to start getting the message out. I just wish I knew what it was.
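The two-stream behaviour described in the post, as an added example that is not part of the original post: the data port is negotiated in-band on the control connection, so a router that forwards only port 21 lets the login succeed and then stalls every transfer. The transcript, addresses, filename and forwarded-port set below are constructed assumptions.

```python
import re

# Constructed control-channel transcript (TCP 21): C = client, S = server.
SAMPLE_SESSION = [
    ("C", "USER alice"),
    ("S", "331 Password required"),
    ("C", "PASS example-password"),
    ("S", "230 Logged in"),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (192,0,2,10,195,80)"),
    ("C", "STOR ledger.csv"),
    ("C", "EPSV"),
    ("S", "229 Entering Extended Passive Mode (|||50211|)"),
    ("C", "PORT 198,51,100,7,4,1"),
]

SIX = r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)"
PASV_RE = re.compile(r"^227 .*?" + SIX)             # RFC 959 passive reply
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")  # RFC 2428 extended passive reply
PORT_RE = re.compile(r"^PORT " + SIX + r"$")        # RFC 959 active-mode command

def _decode(groups):
    """h1,h2,h3,h4,p1,p2 -> (dotted host, p1*256 + p2)."""
    h1, h2, h3, h4, p1, p2 = map(int, groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def data_endpoints(session):
    """List (mode, host, port) for each data channel negotiated in-band."""
    found = []
    for side, line in session:
        if side == "S" and (m := PASV_RE.match(line)):
            found.append(("passive", *_decode(m.groups())))
        elif side == "S" and (m := EPSV_RE.match(line)):
            found.append(("passive", None, int(m.group(1))))  # host = control peer
        elif side == "C" and (m := PORT_RE.match(line)):
            found.append(("active", *_decode(m.groups())))
    return found

def unforwarded(endpoints, forwarded_ports):
    """Data endpoints whose port has no forwarding rule (assumed rule set)."""
    return [e for e in endpoints if e[2] not in forwarded_ports]

def cleartext_credentials(session):
    """USER/PASS lines, which FTP sends unencrypted on the control channel."""
    return [l for side, l in session if side == "C" and l.split(" ", 1)[0] in ("USER", "PASS")]

if __name__ == "__main__":
    for ep in unforwarded(data_endpoints(SAMPLE_SESSION), {21}):
        print("no forwarding rule for data channel:", ep)
```

In passive mode the listed port is one the server listens on; in active mode it is one the client listens on, so the forwarding rule belongs on whichever side accepts the data connection.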