The bane of file sharing

by Francois Joseph de Kermadec

I have worked with many flavors of Mac OS and Windows, from System 7 and Windows 95 to Tiger and XP, fooled around with some distributions of Linux and read plenty of stuff about a slew of embedded operating systems I couldn't even boot by myself with an instruction manual. All these operating systems have one thing in common: they all include, in some way or the other, the ability for users to share files over a local network, by dragging and dropping a couple files here and there, checking a couple boxes and sitting back. And of course, over the years, all these operating systems have seen security updates because of privilege escalation issues, because of information leaks, denial of service attacks, etc... all of these revolving around that one ability to share files.

Now, sharing files is a laudable goal but who on earth really uses File Sharing for good? After having worked in different offices, from independent places to large corporations, I have witnessed it in use just about everywhere, on every platform, but never in the right way. One of my former bosses used to share his confidential documents over the network (unknowingly, of course), some of my colleagues were hosting malware on their machines (again, not on purpose) and a couple servers I know were hacked through that very medium. In that mess, was anyone able to share files? Hardly, as most computer users are much more comfortable committing the ultimate heresy that is using email to send large files.

Solutions abound today to quickly and easily share files between users and computers, be it by setting up a dedicated server, renting some online space, transferring the file through IM... In fact, there is no other excuse I can see for File Sharing than the replacement of a real server in an office space that does not wish to invest in one. This, of course, is the first step towards a security nightmare as no file sharing system has really been designed to seriously share anything -- a few files, tops, all belonging to the same security group.

Today, operating systems would be much more attractive if they came bundled with an online service (think .Mac without the outages and included in the price tag) than by including some of these features whose meaning has long been lost. Through force of habit, though, and because they know users still go ahead and enable file sharing first thing, computing companies are reluctant to make that feature evolve. Apple, by actually shipping server-grade tools under the cover of "Personal" sharing in Mac OS X, has made the first step in that direction but lots of work still needs to be done to ensure users only share what they should.


2005-12-15 16:14:53
Apple also sets it up...
so that "Sharing" features aren't activated by default, and can only be activated by a user with admin-level privileges who affirmatively clicks a button indicating they want to activate such features.

IMO this is one of the best security practices built into OS X.

2005-12-16 01:07:06
Apple also sets it up...

You are entirely right, this is a very important security step Apple took and one can only applaud them for putting the "secure-by-default" idea into the mainstream spotlight.