Hi Joe, > In view of all the computer security problems UCAR has been having > recently, ATD is having to reconsider how we can automatically transfer > data from field projects. We formerly used scp to transfer files, but > I understand this will soon require a one-time password, which isn't > very practical for un-attended operations. > > Is LDM still considered a secure data transfer protocol, that we can use > to transfer data from the field to our (semi)exposed hosts at NCAR? > > I've used LDM for data transfers in IHOP, and it worked fine, so we'd > like to know if we can use it for future field projects. The only security issue I know about with the LDM is: http://my.unidata.ucar.edu/content/software/ldm/security_notices.html but I don't think that's anything to worry about unless you're running on platforms that haven't had this bug in their XDR libraries fixed. I'm not even sure why xdrmem_getbytes() is mentioned, since that's not called by any of the LDM software. xdr_array() is called, but vendors have had since 2002 to fix that bug in their libraries. The LDM is probably vulnerable to denial of service attacks or IP address spoofing, but I'm not aware of any exploits. There's also an AIX security patch that breaks the LDM: http://www.unidata.ucar.edu/cgi-bin/msgout?/glimpse/ldm/6228 but I'll bet you aren't using AIX. I'm CC:ing Steve Emmerson on this reply, since he's responsible for LDM6 and probably knows more about any security problems. --Russ
NOTE: All email exchanges with Unidata User Support are recorded in the Unidata inquiry tracking system and then made publicly available through the web. If you do not want to have your interactions made available in this way, you must let us know in each email you send to us.