| 1 |
Arun Raghavan wrote: |
| 2 |
>> We could use such an identifier to identify repeated submissions |
| 3 |
>> (users should send in more up to date again later) and handle |
| 4 |
>> some kind of "database pollution" attacks. We wouldn't catch |
| 5 |
>> attackers that change their MAC before submission. |
| 6 |
> |
| 7 |
> Not sure how you can deal with this. How does Smolt or Debian's thing |
| 8 |
> deal with it? |
| 9 |
|
| 10 |
A few words about how smolt is handling this: |
| 11 |
|
| 12 |
On first run or at installation time of smolt a machine ID is |
| 13 |
generated by reading from |
| 14 |
|
| 15 |
/proc/sys/kernel/random/uuid |
| 16 |
|
| 17 |
This ID is written to |
| 18 |
|
| 19 |
/etc/sysconfig/hw-uuid |
| 20 |
|
| 21 |
and used for any later profile submission. A profile is the |
| 22 |
collection of data to be submitted. To enable data gathering |
| 23 |
I had to start two deamons: dbus and hald. The data seems |
| 24 |
to be gathered from specific nodes in the file system |
| 25 |
from Python code directly. On successful submission |
| 26 |
the server hands out an "admin password" which enables you to |
| 27 |
fine tune details online like "device foo worked (a) out of the |
| 28 |
box (b) required additional config (c) ..." and so on for each |
| 29 |
device from the list you submitted. It seems that all communication |
| 30 |
is done over HTTP in an unencrypted manner. |
| 31 |
|
| 32 |
There are three programs any user can run: |
| 33 |
|
| 34 |
- smoltSendProfile |
| 35 |
- smoltDeleteProfile |
| 36 |
- smoltGui |
| 37 |
|
| 38 |
So you can also revoke your data from the official stats. |
| 39 |
The GUI frontend did not tell the admin password after submission, |
| 40 |
I guess upstream forgot showing it. |
| 41 |
|
| 42 |
|
| 43 |
|
| 44 |
Sebastian |
Archives