| 1 |
2009/4/2 Sebastian Pipping <webmaster@××××××××.org>: |
| 2 |
[...] |
| 3 |
>> What if there would be a unique identifier (hashed MAC |
| 4 |
>> address?) that just identifies the Gentoo installation, would that be |
| 5 |
>> enough? That way you can track without any privacy issues involved, I |
| 6 |
>> think. |
| 7 |
> |
| 8 |
> We could use such an identifier to identify repeated submissions |
| 9 |
> (users should send in more up to date again later) and handle |
| 10 |
> some kind of "database pollution" attacks. We wouldn't catch |
| 11 |
> attackers that change their MAC before submission. |
| 12 |
|
| 13 |
Not sure how you can deal with this. How does Smolt or Debian's thing |
| 14 |
deal with it? |
| 15 |
|
| 16 |
> I suppose a privacy issue still exists as you might be able to |
| 17 |
> resolve certain changes in submission data over time down |
| 18 |
> to a person. I better not construct scenarios here, but I'm |
| 19 |
> afraid that would be possible. |
| 20 |
|
| 21 |
Quite frankly, I think anybody who is worried about this attack would |
| 22 |
be too paranoid to send you that data anyway. I mean, you could even |
| 23 |
potentially match timestamps related to the db updates with server |
| 24 |
logs and IP addresses. Again, if someone is paranoid enough about |
| 25 |
their privacy to worry about such an attack, they wouldn't submit |
| 26 |
their data anyway. |
| 27 |
|
| 28 |
I think you'll need to strike a balance between the effort taken to |
| 29 |
increase privacy by a factor of 'x' and the number of particpating |
| 30 |
users you stand to increase because of this improvement. |
| 31 |
-- |
| 32 |
Arun Raghavan |
| 33 |
(http://nemesis.accosted.net) |
| 34 |
v2sw5Chw4+5ln4pr6$OFck2ma4+9u8w3+1!m?l7+9GSCKi056 |
| 35 |
e6+9i4b8/9HTAen4+5g4/8APa2Xs8r1/2p5-8 hackerkey.com |
Archives