1 |
2009/4/2 Sebastian Pipping <webmaster@××××××××.org>: |
2 |
[...] |
3 |
>> What if there would be a unique identifier (hashed MAC |
4 |
>> address?) that just identifies the Gentoo installation, would that be |
5 |
>> enough? That way you can track without any privacy issues involved, I |
6 |
>> think. |
7 |
> |
8 |
> We could use such an identifier to identify repeated submissions |
9 |
> (users should send in more up to date again later) and handle |
10 |
> some kind of "database pollution" attacks. We wouldn't catch |
11 |
> attackers that change their MAC before submission. |
12 |
|
13 |
Not sure how you can deal with this. How does Smolt or Debian's thing |
14 |
deal with it? |
15 |
|
16 |
> I suppose a privacy issue still exists as you might be able to |
17 |
> resolve certain changes in submission data over time down |
18 |
> to a person. I better not construct scenarios here, but I'm |
19 |
> afraid that would be possible. |
20 |
|
21 |
Quite frankly, I think anybody who is worried about this attack would |
22 |
be too paranoid to send you that data anyway. I mean, you could even |
23 |
potentially match timestamps related to the db updates with server |
24 |
logs and IP addresses. Again, if someone is paranoid enough about |
25 |
their privacy to worry about such an attack, they wouldn't submit |
26 |
their data anyway. |
27 |
|
28 |
I think you'll need to strike a balance between the effort taken to |
29 |
increase privacy by a factor of 'x' and the number of particpating |
30 |
users you stand to increase because of this improvement. |
31 |
-- |
32 |
Arun Raghavan |
33 |
(http://nemesis.accosted.net) |
34 |
v2sw5Chw4+5ln4pr6$OFck2ma4+9u8w3+1!m?l7+9GSCKi056 |
35 |
e6+9i4b8/9HTAen4+5g4/8APa2Xs8r1/2p5-8 hackerkey.com |