I'm thinking of lots of glue, a Perl script for the client and an HTTPS server on
gentoo.org to allow SSL (Secure Sockets Layer) communication between
client/server. It's a fresh approach to solve just this problem... Well,
fresh is relative here ;)

Here's a link:
http://developer.netscape.com/docs/manuals/security/sslin/contents.htm



>From: Rufiao <rufiao@×××.net>
>Reply-To: gentoo-dev@g.o
>To: gentoo-dev@g.o
>Subject: Re: [gentoo-dev] RFP: System to account users configurations
>Date: Sun, 16 Jun 2002 20:11:37 -0300
>
>
>The abuse of this kind of system should be taken into account, since it may
>be quite easy for someone to create a bot (or whatever) capable of feeding
>the system with fake data, and by consequence destroy its reputation.
>
>However, I agree this issue should not complicate the system setup. There
>are problems with the approach I've described, in particular for users who
>maintain more than a couple of Gentoo boxes (it may be inconvenient even
>for people who run more than one machine, due to the fact it's necessary to
>have one key per machine).
>
>Debian's popularity-contest uses SMTP as its transport, both to avoid the
>need for a constant internet connection and to have some means to ensure the
>identity of every contributing machine. I'm not sure SMTP can help on the
>identification of users at all, and it may complicate the setup even more
>for users who don't have local MTA spools set up (and who want to
>participate but don't have constant connectivity), so I've discarded it.
>
>Also, using the machine's IP addresses as a measure of abuse (by
>investigating how many posts occur for a given address) may lead to bad
>results, since some users have more than one machine under a 1:n NAT.
>
>In the end, it may be better to simply avoid the signup, and use some
>'loose' approach, which is to ask the user's e-mail to be used just in the
>case of abuse detection (of course a 'bad' user could provide a fake e-mail
>address, but in this case, after the detection of abuse and an unsuccessful
>attempt to contact the user, all his provided data can be set to be
>automatically rejected by the server-side system).
>
>But it may happen there's a better approach for this whole problem.. Any
>thoughts?
>
>On Sun, 16 Jun 2002 17:12:52 -0400
>"Faust Tanasescu" <faust_tanasescu@×××××××.com> wrote:
>
> > >From: Rufiao <rufiao@×××.net>
> > >Reply-To: gentoo-dev@g.o
> > >To: gentoo-dev@g.o
> > >Subject: [gentoo-dev] RFP: System to account users configurations
> > >Date: Sun, 16 Jun 2002 17:16:21 -0300
>[...]
> > >
> > >On the client side, the procedure to provide data for the system is the
> > >following:
> > >
> > >- User emerges the package, which:
> > >  - Sets a crontab entry to let the system run periodically, possibly
> > >    requiring user intervention to specify when the system should run
> > >  - Points to a URL (in the gentoo.org domain) for signup
> > >- User goes to the provided URL, which requests the e-mail from the user,
> > >  and that the user transcribe a random 4-letter message shown as an
> > >  image to a text box. These requirements are used to ensure, as far as
> > >  possible, the authenticity of the data and to avoid automated signups
> >
> > Users are required to 1) want to participate in this survey 2) be asked
> > when the system should run the information grab 3) go to the URL to
> > subscribe to the service 4) get a magic key from the server 5) set up the
> > client system 6) check it runs well.
> >
> > We don't have many users and the setup is very complicated for my taste for
> > something that brings nothing to me as a Gentoo user. And we want people
> > to use this; the more, the better.
> > I don't know about this, but as a Gentoo user, if a system like this
> > were available I would not bother installing it. It is way too lengthy and I
> > get nothing out of it as an individual.
> >
> > I propose making this whole process a lot simpler for the client. What
> > we must keep in mind is that no system is perfect, and to not fall into
> > paranoia. I therefore propose shortening the setup of this survey system
> > to something smaller.
> >
> > 1) user is required to emerge the package.
> > 2) they are asked when the collect should run
> >
> > and that's it
> >
> > now how to keep people from abusing this system is a whole new
> > question and I think we should treat it separately. However I'd like to
> > propose something as well.
> >
> > it's the server's duty to protect itself from idiots. When the client
> > connects to the server to upload its information file, the server sends the
> > client a unique key that expires after 1 week or a couple of days.. depends
> > on how often we want input. If the client tries to send input again it could
> > remove the key file of course and claim it's new to the service; that's why
> > the submitter's IP address needs to be recorded for first-time users as well.
> >
> > Of course the system is not perfect... the idiot could change his IP
> > address of course no problemo ... he could disconnect/reconnect to his ISP
> > or something similar but that would be real stupid. I don't think that many
> > people would actually attempt that.
> >
> > I think that the person who would attempt this, if it's ever going to
> > happen, it's because our user base has grown very, very large and his
> > impact would be minimal to our system.
> >
> >
> > This is just an idea.. i'm sure there are better...
>_______________________________________________
>gentoo-dev mailing list
>gentoo-dev@g.o
>http://lists.gentoo.org/mailman/listinfo/gentoo-dev
137 |
|
138 |
|
139 |
|
140 |
|
141 |
_________________________________________________________________ |
142 |
Join the world’s largest e-mail service with MSN Hotmail. |
143 |
http://www.hotmail.com |
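Added example, not code from this thread or from Gentoo: a model of the server-side checks Faust proposes above (a per-client key that expires after a fixed period, rejection of a resubmission while the key is still valid, and IP bookkeeping for first-time submitters so a client that deletes its key file and "claims new" can be spotted), with a per-address tolerance added for the 1:n NAT case Rufiao raises. The thread talks about a Perl client and an HTTPS server; Python is used here only so the model runs stand-alone, with time passed in explicitly. The one-week lifetime, the tolerance of five first-time submissions per address, the class and function names and the sample addresses are all assumptions; storing only a hash of the issued key is an addition beyond what the thread proposes.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Optional

KEY_TTL = 7 * 24 * 3600   # assumed: a key is good for one week, then the client may report again
MAX_NEW_PER_IP = 5        # assumed: first-time submissions tolerated per address per period (NAT)


@dataclass
class Result:
    status: str                 # "accepted" or "rejected"
    reason: str
    key: Optional[str] = None   # fresh key handed back to the client on acceptance


@dataclass
class SurveyServer:
    """Server-side state for the submission protocol sketched in the thread (assumed names)."""
    issued: dict = field(default_factory=dict)      # sha256(key) -> (issue_time, ip)
    first_seen: dict = field(default_factory=dict)  # ip -> [issue times of key-less submissions]
    reports: list = field(default_factory=list)     # accepted (ip, payload) pairs

    @staticmethod
    def _fingerprint(key: str) -> str:
        # Keep only a hash of the key server-side so a leaked table cannot be replayed.
        return hashlib.sha256(key.encode()).hexdigest()

    def _issue(self, ip: str, now: int) -> str:
        key = secrets.token_hex(16)
        self.issued[self._fingerprint(key)] = (now, ip)
        return key

    def submit(self, ip: str, payload: str, now: int, key: Optional[str] = None) -> Result:
        """Handle one upload. `now` is seconds since some epoch, supplied by the caller."""
        if key is not None:
            entry = self.issued.get(self._fingerprint(key))
            if entry is not None:
                issue_time, _ = entry
                if now - issue_time < KEY_TTL:
                    # Same client reporting again inside the period: refuse it.
                    return Result("rejected", "key still valid; one report per period")
                # Key has expired: take the report and rotate the key.
                del self.issued[self._fingerprint(key)]
                self.reports.append((ip, payload))
                return Result("accepted", "report accepted, key rotated", self._issue(ip, now))
            # Unknown key: fall through and treat the sender as a first-timer.

        # Key-less (or unknown-key) submitter: record the address, as the proposal says,
        # and stop accepting "new" clients from one address once the tolerance is used up.
        recent = [t for t in self.first_seen.get(ip, []) if now - t < KEY_TTL]
        if len(recent) >= MAX_NEW_PER_IP:
            self.first_seen[ip] = recent
            return Result("rejected", "too many first-time submissions from this address")
        recent.append(now)
        self.first_seen[ip] = recent
        self.reports.append((ip, payload))
        return Result("accepted", "first report accepted", self._issue(ip, now))


if __name__ == "__main__":
    # Constructed walk-through: one well-behaved box, then a NAT with many boxes behind it.
    server = SurveyServer()
    first = server.submit("203.0.113.7", "cfg-a", now=0)
    print(first.status, first.reason)
    print(server.submit("203.0.113.7", "cfg-a", now=86400, key=first.key).reason)
    print(server.submit("203.0.113.7", "cfg-a", now=8 * 86400, key=first.key).reason)
    for i in range(MAX_NEW_PER_IP + 1):
        print(server.submit("198.51.100.2", "box%d" % i, now=0).reason)
```

The per-address counter cannot tell several machines behind one NAT from one machine repeatedly claiming to be new, which is exactly Rufiao's objection; the tolerance only decides how many "new" clients per address are believed before the server stops listening, it does not resolve the ambiguity.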