Arun Raghavan wrote:
>> We could use such an identifier to identify repeated submissions
>> (users should send in more up to date again later) and handle
>> some kind of "database pollution" attacks. We wouldn't catch
>> attackers that change their MAC before submission.
>
> Not sure how you can deal with this. How does Smolt or Debian's thing
> deal with it?

A few words about how smolt is handling this:

On first run or at installation time of smolt a machine ID is
generated by reading from

/proc/sys/kernel/random/uuid

This ID is written to

/etc/sysconfig/hw-uuid

and used for any later profile submission. A profile is the
collection of data to be submitted. To enable data gathering
I had to start two daemons: dbus and hald. The data seems
to be gathered from specific nodes in the file system
from Python code directly. On successful submission
the server hands out an "admin password" which enables you to
fine tune details online like "device foo worked (a) out of the
box (b) required additional config (c) ..." and so on for each
device from the list you submitted. It seems that all communication
is done over HTTP in an unencrypted manner.

There are three programs any user can run:

- smoltSendProfile
- smoltDeleteProfile
- smoltGui

So you can also revoke your data from the official stats.
The GUI frontend did not tell the admin password after submission,
I guess upstream forgot to show it.

Sebastian
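
The scheme described in this message (generate an ID once, persist it, reuse it for every later submission), sketched as an added example that is not smolt's code and not part of the original post. `load_or_create_machine_id`, `ProfileStore` and `demo` are hypothetical names, the server side is an assumption, and the ID file goes to a temporary directory instead of /etc/sysconfig/hw-uuid.

```python
import os
import tempfile
import uuid

KERNEL_UUID = "/proc/sys/kernel/random/uuid"  # source path named in the post


def load_or_create_machine_id(id_path, source=KERNEL_UUID):
    """Return the persisted machine ID, generating it on first run only."""
    try:
        with open(id_path) as f:
            return str(uuid.UUID(f.read().strip()))  # validate the stored value
    except FileNotFoundError:
        pass
    try:
        with open(source) as f:
            new_id = f.read().strip()
    except OSError:
        new_id = str(uuid.uuid4())  # assumption: fallback where /proc is absent
    new_id = str(uuid.UUID(new_id))
    # O_EXCL: never overwrite an ID that another process created meanwhile
    fd = os.open(id_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "w") as f:
        f.write(new_id + "\n")
    return new_id


class ProfileStore:
    """Hypothetical server side: one profile per machine ID, newest wins."""

    def __init__(self):
        self.profiles = {}

    def submit(self, machine_id, profile):
        machine_id = str(uuid.UUID(machine_id))  # reject malformed IDs
        replaced = machine_id in self.profiles
        self.profiles[machine_id] = profile
        return replaced


def demo():
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "hw-uuid")
        first = load_or_create_machine_id(path)
        second = load_or_create_machine_id(path)  # later run reuses the file
    store = ProfileStore()
    store.submit(first, {"kernel": "constructed-1"})  # constructed sample data
    replaced = store.submit(second, {"kernel": "constructed-2"})
    return first == second, replaced, len(store.profiles)
```

Keying on the ID collapses honest resubmissions from one machine into a single entry; a client that presents a new ID for every submission is still counted separately, the same limit the quoted text notes for MAC addresses.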