Date: Fri, 11 Aug 2006 10:33:20 -0500
From: Paul Schmehl <pauls@utdallas.edu>
To: "Marc G. Fournier" <scrappy@freebsd.org>
Cc: Nikolas Britton <nikolas.britton@gmail.com>, freebsd-questions@freebsd.org
Subject: Re: BSDstats Project v2.0 ...
Message-ID: <44DCA340.2050204@utdallas.edu>
In-Reply-To: <20060811100914.U7522@ganymede.hub.org>
References: <20060807003815.C7522@ganymede.hub.org> <20060808201359.S7522@ganymede.hub.org> <44D91F02.90107@mawer.org> <20060808212719.L7522@ganymede.hub.org> <20060809072313.GA19441@sysadm.stc> <20060809055245.J7522@ganymede.hub.org> <44D9F9C4.4050406@utdallas.edu> <20060809130354.U7522@ganymede.hub.org> <ef10de9a0608091700x6cc268ear6566c26f93f1fdf0@mail.gmail.com> <ef10de9a0608100327r5b402d64xc4eef38a4f61ba4e@mail.gmail.com> <ef10de9a0608110342q62f81fc8p5fb4b4df37595593@mail.gmail.com> <20060811100914.U7522@ganymede.hub.org>

Marc G. Fournier wrote:
> On Fri, 11 Aug 2006, Nikolas Britton wrote:
>
>> Ok... With my new script it took only 158 minutes to compute ALL
>> TCP/IP address hashes. I'll repeat that... I have an md5 hash for
>> every IP address in the world! All I need to do is grep your hash and
>> it will tell me your IP address. yippee! :-)
>
> Can someone please explain to me what exactly you are trying to secure
> against in this case?
>

If you know my IP, my hostname, what OS I'm running and *every* driver I have enabled on my box, you're halfway toward breaking into my box.

What he's saying is that you've chosen the IP address as the index key for the database. Even though you're hashing it with MD5, he has written a script that generates, in less than an hour, the MD5 hash for every single IP address in the world. *If* he can break into your database and extract its information, he can simply match his hashes against yours and "decode" every IP address. Once he's done that, he has a big fat list of juicy targets to go after.

This is the reason that the only hosts I've submitted are the two that are on public IP addresses. You can get the same info by probing them directly. You won't be getting my other boxes until this problem is solved.

I think two suggestions have been made that are quite worthy of consideration.

1) encrypt the data being fed to your systems by the script - this should be relatively easy using keys and would ensure that a man in the middle attack would fail. You can connect using ssh and a unique key without having to reveal passwords to anyone.

2) use a unique hash, generated at the time of first connection, that identifies the box regardless of its IP, hostname, MAC address or any of the other myriad parameters that can all change over time. This would actually make your data more reliable, since parameters change (IPs, MACs, hostnames, peripherals, etc.), boxes do not.

I realize everyone is very enthusiastic about this project, but, if you want a high adoption rate, you're going to have to consider the concerns of the more security-conscious among us.

-- 
Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
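
An added example, not part of the original message or the BSDstats code: it contrasts an unsalted MD5 of the IP address used as the database key with suggestion 2, a random identifier generated once at first connection. The function names, the dotted-quad hash input and the 128-bit token size are assumptions made for illustration; the addresses come from the 192.0.2.0/24 documentation range.

```python
import hashlib
import ipaddress
import secrets


def md5_ip(ip: str) -> str:
    """Key scheme criticised in the thread: unsalted MD5 of the address.
    Assumes the dotted-quad text is what gets hashed."""
    return hashlib.md5(ip.encode("ascii")).hexdigest()


def build_lookup(network: str) -> dict[str, str]:
    """Map hash -> address for every address in `network`.
    IPv4 has at most 2**32 inputs, so the same table can be built for the
    whole address space; the hash hides nothing once the DB leaks."""
    return {md5_ip(str(ip)): str(ip) for ip in ipaddress.ip_network(network)}


def new_host_token() -> str:
    """Suggestion 2: an identifier created once, at first connection.
    128 bits from the OS CSPRNG, derived from no host attribute, so there
    is no small input space to enumerate."""
    return secrets.token_hex(16)


def register(db: dict[str, dict], token: str, report: dict) -> None:
    """Store a report keyed by the host token instead of the IP hash."""
    db[token] = report


if __name__ == "__main__":
    # Constructed sample: a leaked key column holding one hashed address.
    leaked_key = md5_ip("192.0.2.77")
    table = build_lookup("192.0.2.0/24")
    print("hashed-IP key resolves to:", table.get(leaked_key))

    # The token key survives renumbering and matches nothing in the table.
    db: dict[str, dict] = {}
    token = new_host_token()
    register(db, token, {"os": "FreeBSD", "ip_seen": "192.0.2.77"})
    register(db, token, {"os": "FreeBSD", "ip_seen": "192.0.2.200"})
    print("token key resolves to:", table.get(token))
    print("hosts recorded:", len(db))
```

The token has to be stored on the reporting host and sent over the encrypted channel from suggestion 1, since anyone who observes it can submit reports as that host.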
