From owner-freebsd-questions@FreeBSD.ORG Fri Aug 11 15:32:53 2006
From: Paul Schmehl <pauls@utdallas.edu>
Date: Fri, 11 Aug 2006 10:33:20 -0500
To: "Marc G. Fournier"
Cc: Nikolas Britton, freebsd-questions@freebsd.org
Subject: Re: BSDstats Project v2.0 ...
Message-ID: <44DCA340.2050204@utdallas.edu>
In-Reply-To: <20060811100914.U7522@ganymede.hub.org>
Marc G. Fournier wrote:
> On Fri, 11 Aug 2006, Nikolas Britton wrote:
>
>> Ok... With my new script it took only 158 minutes to compute ALL
>> TCP/IP address hashes. I'll repeat that... I have an md5 hash for
>> every IP address in the world! All I need to do is grep your hash and
>> it will tell me your IP address. yippee! :-)
>
> Can someone please explain to me what exactly you are trying to secure
> against in this case?
>

If you know my IP, my hostname, what OS I'm running and *every* driver I
have enabled on my box, you're halfway toward breaking into my box.

What he's saying is that you've chosen the IP address as the index key
for the database. Even though you're hashing it with MD5, he has written
a script that generates, in less than an hour, the MD5 hash for every
single IP address in the world. *If* he can break into your database and
extract its information, he can simply match his hashes against yours and
"decode" every IP address. Once he's done that, he has a big fat list of
juicy targets to go after.

This is the reason that the only hosts I've submitted are the two that
are on public IP addresses. You can get the same info by probing them
directly. You won't be getting my other boxes until this problem is
solved.

I think two suggestions have been made that are quite worthy of
consideration.

1) Encrypt the data being fed to your systems by the script. This should
be relatively easy using keys and would ensure that a man-in-the-middle
attack would fail. You can connect using ssh and a unique key without
having to reveal passwords to anyone.

2) Use a unique hash, generated at the time of first connection, that
identifies the box regardless of its IP, hostname, MAC address or any of
the other myriad parameters that can all change over time. This would
actually make your data more reliable, since parameters change (IPs,
MACs, hostnames, peripherals, etc.), boxes do not.

I realize everyone is very enthusiastic about this project, but, if you
want a high adoption rate, you're going to have to consider the concerns
of the more security conscious among us.

-- 
Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
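The weakness Paul describes (an unsalted MD5 of the IP as the database key, invertible because the IPv4 space is enumerable) and his second suggestion (a random identifier generated once, at first contact), as an added example that is not code from the BSDstats project or from anyone in the thread. The /24 range, the id file path and all function names are constructed for the demonstration; the lookup is built over one /24 only, to show the mechanism rather than the full table Nikolas describes.

```python
import hashlib
import ipaddress
import os
import secrets
import tempfile

# Scheme the thread objects to: the client identifies itself by md5(IP).
# IPv4 has only 2**32 addresses, so every possible hash can be precomputed
# once and any hash pulled from the database looked up in that table.
def ip_hash(ip: str) -> str:
    return hashlib.md5(ip.encode("ascii")).hexdigest()

def build_lookup(network: str) -> dict:
    """hash -> IP for every address in `network` (a constructed demo /24
    here; the thread's point is that the whole 2**32 space is just as
    cheap to tabulate)."""
    return {ip_hash(str(ip)): str(ip) for ip in ipaddress.ip_network(network)}

def recover_ip(stored_hash: str, table: dict):
    """What a leaked database row yields once such a table exists."""
    return table.get(stored_hash)

# Suggestion 2 from the message: an identifier generated once, at first
# contact, from a CSPRNG. It is derived from nothing about the host, so
# there is no keyspace to enumerate, and it stays the same when the IP,
# hostname or MAC changes.
def new_host_id() -> str:
    return secrets.token_hex(16)  # 128 random bits as 32 hex chars

# Constructed path for the demo; a real client would keep this under /var.
DEMO_ID_FILE = os.path.join(tempfile.gettempdir(), "bsdstats_demo_host_id")

def load_or_create_id(path: str = DEMO_ID_FILE) -> str:
    """Client side: create the id on the first run, reuse it afterwards."""
    if os.path.exists(path):
        with open(path) as f:
            return f.read().strip()
    hid = new_host_id()
    with open(path, "w") as f:
        f.write(hid + "\n")
    return hid

if __name__ == "__main__":
    table = build_lookup("192.0.2.0/24")  # TEST-NET-1, constructed sample
    print(recover_ip(ip_hash("192.0.2.42"), table))  # the md5 hid nothing
    print(recover_ip(load_or_create_id(), table))    # None: nothing to look up
```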