Matthew Seaman wrote:
> Paul Schmehl wrote:
>
>> 1) encrypt the data being fed to your systems by the script - this
>> should be relatively easy using keys and would ensure that a man in the
>> middle attack would fail. You can connect using ssh and a unique key
>> without having to reveal passwords to anyone.
>
> Uh... HTTPS surely? Because it's relatively simple to implement on both
> client and server, doesn't require extra software installed on every client
> beyond the monthly stats script itself and because of the way that HTTPS
> uses a one-sided Diffie Helmann exchange to create session keys which means
> that you don't have any trouble with key management on the many thousands
> of client boxes out there...
>
I defer to your obviously greater experience and wisdom. :-)
I would note that these issues appear to be impacting the project. As
of right now, there are only 1612 systems reporting in, and I suspect
there are a much greater number of systems distributed throughout the
computing universe. Certainly some can be attributed to the newness of
the project and the small amount of promotion done to date, but I can't
help but think that at least some of it is due to hesitancy on the part
of some to submit their data.
For my part, I've submitted two public hosts. I have four others I will
not submit until I'm certain the data are securely transmitted and stored.
Surely I'm not alone?
--
Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/