Hi all,
In the current GWN, Gentoo announced the following:
Gentoo buildtime and statistics database client
After many months since the old Gentoo statistic database went away,
basc, a new buildtime and statistics client, is now in Portage. basc
updates information about a host running Gentoo Linux to a central
server [1] (in this example: RAM statistics). Among other information,
the client collects the kernel's .config and the xorg.conf files, and
the developers involved are currently evaluating whether it is possible
to have it 'suggest' configurations to new users based on previous
configuration file contributions.
[1] http://www.gentoo-stats.org/index.php?c=memstats
After looking at the page I discovered that the whole implementation has
"some" serious security problems:
You can easily track down all data acquired by "basc" to single systems.
This means, iff you have basc installed:
- everyone can see what kernel you are using
- everyone knows your kernel config and
- everyone knows what ebuilds you have installed.
IFF you provided a complete hostname:
- everyone can easily find your system and use the information provided
  against you.
You don't believe?
Here's the example:
http://www.gentoo-stats.org/index.php?c=userpage&sys=1
I think I don't have to tell how to see other systems or that one could
script the whole process of gaining information and using it against the
owner of the systems.
Regards
Tantive
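The linkability the post describes comes from the client shipping the raw hostname together with free-form kernel config strings that often embed it. The following is an added example, not part of the post and not basc's own code, showing the data-minimisation step a stats client could apply before upload: replace the hostname with a keyed pseudonym (stable across uploads, not reversible without the local secret) and redact config fields that carry it. The report layout, field names and sample values are constructed assumptions; basc's real format is not documented on the page.

```python
import hashlib
import hmac
import json
import re
import secrets

# Constructed sample of what a stats client might collect. Field names and
# values are invented for this example; they are not basc's real format.
SAMPLE_REPORT = {
    "hostname": "workstation.example.org",
    "kernel": "2.6.15-gentoo-r5",
    "kernel_config": [
        "CONFIG_X86=y",
        'CONFIG_DEFAULT_HOSTNAME="workstation"',
        'CONFIG_LOCALVERSION="-workstation-example-org"',
        'CONFIG_CMDLINE="root=/dev/sda3 quiet"',
        "# CONFIG_DEBUG_KERNEL is not set",
        "CONFIG_NETFILTER=y",
    ],
    "xorg_conf": 'Section "Device"\n  Identifier "card0"\nEndSection\n',
    "packages": ["sys-kernel/gentoo-sources-2.6.15-r5", "x11-base/xorg-x11-6.8.2"],
}

# Kernel config keys whose values are free text and commonly carry host names
# or other locally chosen strings; they add nothing to build-time statistics.
FREE_TEXT_CONFIG_KEYS = ("CONFIG_DEFAULT_HOSTNAME", "CONFIG_LOCALVERSION", "CONFIG_CMDLINE")


def new_install_secret() -> bytes:
    """Per-install secret, generated once and kept root-readable only (assumption:
    stored under /etc by the client). It never leaves the host."""
    return secrets.token_bytes(32)


def pseudonymous_id(hostname: str, secret: bytes) -> str:
    """HMAC-SHA256 of the hostname under the local secret, truncated to 64 bits.
    The server can correlate repeated uploads from one host, but cannot recover
    the hostname or link it to another site's data without the secret."""
    return hmac.new(secret, hostname.encode(), hashlib.sha256).hexdigest()[:16]


def scrub_kernel_config(lines, hostname):
    """Redact free-text config values and any line mentioning the short hostname."""
    short = hostname.split(".")[0]
    pattern = re.compile(re.escape(short), re.IGNORECASE)
    out = []
    for line in lines:
        if "=" in line:
            key, _ = line.split("=", 1)
            if key in FREE_TEXT_CONFIG_KEYS or pattern.search(line):
                line = f'{key}="<redacted>"'
        elif pattern.search(line):
            continue  # comment line mentioning the host: drop it entirely
        out.append(line)
    return out


def anonymize_report(report, secret):
    """Build the upload payload: no hostname, keyed pseudonym instead, and
    hostname fragments stripped from the free-text fields."""
    host = report["hostname"]
    short = host.split(".")[0]
    return {
        "system_id": pseudonymous_id(host, secret),
        "kernel": report["kernel"],
        "kernel_config": scrub_kernel_config(report["kernel_config"], host),
        "xorg_conf": report["xorg_conf"].replace(host, "<redacted>").replace(short, "<redacted>"),
        "packages": list(report["packages"]),
    }


def leaks_hostname(payload, hostname) -> bool:
    """Pre-upload check: does the serialised payload still contain the FQDN
    or the short hostname anywhere?"""
    blob = json.dumps(payload).lower()
    short = hostname.split(".")[0].lower()
    return hostname.lower() in blob or short in blob


if __name__ == "__main__":
    secret = new_install_secret()
    payload = anonymize_report(SAMPLE_REPORT, secret)
    print(json.dumps(payload, indent=2))
    print("hostname leaked:", leaks_hostname(payload, SAMPLE_REPORT["hostname"]))
```

The short-hostname check in `leaks_hostname` is deliberately aggressive: a host named "gentoo" would flag every package line, so in practice the client should refuse to upload and let the owner review the payload rather than silently strip matches. Note also that the package list itself remains a fingerprint of the machine; pseudonymising the hostname removes the direct link to a DNS name, it does not make the record unidentifiable.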