Marc G. Fournier wrote:
On Fri, 11 Aug 2006, Nikolas Britton wrote:

Ok... With my new script it took only 158 minutes to compute ALL
TCP/IP address hashes. I'll repeat that... I have an md5 hash for
every IP address in the world! All I need to do is grep your hash and
it will tell me your IP address. yippee! :-)

Can someone please explain to me what exactly you are trying to secure against in this case?

If you know my IP, my hostname, what OS I'm running and *every* driver I have enabled on my box, you're half way toward breaking in to my box.

What he's saying is that you've chosen the IP address as the index key for the database. Even though you're hashing it with MD5, he has written a script that generates, in less than an hour, the MD5 hash for every single IP address in the world. *If* he can break in to your database and extract its information, he can simply match his hashes against yours and "decode" every IP address.

Once he's done that, he has a big fat list of juicy targets to go after. This is the reason that the only hosts I've submitted on the two that are on public IP addresses. You can get the same info by probing them directly.

You won't be getting my other boxes until this problem is solved.

I think two suggestions have been made that are quite worthy of consideration.

1) encrypt the data being fed to your systems by the script - this should be relatively easy using keys and would ensure that a man in the middle attack would fail. You can connect using ssh and a unique key without having to reveal passwords to anyone.

2) use a unique hash, generated at the time of first conneciton, that identifies the box regardless of its IP, hostname, MAC address or any of the other myriad parameters that can all change over time. This would actually make your data more reliable, since parameters change (IPs, MACs, hostnames, peripherals, etc.), boxes do not.

I realize everyone is very enthusiastic about this project, but, if you want a high adoption rate, you're going to have to consider the concerns of the more security conscious among us.

--
Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Reply via email to