Matthew Seaman wrote:
Paul Schmehl wrote:1) encrypt the data being fed to your systems by the script - this should be relatively easy using keys and would ensure that a man in the middle attack would fail. You can connect using ssh and a unique key without having to reveal passwords to anyone.Uh... HTTPS surely? Because it's relatively simple to implement on both client and server, doesn't require extra software installed on every client beyond the monthly stats script itself and because of the way that HTTPS uses a one-sided Diffie Helmann exchange to create session keys which means that you don't have any trouble with key management on the many thousands of client boxes out there...
I defer to your obviously greater experience and wisdom. :-)I would note that these issues appear to be impacting the project. As of right now, there are only 1612 systems reporting in, and I suspect there are a much greater number of systems distributed throughout the computing universe. Certainly some can be attributed to the newness of the project and the small amount of promotion done to date, but I can't help but think that at least some of it is due to hesitancy on the part of some to submit their data.
For my part, I've submitted two public hosts. I have four others I will not submit until I'm certain the data are securely transmitted and stored.
Surely I'm not alone? -- Paul Schmehl ([EMAIL PROTECTED]) Adjunct Information Security Officer The University of Texas at Dallas http://www.utdallas.edu/ir/security/
Description: S/MIME Cryptographic Signature