Matthew Seaman wrote:
Paul Schmehl wrote:
1) encrypt the data being fed to your systems by the script - this
should be relatively easy using keys and would ensure that a man in the
middle attack would fail.  You can connect using ssh and a unique key
without having to reveal passwords to anyone.

Uh... HTTPS surely?  Because it's relatively simple to implement on both
client and server, doesn't require extra software installed on every client
beyond the monthly stats script itself and because of the way that HTTPS
uses a one-sided Diffie-Hellman exchange to create session keys which means
that you don't have any trouble with key management on the many thousands
of client boxes out there...

I defer to your obviously greater experience and wisdom.  :-)

I would note that these issues appear to be impacting the project. As of right now, there are only 1612 systems reporting in, and I suspect there are a much greater number of systems distributed throughout the computing universe. Certainly some can be attributed to the newness of the project and the small amount of promotion done to date, but I can't help but think that at least some of it is due to hesitancy on the part of some to submit their data.

For my part, I've submitted two public hosts. I have four others I will not submit until I'm certain the data are securely transmitted and stored.

Surely I'm not alone?

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
