Date: Fri, 29 Sep 2006 07:37:53 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: "Marc G. Fournier" <freebsd@hub.org>
Cc: freebsd-questions@freebsd.org
Subject: Re: BSDStats v4.0: Attempt to address some major issues ...
Message-ID: <451CBF41.1010208@infracaninophile.co.uk>
In-Reply-To: <20060928232533.Y51847@ganymede.hub.org>
References: <20060928232533.Y51847@ganymede.hub.org>
This is an OpenPGP/MIME signed message (RFC 2440 and 3156)

Marc G. Fournier wrote:
> I've increased the size of the IDTOKEN to 32 from 16, since I've been
> noticing a lot of duplicates when two hosts submit at close to the same
> time ...

Ummm... that's actually really bad. That means that the RNG used by OpenSSL
(hence SSH and others) is not actually producing anything like a proper
random sequence for a lot of people. Hence all sorts of crypto handled by
those machines is potentially vulnerable to attack. If this is the case,
going from 16 to 32 bytes of random token won't actually help at all.

On the other hand, the duplicates could be the result of people deliberately
trying to frig the statistics or just innocently running the 300.statistics
script manually several times. In either case, entries with duplicate tokens
should be discarded -- I guess you'd always want to keep just the last entry
for any token.

Cheers,
Matthew
--
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
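
The two points in the message above, as an added example that is not part of the original e-mail or of the BSDStats code: a birthday-bound estimate showing that collisions depend on the RNG's effective entropy rather than token length, and a keep-the-last-entry de-duplication that labels each repeated token. The record layout (timestamp, source host, token), the labels and the sample data are assumptions constructed for illustration.

```python
import math
from collections import defaultdict

def collision_probability(n_hosts: int, entropy_bytes: int) -> float:
    """Birthday-bound chance that any two of n_hosts tokens coincide,
    given the effective entropy actually behind each token."""
    space = 2.0 ** (8 * entropy_bytes)
    # 1 - exp(-n(n-1)/(2N)); expm1 keeps precision when the value is tiny
    return -math.expm1(-n_hosts * (n_hosts - 1) / (2.0 * space))

def triage(submissions):
    """Keep only the last entry per token and label tokens seen more than once.

    submissions: iterable of (timestamp, source_host, token) in any order.
    Returns (latest, flagged): latest maps token -> (timestamp, host);
    flagged maps each repeated token to 'resubmission' (same host) or
    'distinct-hosts' (worth checking how that token was generated).
    """
    by_token = defaultdict(list)
    for ts, host, token in sorted(submissions):
        by_token[token].append((ts, host))
    latest, flagged = {}, {}
    for token, seen in by_token.items():
        latest[token] = seen[-1]  # last entry wins
        if len(seen) > 1:
            hosts = {h for _, h in seen}
            flagged[token] = "distinct-hosts" if len(hosts) > 1 else "resubmission"
    return latest, flagged

# Constructed sample submissions (hypothetical hosts and tokens).
TOKEN_A = "00112233445566778899aabbccddeeff"
TOKEN_B = "ffeeddccbbaa99887766554433221100"
TOKEN_C = "0f1e2d3c4b5a69788796a5b4c3d2e1f0"
SAMPLE = [
    (100, "host-a", TOKEN_A),
    (105, "host-b", TOKEN_A),  # same token from a second host
    (200, "host-c", TOKEN_B),
    (260, "host-c", TOKEN_B),  # same host ran the script again
    (300, "host-d", TOKEN_C),
]

if __name__ == "__main__":
    print("1e6 hosts, 16 good bytes:", collision_probability(10**6, 16))
    print("1e6 hosts, 32 good bytes:", collision_probability(10**6, 32))
    print("1000 hosts, 2 bytes of real entropy:", collision_probability(1000, 2))
    print(triage(SAMPLE))
```

With a sound RNG, 16 bytes already makes an accidental collision among a million hosts vanishingly unlikely, so the 'distinct-hosts' label only marks a token for investigation and does not by itself prove a weak RNG.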
