On Tue, Jan 08, 2019 at 00:44:26 -0500,
John Harris <johnmh@xxxxxxxxxxxxx> wrote:
> On Tuesday, January 8, 2019 12:32:45 AM EST Bruno Wolff III wrote:
>> The cost for pretending to be lots of machines is also reduced a lot in
>> this scheme over having to connect from lots of different IP addresses.
>> Though at some point spoofing too many would probably be considered
>> a denial of service attack and might get the perpetrator in legal trouble,
>> which might discourage people from doing that. If such an attack wasn't
>> noticed because of the request volume from a small number of IP addresses,
>> it might be possible to have a significant effect on the aggregate stats.
>> So it might be worth having some filters watching out for this kind of
>> attack.
>
> I definitely don't think it's best to start considering legal action against
> Fedora users in a thread about invading user privacy. This will only scare
> folks.

I think it is reasonable to discuss mitigations to attacks on the proposed
system for counting unique users before implementation starts, as that might
affect the design. The new system greatly reduces the cost for pretending to
be unique systems, and someone mad at Fedora, or just for laughs, might try to
spoof a very large number of systems. Legal risk is one thing that might
encourage people not to do this (possibly to the point where no one tries to
do an attack spoofing, say, multiple unique machines per second). Another
mitigation is proactively looking for lots of unique machines on a small
number of IP addresses and flagging this for evaluation by a human.
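
The filter suggested in the message above, as an added example that is not part of the original thread or of any Fedora code: it counts distinct machine identifiers per source network per time window and returns the networks that exceed a threshold, for a human to review. The record layout (timestamp, source IP, per-machine identifier), the /24 and /64 grouping, the one-hour window and the thresholds are all assumptions of this sketch.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)

def network_key(ip, v4_prefix=24, v6_prefix=64):
    """Group nearby addresses so one host rotating within a subnet is still seen as one source."""
    addr = ipaddress.ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))

def parse(lines):
    """Yield (timestamp, network, client id); malformed records are skipped, not trusted."""
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), network_key(parts[1]), parts[2]
        except ValueError:
            continue

def flag_sources(lines, window=timedelta(hours=1), max_ids=20):
    """Return {network: peak distinct ids} for networks above max_ids in any window.

    Fixed windows are used for brevity; a burst that straddles a window
    boundary is split across two buckets and may need a lower threshold.
    """
    seen = defaultdict(set)  # (network, window index) -> distinct client ids
    for ts, net, client_id in parse(lines):
        seen[(net, (ts - EPOCH) // window)].add(client_id)
    flagged = {}
    for (net, _), ids in seen.items():
        if len(ids) > max_ids:
            flagged[net] = max(flagged.get(net, 0), len(ids))
    return flagged

def constructed_sample():
    """Constructed records (documentation address ranges), not real traffic."""
    lines = []
    for i in range(30):  # a NAT'd office: 3 machines making repeated requests
        lines.append(f"2019-01-08T06:{i:02d}:00 192.0.2.10 id-office-{i % 3}")
    for i in range(40):  # 40 distinct identifiers from two addresses in one /24
        lines.append(f"2019-01-08T06:05:{i:02d} 198.51.100.{7 + i % 2} id-{i:04d}")
    lines.append("garbage line")
    lines.append("2019-01-08T06:10:00 2001:db8::1 id-v6-host")
    return lines

if __name__ == "__main__":
    for net, count in flag_sources(constructed_sample()).items():
        print(f"review: {net} presented {count} distinct identifiers in one window")
```

The threshold has to sit above what a large NAT or campus network legitimately produces, which is why the output is a review queue rather than an automatic block.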