Privacy -- Collecting statistics proposal


Kai Hendry

Oct 29, 2010, 9:52:03 AM
to webc-users
Quite some time ago, the portal Web page (default homepage) was taking
parameters like the MAC and webconverger-base:
http://git.webconverger.org/?p=webconverger-base;a=blob;f=usr/bin/persistent-browser;h=5fab6845359539de32f6bd6e9b7e3e0c48be8b67;hb=badf30029aa3fd31ef4be798f14eab051dcdbf18

I've long had statistics post disabled for a couple of reasons:
* I wasn't using the data
* A lot of users changed the homepage, so it was not accurate
* I thought it wasn't good for http://webconverger.org/privacy/ which
I care a lot about


Now as I'm trying to grow Webconverger as a company, investors
typically ask how many users I have. I honestly have to say, I don't
know and then I get a quizzical "are you an idiot?" look.

So I would like to simply know how many users Webconverger has and
perhaps what version they are running. I think the best is to have
Webconverger "ping" _once_ on network startup, from
/etc/network/if-up.d/ping, like so:

#!/bin/sh
# Post the eth0 MAC (M) and the webconverger-base package version (V)
wget --timeout=5 --post-data="M=$(cat /sys/class/net/eth0/address)&V=$(dpkg -s webconverger-base | awk '/^Version: / { print $2 }')" http://ping.webconverger.org

And then I record this data like so (this is a prototype):
http://ping.webconverger.org/hgweb.cgi/file/tip/index.php

MacIDs imo are fairly anonymous and basically help me uniquely
identify a machine for counting the machines.

Anyway, it would be great to get your comments and feedback about this
proposal. The one thing that came to mind is that
ping.webconverger.org could be easily attacked and give me a lot of
useless information. Trying to think how to prevent that.

Kind regards,

Guttorm Flatabø

Oct 29, 2010, 10:22:24 AM
to webc-...@googlegroups.com
Looks good to me, firewall proof. MAC is probably good, but as they are frequently used for authentication you should be careful not to couple them with IP-addresses and such.



Kai Hendry

Nov 2, 2010, 11:22:39 AM
to webc-...@googlegroups.com
2010/10/29 Guttorm Flatabø <po...@guttormflatabo.com>:

> Looks good to me, firewall proof. MAC is probably good, but as they are
> frequently used for authentication you should be careful not to couple them
> with IP-addresses and such.

After some thought I am going to update the ping script to hash the
MAC, so the MAC cannot be determined.

Steve Robson

Nov 2, 2010, 11:27:17 AM
to webc-...@googlegroups.com
Kai Hendry wrote:
> 2010/10/29 Guttorm Flatabø <po...@guttormflatabo.com>:

Will you still be able to differentiate between hashed MACs such that
you don't count the same system more than once? In other words, will
the hash of any particular MAC address always be the same?

-Steve

Kai Hendry

Nov 2, 2010, 11:30:54 AM
to webc-...@googlegroups.com
On 2 November 2010 15:27, Steve Robson <sro...@cadence.com> wrote:
> Will you still be able to differentiate between hashed MACs such that you
> don't count the same system more than once?  In other words, will the hash
> of any particular MAC address always be the same?

Yes, a hash of a fixed string (a MAC in our case) will be the same.

echo foo | md5sum
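
The hashing and de-duplication discussed in the messages above, as an added example that is not part of the thread or Webconverger's own code: the client normalises and hashes the MAC, and the server counts distinct digests while dropping malformed posts. It uses sha256sum in place of md5sum; the function names, the "DIGEST VERSION" log format and the sample MACs are assumptions constructed for the illustration.

```sh
#!/bin/sh
# Added illustration; names, log format and MACs below are constructed.

# Client: derive a stable ID from a MAC. Normalise case and whitespace so
# one card always gives one digest; printf avoids hashing a trailing newline.
# The digest is a stable pseudonym (the MAC space is small), so store it
# with the same care as the MAC itself.
mac_id() {
    printf '%s' "$1" | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]' |
        sha256sum | cut -d' ' -f1
}

# Server: keep only well-formed "DIGEST VERSION" lines, dropping junk posts.
valid_pings() {
    grep -E '^[0-9a-f]{64} [0-9A-Za-z.~+-]+$'
}

# Distinct machines seen, however often each one pinged.
count_machines() {
    valid_pings | cut -d' ' -f1 | sort -u | wc -l | tr -d ' '
}

# Distinct machines per version, as "COUNT VERSION" lines.
count_by_version() {
    valid_pings | sort -u | cut -d' ' -f2 | sort | uniq -c |
        awk '{ print $1, $2 }'
}

# Constructed sample log: three machines, one repeat ping, one junk line.
sample_log() {
    printf '%s 6.2\n' "$(mac_id '00:11:22:33:44:5e')"
    printf '%s 6.2\n' "$(mac_id '00:11:22:33:44:5E')"   # same card, upper case
    printf 'not-a-digest 6.2\n'
    printf '%s 7.0\n' "$(mac_id '66:77:88:99:aa:bb')"
    printf '%s 6.2\n' "$(mac_id '02:00:00:00:00:01')"
}

sample_log | count_machines      # distinct machines
sample_log | count_by_version    # per-version tally
```

A machine that pings under two versions is counted once by count_machines but once per version by count_by_version.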

Casey

Nov 12, 2010, 5:39:55 PM
to Webconverger Users
How about GPG key authentication similar to Debian update servers?
Any session that doesn't authenticate gets dropped.
Or, maybe a pseudo-random number generator with a pre-set seed so that
all the Webconverger images will produce the same set of random
numbers. You could ask each Webconverger client to produce a
different number of the set, say 59th or whatever, and the server
would be running the same seed and could compare answers to determine
if it is authentic or spam.
I'm not sure if any of this would scale or work at all, but I had fun
thinking about it. Thanks.

On Oct 29, 7:52 am, Kai Hendry <hen...@webconverger.com> wrote:
> .... The one thing that came to mind is that