[wplug] osscensus?

terry mcintyre terrymcintyre at yahoo.com
Thu Apr 17 12:19:29 EDT 2008


I'm not sure how good the data would be.

Suppose I work for corporation X which has 10,000
employees. Employees A, B, C ... Z each scan the
network and discover the same machines. But if the
security is halfway decent, information about
applications would not be visible unless it were to
cause a port to be open. Few "shares" are exported in
the Linux world. Why are they using the
Windows-centric "shares" instead of "filesystems?"
Could be that Windows users tend to be a good deal
more lax about exporting the contents of their disks
to the world.

In any case, 26 employees each report their results,
as "anonymous." Typically, the IP addresses will
reside in private IP space, sitting behind a NAT.
Collect the information from a few hundred
corporations, and there will be a lot of collisions in
the namespace. 

I would not export hostnames and so forth about my
corporation's computers; that would be irresponsible.
Before I'd release such a survey, it would be
sanitized to show only IP addresses -- and I might
even be paranoid enough to do some randomization of
those. The upshot is, many IP addresses are likely to
be oversampled, and there would be no way to clean up
the data due to collisions between multiple instances
of private namespaces.
  
In short, I wouldn't trust them, the data is likely to
have a huge number of duplicate records, it is
impossible to de-dupe the data because of namespace
collisions, and the goal - a total survey of open
source software usage - is actually unattainable for
security reasons.

When I release information about my company's
computers to external auditors, my company has a
signed NDA and a close relationship with those agents;
I examine the data which is released; I sanitize it to
remove sensitive information such as password hashes,
and I request a business reason for the release. I
would not participate in this oss census; the risks to
my employer are unreasonable.

--- "G.Pitman" <gpitman at gmail.com> wrote:

> https://www.osscensus.org/quick-start.php
> 
> Has anyone looked at this?
> Is there any compelling reason that I should trust
> them?
> 
> I do a `grep -R hostname ./*` after unpacking their
> ossdiscover package and
> there are more results than I care to look at.
> Don't they mention anonymous more than once?
> 
> I am not familiar with ruby or java but I know what
> hostname means...
> 
> -- 
> "There's plenty of room for all God's creatures...
> Right next to the mashed
> potatoes."
> _______________________________________________
> wplug mailing list
> wplug at wplug.org
> http://www.wplug.org/mailman/listinfo/wplug
> 


Terry McIntyre <terrymcintyre at yahoo.com>

“Wherever is found what is called a paternal government, there is found state education. It has been discovered that the best way to insure implicit obedience is to commence tyranny in the nursery.”

Benjamin Disraeli, Speech in the House of Commons [June 15, 1874]
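The collision argument in the reply above, as an added illustration that is not part of the list thread: a few constructed census records from three organizations whose NATed hosts reuse the same RFC 1918 addresses. With only anonymous (submitter-less) records, the raw count oversamples hosts that several employees scanned, while de-duplicating by address merges distinct hosts in different organizations; the organization tags are present here only as ground truth that a sanitized feed would not carry.

```python
import ipaddress

# Constructed census submissions: (submitter, ip, application).
# The "orgX-empN" submitter is ground truth for this demo only; an
# anonymous census would receive just the (ip, application) pair.
SUBMISSIONS = [
    ("orgA-emp1", "10.0.0.5", "apache"),
    ("orgA-emp2", "10.0.0.5", "apache"),       # same host, rescanned by a colleague
    ("orgB-emp1", "10.0.0.5", "apache"),       # different org, same private address
    ("orgB-emp2", "10.0.0.5", "apache"),
    ("orgC-emp1", "192.168.1.10", "postgres"),
    ("orgA-emp1", "203.0.113.7", "sshd"),      # documentation-range address standing in for a public one
    ("orgA-emp2", "203.0.113.7", "sshd"),
]

# Private address space per RFC 1918: the same address can exist behind every NAT.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_ambiguous(ip):
    """True when the address is RFC 1918 space, so identical addresses from
    different submitters may be different machines and cannot be told apart."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def naive_dedupe(subs):
    """The best an anonymous census can do: collapse records by (ip, application)."""
    return {(ip, app) for _, ip, app in subs}


def true_hosts(subs):
    """Ground truth that needs the organization tag a sanitized feed would strip."""
    return {(sid.split("-")[0], ip, app) for sid, ip, app in subs}


def census_report(subs):
    """Compare raw count, de-duplicated count and the real number of hosts."""
    deduped = naive_dedupe(subs)
    return {
        "raw_records": len(subs),                  # oversampled: colleagues rescan the same hosts
        "deduped": len(deduped),                   # undersampled: orgA and orgB hosts merged
        "actual_hosts": len(true_hosts(subs)),
        "ambiguous_after_dedupe": sum(1 for ip, _ in deduped if is_ambiguous(ip)),
    }


if __name__ == "__main__":
    print(census_report(SUBMISSIONS))
```

Neither number the census could compute (7 raw, 3 after de-duplication) matches the 4 real hosts, and 2 of the 3 de-duplicated entries sit in private space where no further cleanup is possible without the organization identity the submitters withheld.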



