On 12/25/11 20:45 , Simon Josefsson wrote:
Fri 2011-12-23 at 19:33 +0100, Philip Homburg wrote:
>> (From a technical point of view) releasing the source is not an issue. The probes come with key material that allows them to connect to the Atlas infrastructure. In theory you can get that out of the probe. But, you would violate the agreement as a probe host and it would be quite tricky to do. And, you can take over only one probe at a time which has to be in your physical possession.
>>
>> If we would allow 'third party' probes to connect to the Atlas infrastructure then all of that changes. No need to physically obtain a probe. Just download the source, request a key. And start hacking away.
>
> How does this keying work today? I haven't seen this documented anywhere.

The slides should give you a general idea of how it works: <http://ripe61.ripe.net/presentations/269-20101118-RIPE61-MAT-Robert.pdf>

> If you embed a symmetric or asymmetric key in the probes, which sounds like what you are suggesting (and is more advanced than what I expected), there shouldn't be any threat to publish source code for the firmware: people will not have access to any private key that you will trust.
That's right.
> My proposed solution to send a hash of the firmware was to be able to diagnose on the server side which firmware sent what information and to do larger-scale data mining. It is not a solution to malicious probes. Sorry if anything I said implied that.
So, assuming for a moment that we cannot let 'third party' probes connect to the Atlas infrastructure, because we cannot trust the results, what would be the point of releasing the source? One is that somebody may want to run his own private copy of the whole Atlas system. But that is going to be a lot of work setting it all up. If we would allow third party probes to connect, but ignore their results and not schedule any UDMs on those probes. Just publish the raw results somewhere. Would that be a net benefit to the community, or just a PR disaster waiting to happen?
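The argument in the thread is that publishing the firmware source does not weaken the probe-to-infrastructure trust, because the secret lives in per-probe key material provisioned before the probe ships, not in the source, while a firmware hash in each report is useful only for server-side diagnostics. The following Python model, added here as an illustration and not code from the RIPE Atlas project or from anyone in the thread, makes that concrete. It assumes a per-probe symmetric secret and HMAC-SHA256 over each report (the real Atlas mechanism is described in the slides linked above, not here); the firmware blob, probe ids and measurement values are constructed placeholders. It shows that a probe built from the published source but holding an unprovisioned key is rejected whether it impersonates a real probe id or uses a new one, and that a replayed or tampered report from a genuine probe is rejected as well.

```python
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for a published firmware image: it contains no key material.
PUBLISHED_FIRMWARE = b"atlas-probe-firmware (constructed placeholder, no secrets inside)"


def firmware_hash(blob: bytes) -> str:
    """Hash of the firmware the probe is running; reported for diagnostics only."""
    return hashlib.sha256(blob).hexdigest()


def canonical(msg: dict) -> bytes:
    """Deterministic encoding so probe and server MAC exactly the same bytes."""
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


class Infrastructure:
    """Hypothetical collector: one secret per enrolled probe, plus replay state."""

    def __init__(self):
        self._keys = {}   # probe_id -> secret set at provisioning time
        self._seen = {}   # probe_id -> highest report counter accepted so far

    def provision(self, probe_id: str) -> bytes:
        """Done once before the probe ships; the secret never appears in the source."""
        key = secrets.token_bytes(32)
        self._keys[probe_id] = key
        self._seen[probe_id] = -1
        return key

    def accept(self, envelope: dict):
        """Return (accepted, reason). Trust rests on the MAC, never on the firmware hash."""
        msg = envelope["msg"]
        key = self._keys.get(msg["probe_id"])
        if key is None:
            return False, "unknown probe"
        expected = hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, envelope["mac"]):
            return False, "bad mac"
        if msg["counter"] <= self._seen[msg["probe_id"]]:
            return False, "replay"
        self._seen[msg["probe_id"]] = msg["counter"]
        return True, "accepted"


class Probe:
    """Runs the published firmware; only the provisioned key differs between probes."""

    def __init__(self, probe_id: str, key: bytes, firmware: bytes = PUBLISHED_FIRMWARE):
        self.probe_id = probe_id
        self._key = key
        self._fw = firmware_hash(firmware)
        self._counter = 0

    def report(self, result: dict) -> dict:
        msg = {"probe_id": self.probe_id, "counter": self._counter,
               "fw": self._fw, "result": result}
        self._counter += 1
        mac = hmac.new(self._key, canonical(msg), hashlib.sha256).hexdigest()
        return {"msg": msg, "mac": mac}


def scenario() -> dict:
    """Run the four cases discussed in the thread and return the server's verdicts."""
    infra = Infrastructure()
    genuine = Probe("probe-0001", infra.provision("probe-0001"))

    # A build of the published source with a self-generated key, impersonating a real id.
    rogue = Probe("probe-0001", secrets.token_bytes(32))
    # The same build claiming an id the infrastructure never provisioned.
    stranger = Probe("probe-9999", secrets.token_bytes(32))

    verdicts = {
        "genuine": infra.accept(genuine.report({"rtt_ms": 12.3})),
        "rogue": infra.accept(rogue.report({"rtt_ms": 0.1})),
        "stranger": infra.accept(stranger.report({"rtt_ms": 0.1})),
    }

    # Replaying a genuine envelope: the MAC is valid but the counter does not advance.
    env = genuine.report({"rtt_ms": 13.0})
    infra.accept(env)
    verdicts["replay"] = infra.accept(env)

    # Altering a genuine result after it was signed invalidates the MAC.
    tampered = genuine.report({"rtt_ms": 14.0})
    tampered["msg"]["result"]["rtt_ms"] = 0.0
    verdicts["tampered"] = infra.accept(tampered)
    return verdicts


if __name__ == "__main__":
    for case, (ok, why) in scenario().items():
        print(f"{case:9s} -> {'accepted' if ok else 'rejected'} ({why})")
```

Nothing in the model depends on the firmware source being secret: anyone can read `Probe.report` and rebuild it, and the outcome is decided by whether the key that signed the report was one the infrastructure provisioned. The `fw` field travels inside the signed message so the server can attribute results to a firmware build, but `accept` never consults it for the trust decision.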