[Insight-developers] gdcmUtil.cxx polling for a MAC Address

Mathieu Malaterre mathieu.malaterre at gmail.com
Thu Apr 10 09:37:35 EDT 2008


Hi Stephen,

On Thu, Apr 10, 2008 at 3:25 PM, Stephen Aylward
<Stephen.Aylward at kitware.com> wrote:
> On Thu, Apr 10, 2008 at 9:08 AM, Mathieu Malaterre
>  <mathieu.malaterre at gmail.com> wrote:
>  >  > This is of concern because asking for something like a mac address may be
>  >  > considered a security risk by our customer...
>  >
>  >  I will not entered to much in the subject, but they are using open
>  >  source software after all ;-P
>  >  And as a side note, there is a much much easier solution to avoid this
>  >  'security risk', and it's called mac address spoofing.
>
>  Hi - just to clarify - for certain software delivered to the DOD, they
>  will run it on a test machine before running it on their secure
>  computers.   If they notice any "odd" behavior on the test machine,
>  they will not approve the software for installation on their secure
>  machines.   Note that they do not look at source code; they just
>  monitor the software's activity (I know few details about what this
>  exactly means).

sweet ! I love those black box approaches. It so much more easier to
do that rather than go throught the entire VTK + ITK + Cmake source
code :)

> Well, not surprisingly, it causes red flags to have
>  a visualization program, that we said did not use the network, to
>  spontaneously post an error message about a MAC address not being
>  found because of no active internet card.   While we know it isn't a
>  security risk, it is easy to see how other folks could perceive this
>  as "suspicious."

Ok, makes perfect sense now.

>  It would be great if we could have a developer optionally specify a
>  key via cmake instead of always using the MAC address.   If no key is
>  given, then it would be ok to fall back to the MAC address.  If a key
>  is given, then no MAC address is requested.

BTW, before I forgot, Patrick, this is NOT ok to replace by an empty
string, because UID will contains '12345..6789' and you are not
allowed to have '.' without any component in between. At least put a
number [1-9]

I think I know how to implement a proper patch, because we save room
(~13bytes) not using the mac adress, I replace that with a random
number. Hopefully people replacing the MAC address implementation with
the large random number offer some kind of hardware implementation
(like /dev/urandom). Ref:

http://gdcm.svn.sourceforge.net/viewvc/gdcm/trunk/Utilities/uuid/gen_uuid.c?view=markup

Can this be done after ITK freeze ?

Regards,
-- 
Mathieu


More information about the Insight-developers mailing list