Choose style:

Author Topic: Mandatory personal computer information  (Read 1194 times)

0 Members and 1 Guest are viewing this topic.

Offline armageddon51

  • Jr. Member
  • **
  • Posts: 82
  • Karma: 11
  • New Forum User
    • View Profile
  • Peppermint version(s): 6
Mandatory personal computer information
« on: October 17, 2016, 05:53:52 pm »
my personal opinion on always requiring basic personal computer information before asking a question set a precedent on Linux. I use a lot of support forums and Peppermint is the first who enforce such mandatory information to answer ANY question.

This information can be use to gather statistical data of Peppermint users with what hardware they use. It's much like Google who is scrapping everything it can with their browser. Also that information can be use by hackers, after a break in into the site for accounts. They will have the signature of your computer (namely network interface type, kernel version and disk partitions information). I sound a bit paranoiac but in my opinion that information should only be voluntary for a person who just want to ask a question on a certain piece of software without being require to give irrelevant informations.

Shoot !

Offline PCNetSpec

  • Administrator
  • Hero
  • *****
  • Posts: 26276
  • Karma: 2855
  • "-rw-rw-rw-" .. The Number Of The Beast
    • View Profile
    • PCNetSpec
  • Peppermint version(s): Peppermint 10
Re: Mandatory personal computer information
« Reply #1 on: October 17, 2016, 07:00:26 pm »
There is absolutely NOTHING in the inxi -Fz output that is a security risk or of any use to anyone except someone trying to assist you .. the -z option filters out the ONLY thing that might be considered a security risk (hardware MAC address).

The ONLY reason we're pushing this policy is because we nearly always have to ask for the information .. do you know how frustrating it gets receiving questions like:-

My wifi won't connect, please help

It just makes sense to ask up front for what will likely be asked anyway, saving both the user and respondent time .. we're not "enforcing" the policy as such but I'll guarantee if we don't HEAVILY promote it, it will get ignored and we're back to square one .. heck it's getting ignored even now and we're STILL having to waste time asking.

I repeat, there is NOTHING in the inxi -Fz output that could be considered a security risk AT ALL .. nor would it be ANY use as statistical data (for us or anyone else) other than what issues may be associated with what hardware .. surely that's relevant info for a support forum and will is HIGHLY likely to get your issue resolved sooner ?

This is PURELY a time saving exercise .. we thought people would appreciate that ?



Quote
a person who just want to ask a question on a certain piece of software without being require to give irrelevant informations.

Most people who ask questions on here are stuck .. how would they know if it were relevant or not and considering it CAN'T hurt, where's the harm ?

Quote
They will have the signature of your computer (namely network interface type, kernel version and disk partitions information).

Without you MAC address (or even IMHO with it), the only network info they'd have is your network adapter make/model (useless), kernel version (useless and easy to guess anyway if you're up to date), and what use is partition info to a hacker ?

That output doesn't even give your LOCAL IP (which is also useless) let alone your external IP and MAC .....

I REPEAT, THERE IS NOTHING IN THE OUTPUT THAT IS ANY USE TO A HACKER OR COULD IN ANY WAY BE CONSIDERED A SECURITY RISK.

Unless of course you've made your PC's hostname something like "steve-jones@52_Mullholland_Drive &_heres_my_bank_details:_" .. in which case feel free to obfuscate (or remove) the command prompt before posting (then again we don't ask for the command prompt anyway, just the OUTPUT) ;)

[EDIT]

Also please note the autoresponse requesting that output is NOT on every board on this forum, only the boards specifically targetted at technical support where it is most likely to be needed for issue diagnosis :)
« Last Edit: October 17, 2016, 09:28:12 pm by PCNetSpec »
WARNING: You are logged into reality as 'root' .. logging in as 'insane' is the only safe option.

Team Peppermint
PCNetSpec

Online VinDSL

  • Global Moderator
  • Hero
  • *****
  • Posts: 5439
  • Karma: 957
  • Peppermint Mod
    • View Profile
  • Peppermint version(s): Developmental Builds
Re: Mandatory personal computer information
« Reply #2 on: October 17, 2016, 07:31:41 pm »
Simply using a browser is more of a security risk than posting 'inxi' output, when it comes to fingerprinting machines !

Check this out:  https://panopticlick.eff.org/

Just saying ...  ;)

Offline PCNetSpec

  • Administrator
  • Hero
  • *****
  • Posts: 26276
  • Karma: 2855
  • "-rw-rw-rw-" .. The Number Of The Beast
    • View Profile
    • PCNetSpec
  • Peppermint version(s): Peppermint 10
Re: Mandatory personal computer information
« Reply #3 on: October 17, 2016, 07:36:42 pm »
it's not MORE of a security risk .. that implies the inxi -Fz output *is* but to a lesser degree

The inxi -Fz output is ZERO risk, and ZERO use to anybody except someone trying to assist you on this forum.

We wouldn't ask it if it were ;)
WARNING: You are logged into reality as 'root' .. logging in as 'insane' is the only safe option.

Team Peppermint
PCNetSpec

Online VinDSL

  • Global Moderator
  • Hero
  • *****
  • Posts: 5439
  • Karma: 957
  • Peppermint Mod
    • View Profile
  • Peppermint version(s): Developmental Builds
Re: Mandatory personal computer information
« Reply #4 on: October 17, 2016, 07:52:57 pm »
Agreed !

Adding the '-z' switch was brilliant ...   :D

Offline PCNetSpec

  • Administrator
  • Hero
  • *****
  • Posts: 26276
  • Karma: 2855
  • "-rw-rw-rw-" .. The Number Of The Beast
    • View Profile
    • PCNetSpec
  • Peppermint version(s): Peppermint 10
Re: Mandatory personal computer information
« Reply #5 on: October 17, 2016, 08:08:50 pm »
It was, but I can't claim it .. it was one of the other guys, zeb or GNULINUX I think.
(if I got that wrong, sorry whoever it was :-[)
WARNING: You are logged into reality as 'root' .. logging in as 'insane' is the only safe option.

Team Peppermint
PCNetSpec

Online VinDSL

  • Global Moderator
  • Hero
  • *****
  • Posts: 5439
  • Karma: 957
  • Peppermint Mod
    • View Profile
  • Peppermint version(s): Developmental Builds
Re: Mandatory personal computer information
« Reply #6 on: October 17, 2016, 08:20:52 pm »
I think it was 'veggie' ...  LoL !   :D

Offline perknh

  • Trusted User
  • Hero
  • *****
  • Posts: 3875
  • Karma: 303
  • Soy un huevo, nada más.
    • View Profile
  • Peppermint version(s): Peppermint 10
Re: Mandatory personal computer information
« Reply #7 on: October 17, 2016, 09:34:48 pm »
There is absolutely NOTHING in the inxi -Fz output that is a security risk or of any use to anyone except someone trying to assist you .. the -z option filters out the ONLY thing that might be considered a security risk (hardware MAC address).

Great thread!  Thank you, PCNetSpec.  I finally have learned what that z is all about.

And, VinDSL, I started using Privacy Badger again after clicking on Panopticlick, and, while doing so, I discovered a very clever extension called Canvas Defender too.

Thanks for the question, armageddon51.  You just helped me tighten up my browser's security.  ;)

perknh

P.S.

Here's a little about Canvas fingerprinting from Wikipedia.
« Last Edit: October 17, 2016, 11:39:22 pm by perknh »
We're all Peppermint users and that's what matters  ;).  -- AndyInMokum

Offline armageddon51

  • Jr. Member
  • **
  • Posts: 82
  • Karma: 11
  • New Forum User
    • View Profile
  • Peppermint version(s): 6
Re: Mandatory personal computer information
« Reply #8 on: October 18, 2016, 09:20:05 am »
Wow a lot of 4 stars generals here !  I like that.  :D ;D The question is you are right that the output is useless to a hacker UNLESS your users database is cracked which happen all the time even on the most secured sites. It contain username with the email address and now the computer information. There is way to get an IP address from an email even though it pass through an online service. Yes, network adapter type is relevant, some are easier to break in, the kernel version identify which security issues are presents. The partition information identify which OS the person is running, NTFS means Windows.

I use the Mint forum and through the millions of questions, very rarely that info is asked unless it is the hardware forum of course. I understand if the question is "wifi does not work" but if "Clementine does not load my music", I don't think the full computer bio is necessary. I think it is better then to have the responder use it's judgment in requiring the full hardware bio and not make it mandatory.

That said, it's your forum and your rules.

Cheers !   :P :P

Offline PCNetSpec

  • Administrator
  • Hero
  • *****
  • Posts: 26276
  • Karma: 2855
  • "-rw-rw-rw-" .. The Number Of The Beast
    • View Profile
    • PCNetSpec
  • Peppermint version(s): Peppermint 10
Re: Mandatory personal computer information
« Reply #9 on: October 18, 2016, 09:40:25 am »
Seriously ?

Visit a website and they have your IP .. knowing your kernel version isn't going to help them "hack" your system and it would be easy to guess anyway .. as with Windows they only need assume you're running the distros latest.

There is NOTHING in the inxi-Fz output that would help someone hack your system even if they had your name/address/phone number/IP

Quote
Yes, network adapter type is relevant, some are easier to break in, the kernel version identify which security issues are presents. The partition information identify which OS the person is running, NTFS means Windows.

That makes no sense....

Firstly the network adapter hardware is not relevant, it simply does a job, it's the underlying networking subroutines that could be vulnerable .. the hardware is irrelevant (unless you possibly had local access and a soldering iron), the Linux networking subroutines are open source anyway.

How does them knowing you have an NTFS partition help them ? .. they can safely assume 90+% of computer users have Windows anyway ?
(and how does that help/hurt anyway ? .. not that having an NTFS partition means you necessarily have Windows anyway so it'd still need to be an assumption on their part)

Be specific .. show me how knowing your hardware details and kernel version make Linux and your security weaker and I'll happily change the policy.

Kernel version is easy, we like ALL other distros advertise those anyway (and even if we didn't they'd only need to run Peppermint to find out) .. network hardware, there's only a limited amount of chipsets anyway (and knowing precisely which you have is useless and irrelevant to a hacker) .. partition info and filesystem again is irrelevant, it can in no way help someone 'get in' .. I'm still failing to see your point at all :-\
« Last Edit: October 18, 2016, 09:46:40 am by PCNetSpec »
WARNING: You are logged into reality as 'root' .. logging in as 'insane' is the only safe option.

Team Peppermint
PCNetSpec

Offline armageddon51

  • Jr. Member
  • **
  • Posts: 82
  • Karma: 11
  • New Forum User
    • View Profile
  • Peppermint version(s): 6
Re: Mandatory personal computer information
« Reply #10 on: October 18, 2016, 09:58:20 am »
Please calm down  ;) Network adapters all have built in firmware/microcode which can be hack to run a specific piece of code. Older adapters are easier to hack. This is a Linux forum so you expect that people run only Linux but the presence of ntfs means that they also probably run windows which is much easier to break into.

Offline PCNetSpec

  • Administrator
  • Hero
  • *****
  • Posts: 26276
  • Karma: 2855
  • "-rw-rw-rw-" .. The Number Of The Beast
    • View Profile
    • PCNetSpec
  • Peppermint version(s): Peppermint 10
Re: Mandatory personal computer information
« Reply #11 on: October 18, 2016, 10:04:35 am »
Sure, theoretically any driver/firmware could have a vulnerability, but I've never heard of anyone waiting to release a hack until they have specific info on who has the hardware .. they release hacks that probe ALL machines until they find one with the flaw.
(effectively assuming every machine has that vulnerability until proven wrong)

That driver/firmware would then pretty quickly get updated.

Quote
This is a Linux forum so you expect that people run only Linux but the presence of ntfs means that they also probably run windows which is much easier to break into.

Again a fairly safe assumption, but covered by the argument above.

Still not seeing any increased risk here....

PS. to calm down, I'd first need to be worked up .. I'm simply stating the facts as I see them, but of course you're free to disagree ;)

Personally I thank you for starting this topic .. hopefully some stuff can get clarified here, for those that are unnecessarily worried :)
« Last Edit: October 18, 2016, 10:17:50 am by PCNetSpec »
WARNING: You are logged into reality as 'root' .. logging in as 'insane' is the only safe option.

Team Peppermint
PCNetSpec

Offline GNULINUX

  • Trusted User
  • Member
  • *****
  • Posts: 987
  • Karma: 311
    • View Profile
  • Peppermint version(s): Peppermint Six (x64)
Re: Mandatory personal computer information
« Reply #12 on: October 18, 2016, 11:55:00 am »
Hi armageddon51,

Interesting question that I asked myself when I joined the forum! I have always removed the hardware id's of my network adapters (unless I was on a VM) because, for me, that could be privacy sensitive and not because it is a security risk.

I'm going to make a (personal) statement about this;
The inxi -F(z) output is not (never) a security risk on its own but may be a privacy risk! If that's your case... you are doing your privacy thing completely wrong!

Since I'm very interested in this subject you may always give (specific) examples why do you think it's a security risk!

Greets!  ;)
Peppermint 6  (x64)   -   Windows 7 Ultimate SP1  (x64)
Running different OS flavors in VirtualBox, just for fun!