[sclug] The SCLUG survey !!!

Graham Swallow lists at Information-Cascade.co.uk
Mon Feb 14 20:08:38 UTC 2005


	I vote for a second meeting in Bracknell/Maidenhead/SWTrains/M4
	two weeks apart from WED-2, but I'd prefer it to be a technical meeting.

	o	interesting time filler discussion whilst everyone arrives
	o	two quick talks (short straw in rotation, no shirkers, my job involves ...)
	o	one prepared presentation per evening
	o	a general review of FAQs answered since previous meets.

> Yes. The http variable that needs testing by the script writer is
> HTTP_FORWARDED_FOR instead of REMOTE_ADDR.

	The 'subtle blend of both' is essential but not watertight:
	This raises issues:

	REMOTE_ADDR comes from the TCP/IP comms
	It is harder to fake.

	HTTP_FORWARDED_FOR comes from the headers from the cache.
	Today PHP_script, I'll be ...

	A genuine remote cache might be foolable.
	(feed an unreliable story through a reliable source).

	E.g. someone creating a DoS attack can't be automatically rejected
	because they claim to be an HTTP-relay, with innocent users.

	One machine can appear to be many (avoiding three strikes and you're out)
	by providing a different HTTP_FORWARDED_FOR each time.

	If there IS a genuine (NTL) relay-cache, and IF it can be fooled,
	a DoS would target genuine users as the origins, locking out friends.

	If everyone does behave, you have excluded small workgroups with
	a single IP address. Not likely to be a problem for this survey, though.

	One low-tech compromise is to require unique email addresses,
	confirmed subscriptions, plain-text-secret in a cookie (session-id),
	a flag that says 'I'm the only user of this PC-browser'. Then send an
	email confirming the vote (and allowing updates, to new options
	proposed on the group).

	Interestingly enough, this would also fix Companies House accepting
	change of address (Identity theft of companies!). If they wrote to
	the old address, you'd notice.

--
   Graham
   www . Information-Cascade .co.uk
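
Added example, not part of the post above: a sketch of the "blend of both" for a vote limiter, where HTTP_FORWARDED_FOR (variable name as used in the thread) is honoured only when REMOTE_ADDR is a relay the operator already trusts, so rotating the header from one machine still counts against one key. The relay address, the limit of 3, the function names and the sample requests are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# Assumption: relay caches the operator has chosen to trust (constructed value).
TRUSTED_RELAYS = {ipaddress.ip_address("192.0.2.10")}
MAX_VOTES_PER_KEY = 3  # assumed "three strikes" limit


def vote_key(environ, trusted=TRUSTED_RELAYS):
    """Return the key a vote is counted against, from CGI-style variables."""
    peer = ipaddress.ip_address(environ["REMOTE_ADDR"])  # from the TCP connection
    claimed = environ.get("HTTP_FORWARDED_FOR", "").strip()
    if peer not in trusted or not claimed:
        # From an unknown peer the header is only a claim: ignore it.
        return str(peer)
    # Relays append the address they saw, so only the last entry was
    # written by the trusted relay; earlier entries are client-supplied.
    last = claimed.split(",")[-1].strip()
    try:
        return f"{peer}>{ipaddress.ip_address(last)}"
    except ValueError:
        return str(peer)  # malformed header: fall back to the TCP peer


def tally(requests):
    """Apply the per-key limit; return (accepted, rejected) counters."""
    accepted, rejected = Counter(), Counter()
    for env in requests:
        key = vote_key(env)
        if accepted[key] < MAX_VOTES_PER_KEY:
            accepted[key] += 1
        else:
            rejected[key] += 1
    return accepted, rejected


# Constructed sample: one machine rotating the header, then two users
# arriving through the trusted relay.
SAMPLE = [{"REMOTE_ADDR": "203.0.113.5", "HTTP_FORWARDED_FOR": f"10.0.0.{i}"}
          for i in range(5)]
SAMPLE += [{"REMOTE_ADDR": "192.0.2.10", "HTTP_FORWARDED_FOR": "198.51.100.7"},
           {"REMOTE_ADDR": "192.0.2.10", "HTTP_FORWARDED_FOR": "198.51.100.8"}]

if __name__ == "__main__":
    for counter in tally(SAMPLE):
        print(dict(counter))
```

The relay branch is only as good as the relay: if a trusted cache passes on whatever it is told, the second half of the key is still attacker-chosen, which is the "reliable source" problem described in the post.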

