[Koha-devel] Social Engineering, was: How to gather better popularity data?

Robin Sheat robin at catalyst.net.nz
Fri May 27 04:01:25 CEST 2011


G. Laws wrote on Thu 26-05-2011 at 18:12 [-0500]:
> I don't believe that there is any meaningful way to obscure the ILS from
> an experienced person looking for that information.

I'm being a bit too pedantic, but that's not the point. There are many
things that are fine to be known for an individual, but have a problem
when that knowledge is aggregated. (In intelligence circles, it's quite
possible for a document that's built from only public sources to be
classified.)

Software is one of those. If you want to attack all Koha systems, it's
harder to find out who the victims would be by going to each library and
seeing if they run Koha than by going to a central list and looking them
up there.

That said, risk is not a binary situation. Yes, there is risk by
centralising all that information. But I think it's a small risk
compared to the gains from doing so. There's a risk to me by me telling
you my phone number, or being in the phone book. But I do it anyway.
There's a risk of getting lured into a phishing attack by releasing my
email address (which then gets aggregated onto spam lists), but I do it
anyway.

I think the risk of being in libwebcats is so very minor that it's not
worth belabouring, especially when compared to the benefits gained by
aggregating all the data that Marshall does.

Especially because I can give you a URL that will give you many more
Koha catalogues than libwebcats tracks, in a less convenient way for
users, but about as useful for attackers:

http://www.google.com/webhp?hl=nl#q=intitle:%22Koha+Online+Catalog%22&hl=nl&site=webhp&prmd=ivns&ei=GgXfTf6pNu_SiAKMmdT0Cg&start=10&sa=N&bav=on.2,or.r_gc.r_pw.&fp=4f5adfb52970213d&biw=1678&bih=979

(also: congratulations Middletown Township Public Library, you seem to
have the most popular Koha OPAC out there :)

-- 
Robin Sheat
Catalyst IT Ltd.
✆ +64 4 803 2204
GPG: 5957 6D23 8B16 EFAB FEF8  7175 14D3 6485 A99C EB6D