When information like perl and OS characteristics are uploaded, the originating IP address is also uploaded. What could one do with this information? You can sometimes discover who owns this machine, starting with the IP.
- Ah, I know an exploit for perl 5.x.x. I'll bang on this IP to get root privleges.
- What? He's still using a 2.2 kernel? Wait till the chat forum hears about this!
- This fellow is using linux? I bet he'd be a good addition to the targetted list I am selling to Microsoft.
Now, I am not saying that you would do such dastardly deeds, but giving out such information does potentially decrease security.
If you implement something like this, it really should be opt-in, as people do install using CPAN, sometimes in an unattended fashion.
| [reply] |
the originating IP address is also uploaded.
Not necessarily, but for this discussion, let's assume direct connections.
You can sometimes discover who owns this machine, starting with the IP.
I can do the same by scanning networks. Why would I wait for you to install my module? :)
Ah, I know an exploit for perl 5.x.x. I'll bang on this IP to get root privleges.
Perl is not a netwok service and network services written in Perl can usually not be identified as such.
What? He's still using a 2.2 kernel? Wait till the chat forum hears about this! This fellow is using linux? I bet he'd be a good addition to the targetted list I am selling to Microsoft
Unrelated to the module installation.
decrease security
If you really think connecting to another host and thereby letting the other party know your IP address decreases security, please DISCONNECT IMMEDIATELY! THE WEB IS A DANGEROUS PLACE!
sometimes in an unattended fashion.
That's their fault. They shouldn't do that. Those who choose to do so take enormous risks already. They already implicitly agree to whatever license the module has, as not every module has the same license.
| [reply] |