Hacker News

The usernames do not need to be part of the audit trail -- the unique URL identifies the site it came from. You know your own logins, presumably, so it doesn't need to be there.

myaudithooks.com should not be centralized -- I 100% agree. You should just be able to put any old URL there. If I want my audit entries to go to my box, I absolutely should be able to.

You're right, some attacker could post bogus information if they know the url... however, the urls should be unique enough that they can't just be randomly "guessed" by an attacker. Another alternative is to provide a callback url, the way Stripe does, so the service can "authenticate" the audit log entry before I consider it valid. For example, if I receive an audit log entry with id "abcd1234", I can hit http://mydogfriends.com/audit/abcd1234 to make sure it responds appropriately.

The idea isn't fully fleshed out yet, but I think it wouldn't take a lot of work to make it happen.
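
Added example, not part of the comment above or of any existing service: a receiver-side sketch of the callback check the comment describes, using its `abcd1234` entry and `mydogfriends.com` URL. The hook token, the id format, the `event` field and the meaning of "responds appropriately" are assumptions, and `fake_site` is a constructed stand-in for the real HTTP call.

```python
import re
import secrets
from urllib.parse import quote

# Unguessable hook token (the secret part of my audit URL) -> callback base
# registered for that site. Constructed sample data; the token is hypothetical.
HOOKS = {"k3Jx-constructed-token": "http://mydogfriends.com/audit/"}

# Assumed id format; anything else is rejected before a URL is built.
ENTRY_ID = re.compile(r"[A-Za-z0-9]{8,64}")


def new_hook_token():
    """Make the per-site URL component infeasible to guess (256 random bits)."""
    return secrets.token_urlsafe(32)


def verify_entry(hook_token, entry, fetch):
    """Accept an audit entry only if the originating site confirms it.

    fetch(url) returns the site's JSON reply as a dict, or None on any error.
    It is injected so a real HTTP client can be swapped in.
    """
    base = HOOKS.get(hook_token)
    if base is None:
        return False  # entry arrived on a URL I never handed out
    entry_id = entry.get("id")
    if not isinstance(entry_id, str) or not ENTRY_ID.fullmatch(entry_id):
        return False  # e.g. "../admin" never reaches the callback
    # The callback host comes from my registry, never from the entry itself,
    # so a forged entry cannot point the check at a server the sender controls.
    reply = fetch(base + quote(entry_id, safe=""))
    if not isinstance(reply, dict):
        return False
    # Assumption: "responds appropriately" means echoing the same id and event.
    return reply.get("id") == entry_id and reply.get("event") == entry.get("event")


def fake_site(url):
    """Constructed stand-in for the callback endpoint on mydogfriends.com."""
    known = {"http://mydogfriends.com/audit/abcd1234":
             {"id": "abcd1234", "event": "login"}}
    return known.get(url)


if __name__ == "__main__":
    print(verify_entry("k3Jx-constructed-token",
                       {"id": "abcd1234", "event": "login"}, fake_site))
```
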



The really tricky bit is always figuring out how to apply the idea to the general public.

Where would all the users who find websites by typing domain names into Google ask mydogfriends.com to send their audit entries?

People running websites are also not necessarily technical -- often there was a techie involved during set up, but then it's just "apply the wordpress updates when it prompts you" and that's that. Support for audit trails needs to be built-in by default if it'll be widespread.

Interesting stuff, anyway. It's worthwhile to keep fleshing out the ideas and possible pathways.



