Leaking sensitive information

By assigning sequential ticket ids, RT inadvertently reveals the
number of support requests generated by the entire user community.
This is sensitive information that we would prefer not to give out to
everyone.

Is there a way to assign “random” ticket ids? If not entirely random,
to use a random increment?

Is anyone else concerned about this, and how have you handled it?

Best regards,

Dag Bruck
Dynasim AB
Lund, Sweden

At Mon, 20 Oct 2003 07:46:27 +0200,
Dag Bruck wrote:

> Is there a way to assign “random” ticket ids?

Not out of the box. And not without a lot of work.

> If not entirely random, to use a random increment?

(mysql solution… postgres solution is equivalent, but looks different.)

You could have a program run once in a while and increment the
AUTO_INCREMENT id field in the Tickets table to some random number
above your current MAX(Tickets.id)

ALTER TABLE Tickets AUTO_INCREMENT=

Just remember, when you hit Ticket ID 2147483647, you will have
issues. So make sure you’re not going to get that high with your
additional increments. (That’s one ticket a second for the next 68
years, or so.)

-R (who almost suggested creating the id field as an UNSIGNED INTEGER
in mysql.)
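
A sketch of the periodic bump suggested in the message above, as an added example that is not part of the original thread or of RT. The function names, the `reserve` safety margin and the sample numbers are assumptions; the caller supplies the current `MAX(Tickets.id)` and runs the resulting statement.

```python
import secrets

INT_MAX = 2147483647  # signed INT ceiling quoted in the thread


def next_auto_increment(current_max, max_gap, reserve=1_000_000):
    """Pick a counter value a random distance (1..max_gap) above current_max.

    current_max is the result of SELECT MAX(id) FROM Tickets, supplied by the
    caller. reserve (an assumed safety margin) is the number of ids kept free
    below INT_MAX; the bump is refused rather than eating into it.
    """
    if current_max < 0 or max_gap < 1:
        raise ValueError("current_max must be >= 0 and max_gap >= 1")
    gap = 1 + secrets.randbelow(max_gap)   # unpredictable, uniform in 1..max_gap
    candidate = current_max + 1 + gap      # +1: the id the next ticket would get
    if candidate > INT_MAX - reserve:
        raise OverflowError("bump would leave fewer than %d ids" % reserve)
    return candidate


def alter_statement(value):
    """Build the ALTER TABLE statement; only a plain in-range int is accepted."""
    if type(value) is not int or not 0 < value <= INT_MAX:
        raise ValueError("AUTO_INCREMENT must be an int in 1..INT_MAX")
    return "ALTER TABLE Tickets AUTO_INCREMENT=%d" % value


def years_of_headroom(current_max, tickets_per_day, runs_per_day, max_gap):
    """Estimate years until INT_MAX; each run skips (max_gap + 1) / 2 on average."""
    ids_per_day = tickets_per_day + runs_per_day * (max_gap + 1) / 2
    return (INT_MAX - current_max) / ids_per_day / 365.0


if __name__ == "__main__":
    current = 48210  # constructed sample value for MAX(Tickets.id)
    print(alter_statement(next_auto_increment(current, max_gap=5000)))
    print("%.0f years left" % years_of_headroom(current, 200, 24, 5000))
```

The headroom estimate makes the id-space cost of each schedule visible before it is deployed: larger or more frequent gaps hide volume better but reach the 2147483647 limit sooner.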

> Is there a way to assign “random” ticket ids?

> (mysql solution… postgres solution is equivalent, but looks different.)
>
> You could have a program run once in a while and increment the
> AUTO_INCREMENT id field in the Tickets table to some random number
> above your current MAX(Tickets.id)

instead of that, you could run something daily that sets it to
something representing the day. such that your ticket ids are of the
form . If you do it by frobbing the db’s
autoincrementing thing directly, the impact on rt is minimal.

I think I saw patches awhile back to get rt to use date-sequence ids,
but I might have imagined them.

seph

“RS” == Robert Spier <rspier@pobox.com> writes:

RS> (mysql solution… postgres solution is equivalent, but looks different.)

in postgres, you can alter the corresponding sequence’s increment
value. Choose some nice prime number and you should obfuscate it
nicely, unless someone is creating a lot of tickets simultaneously.

I wonder if you could set up a trigger to alter the sequence increment
after every insert into the table… hmmm…

Vivek Khera, Ph.D. Khera Communications, Inc.
Internet: khera@kciLink.com Rockville, MD +1-240-453-8497
AIM: vivekkhera Y!: vivek_khera http://www.khera.org/~vivek/