Comments
-
That's a lot of BS that Mr. GDPR is telling, and clearly does not understand its material... Also, those issues can easily be "masked" with a variety of tools.
Also, it's in fact no issue to log the IP addresses, but you have to ensure that only qualified, authorized personnel can access those logs for valid reasons.
Basically, you need ELK with authentication on Kibana for limited personnel and that's it.
Why am I telling this? I make my business implementing standards and compliance for customers. I successfully helped customers get through certification.
I back my shit up.
-
Sivet776y
As far as I know it is a disputed area, and I am no GDPR expert, so just following our GDPR person.
So I'll bring it up and ask into it, thanks 😄
-
If you want to delete IP addresses before logging, you can log them to a named pipe, and another script reads from it, masks them and writes the 'clean' log to the real log file.
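The named-pipe approach described in the comment above, as an added example that is not part of the thread or of any update system's code. The file names, the sample log lines and the policy of zeroing the last IPv4 octet are assumptions; IPv6 addresses are not handled.

```shell
#!/bin/sh
# Added illustration: the log producer writes to a FIFO, a reader masks
# IPv4 addresses and appends the result to the real log file.

# mask_ips: stdin -> stdout filter. Keeps the first three octets of each
# IPv4 address and replaces the last with 0 (assumed masking policy).
# Caveat: any dotted quad is rewritten, including 4-part version strings.
mask_ips() {
    sed -E 's/(^|[^0-9.])([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\.[0-9]{1,3}/\1\2.0/g'
}

# demo: one pass through the pipeline in a private temp directory.
# A long-running service would instead keep the reader alive under a
# supervisor and point the update system's log path at the FIFO.
demo() {
    dir=$(mktemp -d) || return 1
    fifo=$dir/update.log.fifo     # hypothetical path the producer logs to
    log=$dir/update.log           # the "clean" log that is actually stored

    # 0600: only the owning service account may read or write the pipe,
    # so unmasked lines are not exposed to other local users.
    mkfifo -m 600 "$fifo" || return 1

    # Reader: blocks until a writer opens the FIFO, exits on writer close.
    mask_ips < "$fifo" >> "$log" &
    reader=$!

    # Constructed sample lines standing in for the update server's output.
    printf '%s\n' \
        '2024-01-01T00:00:00Z device=ab12 src=203.0.113.57 action=poll' \
        '2024-01-01T00:00:05Z device=cd34 src=198.51.100.200 action=download' \
        > "$fifo"

    wait "$reader"
    cat "$log"
    rm -rf "$dir"
}

demo
```

The unmasked address only ever exists in the pipe buffer, so nothing has to be scrubbed from disk afterwards; the trade-off raised in the next comment still applies, since the original address is gone for good.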
-
The problem with "scripting the sensitive data away" is that sometimes for justified technical or security reasons you NEED that data.
So tooling that modifies the logs is really a no-go. What you rather need is to restrict access to systems that generate these logs and collect/send them to a centralized logging system. That logging system needs to be administered properly, with ACLs and auditing of actions. That way you are ISO and GDPR compliant.
Today's GDPR-Bullshittery.
So we are using an open source remote update system for updating our embedded devices.
And today we learned that that system logs IP addresses. And lo and behold, Mr. GDPR says that is a no-no.
So either we completely drop it, find a new update system and implement it.
Sift through all the source code of the update system, "fix" it and recompile it.
Or we set up a man-in-the-middle attack on ourselves, to mask the IP addresses.
GDPR encouraging hacking ourselves, I fucking love it!
rant
gdpr