On Sun, Sep 26, 1999 at 07:48:35PM +0200, Adam Morrison wrote:
> > Assuming sufficient skill on the intruder's part, there isn't much you can
> > do. There are precautions you can take to make things harder, and to help
> > you analyze things after the event happened (Tripwire/the likes).
>
> Again, this relies on underestimating the attacker. Once root is
> broken, anything (Tripwire included) can be fooled.

This is straying off topic, but readers of this thread may want to
take a look at Bruce Schneier and John Kelsey's paper about tamper
evident logs:

http://www.counterpane.com/audit-logs.html
(PDF and Postscript d/l)

Here's the abstract:

In many real-world applications, sensitive information must be kept
in log files on an untrusted machine. In the event that an attacker
captures this machine, we would like to guarantee that he will gain
little or no information from the log files and to limit his ability
to corrupt the log files. We describe a computationally cheap method
for making all log entries generated prior to the logging machine's
compromise impossible for the attacker to read, and also impossible
to undetectably modify or destroy.
--
believing is seeing
[EMAIL PROTECTED]
http://www.forum2.org/gaal/
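
An added example, not part of the original message and not the paper's own construction: a minimal Python sketch of the forward-secure idea the abstract describes, in which each entry is MACed over a running hash chain with a key that is then replaced by its own hash. It covers integrity only (entries are not encrypted), and the names Logger, evolve and verify, the sample key and the sample log lines are made up for illustration.

```python
import hashlib
import hmac

ZERO = b"\x00" * 32  # starting value of the hash chain


def evolve(key: bytes) -> bytes:
    """One-way key update: the previous key cannot be computed from the new one."""
    return hashlib.sha256(b"evolve" + key).digest()


class Logger:
    """Runs on the untrusted machine and holds only the current key."""

    def __init__(self, initial_key: bytes):
        self.key = initial_key
        self.chain = ZERO
        self.entries = []  # list of (message, tag)

    def append(self, msg: bytes) -> None:
        self.chain = hashlib.sha256(self.chain + msg).digest()
        tag = hmac.new(self.key, self.chain, hashlib.sha256).digest()
        self.entries.append((msg, tag))
        self.key = evolve(self.key)  # the old key is overwritten


def verify(initial_key: bytes, entries) -> int:
    """Trusted side, which kept initial_key: index of first bad entry, or -1."""
    key, chain = initial_key, ZERO
    for i, (msg, tag) in enumerate(entries):
        chain = hashlib.sha256(chain + msg).digest()
        expected = hmac.new(key, chain, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return i
        key = evolve(key)
    return -1


if __name__ == "__main__":
    k0 = bytes(range(32))  # constructed sample key
    log = Logger(k0)
    for line in (b"sshd: login alice", b"sudo: alice to root", b"cron: job 17 ok"):
        log.append(line)  # constructed sample log lines
    print("intact log:", verify(k0, log.entries))
    # An intruder arriving now holds only log.key (the key for entry 3).
    forged = list(log.entries)
    chain1 = hashlib.sha256(ZERO + log.entries[0][0]).digest()
    chain2 = hashlib.sha256(chain1 + b"sudo: nothing here").digest()
    forged[1] = (b"sudo: nothing here", hmac.new(log.key, chain2, hashlib.sha256).digest())
    print("rewritten entry 1 detected at index:", verify(k0, forged))
```

Dropping entries from the end of the log is not caught by this sketch unless the verifier also knows how many entries to expect.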