Re: And You Thought You Were Paranoid...


Richard Childers (avsd!childers@ucbvax.Berkeley.EDU)
11 Nov 88 23:56:52 GMT


In article <7080011@eecs.nwu.edu> naim@eecs.nwu.edu (Naim Abdullah) writes:

>In PRINCIPLE "ls -l" is not enough. The worm had root privs, it could have
>installed a modified /bin/ls so that if one of the files being listed
>was fsck, vmunix, ls, telnetd etc (the tampered binaries) /bin/ls
>would always show predetermined sizes. In that situation, "ls -l" wouldn't
>be enough.

I thought about this a long time ago, back when I first realized that given
a source license, one could be the source of a lot of trouble. I was just
starting as a system administrator, and so I didn't do anything fancy - I
made a script that used checksums generated from binaries off the tape and
stored a backup of the script on another tape.

A variation on this theme reports drift from network mean on the part of
any critical file on any critical machine ( 'critical' meaning 'important
enough for me to install this silly-assed paranoid script on' ) and keeps
backup copies at a secret location. If someone wants to play those games,
they're going to have to work harder than I am already.

>In such a situation, you would have no inkling that there was anything
>wrong.

Assume the worst from the first, then you won't be surprised.

>This kind of paranoia isn't worth it ...

It's saved me hours of work on a monthly basis for years.

> Naim Abdullah

-- richard
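The two checks Richard describes above, a baseline of checksums taken from known-good media and a comparison of each critical file against the rest of the network, written out as an added example in Python. This is not Richard's script or anything from the thread; the file names (`ls`, `telnetd`), the three host names and the file contents are constructed for the demonstration, and SHA-256 stands in for whatever checksum tool the original used. It assumes, as the post does, that the checker and its stored baseline live somewhere the compromised machine cannot rewrite; a root-level intruder who can trojan `/bin/ls` can equally trojan the checker or the interpreter running it on that host, which is exactly why the baseline and a copy of the script go to separate tape.

```python
import hashlib
import os
import tempfile
from collections import Counter


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(paths):
    """Map each path to its digest. Take this from known-good media (the post's
    'binaries off the tape') and store the result off the machine it describes."""
    return {p: hash_file(p) for p in paths}


def check_against_baseline(baseline, hash_fn=hash_file):
    """Compare live files with the stored baseline.
    Returns {path: reason} for every file that is missing or whose digest differs."""
    drift = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            drift[path] = "missing"
        elif hash_fn(path) != expected:
            drift[path] = "modified"
    return drift


def drift_from_consensus(host_hashes):
    """The post's 'drift from network mean' variant: for each file, the digest
    reported by the majority of hosts is the 'mean', and hosts whose digest
    differs are reported. Input: {host: {name: digest}}. With an even split
    (two hosts disagreeing) Counter picks one side arbitrarily, so run this
    over enough hosts for a majority to exist."""
    per_file = {}
    for host, digests in host_hashes.items():
        for name, digest in digests.items():
            per_file.setdefault(name, {})[host] = digest
    outliers = {}
    for name, by_host in per_file.items():
        consensus, _ = Counter(by_host.values()).most_common(1)[0]
        odd = sorted(h for h, d in by_host.items() if d != consensus)
        if odd:
            outliers[name] = odd
    return outliers


def demo():
    """Constructed scenario: three 'hosts', each a directory holding the same two
    binaries; one host's copy of 'ls' is altered after the baseline is taken."""
    with tempfile.TemporaryDirectory() as root:
        names = ["ls", "telnetd"]
        hosts = {}
        for host in ("alpha", "beta", "gamma"):
            d = os.path.join(root, host)
            os.mkdir(d)
            for n in names:
                with open(os.path.join(d, n), "wb") as f:
                    f.write(b"ELF-placeholder-" + n.encode())  # constructed content
            hosts[host] = [os.path.join(d, n) for n in names]
        # baseline taken from beta while it is still known-good
        baseline = build_baseline(hosts["beta"])
        # a tampered binary changes its content; simulate that with one extra byte
        with open(os.path.join(root, "beta", "ls"), "ab") as f:
            f.write(b"\x00")
        single = check_against_baseline(baseline)
        # each host's digests keyed by file name so they compare across hosts
        network = {h: {os.path.basename(p): hash_file(p) for p in ps}
                   for h, ps in hosts.items()}
        return {"single_host": {os.path.basename(p): r for p, r in single.items()},
                "network": drift_from_consensus(network)}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports `ls` as modified on the single-host check and names `beta` as the odd host out on the network check, while `telnetd`, untouched everywhere, is silent in both. Note that the comparison reads file contents directly rather than trusting `ls -l` output, which is the weakness Naim raised: a size column can be faked by a trojaned `ls`, but a digest of the bytes cannot be matched by a different binary without the attacker also controlling the checker.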



This archive was generated by hypermail 2.0b3 on Thu Mar 09 2000 - 14:44:30 GMT