Richard Childers (avsd!childers@ucbvax.Berkeley.EDU)
11 Nov 88 23:56:52 GMT
In article <firstname.lastname@example.org> email@example.com (Naim Abdullah) writes:
>In PRINCIPLE "ls -l" is not enough. The worm had root privs, it could have
>installed a modified /bin/ls so that if one of the files being listed
>was fsck, vmunix, ls, telnetd etc (the tampered binaries) /bin/ls
>would always show predetermined sizes. In that situation, "ls -l" wouldn't
I thought about this a long time ago, back when I first realized that given
a source license, one could be the source of a lot of trouble. I was just
starting as a system administrator, and so I didn't do anything fancy - I
made a script that used checksums generated from binaries off the tape and
stored a backup of the script on another tape.
A variation on this theme reports drift from network mean on the part of
any critical file on any critical machine ( 'critical' meaning 'important
enough for me to install this silly-assed paranoid script on' ) and keeps
backup copies at a secret location. If someone wants to play those games,
they're going to have to work harder than I am already.
>In such a situation, you would have no inkling that there was anything
Assume the worst from the first, then you won't be surprised.
>This kind of paranoia isn't worth it ...
It's saved me hours of work on a monthly basis for years.
> Naim Abdullah
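Added example, not the poster's own script: a minimal POSIX sh version of the baseline-checksum idea described above, which compares hashes against a manifest recorded from known-good binaries rather than trusting `ls -l`. The file names, the manifest location and the use of sha256sum are assumptions.

```shell
#!/bin/sh
# Added example (not the original poster's script): baseline-and-drift
# check for critical files. Paths below are placeholders, not from the post.

# Print the SHA-256 of one file. Assumes coreutils sha256sum or shasum.
# A trojaned ls cannot influence this, but a trojaned hashing tool could,
# so the checker and its manifest belong on trusted media (the poster's tape).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# build_baseline MANIFEST FILE... : record "hash size path" for each file,
# taken from binaries known to be clean (e.g. freshly restored from tape).
build_baseline() {
    manifest=$1; shift
    : > "$manifest"
    for f in "$@"; do
        size=$(wc -c < "$f" | tr -d ' ')
        printf '%s %s %s\n' "$(hash_file "$f")" "$size" "$f" >> "$manifest"
    done
}

# check_baseline MANIFEST : re-hash every listed file and report drift.
# Returns 0 if everything matches, 1 if any file changed or vanished.
check_baseline() {
    manifest=$1; status=0
    while read -r want_hash want_size path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; status=1; continue
        fi
        if [ "$(hash_file "$path")" != "$want_hash" ]; then
            echo "CHANGED  $path (recorded $want_size bytes)"; status=1
        fi
    done < "$manifest"
    return $status
}
```

Run build_baseline once from a clean system, keep the manifest off-host, and run check_baseline from cron or by hand; any non-zero exit is the drift the poster's script reported.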
This archive was generated by hypermail 2.0b3 on Thu Mar 09 2000 - 14:44:30 GMT