[GLLUG] monolithic kernel (debian 3.0) and ethernet devices

Melson, Paul PMelson@sequoianet.com
Thu, 21 Mar 2002 16:40:51 -0500


True enough.  Tools, or at least designs exist to falsify most checksum data (be it CRC, SHA1, or MD5), and falsifying mtime stamps is trivial as well.  This adds up to not being able to trust file system integrity software (i.e. Tripwire) 100%.  Realistically, there is no silver bullet for host-based security initiatives (or anything else, for that matter).

Another interesting article, this time from a trade rag, discusses applying Bayes' theorem to security risk management.  (http://www.infosecuritymag.com/2002/feb/columns_executive.shtml)  The important thing to take away from this is that the more *complementary* tools you utilize, the more likely you will be to prevent, or at least detect, an attack.

PaulM


-----Original Message-----
From: Ben Pfaff [mailto:blp@cs.stanford.edu]
Sent: Thursday, March 21, 2002 4:11 PM
To: Melson, Paul
Cc: linux-user@egr.msu.edu
Subject: Re: [GLLUG] monolithic kernel (debian 3.0) and ethernet devices

Well, yes, it's best for secure storage, but how do you make sure
that the code that computes checksums and compares them to what's
on the read-only medium has not itself been compromised?  You
can't.  And in fact rootkits do lie about file contents in order
to avoid this kind of issue.
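An added illustration of the point made above about complementary checks (example code written for this archive page, not anything from the thread or from Tripwire): a constructed scenario where a file is replaced but its timestamps are put back, so an mtime-only integrity check reports nothing while a content-hash check still flags the file. The file names and contents are made up; as the thread notes, the baseline and the checker itself still have to come from media you trust.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Baseline: relative path -> (mtime_ns, sha256). Store this on read-only media."""
    base = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            base[os.path.relpath(p, root)] = (os.stat(p).st_mtime_ns, sha256_of(p))
    return base


def changed_by_mtime(root, base):
    """Files whose modification time differs from the baseline."""
    return sorted(rel for rel, (mt, _) in base.items()
                  if os.stat(os.path.join(root, rel)).st_mtime_ns != mt)


def changed_by_hash(root, base):
    """Files whose content hash differs from the baseline."""
    return sorted(rel for rel, (_, digest) in base.items()
                  if sha256_of(os.path.join(root, rel)) != digest)


def demo():
    """Constructed scenario: two fake binaries; 'ls' is replaced with its mtime restored."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("ls", b"original ls binary\n"), ("ps", b"original ps binary\n")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        base = snapshot(root)
        target = os.path.join(root, "ls")
        st = os.stat(target)
        with open(target, "wb") as f:
            f.write(b"replaced ls binary\n")
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))  # timestamps look untouched
        return changed_by_mtime(root, base), changed_by_hash(root, base)
```

Running `demo()` returns an empty list from the mtime check and `["ls"]` from the hash check, which is why a single signal should not be trusted on its own.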