[822] in Intrusion Detection Systems
RE: Signs of an Intruder
daemon@ATHENA.MIT.EDU (J.R.Valverde (jr))
Fri Dec 27 01:36:06 1996
Date: Tue, 17 Dec 1996 14:46:37 WET
From: "J.R.Valverde (jr)" <jrvalverde@Samba.cnb.uam.es>
To: ids@uow.edu.au
Reply-To: ids@uow.edu.au
>Just a couple comments. I agree paper logging is very safe, as dictated
>in "The Cuckoo's Egg," but I also remember reading in that book that Cliff
>ran into some paper jam problems, so that's one thing to keep in mind,
>physical reliability of your logs. Another one is cost, how much paper
>
I think I have discussed this before, but probably not in this
forum.
Paper is OK, but HD is candy-dandy. Paper has many problems: besides
being a tree-killer of the first magnitude, it is expensive and may have jams.
You may run out of paper just when it gets most interesting (and by Murphy's
law you will), a few years of logs may well take a few rooms' space, and
worst, paging through a hundred kilograms of paper to hunt a hacker is, to
say the least, boring (though surely it is good sport); as for making duplicates,
it's really hard (think of a handy fire burning all your proofs against that
damn employee just the day before the trial). Its main advantage is that
it cannot be tampered with remotely.
Hard disk, on the other hand, is a lot cheaper, environmentally safer, takes
less space and doesn't jam. You may run out of it, but it's very difficult if
only you are minimally careful. And it can be as tamper-proof as paper. Even more,
actually. Much, much more.
The solution is simple: instead of a printer or a console, connect a
personal computer with a big HD or a removable HD system, using a serial line
as you would with the console, and a kermit-like program that logs
everything to disk. There's no way anyone can remotely access your hard disk,
it won't jam, it won't run slowly in a message storm, you can make as many
backup copies as needed, take them home, to trial, to a fire-safe, etc., and
you can process the data with automated tools. Moreover, you can have your
program save the logs in encrypted form if you want to feel paranoid about
co-workers. And you can always use it as a console at the same time (and BTW
keep a log of your changes).
The encryption bit is important: it ensures that no one with physical
access to the logger can modify the logs. Someone may run off with part of your
paper, or "accidentally" throw a cartridge of toner/ink over your printout,
but they can't selectively modify your encrypted log. They can turn the computer
off, or type in a delete command, but there are hardware solutions to prevent
that.
It can fail, but not more than a printer, and it has all the advantages.
The only reason I can see for paper is if a judge could refuse anything not
on paper during a trial, but you can still print your listings.
So, please, help save the rainforest and use less paper.
jr
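The property jr wants from the "encryption bit" above is that nobody with access to the logging PC can selectively edit the captured console output without it showing. The example below is added here and is not code from the post or from any product it mentions; it also swaps in a keyed hash chain (HMAC over each record plus the previous record's MAC) instead of encryption, since a chain gives the tamper-evidence the post is after while leaving the log readable for the automated processing the post also wants. The record format (tab-separated `seq`, message, MAC), the `GENESIS` anchor, the key and the sample console lines are all constructed for the demonstration.

```python
import hashlib
import hmac
from typing import List, Optional, Tuple

# Constructed convention: the first record chains from a fixed all-zero anchor.
GENESIS = "0" * 64

# Constructed sample of what a kermit-style serial logger might capture.
SAMPLE_LINES = [
    "Dec 17 14:40:12 gw kernel: serial console session opened",
    "Dec 17 14:46:37 gw login: ROOT LOGIN on tty1 FROM console",
    "Dec 17 14:47:02 gw su: user jr to root on tty1",
]


def _mac(key: bytes, prev_mac: str, seq: int, message: str) -> str:
    """HMAC-SHA256 over the previous MAC, the sequence number and the message."""
    data = f"{prev_mac}\n{seq}\n{message}".encode("utf-8")
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class ChainedLog:
    """Append-only log in which every record commits to all records before it."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.records: List[Tuple[int, str, str]] = []  # (seq, message, mac)

    def append(self, message: str) -> str:
        # One record is one line on disk, so embedded newlines are refused.
        if "\n" in message or "\t" in message:
            raise ValueError("message must be a single tab-free line")
        seq = len(self.records)
        prev = self.records[-1][2] if self.records else GENESIS
        mac = _mac(self.key, prev, seq, message)
        self.records.append((seq, message, mac))
        return mac

    def checkpoint(self) -> str:
        """MAC of the newest record; a copy kept off the logger detects truncation."""
        return self.records[-1][2] if self.records else GENESIS

    def serialize(self) -> str:
        return "".join(f"{s}\t{m}\t{mac}\n" for s, m, mac in self.records)


def verify(text: str, key: bytes, checkpoint: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Return (ok, first_bad_seq).

    Editing or deleting any record breaks the MAC of that record (or shifts the
    sequence numbers after it), so the first failing position is reported.
    Cutting records off the tail leaves a valid shorter chain; that is only
    caught when the caller supplies a checkpoint held outside the logger.
    """
    prev = GENESIS
    expected_seq = 0
    for line in text.splitlines():
        try:
            seq_s, message, mac = line.split("\t")
            seq = int(seq_s)
        except ValueError:
            return False, expected_seq
        if seq != expected_seq or not hmac.compare_digest(mac, _mac(key, prev, seq, message)):
            return False, expected_seq
        prev = mac
        expected_seq += 1
    if checkpoint is not None and not hmac.compare_digest(prev, checkpoint):
        return False, expected_seq  # chain intact but shorter than the known tail
    return True, None


if __name__ == "__main__":
    log = ChainedLog(b"constructed-demo-key")
    for line in SAMPLE_LINES:
        log.append(line)
    text, cp = log.serialize(), log.checkpoint()
    print("untouched:", verify(text, log.key, cp))
    edited = text.replace("ROOT LOGIN", "LOGIN")
    print("edited record:", verify(edited, log.key, cp))
    print("truncated, no checkpoint:", verify("\n".join(text.splitlines()[:2]) + "\n", log.key))
    print("truncated, with checkpoint:", verify("\n".join(text.splitlines()[:2]) + "\n", log.key, cp))
```

The HMAC key and the latest checkpoint are the two things worth keeping off the logging PC (on the duplicates jr suggests taking home or to the fire-safe): whoever holds the key can rebuild a consistent chain, and without an external checkpoint a shortened log verifies cleanly.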