[7984] in bugtraq
Re: FreeBSD VM gremlin
daemon@ATHENA.MIT.EDU (der Mouse)
Sat Sep 19 19:26:07 1998
Date: Sat, 19 Sep 1998 03:24:38 -0400
Reply-To: der Mouse <mouse@RODENTS.MONTREAL.QC.CA>
From: der Mouse <mouse@RODENTS.MONTREAL.QC.CA>
To: BUGTRAQ@NETSPACE.ORG
>>> You should have md5 checksums of files that you are concerned
>>> about, as timestamps are useless in the face of a good attacker.
>> Rubbish! A checksum doesn't tell me that someone hadn't temporarily
>> replaced the file and has now put the original back.
> Ummm, you still can't tell that for a competent attacker.
Right. *Nothing* can tell you that, unless you have something like a
disk that can tell you how many times each sector has been written.
> A good attacker can set the system time, frob the file, set it back
> let time pass and then do the same thing to get the original back.
> You'd never know.
Well, setting the time usually leaves *some* traces - log entries,
timestamps on other files touched during that interval, etc. But if
you have root (necessary to set the time), you can - under most OSes -
modify the file underneath the filesystem, which leaves *no* traces,
short of those (hypothetical, AFAIK) sector write counts. I've done
this under a SunOS derivative (not for timestamp reasons but rather to
do a one-off modification on a filesystem mounted read-only).
der Mouse
mouse@rodents.montreal.qc.ca
7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
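
An added illustration of the thread's point, not part of der Mouse's message: a baseline that records a hash and timestamps for one file, compared while the content is temporarily changed and again after it has been put back. SHA-256 stands in for the MD5 mentioned in the thread; the file name, contents and field names are constructed for the example, and the ctime result assumes a POSIX filesystem.

```python
import hashlib
import os
import tempfile
import time


def snapshot(path):
    """Record what a file-integrity baseline can observe for one file."""
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"sha256": digest, "size": st.st_size,
            "mtime_ns": st.st_mtime_ns, "ctime_ns": st.st_ctime_ns}


def changed_fields(before, after):
    """Names of the baseline fields that differ between two snapshots."""
    return sorted(k for k in before if before[k] != after[k])


def replace_and_restore():
    """Compare a baseline against the file during and after a temporary change."""
    original = b"original contents\n"        # constructed sample data
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "watched.conf")
        with open(path, "wb") as f:
            f.write(original)
        os.utime(path, ns=(10**18, 10**18))   # fixed, constructed atime/mtime
        baseline = snapshot(path)
        time.sleep(1.1)                       # let the clock move past the baseline

        with open(path, "wb") as f:           # content temporarily replaced
            f.write(b"temporary contents\n")
        during = changed_fields(baseline, snapshot(path))

        with open(path, "wb") as f:           # original content put back
            f.write(original)
        os.utime(path, ns=(10**18, baseline["mtime_ns"]))  # mtime put back too
        after = changed_fields(baseline, snapshot(path))
    return during, after


if __name__ == "__main__":
    during, after = replace_and_restore()
    print("differs while replaced:", during)
    print("differs after restore: ", after)
```

After the restore the hash, size and mtime all match the baseline; only ctime, which the kernel stamps itself, still differs, and the message above describes how clock changes or writes underneath the filesystem remove even that.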