[2774] in bugtraq


Re: Read only devices (Re: BoS: amodload.tar.gz - ...)

daemon@ATHENA.MIT.EDU (Mark Riggins Mark.Riggins@att.com)
Fri Jun 21 15:51:21 1996

Date: 	Fri, 21 Jun 1996 09:43:30 -0400
Reply-To: Bugtraq List <BUGTRAQ@netspace.org>
From: "Mark Riggins Mark.Riggins@att.com" <mdr@vodka.sse.att.com>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
In-Reply-To:  <199606202323.AA01977@gateway.fedex.com> from "William McVey" at
              Jun 20, 96 06:23:46 pm

>  -- William wrote:
> It seems to me that this is the same as performing backups of your
> system onto tape.  You still have the problem of needing to know
> when you've compromised and needing to know what backup tapes (or
> CDs) are tainted with hostile bits.

Depends upon the use of the box.  If you can take a snapshot of the
box right after you load it from tape, such a CD is far more useful.
Of course you would have to go off-line, and reload from CD before
adding any software.  Then you could safely cut another CD.  Another
approach is to keep almost everything on a hard disk that has been
jumped read-only.  This can be mounted and maybe even booted off,
although the OS will need some writable partitions elsewhere for files
that *must* change.

B1 and higher level operating systems are much better at protecting
themselves against alteration and detecting when such alteration might
have occurred.  My system runs continuous auditing w/ real-time alarms
that tell me whenever a trusted binary or configuration file changes.

Also, B1 systems are much more adept at keeping user and OS files
separated and identifiable for purposes of backup and restore.

Mark Riggins
Secure Systems Engineering
AT&T Bell Labs
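
An added example, not part of the original message: one way to check a live tree against a known-good snapshot such as the read-only CD or jumpered disk discussed above. It assumes the snapshot is mounted read-only at a path you pass in; the function names and the paths in the comments are hypothetical.

```python
import hashlib
import os
import stat
import sys


def fingerprint(path):
    """Return (kind, permission bits, content digest) without following symlinks."""
    st = os.lstat(path)
    mode = stat.S_IMODE(st.st_mode)  # includes setuid/setgid bits
    if stat.S_ISLNK(st.st_mode):
        return ("link", mode, os.readlink(path))
    if not stat.S_ISREG(st.st_mode):
        return ("other", mode, "")
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return ("file", mode, h.hexdigest())


def walk(root):
    """Map each relative path under root to its fingerprint."""
    out = {}
    for dirpath, dirnames, filenames in os.walk(root):
        links = [d for d in dirnames if os.path.islink(os.path.join(dirpath, d))]
        for name in filenames + links:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root)] = fingerprint(full)
    return out


def compare_to_snapshot(snapshot_root, live_root):
    """Report how live_root differs from the trusted read-only snapshot."""
    ref, live = walk(snapshot_root), walk(live_root)
    return {
        "changed": sorted(p for p in ref if p in live and ref[p] != live[p]),
        "missing": sorted(p for p in ref if p not in live),
        "added": sorted(p for p in live if p not in ref),
    }


if __name__ == "__main__":
    # Assumed usage: compare.py /mnt/snapshot/usr/bin /usr/bin
    report = compare_to_snapshot(sys.argv[1], sys.argv[2])
    for kind, paths in report.items():
        for p in paths:
            print(f"{kind.upper():8} {p}")
    sys.exit(1 if any(report.values()) else 0)
```

The result is only as trustworthy as the interpreter and libraries doing the comparison, so run it from the read-only media rather than from the system being checked.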
