[2784] in bugtraq

Re: Write-only devices (Was read only devices)

daemon@ATHENA.MIT.EDU (Piete Brooks)
Mon Jun 24 02:47:09 1996

Date: 	Fri, 21 Jun 1996 22:00:19 +0100
Reply-To: Bugtraq List <BUGTRAQ@netspace.org>
From: Piete Brooks <Piete.Brooks@cl.cam.ac.uk>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
In-Reply-To:  Your message of Fri, 21 Jun 1996 16:40:29 +0100.
              <9606211540.AA28682@foo.oucs.ox.ac.uk>

> All the chat about mounting / and /usr read-only, with confusion over
> whether it was to be done in hardware or software, reminds me of a
> security device which ought to be well known and widely used but is
> hardly ever implemented.

Enter nit pick mode then :-))

> A write-only logger is incredibly useful when performing forensic work
> after something has gone badly wrong.

I cannot see why being unreadable helps for forensic work.
By making it unreadable, you can log "sensitive" material,
and the intruder cannot see what is being recorded.

However, I would consider Write Once as being the important property.

> I do not know of any readily available write-only output device other
> than printers these days.

My plan is to get a small Linux box, put a MUX card in it, and connect all the
consoles to it.
I suspect most sites would be able to set up a "sufficiently" secure system to
allow it to be network connected, but you could opt not to network connect it.
You could change an Exabyte to which the data is written when it's full,
or if you want to collect evidence before that, log in to the console,
select the required info, and write it to a floppy.


Where's the problem ??

> Clarification for pedants: by write-only, I mean something which is
> not readable, by the system performing the writing or, indeed, any other
> connected system without having to physically remove the device and
> re-connect it to a reading system.  Printer paper can be OCR'ed, but
> unless the output is fed into an OCR system, it is unreadable.

Agreed.

> Further, it must not be possible for anything to be deleted once written,

No -- I disagree -- that's "write once".
