On Wed, 12 Jun 2002, Ben Nagy wrote:

> I'll put all this more simply - every scheme to provide "authenticated"
> logs needs to use something secret. If it's onsite, then the secret
> isn't safe, and the logs just can't be trusted by an outsider.
I think it's possible to do up a scheme with a TCB that makes the bar high enough that it's essentially tamper-resistant (once upon a time I started to work on such a system, but then decided that the effort just wasn't worth it, since most people just don't care that something is designed far enough to take care of the 99.9th percentile; 20% seems good enough :( ).

Ideally, it'd include tamper-resistant hardware, though that really just wants something like the flash RAM epoxied to the motherboard and a custom BIOS, as well as a physical tamper alarm on the case (I'll spare the boring thoughts there.)

Given that, so that physical boots are an auditable event and there's a write-only BIOS area (enforced by the BIOS/OS) with some shared public/private OS<->BIOS checking going on (to stop foreign OS booting, which stops BIOS flashing, which keeps a relatively good level of integrity in the process), and given that as a mechanism for seeding the encryption of the filesystem(s), with only things in the TCB being able to have the key, you get to the point where the manager will have much better luck slipping half a kilo of $narcotic in your car.

Sure, you could go out, buy the equipment to monitor the RF, see the key exchange, get a newfangled crypto-cracking machine and break the keys, overcome the physical tampering alerts, whip out the drive, add your "evidence," unepoxy the flash, remove the downtime record, then put it all back in place - but at that point the cost of the attack is well outside of the realm of sanity. It'd be easier to fake video of you carrying off the machine at that point.

The point in infosec shouldn't be to try to negate an attack; that's a silly goal (and as you can see, it's possible to go to sillier lengths to "protect" things). It should be to make an attack vector not feasible.
This theoretical uberManager could vacuum the skin cells off the chair you sat in, lift your prints from the mouse, and go plant physical evidence of you killing his Director (so he can nail you AND get a promotion) as well. With the right preparation, you'd still get to meet Susan - who'd still be happy to see you.

> Sure, they're better than random logs in text, but if I were trying to
> prove beyond reasonable doubt (if that's still required in the US -
> lucky I'm not from the middle east... ;) that something happened based

So long as you're lucky enough to hit the criminal justice system, that's still the case. If we decide you're an enemy combatant, then you go into a military brig and we let you rot[1].

Paul

[1] I'm not necessarily against this policy.

-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]       which may have no basis whatsoever in fact."

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
For Account Management (unsubscribe, get/change password, etc) Please go to:
http://lists.gnac.net/mailman/listinfo/firewalls
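An added example, not from Ben's or Paul's posts, of the "something secret" problem the thread is arguing about: a forward-secure, hash-chained MAC log in the spirit of the Schneier and Kelsey audit-log construction. It assumes the initial key K0 is held only by an offsite verifier and the logging host keeps only the current epoch key, which it hashes forward and erases after every entry. The scenario at the bottom is constructed (the key, the hostnames and the log lines are made up) and shows three things a practitioner wants to know: a current key stolen from the box cannot be used to rewrite the earlier "downtime record", it can still be used to forge future entries, and truncation is only caught when the verifier independently knows how many entries to expect.

```python
# Forward-secure authenticated log (added example, not code from the thread).
# Each entry is HMAC'd under an epoch key K_i; the host then replaces K_i with
# K_{i+1} = H(K_i) and forgets K_i. Each tag also covers the previous tag, so the
# log is a hash chain. K0 lives offsite with the verifier, never on the host.
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

ZERO = b"\x00" * 32  # chain value before the first entry


def evolve(key: bytes) -> bytes:
    """One-way key update: K_{i+1} = SHA-256("evolve|" || K_i)."""
    return hashlib.sha256(b"evolve|" + key).digest()


def entry_tag(key: bytes, seq: int, msg: str, prev_tag: bytes) -> bytes:
    """HMAC over sequence number, message and previous tag (the chain link)."""
    data = seq.to_bytes(8, "big") + msg.encode("utf-8") + prev_tag
    return hmac.new(key, data, hashlib.sha256).digest()


class ForwardSecureLog:
    """The logging host's side: it holds only the *current* epoch key."""

    def __init__(self, initial_key: bytes) -> None:
        self.key = initial_key
        self.prev_tag = ZERO
        self.entries: List[Dict] = []

    def append(self, msg: str) -> Dict:
        seq = len(self.entries)
        tag = entry_tag(self.key, seq, msg, self.prev_tag)
        entry = {"seq": seq, "msg": msg, "tag": tag.hex()}
        self.entries.append(entry)
        self.prev_tag = tag
        self.key = evolve(self.key)  # K_seq is now gone from this host
        return entry


def verify(entries: List[Dict], initial_key: bytes,
           expected_count: Optional[int] = None) -> Tuple[bool, str]:
    """Offsite check: replay the key schedule from K0 and recompute every tag.
    expected_count (e.g. from a periodic offsite checkpoint) is what catches
    truncation; a bare chain cannot detect entries dropped from the tail."""
    key, prev = initial_key, ZERO
    for i, e in enumerate(entries):
        if e["seq"] != i:
            return False, f"sequence gap at {i}"
        tag = entry_tag(key, i, e["msg"], prev)
        if not hmac.compare_digest(tag, bytes.fromhex(e["tag"])):
            return False, f"bad tag at {i}"
        prev, key = tag, evolve(key)
    if expected_count is not None and len(entries) != expected_count:
        return False, f"truncated: {len(entries)} of {expected_count}"
    return True, "ok"


def tamper_scenarios() -> Dict[str, bool]:
    """Constructed scenario: the insider later obtains the host's current key."""
    k0 = hashlib.sha256(b"constructed demo key, never reuse").digest()
    log = ForwardSecureLog(k0)
    for m in ["boot", "login admin", "host down 02:10-02:40", "login admin"]:
        log.append(m)
    stolen_key = log.key  # K4: what an onsite attacker can read *now*
    results: Dict[str, bool] = {}

    # 1. The honest log verifies against K0 and the known count.
    results["honest"] = verify(log.entries, k0, 4)[0]

    # 2. Rewriting the downtime record with the stolen key fails: the verifier
    #    recomputes entry 2 under K2, which the host erased long ago.
    forged = [dict(e) for e in log.entries]
    forged[2]["msg"] = "host up"
    forged[2]["tag"] = entry_tag(stolen_key, 2, "host up",
                                 bytes.fromhex(forged[1]["tag"])).hex()
    results["rewrite_past_detected"] = not verify(forged, k0, 4)[0]

    # 3. Caveat: the stolen key IS K4, so a forged *future* entry verifies.
    #    Forward security protects what was logged before the compromise only.
    appended = [dict(e) for e in log.entries]
    t = entry_tag(stolen_key, 4, "nothing to see", bytes.fromhex(appended[3]["tag"]))
    appended.append({"seq": 4, "msg": "nothing to see", "tag": t.hex()})
    results["future_forgery_passes"] = verify(appended, k0, 5)[0]

    # 4. Truncation is caught only when the verifier knows the expected count.
    results["truncation_detected"] = not verify(log.entries[:2], k0, 4)[0]
    results["truncation_missed_without_count"] = verify(log.entries[:2], k0)[0]
    return results


if __name__ == "__main__":
    for name, ok in tamper_scenarios().items():
        print(f"{name}: {ok}")
```

The design choice worth noting against Ben's objection: the secret on the box is never the secret the verifier needs, because K_i is erased after use and K0 never leaves the verifier. What remains exposed is the future (scenario 3) and the tail of the log (scenario 4), which is why such schemes are paired with periodic commitments of the current chain value to an outside party, the role the offsite verifier's expected count plays here.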
