Path: utzoo!attcan!uunet!ncrlnk!ncrcae!ece-csc!mcnc!rutgers!apple!vsi1!octopus!avsd!childers
From: childers@avsd.UUCP (Richard Childers)
Newsgroups: comp.protocols.tcp-ip
Subject: Re: And You Thought You Were Paranoid...
Message-ID: <252@avsd.UUCP>
Date: 11 Nov 88 23:56:52 GMT
References: <7080011@eecs.nwu.edu>
Reply-To: childers@avsd.UUCP (Richard Childers)
Organization: AMPEX Corporation, Redwood City, CA
Lines: 32

In article <7080011@eecs.nwu.edu> naim@eecs.nwu.edu (Naim Abdullah) writes:

>In PRINCIPLE "ls -l" is not enough. The worm had root privs, it could have
>installed a modified /bin/ls so that if one of the files being listed
>was fsck, vmunix, ls, telnetd etc (the tampered binaries) /bin/ls
>would always show predetermined sizes. In that situation, "ls -l" wouldn't
>be enough.

I thought about this a long time ago, back when I first realized that given a
source license, one could be the source of a lot of trouble. I was just starting
as a system administrator, and so I didn't do anything fancy - I made a script
that used checksums generated from binaries off the tape and stored a backup of
the script on another tape.

A variation on this theme reports drift from network mean on the part of any
critical file on any critical machine ( 'critical' meaning 'important enough for
me to install this silly-assed paranoid script on' ) and keeps backup copies at
a secret location. If someone wants to play those games, they're going to have
to work harder than I am already.

>In such a situation, you would have no inkling that there was anything
>wrong.

Assume the worst from the first, then you won't be surprised.

>This kind of paranoia isn't worth it ...

It's saved me hours of work on a monthly basis for years.

> Naim Abdullah

-- richard
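The two checks Richard describes, a checksum baseline taken from a trusted tape copy and a "drift from network mean" comparison across machines, written out as an added example that is not part of the original post. The file names, host names and digest algorithm are assumptions for the demo; on a host whose root has been taken, the checksum tool itself has to come from the trusted medium, which is why the post keeps the script on a separate tape.

```python
# Added example, not from the original post: a checksum baseline taken from a trusted
# copy, a drift check against it, and the "drift from network mean" variant across hosts.
# File names and host names are constructed for the demo.
import hashlib
import tempfile
from collections import Counter
from pathlib import Path

CRITICAL = ["bin/ls", "etc/telnetd", "vmunix"]  # the kind of files the thread names

def file_digest(path):
    """Hash in chunks so a large binary such as vmunix need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root, names=CRITICAL):
    """Digests of the critical files under a trusted root, e.g. a fresh restore from tape."""
    return {n: file_digest(Path(root) / n) for n in names}

def check_host(root, baseline):
    """Names whose live digest differs from the baseline; a missing file counts as drift."""
    p = {n: Path(root) / n for n in baseline}
    return sorted(n for n, d in baseline.items() if not p[n].is_file() or file_digest(p[n]) != d)

def network_drift(reports):
    """reports: {host: {name: digest}}. The digest most hosts agree on is the 'network mean';
    returns {host: [names]} for hosts that disagree. This finds one tampered machine, not a
    whole fleet tampered identically, so the tape baseline remains the final authority."""
    drift = {}
    for n in sorted({n for r in reports.values() for n in r}):
        consensus = Counter(r[n] for r in reports.values() if n in r).most_common(1)[0][0]
        for host, r in reports.items():
            if r.get(n) != consensus:
                drift.setdefault(host, []).append(n)
    return drift

def demo():
    """Constructed scenario: three hosts restored identically, then ls tampered on one."""
    hosts = {h: Path(tempfile.mkdtemp()) for h in ("alpha", "beta", "gamma")}
    for root in hosts.values():
        for n in CRITICAL:
            (root / n).parent.mkdir(parents=True, exist_ok=True)
            (root / n).write_bytes(b"pristine " + n.encode())
    baseline = build_baseline(hosts["alpha"])  # recorded before anything could be tampered
    (hosts["beta"] / "bin/ls").write_bytes(b"trojaned ls")  # root-level tampering on beta
    reports = {h: {n: file_digest(r / n) for n in CRITICAL} for h, r in hosts.items()}
    return check_host(hosts["beta"], baseline), network_drift(reports)
```

The baseline check flags the tampered ls on beta directly, and the cross-host comparison reaches the same verdict without needing the tape, as long as a majority of the machines are still clean.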