On Wed, 2005-11-02 at 22:24 -0300, Leonardo Lopes Pereira wrote:
> > This particular idea is still new to me. We definitely do need to discuss
> > this to give me a better idea of how it would work in real life.
> I am not a security paranoiac. But I cannot trust someone when I do
> not know who they are. I am the sysadmin of my computer; I trust myself.
> My brother is the sysadmin of the other computer that I have, and I trust
> him. But I do not know who the sysadmin of the computer at my
> university is. How can I know that they will not put backdoors in the
> programs?
Leonardo:

I understand what you are saying, but the situation is not quite so
black and white. Once an OS is installed, there are really only two
things that a sysadmin is able to do:

1. Things that are done by tampering at the hardware layer through
   disk forensics.
2. Things that are enabled by the operating system, such as replacing
   binaries.
3. Things that are permitted by the system administration software. In
   this context, I mean to include the effects of text editors. The
   ability to edit a configuration file is only important because some
   piece of software reads that file.

It is possible to architect an operating system in such a way that (2)
cannot be used to bypass the administration tools, and (3) effectively
limits the feasible actions of the administrator -- for example,
prevents spying.

*If* the operating system is designed this way, then we are reduced to
two cases:

1. The system administrator used forensics. This is a complicated
   attack. It is expensive in terms of time. It is not unreasonable to
   base your estimation of your safety on the high cost of the attack.
   Maybe trusting your brother is better, maybe not. (I certainly *hope*
   so, but I don't know your brother.)
2. The installed OS may not be the OS you think it is. This is also a
   relatively high-cost attack, because it introduces risk into the
   entire administrative domain. The administrator must balance the
   desire to spy on you against the loss of support. Also, this attack
   can be made prohibitively expensive by secure boot hardware such as
   a TPM.

So there is a great deal of truth in your statement, but there may be
more room for confidence than you believe.

shap

_______________________________________________
L4-hurd mailing list
L4-hurd@gnu.org
http://lists.gnu.org/mailman/listinfo/l4-hurd
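The second case above, a swapped OS being caught by TPM-style measured boot, as an added illustration that is not part of the thread and not code from shap, the Hurd or L4 projects. It is a pure-Python simulation of a single SHA-256 PCR bank: the boot component images, the "golden" reference values and the function names are all constructed here for the example, and no real TPM device or library is used.

```python
import hashlib

PCR_SIZE = 32  # byte length of a SHA-256 PCR (the TPM 2.0 SHA-256 bank)


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend as a TPM does it: new = H(old || H(measured data)).

    A PCR can only be extended, never written, so the final value commits
    to every component in the chain and to the order they were measured.
    """
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measured_boot(components):
    """Measure each boot component into one PCR, returning (pcr, event_log).

    components: list of (name, image_bytes) in boot order. The event log
    records what was extended so a verifier can explain a mismatch.
    """
    pcr = bytes(PCR_SIZE)  # PCRs start at all-zero bytes after reset
    event_log = []
    for name, image in components:
        event_log.append((name, hashlib.sha256(image).hexdigest()))
        pcr = extend(pcr, image)
    return pcr, event_log


def replay_log(event_log):
    """Recompute the PCR from an event log alone (what a remote verifier does)."""
    pcr = bytes(PCR_SIZE)
    for _name, digest_hex in event_log:
        pcr = hashlib.sha256(pcr + bytes.fromhex(digest_hex)).digest()
    return pcr


def first_divergence(expected_log, actual_log):
    """Name the first component whose digest differs, or None if the logs agree."""
    for (exp_name, exp_digest), (act_name, act_digest) in zip(expected_log, actual_log):
        if exp_name != act_name or exp_digest != act_digest:
            return act_name
    if len(expected_log) != len(actual_log):
        return "chain length"
    return None


def attest(expected_pcr, reported_pcr, reported_log):
    """Verifier side: accept only if the reported PCR equals the golden value
    and the reported event log replays to that same PCR."""
    if reported_pcr != expected_pcr:
        return False
    if replay_log(reported_log) != reported_pcr:
        return False  # the log does not explain the PCR, so the log was edited
    return True


# Constructed stand-ins for boot components; on a real machine these would be
# the firmware, bootloader and kernel images actually loaded.
GOLDEN_CHAIN = [
    ("firmware", b"vendor-firmware-image"),
    ("bootloader", b"bootloader-image"),
    ("kernel", b"kernel-image-as-shipped"),
]
# Same chain, but the administrator swapped the kernel for a modified one.
SWAPPED_KERNEL_CHAIN = [
    ("firmware", b"vendor-firmware-image"),
    ("bootloader", b"bootloader-image"),
    ("kernel", b"kernel-image-with-modification"),
]

GOLDEN_PCR, GOLDEN_LOG = measured_boot(GOLDEN_CHAIN)

if __name__ == "__main__":
    pcr, log = measured_boot(SWAPPED_KERNEL_CHAIN)
    print("attestation passes:", attest(GOLDEN_PCR, pcr, log))
    print("first differing component:", first_divergence(GOLDEN_LOG, log))
```

What the simulation leaves out is the part that makes the attack expensive in practice: a real TPM reports the PCR inside a quote signed by a key that never leaves the chip, so the administrator cannot simply hand the verifier the golden value while booting something else. Here `attest` takes the reported PCR on faith; the log-replay check only catches an event log that was edited after the fact.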