Re: Shades of FV's Nathaniel Borenstein: Carnivore's Magic Lantern
Jay Sulzberger writes:
> On Wed, 21 Nov 2001 [EMAIL PROTECTED] wrote:
>> Jay Sulzberger writes:
>>> On Wed, 21 Nov 2001 [EMAIL PROTECTED] wrote:
>>>> R. A. Hettinga writes:
>>>>> Everyone remember First Virtual's Nat Borenstein's major discovery of the keyboard logger?
>>>>> 'Magic Lantern' part of new 'Enhanced Carnivore Project' [etc]
>>>> In the same vein, but a different application, does anyone know what the state of the art is for detecting such tampering? In particular, when sitting at a PC doing banking, is there any mechanism by which a user can know that the PC is not corrupted with such a key logger? The last time I checked, there was nothing other than the various anti-virus software.
>>>> Paul
>>> If you are running a source secret operating system, it is more difficult to detect tampering.
>> I'm sure it is, unless you have to be the company that owns the source-secret operating system, in which case you can presumably do whatever is done by an open-source system. Now, what (beyond AV and tripwire) is done?
>> Paul
> There is much that the holder of copyright on a source secret OS could do. But their best efforts would likely be less effective than the best efforts called forth by the market forces which operate on free software.

Unclear at this point. The fact that a certain company produces a poor OS does not mean all secret source OSes are poor. Are AIX, HPUX, Solaris, VMS, VM, ... all worse than Linux on this point? They certainly tend to be tampered with far less.

- The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Shades of FV's Nathaniel Borenstein: Carnivore's Magic Lantern
Jay D. Dyson writes:
> On Wed, 21 Nov 2001 [EMAIL PROTECTED] wrote:
>>> Yet another reason why Open Source is your friend.
>> I did not mean to imply that I am running some variety of windows. I am interested in the technical problem of what is the state of the art for detecting whether or not a computer has been tampered with. The use of some version of un*x does not per se solve this.
> I'm afraid we're still in the arms race model in that respect. Every time one party comes up with a new widget, another party quickly follows with a widget-defeater. Then the original party releases an updated widget with a widget-defeater-defeater feature. Then the opposing party responds in kind. On and on it goes... like a dog chasing its tail.
>
> My original response handles the electronic portion of the equation (though I do concede the point another writer made that all bets are off when the day of the Backdoored BIOS arrives). If you mean only the physical aspect of the equation, there are a number of tricks you can use ranging from sealing a system with epoxy, locks and so on... or (for those who dig Mission: Impossible stuff), boobytrapping a system to either explode a dye-pack (like that used in banks) or commit digital seppuku if an unauthorized party dicks with it.
>
> I must admit the dye-pack idea has a certain appeal to it. Nothing would make my day like seeing some goons come out of my house with bright Candy Apple Red faces.

I'm not actually worried about physical access at this point. Breaking and entering is a lot more difficult than hacking into a system, and frequently leaves evidence. More to the point, this is no different as a risk than that experienced whenever you use a physical ATM machine to access cash. My concern is with software access to a machine that is to be used in the same manner as an ATM.

Paul
Re: Shades of FV's Nathaniel Borenstein: Carnivore's Magic Lantern
Jay D. Dyson writes:
> On Wed, 21 Nov 2001 [EMAIL PROTECTED] wrote:
>> But this doesn't really address the question. Certainly you take various precautions. The question is: how can I know if the system is compromised?
> There's a wealth of utilities that can indicate system compromise. These tools range from Tripwire to the Advanced Intrusion Detection Environment (AIDE), plus a range of network sniffing utilities that can be configured to look for unusual traffic. There's also the CryptoFileSystem that precludes the Great Forces of Malevolence from sneaking things onto your drive without your knowledge.

Thanks.

> All of these security-enhancing features must be predicated by cradle-to-grave security, though. That means trusted installation of a trusted OS from a trusted source on a trusted, non-networked box. Coupled with that is assured physical security of the system by tamper-evident systems.

I assume you mean non-networked at installation time, not afterwards.

> In the final analysis, there's no substitute for simple human vigilance and a healthy amount of paranoia. Not one of these tools is of any use if you have a user at the helm who will gleefully download and execute the latest trojan horse.

I'm not entirely sure I believe that last statement. Let's say I have a tripwire-like system, but the process is constantly running. So you cannot compromise the code on disk in a useful fashion. What can a trojan actually do without being detected?
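The "tripwire-like system" discussed in the message above, as an added example that is not code from the thread, from Tripwire or from AIDE: a minimal integrity checker that baselines a directory tree, seals the baseline with an HMAC so the database itself cannot be silently rewritten, and reports what changed. The directory layout, file contents and key are constructed for the demo.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

def file_digest(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> dict:
    # Per regular file: content hash, size, permission bits (so a bare chmod is still flagged).
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.lstat()
            baseline[str(p.relative_to(root))] = [file_digest(p), st.st_size, st.st_mode & 0o7777]
    return baseline

def seal(baseline: dict, key: bytes) -> str:
    # Tripwire signs its database; an HMAC over the canonical JSON plays that role here.
    return hmac.new(key, json.dumps(baseline, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def verify(root: Path, baseline: dict, tag: str, key: bytes) -> dict:
    if not hmac.compare_digest(seal(baseline, key), tag):
        raise ValueError("baseline database has been altered")
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k]),
    }

def demo(key: bytes = b"constructed-demo-key") -> dict:
    # Constructed scenario: same-length edit to a binary, a planted library, a deleted config file.
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for sub in ("bin", "etc", "lib"):
            (root / sub).mkdir()
        (root / "bin" / "login").write_bytes(b"exec /bin/real-login\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = build_baseline(root)
        tag = seal(baseline, key)
        (root / "bin" / "login").write_bytes(b"exec /bin/fake-login\n")
        (root / "lib" / "planted.so").write_bytes(b"\x7fELF")
        (root / "etc" / "hosts").unlink()
        return verify(root, baseline, tag, key)
```

Like Tripwire and AIDE, this checker can only trust what the kernel returns for each file; a compromised kernel or the backdoored BIOS mentioned earlier in the thread defeats it, which is why the sealed baseline and the checker itself belong on read-only or off-box media.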
Re: Shades of FV's Nathaniel Borenstein: Carnivore's Magic Lantern
Kent Borg writes:
> On Wed, Nov 21, 2001 at 10:40:11AM -0500, [EMAIL PROTECTED] wrote:
>> In the same vein, but a different application, does anyone know what the state of the art is for detecting such tampering? In particular, when sitting at a PC doing banking, is there any mechanism by which a user can know that the PC is not corrupted with such a key logger? The last time I checked, there was nothing other than the various anti-virus software.
> I can imagine an arms race between the Feds and anti-virus-types, that is until the anti-virus programs are strong-armed one way or the other into backing down. I am certain that will happen, either behind the scenes or by public law.
>
> I think you are toast if you are sitting at a PC and the Feds ~really~ want to catch your keystrokes. That is, if the Feds are acting competently. They might be coy with their good keyloggers to keep samizdat word of their details from getting out. They might save the good stuff for important targets.

My concern isn't with the Feds snooping. It is with some criminal who wants banking-type information so as to rob the account, though it would appear that solving the one implies solving the other.

> Alternatively, to move to a physical analogy, instead of leaving a telltale thread on your door and trying to spot intruders that way, you might instead invest in good locks in the first place. That is, to use a reasonably secure operating system. At risk of starting an OS war, a well managed Linux box is going to be pretty secure.
>
> Or, for a practical example, I am typing this on a Linux notebook that mostly is obscured behind firewalls. If I keep damn Javascript OFF and don't launch viruses that might be sent to me, and don't reuse passwords between here and an unsecure computer, I think they are going to have a very hard time cracking in without my knowing.

But this doesn't really address the question. Certainly you take various precautions. The question is: how can I know if the system is compromised?

Paul
Re: Shades of FV's Nathaniel Borenstein: Carnivore's Magic Lantern
At 10:40 AM 11/21/2001 -0500, [EMAIL PROTECTED] wrote:
> In the same vein, but a different application, does anyone know what the state of the art is for detecting such tampering? In particular, when sitting at a PC doing banking, is there any mechanism by which a user can know that the PC is not corrupted with such a key logger? The last time I checked, there was nothing other than the various anti-virus software.

I have not used them, but you might find these of interest, all for Windows systems -

Spycop
http://spycop.com

Hook Protect or PC Security Guard
http://www.geocities.com/SiliconValley/Hills/8839/utils.html

I note that the latter URL loads a page which Bugnosis http://www.bugnosis.org identifies as containing possible web bug single-pixel images and complicated cookies.

--
Greg Broiles -- [EMAIL PROTECTED] -- PGP 0x26E4488c or 0x94245961
5000 dead in NYC? National tragedy.
1000 detained incommunicado without trial, expanded surveillance? National disgrace.
Re: Shades of FV's Nathaniel Borenstein: Carnivore's Magic Lantern
On Wed, 21 Nov 2001 [EMAIL PROTECTED] wrote:
> R. A. Hettinga writes:
>> Everyone remember First Virtual's Nat Borenstein's major discovery of the keyboard logger?
>> 'Magic Lantern' part of new 'Enhanced Carnivore Project' [etc]
> In the same vein, but a different application, does anyone know what the state of the art is for detecting such tampering? In particular, when sitting at a PC doing banking, is there any mechanism by which a user can know that the PC is not corrupted with such a key logger? The last time I checked, there was nothing other than the various anti-virus software.
> Paul

If you are running a source secret operating system, it is more difficult to detect tampering.

oo--JS.
Re: Shades of FV's Nathaniel Borenstein: Carnivore's Magic Lantern
Jay Sulzberger writes:
> On Wed, 21 Nov 2001 [EMAIL PROTECTED] wrote:
>> R. A. Hettinga writes:
>>> Everyone remember First Virtual's Nat Borenstein's major discovery of the keyboard logger?
>>> 'Magic Lantern' part of new 'Enhanced Carnivore Project' [etc]
>> In the same vein, but a different application, does anyone know what the state of the art is for detecting such tampering? In particular, when sitting at a PC doing banking, is there any mechanism by which a user can know that the PC is not corrupted with such a key logger? The last time I checked, there was nothing other than the various anti-virus software.
>> Paul
> If you are running a source secret operating system, it is more difficult to detect tampering.

I'm sure it is, unless you have to be the company that owns the source-secret operating system, in which case you can presumably do whatever is done by an open-source system. Now, what (beyond AV and tripwire) is done?

Paul