
RE: [inbox] Re: [Full-Disclosure] Reacting to a server compromise



On Mon, 4 Aug 2003, Curt Purdy wrote:

> Actually the traditionally accepted court evidence is real-time printouts of
> data received by the syslog server.

So what would stop anyone from replacing some of the printouts after the
fact?

It's pretty much as insecure as log files in terms of being susceptible to
tampering with by the alleged victim (although less susceptible to remote
manipulation by the attacker after the fact, true).

-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2003-08-05 09:43 --

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html