>>> You should have md5 checksums of files that you are concerned
>>> about, as timestamps are useless in the face of a good attacker.
>> Rubbish! A checksum doesn't tell me that someone hadn't temporarily
>> replaced the file and has now put the original back.
> Ummm, you still can't tell that for a competent attacker.

Right. *Nothing* can tell you that, unless you have something like a
disk that can tell you how many times each sector has been written.

> A good attacker can set the system time, frob the file, set it back
> let time pass and then do the same thing to get the original back.
> You'd never know.

Well, setting the time usually leaves *some* traces - log entries,
timestamps on other files touched during that interval, etc.

But if you have root (necessary to set the time), you can - under most
OSes - modify the file underneath the filesystem, which leaves *no*
traces, short of those (hypothetical, AFAIK) sector write counts. I've
done this under a SunOS derivative (not for timestamp reasons but
rather to do a one-off modification on a filesystem mounted read-only).

der Mouse

mouseat_private

7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
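The point argued in the thread, as an added example that is not part of the original message: a baseline that stores only a checksum cannot see a file that was changed and then restored, while one that also stores inode metadata can, in the case where the clock and the raw device were left alone. SHA-256 is used here in place of the md5 mentioned above; the function names, field names and sample content are assumptions made for this illustration.

```python
import hashlib
import os
import tempfile
import time

# Fields stored in the baseline; the checksum is only one of them.
FIELDS = ("sha256", "size", "mtime_ns", "ctime_ns", "inode")


def snapshot(path):
    """Record the content hash plus the metadata a checksum alone ignores."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    st = os.stat(path)
    return {
        "sha256": digest.hexdigest(),
        "size": st.st_size,
        "mtime_ns": st.st_mtime_ns,
        # On POSIX systems ctime is the inode change time, maintained by the kernel.
        "ctime_ns": st.st_ctime_ns,
        "inode": st.st_ino,
    }


def changed_fields(baseline, current):
    """Return the names of the baseline fields that no longer match."""
    return [name for name in FIELDS if baseline[name] != current[name]]


def replace_and_restore_demo():
    """Constructed scenario: content is altered, then the original bytes return."""
    original = b"setting=original\n"  # constructed sample content
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "sample.conf")
        with open(path, "wb") as f:
            f.write(original)
        baseline = snapshot(path)
        time.sleep(0.2)  # step past the filesystem's timestamp granularity
        with open(path, "wb") as f:
            f.write(b"setting=modified\n")
        with open(path, "wb") as f:
            f.write(original)
        return changed_fields(baseline, snapshot(path))


if __name__ == "__main__":
    # The checksum matches again; only the timestamps record the episode.
    print(replace_and_restore_demo())
```

As the message says, this only catches changes made through the filesystem with the clock left alone; a root-level write underneath the filesystem updates none of these fields.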
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:16:54 PDT