Re: FreeBSD VM gremlin

From: der Mouse (mouseat_private)
Date: Sat Sep 19 1998 - 00:24:38 PDT


    >>> You should have md5 checksums of files that you are concerned
    >>> about, as timestamps are useless in the face of a good attacker.
    >> Rubbish!  A checksum doesn't tell me that someone hadn't temporarily
    >> replaced the file and has now put the original back.
    > Ummm, you still can't tell that for a competent attacker.
    
    Right.  *Nothing* can tell you that, unless you have something like a
    disk that can tell you how many times each sector has been written.
    
    > A good attacker can set the system time, frob the file, set it back,
    > let time pass and then do the same thing to get the original back.
    > You'd never know.
    
    Well, setting the time usually leaves *some* traces - log entries,
    timestamps on other files touched during that interval, etc.  But if
    you have root (necessary to set the time), you can - under most OSes -
    modify the file underneath the filesystem, which leaves *no* traces,
    short of those (hypothetical, AFAIK) sector write counts.  I've done
    this under a SunOS derivative (not for timestamp reasons but rather to
    do a one-off modification on a filesystem mounted read-only).
    
                                            der Mouse
    
                                   mouseat_private
                         7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
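
The checksum-versus-timestamp point argued in this thread, as an added example that is not part of the original message: a baseline that records both a content digest and the inode timestamps, run against a file that is overwritten and then restored through the normal filesystem interface. SHA-256 stands in for the MD5 mentioned in the thread; the file name and contents are constructed, and a POSIX filesystem with sub-second timestamps is assumed.

```python
import hashlib
import os
import tempfile
import time


def snapshot(path):
    """Record the content digest and inode timestamps of one file."""
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    st = os.stat(path)
    return {
        "sha256": digest,
        "mtime_ns": st.st_mtime_ns,   # last content write
        "ctime_ns": st.st_ctime_ns,   # last inode change (POSIX meaning)
    }


def changed_fields(baseline, current):
    """Names of the recorded fields that differ from the baseline."""
    return sorted(k for k in baseline if baseline[k] != current[k])


def replace_and_restore_demo():
    """Overwrite a constructed file, put the original bytes back, and
    report which baseline fields noticed."""
    original = b"constructed sample: trusted contents\n"
    temporary = b"constructed sample: temporary contents\n"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "watched.conf")  # hypothetical file name
        with open(path, "wb") as fh:
            fh.write(original)
        baseline = snapshot(path)
        time.sleep(0.05)              # step past the timestamp granularity
        with open(path, "wb") as fh:
            fh.write(temporary)
        time.sleep(0.05)
        with open(path, "wb") as fh:
            fh.write(original)
        return changed_fields(baseline, snapshot(path))


if __name__ == "__main__":
    # The digest is absent from the result: the restored bytes hash the same.
    print(replace_and_restore_demo())
```

The timestamps here are only as trustworthy as the system clock and the filesystem layer that maintains them, which is the limitation the message describes for an attacker with root.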
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:16:54 PDT