RE: Where are greater risks?

From: crazytrain.com (subscribeat_private)
Date: Fri Jun 29 2001 - 13:44:59 PDT

    Well, I've been keeping quiet . . . enjoying the thread, and now that I'm 
    all wound up on Mt. Dew, how 'bout a release?!!? :)
    
    It appears at some point the technical merit and focus of this thread has 
    gone askew - much like the ill-fated (IMO) CFTT board over at Yahoo.  WHY 
    anyone is getting to OS design questions, I cannot fathom.  But, it's been 
    good lurking, and I'd like to add some points:
    
    1) Please move beyond the OS . . . anyone could question anyone about 
    anything, is that general enough?  But the fact of the matter is, whether 
    one uses Win32, *nix, Mac, BeOS, DOS, or whatever, the point needing care 
    is that the acquisition and analysis was done in a thorough and sound 
    manner.  That's the bare bones of it.  Granted, it'd be icing if the 
    examiner is skilled and versed enough to be able to both:
         a) speak intelligently
         b) speak in a day to day manner
    to the court as to what they did, how they did it, and in a manner such 
    that non-technical humans can grasp/understand/and nod their heads in 
    agreement.
    
    (I think I got lost on the comment about how Linux moves data from disk to 
    disk????)
    
    2)  I think the community would benefit if the blinders were removed - 
    remember, there are many focus areas for forensics (toxicology, arson, 
    etc.).  Perhaps we look to the other more experienced, defined, and been-
    around-a-lot-longer-than-ya fields and observe with an open mind and ask 
    questions.  How does one stand up in court and defend a microscope used 
    (yah, pretty extreme, but appropriate for this thread)?  At some point you 
    have to say "I did my job, this is my skillset, this is how I did it, these 
    were the tools I used, I did not write them, here are my findings."  
    
    3)  As for "How do you know that the data that ends up on the target drive 
    isn't stuff..."  Well, you wipe the drive, simple enough.  I mean, you can 
    testify that after 'x' number of years, and 'xxxx' number of times wiping, 
    that this is the process, this is how I know the data was wiped.  And look, 
    all we have is a big ol' drive full of 0s.  So, it is now clean and ready 
    for use.  I grab a drive, I wipe the drive, I ensure it's clean (search for 
    any non-zero), and then I use it.
    
    
    4)  Not sure about the "why Linux has a history of..." question?  Huh?  
    Times they are a changin, wasn't that Dylan?  Evolution, betterment, 
    design, foresight, just a few.  James hit it on the head, FAT12, FAT16, 
    FAT32, NTFS, and same applies to Linux.  But, also, filesystem design is 
    not just because of 'problems with old ones'.  It also happens by need.  
    Have you looked into GFS, XFS, ReiserFS -> there is a need for journalled 
    file systems.  This is not to say that non-journaled have problems, but 
    more appropriately, that this is an added value, a benefit, a need for this 
    type of FS.  Not for everyone, in all cases, on all systems.  
    
    5)  What about virtual memory?  How does this apply?  If you examine 
    thoroughly, neutrally, and send off your findings, what of VM?  Let's say 
    nothing good or bad is in VM.  What's the point?  If VM is a concern, what 
    about the NTLDR, the mods, the maintenance fdisk sector, etc.  It gets 
    ridiculous after a while, no?  IF found in VM, okay, so?
    
    6) Why are we talking about complete code audits of OSs?  Huh?  
    Applicability?  The fact boils back to have you followed a documented and 
    accepted methodology/practice, and if so, what were the findings?  Is this 
    duplicable?  Are there sound answers accepted by the scientific community 
    as to these findings?  There are, oh, cool.  
    
    
    7)  "The security history of linux" ? ? ? what?  I don't know, maybe too 
    much dew!  What does security have to do with any of this?
    
    moving on. .  .
    
     
    8)  What's wrong with linux being 'developed by a bunch of hobbyists'?  
    Well, please define 'developed'.  Please also define 'hobbyists.'  When 
    you've defined those two, please argue why who developed it matters.  
    Please then argue as to who developed win32, AIX, HP-UX, etc.  I'm getting 
    the impression you're anti penguin?!!? :)  
    
    Oh, BTW, these 'hobbyists' - I work with some of them, side by side, day in 
    and day out.  I ran this by them, and it drew plenty of laughter, head shaking, 
    as well as some fun comments and a tinge of resentment.  You see, some have 
    Masters, some PhDs, and some have none - but all have a technical expertise 
    that is developed, refined, and the drive to improve when the day is done!!
    
    What are the industry best practices?  Hmm. . . . security (check), scaling 
    (check), documentation (check), portability (check), do I go on?
    
    Linux can be used whenever the examiner is comfortable using it, when the 
    situation warrants, and when tools are available.  Same for win32, mac, 
    *nix, etc.  No?  Whether a home pc or an enterprise 6000, what tools do you 
    have, what can you use to interface and acquire, and where are your 
    skillsets, those matter!  
    
    Linux is just an OS - I wouldn't call it a tool.  TCT is a tool, gpart is a 
    tool, lde is a tool, encase is a tool, expert witness is a tool, ftk is a 
    tool, ilook is a tool, glimpse is a tool, dd is a tool, md5sum is a tool, 
    cryptcat is a tool, etc. etc. etc.  Get it straight, the difference between 
    tools and OSs, for there is a big one!
    
    alright, I've done squashed this soap box!  back to work at RED HAT!! :)
    
    farmerdude
    
    please, if I've had too much dew, just send the flames to /dev/null
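Point 3 above describes the examiner's routine for a target drive: wipe it, then search it for any non-zero byte before using it for an acquisition. The script below is an added illustration of that verification step, not farmerdude's code or a tool from the list; it assumes the target is given as a path (a block device such as a placeholder /dev/sdX that the examiner can read, or an image file), reads it in fixed-size chunks so memory use stays flat on drives far larger than RAM, reports the offset of the first non-zero byte, and records the drive's size and MD5 alongside the result so the check is repeatable by a second examiner. The sample images it builds under a temporary directory are constructed for the demonstration.

```python
"""Verify that a wiped target drive (or an image of it) contains only zero bytes.

Added example for the 'search for any non-zero' step in farmerdude's point 3.
Assumptions: the target is readable at `path` (a block device or image file);
sample images are constructed in a temp directory, not real evidence drives.
"""
import hashlib
import os
import tempfile
from typing import Optional

CHUNK_SIZE = 1024 * 1024  # 1 MiB reads: constant memory regardless of drive size


def verify_zeroed(path: str, chunk_size: int = CHUNK_SIZE) -> dict:
    """Single pass over the target: hash every byte and locate the first non-zero one.

    Returns a small record an examiner could paste into notes: path, byte count,
    MD5 of the whole target, whether it is clean, and the offset of the first
    non-zero byte (None when the target is entirely zero-filled).
    """
    md5 = hashlib.md5()
    zero_chunk = bytes(chunk_size)          # reference block to compare against
    size = 0
    first_nonzero: Optional[int] = None
    with open(path, "rb", buffering=0) as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            md5.update(chunk)
            # Fast path: one comparison per chunk; the byte scan only runs on the
            # first chunk that fails, so a clean drive is checked at read speed.
            if first_nonzero is None and chunk != zero_chunk[: len(chunk)]:
                first_nonzero = size + next(i for i, b in enumerate(chunk) if b)
            size += len(chunk)
    return {
        "path": path,
        "size": size,
        "md5": md5.hexdigest(),
        "clean": first_nonzero is None,
        "first_nonzero": first_nonzero,
    }


def make_sample_image(size: int, poison_offset: Optional[int] = None) -> str:
    """Constructed sample input (not a real drive): a zero-filled file of `size`
    bytes, optionally with a single 0x41 byte planted at `poison_offset` to
    simulate a wipe that did not cover the whole drive."""
    directory = tempfile.mkdtemp(prefix="wipecheck-")
    path = os.path.join(directory, "target.img")
    with open(path, "wb") as fh:
        fh.truncate(size)                   # sparse extension reads back as zeros
        if poison_offset is not None:
            fh.seek(poison_offset)
            fh.write(b"A")
    return path


if __name__ == "__main__":
    three_mib = 3 * 1024 * 1024 + 17        # odd size: exercises the partial last chunk
    for label, image in (
        ("clean wipe", make_sample_image(three_mib)),
        ("leftover byte mid-drive", make_sample_image(three_mib, 2 * 1024 * 1024 + 5)),
        ("leftover byte at the end", make_sample_image(three_mib, three_mib - 1)),
    ):
        report = verify_zeroed(image)
        verdict = "clean" if report["clean"] else f"NOT clean, first non-zero at {report['first_nonzero']}"
        print(f"{label}: {report['size']} bytes, md5 {report['md5']}, {verdict}")
```

Because the whole target is hashed in the same pass, the MD5 of a clean drive of a given size is reproducible: anyone who hashes the same number of bytes from /dev/zero gets the same digest, which is the kind of duplicable answer point 6 asks for.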
    
    
    
    -----------------------------------------------------------------
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com

    This archive was generated by hypermail 2b30 : Sat Jun 30 2001 - 12:35:01 PDT