Well, I've been keeping quiet . . . enjoying the thread, and now that I'm all wound up on Mt. Dew, how 'bout a release?!!? :)

It appears at some point the technical merit and focus of this thread has gone askew - much like the ill-fated (IMO) CFTT board over at Yahoo. WHY anyone is getting to OS design questions, I cannot fathom. But, it's been good lurking, and I'd like to add some points:

1) Please move beyond the OS . . . anyone could question anyone about anything, is that general enough? But the fact of the matter is, whether one uses Win32, *nix, Mac, BeOS, DOS, or whatever, the point needing care is that the acquisition and analysis was done in a thorough and sound manner. That's the bare bones of it. Granted, it'd be icing if the examiner is skilled and versed enough to be able to both a) speak intelligently and b) speak in a day-to-day manner to the court as to what they did, how they did it, and in a manner such that non-technical humans can grasp/understand/and nod their heads in agreement. (I think I got lost on the comment about how Linux moves data from disk to disk????)

2) I think the community would benefit if the blinders were removed - remember, there are many focus areas for forensics (toxicology, arson, etc.). Perhaps we look to the other more experienced, defined, and been-around-a-lot-longer-than-ya fields and observe with an open mind and ask questions. How does one stand up in court and defend a microscope used (yah, pretty extreme, but appropriate for this thread)? At some point you have to say "I did my job, this is my skillset, this is how I did it, these were the tools I used, I did not write them, here are my findings."

3) As for "How do you know that the data that ends up on the target drive isn't stuff..." Well, you wipe the drive, simple enough. I mean, you can testify that after 'x' number of years, and 'xxxx' number of times wiping, that this is the process, this is how I know the data was wiped. And look, all we have is a big ol' drive full of 0s. So, it is now clean and ready for use. I grab a drive, I wipe the drive, I ensure it's clean (search for any non-zero), and then I use it.

4) Not sure about the "why Linux has a history of..." question? Huh? Times they are a changin', wasn't that Dylan? Evolution, betterment, design, foresight, just a few. James hit it on the head, FAT12, FAT16, FAT32, NTFS, and the same applies to Linux. But, also, filesystem design is not just because of 'problems with old ones'. It also happens by need. Have you looked into GFS, XFS, ReiserFS -> there is a need for journalled file systems. This is not to say that non-journalled have problems, but more appropriately, that this is an added value, a benefit, a need for this type of FS. Not for everyone, in all cases, on all systems.

5) What about virtual memory? How does this apply? If you examine thoroughly, neutrally, and send off your findings, what of VM? Let's say nothing good or bad is in VM. What's the point? If VM is a concern, what about the NTLDR, the mods, the maintenance fdisk sector, etc. It gets ridiculous after a while, no? IF found in VM, okay, so?

6) Why are we talking about complete code audits of OSs? Huh? Applicability? The fact boils back to have you followed a documented and accepted methodology/practice, and if so, what were the findings? Is this duplicable? Are there sound answers accepted by the scientific community as to these findings? There are, oh, cool.

7) "The security history of linux" ? ? ? what? I don't know, maybe too much dew! What does security have to do with any of this? moving on . . .

8) What's wrong with linux being 'developed by a bunch of hobbyists'? Well, please define 'developed'. Please also define 'hobbyists.' When you've defined those two, please argue why who developed it matters. Please then argue as to who developed win32, AIX, HP-UX, etc. I'm getting the impression you're anti penguin?!!? :)

Oh, BTW, these 'hobbyists' - I work with some of them, side by side, day in and day out. I ran this by them, and it got plenty of laughter, head shaking, as well as some fun comments and a tinge of resentment. You see, some have Masters, some PhDs, and some have none - but all have a technical expertise that is developed, refined, and the drive to improve when the day is done!!

What are the industry best practices? Hmm . . . security (check), scaling (check), documentation (check), portability (check), do I go on?

Linux can be used whenever the examiner is comfortable using it, when the situation warrants, and when tools are available. Same for win32, mac, *nix, etc. No? Whether a home pc or an enterprise 6000, what tools do you have, what can you use to interface and acquire, and where are your skillsets, those matter!

Linux is just an OS - I wouldn't call it a tool. TCT is a tool, gpart is a tool, lde is a tool, encase is a tool, expert witness is a tool, ftk is a tool, ilook is a tool, glimpse is a tool, dd is a tool, md5sum is a tool, cryptcat is a tool, etc. etc. etc. Get it straight, the difference between tools and OSs, for there is a big one!

alright, I've done squashed this soap box! back to work at RED HAT!! :)

farmerdude

please, if I've had too much dew, just send the flames to /dev/null

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
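As an added example (not from farmerdude's post, nor from any of the tools it names), here is a POSIX shell version of the check in point 3: confirm that a target medium really is all zeros before it receives an acquisition, and if it is not, report the offset of the first stray byte for the examiner's notes. Only od, awk and dd are used; the paths and the constructed sample image are assumptions.

```shell
#!/bin/sh
# Added example: verify a wiped target medium is entirely 0x00 before use.
# Works on a block device or an image file; this demo uses a file so it is
# safe to run. Only POSIX tools (od, awk, dd) are needed.

# first_nonzero_offset PATH
#   Prints the decimal offset of the first non-zero byte and returns 1.
#   Prints nothing and returns 0 when every byte is zero.
first_nonzero_offset() {
    # -v stops od from collapsing repeated zero lines into '*';
    # -Ad puts a decimal offset in field 1, -tx1 one hex byte per field.
    od -v -Ad -tx1 "$1" | awk '
        { for (i = 2; i <= NF; i++)
              if ($i != "00") { print $1 + i - 2; exit 1 } }'
}

# is_clean PATH
#   Returns 0 only when PATH is non-empty and contains no non-zero byte.
is_clean() {
    [ -s "$1" ] || return 1            # an empty medium was not "wiped"
    first_nonzero_offset "$1" >/dev/null
}

# wipe_file PATH SIZE
#   Zero-fills PATH to exactly SIZE bytes, as a target drive is wiped
#   before use (on a real drive the target would be the device node).
wipe_file() {
    dd if=/dev/zero of="$1" bs=1 count="$2" 2>/dev/null
}

# Demonstration on constructed data: a 4 KiB image with one stray byte
# planted at offset 2049, then the same image after wiping.
demo() {
    tmp=$(mktemp)
    wipe_file "$tmp" 4096
    printf 'A' | dd of="$tmp" bs=1 seek=2049 conv=notrunc 2>/dev/null
    if is_clean "$tmp"; then echo "unexpected: dirty image passed"; fi
    echo "first non-zero byte at offset $(first_nonzero_offset "$tmp")"
    wipe_file "$tmp" 4096
    if is_clean "$tmp"; then echo "image verified: all zeros"; fi
    rm -f "$tmp"
}
```

Run `demo` after sourcing the file; on a real target you would call `is_clean /dev/sdX` (device name an assumption) and record the result alongside the wipe log.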
This archive was generated by hypermail 2b30 : Sat Jun 30 2001 - 12:35:01 PDT