----- Original Message -----
From: "Harris, John P" <John.Harrisat_private>
To: <loganalysisat_private>
Sent: Tuesday, December 04, 2001 12:13 PM
Subject: Re: [logs] Due Diligence for Admission in Court

> While I would agree that syslog alone can be easily made inadmissible in
> court, one can also set up the appropriate security defenses to negate most
> of those arguments.

So what you are saying then is that un-secured syslog should be inadmissible since it is unreliable. I agree if there is any evidence of tampering with them.

> Such as local filter software on the syslog host such as
> ipchains or others. Also filtering at the router level. These serve to
> "firewall" off the machine and one could control where the syslog data was
> originating from.

So then, with the proper tools in place and processes to operate them with, Syslog Data is likely to be reliable? - I also agree here.

> This would not, however, stop someone from compromising a
> machine that is allowed and send syslogs the falsify syslog messages from
> that host, thus bypassing this type of security.

Actually maybe not - It is more likely that the transgression will get caught. And the connections between machines are easily secured (STunnel, SSH, etc).

> Log to multiple hosts so you
> could see time differences to show log time patterns, etc??

OK, now there is the issue of provable synchronicity. I refer to this as making the "Trust model portable", i.e. easily compared to others.

> The real question (and one that will have no basis in logic!) is where will
> the courts find log data to be as reliable a source as say a "word of mouth"
> evidence stream?

i.e. Look at the differences between first hand and hear-say testimony. These are the real issues, what constitutes hear-say evidence from a computer.

> Joe User's word against Sarah Manager's word. An
> Example: Currently they will take Sarah Manager's dated notebook as evidence
> even though she could have made most of that up at any time as there is no
> witness to her personal notes!

Not in any court I have ever stood in - Sara Manager's notebook is as valid as her verbal testimony and nothing more. As to whose word is better, Sara's or the other party's - that is up to the spin or the theory of the cause of action submitted by each counsel to the Judge and Jury. But this is an important concept you have hit on - that being the need to extract the Human from the Trust Process and its Operations!

> A judge or most lawyers will have little or no
> visibility/understanding into our world

I wouldn't bet on that - I can introduce you to any number of lawyers that will get it from the gate.

> and will translate our evidence into
> "paper" evidence and treat it as such??

Is this a question or a statement? If it's a statement then I disagree; look at the local Federal Court's responses to unauthenticated Email - these judges are not so ignorant after all, I think. If you need more on this, look at Her Honor Judge Patel's rulings on Napster.

> The plot thickens!

No, I disagree - actually it doesn't; this is not Arthur Conan Doyle's world, it is the world of the 21st century and these issues are all easily addressable by training the operations staff and putting in place simple operating regimens that support the proper operations thereof. This stuff is really simple. Secure the system and its processes and the logging data will likely be good. Simple. You just have to be able to identify and quantify the specific steps needed to implement these visions.

T/

---------------------------------------------------------------------
To unsubscribe, e-mail: loganalysis-unsubscribeat_private
For additional commands, e-mail: loganalysis-helpat_private
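The cross-host check raised in the thread above (log to multiple hosts and compare the time patterns), as an added example that is not part of the original messages: two constructed collector copies of one host's syslog are reconciled, so that a stable receive-time offset shows up as the collectors' clock difference, while an entry present on only one copy is the kind of discrepancy a tampering claim would have to explain. The "receive-time prefix" line format and the host/process names are assumptions made for this example, not a standard syslog layout.

```python
import re
from datetime import datetime

# Constructed sample: each collector writes "<its own receive time> <syslog line as received>".
# The receive-time prefix is an assumed format for this example, not standard syslog.
COLLECTOR_A = """\
2001-12-04T12:13:05 Dec  4 12:13:05 web1 sshd[4123]: Accepted publickey for admin from 10.0.0.5
2001-12-04T12:13:09 Dec  4 12:13:09 web1 sudo: admin : TTY=pts/0 ; COMMAND=/bin/cat /etc/shadow
2001-12-04T12:14:01 Dec  4 12:14:00 web1 CRON[4130]: (root) CMD (run-parts /etc/cron.hourly)
"""
# Collector B's clock runs 42 s ahead of A's, and B never received the sudo line.
COLLECTOR_B = """\
2001-12-04T12:13:47 Dec  4 12:13:05 web1 sshd[4123]: Accepted publickey for admin from 10.0.0.5
2001-12-04T12:14:43 Dec  4 12:14:00 web1 CRON[4130]: (root) CMD (run-parts /etc/cron.hourly)
"""

# receive-time, BSD-style sender timestamp ("Dec  4 12:13:05"), hostname, rest of message
LINE_RE = re.compile(r"^(\S+) (\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$")

def parse(text):
    """Map (sender timestamp, host, message body) -> datetime the collector received it."""
    out = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped; a real tool should count them
        recv, sent, host, body = m.groups()
        out[(sent, host, body)] = datetime.fromisoformat(recv)
    return out

def reconcile(a_text, b_text):
    """Compare two collectors' copies: missing entries and receive-time offsets."""
    a, b = parse(a_text), parse(b_text)
    only_a = sorted(k for k in a if k not in b)
    only_b = sorted(k for k in b if k not in a)
    # Per-message offset of B's receive clock relative to A's, for messages both saw.
    offsets = [(b[k] - a[k]).total_seconds() for k in a if k in b]
    spread = (max(offsets) - min(offsets)) if offsets else 0.0
    return {"only_in_a": only_a, "only_in_b": only_b, "offsets": offsets, "max_skew": spread}

if __name__ == "__main__":
    r = reconcile(COLLECTOR_A, COLLECTOR_B)
    print("offsets B-A (s):", r["offsets"], "spread:", r["max_skew"])
    for k in r["only_in_a"]:
        print("only collector A has:", k)
    for k in r["only_in_b"]:
        print("only collector B has:", k)
```

A constant offset with near-zero spread is an ordinary clock difference between the two receivers; an entry that one trusted collector has and the other lacks is the discrepancy that needs an operational explanation before the log is offered as evidence.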
This archive was generated by hypermail 2b30 : Tue Dec 04 2001 - 14:15:08 PST