On Wed, 23 Oct 2002, Blue Boar wrote: > But who cares? The question asked was whether it would be possible to > make a covert channel detector product. My answer is that you can do as > much with a covert channel detector as with an IDS. Wrong question - you can make everything into a product, it's a matter of marketing ;-) The real question is, would it be possible to, with same level of coverage and accuracy, cover newer and newer covert channel techniques just like we cover new attack methods? The answer: yes, to a point where covert channels are sophisticated enough to mimick valid traffic to a level that is simply indistinguishable for a human or machine without reading person's mind. There's no such issue with attack detection IDSes, because attacks can be distinguished as a valid traffic, but only to a degree, whereas covert channels can be *made of* valid traffic, simple as that. -- ------------------------- bash$ :(){ :|:&};: -- Michal Zalewski * [http://lcamtuf.coredump.cx] Did you know that clones never use mirrors? --------------------------- 2002-10-23 18:01 --
This archive was generated by hypermail 2b30 : Wed Oct 23 2002 - 15:14:55 PDT