Re: Covert Channels

From: Michal Zalewski (lcamtufat_private)
Date: Wed Oct 23 2002 - 15:04:28 PDT

    On Wed, 23 Oct 2002, Blue Boar wrote:
    
    > But who cares?  The question asked was whether it would be possible to
    > make a covert channel detector product.  My answer is that you can do as
    > much with a covert channel detector as with an IDS.
    
    Wrong question - you can make everything into a product, it's a matter of
    marketing ;-) The real question is, would it be possible to, with the same
    level of coverage and accuracy, cover newer and newer covert channel
    techniques just like we cover new attack methods? The answer: yes, to a
    point where covert channels are sophisticated enough to mimic valid
    traffic to a level that is simply indistinguishable for a human or machine
    without reading a person's mind. There's no such issue with attack detection
    IDSes, because attacks can be distinguished as a valid traffic, but only
    to a degree, whereas covert channels can be *made of* valid traffic,
    simple as that.
    
    --
    ------------------------- bash$ :(){ :|:&};: --
     Michal Zalewski * [http://lcamtuf.coredump.cx]
        Did you know that clones never use mirrors?
    --------------------------- 2002-10-23 18:01 --
    



    This archive was generated by hypermail 2b30 : Wed Oct 23 2002 - 15:14:55 PDT