lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
From: lcamtuf at (Michal Zalewski)
Subject: [inbox] Re: Reacting to a server compromise

On Sun, 3 Aug 2003, Curt Purdy wrote:

> Jennifer, I made a reply to someone disagreeing with your statement on
> copying the drive, supporting your contention.  However, most courts
> will not accept log files on magnetic media as evidence due to the ease
> of alteration.  This is why we collect all logs on a central syslog
> server that writes directly to write-once media.  That is irrefutable
> evidence.

Of that someone spoofed a log message to your central log server, or that
someone messed with the log server itself to log fake entries?

What is your write-once media? Does it ensure integrity of the data stored
(so that it is evident when a prinout or a cd or whatnot is replaced)?
If not, it's hardly "irrefutable". If yes, what was the cost of this
device and how many businesses can afford one?

Besdies, what do your logs prove? That someone sent packets with some poor
guy's IP address as a source?

Most courts - IANALBMSUTO - will accept electronic logs, although they
usually expect them to be confirmed by several sources (i.e.  the attacked
host, your ISP) and backed with an official expert opinion to be of any

Still, hardly an evidence the owner of the box was in control of the
application that sent the offending traffic. The hard evidence comes from
a different source, usually.

------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * []
    Did you know that clones never use mirrors?
--------------------------- 2003-08-03 22:54 --

Powered by blists - more mailing lists