lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <3F2F44F2.5060202@ameritech.net>
From: dbailey27 at ameritech.net (northern snowfall)
Subject: Re: Reacting to a server compromise

>
>
>The FBI loaded some software (by booting off a floppy) prior
>to allowing him to copy data off of the machine. He was told by the agents
>that the software made the disk read-only. He was observed by the agents
>duing the copy process. Is the FBI still operating like this?
>
Might be checksum monitoring software to determine whether
given vectors of data representing security sensitive files
are maintained. This way the FBI knows the person creating
the image isn't also exploiting access to the raw disk. Yes,
it is necessary, but it's usually implemented in a special
imaging machine, IIRC.

However, I don't know of any instance where the software is
on a boot disk. Besides, the software couldn't make the data on
the disk read-only. That isn't how hard disks work. The only
way image monitoring software can work is if the executive is
loaded then the software is loaded. Then the image has to be
created while the executive is loaded, which creates probability
of the image changing during mirror.

Any SCSI or ATA can be altered during raw data access. Unless
you're working with an optical WORM (et al) there is no way to
make it read-only.

Besides, executives can't see all the data on a disk. So, an
imager cannot work in co-operation with the executive. Check the
security facilities of the ATA (I'm not sure if the T10 has
implemented this?), you can create segments of an ATA that are
hidden from any executive.

The ATA Technical Committee:
    http://www.t13.org/

The SCSI Technical Committee:
    http://www.t10.org/

Most government agencies should be using their specialized
hardware unit that creates a raw image vector of one disk
mirrored onto another. Your friend might be pulling your
leg. Or, the FBI agents really *don't* know what they're
doing.

Don

http://www.7f.no-ip.com/~north_




Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ