On Jul 13, 2007, at 4:03 PM, Douglas Allan Tutty wrote:
Then you have to worry about sshd on the remote host being trojaned so it feeds you what you expect to see, not the actual data. If you're assuming a machine might have been compromised, you can't trust *any* binaries on that machine, full stop. You also can't trust its kernel, so running binaries off a CD without rebooting doesn't help, either -- you may only *think* it's running your binaries, while it's actually running a trojaned version.

This isn't to say that tools like tripwire don't have any value, but it's important to recognize their limitations. If you run a local copy of tripwire on a machine and it fails, you know the machine is compromised. But if it succeeds, you still can't be sure the machine is clean.

David Brodbeck
Information Technology Specialist 3
Computational Linguistics
University of Washington
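The tripwire-style check the post is discussing, as an added example that is not part of the original thread: a baseline of file hashes is recorded and later compared against the files found under a root directory. It only tells you anything when the interpreter, kernel and this code all come from trusted media (e.g. the suspect disk mounted read-only after booting a clean system); run on the suspect host itself, a mismatch proves compromise, but a match proves nothing. The miniature root filesystem below is constructed for the demo.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (path relative to root) to its SHA-256."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and special files are not hashed
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify(baseline, root):
    """Compare a stored baseline against what is on disk now under root.

    Trustworthy only when root is the suspect filesystem mounted from a
    trusted boot: a compromised kernel can hand this loop clean file
    contents while the running system uses something else entirely.
    """
    current = build_manifest(root)
    return {
        "changed": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed example: a tiny 'root filesystem' in a temporary directory."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "usr", "sbin"))
        with open(os.path.join(root, "usr", "sbin", "sshd"), "wb") as f:
            f.write(b"original sshd image")  # constructed placeholder content
        baseline = build_manifest(root)
        # Simulate a modified binary and a file that appeared after the baseline.
        with open(os.path.join(root, "usr", "sbin", "sshd"), "wb") as f:
            f.write(b"modified sshd image")
        with open(os.path.join(root, "usr", "sbin", "extra"), "wb") as f:
            f.write(b"unexpected file")
        return verify(baseline, root)
```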