Date: Thu, 11 May 2000 09:55:13 -0700
From: Alfred Perlstein
To: Garrett Wollman
Cc: Paul Hart, freebsd-security@FreeBSD.ORG
Subject: Re: envy.vuurwerk.nl daily run output
Message-ID: <20000511095512.D4889@fw.wintelcom.net>
References: <391A8A3C.795C15F7@algroup.co.uk> <200005111611.MAA17380@khavrinen.lcs.mit.edu>
In-Reply-To: <200005111611.MAA17380@khavrinen.lcs.mit.edu>; from wollman@khavrinen.lcs.mit.edu on Thu, May 11, 2000 at 12:11:40PM -0400

* Garrett Wollman [000511 09:46] wrote:
> < said:
>
> > If I can root your box, what's to stop me from falsifying the
> > reference data in /var used by /etc/security to detect system
> > changes?
>
> Stupidity and inexperience.

That and chflags. :)

> Also, not all break-ins result in root compromise.

Most I've seen lately result in pretty hysterical /root/.bash_history
files. :)

-Alfred