From owner-freebsd-security@FreeBSD.ORG Tue Jul 11 20:45:29 2006
Message-ID: <20060711204521.80198.qmail@web30304.mail.mud.yahoo.com>
Date: Tue, 11 Jul 2006 13:45:21 -0700 (PDT)
From: "R. B. Riddick"
To: Poul-Henning Kamp, Mike Tancsa
Cc: freebsd-security@freebsd.org
In-Reply-To: <77192.1152649343@critter.freebsd.dk>
Subject: Re: Integrity checking NANOBSD images
List-Id: "Security issues [members-only posting]"

--- Poul-Henning Kamp wrote:
> Arming a trojan to just do 'sleep 145 ; echo "sha256 = 0248482..."'
> when you think you're running sha256 would be trivia.
But what if the trojan copies its files to the RAM disc and waits for this sha256 binary showing up? And then, when it is there, it removes its changes on the hard disc (those changes certainly must be in unused (formerly zeroed) areas of the hard disc or in the (zeroed) end of certain shell scripts)... Or do I miss something?

Wasn't it usual some years ago to switch the boot disc hardware to "read only" mode? I don't know how to do that, but my source seemed to be trustworthy (although I never saw him - I just heard his voice...)... ;-))

A switch like on those 1.44'' floppy discs would be good... But then software/OS updates would require physical access to the box...

-Arne
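As an added illustration of the point Arne raises (this is not code from the thread or from NanoBSD), the Python model below shows why a file-level hash check misses bytes stashed in zeroed slack or unused sectors, while a digest of the whole raw slice, or a check that unused space is still zero, catches them. The sector size, image layout, file names and contents are all constructed for the example.

```python
import hashlib
SECTOR = 512  # assumed sector size for the constructed image

def build_image(files, total_sectors):
    """Constructed stand-in for a NanoBSD slice: files packed back to back, each
    padded to a whole sector, everything else zero. Returns (image, layout)."""
    img = bytearray(total_sectors * SECTOR)
    layout, off = {}, 0
    for name, content in files.items():
        img[off:off + len(content)] = content
        layout[name] = (off, len(content))
        off += -(-len(content) // SECTOR) * SECTOR   # round up to next sector
    return img, layout

def per_file_digests(img, layout):
    """What a file-level check sees: only bytes that belong to named files."""
    return {n: hashlib.sha256(bytes(img[o:o + l])).hexdigest()
            for n, (o, l) in layout.items()}

def whole_slice_digest(img):
    """What hashing the raw slice sees: every sector, used or not."""
    return hashlib.sha256(bytes(img)).hexdigest()

def unused_all_zero(img, layout):
    """Reference-free check: slack after each file and every sector past the
    last file must still be zero, as they were when the image was built."""
    end = 0
    for off, length in layout.values():
        stop = off + -(-length // SECTOR) * SECTOR
        if any(img[off + length:stop]):
            return False
        end = max(end, stop)
    return not any(img[end:])

def demo():
    # Constructed sample files; placeholders, not a real NanoBSD build.
    files = {"rc.conf": b'hostname="nano"\n', "rc.local": b"#!/bin/sh\n/usr/local/bin/app\n"}
    img, layout = build_image(files, total_sectors=8)
    ref_files, ref_slice = per_file_digests(img, layout), whole_slice_digest(img)
    # Model the mail's case: bytes placed in formerly zeroed space that no
    # file owns (slack of rc.local's last sector, and a sector past the files).
    tampered = bytearray(img)
    off, length = layout["rc.local"]
    tampered[off + length:off + length + 4] = b"XXXX"
    tampered[7 * SECTOR:7 * SECTOR + 4] = b"YYYY"
    return {"file_level_ok": per_file_digests(tampered, layout) == ref_files,
            "slice_level_ok": whole_slice_digest(tampered) == ref_slice,
            "unused_zero": unused_all_zero(tampered, layout)}
```

None of these checks help if they run on the suspect system itself, which is the substituted-sha256 problem PHK describes; they have to run from a separately booted, trusted environment.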