From owner-freebsd-security@FreeBSD.ORG  Sat Jun 12 21:29:39 2004
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id D87C816A4CE
	for <freebsd-security@freebsd.org>;
	Sat, 12 Jun 2004 21:29:39 +0000 (GMT)
Received: from mail006.syd.optusnet.com.au (mail006.syd.optusnet.com.au
	[211.29.132.63])
	by mx1.FreeBSD.org (Postfix) with ESMTP id D23D143D48
	for <freebsd-security@freebsd.org>;
	Sat, 12 Jun 2004 21:29:38 +0000 (GMT)
	(envelope-from PeterJeremy@optushome.com.au)
Received: from cirb503493.alcatel.com.au
	(c211-30-75-229.belrs2.nsw.optusnet.com.au [211.30.75.229])
	i5CLTRx15561;	Sun, 13 Jun 2004 07:29:27 +1000
Received: from cirb503493.alcatel.com.au (localhost.alcatel.com.au
	[127.0.0.1])i5CLTQVd035021;	Sun, 13 Jun 2004 07:29:26 +1000 (EST)
	(envelope-from pjeremy@cirb503493.alcatel.com.au)
Received: (from pjeremy@localhost)i5CLTQDj035020;
	Sun, 13 Jun 2004 07:29:26 +1000 (EST)	(envelope-from pjeremy)
Date: Sun, 13 Jun 2004 07:29:26 +1000
From: Peter Jeremy <PeterJeremy@optushome.com.au>
To: Thordur Ivar <thib@mi.is>
Message-ID: <20040612212926.GL1596@cirb503493.alcatel.com.au>
References: <019101c45072$a8b9cfe0$3501a8c0@pro.sk>
	<20040612130307.2c4483cb.thib@mi.is>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20040612130307.2c4483cb.thib@mi.is>
User-Agent: Mutt/1.4.2i
cc: freebsd-security@freebsd.org
Subject: Re: Hacked or not appendice
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 12 Jun 2004 21:29:40 -0000

On Sat, 2004-Jun-12 13:03:07 +0000, Thordur Ivar wrote:
>I have on a CD a number of binarys ( sources actually ) ( e.g. ls,
>find, grep, awk, sed, locate e.t.c. ) and when I belive that a
>machine has been cracked I remove the network cable from that machine
>and mount the cdrom build the sources and start looking. If I need
>something in that process I put it on my USB memstick from a 'trusted
>machine' and move it by hand over.

[Please wrap your mail before 80 characters]

Why would you trust the toolchain on a potentially hacked machine?
There's an old paper by Ken Thompson that dicusses patching the C
compiler to recognize the login sources and re-introduce a backdoor -
even it was removed from the login sources.

You would be much better off booting a fixit CD-ROM and using that
rather than trusting anything on the potentially hacked system.

-- 
Peter Jeremy