
On 12/26/2011 4:45 PM, Claudio Freire wrote:
On Mon, Dec 26, 2011 at 5:22 PM, Greg Freemyer <greg.freemyer@gmail.com> wrote:
On Mon, Dec 26, 2011 at 10:00 AM, Stefan Seyfried <stefan.seyfried@googlemail.com> wrote:
2) Ability to write and read logs faster than before. Speed is not an issue. I've processed gigabytes of text logs quickly enough when doing forensics.
If you've really ever done real forensics, you'd probably value signed tamper-proof log entries.
I have done the work and definitely would love signed tamper-proof logs.
I have reviewed FTP, Webserver, and SMTP logs for legal reasons. It complicates life not knowing if those logs can be truly trusted as really having been originated by the daemon in question.
Note that it is too late by the time the investigation starts. The underlying logging needs to be tamper resistant from prior to the incident under investigation.
That will never happen. In order to sign entries, the logging daemon needs to have the keys.
The task can be made very difficult, but the gist is, if the daemon can have access to the signing keys, so does an attacker that compromises the daemon.
So, it cannot be made provably secure for legal purposes. But it *can* be made difficult for most attackers, a good yet not infallible protection for practical purposes.
Or, it may just be a great way to allow people in power to delude themselves longer. Things stay hacked longer because idiots believe the logs "prove" they have not been hacked. People go to jail because the logs "prove" they did something. People don't go to jail because the logs "prove" they didn't do something.

Idiots in positions of authority routinely misuse the tools to everyone's harm, and new admins routinely over-trust claims of quality/effectiveness. Remember http://news.ycombinator.com/item?id=3088687 ? They were convinced everything they saw from their end must be true.

At least no one can expect that a plain file can really prove anything by itself. I am intrigued by the idea of utterly trustworthy logs but I don't think they can really exist as easily as that.

So again it's just a bad trade. You lose compatibility and flexibility, and gain essentially nothing.

This is an example of "progress often isn't". Someone gets an idea, and since they're new they think it's a fine idea, and since all the rest of their generation are just as new they also all think it's a fine idea. Doesn't make it a fine idea.

10 or 15 years after AOL and Microsoft put the internet and email into the hands of the unwashed masses, a research paper came out that "discovered" what the cranky old timers who suddenly comprised only .001% of the internet had been saying since day one to the other 99.99% about the wasted time and effort and increased miscommunications from top-posting. It was very funny reading them "discover" this.

-- bkw
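To make the key-exposure argument in the thread above concrete, here is an added illustration (not code from this thread, from systemd, or from any logging daemon) of a MAC-chained log whose per-entry key is ratcheted through a one-way hash and then erased, with the starting key K_0 held by the verifier off the logging host (an assumption of this sketch). A compromise captures only the current key, so earlier entries can no longer be rewritten to pass verification, while anything sealed after the compromise is exactly as trustworthy as the daemon itself, which is the limit Claudio describes.

```python
import copy
import hashlib
import hmac

ZERO_TAG = b"\x00" * 32  # chain anchor for the first entry


def next_key(key: bytes) -> bytes:
    """One-way key evolution; the daemon keeps only the newest key."""
    return hashlib.sha256(b"ratchet:" + key).digest()


def seal_entry(key: bytes, prev_tag: bytes, message: str) -> dict:
    """MAC the entry together with the previous tag, binding order and content."""
    tag = hmac.new(key, prev_tag + message.encode(), hashlib.sha256).hexdigest()
    return {"msg": message, "tag": tag}


class SealedLog:
    """Append-only log as the daemon would keep it: current key only, no history of keys."""

    def __init__(self, key: bytes):
        self._key = key
        self._prev = ZERO_TAG
        self.entries = []

    def append(self, message: str) -> None:
        entry = seal_entry(self._key, self._prev, message)
        self.entries.append(entry)
        self._prev = bytes.fromhex(entry["tag"])
        self._key = next_key(self._key)  # erase the key that sealed this entry


def verify(entries: list, k0: bytes):
    """Replay the chain from K_0 (held off-host). Returns (ok, index of first bad entry)."""
    key, prev = k0, ZERO_TAG
    for i, entry in enumerate(entries):
        expected = seal_entry(key, prev, entry["msg"])["tag"]
        if not hmac.compare_digest(expected, entry["tag"]):
            return False, i
        prev, key = bytes.fromhex(entry["tag"]), next_key(key)
    return True, None


def demo():
    k0 = hashlib.sha256(b"constructed demo verification key").digest()  # constructed
    log = SealedLog(k0)
    for line in ["sshd: accepted publickey for alice", "ftpd: RETR report.tar", "ftpd: QUIT"]:
        log.append(line)  # constructed sample log lines
    intact = verify(log.entries, k0)
    # Someone who now controls the daemon holds only K_3; entry 1 was sealed under the
    # erased K_1, so a rewritten entry cannot be given a tag that the K_0 replay accepts.
    tampered = copy.deepcopy(log.entries)
    tampered[1]["msg"] = "ftpd: NOOP"
    return intact, verify(tampered, k0)
```

Entries appended with the captured current key would verify just like genuine ones, so the ratchet protects the past, not the future.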