Bugtraq archives for 2nd quarter (Apr-Jun) 1996: Re: Write-only devices (Was read only devices) [via LSMTP - see

Paul C Leyland (pclfoo.oucs.ox.ac.uk)
Mon, 24 Jun 1996 16:27:01 +0100

> > A write-only logger is incredibly useful when performing forensic work
> > after something has gone badly wrong.
>
> I cannot see why being unreadable helps for forensic work.
> By making it unreadable, you can log "sensitive" material,
> and the intruder cannot see what is being recorded.

That is the point.  The intruder can't see what is being logged.
Intruders tend to make fewer relevant mistakes when they know what is
being audited and what is not.  For post-incident forensic work, the
more mistakes the better!

If all you want is deterrence then advertising what is logged, and how,
works better, at least in our environment.

An advantage of paper over magnetic records is that they are human
readable.  Rightly or wrongly, important people such as law enforcement,
lawyers and juries tend to trust paper more than magnetic records.

> However, I would consider Write Once as being the important property.

Write-once is undeniably important, but it ought to be truly write-once.
Hence my dig at CD-R.  Printers must not be able to do reverse linefeeds
(line starves?) for the same reason.

> > I do not know of any readily available write-only output device other
> > than printers these days.

> My plan is to get a small Linux box, put a MUX card in it, and connect
> all the consoles to it.  I suspect most sites would be able to set up
> a "sufficiently" secure system to allow it to be network connected,
> but you could opt not to network connect it.  You could change an
> Exabyte to which the data is written when it's full, or if you want to
> collect evidence before that, login to the console, select the
> required info, and write it to a floppy.

OK, I'll accept a computer writing a dribble file as a write-once device
as long as it is truly impossible for anyone not physically present at
the machine to read that file.  Even then, I'd feel happier if the
logging machine did not have software to read the file without a reboot
from removable media.

I would not trust any networked machine as a high-security data logger.
String together the logged machines with serial lines and ensure that
the logger is truly write-only (i.e. snip its Tx lines and use hardware
flow control) and you're probably ok.

> Where's the problem ??

In a word: complexity.  Cheap 9-pin printers are simple, reliable and
understandable.  Linux boxes are complicated and go wrong more often and
in mysterious ways.  On the other hand, their great advantages are
higher storage density and more powerful log analysis tools.


Paul
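The receive-only serial logger described in the message above (consoles fed over serial lines into a box whose Tx lines are cut, hardware flow control, a dribble file the logger itself never reads back), as an added example that is not part of the original post or of any product it mentions. It assumes a Linux host with Python's termios module; a pseudo-terminal pair stands in for the MUX serial port in the demo, and the console traffic is constructed sample data, not a captured log. Two details the post only implies are made explicit: software flow control (XON/XOFF) is disabled because a logger with no Tx line can never send XOFF, so only RTS/CTS can pace the sender; and every byte outside printable ASCII is hex-escaped before it reaches the file, since an intruder who controls a console can otherwise plant terminal escape sequences that hide or rewrite earlier lines when the log is later viewed on a screen. Setting CRTSCTS is a no-op on a pseudo-terminal; physically cutting Tx and making the file append-only at the filesystem level are outside what this code can show.

```python
import os
import select
import tempfile
import termios
import time


def configure_receive_only(fd):
    """Raw 8N1, no echo, no XON/XOFF (the logger's Tx line is cut, so it could
    never send XOFF anyway), hardware RTS/CTS flow control where the platform
    defines it.  On a pseudo-terminal CRTSCTS is accepted but has no effect."""
    iflag, oflag, cflag, lflag, ispeed, ospeed, cc = termios.tcgetattr(fd)
    iflag &= ~(termios.IXON | termios.IXOFF | termios.IXANY | termios.ISTRIP
               | termios.INLCR | termios.IGNCR | termios.ICRNL)
    oflag &= ~termios.OPOST
    cflag &= ~(termios.PARENB | termios.CSTOPB | termios.CSIZE)
    cflag |= termios.CS8 | termios.CREAD | termios.CLOCAL
    cflag |= getattr(termios, "CRTSCTS", 0)   # hardware flow control, if defined
    lflag &= ~(termios.ECHO | termios.ECHONL | termios.ICANON
               | termios.ISIG | termios.IEXTEN)
    cc[termios.VMIN] = 1
    cc[termios.VTIME] = 0
    termios.tcsetattr(fd, termios.TCSANOW,
                      [iflag, oflag, cflag, lflag, ispeed, ospeed, cc])


def frame_record(raw, when=None):
    """One log line per console line: UTC timestamp, then the bytes with
    anything outside printable ASCII (and backslash itself) hex-escaped, so
    console-borne terminal escape sequences are recorded, not interpreted."""
    if when is None:
        when = time.time()
    stamp = time.strftime("%Y-%m-%dT%H:%M:%S", time.gmtime(when))
    out = []
    for b in raw.rstrip(b"\r"):
        if 0x20 <= b < 0x7F and b != 0x5C:
            out.append(chr(b))
        else:
            out.append("\\x%02x" % b)
    return "%s %s\n" % (stamp, "".join(out))


def collect(serial_fd, log_path, idle_seconds=2.0):
    """Copy console lines from serial_fd into an append-only log until the line
    has been idle for idle_seconds.  The log is opened write-only and append-only,
    so this process holds no descriptor it could read the file back through.
    Returns the number of records written."""
    log_fd = os.open(log_path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o600)
    pending = b""
    written = 0
    try:
        while True:
            ready, _, _ = select.select([serial_fd], [], [], idle_seconds)
            if not ready:
                break
            try:
                chunk = os.read(serial_fd, 4096)
            except OSError:          # hangup on the line: treat as end of input
                chunk = b""
            if not chunk:
                break
            pending += chunk
            while b"\n" in pending:
                line, pending = pending.split(b"\n", 1)
                os.write(log_fd, frame_record(line).encode("ascii"))
                written += 1
        if pending:                  # unterminated tail is still evidence
            os.write(log_fd, frame_record(pending).encode("ascii"))
            written += 1
        os.fsync(log_fd)
    finally:
        os.close(log_fd)
    return written


def run_demo(log_path=None):
    """Stand in for the MUX serial port with a pseudo-terminal pair and feed it
    constructed console traffic (including a screen-clearing escape sequence an
    intruder might emit).  Returns (records written, path of the log)."""
    if log_path is None:
        handle, log_path = tempfile.mkstemp(prefix="console-", suffix=".log")
        os.close(handle)
    master, slave = os.openpty()
    configure_receive_only(slave)
    sample = (b"login: root\r\n"
              b"root# rm -f /var/adm/wtmp\r\n"
              b"\x1b[2J\x1b[Hnothing to see here\r\n")   # constructed, not captured
    os.write(master, sample)
    try:
        count = collect(slave, log_path, idle_seconds=0.5)
    finally:
        os.close(master)
        os.close(slave)
    return count, log_path


if __name__ == "__main__":
    run_demo()
```

Pointing `collect()` at a real port means opening `/dev/ttyS0` (or the MUX card's device) with `os.O_RDONLY | os.O_NOCTTY`, calling `configure_receive_only()` on it and leaving `idle_seconds` large; the hex-escaping in `frame_record()` keeps the log line-oriented and safe to page through on a terminal, which is the property that matters when the file is later read at the console from removable media.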