UK diy (uk.d-i-y) For the discussion of all topics related to diy (do-it-yourself) in the UK. All levels of experience and proficiency are welcome to join in to ask questions or offer solutions.

  #41   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 40,893
Default Idle fun for net hackers..

Bernard Peek wrote
The Natural Philosopher wrote


Well that's your knowledge limits and I have mine.


I know.


Let's say that if anyone has broken in they have left no trace and
altered nothing. Or I would *know*. Which makes it 'not compromised'


Absence of evidence is not evidence of absence.


Hint: there is no such thing as an undetectable change.


I'd like to see evidence for that assertion.


It isn't that hard to do a file check over the entire storage to check what gets changed.

I think it's probably true but it's not relevant here because the issue at hand isn't undetectable change, but
undetected change. The two are different.


Waffle. Isn't that hard to check for any change.


  #42   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 944
Default Idle fun for net hackers..


"The Natural Philosopher" wrote in message
...
Bernard Peek wrote:
On 26/02/12 20:58, The Natural Philosopher wrote:

Well that's your knowledge limits and I have mine.

I know.

Let's say that if anyone has broken in they have left no trace and
altered nothing. Or I would *know*. Which makes it 'not compromised'


Absence of evidence is not evidence of absence.


Hint: there is no such thing as an undetectable change.


I'd like to see evidence for that assertion.


Are you really stupid?

If a change makes no difference to anything, ipso facto, it is not a
change. All changes therefore must make a difference, and are therefore
detectable.



I think it's probably true
but it's not relevant here because the issue at hand isn't undetectable
change, but undetected change. The two are different.



Right. Given two computers, how can you use one to tell if the other's
disk content has changed?



Fascinating watching the sophisticated cut and thrust of intellectual
debate.

IIRC there used to be a standard security feature in Linux where you could
run a full system checker which scanned the complete filestore to identify
any changes.
I never ran it because I couldn't work out how you knew if any of the
zillion changes made each day was good or bad.
Also, I did wonder what would happen if the system checker was compromised.
Also, I did wonder if the system did a bit by bit comparison of every single
file or relied on things like date, time, size in the indexes which can be
changed if you get deep enough into the entrails of the system.
However this should identify if you have just received 1,000 incoming emails
to your root account telling you that you are a plonker :-)

Cheers

Dave R
--
No plan survives contact with the enemy.
[Not even bunny]

Helmuth von Moltke the Elder

(\__/)
(='.'=)
(")_(")

  #43   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 2,397
Default Idle fun for net hackers..

On 27/02/2012 08:28, David WE Roberts wrote:
I never ran it because I couldn't work out how you knew if any of the
zillion changes made each day was good or bad.


This is why I haven't even bothered to look for a tool.

I've got a couple of hundred apps on my machine, everyone from Apple to
XVid. A number of them have associated services.

I know I don't know. I don't think anyone else does either.

Andy
  #44   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 39,563
Default Idle fun for net hackers..

Andy Champ wrote:
On 27/02/2012 08:28, David WE Roberts wrote:
I never ran it because I couldn't work out how you knew if any of the
zillion changes made each day was good or bad.


This is why I haven't even bothered to look for a tool.

I've got a couple of hundred apps on my machine, everyone from Apple to
XVid. A number of them have associated services.

I know I don't know. I don't think anyone else does either.

Andy


well that's Windows for you

There is a school of thought that says the machine is compromised the
moment you install it.

Now I KNOW that if anything I have NOT been ****ing with changes on my
public server, then it's a problem.

And I know what has changed, because it tells me every night..

And because I built and installed it and understand what's on it, and it
doesn't run windows, it stays the way I set it up.
  #45   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 944
Default Idle fun for net hackers..


"The Natural Philosopher" wrote in message
...
Andy Champ wrote:
On 27/02/2012 08:28, David WE Roberts wrote:
I never ran it because I couldn't work out how you knew if any of the
zillion changes made each day was good or bad.


This is why I haven't even bothered to look for a tool.

I've got a couple of hundred apps on my machine, everyone from Apple to
XVid. A number of them have associated services.

I know I don't know. I don't think anyone else does either.

Andy


well that's Windows for you

There is a school of thought that says the machine is compromised the
moment you install it.

Now I KNOW that if anything I have NOT been ****ing with changes on my
public server, then it's a problem.

And I know what has changed, because it tells me every night..

And because I built and installed it and understand what's on it, and it
doesn't run windows, it stays the way I set it up.


Server with more or less fixed configuration and batch updates of patches at
big intervals can probably be watched O.K.
Commercial secure systems tend to work that way.

Not sure a desktop with all sorts of regular updates, downloads, emails,
virus updates etc. is as trackable, though.


--
No plan survives contact with the enemy.
[Not even bunny]

Helmuth von Moltke the Elder

(\__/)
(='.'=)
(")_(")



  #46   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 39,563
Default Idle fun for net hackers..

David WE Roberts wrote:

"The Natural Philosopher" wrote in message
...
Andy Champ wrote:
On 27/02/2012 08:28, David WE Roberts wrote:
I never ran it because I couldn't work out how you knew if any of the
zillion changes made each day was good or bad.

This is why I haven't even bothered to look for a tool.

I've got a couple of hundred apps on my machine, everyone from Apple
to XVid. A number of them have associated services.

I know I don't know. I don't think anyone else does either.

Andy


well that's Windows for you

There is a school of thought that says the machine is compromised the
moment you install it.

Now I KNOW that if anything I have NOT been ****ing with changes on my
public server, then it's a problem.

And I know what has changed, because it tells me every night..

And because I built and installed it and understand what's on it, and
it doesn't run windows, it stays the way I set it up.


Server with more or less fixed configuration and batch updates of
patches at big intervals can probably be watched O.K.
Commercial secure systems tend to work that way.

Not sure a desktop with all sorts of regular updates, downloads, emails,
virus updates etc. is as trackable, though.


we were talking about network servers.

However the same holds true for my desktop.

I expect changes in logs, mail files, and web caches. Nothing else
except files I have been editing

Anything else is a cause to investigate.

Every single disk on every machine I use* is backed up and a full
difference file emailed to me daily. I read them. If a file has even
changed size, it will show up.

*except 250 GB of recorded TV programs. Sod that.
  #47   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 2,397
Default Idle fun for net hackers..

On 27/02/2012 20:53, The Natural Philosopher wrote:
well that's Windows for you

There is a school of thought that says the machine is compromised the
moment you install it.

Now I KNOW that if anything I have NOT been ****ing with changes on my
public server, then it's a problem.

And I know what has changed, because it tells me every night..

And because I built and installed it and understand what's on it, and it
doesn't run windows, it stays the way I set it up.


It's the curse and the beauty of Windows that I can have a couple of
hundred apps.

Andy
  #48   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 292
Default Idle fun for net hackers..

On 26/02/12 22:08, The Natural Philosopher wrote:
Bernard Peek wrote:
On 26/02/12 20:58, The Natural Philosopher wrote:

Well that's your knowledge limits and I have mine.

I know.

Let's say that if anyone has broken in they have left no trace and
altered nothing. Or I would *know*. Which makes it 'not compromised'


Absence of evidence is not evidence of absence.


Hint: there is no such thing as an undetectable change.


I'd like to see evidence for that assertion.


Are you really stupid?


I'm a philosopher. I was hoping that you knew something that I didn't
and I could learn something. It seemed improbable given the ignorance
that you appeared to be displaying but hope springs eternal.


If a change makes no difference to anything, ipso facto, it is not a
change. All changes therefore must make a difference, and are therefore
detectable.


Yes, but as I pointed out in the post to which you replied absence of
evidence is not evidence of absence. You can know that you haven't
detected a change, but you can't know that there is no change. Absence
of a change is not detectable.


--
Bernard Peek

  #49   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 39,563
Default Idle fun for net hackers..

Andy Champ wrote:
On 27/02/2012 20:53, The Natural Philosopher wrote:
well that's Windows for you

There is a school of thought that says the machine is compromised the
moment you install it.

Now I KNOW that if anything I have NOT been ****ing with changes on my
public server, then it's a problem.

And I know what has changed, because it tells me every night..

And because I built and installed it and understand what's on it, and it
doesn't run windows, it stays the way I set it up.


It's the curse and the beauty of Windows that I can have a couple of
hundred apps.


The beauty of Linux is that I don't need a couple of hundred apps.

Andy

  #50   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 39,563
Default Idle fun for net hackers..

Bernard Peek wrote:
On 26/02/12 22:08, The Natural Philosopher wrote:
Bernard Peek wrote:
On 26/02/12 20:58, The Natural Philosopher wrote:

Well that's your knowledge limits and I have mine.

I know.

Let's say that if anyone has broken in they have left no trace and
altered nothing. Or I would *know*. Which makes it 'not compromised'

Absence of evidence is not evidence of absence.


Hint: there is no such thing as an undetectable change.

I'd like to see evidence for that assertion.


Are you really stupid?


I'm a philosopher. I was hoping that you knew something that I didn't
and I could learn something. It seemed improbable given the ignorance
that you appeared to be displaying but hope springs eternal.


If a change makes no difference to anything, ipso facto, it is not a
change. All changes therefore must make a difference, and are therefore
detectable.


Yes, but as I pointed out in the post to which you replied absence of
evidence is not evidence of absence. You can know that you haven't
detected a change, but you can't know that there is no change. Absence
of a change is not detectable.


It is.





  #51   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 1,736
Default Idle fun for net hackers..

On Tue, 28 Feb 2012 20:41:13 +0000, The Natural Philosopher
wrote:

Bernard Peek wrote:
On 26/02/12 22:08, The Natural Philosopher wrote:
Bernard Peek wrote:
On 26/02/12 20:58, The Natural Philosopher wrote:

Well that's your knowledge limits and I have mine.

I know.

Let's say that if anyone has broken in they have left no trace and
altered nothing. Or I would *know*. Which makes it 'not compromised'

Absence of evidence is not evidence of absence.


Hint: there is no such thing as an undetectable change.

I'd like to see evidence for that assertion.

Are you really stupid?


I'm a philosopher. I was hoping that you knew something that I didn't
and I could learn something. It seemed improbable given the ignorance
that you appeared to be displaying but hope springs eternal.


If a change makes no difference to anything, ipso facto, it is not a
change. All changes therefore must make a difference, and are therefore
detectable.


Yes, but as I pointed out in the post to which you replied absence of
evidence is not evidence of absence. You can know that you haven't
detected a change, but you can't know that there is no change. Absence
of a change is not detectable.


It is.


It would be theoretically possible to hide any change if you had the
resources and opportunity. For example if you use hashes to detect
changes then someone could alter the hashes.

You can reduce the risk of this happening but it will always be 0.
--
(\__/) M.
(='.'=) If a man stands in a forest and no woman is around
(")_(") is he still wrong?

  #52   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 1,048
Default Idle fun for net hackers..

On Tue, 28 Feb 2012 20:25:00 +0000, Bernard Peek wrote:

Yes, but as I pointed out in the post to which you replied absence of
evidence is not evidence of absence. You can know that you haven't
detected a change, but you can't know that there is no change. Absence
of a change is not detectable.


Pfft. Just look harder.

Alice in Wonderland: "I can see nothing."
Cheshire Cat: "My, you must have good eyes!"


Thomas Prufer
  #53   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 40,893
Default Idle fun for net hackers..

Mark wrote
The Natural Philosopher wrote
Bernard Peek wrote:
The Natural Philosopher wrote
Bernard Peek wrote
The Natural Philosopher wrote


Well that's your knowledge limits and I have mine.


I know.


Let's say that if anyone has broken in they have left no trace
and altered nothing. Or I would *know*. Which makes it 'not
compromised'


Absence of evidence is not evidence of absence.


Hint: there is no such thing as an undetectable change.


I'd like to see evidence for that assertion.


Are you really stupid?


I'm a philosopher. I was hoping that you knew something that I
didn't and I could learn something. It seemed improbable given the
ignorance that you appeared to be displaying but hope springs eternal.


If a change makes no difference to anything, ipso facto, it is not
a change. All changes therefore must make a difference, and are
therefore detectable.


Yes, but as I pointed out in the post to which you replied absence
of evidence is not evidence of absence. You can know that you
haven't detected a change, but you can't know that there is no
change. Absence of a change is not detectable.


It is.


It would be theoretically possible to hide any change if you had the
resources and opportunity. For example if you use hashes to detect
changes then someone could alter the hashes.


Not if they aren't on that system they can't.

You can reduce the risk of this happening but it will always be 0.


Nope. It's perfectly possible to have a risk of 0.
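
Added example, not part of any post in this thread: a Python sketch that ties together three points raised above, namely comparing date/time/size versus file content (#42), separating expected daily churn from changes worth investigating (#46), and keeping the hash baseline out of reach of the monitored system (#51, #53). The file names, the `EXPECTED_CHURN` patterns and the key are constructed assumptions; the baseline is authenticated with an HMAC whose key is assumed to live on a second machine.

```python
import hashlib
import hmac
import json
import os
import tempfile
from fnmatch import fnmatch

# Assumed allowlist: paths expected to change every day (logs, mail, caches).
EXPECTED_CHURN = ("var/log/*", "var/mail/*", "var/cache/*")


def snapshot(root):
    """Record size, mtime and SHA-256 of every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # this sketch does not record symlinks
            st = os.stat(full)
            with open(full, "rb") as fh:  # whole-file read is fine for a demo
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = {"size": st.st_size, "mtime": st.st_mtime_ns,
                             "sha256": digest}
    return manifest


def seal(manifest, key):
    """Serialise the baseline and tag it with a key held off the host."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def open_sealed(body, tag, key):
    """Refuse a baseline whose tag does not verify under the off-host key."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("baseline manifest failed authentication")
    return json.loads(body)


def diff(baseline, current, fields):
    """List (path, kind) for files added, removed or differing in fields."""
    changes = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            changes.append((path, "removed"))
        elif path not in baseline:
            changes.append((path, "added"))
        elif any(baseline[path][f] != current[path][f] for f in fields):
            changes.append((path, "modified"))
    return changes


def triage(changes):
    """Split changes into expected churn and items to investigate."""
    expected, investigate = [], []
    for path, kind in changes:
        churn = any(fnmatch(path, pat) for pat in EXPECTED_CHURN)
        (expected if churn else investigate).append((path, kind))
    return expected, investigate


def write(root, rel, data):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)
    return full


def demo():
    key = b"constructed-demo-key-kept-off-host"
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample tree and its sealed baseline.
        log = write(root, "var/log/syslog", b"boot ok\n")
        conf = write(root, "etc/app.conf", b"allow_remote=no \n")
        body, tag = seal(snapshot(root), key)

        # Later: normal log growth, a same-size edit with its timestamp
        # put back, and a new file outside the churn allowlist.
        with open(log, "ab") as fh:
            fh.write(b"cron ran\n")
        st = os.stat(conf)
        write(root, "etc/app.conf", b"allow_remote=yes\n")
        os.utime(conf, ns=(st.st_atime_ns, st.st_mtime_ns))
        write(root, "usr/bin/newtool", b"constructed binary")

        baseline = open_sealed(body, tag, key)
        current = snapshot(root)
        _, by_metadata = triage(diff(baseline, current, ("size", "mtime")))
        expected, by_content = triage(diff(baseline, current, ("sha256",)))

        # A baseline rewritten on the host to match the new state cannot
        # carry a valid tag without the off-host key.
        forged = json.dumps(current, sort_keys=True).encode()
        try:
            open_sealed(forged, tag, key)
            forged_accepted = True
        except ValueError:
            forged_accepted = False
    return {"metadata_only": by_metadata, "content": by_content,
            "expected_churn": expected,
            "forged_manifest_accepted": forged_accepted}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The size-and-time comparison reports only the new file, while the content comparison also reports the edited `etc/app.conf`; the log growth lands in the expected-churn bucket in both cases.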


  #54   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 4,453
Default Idle fun for net hackers..

Rod Speed wrote:

Mark wrote
The Natural Philosopher wrote
Bernard Peek wrote:
The Natural Philosopher wrote
Bernard Peek wrote
The Natural Philosopher wrote


Well that's your knowledge limits and I have mine.


I know.


Let's say that if anyone has broken in they have left no trace
and altered nothing. Or I would *know*. Which makes it 'not
compromised'


Absence of evidence is not evidence of absence.


Hint: there is no such thing as an undetectable change.


I'd like to see evidence for that assertion.


Are you really stupid?


I'm a philosopher. I was hoping that you knew something that I
didn't and I could learn something. It seemed improbable given the
ignorance that you appeared to be displaying but hope springs eternal.


If a change makes no difference to anything, ipso facto, it is not
a change. All changes therefore must make a difference, and are
therefore detectable.


Yes, but as I pointed out in the post to which you replied absence
of evidence is not evidence of absence. You can know that you
haven't detected a change, but you can't know that there is no
change. Absence of a change is not detectable.


It is.


It would be theoretically possible to hide any change if you had the
resources and opportunity. For example if you use hashes to detect
changes then someone could alter the hashes.


Not if they aren't on that system they can't.

You can reduce the risk of this happening but it will always be 0.


Nope. It's perfectly possible to have a risk of 0.


Even against aliens with telekinetic abilities?

And as you cannot prove such aliens don't exist, I suspect your risk is 0
even if you bury your computer in a concrete block inside a metal box.


--
Tim Watts
  #55   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 2,701
Default Idle fun for net hackers..

On 28/02/2012 20:25, Bernard Peek wrote:
On 26/02/12 22:08, The Natural Philosopher wrote:
Bernard Peek wrote:

If a change makes no difference to anything, ipso facto, it is not a
change. All changes therefore must make a difference, and are therefore
detectable.


Yes, but as I pointed out in the post to which you replied absence of
evidence is not evidence of absence. You can know that you haven't
detected a change, but you can't know that there is no change. Absence
of a change is not detectable.


Simple example would be waving a neodymium magnet near the computer but
not close enough to actually corrupt any data but close enough to alter
the magnetic domain strengths stored on the platter. There is a change
to the system but it is not detectable by standard drive electronics.

But for all practical purposes with a PC if the bitwise comparison of
the media with a standard reference copy is identical (including all the
bits not normally accessible) then it is unchanged.

I used to degauss my bank cards' magnetic stripes with monotonous
regularity when I worked with powerful magnets.

--
Regards,
Martin Brown


  #56   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 1,736
Default Idle fun for net hackers..

On Wed, 29 Feb 2012 20:27:57 +1100, "Rod Speed"
wrote:

Mark wrote
The Natural Philosopher wrote
Bernard Peek wrote:
The Natural Philosopher wrote
Bernard Peek wrote
The Natural Philosopher wrote


Well that's your knowledge limits and I have mine.


I know.


Let's say that if anyone has broken in they have left no trace
and altered nothing. Or I would *know*. Which makes it 'not
compromised'


Absence of evidence is not evidence of absence.


Hint: there is no such thing as an undetectable change.


I'd like to see evidence for that assertion.


Are you really stupid?


I'm a philosopher. I was hoping that you knew something that I
didn't and I could learn something. It seemed improbable given the
ignorance that you appeared to be displaying but hope springs eternal.


If a change makes no difference to anything, ipso facto, it is not
a change. All changes therefore must make a difference, and are
therefore detectable.


Yes, but as I pointed out in the post to which you replied absence
of evidence is not evidence of absence. You can know that you
haven't detected a change, but you can't know that there is no
change. Absence of a change is not detectable.


It is.


It would be theoretically possible to hide any change if you had the
resources and opportunity. For example if you use hashes to detect
changes then someone could alter the hashes.


Not if they aren't on that system they can't.


What if they get in?

You can reduce the risk of this happening but it will always be 0.


Nope. It's perfectly possible to have a risk of 0.


No.

--
(\__/) M.
(='.'=) If a man stands in a forest and no woman is around
(")_(") is he still wrong?

  #57   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 944
Default Idle fun for net hackers..


"Bernard Peek" wrote in message
...
On 26/02/12 22:08, The Natural Philosopher wrote:
Bernard Peek wrote:
On 26/02/12 20:58, The Natural Philosopher wrote:

Well that's your knowledge limits and I have mine.

I know.

Let's say that if anyone has broken in they have left no trace and
altered nothing. Or I would *know*. Which makes it 'not compromised'

Absence of evidence is not evidence of absence.


Hint: there is no such thing as an undetectable change.

I'd like to see evidence for that assertion.


Are you really stupid?


I'm a philosopher. I was hoping that you knew something that I didn't and
I could learn something. It seemed improbable given the ignorance that you
appeared to be displaying but hope springs eternal.


If a change makes no difference to anything, ipso facto, it is not a
change. All changes therefore must make a difference, and are therefore
detectable.


Yes, but as I pointed out in the post to which you replied absence of
evidence is not evidence of absence. You can know that you haven't
detected a change, but you can't know that there is no change. Absence of
a change is not detectable.



Why don't we ask Schrödinger's cat?
Damn - it's hiding in its box.

Best you can do is affirm that you have been unable to detect a significant
change in the items you are measuring and this meets your requirements for
assurance and security.

--
No plan survives contact with the enemy.
[Not even bunny]

Helmuth von Moltke the Elder

(\__/)
(='.'=)
(")_(")

  #58   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 1,357
Default Idle fun for net hackers..



"Rod Speed" wrote in message
...

It would be theoretically possible to hide any change if you had the
resources and opportunity. For example if you use hashes to detect
changes then someone could alter the hashes.


Not if they aren't on that system they can't.


You can't be sure that what you installed wasn't compromised in the first
place.
There are even possible attacks if you compile the C source from scratch.
for example..

it's possible to build a compiler that puts unwanted stuff into programs it
compiles.
It is possible to hide these from the source code of the compiler by
recognising the compiler and adding the code to do this when the compiler is
compiled.
Before you say this can't be done, did you use a binary to compile your last
program or did you do it by hand to ensure the above wasn't done?


You can reduce the risk of this happening but it will always be 0.


Nope. It's perfectly possible to have a risk of 0.


You also put a chainsaw through your computer then?

  #59   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 39,563
Default Idle fun for net hackers..

Mark wrote:
On Tue, 28 Feb 2012 20:41:13 +0000, The Natural Philosopher
wrote:

Bernard Peek wrote:
On 26/02/12 22:08, The Natural Philosopher wrote:
Bernard Peek wrote:
On 26/02/12 20:58, The Natural Philosopher wrote:

Well that's your knowledge limits and I have mine.

I know.

Let's say that if anyone has broken in they have left no trace and
altered nothing. Or I would *know*. Which makes it 'not compromised'
Absence of evidence is not evidence of absence.

Hint: there is no such thing as an undetectable change.
I'd like to see evidence for that assertion.
Are you really stupid?
I'm a philosopher. I was hoping that you knew something that I didn't
and I could learn something. It seemed improbable given the ignorance
that you appeared to be displaying but hope springs eternal.

If a change makes no difference to anything, ipso facto, it is not a
change. All changes therefore must make a difference, and are therefore
detectable.
Yes, but as I pointed out in the post to which you replied absence of
evidence is not evidence of absence. You can know that you haven't
detected a change, but you can't know that there is no change. Absence
of a change is not detectable.

It is.


It would be theoretically possible to hide any change if you had the
resources and opportunity. For example if you use hashes to detect
changes then someone could alter the hashes.

You can reduce the risk of this happening but it will always be 0.


I think the possibility of altering a file so that not only is its hash,
but also its size, identical to before and still make it do something
malicious is so close to zero as to be one of the things I simply don't
worry about.

AND the AGENCY that does that change would leave traces of doing it. So
that's all the LOG files that may or may not be implicated, that have
to be cleaned up. And THAT leaves traces on the disk image as well.

I don't doubt that given a couple of years I could not develop a tool
that would probably do that, ..and then I would also have to hack into
the machine and get root level access as well....and hope that some
upgrade didn't wipe out whatever it was I had modified.

So there is actually GETTING this 'invisible' change in. It's very very hard.

Now consider: what is it to do? That IS malicious? well it can **** the
server over, but that is a BIG change and I have a full backup of
course. So no big deal.

Perhaps it's going to send SPAM? well there again, look at the log files
of the ISP service its connected to..bursts of traffic not in the mail
log on the machine? I will investigate.

Unless the hacker can totally control not only the machine itself in
every respect, but also the ISP to which it is connected - and even I
can't do THAT - at some level anything it *does* is going to be detectable.

In short if someone makes a change that results in no detectable
activity or audit trail, I actually don't care. It's not actually
therefore doing anything it isn't set up by me to do.

In the REAL world malware exists because people don't take SIMPLE
precautions.

Some kid puts up a server on the net, leaves it wide open, doesn't
bother to even read his logs or inspect his disk structure and someone
plonks a completely visible file on it that creates a load of traffic
and the owner simply doesn't notice..!!!

Sheesh. He's a far more likely target than me.

All the hacks and viruses I have come across leave audit trails of some
sort. You can only compromise a system to the extent you control it.
One of the huge benefits of open source and a heterogeneous Internet, is
that no one person does.

Even the best STUXNET in the whole world is detected eventually.

  #60   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 39,563
Default Idle fun for net hackers..

Tim Watts wrote:
Rod Speed wrote:

Mark wrote


You can reduce the risk of this happening but it will always be 0.

Nope. It's perfectly possible to have a risk of 0.


Even against aliens with telekinetic abilities?

And as you cannot prove such aliens don't exist, I suspect your risk is 0
even if you bury your computer in a concrete block inside a metal box.



Sheesh, if there are aliens with telekinetic abilities then either they
do something I can detect, or they haven't done anything I care about.

Either way it's no big deal. It is still zero risk.



  #61   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 39,563
Default Idle fun for net hackers..

Martin Brown wrote:
On 28/02/2012 20:25, Bernard Peek wrote:
On 26/02/12 22:08, The Natural Philosopher wrote:
Bernard Peek wrote:

If a change makes no difference to anything, ipso facto, it is not a
change. All changes therefore must make a difference, and are therefore
detectable.


Yes, but as I pointed out in the post to which you replied absence of
evidence is not evidence of absence. You can know that you haven't
detected a change, but you can't know that there is no change. Absence
of a change is not detectable.


Simple example would be waving a neodymium magnet near the computer but
not close enough to actually corrupt any data but close enough to alter
the magnetic domain strengths stored on the platter. There is a change
to the system but it is not detectable by standard drive electronics.


It is.

It would almost certainly result in several parity errors and 'bad blocks'


But for all practical purposes with a PC


Who said anything about a PC?

if the bitwise comparison of
the media with a standard reference copy is identical (including all the
bits not normally accessible) then it is unchanged.

I used to degauss my bank cards' magnetic stripes with monotonous
regularity when I worked with powerful magnets.

  #62   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 39,563
Default Idle fun for net hackers..

Mark wrote:
On Wed, 29 Feb 2012 20:27:57 +1100, "Rod Speed"
wrote:

Mark wrote
The Natural Philosopher wrote
Bernard Peek wrote:
The Natural Philosopher wrote
Bernard Peek wrote
The Natural Philosopher wrote
Well that's your knowledge limits and I have mine.
I know.
Let's say that if anyone has broken in they have left no trace
and altered nothing. Or I would *know*. Which makes it 'not
compromised'
Absence of evidence is not evidence of absence.
Hint: there is no such thing as an undetectable change.
I'd like to see evidence for that assertion.
Are you really stupid?
I'm a philosopher. I was hoping that you knew something that I
didn't and I could learn something. It seemed improbable given the
ignorance that you appeared to be displaying but hope springs eternal.
If a change makes no difference to anything, ipso facto, it is not
a change. All changes therefore must make a difference, and are
therefore detectable.
Yes, but as I pointed out in the post to which you replied absence
of evidence is not evidence of absence. You can know that you
haven't detected a change, but you can't know that there is no
change. Absence of a change is not detectable.
It is.
It would be theoretically possible to hide any change if you had the
resources and opportunity. For example if you use hashes to detect
changes then someone could alter the hashes.

Not if they aren't on that system they can't.


What if they get in?


they will still leave a trail.


You can reduce the risk of this happening but it will always be 0.

Nope. It's perfectly possible to have a risk of 0.


No.

yes.
  #63   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 39,563
Default Idle fun for net hackers..

David WE Roberts wrote:

"Bernard Peek" wrote in message
...
On 26/02/12 22:08, The Natural Philosopher wrote:
Bernard Peek wrote:
On 26/02/12 20:58, The Natural Philosopher wrote:

Well that's your knowledge limits and I have mine.

I know.

Let's say that if anyone has broken in they have left no trace and
altered nothing. Or I would *know*. Which makes it 'not compromised'

Absence of evidence is not evidence of absence.


Hint: there is no such thing as an undetectable change.

I'd like to see evidence for that assertion.

Are you really stupid?


I'm a philosopher. I was hoping that you knew something that I didn't
and I could learn something. It seemed improbable given the ignorance
that you appeared to be displaying but hope springs eternal.


If a change makes no difference to anything, ipso facto, it is not a
change. All changes therefore must make a difference, and are therefore
detectable.


Yes, but as I pointed out in the post to which you replied absence of
evidence is not evidence of absence. You can know that you haven't
detected a change, but you can't know that there is no change. Absence
of a change is not detectable.



Why don't we ask Schrödinger's cat?
Damn - it's hiding in its box.

Best you can do is affirm that you have been unable to detect a
significant change in the items you are measuring and this meets your
requirements for assurance and security.


exactly, An undetectable change that results in no detectable activity
by anyone in the whole universe is not a security risk.
  #64   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 944
Default Idle fun for net hackers..


"The Natural Philosopher" wrote in message
...
David WE Roberts wrote:

"Bernard Peek" wrote in message
...
On 26/02/12 22:08, The Natural Philosopher wrote:
Bernard Peek wrote:
On 26/02/12 20:58, The Natural Philosopher wrote:

Well that's your knowledge limits and I have mine.

I know.

Let's say that if anyone has broken in they have left no trace and
altered nothing. Or I would *know*. Which makes it 'not compromised'

Absence of evidence is not evidence of absence.


Hint: there is no such thing as an undetectable change.

I'd like to see evidence for that assertion.

Are you really stupid?

I'm a philosopher. I was hoping that you knew something that I didn't
and I could learn something. It seemed improbable given the ignorance
that you appeared to be displaying but hope springs eternal.


If a change makes no difference to anything, ipso facto, it is not a
change. All changes therefore must make a difference, and are therefore
detectable.

Yes, but as I pointed out in the post to which you replied absence of
evidence is not evidence of absence. You can know that you haven't
detected a change, but you can't know that there is no change. Absence
of a change is not detectable.



Why don't we ask Schrödinger's cat?
Damn - it's hiding in its box.

Best you can do is affirm that you have been unable to detect a
significant change in the items you are measuring and this meets your
requirements for assurance and security.


exactly, An undetectable change that results in no detectable activity by
anyone in the whole universe is not a security risk.


Come on, sense of balance ;-)
You are not everyone in the Universe.
There might be someone out there who knows a way to change a system which is
not detectable by the currently publicly available tools.
The likelihood of this, and also the added likelihood of this person
choosing to attack your system instead of any other, is part of your risk
assessment.

--
No plan survives contact with the enemy.
[Not even bunny]

Helmuth von Moltke the Elder

(\__/)
(='.'=)
(")_(")

  #65   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 40,893
Default Idle fun for net hackers..

Tim Watts wrote
Rod Speed wrote
Mark wrote
The Natural Philosopher wrote
Bernard Peek wrote:
The Natural Philosopher wrote
Bernard Peek wrote
The Natural Philosopher wrote


Well that's your knowledge limits and I have mine.


I know.


Let's say that if anyone has broken in they have
left no trace and altered nothing. Or I would *know*.
Which makes it 'not compromised'


Absence of evidence is not evidence of absence.


Hint: there is no such thing as an undetectable change.


I'd like to see evidence for that assertion.


Are you really stupid?


I'm a philosopher. I was hoping that you knew something that I didn't
and I could learn something. It seemed improbable given the ignorance
that you appeared to be displaying but hope springs eternal.


If a change makes no difference to anything, ipso facto,
it is not a change. All changes therefore must make a
difference, and are therefore detectable.


Yes, but as I pointed out in the post to which you replied absence
of evidence is not evidence of absence. You can know that you
haven't detected a change, but you can't know that there is no
change. Absence of a change is not detectable.


It is.


It would be theoretically possible to hide any change if you
had the resources and opportunity. For example if you use
hashes to detect changes then someone could alter the hashes.


Not if they aren't on that system they can't.


You can reduce the risk of this happening but it will always be 0.


Nope. It's perfectly possible to have a risk of 0.


Even against aliens with telekinetic abilities?


Yep. Any change they make that matters will be detectable.

And as you cannot prove such aliens don't exist, I suspect your risk is
0 even if you bury your computer in a concrete block inside a metal box.


You're wrong.




  #66   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 40,893
Default Idle fun for net hackers..

Mark wrote
Rod Speed wrote
Mark wrote
The Natural Philosopher wrote
Bernard Peek wrote:
The Natural Philosopher wrote
Bernard Peek wrote
The Natural Philosopher wrote


Well that's your knowledge limits and I have mine.


I know.


Let's say that if anyone has broken in they have left no trace
and altered nothing. Or I would *know*. Which makes it 'not
compromised'


Absence of evidence is not evidence of absence.


Hint: there is no such thing as an undetectable change.


I'd like to see evidence for that assertion.


Are you really stupid?


I'm a philosopher. I was hoping that you knew something that I
didn't and I could learn something. It seemed improbable given the
ignorance that you appeared to be displaying but hope springs eternal.


If a change makes no difference to anything, ipso facto, it is
not a change. All changes therefore must make a difference,
and are therefore detectable.


Yes, but as I pointed out in the post to which you replied absence
of evidence is not evidence of absence. You can know that you
haven't detected a change, but you can't know that there is no
change. Absence of a change is not detectable.


It is.


It would be theoretically possible to hide any change if you
had the resources and opportunity. For example if you use
hashes to detect changes then someone could alter the hashes.


Not if they aren't on that system they can't.


What if they get in?


My 'they' was the hashes.

You can reduce the risk of this happening but it will always be 0.


Nope. It's perfectly possible to have a risk of 0.


No.


Yep.


  #67   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 40,893
Default Idle fun for net hackers..

dennis@home wrote
Rod Speed wrote


It would be theoretically possible to hide any change if you had the resources and opportunity. For example if you
use hashes to detect changes then someone could alter the hashes.


Not if they aren't on that system they can't.


You can't be sure that what you installed wasn't compromised in the first place.


You don't have to install anything on the system being checked.

And you can test whether it can detect changes by making your own changes too.

There are even possible attacks if you compile the C source from scratch. for example..


Yes, but if that system isn't even on the system being protected...

it's possible to build a compiler that puts unwanted stuff into programs it compiles.


But they have no control over what compiler you use with a common language.

It is possible to hide these from the source code of the compiler by recognising the compiler and adding the code to
do this when the compiler is compiled.


But they have no control over what compiler you use with a common language.

Before you say this can't be done, did you use a binary to compile your last program or did you do it by hand to
ensure the above wasn't done?


My last program isn't relevant. What matters is what is used to
compile the system that does the checks. With hashes the code
can be so simple that it's quite practical to compile it by hand.

You can reduce the risk of this happening but it will always be 0.


Nope. It's perfectly possible to have a risk of 0.


You also put a chainsaw through your computer then?


Don't need to do that.


  #68   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 4,453
Default Idle fun for net hackers..

Rod Speed wrote:

Tim Watts wrote
Rod Speed wrote
Mark wrote
The Natural Philosopher wrote
Bernard Peek wrote:
The Natural Philosopher wrote
Bernard Peek wrote
The Natural Philosopher wrote


Well that's your knowledge limits and I have mine.


I know.


Let's say that if anyone has broken in they have
left no trace and altered nothing. Or I would *know*.
Which makes it 'not compromised'


Absence of evidence is not evidence of absence.


Hint: there is no such thing as an undetectable change.


I'd like to see evidence for that assertion.


Are you really stupid?


I'm a philosopher. I was hoping that you knew something that I didn't
and I could learn something. It seemed improbable given the ignorance
that you appeared to be displaying but hope springs eternal.


If a change makes no difference to anything, ipso facto,
it is not a change. All changes therefore must make a
difference, and are therefore detectable.


Yes, but as I pointed out in the post to which you replied absence
of evidence is not evidence of absence. You can know that you
haven't detected a change, but you can't know that there is no
change. Absence of a change is not detectable.


It is.


It would be theoretically possible to hide any change if you
had the resources and opportunity. For example if you use
hashes to detect changes then someone could alter the hashes.


Not if they aren't on that system they can't.


You can reduce the risk of this happening but it will always be 0.


Nope. It's perfectly possible to have a risk of 0.


Even against aliens with telekinetic abilities?


Yep. Any change they make that matters will be detectable.

And as you cannot prove such aliens don't exist, I suspect your risk is
0 even if you bury your computer in a concrete block inside a metal box.


You're wrong.


Nope - I don't accept an exactly 0 risk is possible on any non isolated
computer. Very close, perhaps, but not exactly 0.
--
Tim Watts
  #69   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 4,453
Default Idle fun for net hackers..

The Natural Philosopher wrote:


exactly, An undetectable change that results in no detectable activity
by anyone in the whole universe is not a security risk.


You may have a "potentially detectable" change, but for any practical
detection mechanism, I feel fairly safe in asserting that it could
potentially be hacked so as not to leave a trace *detectable by the
detection mechanism".

It's an arms race - however many tripwires you put up, there's always a way,
no matter how improbable, that a change could be effected that does not trip
the tripwires.

It's been demonstrated time and time again that every time you put an
obstacle in the way of people who care, they will eventually defeat it if
determined enough.


--
Tim Watts
  #70   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 40,893
Default Idle fun for net hackers..

The Natural Philosopher wrote
Mark wrote
The Natural Philosopher wrote
Bernard Peek wrote
The Natural Philosopher wrote
Bernard Peek wrote
The Natural Philosopher wrote


Well that's your knowledge limits and I have mine.


I know.


Let's say that if anyone has broken in they have left no trace and altered nothing. Or I would *know*. Which
makes it 'not compromised'


Absence of evidence is not evidence of absence.


Hint: there is no such thing as an undetectable change.


I'd like to see evidence for that assertion.


Are you really stupid?


I'm a philosopher. I was hoping that you knew something that I
didn't and I could learn something. It seemed improbable given the
ignorance that you appeared to be displaying but hope springs eternal.


If a change makes no difference to anything, ipso facto, it is not a change. All changes therefore must make a
difference, and are therefore detectable.


Yes, but as I pointed out in the post to which you replied absence
of evidence is not evidence of absence. You can know that you
haven't detected a change, but you can't know that there is no
change. Absence of a change is not detectable.


It is.


It would be theoretically possible to hide any change if you had the resources and opportunity. For example if you
use hashes to detect changes then someone could alter the hashes.


You can reduce the risk of this happening but it will always be 0.


I think the possibility of altering a file so that not only is its
hash, but also its size, identical to before and still make it do something malicious is so close to zero as to be
one of the things I simply don't worry about.


And it's quite literally zero if you have more than one hash per file.

AND the AGENCY that does that change would leave traces of doing it.
So that's all the LOG files that may or may not be implicated, that have to be cleaned up. And THAT leaves traces on
the disk image as well.


I don't doubt that given a couple of years I could not develop a tool
that would probably do that, ..and then I would also have to hack into
the machine and get root level access as well....and hope that some
upgrade didn't wipe out whatever it was I had modified.


So there is actually GETTING this 'invisible' change in. It's very very hard.


It can be made impossible. Most obviously by just restoring the image even say daily.

Now consider: what is it to do? That IS malicious? well it can ****
the server over, but that is a BIG change and I have a full backup of
course. So no big deal.


Perhaps it's going to send SPAM? well there again, look at the log files of the ISP service it's connected to..bursts of
traffic not in the mail log on the machine? I will investigate.


Unless the hacker can totally control not only the machine itself in
every respect, but also the ISP to which it is connected - and even I
can't do THAT - at some level anything it *does* is going to be detectable.


Yep, that's the real problem for those that claim it will always be possible.

In short if someone makes a change that results in no detectable
activity or audit trail, I actually don't care. It's not actually
therefore doing anything it isn't set up by me to do.


In the REAL world malware exists because people don't take SIMPLE precautions.


Some kid puts up a server on the net, leaves it wide open, doesn't bother to even read his logs or inspect his disk
structure and someone plonks a completely visible file on it that creates a load of traffic and the owner simply
doesn't notice..!!!


Not just some kid, even Sony was that stupid.

Sheesh. He's a far more likely target than me.


All the hacks and viruses I have come across leave audit trails of
some sort. You can only comprise a system to the extent you control it. One of the huge benefits of open source and a
heterogeneous Internet,
is that no one person does.


Even the best STUXNET in the whole world is detected eventually.


Trouble with that line is that you can't be sure what has never been detected.




  #71   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 40,893
Default Idle fun for net hackers..

David WE Roberts wrote
The Natural Philosopher wrote
David WE Roberts wrote
Bernard Peek wrote
The Natural Philosopher wrote
Bernard Peek wrote
The Natural Philosopher wrote


Well that's your knowledge limits and I have mine.


I know.


Let's say that if anyone has broken in they have left no trace
and altered nothing. Or I would *know*. Which makes it 'not
compromised'


Absence of evidence is not evidence of absence.


Hint: there is no such thing as an undetectable change.


I'd like to see evidence for that assertion.


Are you really stupid?


I'm a philosopher. I was hoping that you knew something that I
didn't and I could learn something. It seemed improbable given the
ignorance that you appeared to be displaying but hope springs eternal.


If a change makes no difference to anything, ipso facto, it is
not a change. All changes therefore must make a difference, and
are therefore detectable.


Yes, but as I pointed out in the post to which you replied absence
of evidence is not evidence of absence. You can know that you
haven't detected a change, but you can't know that there is no
change. Absence of a change is not detectable.


Why don't we ask Schrödinger's cat?
Damn - it's hiding in its box.


Best you can do is affirm that you have been unable to detect a
significant change in the items you are measuring and this meets
your requirements for assurance and security.


exactly, An undetectable change that results in no detectable
activity by anyone in the whole universe is not a security risk.


Come on, sense of balance ;-)
You are not everyone in the Universe.
There might be someone out there who knows a way to change a system
which is not detectable by the currently publicly available tools.


Nope, not with hashes over the entire storage system there isn't.

And the other obvious way to completely protect a system is
to just restore it entirely periodically so what any change that
ever did happen just gets wiped out.

Course that last is only practical for some situations, but would
work fine if say you want a completely secure web browser and
don't want to keep any local record of what you have browsed etc.

One loon I communicate with occasionally is so mindlessly paranoid
that he quite literally uses a DOS machine with some utterly obscure
approach to net access to usenet from, so he can't actually use any
links in usenet posts. It would make a hell of a lot more sense to just
restore that machine from an image after every usenet session instead
and do whatever looks useful links wise in that session with no risk whatever.

The likelihood of this, and also the added likelihood of this person
choosing to attack your system instead of any other, is part of your
risk assessment.



  #72   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 39,563
Default Idle fun for net hackers..

David WE Roberts wrote:

"The Natural Philosopher" wrote in message


exactly, An undetectable change that results in no detectable activity
by anyone in the whole universe is not a security risk.


Come on, sense of balance ;-)
You are not everyone in the Universe.
There might be someone out there who knows a way to change a system
which is not detectable by the currently publicly available tools.



The likelihood of this, and also the added likelihood of this person
choosing to attack your system instead of any other, is part of your
risk assessment.


You have missed the fundamental philosophical point.



If you wake up one morning with entirely false memories of a life going
back to your birth, and so does everybody else, it is indistinguishable
from the life that you have now. Logically if it cannot be detected, it
MIGHT AS WELL not exist.

A change, that changes nothing, is not a security risk. It is not even a
change.

A change that changes something you can detect, is detectable.

A change that changes something you can't detect *even in principle* is
not a change at all. It's sophistry. Like invisible weightless non
interactive unicorns.

If it changes ANYTHING it is in principle detectable. If it does
anything Useful it's got to do a lot more than just 'be detectable'.

The problem is not sophisticated hackers: The problem is dorks running
huge computer systems with absolutely zero understanding of computers.

  #73   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 39,563
Default Idle fun for net hackers..

Tim Watts wrote:
The Natural Philosopher wrote:


exactly, An undetectable change that results in no detectable activity
by anyone in the whole universe is not a security risk.


You may have a "potentially detectable" change, but for any practical
detection mechanism, I feel fairly safe in asserting that it could
potentially be hacked so as not to leave a trace *detectable by the
detection mechanism".

Agreed, but then the second point kicks in, if it's that invisible it
can't do anything useful


It's an arms race - however many tripwires you put up, there's always a way,
no matter how improbable, that a change could be effected that does not trip
the tripwires.


No, it is not.


It's been demonstrated time and time again that every time you put an
obstacle in the way of people who care, they will eventually defeat it if
determined enough.


Indeed, and that's why you don't rely on them not getting in: You
monitor inside to see if they have and keep a backup and lots of audit
trails.

And look at them.

So you KNOW they don't get in, or conversely, that they did.

OTOH to maintain a server on the internet that is virtually impossible
to hack is actually not hard. It's a lot harder to protect an
organisation or internet. Too many variables and too many users. BUT a
server is a simple thing to protect.




  #74   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 39,563
Default Idle fun for net hackers..

Rod Speed wrote:
..

Even the best STUXNET in the whole world is detected eventually.


Trouble with that line is that you can't be sure what has never been detected.



Yep, I have this terminal illness that's never been detected and hasn't
killed me. And leaves no symptoms.

Am I worried?

The only malware on my desktop computer - and it's in quarantine in
virtualbox- is Microsoft Windows XP.
  #75   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 40,893
Default Idle fun for net hackers..

Tim Watts wrote
Rod Speed wrote
Tim Watts wrote
Rod Speed wrote
Mark wrote
The Natural Philosopher wrote
Bernard Peek wrote:
The Natural Philosopher wrote
Bernard Peek wrote
The Natural Philosopher wrote


Well that's your knowledge limits and I have mine.


I know.


Let's say that if anyone has broken in they have
left no trace and altered nothing. Or I would *know*.
Which makes it 'not compromised'


Absence of evidence is not evidence of absence.


Hint: there is no such thing as an undetectable change.


I'd like to see evidence for that assertion.


Are you really stupid?


I'm a philosopher. I was hoping that you knew something that I
didn't and I could learn something. It seemed improbable given
the ignorance that you appeared to be displaying but hope
springs eternal.


If a change makes no difference to anything, ipso facto,
it is not a change. All changes therefore must make a
difference, and are therefore detectable.


Yes, but as I pointed out in the post to which you replied
absence of evidence is not evidence of absence. You can know
that you haven't detected a change, but you can't know that
there is no change. Absence of a change is not detectable.


It is.


It would be theoretically possible to hide any change if you
had the resources and opportunity. For example if you use
hashes to detect changes then someone could alter the hashes.


Not if they aren't on that system they can't.


You can reduce the risk of this happening but it will always be 0.


Nope. It's perfectly possible to have a risk of 0.


Even against aliens with telekinetic abilities?


Yep. Any change they make that matters will be detectable.


And as you cannot prove such aliens don't exist, I suspect your risk is
0 even if you bury your computer in a concrete block inside a metal box.


You're wrong.


Nope - I don't accept an exactly 0 risk is possible on any non isolated computer.


Course it's possible, most obviously with a full restore from image
after every use on the net with a box used for browsing for example.

Doesn't matter a damn what anyone does to the system while it's being
used for browsing if you restore it completely after you stop browsing,
whatever change they manage to make to the system is gone.

Very close, perhaps, but not exactly 0.


Yes, exactly zero.




  #76   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 40,893
Default Idle fun for net hackers..

Tim Watts wrote
The Natural Philosopher wrote


exactly, An undetectable change that results in no detectable
activity by anyone in the whole universe is not a security risk.


You may have a "potentially detectable" change, but for
any practical detection mechanism, I feel fairly safe in
asserting that it could potentially be hacked so as not to
leave a trace *detectable by the detection mechanism".


Doesn't matter if you are fairly certain or not, there are obvious
examples where that isn't possible. Most obviously with a full
restore from image using a machine that isn't even net accessible.

Doesn't matter what change was done, it's gone after the restore
so there isn't anything it can do that matters. Even if it corrupts the
system, the restore fixes that.

It's an arms race - however many tripwires you put up, there's always
a way, no matter how improbable, that a change could be effected that
does not trip the tripwires.


Have fun spelling that out with the full restore.

It's been demonstrated time and time again that every time you put an
obstacle in the way of people who care, they will eventually defeat
it if determined enough.


That's wrong too. When the obstacle relies on the laws of physics, they
can be as determined as they like, they can't change the laws of physics.

If you don't believe that, show us your perpetual motion machine.


  #77   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 2,688
Default Idle fun for net hackers..

Rod Speed wrote:

Tim Watts wrote

I don't accept an exactly 0 risk is possible on any non isolated computer.


Course it's possible, most obviously with a full restore from image
after every use on the net with a box used for browsing for example.


Then your backup image becomes the target, if it's on readonly medium it
gets mysteriously swapped ... depends on your adversary, but the risk is
definitely 0

  #78   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 40,893
Default Idle fun for net hackers..

Andy Burns wrote
Rod Speed wrote
Tim Watts wrote


I don't accept an exactly 0 risk is possible on any non isolated computer.


Course it's possible, most obviously with a full restore from image
after every use on the net with a box used for browsing for example.


Then your backup image becomes the target,


Can't be if it's not net accessible.

if it's on readonly medium it gets mysteriously swapped


The ****ing great Alsatian and the CCTV system ensures
that it can't be without a record of that happening.

... depends on your adversary, but the risk is definitely 0


Fraid not.


  #79   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 2,688
Default Idle fun for net hackers..

Rod Speed wrote:

Andy Burns wrote

if it's on readonly medium it gets mysteriously swapped


The ****ing great Alsatian and the CCTV system ensures
that it can't be without a record of that happening.


Alsatians like steak, CCTV operatives like loose women, recordings like
to go missing. Risk is still 0 if they're definitely after you.

  #80   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 4,453
Default Idle fun for net hackers..

Rod Speed wrote:

David WE Roberts wrote
The Natural Philosopher wrote
David WE Roberts wrote
Bernard Peek wrote
The Natural Philosopher wrote
Bernard Peek wrote
The Natural Philosopher wrote


Well that's your knowledge limits and I have mine.


I know.


Let's say that if anyone has broken in they have left no trace
and altered nothing. Or I would *know*. Which makes it 'not
compromised'


Absence of evidence is not evidence of absence.


Hint: there is no such thing as an undetectable change.


I'd like to see evidence for that assertion.


Are you really stupid?


I'm a philosopher. I was hoping that you knew something that I
didn't and I could learn something. It seemed improbable given the
ignorance that you appeared to be displaying but hope springs eternal.


If a change makes no difference to anything, ipso facto, it is
not a change. All changes therefore must make a difference, and
are therefore detectable.


Yes, but as I pointed out in the post to which you replied absence
of evidence is not evidence of absence. You can know that you
haven't detected a change, but you can't know that there is no
change. Absence of a change is not detectable.


Why don't we ask Schrödinger's cat?
Damn - it's hiding in its box.


Best you can do is affirm that you have been unable to detect a
significant change in the items you are measuring and this meets
your requirements for assurance and security.


exactly, An undetectable change that results in no detectable
activity by anyone in the whole universe is not a security risk.


Come on, sense of balance ;-)
You are not everyone in the Universe.
There might be someone out there who knows a way to change a system
which is not detectable by the currently publicly available tools.


Nope, not with hashes over the entire storage system there isn't.


What's protecting the hashes?

More hashes... And what protects them?

It's a parallel problem to the old: who watches the watchers...

And the other obvious way to completely protect a system is
to just restore it entirely periodically so what any change that
ever did happen just gets wiped out.


Did they hack your install media?

Course that last is only practical for some situations, but would
work fine if say you want a completely secure web browser and
don't want to keep any local record of what you have browsed etc.

One loon I communicate with occasionally is so mindlessly paranoid
that he quite literally uses a DOS machine with some utterly obscure
approach to net access to usenet from, so he can't actually use any
links in usenet posts. It would make a hell of a lot more sense to just
restore that machine from an image after every usenet session instead
and do whatever looks useful links wise in that session with no risk
whatever.


I still maintain ZERO risk is impossible and I am confident that I am right.

However, what matters in the real world is whether that risk is
acceptable... For most people, reasonable precautions are sufficient.

For me, if "they" hack my home servers, they might delete my data or use it
as a staging post to hack someone else. It would be a pain, but I have many
backups in different places and "they" would have to be targetting me
personally to locate, attack and damage all of them. In reality, my box
*might* be attractive as a bot or a proxy but I doubt anyone would bother to
damage it. So I class my risk factor as quite low and generally stick with
auto patching stuff.

Work is different - with 2GBit/sec connectivity, we are a more useful target
so the risk is higher. Work is also more visible.

If the computer however is in the final loop of a nuclear missile launch
chain, then (barring more primitive interlocks in its way), a small risk is
highly unacceptable.

Getting back to reality again - there was a problem in the US where someone
got control of some big water pumps which may, or could have caused pump
damage:

http://www.itproportal.com/2011/11/1...outh-houstons-water-supply-network/

http://www.huffingtonpost.com/2011/1...is-water-pump-failu_n_1103498.html

The likelihood of this, and also the added likelihood of this person
choosing to attack your system instead of any other, is part of your
risk assessment.

--
Tim Watts
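
An added example, not part of any post in this thread: the "what's protecting the hashes?" question above, worked through in Python. It records size plus two independent hashes per file and seals the manifest with an HMAC whose key is assumed to live only on the separate checking machine; the key value, file names and function names are all constructed for illustration, and the HMAC is one possible way of keeping the integrity anchor off the monitored system.

```python
import hashlib
import hmac
import json
import os
import tempfile

CHUNK = 1 << 16


def hash_file(path):
    """Return the size and two independent digests for one file."""
    sha = hashlib.sha256()
    b2 = hashlib.blake2b()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            sha.update(chunk)
            b2.update(chunk)
            size += len(chunk)
    return {"size": size, "sha256": sha.hexdigest(), "blake2b": b2.hexdigest()}


def build_manifest(root):
    """Walk the tree and record every file under a stable relative path."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def _canonical(manifest):
    # Deterministic encoding so the same manifest always yields the same tag.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def seal(manifest, key):
    """Attach an HMAC-SHA256 tag; the key never touches the monitored host."""
    tag = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    return {"manifest": manifest, "tag": tag}


def verify(root, sealed, key):
    """Check the manifest itself first, then compare the tree against it."""
    expected = hmac.new(key, _canonical(sealed["manifest"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["tag"]):
        # The stored hashes can no longer be trusted, so no comparison is made.
        return {"manifest_ok": False, "added": [], "removed": [], "modified": []}
    baseline = sealed["manifest"]
    current = build_manifest(root)
    common = set(current) & set(baseline)
    return {
        "manifest_ok": True,
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if current[p] != baseline[p]),
    }


def demo():
    key = b"constructed-demo-key-kept-off-host"  # assumption: held by the checker only
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "bin"))
        tool = os.path.join(root, "bin", "tool")
        with open(tool, "wb") as fh:
            fh.write(b"original program\n")
        with open(os.path.join(root, "motd"), "wb") as fh:
            fh.write(b"hello\n")

        sealed = seal(build_manifest(root), key)
        clean = verify(root, sealed, key)

        # Same-length change: a size check alone would miss it, the digests do not.
        with open(tool, "wb") as fh:
            fh.write(b"modified program\n")
        changed = verify(root, sealed, key)

        # The stored entry is rewritten to match the new file, but the tag
        # cannot be recomputed without the key, so the manifest fails first.
        forged = {"manifest": dict(sealed["manifest"]), "tag": sealed["tag"]}
        forged["manifest"]["bin/tool"] = hash_file(tool)
        forged_result = verify(root, forged, key)
    return clean, changed, forged_result


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The check is only as strong as the custody of the key and of the machine that runs `verify`, which is the "who watches the watchers" point made above.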