Rod Speed wrote:

Tim Watts wrote
The Natural Philosopher wrote

exactly, An undetectable change that results in no detectable
activity by anyone in the whole universe is not a security risk.

You may have a "potentially detectable" change, but for
any practical detection mechanism, I feel fairly safe in
asserting that it could potentially be hacked so as not to
leave a trace *detectable by the detection mechanism".

Doesnt matter if you are fairly certain or not, there are obvious
examples where that isnt possible. Most obviously with a full
restore from image using a machine that isnt even net accessible.

You are assuming all hacking involves net access. What's wrong with physical
access? It's all part of security.


--
Tim Watts

Rod Speed wrote:

Andy Burns wrote
Rod Speed wrote
Tim Watts wrote

I don't accept an exactly 0 risk is possible on any non isolated
computer.

Corse its possibile, most obviously with a full restore from image
after every use on the net with a box used for browsing for example.

Then your backup image becomes the target,

Cant be if its not net accessible.

if it's on readonly medium it gets mysteriously swapped

The ****ing great Alsatian and the CCTV system ensures
that it cant be without a record of that happening.

... depends on you adversary, but the risk is definitely 0

Fraid not.

They hack your CCTV and drug your dog.

For every assertion I can produce a counter assertion, which no matter how
silly, is still possible.

--
Tim Watts

The Natural Philosopher wrote:

Tim Watts wrote:
The Natural Philosopher wrote:


exactly, An undetectable change that results in no detectable activity
by anyone in the whole universe is not a security risk.

You may have a "potentially detectable" change, but for any practical
detection mechanism, I feel fairly safe in asserting that it could
potentially be hacked so as not to leave a trace *detectable by the
detection mechanism".

Agreed, but then the second point kicks in, if its that invisible it
cant do anything useful


It's an arms race - however many tripwires you put up, there's always a
way, no matter how improbable, that a change could be effected that does
not trip the tripwires.


No, it is not.


It's been demonstrated time and time again that everytime you put an
obstacle in the way of people who care, they will eventually defeat it if
determined enough.


Indeed, and that's why you don't rely on them not getting in: You
monitor inside to see if they have and keep a backup and lots of audit
trails.

And look at them.

So you KNOW they dont get in, or conversely, that they did.

OTOH to maintain a server on the internet that is virtually impossible
to hack is actually not hard. Its a lot harder to protect an
organisation or internet. To many variables and too many users. BUT a
server is a simple thing to protect.

And the integrity of your audit trails is guaranteed how exactly?

--
Tim Watts

Andy Burns wrote
Rod Speed wrote
Andy Burns wrote

if it's on readonly medium it gets mysteriously swapped

The ****ing great Alsatian and the CCTV system ensures
that it cant be without a record of that happening.

Alsatians like steak,

Mine likes intruders much more than steak.

Likely the fact that its resisting being eaten that lights his fire.

CCTV operatives like loose women,

No operatives with mine.

recordings like to go missing.

Mine cant.

Risk is still 0 if they're definitely after you.

Nope. There will still be a record of what happened, even if
its just the bloody clothes of the intruder and a burping Alsatian.

"Rod Speed" wrote in message
...
dennis@home wrote
Rod Speed wrote

It would be theoretically possible to hide any change if you had the
resources and opportunity. For example if you use hashes to detect
changes then someone could alter the hashes.

Not if they arent on that system they cant.

You can't be sure that what you installed wasn't compromised in the first
place.

You dont have to install anything on the system being checked.

We are talking about real computer systems that are used to do things.

And you can test whether it can detect changes by making your own changes
too.

There are even possible attacks if you compile the C source from scratch.
for example..

Yes, but if that system isnt even on the system being protected...

Which system?


its possible to build a compiler that puts unwanted stuff into programs
it compiles.

But they have no control over what compiler you use with a common
language.

well you do, but the fact that you don't use that control means you may well
be compromised from the very start and you wouldn't know.


It is possible to hide these from the source code of the compiler by
recognising the compiler and adding the code to do this when the compiler
is compiled.

But they have no control over what compiler you use with a common
language.

Are you sure it isn't in say the GNU compiler?
You can't detect it by reading the source and if you compile the source with
an infect compiler you have an infected compiler.


Before you say this can't be done, did you use a binary to compile your
last program or did you do it by hand to ensure the above wasn't done?

My last program isnt relevant. What matters is what is used to
compile the system that does the checks. With hashes the code
can be so simple that its quite practical to compile it by hand.

So you don't understand what I said then.


You can reduce the risk of this happening but it will always be 0.

Nope. Its perfectly possible to have a risk of 0.

You also put a chainsaw through your computer then?

Dont need to do that.

Tim Watts wrote
Rod Speed wrote
David WE Roberts wrote
The Natural Philosopher wrote
David WE Roberts wrote
Bernard Peek wrote
The Natural Philosopher wrote
Bernard Peek wrote
The Natural Philosopher wrote

Well thats uyouir knowelege limits and I have mine.

I know.

Let's say that if anyone has broken in they have
left no trace and altered nothing. Or I would *know*.
Which makes it 'not compromised'

Absence of evidence is not evidence of absence.

Hint: there is no such thing as an undetectable change.

I'd like to see evidence for that assertion.

Are you really stupid?

I'm a philosopher. I was hoping that you knew something that I didn't
and I could learn something. It seemed improbable given the ignorance
that you appeared to be displaying but hope springs eternal.

If a change makes no difference to anything, ipso facto, it is
not a change. All changes therefore must make a difference,
and are therefore detectable.

Yes, but as I pointed out in the post to which you replied absence
of evidence is not evidence of absence. You can know that you
haven't detected a change, but you can't know that there is no
change. Absence of a change is not detectable.

Why don't we ask Schr?dinger's cat?
Damn - it's hiding in its box.

Best you can do is affirm that you have been unable to detect
a significant change in the items you are measuring and this
meets your requirements for assurance and security.

exactly, An undetectable change that results in no detectable
activity by anyone in the whole universe is not a security risk.

Come on, sense of balance ;-)
You are not everyone in the Universe.
There might be someone out there who knows a way to change a system
which is not detectable by the currently publicly available tools.

Nope, not with hashes over the entire storage system there isnt.

What's protecting the hashes?

A system that isnt even net accessible.

More hashes... And what protects them?

A system that isnt even net accessible.

It's a parallel problem to the old: who watches the watchers...

Fraid not.

And the other obvious way to completely protect a system
is to just restore it entirely periodically so that any change
that ever did happen just gets wiped out.

Did they hack your install media?

Not even possible if its read only media.

Corse that last is only practical for some situations, but would
work fine if say you want a completely secure web browser and
dont want to keep any local record of what you have browsed etc.

One loon I communicate with ocassionally is so mindlessly oaranoid
that he quite literally uses a DOS machine with some utterly obscure
approach to net access to usenet from, so he cant actually use any
links in usenet posts. It would make a hell of a lot more sense to
just restore that machine from an image after every usenet session
instead and do whatever looks useful links wise in that session with
no risk whatever.

I still maintain ZERO risk is impossible

You're wrong on that.

and I am confident that I am right.

Your confidence doesnt change a thing.

However, what matters in the real world is whether that risk is
acceptable... For most people, reasonable precautions are sufficient.

And its perfectly possible to have zero risk too.

For me, if "they" hack my home servers, they might delete my data
or use it as a staging post to hack someone else. It would be a pain,
but I have many backups in different places and "they" would have to
be targetting me personally to locate, attack and damage all of them.

And its perfectly possible to ensure that they cant find them all.

In reality, my box *might* be attractive as a bot or a proxy but
I doubt anyone would bother to damage it. So I class my risk
factor as quite low and generally stick with auto patching stuff.

Work is different - with 2GBit/sec connectivity, we are a more
useful target so the risk is higher. Work is also more visible.

If the computer however is in the final loop of a nuclear missile
lauch chain, then (barring more primite interlocks in its way), a
small risk is highly unacceptable.

Its easy enough to eliminate the risk there too.

Getting back to reality again - there was a problem in the
US where someone got control of some big water pumps
which may, or could have cause pump damage:

http://www.itproportal.com/2011/11/1...upply-network/

http://www.huffingtonpost.com/2011/1...n_1103498.html

The likelihood of this, and also the added likelihood of this person
choosing to attack your system instead of any other, is part of your
risk assessment.

Tim Watts wrote
Rod Speed wrote
Tim Watts wrote
The Natural Philosopher wrote

exactly, An undetectable change that results in no detectable
activity by anyone in the whole universe is not a security risk.

You may have a "potentially detectable" change, but for
any practical detection mechanism, I feel fairly safe in
asserting that it could potentially be hacked so as not to
leave a trace *detectable by the detection mechanism".

Doesnt matter if you are fairly certain or not, there are obvious
examples where that isnt possible. Most obviously with a full
restore from image using a machine that isnt even net accessible.

You are assuming all hacking involves net access.

Nope, I know that its even easier to ensure that physical access is recorded.

What's wrong with physical access?

Its even easier to ensure that that doesnt go undetected.

It's all part of security.

Sure, and even easier to ensure that doesnt go undetected.

And even easier to ensure that even if it happens, it doesnt matter, by replication.

You have to do that to protect against natural and unnatural disasters anyway.

Tim Watts wrote
Rod Speed wrote
Andy Burns wrote
Rod Speed wrote
Tim Watts wrote

I don't accept an exactly 0 risk is possible on any non isolated computer.

Corse its possibile, most obviously with a full restore from image
after every use on the net with a box used for browsing for example.

Then your backup image becomes the target,

Cant be if its not net accessible.

if it's on readonly medium it gets mysteriously swapped

The ****ing great Alsatian and the CCTV system ensures
that it cant be without a record of that happening.

... depends on you adversary, but the risk is definitely 0

Fraid not.

They hack your CCTV

Not even possible, and even if it was, its trivial to record that that happened.

and drug your dog.

Not even possible, and even if it was, its trivial to record that that happened.

For every assertion I can produce a counter assertion,

Yes.

which no matter how silly, is still possible.

Fraid not.

Tim Watts wrote
The Natural Philosopher wrote
Tim Watts wrote
The Natural Philosopher wrote

exactly, An undetectable change that results in no detectable
activity by anyone in the whole universe is not a security risk.

You may have a "potentially detectable" change, but for any
practical detection mechanism, I feel fairly safe in asserting that
it could potentially be hacked so as not to leave a trace
*detectable by the detection mechanism".

Agreed, but then the second point kicks in, if its that invisible it cant do anything useful

It's an arms race - however many tripwires you put up, there's
always a way, no matter how improbable, that a change could be
effected that does not trip the tripwires.

No, it is not.

It's been demonstrated time and time again that everytime you put an
obstacle in the way of people who care, they will eventually defeat
it if determined enough.

Indeed, and that's why you don't rely on them not getting in: You
monitor inside to see if they have and keep a backup and lots of
audit trails.

And look at them.

So you KNOW they dont get in, or conversely, that they did.

OTOH to maintain a server on the internet that is virtually
impossible to hack is actually not hard. Its a lot harder to protect
an organisation or internet. To many variables and too many users.
BUT a server is a simple thing to protect.

And the integrity of your audit trails is guaranteed how exactly?

Plenty of obvious ways to do that.

dennis@home wrote
Rod Speed wrote
dennis@home wrote
Rod Speed wrote

It would be theoretically possible to hide any change if you had the resources and opportunity. For example if
you use hashes to detect changes then someone could alter the hashes.

Not if they arent on that system they cant.

You can't be sure that what you installed wasn't compromised in the first place.

You dont have to install anything on the system being checked.

We are talking about real computer systems that are used to do things.

Sure, but its still perfectly possible to completely protect those.

And you can test whether it can detect changes by making your own changes too.

There are even possible attacks if you compile the C source from scratch. for example..

Yes, but if that system isnt even on the system being protected...

Which system?

The one checking the hashes.

its possible to build a compiler that puts unwanted stuff into programs it compiles.

But they have no control over what compiler you use with a common language.

well you do, but the fact that you don't use that control means you
may well be compromised from the very start and you wouldn't know.

Nope, not with something as simple as using hashes to check what gets changed.

It is possible to hide these from the source code of the compiler by recognising the compiler and adding the code to
do this when the compiler is compiled.

But they have no control over what compiler you use with a common language.

Are you sure it isn't in say the GNU compiler?

Its easy enough to be sure of that.

You can't detect it by reading the source and if you compile the
source with an infect compiler you have an infected compiler.

So you ensure you dont use infected compiler.

Before you say this can't be done, did you use a binary to compile your last program or did you do it by hand to
ensure the above wasn't done?

My last program isnt relevant. What matters is what is used to
compile the system that does the checks. With hashes the code
can be so simple that its quite practical to compile it by hand.

So you don't understand what I said then.

Wrong. There doesnt have to be any compiler involved at all.

You can compile by hand if you are that paranoid.

You can reduce the risk of this happening but it will always be 0.

Nope. Its perfectly possible to have a risk of 0.

You also put a chainsaw through your computer then?

Dont need to do that.

Rod Speed wrote:

You can compile by hand if you are that paranoid.


Ah, but was the PROCESSOR you bought secretly hacked my Men In Black
Helicopters?

Or you secretly have a chip in your brain that makes it impossible for
you to see hacks and their effects.

You know, like the one that makes people vote Labour even when it
patently obvious they have no idea how to run anything.

The Natural Philosopher wrote
Rod Speed wrote

You can compile by hand if you are that paranoid.

Ah, but was the PROCESSOR you bought secretly hacked my Men In Black Helicopters?

Trivially avoidable by running it on all processors available and seeing if they all say the same thing.

Or you secretly have a chip in your brain that makes it impossible for you to see hacks and their effects.

Trivially avoidable by getting the dog to check it.

You know, like the one that makes people vote Labour even when it patently obvious they have no idea how to run
anything.

Off with their heads. That'll fix that.

On 29/02/2012 18:39, Tim Watts wrote:
You may have a "potentially detectable" change, but for any practical
detection mechanism, I feel fairly safe in asserting that it could
potentially be hacked so as not to leave a trace *detectable by the
detection mechanism".

It's an arms race - however many tripwires you put up, there's always a way,
no matter how improbable, that a change could be effected that does not trip
the tripwires.

It's been demonstrated time and time again that everytime you put an
obstacle in the way of people who care, they will eventually defeat it if
determined enough.

Beautifully put.

Now then, zero risk. There's no significant risk that I'll be killed by
a meteor on the way to work tomorrow. As far as I can tell although
several people have been struck, and a few animals killed, no human in
history has been killed by one. But zero? Ask any dinosaur.

The risk is insignificant, which is not the same thing at all.

Andy

Rod Speed wrote:

Tim Watts wrote
Rod Speed wrote
David WE Roberts wrote
The Natural Philosopher wrote
David WE Roberts wrote
Bernard Peek wrote
The Natural Philosopher wrote
Bernard Peek wrote
The Natural Philosopher wrote

Well thats uyouir knowelege limits and I have mine.

I know.

Let's say that if anyone has broken in they have
left no trace and altered nothing. Or I would *know*.
Which makes it 'not compromised'

Absence of evidence is not evidence of absence.

Hint: there is no such thing as an undetectable change.

I'd like to see evidence for that assertion.

Are you really stupid?

I'm a philosopher. I was hoping that you knew something that I
didn't and I could learn something. It seemed improbable given the
ignorance that you appeared to be displaying but hope springs
eternal.

If a change makes no difference to anything, ipso facto, it is
not a change. All changes therefore must make a difference,
and are therefore detectable.

Yes, but as I pointed out in the post to which you replied absence
of evidence is not evidence of absence. You can know that you
haven't detected a change, but you can't know that there is no
change. Absence of a change is not detectable.

Why don't we ask Schr?dinger's cat?
Damn - it's hiding in its box.

Best you can do is affirm that you have been unable to detect
a significant change in the items you are measuring and this
meets your requirements for assurance and security.

exactly, An undetectable change that results in no detectable
activity by anyone in the whole universe is not a security risk.

Come on, sense of balance ;-)
You are not everyone in the Universe.
There might be someone out there who knows a way to change a system
which is not detectable by the currently publicly available tools.

Nope, not with hashes over the entire storage system there isnt.

What's protecting the hashes?

A system that isnt even net accessible.

More hashes... And what protects them?

A system that isnt even net accessible.

It's a parallel problem to the old: who watches the watchers...

Fraid not.

And the other obvious way to completely protect a system
is to just restore it entirely periodically so that any change
that ever did happen just gets wiped out.

Did they hack your install media?

Not even possible if its read only media.

Replace the disc with the same media brand, forge the handwriting or printed
label, subletly different content. If the forgery were perfect, how would
you know?

Corse that last is only practical for some situations, but would
work fine if say you want a completely secure web browser and
dont want to keep any local record of what you have browsed etc.

One loon I communicate with ocassionally is so mindlessly oaranoid
that he quite literally uses a DOS machine with some utterly obscure
approach to net access to usenet from, so he cant actually use any
links in usenet posts. It would make a hell of a lot more sense to
just restore that machine from an image after every usenet session
instead and do whatever looks useful links wise in that session with
no risk whatever.

I still maintain ZERO risk is impossible

You're wrong on that.


I'm afarid you're wrong.

You are talking in absolutes and as such, zero risk is not possible.

If you wish to rephrase and say the risk can be made insignificant, I would
accept that.
--
Tim Watts

Rod Speed wrote:

Tim Watts wrote
Rod Speed wrote
Andy Burns wrote
Rod Speed wrote
Tim Watts wrote

I don't accept an exactly 0 risk is possible on any non isolated
computer.

Corse its possibile, most obviously with a full restore from image
after every use on the net with a box used for browsing for example.

Then your backup image becomes the target,

Cant be if its not net accessible.

if it's on readonly medium it gets mysteriously swapped

The ****ing great Alsatian and the CCTV system ensures
that it cant be without a record of that happening.

... depends on you adversary, but the risk is definitely 0

Fraid not.

They hack your CCTV

Not even possible, and even if it was, its trivial to record that that
happened.

Specifically how? If the recording were got at and a section were spliced in
with great care to replace the bit with the incriminating parts on?

If your CCTV contains scenes of the sky with clouds or waving trees, I
accept this would be difficult. If the CCTV is pointing at a wall across
from a walkway, it would be relatively easy for someone who knows what they
are doing to replace a scene with an earlier section repeated.

and drug your dog.

Not even possible, and even if it was, its trivial to record that that
happened.

No? Dart gun then - or is your dog armoured too?

For every assertion I can produce a counter assertion,

Yes.

which no matter how silly, is still possible.

Fraid not.
--
Tim Watts

"Rod Speed" wrote in message
...
dennis@home wrote
Rod Speed wrote
dennis@home wrote
Rod Speed wrote

It would be theoretically possible to hide any change if you had the
resources and opportunity. For example if you use hashes to detect
changes then someone could alter the hashes.

Not if they arent on that system they cant.

You can't be sure that what you installed wasn't compromised in the
first place.

You dont have to install anything on the system being checked.

We are talking about real computer systems that are used to do things.

Sure, but its still perfectly possible to completely protect those.

And you can test whether it can detect changes by making your own
changes too.

There are even possible attacks if you compile the C source from
scratch. for example..

Yes, but if that system isnt even on the system being protected...

Which system?

The one checking the hashes.

its possible to build a compiler that puts unwanted stuff into programs
it compiles.

But they have no control over what compiler you use with a common
language.

well you do, but the fact that you don't use that control means you
may well be compromised from the very start and you wouldn't know.

Nope, not with something as simple as using hashes to check what gets
changed.

Nothing does get changed on the system, you are hacked from the start.
The hack is loaded on startup, runs in ram, disappears when you look for it,
reappears on restart, still no changes to your hashes.
Sure if you monitor all the outputs you may find the system is doing
something odd but you reinstall it and the hack is still there and the
hashes are the same.

It is possible to hide these from the source code of the compiler by
recognising the compiler and adding the code to do this when the
compiler is compiled.

But they have no control over what compiler you use with a common
language.

Are you sure it isn't in say the GNU compiler?

Its easy enough to be sure of that.

How?


You can't detect it by reading the source and if you compile the
source with an infect compiler you have an infected compiler.

So you ensure you dont use infected compiler.

How?


Before you say this can't be done, did you use a binary to compile your
last program or did you do it by hand to ensure the above wasn't done?

My last program isnt relevant. What matters is what is used to
compile the system that does the checks. With hashes the code
can be so simple that its quite practical to compile it by hand.

So you don't understand what I said then.

Wrong. There doesnt have to be any compiler involved at all.

You can compile by hand if you are that paranoid.

So now you are required to be paranoid to meet your security claim?


You can reduce the risk of this happening but it will always be 0.

Nope. Its perfectly possible to have a risk of 0.

You also put a chainsaw through your computer then?

Dont need to do that.

"Rod Speed" wrote in message
...

Off with their heads. That'll fix that.


So now you agree with the chain saw approach.

Andy Champ wrote
Tim Watts wrote

You may have a "potentially detectable" change, but for any practical detection mechanism, I feel fairly safe in
asserting that it could potentially be hacked so as not to leave a trace *detectable by the detection mechanism".

It's an arms race - however many tripwires you put up, there's
always a way, no matter how improbable, that a change could be
effected that does not trip the tripwires.

It's been demonstrated time and time again that everytime you put an
obstacle in the way of people who care, they will eventually defeat
it if determined enough.

Beautifully put.

Trouble is that no matter now determined anyone has
ever been to eat beans, no one has ever managed to
fart their way to the moon and return to tell the tale
about what brand of beans did the job.

Now then, zero risk. There's no significant risk that I'll be killed by a meteor on the way to work tomorrow. As far
as I can tell although several people have been struck, and a few animals killed, no human in history has been killed
by one. But zero? Ask any dinosaur.

The risk is insignificant, which is not the same thing at all.

There is still zero risk of you doing a perpetual motion machine.

Tim Watts wrote
Rod Speed wrote
Tim Watts wrote
Rod Speed wrote
David WE Roberts wrote
The Natural Philosopher wrote
David WE Roberts wrote
Bernard Peek wrote
The Natural Philosopher wrote
Bernard Peek wrote
The Natural Philosopher wrote

Well thats uyouir knowelege limits and I have mine.

I know.

Let's say that if anyone has broken in they have
left no trace and altered nothing. Or I would *know*.
Which makes it 'not compromised'

Absence of evidence is not evidence of absence.

Hint: there is no such thing as an undetectable change.

I'd like to see evidence for that assertion.

Are you really stupid?

I'm a philosopher. I was hoping that you knew something that I
didn't and I could learn something. It seemed improbable given
the ignorance that you appeared to be displaying but hope
springs eternal.

If a change makes no difference to anything, ipso facto, it is
not a change. All changes therefore must make a difference,
and are therefore detectable.

Yes, but as I pointed out in the post to which you replied
absence of evidence is not evidence of absence. You can know
that you haven't detected a change, but you can't know that
there is no change. Absence of a change is not detectable.

Why don't we ask Schr?dinger's cat?
Damn - it's hiding in its box.

Best you can do is affirm that you have been unable to detect
a significant change in the items you are measuring and this
meets your requirements for assurance and security.

exactly, An undetectable change that results in no detectable
activity by anyone in the whole universe is not a security risk.

Come on, sense of balance ;-)
You are not everyone in the Universe.
There might be someone out there who knows a way to change a
system which is not detectable by the currently publicly available tools.

Nope, not with hashes over the entire storage system there isnt.

What's protecting the hashes?

A system that isnt even net accessible.

More hashes... And what protects them?

A system that isnt even net accessible.

It's a parallel problem to the old: who watches the watchers...

Fraid not.

And the other obvious way to completely protect a system
is to just restore it entirely periodically so that any change
that ever did happen just gets wiped out.

Did they hack your install media?

Not even possible if its read only media.

Replace the disc with the same media brand, forge the handwriting or printed
label, subletly different content. If the forgery were perfect, how would you know?

By comparing the hash with the hash of original stored where they dont even know about.

And I have a record of the physical access required to change the media anyway.

Corse that last is only practical for some situations, but would
work fine if say you want a completely secure web browser and
dont want to keep any local record of what you have browsed etc.

One loon I communicate with ocassionally is so mindlessly oaranoid
that he quite literally uses a DOS machine with some utterly
obscure approach to net access to usenet from, so he cant actually
use any links in usenet posts. It would make a hell of a lot more
sense to just restore that machine from an image after every
usenet session instead and do whatever looks useful links wise in
that session with no risk whatever.

I still maintain ZERO risk is impossible

You're wrong on that.

I'm afarid you're wrong.

Nope.

You are talking in absolutes and as such, zero risk is not possible.

There is absolutely zero risk of you producing a perpetual
motion machine, or of ever being able to fart you way to
the moon, no matter how many cans of bean you eat.

There is absolutely zero risk of anyone being able turn the sun off too.

If you wish to rephrase and say the risk can be made insignificant, I would accept that.

Doesnt matter what you accept.

Tim Watts wrote
Rod Speed wrote
Tim Watts wrote
Rod Speed wrote
Andy Burns wrote
Rod Speed wrote
Tim Watts wrote

I don't accept an exactly 0 risk is possible on any non isolated computer.

Corse its possibile, most obviously with a full restore from image
after every use on the net with a box used for browsing for example.

Then your backup image becomes the target,

Cant be if its not net accessible.

if it's on readonly medium it gets mysteriously swapped

The ****ing great Alsatian and the CCTV system ensures
that it cant be without a record of that happening.

... depends on you adversary, but the risk is definitely 0

Fraid not.

They hack your CCTV

Not even possible, and even if it was, its trivial to record that that happened.

Specifically how?

By having a remotely monitored CCTV with a heartbeat
system that allows you to detect when it ever stops.

If the recording were got at

Not even possible when it isnt anywhere near what is being monitored.

and a section were spliced in with great care
to replace the bit with the incriminating parts on?

Not even possible when they cant even get to it.

If your CCTV contains scenes of the sky with
clouds or waving trees, I accept this would be difficult.

Impossible actually when they cant even get access to whats recorded.

If the CCTV is pointing at a wall across from a walkway, it would
be relatively easy for someone who knows what they are doing to
replace a scene with an earlier section repeated.

So you dont point it like that.

and drug your dog.

Not even possible, and even if it was, its trivial to record that that happened.

No?

Nope.

Dart gun then

Useless, he's an inside dog and cant even get out when I'm not around.

Yes, you could break into the house, but the remotely
monitored CCTV system means that that event will be recorded.

And the dog makes such a hell of a racket when anyone even just
shows up and knocks on the door, let alone succeeds in breaking
in that that alone is one hell of a movement alarm that can be used
to trigger the alarm system.

And its trivial to have the system detect that he has
died and alarm on that too if you are that paranoid.

- or is your dog armoured too?

Doesnt need to be.

For every assertion I can produce a counter assertion,

Yes.

which no matter how silly, is still possible.

Fraid not.

dennis@home wrote
Rod Speed wrote
dennis@home wrote
Rod Speed wrote
dennis@home wrote
Rod Speed wrote

It would be theoretically possible to hide any change if you
had the resources and opportunity. For example if you use
hashes to detect changes then someone could alter the hashes.

Not if they arent on that system they cant.

You can't be sure that what you installed wasn't compromised in the first place.

You dont have to install anything on the system being checked.

We are talking about real computer systems that are used to do things.

Sure, but its still perfectly possible to completely protect those.

And you can test whether it can detect changes by making your own changes too.

There are even possible attacks if you compile the C source from scratch. for example..

Yes, but if that system isnt even on the system being protected...

Which system?

The one checking the hashes.

its possible to build a compiler that puts unwanted stuff into programs it compiles.

But they have no control over what compiler you use with a common language.

well you do, but the fact that you don't use that control means you
may well be compromised from the very start and you wouldn't know.

Nope, not with something as simple as using hashes to check what gets changed.

Nothing does get changed on the system, you are hacked from the start. The hack is loaded on startup, runs in ram,
disappears when you look for it, reappears on restart, still no changes to your hashes.

Just how do you propose to get that hack onto a system
you dont even know is even going to be assembled ?

Even if you were to put it into Win and Linux on everyone's
system, that wont help you if I ame so mindlessly parnoid
that I hand compile the hash checker and use no OS whatever.

Sure if you monitor all the outputs you may find the system is doing something odd

It has to do that if its to do anything useful and not change any of the files.

And with the completely secure browsing system, all you
have to do is ensure that you dont even have anything on
the completely secure browsing system that give a damn
about if someone chose to steal the entire contents of anyway.

but you reinstall it and the hack is still there and the hashes are the same.

But nothing you give a damn about is on that system, so you dont give a damn.

It is possible to hide these from the source code of the compiler
by recognising the compiler and adding the code to do this when
the compiler is compiled.

But they have no control over what compiler you use with a common language.

Are you sure it isn't in say the GNU compiler?

Its easy enough to be sure of that.

How?

By hand compiling the hash checker.

You can't detect it by reading the source and if you compile the
source with an infect compiler you have an infected compiler.

So you ensure you dont use infected compiler.

How?

By hand compiling the hash checker.

Before you say this can't be done, did you use a binary to
compile your last program or did you do it by hand to ensure the
above wasn't done?

My last program isnt relevant. What matters is what is used to
compile the system that does the checks. With hashes the code
can be so simple that its quite practical to compile it by hand.

So you don't understand what I said then.

Wrong. There doesnt have to be any compiler involved at all.

You can compile by hand if you are that paranoid.

So now you are required to be paranoid to meet your security claim?

Nope. And it isnt a claim, its a fact.

You can reduce the risk of this happening but it will always be 0.

Nope. Its perfectly possible to have a risk of 0.

You also put a chainsaw through your computer then?

Dont need to do that.

dennis@home wrote
Rod Speed wrote
The Natural Philosopher wrote
Rod Speed wrote

You can compile by hand if you are that paranoid.

Ah, but was the PROCESSOR you bought secretly hacked my Men In Black Helicopters?

Trivially avoidable by running it on all processors available and seeing if they all say the same thing.

Or you secretly have a chip in your brain that makes it impossible for you to see hacks and their effects.

Trivially avoidable by getting the dog to check it.

You know, like the one that makes people vote Labour even when it patently obvious they have no idea how to run
anything.

Off with their heads. That'll fix that.

So now you agree with the chain saw approach.

Nope, a gillotine works much better.

"Rod Speed" wrote in message
...

Even if you were to put it into Win and Linux on everyone's
system, that wont help you if I ame so mindlessly parnoid
that I hand compile the hash checker and use no OS whatever.

How will that help?
The hashes for the compromised system will be the same.
You obviously can't/won't understand.


Sure if you monitor all the outputs you may find the system is doing
something odd

It has to do that if its to do anything useful and not change any of the
files.

And with the completely secure browsing system, all you
have to do is ensure that you dont even have anything on
the completely secure browsing system that give a damn
about if someone chose to steal the entire contents of anyway.

but you reinstall it and the hack is still there and the hashes are the
same.

But nothing you give a damn about is on that system, so you dont give a
damn.

Well its not zero risk.


It is possible to hide these from the source code of the compiler
by recognising the compiler and adding the code to do this when
the compiler is compiled.

But they have no control over what compiler you use with a common
language.

Are you sure it isn't in say the GNU compiler?

Its easy enough to be sure of that.

How?

By hand compiling the hash checker.

So what the hash checker doesn't matter.


You can't detect it by reading the source and if you compile the
source with an infect compiler you have an infected compiler.

So you ensure you dont use infected compiler.

How?

By hand compiling the hash checker.

So it doesn't matter the hashes will be the same.

dennis@home wrote
Rod Speed wrote

Even if you were to put it into Win and Linux on everyone's
system, that wont help you if I am so mindlessly parnoid that I hand compile the hash checker and use no OS whatever.

How will that help?
The hashes for the compromised system will be the same.

There is no compromised system.

You obviously can't/won't understand.

Sure do.

Sure if you monitor all the outputs you may find the system is doing something odd

It has to do that if its to do anything useful and not change any of the files.

And with the completely secure browsing system, all you
have to do is ensure that you dont even have anything on
the completely secure browsing system that give a damn
about if someone chose to steal the entire contents of anyway.

but you reinstall it and the hack is still there and the hashes are the same.

But nothing you give a damn about is on that system, so you dont give a damn.

Well its not zero risk.

Corse it is if there is nothing on that system that can be stolen.

They can steal what they can get off the net any time they want it ?

Whoopy bloody do.

It is possible to hide these from the source code of the compiler by recognising the compiler and adding the
code to do this when the compiler is compiled.

But they have no control over what compiler you use with a common language.

Are you sure it isn't in say the GNU compiler?

Its easy enough to be sure of that.

How?

By hand compiling the hash checker.

So what the hash checker doesn't matter.

Corse it does if the hack wants to do anything that matters to the system.

You can't detect it by reading the source and if you compile the
source with an infect compiler you have an infected compiler.

So you ensure you dont use infected compiler.

How?

By hand compiling the hash checker.

So it doesn't matter the hashes will be the same.

If they are, the hack hasnt done anything that matters to the system.

If its snooped on your system while its booted, doesnt matter a damn
if there is nothing on that system that isnt available to anyone on the net.

Rod Speed :
Tim Watts wrote
Rod Speed wrote
Tim Watts wrote
Rod Speed wrote
Andy Burns wrote
Rod Speed wrote
Tim Watts wrote
[...]

Please don't feed the troll. Try this instead:

http://www.sensationbot.com/jschat.php?db=rodspeed

More information:

https://groups.google.com/group/comp...ea774e304aef58

--
Mike Barnes

On 29/02/12 20:44, Rod Speed wrote:


My last program isnt relevant. What matters is what is used to
compile the system that does the checks. With hashes the code
can be so simple that its quite practical to compile it by hand.

So you don't understand what I said then.

Wrong. There doesnt have to be any compiler involved at all.

You can compile by hand if you are that paranoid.

Rather more than that:

http://dl.acm.org/ft_gateway.cfm?id=358210&ftid=801607&dwn=1&CFID=68 419480&CFTOKEN=24779211

Reflections on trusting trust
Ken Thompson AT&T Bell Labs, Murray Hill, NJ

Communications of the ACM
Volume 27 Issue 8, Aug 1984
ACM New York, NY, USA
doi: 10.1145/358198.358210


--
djc

Andy Champ wrote:
On 29/02/2012 18:39, Tim Watts wrote:
You may have a "potentially detectable" change, but for any practical
detection mechanism, I feel fairly safe in asserting that it could
potentially be hacked so as not to leave a trace *detectable by the
detection mechanism".

It's an arms race - however many tripwires you put up, there's always
a way,
no matter how improbable, that a change could be effected that does
not trip
the tripwires.

It's been demonstrated time and time again that everytime you put an
obstacle in the way of people who care, they will eventually defeat it if
determined enough.

Beautifully put.

Now then, zero risk. There's no significant risk that I'll be killed by
a meteor on the way to work tomorrow. As far as I can tell although
several people have been struck, and a few animals killed, no human in
history has been killed by one. But zero? Ask any dinosaur.


There is zero risk you will have you leg removed and not notice it.

Which is more what we are talking about.


The risk is insignificant, which is not the same thing at all.

Andy

Tim Watts wrote:
Rod Speed wrote:

Tim Watts wrote
Rod Speed wrote
David WE Roberts wrote
The Natural Philosopher wrote
David WE Roberts wrote
Bernard Peek wrote
The Natural Philosopher wrote
Bernard Peek wrote
The Natural Philosopher wrote
Well thats uyouir knowelege limits and I have mine.
I know.
Let's say that if anyone has broken in they have
left no trace and altered nothing. Or I would *know*.
Which makes it 'not compromised'
Absence of evidence is not evidence of absence.
Hint: there is no such thing as an undetectable change.
I'd like to see evidence for that assertion.
Are you really stupid?
I'm a philosopher. I was hoping that you knew something that I
didn't and I could learn something. It seemed improbable given the
ignorance that you appeared to be displaying but hope springs
eternal.
If a change makes no difference to anything, ipso facto, it is
not a change. All changes therefore must make a difference,
and are therefore detectable.
Yes, but as I pointed out in the post to which you replied absence
of evidence is not evidence of absence. You can know that you
haven't detected a change, but you can't know that there is no
change. Absence of a change is not detectable.
Why don't we ask Schr?dinger's cat?
Damn - it's hiding in its box.
Best you can do is affirm that you have been unable to detect
a significant change in the items you are measuring and this
meets your requirements for assurance and security.
exactly, An undetectable change that results in no detectable
activity by anyone in the whole universe is not a security risk.
Come on, sense of balance ;-)
You are not everyone in the Universe.
There might be someone out there who knows a way to change a system
which is not detectable by the currently publicly available tools.
Nope, not with hashes over the entire storage system there isnt.
What's protecting the hashes?
A system that isnt even net accessible.

More hashes... And what protects them?
A system that isnt even net accessible.

It's a parallel problem to the old: who watches the watchers...
Fraid not.

And the other obvious way to completely protect a system
is to just restore it entirely periodically so that any change
that ever did happen just gets wiped out.
Did they hack your install media?
Not even possible if its read only media.

Replace the disc with the same media brand, forge the handwriting or printed
label, subletly different content. If the forgery were perfect, how would
you know?

Corse that last is only practical for some situations, but would
work fine if say you want a completely secure web browser and
dont want to keep any local record of what you have browsed etc.
One loon I communicate with ocassionally is so mindlessly oaranoid
that he quite literally uses a DOS machine with some utterly obscure
approach to net access to usenet from, so he cant actually use any
links in usenet posts. It would make a hell of a lot more sense to
just restore that machine from an image after every usenet session
instead and do whatever looks useful links wise in that session with
no risk whatever.
I still maintain ZERO risk is impossible
You're wrong on that.


I'm afarid you're wrong.

You are talking in absolutes and as such, zero risk is not possible.

If you wish to rephrase and say the risk can be made insignificant, I would
accept that.


Ok what is the risk that I shoot off your kneecap and you don't notice it?

Given that you took a photo of yourself with it, yesterday, and you are
now looking in a mirror and at the photograph?

dennis@home wrote:


Nothing does get changed on the system, you are hacked from the start.
The hack is loaded on startup, runs in ram, disappears when you look for
it, reappears on restart, still no changes to your hashes.
Sure if you monitor all the outputs you may find the system is doing
something odd but you reinstall it and the hack is still there and the
hashes are the same.

Ok, so how is it going to avoid appearing in the process table?


It is possible to hide these from the source code of the compiler
by recognising the compiler and adding the code to do this when the
compiler is compiled.

But they have no control over what compiler you use with a common
language.

Are you sure it isn't in say the GNU compiler?

Its easy enough to be sure of that.

How?

By compiling code to assembler and looking at it.

Or in the limit disassembling the object files.


What you have to understand that as long as there is ONE trusted system
out there, you can uses it to assess an untrusted system,

IF of course you consider that no system can be trusted, and the men in
black helicopters have exploits on every single piece of hardware and
software, and have mind controlled all et software engineers working on
them, and that Neo is really not in the Matrix at all, then all I can
say is take the blue pill.



You can't detect it by reading the source and if you compile the
source with an infect compiler you have an infected compiler.

So you ensure you dont use infected compiler.

How?

By inspecting what it is doing.


Before you say this can't be done, did you use a binary to compile
your last program or did you do it by hand to ensure the above
wasn't done?

My last program isnt relevant. What matters is what is used to
compile the system that does the checks. With hashes the code
can be so simple that its quite practical to compile it by hand.

So you don't understand what I said then.

Wrong. There doesnt have to be any compiler involved at all.

You can compile by hand if you are that paranoid.

So now you are required to be paranoid to meet your security claim?


No Dennis, that doesn't mean there is a job waiting for you as a
security consultant: It means that you are ill.

Take the blue pill.


To people who know nothing, anything is possible. To people who know too
much, it is a sad fact that they know how little is really possible and
how hard it is to achieve it.

dennis@home wrote:


"Rod Speed" wrote in message
...

Off with their heads. That'll fix that.


So now you agree with the chain saw approach.

Prefer an angle grinder

Rod Speed wrote:
Tim Watts wrote


You are talking in absolutes and as such, zero risk is not possible.

There is absolutely zero risk of you producing a perpetual
motion machine, or of ever being able to fart you way to
the moon, no matter how many cans of bean you eat.


That is true within the context of known science.

I am sure Tim will say that something COULD change the laws of
physics..but there you go.

Since its an event that has never to our knowledge happened, and now one
knows how it might be achieved, it is not meaningful to assign a
probability to it.


There is absolutely zero risk of anyone being able turn the sun off too.

If you wish to rephrase and say the risk can be made insignificant, I would accept that.

Doesnt matter what you accept.


Then why bother talking to him?

The Natural Philosopher wrote
Rod Speed wrote
Tim Watts wrote

You are talking in absolutes and as such, zero risk is not possible.

There is absolutely zero risk of you producing a perpetual
motion machine, or of ever being able to fart you way to
the moon, no matter how many cans of bean you eat.

That is true within the context of known science.

I am sure Tim will say that something COULD change the laws of physics..but there you go.

Yeah, I like your leg amputation and kneecapping examples much better than mine.

Since its an event that has never to our knowledge happened, and now one knows how it might be achieved, it is not
meaningful to assign a probability to it.

There is absolutely zero risk of anyone being able turn the sun off too.

If you wish to rephrase and say the risk can be made insignificant, I would accept that.

Doesnt matter what you accept.

Then why bother talking to him?

To point out the massive holes in his claim that there are no zero risk situations.

"Mike Barnes" wrote in message
...
Rod Speed :
Tim Watts wrote
Rod Speed wrote
Tim Watts wrote
Rod Speed wrote
Andy Burns wrote
Rod Speed wrote
Tim Watts wrote
[...]

Please don't feed the troll.

Are you sure he is a troll, I thought he was just thick, very thick.

dennis@home wrote

I thought he was just thick, very thick.

Its now obvious what Adam was talking about.

dennis@home wrote:


Are you sure he is a troll, I thought he was just thick, very thick.

Its alawys a mistake to see yourself in others, dennis.


--
To people who know nothing, anything is possible.
To people who know too much, it is a sad fact
that they know how little is really possible -
and how hard it is to achieve it.

The Natural Philosopher :
There is zero risk you will have you leg removed and not notice it.

Doesn't that depend on what else is going on?

--
Mike Barnes

On Wed, 29 Feb 2012 19:57:22 +0000, Tim Watts
wrote:

[-snip-]

I still maintain ZERO risk is impossible and I am confident that I am right.

(In this context) I agree.

However, what matters in the real world is whether that risk is
acceptable... For most people, reasonable precautions are sufficient.

Yes.

--
(\__/) M.
(='.'=) If a man stands in a forest and no woman is around
(")_(") is he still wrong?

On Thu, 01 Mar 2012 06:30:06 +1100, Rod Speed wrote:

Tim Watts wrote
The Natural Philosopher wrote

exactly, An undetectable change that results in no detectable activity
by anyone in the whole universe is not a security risk.

You may have a "potentially detectable" change, but for any practical
detection mechanism, I feel fairly safe in asserting that it could
potentially be hacked so as not to leave a trace *detectable by the
detection mechanism".

Doesnt matter if you are fairly certain or not, there are obvious
examples where that isnt possible. Most obviously with a full restore
from image using a machine that isnt even net accessible.

Technically, is it possible to re-flash a PC's BIOS from a binary running
with sufficient permissions under the host OS, such that malicious code
could potentially run undetected following reboot, regardless of whether
hard disk contents were restored from an image on another system?

I've never heard of it happening, but I'm curious whether it could in
theory be done.

cheers

Jules

Jules Richardson wrote:
On Thu, 01 Mar 2012 06:30:06 +1100, Rod Speed wrote:

Tim Watts wrote
The Natural Philosopher wrote
exactly, An undetectable change that results in no detectable activity
by anyone in the whole universe is not a security risk.
You may have a "potentially detectable" change, but for any practical
detection mechanism, I feel fairly safe in asserting that it could
potentially be hacked so as not to leave a trace *detectable by the
detection mechanism".
Doesnt matter if you are fairly certain or not, there are obvious
examples where that isnt possible. Most obviously with a full restore
from image using a machine that isnt even net accessible.

Technically, is it possible to re-flash a PC's BIOS from a binary running
with sufficient permissions under the host OS, such that malicious code
could potentially run undetected following reboot, regardless of whether
hard disk contents were restored from an image on another system?

I've never heard of it happening, but I'm curious whether it could in
theory be done.

Yes.

http://www.tomshardware.com/news/bio...door,7400.html

The first one I heard of was in the early days of the flashable BIOS and
I received the warning from a sysadmin in South Africa, alleging that it
had originated in Israel.

I have since had a number of motherboards with a jumper which had to be
installed before trying to update the BIOS to prevent you or malware
from accidentally flashing it.

--
Tciao for Now!

John.

Jules Richardson wrote:
On Thu, 01 Mar 2012 06:30:06 +1100, Rod Speed wrote:

Tim Watts wrote
The Natural Philosopher wrote
exactly, An undetectable change that results in no detectable activity
by anyone in the whole universe is not a security risk.
You may have a "potentially detectable" change, but for any practical
detection mechanism, I feel fairly safe in asserting that it could
potentially be hacked so as not to leave a trace *detectable by the
detection mechanism".
Doesnt matter if you are fairly certain or not, there are obvious
examples where that isnt possible. Most obviously with a full restore
from image using a machine that isnt even net accessible.

Technically, is it possible to re-flash a PC's BIOS from a binary running
with sufficient permissions under the host OS, such that malicious code
could potentially run undetected following reboot, regardless of whether
hard disk contents were restored from an image on another system?


It is not clear that Linux uses the BIOS at all, except to boot..

I SUPPOSE the bios might write something to the disk during boot..

I've never heard of it happening, but I'm curious whether it could in
theory be done.


Its sort of along the lines of 'well you have smashed down the front
door and all you are going to steal is a magazine?'

in other words, given that sort of access, you could find easier targets.

Obviously what you want to build is a daemon that doesn't show up in the
process table, either as a process or in terms of RAM used,... doesn't
get logged, whose internet accesses don't get recorded in the machines
ethernet statistics.. so its probably going to be a new ethernet
driver..oh, and it must have the same file length and checksum as the
proper one. And you must erase all entries in all logfiles relating to
your access to install it.

Whilst all that is theoretically possible, I am not sure that I could
actually find a way to implement it, let alone install it. And YOU want
a boot ROM to do that?

Hmm.





cheers

Jules




--
To people who know nothing, anything is possible.
To people who know too much, it is a sad fact
that they know how little is really possible -
and how hard it is to achieve it.