Eric Hughes writes:
From: Jeff Barber <jeffb@sware.com>
Nothing is gained -- other than additional irritation and delay.
> What is at issue is making it difficult for a not-completely-dedicated-to-your-destruction sysadmin to subvert personal files.
But you're advocating what are non-trivial measures in an attempt to solve a problem which is not the easiest attack anyway. You have been arguing that it might be possible to download a new MD5, then modify it in unusual ways to prevent hacking of the local compiler to recognize it. Then, when folks point out other ways to subvert your integrity check, you complain that you're not trying to solve ALL the problems, only a certain subset. I think the subset you've selected is arbitrary and not particularly realistic. Let's face it, creating the compiler-to-recognize-MD5 is quite a difficult problem, and if I were your system administrator and wanted to obtain access to your files, creating a special compiler version or otherwise attempting to cause your integrity check to fail would be one of the last forms of attack I'd try.
> Furthermore, the pragmatics of a personal tripwire are that it only needs to indicate failure once. As soon as I found out that my files weren't safe in their place of residence, I'd leave. The practical question should not be one of fighting a running battle with a hostile root; root always wins, period. A useful outcome of this discussion would be a feasible way of detecting the first modification. Almost always this will not be a full-scale effort.
I agree that would be useful. But the problem with this whole argument is that the number of things whose modification you need to detect is large and their detection is non-trivial. One of the easiest ways to subvert your security is simply to record your keystrokes. It doesn't take a rocket scientist to hack your kernel (or whatever it's called on your OS) to do this. And how do you detect it? The original kernel can be restored after booting with a hacked kernel so you can't use modification times. Perhaps you can then detect that the system was rebooted? Well, maybe, but hiding that is not so difficult either, and a reboot may not necessarily seem suspicious in any case. The bottom line is that, as an ordinary user, you are relying completely on your trust in the system administrator. -- Jeff
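A minimal personal tripwire of the kind the thread argues about, added here as an illustration (not code from either poster); the watched files and the tampering scenario are constructed. It compares content hashes rather than modification times, so a change whose timestamp is restored afterwards is still caught, though, as the message above says, nothing in it survives a root who controls the kernel underneath.

```python
import hashlib
import os
import tempfile

# Hypothetical personal tripwire: a content-hash manifest over a set of files.
# Hashes, not mtimes, are compared, because a hostile root can restore
# timestamps after tampering (the kernel example in the message above).

def file_digest(path, chunk=65536):
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(paths):
    """Baseline: path -> (size, sha256) for every watched file."""
    return {p: (os.path.getsize(p), file_digest(p)) for p in paths}

def first_modification(manifest):
    """Return (path, reason) for the first file that no longer matches the
    baseline, or None if every file checks out. One failure is enough: the
    goal is only to learn that the files can no longer be trusted."""
    for path, (size, digest) in sorted(manifest.items()):
        if not os.path.exists(path):
            return (path, "missing")
        if os.path.getsize(path) != size:
            return (path, "size changed")
        if file_digest(path) != digest:
            return (path, "contents changed")
    return None

def demo():
    """Constructed scenario: two files; one is altered in place, keeping its
    length, and its original timestamps are put back afterwards."""
    d = tempfile.mkdtemp()
    a, b = os.path.join(d, "a.txt"), os.path.join(d, "b.txt")
    for p, data in ((a, b"alpha\n"), (b, b"bravo\n")):
        with open(p, "wb") as f:
            f.write(data)
    manifest = build_manifest([a, b])
    assert first_modification(manifest) is None      # clean baseline
    st = os.stat(b)
    with open(b, "wb") as f:
        f.write(b"bravO\n")                             # same size, new content
    os.utime(b, ns=(st.st_atime_ns, st.st_mtime_ns))  # restore the timestamps
    return first_modification(manifest)

if __name__ == "__main__":
    print(demo())  # e.g. ('/tmp/tmpXXXX/b.txt', 'contents changed')
```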