RE: [inbox] Re: Reacting to a server compromise

[Michal Zalewski <lcamtuf () coredump cx>]

On Tue, 5 Aug 2003, Curt Purdy wrote:

> The key here is to have the paper handled by only one person and witnessed
> by another and the access to that paper by only that person.

[...]

On Tue, 5 Aug 2003 Valdis.Kletnieks () vt edu wrote:

> It's kind of hard to replace sheet 1,487 from a box of fanfold paper. :)

That's different. You're suddenly introducing certain additional
circumstances that render the approach more reliable.

However, I was arguing only with the original statement that claimed that
logs on read-write media are not admissable in the court, whereas
read-only media is. Period.

Once again, IANAL, maybe that is the case, although it is contrary to what
I've heard. I don't believe that would be reasonable. I don't think
there's an essential difference between storing logs on, say, cd-r as
opposed to cd-rw or magnetic tapes (or even a trusted monitoring system,
in some cases), as long as the material is handled the same way and there
is no integrity protection - be it the relative difficulty of replacing a
single sheet in a bulk amount of fanfold paper, yes, or some cryptographic
signatures on every recorded CD that are backed by a trusted hardware and
OS.

*If* there is a difference in how the media is handled, or if there is a
physical or cryptographical method of ensuring the integrity and
authenticity of every piece, it would be different, I'm not arguing with
that.

-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2003-08-06 09:57 --

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html