From: firstname.lastname@example.org (Jeff Licquia)
Message Hash: 55106d6afd9a06a86dbff0cf440e127264869759f4dbf1d4b95edda13457b5ea
Message ID: <9412282021.AA01830@firefly.prairienet.org>
Reply To: N/A
UTC Datetime: 1994-12-28 20:20:56 UTC
Raw Date: Wed, 28 Dec 94 12:20:56 PST
From: email@example.com (Jeff Licquia) Date: Wed, 28 Dec 94 12:20:56 PST To: firstname.lastname@example.org Subject: Re: Why I have a 512 bit PGP key Message-ID: <9412282021.AA01830@firefly.prairienet.org> MIME-Version: 1.0 Content-Type: text/plain From: Jeff Barber <email@example.com> >Let's face it, creating the compiler-to-recognize-MD5 is quite a difficult >problem, and if I were your system administrator and wanted to obtain >access to your files, creating a special compiler version or otherwise >attempting to cause your integrity check to fail would be one of the last >forms of attack I'd try. Perhaps, then, we need to discuss exactly what attacks your average sysadmin would be expected to make. I would think that you'd need to guard against two kinds of sysadmins: 1. The "gentleperson" sysadmin. Though this person might have reason to want to do nasty things to you, (s)he is restricted, either by personal morals or company policy, to doing things that are "proper". Hacking the kernel or the compiler would be out; rather, this person would be more apt to be liberal in his/her use of root privileges, possibly installing user-space keypress monitors (like ttysnoop or some X keygrabber). Schemes like a "personal tripwire", MD5 hashes of various important programs, and so on would be effective against this kind of attacker. 2. "Sysadmin Hatfield." You're McCoy; you get the picture. Nothing is below him/her. Your best protection: never log in. The problem lies in distinguishing the two, and specifically detecting the latter at any point (in case the former becomes the latter by, say, a policy change), as Eric pointed out. >The bottom line is that, as an ordinary user, you are relying completely >on your trust in the system administrator. ...or your computer policy department. Remember, not even sysadmins are God. While it's likely that a sysadmin could hack the kernel to substitute bogus MD5 hashes, doing so in certain environments could earn the sysadmin a quick exit from employment. If your sysadmin just didn't like you, it's possible to get the upper hand; if the sysadmin has the added advantage of little to no oversight, you're screwed.