From: Bill Stewart <bill.stewart@pobox.com>
Date: Sat, 7 Mar 1998 03:19:11 -0800 (PST)
To: Ken Williams <cypherpunks@toad.com
Subject: Re: tripwires when you're not superuser.
In-Reply-To: <Pine.SOL.3.96.980305125302.21425A-100000@c00069-100lez.eos.ncsu.edu>
Message-ID: <3.0.5.32.19980306181151.0089ba10@popd.ix.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain


At 01:11 PM 3/5/98 -0500, Ken Williams wrote:
>trying to set up "tripwires" in the various computer accounts that i have
>so i will know if a superuser or sysadmin has accessed them.  

In the general case, you can't do it, though there may be
special environments which let you do this but still let you
do useful work.

If somebody else controls the RAM, file systems, and communications
on a computer, and you don't, you have no way to tell what they've done.
For instance, anybody who can read raw blocks off the disk can
read your files without triggering any mechanisms you control.
Anybody who can read incoming packets off the LAN and WAN
can read your email before putting it in your mailbox.
If you convince people to encrypt mail before sending it to you,
and you encrypt any data you store on the system's disk blocks, 
using programs that aren't running on that computer,
reading your stuff may not be very interesting to the sysadm.
But if you run the decryption program on the system,
and the sysadm can read your keystrokes (either from a keyboard
or tty driver or telnet daemon), you're still naked.

There's been some theoretical work done into computing entirely
with encrypted data, and for a few specific mathematical problems
it's probably possible to get useful work done by an untrusted processor,
but usually the computations required for blinding and unblinding
are more work that the untrusted processor did for you anyway.

Short of that, the closest you'll find are secure operating systems
rated at Orange Book B2 or above (B3 and A, if any), which don't
have one all-powerful superuser.  In those systems, if the person
who has access to the raw disk (either physically or by asking the OS)
doesn't cheat, you have some guarantees about security, and in particular
you have some guarantees that nobody _but_ the semi-super-users
can crack the system in ways that give them access to your bits.
Unless all writes to the disk drive are encrypted, anybody who's got
unsupervised physical access to the disk is a semi-super-user, 
because they can steal the disk and plug it into their own machine,
where they're as super a user as they want to be.

If you're concerned about the machine being physically compromised,
you could set up an application that's always sending keepalives
across the net to your off-site monitoring location, but that's
pretty annoying, leads to lots of false alarms, may still be crackable
(though cracking may interrupt the system briefly, which is the win),
and is overall not very practical.  But it might let you know
that the disk drive has been stolen.
				Thanks! 
					Bill
Bill Stewart, bill.stewart@pobox.com
PGP Fingerprint D454 E202 CBC8 40BF  3C85 B884 0ABE 4639