Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: IRC spying on EEYE!
From: Gadi Evron <ge () linuxbox org>
Date: Tue, 16 Nov 2004 09:54:10 +0200

rap1st wrote:

Since the government is increasing it spying on irc, I too have increased
my irc spying. Ive recently intercepted some communication between EEYE's
own Marc Maiffret aka the chameleon, and RLoxley of Team Hackphreak!

<RLoxley> hey
<RLoxley> waykee
<chame|eon> hey man!
<chame|eon> long time

Although this is most likely fake, it bugged me for a few minutes once a week for a while now.

I tried to figure out a good reason to have a "few instances" of tripwire.

As tripwire was basically an offline tool, running "once" and saving checksums, knowing which file is a binary and would never change, etc. etc. etc. I didn't get the idea behind running a few instances of it.

I came up with a few remote possibilities:

1. If you are running tripwire or the like on an existing system, online. That could mean someone is already on it.. but the possibility of them playing with tripwire or tripwire being your problem is remote. Even if tripwire gets the job done - it will be the compromised files that are stored in checksums.

2. Running the tool from a few locations so that the above also can't happen if for some reason the virgin system you just created, and is off-line, might be hacked by all-powerful aliens (or the NSA, why not. They have magic software rays).

3. Blah. Use tripwire from a cd, and don't save the resulting information locally, maybe put it on the same cd? After all.. someone ACTUALLY could change the files locally. Now, to that I have to say - duh. So, running a not connected backup - okay. That is just best practices.

As for actual "few instances" - make a backup, people. :o)

I am sorry, but the log is just so silly, I had to. Now it is off my mind... unless someone thinks differently, or secretly re-invented the somewhat dead (and shamefully so) amazing technology of tripwire and is running it in real time?

Well, there is always aide.


Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
  • Re: IRC spying on EEYE! Gadi Evron (Nov 16)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]