Re: IRC spying on EEYE!
From: Gadi Evron <ge () linuxbox org>
Date: Tue, 16 Nov 2004 09:54:10 +0200
Since the government is increasing its spying on irc, I too have increased
my irc spying. I've recently intercepted some communication between EEYE's
own Marc Maiffret aka the chameleon, and RLoxley of Team Hackphreak!
<chame|eon> hey man!
<chame|eon> long time
Although this is most likely fake, it has bugged me for a few minutes once a
week for a while now.
I tried to figure out a good reason to have a "few instances" of tripwire.
As tripwire was basically an offline tool, running "once" and saving
checksums, knowing which file is a binary and would never change, etc.
etc. etc. I didn't get the idea behind running a few instances of it.
I came up with a few remote possibilities:
1. If you are running tripwire or the like on an existing system,
online. That could mean someone is already on it.. but the possibility
of them playing with tripwire or tripwire being your problem is remote.
Even if tripwire gets the job done - it will be the compromised files
that are stored in checksums.
2. Running the tool from a few locations so that the above also can't
happen if for some reason the virgin system you just created, and is
off-line, might be hacked by all-powerful aliens (or the NSA, why not.
They have magic software rays).
3. Blah. Use tripwire from a cd, and don't save the resulting
information locally, maybe put it on the same cd? After all.. someone
ACTUALLY could change the files locally. Now, to that I have to say -
duh. So, running a not connected backup - okay. That is just best practices.
As for actual "few instances" - make a backup, people. :o)
I am sorry, but the log is just so silly, I had to. Now it is off my
mind... unless someone thinks differently, or secretly re-invented the
somewhat dead (and shamefully so) amazing technology of tripwire and is
running it in real time?
Well, there is always AIDE.
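
Added example, not part of the original post and not Tripwire's or AIDE's own code: a minimal checksum baseline in Python illustrating points 1 and 3 above, where a baseline taken or regenerated on the host after a file has changed reports nothing, while a copy taken from the clean system and kept off the host flags the change. The file name and contents are constructed sample data, and the function names are hypothetical.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digests[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def compare(baseline, current):
    """Return (changed, added, removed) path lists relative to the baseline."""
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return changed, added, removed

def demo():
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "login")
        with open(target, "wb") as fh:
            fh.write(b"original contents")   # constructed sample file
        offline = snapshot(root)   # baseline from the clean system, kept off the host
        with open(target, "wb") as fh:
            fh.write(b"replaced contents")   # file changes after the baseline
        local = snapshot(root)     # baseline stored on the host, regenerated after the change
        now = snapshot(root)
        return {"offline": compare(offline, now), "local": compare(local, now)}

if __name__ == "__main__":
    for name, (changed, added, removed) in demo().items():
        print(f"{name:8} changed={changed} added={added} removed={removed}")
```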