[logs] Star Trek and Log Integrity

Tom Le dottom at gmail.com
Wed May 7 11:13:47 PDT 2008


I think the correct reference is "Schneier, et al" and you can get the paper
here without needing an ACM account:

http://www.schneier.com/paper-auditlogs.html

Cliff notes for lazy folks:

  - Use changing hashes for logging authentication key (change after every log event)

  - Encrypt each log message, using one-way encryption key

  - Each log entry contains element in hash chain to verify all previous entries (think how token servers work, but in reverse)

  - Says weakness in sending logs to remote server is the link itself (reliability & subject to DoS attack) and ability to provide selective read access (though most log indexing solutions today provide some level of role-based-access)

I just don't see authentication + encryption ever happening in the
logging universe anywhere in the next decade, outside of one-off add-ons to
syslog or SNMP.  Most of log archiving & indexing functionality available
today is "good enough" to provide non-repudiation of log data, with the one
exception of spoofed data (which would require server compromise in the
Schneier scheme).

Also, consider that firewalls and hosts generate just as much logging
activity today (order of magnitude) than in 1999, yet log archiving &
indexing capabilities are orders of magnitude better: better indexing,
better context-driven search capability, faster CPU, more memory, more disk,
faster network, etc.

Tom
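As an added illustration of the Cliff notes above (this is example code, not code from the thread or from the paper), a minimal Python rendition of the Schneier-Kelsey log: a per-entry key that is hashed forward and discarded, each entry encrypted under a key derived from it, and a hash chain plus MAC that a verifier holding A_0 can replay. Assumptions: SHA-256 as the hash, HMAC-SHA256 as the MAC, HMAC in counter mode as a stand-in cipher, and the names AuditLog, verify and decrypt, which are this example's own.

```python
import hashlib
import hmac

ZERO = b"\x00" * 32  # Y_0, the chain's starting value

def chain_hash(*parts: bytes) -> bytes:
    # The scheme's hash H, here SHA-256 over the concatenated inputs
    return hashlib.sha256(b"".join(parts)).digest()

def xor_stream(key: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode as a stand-in cipher (assumption, not the paper's)
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class AuditLog:
    # Untrusted logging host: keeps only the current key A_j, never A_0
    def __init__(self, a0: bytes):
        self.a, self.y, self.entries = a0, ZERO, []

    def append(self, message: bytes, w: bytes) -> None:
        k = chain_hash(w, self.a)          # K_j = H(W_j || A_j), per-entry read key
        c = xor_stream(k, message)         # E_{K_j}(D_j)
        self.y = chain_hash(self.y, c, w)  # Y_j = H(Y_{j-1} || C_j || W_j)
        z = hmac.new(self.a, self.y, hashlib.sha256).digest()  # Z_j = MAC_{A_j}(Y_j)
        self.entries.append((w, c, self.y, z))
        self.a = chain_hash(self.a)        # A_{j+1} = H(A_j); A_j is discarded

def verify(a0: bytes, entries, final_z: bytes):
    # Trusted verifier holding A_0 replays the chain: None if intact, the index of
    # the first bad entry, or -1 if entries were dropped or appended at the tail
    a, y = a0, ZERO
    for j, (w, c, y_j, z_j) in enumerate(entries):
        y = chain_hash(y, c, w)
        z = hmac.new(a, y, hashlib.sha256).digest()
        if y != y_j or not hmac.compare_digest(z, z_j):
            return j
        a = chain_hash(a)
    # final_z is the last Z_j the verifier obtained out-of-band; it pins the length
    return None if entries and hmac.compare_digest(entries[-1][3], final_z) else -1

def decrypt(a0: bytes, entries, j: int) -> bytes:
    # A reader with A_0 re-derives A_j, then K_j, to read entry j (selective read)
    a = a0
    for _ in range(j):
        a = chain_hash(a)
    w, c, _, _ = entries[j]
    return xor_stream(chain_hash(w, a), c)
```

Editing an entry in place breaks the chain at that index, but silently dropping the newest entries does not, which is why the verifier also needs the latest Z_j from outside the log.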


On Tue, May 6, 2008 at 1:49 PM, <chris.wee at loglogic.com> wrote:

> It is so disappointing that even in the 24th century, computer logs are
> not tamper-proof.
>
> At least the logs are tamper-evident. Kelsey, et al. showed us how in 1999
> http://portal.acm.org/citation.cfm?id=317089&coll=portal&dl=ACM
>
> -chris
>
> -----Original Message-----
> From: loganalysis-bounces at loganalysis.org
> [mailto:loganalysis-bounces at loganalysis.org] On Behalf Of Tina Bird
> Sent: Tuesday, May 06, 2008 1:38 PM
> To: loganalysis at loganalysis.org
> Subject: [logs] Star Trek and Log Integrity
>
>
> I can't believe we've been talking about log data on this list for what,
> over 6 years now, and no one's ever brought it up.
>
> The CBS network Web site provides episodes of classic TV shows for viewing,
> at the cost of 90 seconds of advertising breaks per episode:
>
> http://www.cbs.com/video/?showname=classics/star_trek
>
> There's no obvious way to link directly to an episode, but if you click to
> page 5, you'll see episode 20, "Court Martial," in which Captain Kirk is
> proved innocent of a crew member's death after Spock is able to prove that
> the computer logs have been tampered with. I am *so* going to incorporate
> this into my logging tutorial :-)
>
> enjoy -- tbird
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysis at loganalysis.org
> http://www.loganalysis.org/mailman/listinfo/loganalysis
>