Subject: Re: Kernel modification that verifies execs against a md5
To: None <thorpej@zembu.com>
From: Erik Fair <fair@clock.org>
List: tech-security
Date: 03/14/2000 09:57:16
Message-Id: <v04220802b4f42cd5b404@[10.66.51.205]>
In-Reply-To: <20000314090204.N10872@dhcp0.wlan.shagadelic.org>
References: <200003140306.NAA04792@mallee.awadi>
 <20000314090204.N10872@dhcp0.wlan.shagadelic.org>
Cc: Brett Lymn <blymn@baea.com.au>, tech-security@netbsd.org

What about netbooted systems (e.g. DEC Shark)? There was a paper 
given not too many years ago about modifying binaries as they fly by 
on the wire. I suppose once we have NFS working by default on top of 
IPsec, this will be less of a concern...

It is also possible to modify binaries directly, through the disk 
device. Granted, your program to do so must now understand various FS 
formats, but since we're all open source here, this shouldn't be too 
difficult for an attacker, even if it makes his tools fat.

I don't want this md5 facility on by default, but it wouldn't 
necessarily be a bad thing to have as an option for the truly 
paranoid. (of course, you're not paranoid if they're really out to 
get you...).

	Erik <fair@clock.org>
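The exec-time fingerprint check under discussion, and the two failure modes the message raises (a binary rewritten on the wire or through the raw disk device, and an attacker who can also rewrite the fingerprint list), as an added user-space model. This is illustrative code written for this page, not Brett Lymn's kernel patch or any NetBSD code; the sample "binaries", the temporary directory standing in for the root filesystem, and the tamper() helper that simulates a write bypassing the filesystem API are all constructed assumptions.

```python
import hashlib
import os
import tempfile

# Constructed stand-ins for executables; not real files from the thread.
SAMPLE_BINARIES = {
    "bin/ls": b"\x7fELF-constructed-ls-original",
    "bin/sh": b"\x7fELF-constructed-sh-original",
}


def fingerprint(data: bytes, algo: str = "md5") -> str:
    """Hex digest of data. MD5 matches the thread; pass 'sha256' for a modern list."""
    return hashlib.new(algo, data).hexdigest()


def build_manifest(root: str, algo: str = "md5") -> dict:
    """Walk root and record the fingerprint of every regular file.

    This plays the role of the fingerprint list an administrator would
    generate on a trusted host and hand to the kernel at boot.
    """
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            with open(full, "rb") as fh:
                manifest[rel] = fingerprint(fh.read(), algo)
    return manifest


def verify_exec(root: str, rel: str, manifest: dict, algo: str = "md5"):
    """Decide whether rel may be executed. Returns (ok, reason).

    The file is read once and the hash is taken over exactly those bytes.
    Hashing one read and executing a second read (e.g. two NFS fetches)
    would let an on-the-wire attacker serve clean bytes to the checker and
    modified bytes to the loader. (A real kernel that demand-pages the image
    after the check still has that window; this model does not capture it.)
    """
    if rel not in manifest:
        return False, "no fingerprint for this path"
    with open(os.path.join(root, rel), "rb") as fh:
        data = fh.read()
    if fingerprint(data, algo) != manifest[rel]:
        return False, "fingerprint mismatch"
    return True, "ok"


def tamper(root: str, rel: str, new_bytes: bytes) -> None:
    """Simulate modification that does not go through the normal write path
    (raw disk device, or rewriting the image as it crosses the network).
    Any content change is visible to the hash regardless of how it was made."""
    with open(os.path.join(root, rel), "wb") as fh:
        fh.write(new_bytes)


def demo():
    """Run the three scenarios; returns (clean_ok, tampered_ok, list_rewritten_ok)."""
    root = tempfile.mkdtemp()
    for rel, data in SAMPLE_BINARIES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    manifest = build_manifest(root)

    # 1. Untouched binary passes.
    clean_ok, _ = verify_exec(root, "bin/ls", manifest)

    # 2. Binary rewritten behind the filesystem's back: the exec-time hash
    #    still catches it, because the check is over content, not over how
    #    the content arrived.
    trojan = b"\x7fELF-constructed-ls-trojaned"
    tamper(root, "bin/ls", trojan)
    tampered_ok, _ = verify_exec(root, "bin/ls", manifest)

    # 3. The same attacker also rewrites the fingerprint list: the check is
    #    void. The list must be at least as protected as the binaries.
    manifest["bin/ls"] = fingerprint(trojan)
    list_rewritten_ok, _ = verify_exec(root, "bin/ls", manifest)

    return clean_ok, tampered_ok, list_rewritten_ok


if __name__ == "__main__":
    print(demo())
```

The scenario in demo() is the practical answer to the raw-device and on-the-wire cases: a content hash taken at exec time does not care which path the modification took, so those attacks only succeed against a scheme that checks once at install or mount time, or against one whose fingerprint list the attacker can also rewrite.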