> Richard Gooch <rgooch@atnf.csiro.au> wrote:
> > This seems to be contrary to the accepted view by security people
> > which is to close off the holes *fast* and then worry about evidence. I
> > think the consensus is that "evidence" does not translate into
> > convictions (unless you are lucky and the cracker is in the same
> > state/country as you and has left other clues lying around).
>
> What?
>
> You're talking about losing information at reboot, not any kind of
> immediate fix. That's security by coincidence, at best.
>
> Furthermore, you're talking about "correcting" changes introduced by root.
> That's *never* a security fix. That barely even counts as security by
> obscurity.
If the real root user did it he/she would have used one of the many
methods available to preserve the modified ownership/permissions.
Furthermore, the simple fact that you've changed the device node back to
whatever default it should have been does not lose you anything
evidentiary. If that's your only info, I'd say you're screwed.
-Shawn
<=========== America Held Hostage ===========>
Day 2037 for the poor and the middle class.
Day 2056 for the rich and the dead.
885 days remaining in the Raw Deal.
<============================================>