[EROS-Arch] Error logging

Ben Laurie ben@algroup.co.uk
Wed, 26 Sep 2001 16:34:46 +0100


"Jonathan S. Shapiro" wrote:
> 
> > > This is not an absolute impediment, but it presents to the user a level of
> > > both technical difficulty and practical risk that for many developers it
> > > constitutes an acceptable disincentive to discovery.
> >
> > I'm all for pragmatism, but basing your security primitives on such
> > ideas seems erroneous to me.
> 
> I understand what you are saying, but I think you are misunderstanding
> something about the nature of security. Any security can be broken at a
> cost.
>
> I am not proposing that the need to do disk forensics is a sufficient
> barrier in all cases. Rather, I'm proposing that it is a sufficient
> impediment for many applications, and that for most users it is much much
> harder than bringing up the log viewer.

History does not agree with you - check the web for zillions of copies
of any dongled program you can think of, for example. If there's any
incentive to break the application then someone will do it on behalf of
all users.

> Whether this impediment is good enough is something the application designer
> needs to decide. In some cases the answer will be "you can only run my app
> on a machine where the disk is encrypted."

But this is another unenforceable requirement!

> For most general-purpose
> applications, however, the developer is concerned only to avoid casual
> disclosure. It's either that or they demand an encrypted disk.

They can demand all they like - but how do they ensure they get it on
_my_ machine? They can't.

> At the next level up in security enforcement, disk-level forensics is an
> interesting impediment threshold because now (given tamperproofing) we can
> encrypt the disk to close the exposure.

You can only tamperproof a machine you own. The application author is
not in that position.

I entirely agree that the _administrator_ of the machine is in a
position to demand and enforce all these things, but I can't see how an
application author has any way to enforce it, and, indeed, it is such a
weak protection that I can see no point in implementing it at all - at
best it does nothing, but it is, in fact, likely to cause a false sense
of security.

Of course, it would work perfectly in a legal sense, given the DMCA, but
I am 100% in agreement with Kragen on that point. I'm beginning to get a
nasty suspicion that you are not, however.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff