
Conference noted::hackers_v1

Title: -={ H A C K E R S }=-
Notice: Write locked - see NOTED::HACKERS
Moderator: DIEHRD::MORRIS
Created: Thu Feb 20 1986
Last Modified: Mon Aug 03 1992
Last Successful Update: Fri Jun 06 1997
Number of topics: 680
Total number of notes: 5456

491.0. "Touch file trace" by MSAV01::MIKEWARREN (Mike Warren SWS Malaysia) Tue Jun 09 1987 09:11

Hi,

Is there any way I can find out who has been reading my files? Assuming
others have all privs on a system.

Any way to put settings on my files so that others (even with privs) can't
get at them? Can ACLs allow me to do this? I'm not too familiar with them.

Even better still, that a priv user can read my file, and to inform me as
to which files were touched, so that I can give them hell (or hack) later.

Regards, Mike.
491.1. by MARVIN::PALKA Tue Jun 09 1987 09:24, 14 lines

    You can put security alarms on your files, but they can easily be
    sidestepped by a privileged user.
    
    Any privileged user can change his UIC or grant any identifiers
    to himself to allow access to your files no matter what you put
    in the ACL. (I think BYPASS privilege will always bypass ACLs anyway).
    A privileged user can always pretend to be you, in such a way as
    to fool any security system you can put on a file. If you can't trust
    privileged users then you have to encrypt your data (and even then
    a dedicated hacker might be able to find the encryption key when
    you use it to decrypt the file).
    
    Andrew Palka

491.2. by ERIS::CALLAS (I have nothing to say, but it's okay) Tue Jun 09 1987 13:26, 11 lines

    Well, yes and no. If someone's masquerading as you, then there's
    nothing you can do (except catch them at it -- and it's a firing
    offense) to keep them from looking at them, but you *can* put an alarm
    on your files that fires on a successful access. 
    
    You can also set up auditing to trace use of amplified privileges. You
    can track the use of BYPASS, GRPPRV, SYSPRV, and READALL. You can also
    get fine-grained enough to (say) read or write access via BYPASS. See
    the manual (or help file) for SET AUDIT/ENABLE.
    
    	Jon

491.3. "There are ways..." by UTRTSC::GUEDHA (Is infertility hereditary?) Thu Jun 11 1987 12:23, 22 lines

    Giving them false names works as good a way as any. Nobody ever
    tries to type a file with an extension .EXE.
    
    On the other hand you can use patch to give them an illegal filename
    like *.*. If you keep a large executable file whose name and
    extension are ASCII codes less than 42 but greater than 31 then
    they cannot type it out using TYPE %.%
    
    I have used the latter method (under TOPS-10) for years, it drives
    the operators mad.
    
    Another method is to leave a nice interesting looking file which
    contains the escape code sequence that kicks off the auto test sequence
    on a terminal. As I remember there is one sequence that locks the
    terminal in the test loop until it is powered off. There are many
    "nice" escape sequences that screw up terminals. I recommend the
    handbook of the terminal that is used by the snooper; it may make very
    interesting reading.
    
    Have Fun,
    
    Jamie Anderson.

491.4. "^S' them off !" by PILOU::BONGARTZ (Happy Hacker) Fri Jun 19 1987 07:40, 8 lines

    Another method I use to drive them mad is to give a file a name like
    "privileged_account_passwords.txt" containing a header, then the
    messages "* OUTPUT OFF *", "* INPUT OFF *", and a ^S ... it locks
    your terminal until you do a "clear comm" (VT2xx) or go into
    setup (VT1xx) ...
    
    		Marc
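
The defensive counterpart to the trick files described in 491.3 and 491.4, as an added example that is not part of the original thread: a filter that shows a file's control bytes in visible form, so the terminal never interprets an escape sequence or a ^S. The function name `sanitize` and the sample bytes are constructed for illustration.

```python
# Added example: make control bytes in an untrusted file visible instead of
# letting the terminal act on them. Names and sample data are constructed.

SAFE_CONTROLS = {0x09, 0x0A, 0x0D}            # TAB, LF, CR pass through
NAMES = {0x1B: "ESC", 0x13: "XOFF", 0x11: "XON", 0x9B: "CSI"}


def sanitize(data):
    """Return (display_text, findings); findings are (offset, name) pairs."""
    out, findings = [], []
    for offset, byte in enumerate(data):
        if byte in SAFE_CONTROLS or 0x20 <= byte < 0x7F or byte >= 0xA0:
            out.append(chr(byte))             # printable (Latin-1 for >= 0xA0)
        elif byte < 0x20 or byte == 0x7F:
            caret = "^" + chr(byte ^ 0x40)    # C0 control: ^S, ^[, ^? ...
            out.append(caret)
            findings.append((offset, NAMES.get(byte, caret)))
        else:
            shown = "<%02X>" % byte           # C1 control (0x80-0x9F)
            out.append(shown)
            findings.append((offset, NAMES.get(byte, shown)))
    return "".join(out), findings


# Constructed bait file: a harmless ESC [ 1 m (bold) stands in for a hostile
# escape sequence, followed by the ^S (XOFF) byte mentioned in the thread.
SAMPLE = b"header\r\n\x1b[1m* OUTPUT OFF *\x13\r\n"

if __name__ == "__main__":
    text, findings = sanitize(SAMPLE)
    print(text, end="")
    for offset, name in findings:
        print("control byte %s at offset %d" % (name, offset))
```

A non-empty findings list is itself a useful signal: a plain text file has no reason to contain ESC, CSI or XOFF bytes.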