
Re: Destroying Data (Re: Remailer Policies)

> Unix weenies of old will recall "clri" to clear an inode. ...

clri destroys the file "handle" (the inode, thus the owner, mode,
length, pointers to data blocks, etc.) but not the contents of the
data blocks.  stringing them together is another story, but not
impossible if you know what you're looking for.

>                                 -- so why not just write a little C program
> to open the logfile and overwrite it to the end with NULL's?

u.w.o.o. often go to great lengths to avoid writing a few lines of c,
which, i suppose, is not so bad. 

but i agree with hkhenson that the best way to secure the remailer logs
is to encrypt them.

which raises a sticky point, since i don't see an easy way to do that
on a machine that you can't secure physically.

i'm familiar with the andrew environment (e.g., afs or the andrew
toolkit), which is more or less a kerberos environment, wherein secure
service providers run on physically secure machines.  this lets
sysadmins store cleartext passwords (in essence) on their local disks
to support reauthentication daemons (to refresh tokens for long-lived
jobs, since kerberos tickets time out).

this clearly would not achieve the objectives here.  the only option i
see is to enter a password at boot time (or when the remailer is started).
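The "little C program" the quoted message proposes, written out as an added example (not code from the original thread): it opens the log, overwrites every byte in place with zeros, fsyncs, and only then unlinks the file, so the inode is released after its data blocks have been scrubbed rather than before, which is the gap clri leaves. The path and the sample log lines are constructed for the demonstration; the file is opened without O_TRUNC deliberately, since truncation frees the blocks without touching their contents. One caveat the post could not have anticipated: on journaling or copy-on-write filesystems and on flash media an in-place write may land on fresh blocks and leave the old ones behind, so this is only dependable on the classic Unix filesystem the thread has in mind, and encrypting the log from the start, as the author argues, remains the stronger approach.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical path for the demonstration; a real remailer would point this
 * at its own log file. */
#define EXAMPLE_LOG "/tmp/remailer-log-example"

/* Constructed sample lines standing in for a remailer log (not real traffic). */
static const char *const sample_lines[] = {
    "Mon Jan  3 01:02:03 1994 recv from=alice@example.org size=1234\n",
    "Mon Jan  3 01:02:04 1994 send to=bob@example.net size=1190\n",
    "Mon Jan  3 01:05:00 1994 recv from=carol@example.com size=987\n",
};
#define N_LINES (sizeof sample_lines / sizeof sample_lines[0])

/* Total number of bytes write_sample_log() produces. */
long sample_log_size(void)
{
    long total = 0;
    for (size_t i = 0; i < N_LINES; i++)
        total += (long)strlen(sample_lines[i]);
    return total;
}

/* Create the sample log; returns bytes written, or -1 on error. */
long write_sample_log(const char *path)
{
    FILE *f = fopen(path, "w");
    if (!f)
        return -1;
    long total = 0;
    for (size_t i = 0; i < N_LINES; i++) {
        size_t len = strlen(sample_lines[i]);
        if (fwrite(sample_lines[i], 1, len, f) != len) { fclose(f); return -1; }
        total += (long)len;
    }
    return fclose(f) == 0 ? total : -1;
}

/* Overwrite every byte of the file with zeros, in place.
 * No O_TRUNC: truncating (like clri or unlink) only releases the data
 * blocks, it does not change what is stored in them.
 * Returns the number of bytes overwritten, or -1 on error. */
long overwrite_with_zeros(const char *path)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) { close(fd); return -1; }
    static unsigned char zeros[4096];          /* static storage is zero-filled */
    off_t remaining = st.st_size;
    while (remaining > 0) {
        size_t chunk = remaining < (off_t)sizeof zeros ? (size_t)remaining : sizeof zeros;
        ssize_t n = write(fd, zeros, chunk);
        if (n <= 0) { close(fd); return -1; }
        remaining -= n;
    }
    /* Push the zeros to the disk; until then the old blocks may still be on
     * the platter when the machine is seized or loses power. */
    if (fsync(fd) != 0) { close(fd); return -1; }
    return close(fd) == 0 ? (long)st.st_size : -1;
}

/* Returns 1 if the file is non-empty and every byte is zero, 0 if any byte is
 * non-zero or the file is empty, -1 on error. */
int file_is_all_zero(const char *path)
{
    FILE *f = fopen(path, "rb");
    if (!f)
        return -1;
    int c, seen = 0, all_zero = 1;
    while ((c = fgetc(f)) != EOF) {
        seen = 1;
        if (c != 0) { all_zero = 0; break; }
    }
    fclose(f);
    return seen ? all_zero : 0;
}

int main(void)
{
    if (write_sample_log(EXAMPLE_LOG) < 0) { perror("write_sample_log"); return 1; }
    long n = overwrite_with_zeros(EXAMPLE_LOG);
    if (n < 0) { perror("overwrite_with_zeros"); return 1; }
    printf("overwrote %ld bytes; all zero now: %s\n", n,
           file_is_all_zero(EXAMPLE_LOG) == 1 ? "yes" : "no");
    /* Only now release the handle: the blocks it points at hold nothing. */
    unlink(EXAMPLE_LOG);
    return 0;
}
```

Run it as root or as the remailer user on a quiet system; the order matters (write zeros, fsync, then unlink), because reversing it reproduces the clri problem the message describes.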