On Wed, 10 May 1995, Dr. Frederick B. Cohen wrote: > All current (2) programs can be detected by comparing the OS programs > with their original distribution versions using MD5 or a similar > cryptographic checksum technique. This has been widely published for > over 5 years. > > Thus, not only is detection of all Unix-based real-world sniffers not > impossible or infeasible, it is downright easy and simple. > Correct me if I am wrong, but the sniffers we have seen here do not modify any OS programs. The OS program may have been trojaned as a separate attack to provide entry points, but the sniffer itself does not modify anything (Other than putting /dev/nit into promiscuos mode on SunOS). Assuming that you are correct, all I have to do is get our 10,000 machines to run tripwire and the 400 part-time system administrators to be observant... easy.... simple.... I don't think so, Fred... ------------ Ron Holland holland@telchar.jpl.nasa.gov Communications, Computer & Network Services JPL / NASA - Pasadena, CA Visualize Whirled Peas... Ummmm.. Make that World Peace!