[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Monotone-devel] db kill_rev_locally

From: Ethan Blanton
Subject: Re: [Monotone-devel] db kill_rev_locally
Date: Sat, 11 Oct 2008 18:03:05 -0400
User-agent: Mutt/1.5.17+20080114 (2008-01-14)

Daniel Carrera spake unto us the following wisdom:
> Against this particular attack, Monotone only has recovery. Monotone has  
> a great recovery system, but something in the way of prevention or  
> detection would be a worthy improvement. For example:
> 1) Prevention: Remove or somehow restrict the "db kill_rev_locally"  
> command and the "db execute" command.
> 2) Detection: Record who runs "db kill_rev_locally" (recording "db  
> execute" is kind of pointless).

Monotone *cannot* have anything but recovery.  If the attacker has
write access to your database on the filesystem (which is necessary
for thsi attack), he/she can just fire up 'sqlite' and remove as many
records as desired.  It doesn't matter what monotone wrote or
annotated, in that case.

In general, yes, audit trails are great -- but make sure your
prevention and detection match the threat model you're supposing.


The laws that forbid the carrying of arms are laws [that have no remedy
for evils].  They disarm only those who are neither inclined nor
determined to commit crimes.
                -- Cesare Beccaria, "On Crimes and Punishments", 1764

Attachment: signature.asc
Description: Digital signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]