Download Sites Hacked, Source Code Backdoored
Brian McWilliams, SecurityFocus 2002-06-03

The popular open-source security tool Fragroute is bugged in plain sight by unknown hackers, who may have struck before.

Download Sites Hacked, Source Code Backdoored 2002-06-04
Coldman (6 replies)
Download Sites Hacked, Source Code Backdoored 2002-06-04
doxavg (1 replies)
Download Sites Hacked, Source Code Backdoored 2002-06-07
Anonymous (2 replies)
Download Sites Hacked, Source Code Backdoored 2002-06-12
Robert Pitt
If the kids who broke into the site had the knowledge to alter the IRC client's code, then it's not a great leap of the imagination to suppose they would have little problem defeating such an obvious protection method either. More than anything this would simply make the site admins feel (falsely) secure. As another guy on here wrote, authenticity verification data of that sort should be kept on read-only media. Furthermore, it should be run manually and not automatically, since if I had hacked into a site, one of the first things I would do is turn off that crontab job running tripwire while I trojaned the binary (if the admin was silly enough to leave it on their HD) or trojaned the kernel to render it ineffective if they had it on read-only media. Finally, having another (locked down) machine performing verification via a network link to the files might be beneficial as the kid(s) can't fool that machine without making it send the original files over the network, possibly defeating the purpose.

Link to this comment: http://www.securityfocus.com/comments/articles/462/13009#13009
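
The off-host check described in the comment above, sketched as an added example (not part of the original comment or the site's code): a separate verifier holds a hash manifest built from trusted release artifacts and compares it against what the download host actually serves. The file names, sample contents and the `fetch`/`listing` callables are constructed stand-ins for the network link.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Run once on trusted release artifacts; keep the result off the web server."""
    return {name: sha256_hex(blob) for name, blob in files.items()}


def verify_served_files(manifest: dict, fetch, listing) -> dict:
    """Compare what the download host serves against the offline manifest.

    fetch(name) -> bytes and listing() -> iterable of names are hypothetical
    callables standing in for the verifier's network link to the site.
    """
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    served = set(listing())
    for name, expected in sorted(manifest.items()):
        if name not in served:
            report["missing"].append(name)
            continue
        actual = sha256_hex(fetch(name))
        status = "ok" if hmac.compare_digest(actual, expected) else "modified"
        report[status].append(name)
    # Files present on the host but never released are also worth an alert.
    report["unexpected"] = sorted(served - set(manifest))
    return report


# Constructed sample data: a trusted release and a tampered download directory.
TRUSTED = {"tool-1.0.tar.gz": b"original source archive", "README": b"docs"}
MANIFEST = build_manifest(TRUSTED)
SERVED = {"tool-1.0.tar.gz": b"original source archive + backdoor",
          "extra.sh": b"#!/bin/sh\n"}


def demo_report() -> dict:
    return verify_served_files(MANIFEST, SERVED.__getitem__, SERVED.keys)


if __name__ == "__main__":
    for status, names in demo_report().items():
        print(f"{status:10s} {names}")
```

The verifier should fetch the files the same way an ordinary downloader would, so the host cannot tell its requests apart and serve it the untouched originals.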
well.. 2002-06-04
frozen chocolate jesus
Download Sites Hacked, Source Code Backdoored 2002-06-04
cras (1 replies)
Download Sites Hacked, Source Code Backdoored 2002-06-05
Anonymous (1 replies)
Download Sites Hacked, Source Code Backdoored 2002-06-07
Chris Berry <compjma (at) hotmail (dot) com [email concealed]> (1 replies)
open vrs closed... 2002-06-05
Anonymous
You're wrong. 2002-06-14
twoforty
Not only one 2002-06-07
notstarh


 

Copyright 2010, SecurityFocus