Slashdot Mirror


EFF's Logfinder

clonebarkins writes "EFF has just released a new software tool called 'logfinder' to help server admins find (and delete) unnecessary log files on their boxen. 'By finding unwanted log files, logfinder informs system administrators when their servers are collecting personal data and gives them the opportunity to turn logging off if it isn't gathering information necessary for administering the system.'"
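The summary does not show how logfinder itself works, so here is an added example in the same spirit, not EFF's code: a small Go scanner that reads a few constructed log files and reports which of them carry IP addresses or e-mail addresses, so the administrator can decide whether that logging is needed. It only reports; it never deletes anything. The paths, the sample lines and the two detector patterns are assumptions for the illustration.

```go
package main

import (
	"bufio"
	"regexp"
	"sort"
	"strings"
)

// Constructed sample logs (not real files): a web access log with client IPs,
// a mail log with addresses, and an application log with no personal data.
var sampleLogs = map[string]string{
	"/var/log/httpd/access_log": "192.0.2.10 - - [01/Jan/2004:10:00:00 +0000] \"GET / HTTP/1.1\" 200 512\n" +
		"198.51.100.7 - - [01/Jan/2004:10:00:01 +0000] \"GET /about HTTP/1.1\" 200 1024\n",
	"/var/log/maillog":        "Jan  1 10:00:02 host postfix/smtpd[123]: from=<alice@example.org> to=<bob@example.net>\n",
	"/var/log/app/worker.log": "2004-01-01 10:00:03 INFO queue drained (42 jobs)\n2004-01-01 10:00:04 WARN retrying\n",
}

// detectors maps a kind of personal data to a pattern that recognises it.
// Both patterns are deliberately simple and are assumptions of this example.
var detectors = map[string]*regexp.Regexp{
	"ipv4":  regexp.MustCompile(`\b(?:\d{1,3}\.){3}\d{1,3}\b`),
	"email": regexp.MustCompile(`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`),
}

// Finding records one kind of personal data and how many lines of a log carry it.
type Finding struct {
	Path  string
	Kind  string
	Lines int
}

// Scan reads every log line by line, counts the lines matching each detector,
// and returns the findings sorted by path and kind. Files with no match
// produce no finding at all.
func Scan(logs map[string]string) []Finding {
	var out []Finding
	for path, content := range logs {
		counts := map[string]int{}
		sc := bufio.NewScanner(strings.NewReader(content))
		for sc.Scan() {
			for kind, re := range detectors {
				if re.MatchString(sc.Text()) {
					counts[kind]++
				}
			}
		}
		for kind, n := range counts {
			out = append(out, Finding{Path: path, Kind: kind, Lines: n})
		}
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Path != out[j].Path {
			return out[i].Path < out[j].Path
		}
		return out[i].Kind < out[j].Kind
	})
	return out
}
```

On the sample input the access log is flagged for two lines with client IPs and the mail log for one line with addresses; the worker log produces nothing. A real deployment would walk the filesystem instead of a map and would hand the report to a human, which is the point Otter makes further down the thread.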

8 of 169 comments

  1. WTF is Boxen? by Evil+W1zard · · Score: 2, Interesting

    Am I behind the times in cool admin speak or was this simply boxes misspelled? In any case I could definitely see this being used for both good and bad.

    --
    News Reporters Make Tasty Polar Bear Treats!
    1. Re:WTF is Boxen? by Mr.+Slippery · · Score: 2, Interesting
      Just trying to figure out why admins call them "boxen," not supporting the strange practice.

      It's a running joke. See also this.

      --
      Tom Swiss | the infamous tms | my blog
      You cannot wash away blood with blood
  2. Re:Can't subpoena what doesn't exist? by xC0000005 · · Score: 3, Interesting

    I think so, but really it's just another step in an arms race. How long until we see court orders to collect this sort of information? Or forbidding the use of log destruction/filtering tools?

    --
    www.voiceofthehive.com - Beekeeping and Honeybees for those who don't.
  3. Interesting Motive by peterdaly · · Score: 3, Interesting

    My first thought was the main purpose of this would be to identify and eliminate "wasted" disk space. There are a bunch of logs that, without management, really just end up being wasted bits on your disk. Generally, that may be a useful utility, at least to me.

    I was surprised to see the EFF seems to have a totally different motivation. It seems their real motivation is that the government can't demand logs that don't exist, or more specifically you can't get in trouble for not providing what you don't actually have.

    Not sure what I think of that...

  4. Re:I appreciate the effort but... by Otter · · Score: 2, Interesting

    Unix admins versus MCSE's aside -- do you want your admin (on any platform) deleting files without understanding why they're there, just because some script from the EFF pointed them out to him?

  5. Good work, but... by IBeatUpNerds · · Score: 2, Interesting

    You could be treading in some dangerous territory. Let's say, for instance, as a sysadmin, you know one of your users has been accessing some machine they should not access for whatever reason (immoral, illegal, etc...). Well, you run this tool and uncover evidence to support that theory, then discuss with JaneUser and, out of the goodness of your heart, decide to remove the logs in question. All is well.

    Two months later, "they" subpoena your logs to find no trace of evidence. Suspecting log-alteration, they subpoena the upstream providers' logs and find correlating evidence that is mysteriously missing from your logs. So, JaneUser ends up getting in trouble, and the kind-hearted sysadmin gets slapped with evidence tampering.

    I think, if you're going to carry out any activity that needs covering up, then you need to be more in tune with the circumstances rather than dealing with these sort of things after the fact. Or you could just avoid illegal activity altogether...

  6. Re:Only if you don't do backups. by tchuladdiass · · Score: 2, Interesting

    That's why you use a tape backup tool that has an "Enron/Anderson" mode. Before writing any file to tape, encrypt it with a random key and store that key in your file locator database. Then when it is time to expire a particular file version, all you have to do is delete the index record. No need to wipe the tape. This is useful if you have data on a tape that expires at different times.
    Also, for security, the random keys should then be passed through a public key encryption prior to being written to the database.
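The scheme tchuladdiass describes (a random per-file key, the key stored in the index after being wrapped with a public key, expiry by deleting the index record) is what is usually called crypto-shredding. As an added example, not the poster's code or any tape product's, here is a Go model of it using the standard library: each file version is encrypted with a fresh AES-256-GCM key, the key is wrapped with RSA-OAEP before it goes into the index, and expiring a version deletes only its index record while the ciphertext stays on the simulated tape. The type and function names (Archive, Store, Expire, Restore, Demo) and the sample log line are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// record is one index entry (hypothetical layout): wrapped data key plus GCM nonce.
type record struct {
	wrappedKey []byte
	nonce      []byte
}

// Archive simulates a write-once tape (ciphertext, never wiped) plus the
// separately stored index whose records are deleted to expire a version.
type Archive struct {
	tape  map[string][]byte
	index map[string]record
	pub   *rsa.PublicKey
}

// newGCM builds an AES-256-GCM AEAD from a raw 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Store encrypts one file version under a fresh random key and wraps that key
// with the archive public key (RSA-OAEP). The version id is both the OAEP label
// and the GCM associated data, so a record cannot be repointed at another version.
func (a *Archive) Store(id string, plaintext []byte) error {
	buf := make([]byte, 32+12) // 256-bit data key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, a.pub, key, []byte(id))
	if err != nil {
		return err
	}
	a.tape[id] = gcm.Seal(nil, nonce, plaintext, []byte(id))
	a.index[id] = record{wrappedKey: wrapped, nonce: nonce}
	return nil
}

// Expire deletes only the index record; the ciphertext stays on tape with no
// key left that can open it.
func (a *Archive) Expire(id string) { delete(a.index, id) }

// Restore unwraps the data key with the private key (kept off the tape host)
// and decrypts the version; it fails once the index record is gone.
func (a *Archive) Restore(id string, priv *rsa.PrivateKey) ([]byte, error) {
	rec, ok := a.index[id]
	if !ok {
		return nil, errors.New("no index record: version expired or never stored")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, rec.wrappedKey, []byte(id))
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, rec.nonce, a.tape[id], []byte(id))
}

// Demo stores a constructed log line, restores it, expires it, and reports what
// was readable before and after expiry and whether the ciphertext is still on tape.
func Demo() (beforeOK, afterOK, stillOnTape bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	const id = "access.log.2004-01-01"
	line := []byte("192.0.2.10 - - GET /index.html 200") // constructed sample
	a := &Archive{tape: map[string][]byte{}, index: map[string]record{}, pub: &priv.PublicKey}
	if err = a.Store(id, line); err != nil {
		return
	}
	pt, rerr := a.Restore(id, priv)
	beforeOK = rerr == nil && string(pt) == string(line)
	a.Expire(id)
	_, rerr = a.Restore(id, priv)
	afterOK = rerr == nil
	_, stillOnTape = a.tape[id]
	return
}
```

The scheme only works as well as the deletion of the index record does: if the index itself is backed up, or the private key that unwraps data keys is kept alongside the tapes, an expired version remains recoverable, so those two stores need their own retention rules.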

  7. anybody else have this lock up their system? by rcpitt · · Score: 2, Interesting
    OK - I downloaded it, untar'd, and ran it as root on my Toshiba laptop (RH-9 2.4.20-31.9 kernel, 1G RAM) and the machine locked up. I had switched to another window and was looking at a log file while the program "thought" in the original window. I also had a number of remote ssh sessions open. The machine had been up for about 30 minutes today already.

    This system is rock solid, in use for hours/day with the exact same mix of programs running constantly (evolution, mozilla, ssh/rxvt windows to external systems, etc.)

    comments?

    --
    Been there, done that, paid for the T-shirt
    and didn't get it