[Cryptography] Write-protect switches, etc.
leichter at lrw.com
Wed Dec 30 20:46:35 EST 2015
> One significant problem with malware is that it can *delete log files*, so that finding out what it was up to can be difficult.
> Soooo, you need a *write-once*, *append-only* device to act as a logger.
> It's sad, in this day and age, that the best logger may be an old-style continuous paper printer.
At one time, you could get special "logging magnetic tape drives": They physically could not backspace the tape, and when they reached end-of-tape they automatically rewound and unmounted the reel. (The old magnetic tapes also had a "write ring" that had to be inserted in the back to be writeable at all. Given the technology of the era, these almost certainly controlled physical switches controlling the write current.)
> The Bitcoin blockchain is an analogous system that would require overwhelming force (i.e., some plurality of the computing power) to change an entry.
A number of mechanisms to implement append-only logs have been proposed over the years - I think Bruce Schneier is a co-author on one. They all have the property that an attacker can only destroy the previous logs completely, not modify entries within them - the strongest property such a system can have. (Add periodic distribution to a number of independent storage sites if you want to ensure availability.) While the blockchain would do it, it's likely overkill for this particular problem. (Of course, if you already have it and are using it for other purposes, there's no reason not to use it here, too.)
> The malware can force the log files to be encrypted with a key of their choosing -- sort of like ransomware -- so the resulting log files may exist, but will be gibberish.
As I noted above, it's always possible to destroy the log. If all else fails, physical destruction of any recording medium is available. All you can expect is that tampering (or destruction) is always detectable.
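As an added illustration of the append-only log property discussed above (not code from the thread or from any published scheme): a forward-secure hash chain in which each entry is authenticated with a per-entry key that is then evolved and erased. The key names, the constructed log lines and the initial key are assumptions for the demo; an attacker who seizes the logger later can truncate the log, but cannot alter earlier entries without the verifier noticing.

```python
import hashlib
import hmac


def _next_key(key: bytes) -> bytes:
    # Forward step: K_{i+1} = H(K_i); the logger discards K_i afterwards.
    return hashlib.sha256(b"key-evolve" + key).digest()


def _tag(key: bytes, prev_hash: bytes, entry: bytes) -> bytes:
    # Each entry is bound to its predecessor through prev_hash.
    return hmac.new(key, prev_hash + entry, hashlib.sha256).digest()


class AppendOnlyLog:
    def __init__(self, initial_key: bytes):
        self.key = initial_key            # current K_i; earlier keys are gone
        self.prev_hash = b"\x00" * 32     # chain anchor
        self.records = []                 # (entry, tag) pairs

    def append(self, entry: bytes) -> None:
        tag = _tag(self.key, self.prev_hash, entry)
        self.records.append((entry, tag))
        self.prev_hash = hashlib.sha256(tag).digest()
        self.key = _next_key(self.key)    # K_i can no longer be recovered here


def verify(initial_key: bytes, records) -> int:
    """Recompute the chain from K_0 (held only by the verifier).
    Returns the number of verified entries, or -1 if any entry was
    modified, reordered or inserted."""
    key, prev_hash = initial_key, b"\x00" * 32
    for entry, tag in records:
        if not hmac.compare_digest(tag, _tag(key, prev_hash, entry)):
            return -1
        prev_hash = hashlib.sha256(tag).digest()
        key = _next_key(key)
    return len(records)


def demo():
    k0 = b"constructed-initial-key-kept-offline"   # assumed shared with the verifier
    log = AppendOnlyLog(k0)
    for line in [b"sshd: accepted key for admin",        # constructed log lines
                 b"sudo: admin ran apt update",
                 b"sshd: session closed"]:
        log.append(line)
    tampered = [(b"sudo: nothing happened" if i == 1 else e, t)
                for i, (e, t) in enumerate(log.records)]
    truncated = log.records[:1]   # still verifies, but with fewer entries:
    # detecting truncation needs an external record of the expected length,
    # which is what periodic distribution to independent sites provides.
    return verify(k0, log.records), verify(k0, tampered), verify(k0, truncated)
```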