Re: Infecting the KaZaA network? (moving here thread from 'traq)

From: Valdis.Kletnieksat_private
Date: Wed Feb 13 2002 - 08:29:34 PST

On Tue, 12 Feb 2002 17:48:13 EST, Shoten <shotenat_private> said:

> Not to mention that in this case, the file with the same checksum would have
> to be EXACTLY the same size as the KaZaA executable, AND be a functional
> virus on top of that.  And even if you got all that, you'd have to worry
> about it getting mixed with a valid client during download from multiple
> sources.  For those who think this is possible, go ahead and try...good luck

This is all assuming, of course, that you have reason to trust the original
size and checksum, and that you have reasonable assurance that you *are*
in fact downloading from multiple sources, at least one of which is not in
collusion.

How do you know that you aren't the victim of a man-in-the-middle attack
on your download?  Before you say "That can't be", go read this:

http://www.securityfocus.com/archive/1/245693

Hint: That's why the PGP documentation suggests key signing parties and
verifying the footprint *over the phone*.
-- 
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
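An added illustration of the point made in the message above (example code, not part of the original post or of any KaZaA client): a toy swarm-download verifier with constructed sample chunks and hypothetical peer functions. With a manifest pinned out of band, a single colluding peer is caught by per-chunk hashes; when the manifest itself arrives through the same man in the middle who rewrites every peer connection, the identical size-and-checksum check passes.

```python
import hashlib

# Constructed sample payloads (not real binaries): a genuine client build and a
# same-size trojan that differs in two of the four chunks.
GENUINE_CHUNKS = [b"hdr-v160", b"code-aaa", b"code-bbb", b"data-ccc"]
TROJAN_CHUNKS = [b"hdr-v160", b"code-xxx", b"code-bbb", b"evil-ddd"]


def manifest_for(chunks):
    """Size plus per-chunk SHA-256, i.e. what a download would be checked against."""
    return {"size": sum(len(c) for c in chunks),
            "chunks": [hashlib.sha256(c).hexdigest() for c in chunks]}


def download(peers, n_chunks):
    """Swarm download: chunk i is served by peer i % len(peers)."""
    return [peers[i % len(peers)](i) for i in range(n_chunks)]


def verify(manifest, chunks):
    """Return (ok, bad_chunk_indices); a size mismatch marks every chunk bad."""
    if sum(len(c) for c in chunks) != manifest["size"]:
        return False, list(range(len(chunks)))
    bad = [i for i, c in enumerate(chunks)
           if hashlib.sha256(c).hexdigest() != manifest["chunks"][i]]
    return not bad, bad


# Hypothetical peers: one serves the genuine build, one serves the trojan.
honest_peer = lambda i: GENUINE_CHUNKS[i]
colluding_peer = lambda i: TROJAN_CHUNKS[i]


def scenario_pinned_manifest():
    """Manifest obtained out of band (pinned); one of the two peers colludes.
    The chunks fetched from the colluding peer fail their hash check."""
    pinned = manifest_for(GENUINE_CHUNKS)
    return verify(pinned, download([honest_peer, colluding_peer], len(pinned["chunks"])))


def scenario_inband_manifest():
    """Manifest and every peer connection pass through the same man in the
    middle, who rewrites both consistently: the check has nothing to catch."""
    mitm_manifest = manifest_for(TROJAN_CHUNKS)
    peers = [colluding_peer, colluding_peer]  # every 'source' is really the MITM
    return verify(mitm_manifest, download(peers, len(mitm_manifest["chunks"])))
```

The verifier only ever tells you that the bytes match the manifest you were given; whether that manifest is trustworthy is decided by how it reached you, which is the role the out-of-band fingerprint check plays for PGP keys.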
This archive was generated by hypermail 2b30 : Wed Feb 13 2002 - 10:30:30 PST