Ok, a weekend late [I forgot to send this]... once again, forcing a web of trust on the code we deploy anyways... so we can either take up Signature authorities for files on the net [which I don't like... as this is only the first real case of poisoned files on a big distro] OR have MD5 sums from multiple locations pulled and then an average presented to the user, assuming that these locations wouldn't be updated as fast [perhaps forcing a 1-2 day delay on updating any sums for a given mirror except for new entries?] we can increase the probability that a release can be trusted slightly... or perhaps, if I am mirror A, have a watchdog script compare my md5 sum to every other md5 sum across the mirrors, and take some action should the ratio of unmatching MD5's fall below a certain percentage... or something like that.

Do scripts like that exist already?

Cheers,
nick

----- Original Message -----
From: <wozzat_private>
To: "Eirik Seim" <defaultat_private>
Cc: <vuln-devat_private>; "Steve Wright" <stevewat_private>
Sent: Friday, August 02, 2002 1:20 PM
Subject: Re: Re: ssh trojaned

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Of course, verifying checksums does you no good if the checksums have
> been replaced along with the binary. Be sure to acquire your checksums
> from some other, presumably safe, location.
>
> On Thu, 1 Aug 2002 22:41:39 +0200 (CEST), Eirik Seim <defaultat_private> wrote:
>
> > Oh, and the guys that inserted the trojan might easily have had access to more
> > on the same ftp site, and subsequently also its mirrors. If you don't
> > usually verify checksums, now is a great time to start doing so.
> >
> > - Eirik
> > --
> > New and exciting signature!
>
> -----BEGIN PGP SIGNATURE-----
> Version: Hush 2.1
> Note: This signature can be verified at https://www.hushtools.com
>
> wlsEARECABsFAj1KzbEUHHdvenpAMHhkZWFkYmVlZi5vcmcACgkQ1vK8vFo3sjzZEQCf
> YpqiXaafmDfMuhErWoaJ/u86csgAoLvBK8uxMoIDpfZdfOwBrwdnRRYD
> =EoUt
> -----END PGP SIGNATURE-----
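As an added example (not code from the post above, nor from any mirror project), the following Python script does the cross-mirror comparison nick describes: it parses each mirror's published checksum list, takes a majority vote per file across the other mirrors, and reports the fraction of files on which one mirror disagrees together with an alarm flag once that fraction crosses a threshold. It assumes (my assumption, not stated in the thread) that every mirror publishes an `MD5SUMS` file in the usual `<digest>  <filename>` format; the mirror contents, file names and digests below are constructed inline so the script runs offline, and fetching plus whatever action is taken on alarm are left to the caller.

```python
"""Cross-mirror checksum watchdog (added example, not from the original post).

Assumed (not from the thread): each mirror publishes an MD5SUMS file in the
"<32-hex-digest>  <filename>" format produced by md5sum. The mirror contents
used here are constructed so the script runs offline.
"""
import hashlib
import re
from collections import Counter

# md5sum output: digest, two spaces (or " *" in binary mode), filename
MD5SUMS_LINE = re.compile(r"^([0-9a-fA-F]{32})\s+\*?(\S.*)$")


def parse_md5sums(text):
    """Parse an MD5SUMS file into {filename: digest}; skip blank, comment and malformed lines."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = MD5SUMS_LINE.match(line)
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums


def consensus_digests(mirror_sums):
    """Majority vote per file across mirrors.

    Returns {filename: (winning digest, votes for it, mirrors listing the file)}.
    """
    votes = {}
    for sums in mirror_sums.values():
        for fname, digest in sums.items():
            votes.setdefault(fname, Counter())[digest] += 1
    consensus = {}
    for fname, counter in votes.items():
        digest, count = counter.most_common(1)[0]
        consensus[fname] = (digest, count, sum(counter.values()))
    return consensus


def watchdog(my_name, mirror_sums, max_mismatch_ratio=0.0):
    """Compare mirror my_name against the consensus of all *other* mirrors.

    Returns (mismatch ratio, sorted list of disagreeing files, alarm flag).
    A mirror's own list is excluded from the vote so it cannot outvote itself.
    """
    others = {m: s for m, s in mirror_sums.items() if m != my_name}
    consensus = consensus_digests(others)
    my_sums = mirror_sums[my_name]
    compared = [f for f in my_sums if f in consensus]
    disagreeing = sorted(f for f in compared if my_sums[f] != consensus[f][0])
    ratio = len(disagreeing) / len(compared) if compared else 0.0
    return ratio, disagreeing, ratio > max_mismatch_ratio


def verify_local_file(data, expected_digest):
    """True if the bytes of a downloaded file match the (consensus) digest."""
    return hashlib.md5(data).hexdigest() == expected_digest.lower()


# ---- Constructed sample data (not real mirrors or real files) ----
CLEAN_TARBALL = b"constructed clean tarball contents"
TROJANED_TARBALL = b"constructed trojaned tarball contents"
OTHER_FILE = b"constructed unrelated file"


def _line(data, fname):
    return f"{hashlib.md5(data).hexdigest()}  {fname}"


# mirror-a lists a digest for the ssh tarball that the other three do not,
# as a poisoned mirror (or one that alone has synced a poisoned master) would.
MIRROR_MD5SUMS = {
    "mirror-a": "\n".join([_line(TROJANED_TARBALL, "ssh-example.tar.gz"),
                           _line(OTHER_FILE, "other.tar.gz")]),
    "mirror-b": "\n".join([_line(CLEAN_TARBALL, "ssh-example.tar.gz"),
                           _line(OTHER_FILE, "other.tar.gz")]),
    "mirror-c": "\n".join(["# comment line, ignored",
                           _line(CLEAN_TARBALL, "ssh-example.tar.gz"),
                           _line(OTHER_FILE, "other.tar.gz")]),
    "mirror-d": "\n".join([_line(CLEAN_TARBALL, "ssh-example.tar.gz"),
                           _line(OTHER_FILE, "other.tar.gz")]),
}
MIRROR_SUMS = {name: parse_md5sums(text) for name, text in MIRROR_MD5SUMS.items()}


if __name__ == "__main__":
    for name in MIRROR_SUMS:
        ratio, bad, alarm = watchdog(name, MIRROR_SUMS)
        print(f"{name}: mismatch ratio {ratio:.2f}, disagreeing {bad}, alarm={alarm}")
    # A downloader would check its copy against the consensus, not against
    # the checksum served by the same mirror it downloaded from.
    consensus = consensus_digests(MIRROR_SUMS)["ssh-example.tar.gz"][0]
    print("local copy clean:", verify_local_file(TROJANED_TARBALL, consensus))
```

The vote only helps while the mirrors are not all in lock-step with one poisoned master, which is exactly why the post's idea of delaying checksum updates on each mirror matters: it widens the window in which a freshly replaced file and its replaced checksum disagree with everyone else. Agreement among mirrors still says nothing about whether the master copy was clean to begin with, so the threshold should be treated as a tripwire for investigation rather than proof of integrity.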
This archive was generated by hypermail 2b30 : Mon Aug 05 2002 - 08:04:15 PDT