Russell S/nillion42 wrote:

>>Problem:
>>Lack of file checksum in kazaa leads to the ability to
>>spread corrupted files and corrupt the download of any file.
>>
>>Method:
>>By deleting (replacing with hex 00) the data from an mp3
>>file and leaving the headers you can create a file
>>which has identical filesize (kazaa checks filesize).
>>When a kazaa user downloads a file, multiple download
>>streams can be used, if a stream is created to the
>>corrupted file, it will make the download useless once
>>finished not readily apparent until download is complete.

I haven't looked into why, but I can confirm that I've observed this. I had occasion to download some Red Hat ISOs from Kazaa recently, and the MD5 sums on 2 of the 5 didn't check out. On one, the bad section was 0's. On the other, it had a bunch of single-bit errors in one section, the same bit position each time. (Comparison done by using the signed MD5 file from RedHat, and downloading intact copies of the corrupted ISOs from a mirror site, and then using fc /b.)

I had been under the impression that Kazaa DID use checksums, just that it had some sort of bug, or was trusting the peers, or something. I thought that was what the temp filename was. (I wouldn't mind someone pointing me to any good info about the protocol.)

Of course, if someone intentionally or accidentally leaves a corrupted file lying around, you might download that one on accident. After all, you only get to decide based on name. For example, suppose I chose ISO 2 from the list, and the one I chose was corrupt, I will continue to correctly download the corrupt one. If 5 of the people out of the 50 who have a file with the same name and size have corrupt ones, and I've picked that one (because I can't tell them apart), then I would proceed to get the corrupt one from up to 5 people, even if some sort of checksum is used. How could you tell the two situations apart?

This also came up on this list a while ago in regards to the Kazaa program itself. The "Kazaa" you get from downloads.com, etc... is just a stub that downloads the real Kazaa from the Kazaa network itself. Naturally, this leads one to wonder if it's possible to slip in your own version. If there's a way to upload modified versions of Kazaa, then hilarity would ensue.

BB
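
The comparison described in the message above (same file size, MD5 mismatch, then a byte-level diff against an intact copy) can be scripted. This is an added example, not part of the original post; the function names and the sample data are constructed for illustration.

```python
import hashlib

def diff_runs(good: bytes, bad: bytes, gap: int = 16):
    """Group differing byte offsets into (start, end) runs; offsets within `gap` merge."""
    runs = []
    for off, (g, b) in enumerate(zip(good, bad)):
        if g == b:
            continue
        if runs and off - runs[-1][1] <= gap:
            runs[-1][1] = off
        else:
            runs.append([off, off])
    return [tuple(r) for r in runs]

def classify(good: bytes, bad: bytes, start: int, end: int) -> str:
    """Label one damaged run with the two patterns reported in the message."""
    seg_good, seg_bad = good[start:end + 1], bad[start:end + 1]
    if not any(seg_bad):
        return "zero-filled"
    masks = {g ^ b for g, b in zip(seg_good, seg_bad) if g != b}
    if len(masks) == 1:
        mask = masks.pop()
        if mask & (mask - 1) == 0:  # exactly one bit differs, same bit every time
            return f"single-bit errors at bit {mask.bit_length() - 1}"
    return "other"

def report(good: bytes, bad: bytes) -> dict:
    """Size check (all the client is said to compare), MD5 check, damaged regions."""
    return {
        "same_size": len(good) == len(bad),
        "md5_match": hashlib.md5(good).digest() == hashlib.md5(bad).digest(),
        "regions": [(s, e, classify(good, bad, s, e)) for s, e in diff_runs(good, bad)],
    }

# Constructed sample data standing in for an intact ISO and two damaged downloads.
GOOD = bytes((i * 37 + 11) % 251 + 1 for i in range(4096))
BAD_ZERO = GOOD[:1024] + bytes(1024) + GOOD[2048:]   # section replaced with 0x00
_flipped = bytearray(GOOD)
for i in range(512, 1024, 8):                        # same bit flipped repeatedly
    _flipped[i] ^= 0x08
BAD_FLIP = bytes(_flipped)

if __name__ == "__main__":
    for name, bad in (("zeroed", BAD_ZERO), ("bit-flip", BAD_FLIP)):
        print(name, report(GOOD, bad))
```

Both damaged samples pass the size check and fail the MD5 check, which is the gap the thread describes.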
This archive was generated by hypermail 2b30 : Thu Mar 06 2003 - 14:30:46 PST