> Um, can you site a single *real world* example of where md5 sums > have been co-opted in any way? Yes, md5 now has a weakness, but > really, are there any cases of anyone having actually exploited it?
It's that kind of attitude that is responsible for probably more than half of the breaches that happen. "Show me someone who wants to attack _my_ company; there's nothing here worth getting!" Attackers don't care. They'll often exploit something for the sake of having done it. They don't see a company (usually). They see a machine they can gain control of and use for their own means. MD5 is proven weak. It's possible to take almost any file and its MD5 then create an identically sized file with the same hash in a reasonable time. This can be used to pass out an arbitrary CD image that completely trashes the contents of your hard disk. It doesn't even need to be OpenBSD on the CD. This isn't about IF the problem will occur, but WHEN! There is a known exploit and anybody who doesn't take steps to mitigate that now is just crazy (or lazy). The original point is that BitTorrent makes it easy to seed this kind of crap. Torrent not an official source, but you can easily create OpenBSD-4.1.torrent from your new file with a matching MD5 to the official and sit back and laugh as people start posting to the openbsd forums "j00 1337 BSD h4x0rz are w4nx0rz for 3r4z1ng my d15k5" > I'm not an expert on this, but I do read. Enlightenment is encouraged > if I'm missing something here. Explains the paragraph above :) Cheers, Adam
