That's really a nice idea by uid0, to have something like www.md5signatures.com/sigs.php?soft=fragroute or something like that, like a large database of valid MD5 signatures for those open-source authors who want to take part in it. They can just add a link instead of the whole md5sum (which can be modified by the intruder). If md5signatures gets compromised, it's not necessary that the actual file location is compromised too. That sounds like a new thread for discussion.

I would like people to comment on that.

Regards,
---------
Muhammad Faisal Rauf Danka

Chief Technology Officer
Gem Internet Services (Pvt) Ltd.
web: www.gem.net.pk

Vice President
Pakistan Computer Emergency Response Team (PakCERT)
web: www.pakcert.org

Chief Security Analyst
Applied Technology Research Center (ATRC)
web: www.atrc.net.pk

--- [EMAIL PROTECTED] wrote:
>On Fri, 2002-05-31 at 09:55:21 +0200, Anders Nordby wrote...
>
>; Although downloading it now seems safe, I think folks should know this.
>; The changes done were similar to what happened to irssi, but with a
>; different IP.
>;
>; MD5 sum of fragroute-1.2.tar.gz, downloaded from
>; http://www.monkey.org/~dugsong/fragroute/ on May 27 (the contaminated
>; version): 65edbfc51f8070517f14ceeb8f721075
>;
>; MD5 sum of fragroute-1.2.tar.gz, downloaded from
>; http://www.monkey.org/~dugsong/fragroute/ on May 30 (this is the current
>; MD5 sum): 7e4de763fae35a50e871bdcd1ac8e23a
>
>This makes one wonder a question that would be best posed to the community;
>the purpose of MD5/SHA/etc is to provide unequivocal evidence as to the
>validity of a piece of data. More often than not, such files are kept in the
>same, vulnerable, location as the actual data. Clearly one can see the
>downfall of such a system.
>
>To what extent have the entities in this forum started to analyze methods
>by which to use a "trusted" third party to house such signatures of data?
>In my mind, it seems evident that a light system might take some of the
>functionality of the trusted CA model in SSL, and use it to provide
>guaranteed (as much as one can) signatures.
>
>This might be a good discussion for another forum, but I'm curious to know
>if anything as such is being done.
>
>-#0
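
The point made in this thread (a checksum kept beside the file it describes versus one held by an independent third party), as an added example that is not part of the original post. The source names and the sample bytes are constructed; MD5 is used only to match the thread, and the `algorithm` parameter accepts any `hashlib` name such as `sha256`.

```python
import hashlib

def file_digest(data: bytes, algorithm: str = "md5") -> str:
    """Hex digest of the downloaded bytes."""
    return hashlib.new(algorithm, data).hexdigest()

def check_against_sources(data: bytes, published: dict, algorithm: str = "md5") -> dict:
    """Compare the local digest with digests fetched from independent sources.

    published maps a source name (hypothetical labels here) to the hex digest
    that source advertises. The file is accepted only when every source agrees.
    """
    local = file_digest(data, algorithm)
    agree = sorted(n for n, d in published.items() if d.strip().lower() == local)
    disagree = sorted(n for n in published if n not in agree)
    if not published:
        verdict = "unverified"        # nothing to compare against
    elif not disagree:
        verdict = "ok"                # all independent sources match
    elif not agree:
        verdict = "mismatch"          # file differs from every published value
    else:
        verdict = "sources-disagree"  # one location was changed; reject and investigate
    return {"local": local, "verdict": verdict, "agree": agree, "disagree": disagree}

# Constructed stand-ins for a release tarball and a modified copy of it.
GENUINE = b"constructed stand-in for a release tarball"
MODIFIED = b"constructed stand-in for a release tarball, altered on the server"

def demo() -> dict:
    good, bad = file_digest(GENUINE), file_digest(MODIFIED)
    return {
        # Checksum stored next to the file: whoever replaces the tarball
        # replaces the checksum too, so the single-source check still passes.
        "same_location_only": check_against_sources(MODIFIED, {"download-site": bad}),
        # Adding a digest registered elsewhere exposes the change.
        "with_third_party": check_against_sources(
            MODIFIED, {"download-site": bad, "third-party-registry": good}),
        # Registry altered, download site intact: the disagreement is still visible.
        "registry_altered": check_against_sources(
            GENUINE, {"download-site": good, "third-party-registry": bad}),
        "clean": check_against_sources(
            GENUINE, {"download-site": good, "third-party-registry": good}),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result["verdict"], "disagree:", result["disagree"])
```

A disagreement shows that one location was changed but not which one, so the download should be rejected until the author confirms the correct value.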
