[TriLUG] Fwd: OpenSSH Security Advisory: Trojaned Distribution Files

Mike Mueller mjm-58 at mindspring.com
Thu Aug 1 18:04:14 EDT 2002


On Thursday 01 August 2002 17:48, Dan Chen reputedly wrote:
> On Thu, Aug 01, 2002 at 12:42:29PM -0400, John Broome wrote:
> > ----- Original Message -----
> > From: "Mike Mueller" <mjm-58 at mindspring.com>
> >
> > > On Thursday 01 August 2002 12:11, Brian Daniels reputedly wrote:
> > > Would the problem have been caught if the MD5s were checked, or were
> > > the checksums compromised as well?  If the checksums were compromised,
> > > then can anything anywhere be trusted?
> >
> > From what I saw on slashdot today the MD5s were different.
>
> Yup. There are any number of methods that can alleviate but not
> altogether strongly ensure that nothing has been mucked with. I
> personally pore through the source of any daemon looking for such
> "compromises" prior to building and installing on my machines.

I vote for you as Security Czar.

What if MD5s were signed and sent to trusted people that published the MD5s?  
Then one could check for agreement amongst 2 or more MD5s.  Multiple MD5 
locations would be harder to coordinate an attack on.  MD5s are small to 
download and would add negligible overhead to the entire process.  This is 
different from pulling MD5s from different mirror sites that would simply 
reflect the original compromised MD5.

-- 
m
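
The cross-check proposed in the message above, as an added example that is not part of the original post: a downloaded file is accepted only when enough independent publishers list the same digest, and mirrors that copy one checksum file count as a single vote. The publisher names, the `origin` field and the sample bytes are constructed for illustration, the published digests are assumed to have been signature-checked already, and SHA-256 is used in place of the thread's MD5 (the quorum logic is the same).

```python
import hashlib

def digest(data: bytes, algorithm: str = "sha256") -> str:
    return hashlib.new(algorithm, data).hexdigest()

def check_quorum(data, published, quorum=2, algorithm="sha256"):
    """published: list of (publisher, origin, hex_digest or None).

    Entries sharing an origin (mirrors copying one checksum file) count as
    one vote. Returns (verdict, agreeing_origins, dissenting_origins).
    """
    actual = digest(data, algorithm)
    agree, dissent = set(), set()
    for _publisher, origin, value in published:
        if not value:                      # publisher unreachable: no vote
            continue
        if value.strip().lower() == actual:
            agree.add(origin)
        else:
            dissent.add(origin)
    if dissent:
        verdict = "reject"                 # the file or a publisher was altered
    elif len(agree) >= quorum:
        verdict = "accept"
    else:
        verdict = "insufficient"           # too few independent confirmations
    return verdict, sorted(agree), sorted(dissent)

# Constructed sample data (not from the advisory).
GOOD = b"constructed release tarball bytes\n"
TAMPERED = GOOD + b"extra build step\n"

# Hypothetical independent publishers who recorded the genuine digest.
INDEPENDENT = [
    ("alice", "alice", digest(GOOD)),
    ("bob", "bob", digest(GOOD)),
    ("carol", "carol", None),              # unreachable today
]
# Mirrors that all copied the checksum file from one compromised origin.
MIRRORS = [
    ("mirror1", "upstream", digest(TAMPERED)),
    ("mirror2", "upstream", digest(TAMPERED)),
    ("mirror3", "upstream", digest(TAMPERED)),
]

if __name__ == "__main__":
    print(check_quorum(GOOD, INDEPENDENT))
    print(check_quorum(TAMPERED, MIRRORS))
    print(check_quorum(TAMPERED, MIRRORS + INDEPENDENT))
```

Three mirrors agreeing with a tampered file still yield only one vote, so the result is "insufficient" rather than "accept"; adding the independent publishers turns it into "reject".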


