Bugtraq mailing list archives
Re: trojans on ftp sites
From: peterd () bunyip com (Peter Deutsch)
Date: Sat, 14 May 1994 22:44:43 -0400
Hi Mike! [ Der Mouse wrote: ]
Christopher Klaus put out the idea about changing the archie daemon to detect tampered files [...] The problem is, how would the Archie servers determine the checksums? Easy. modify the 'ls' on each ftp site to automatically do a checksum. [...]
Something along these lines was actually done way back at the San Diego IETF when we suggested gathering MD5 checksums for archie as a form of prototypical URN. Someone (I'm really sorry, but I forget who) went straight to the terminal room and hacked up their "ls" to add a "-x" option, which returned the MD5 checksum for each file. Unfortunately, this proposal eventually got lost in the noise of the infamous URL wars, which held up work on URNs for some time, but we've been looking at dusting the idea off now that the URI group seems to have finally put the URL demon to rest and are finally back working on URNs. I don't think it would be any big deal for us to gather them (provided the anonFTP sites agree to provide them) and we've even suggested to the Gopher guys that they look at it as another attribute in Gopher+ so we could gather them for the new gopher index, as well. It would mean a change in the archie internal database structure (since we'd have to add another field to store the checksum) but I think it's not a bad idea at all.
I'd much rather have something like an XCKS command. Proposed syntax:

    XCKS method pathname

where "method" could be something like "CRC16", "MD5", etc, and "pathname" is of course the name of the file whose checksum is desired. I propose that the checksum method name be specced to be case-insensitive.
I see the value of having this as an option to individuals who wish to verify a checksum but I'm not sure the added complexity would help archie all that much. We usually use either an "ls -lR" or an "ls-lR" file to gather archie info, where available. For archie, I'd rather see agreement from the community on one (or perhaps a small set) of checksum standards and just gather those. Of course, we're open to suggestions on this and would be happy to add this to the "todo" list if enough people liked the idea.

- peterd

--
-----------------------------------------------------------------------------
"What do thay got, a whole lot of sand? We got a hot crustacean band! Each little clam here, know how to jam here! Under the Sea!"
-----------------------------------------------------------------------------
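
As an added illustration (not code from this message, from archie, or from any FTP server), here is one way a server could answer the "XCKS method pathname" command proposed in the quoted text, with case-insensitive method names and the pathname confined to the archive tree. The function name `handle_xcks`, the reply codes (borrowed from RFC 959), the reply text, the choice of the CRC-CCITT/XMODEM variant for "CRC16", and the extra SHA256 method are all assumptions.

```python
import binascii
import hashlib
import os

# The post names "CRC16" and "MD5" as example methods. Which CRC-16 variant was
# meant is not stated; CRC-CCITT (XMODEM) via binascii.crc_hqx is an assumption.
def _crc16(fh):
    crc = 0
    for chunk in iter(lambda: fh.read(65536), b""):
        crc = binascii.crc_hqx(chunk, crc)
    return f"{crc:04x}"

def _digest(name):
    def run(fh):
        h = hashlib.new(name)
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
        return h.hexdigest()
    return run

# SHA256 is an added option, not one named in the thread.
METHODS = {"CRC16": _crc16, "MD5": _digest("md5"), "SHA256": _digest("sha256")}

def handle_xcks(line, ftp_root):
    """Return a one-line reply for 'XCKS method pathname' (reply codes assumed)."""
    parts = line.strip().split(None, 2)
    if len(parts) != 3 or parts[0].upper() != "XCKS":
        return "501 Syntax: XCKS method pathname"
    method = parts[1].upper()  # method names are case-insensitive, as proposed
    if method not in METHODS:
        return "504 Unknown checksum method"
    root = os.path.realpath(ftp_root)
    # Resolve symlinks and '..' first, then require the result to stay inside
    # the archive root so the command cannot checksum arbitrary system files.
    target = os.path.realpath(os.path.join(root, parts[2].lstrip("/")))
    if os.path.commonpath([root, target]) != root or not os.path.isfile(target):
        return "550 No such file"
    with open(target, "rb") as fh:
        return f"213 {method} {METHODS[method](fh)}"
```

A checksum served by the same host that stores the file only detects tampering if the indexer compares it against a value obtained earlier or from another mirror.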