Bugtraq mailing list archives

Re: trojans on ftp sites


From: peterd () bunyip com (Peter Deutsch)
Date: Sat, 14 May 1994 22:44:43 -0400


Hi Mike!

[ Der Mouse wrote: ]

Christopher Klaus put out the idea about changing the archie daemon
to detect tampered files [...]
The problem is, how would the Archie servers determine the
checksums?
Easy.  modify the 'ls' on each ftp site to automatically do a
checksum.  [...]

Something along these lines was actually done way back at
the San Diego IETF when we suggested gathering MD5
checksums for archie as a form of prototypical URN.
Someone (I'm really sorry, but I forget who) went straight
to the terminal room and hacked up their "ls" to add a "-x"
option, which returned the MD5 checksum for each file.

Unfortunately, this proposal eventually got lost in the
noise of the infamous URL wars, which held up work on URNs
for some time, but we've been looking at dusting the idea
off now that the URI group seems to have finally put the
URL demon to rest and are finally back working on URNs.  I
don't think it would be any big deal for us to gather them
(provided the anonFTP sites agree to provide them) and
we've even suggested to the Gopher guys that they look at
it as another attribute in Gopher+ so we could gather them
for the new gopher index, as well.  It would mean a change
in the archie internal database structure (since we'd have
to add another field to store the checksum) but I think it's
not a bad idea at all.


I'd much rather have something like an XCKS command.  Proposed syntax:

XCKS method pathname

where "method" could be something like "CRC16", "MD5", etc, and
"pathname" is of course the name of the file whose checksum is desired.
I propose that the checksum method name be specced to be
case-insensitive.

I see the value of having this as an option to individuals
who wish to verify a checksum but I'm not sure the added
complexity would help archie all that much. We usually use
either an "ls -lR" or an "ls-lR" file to gather archie
info, where available. For archie, I'd rather see
agreement from the community on one (or perhaps a small
set) of checksum standards and just gather those. Of
course, we're open to suggestions on this and would be
happy to add this to the "todo" list if enough people
liked the idea.

                                        - peterd

-- 
-----------------------------------------------------------------------------
   "What do they got, a whole lot of sand? We got a hot crustacean band!
        Each little clam here, know how to jam here! Under the Sea!"
-----------------------------------------------------------------------------
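
Added example, not part of the original message and not code from archie or any FTP daemon: a sketch of how a server could answer the "XCKS method pathname" command proposed in the quoted text, with case-insensitive method names and the pathname confined to the anonymous FTP root. Assumptions: the function names, the reply codes (ordinary FTP codes, reused here) and the reply text are hypothetical, and "CRC16" is taken to mean the CRC-CCITT variant computed by Python's binascii.crc_hqx.

```python
import binascii
import hashlib
import os
import tempfile

def _md5(fh):
    h = hashlib.md5()
    for chunk in iter(lambda: fh.read(65536), b""):
        h.update(chunk)
    return h.hexdigest()

def _crc16(fh):
    # Assumption: CRC-CCITT (poly 0x1021, initial value 0); the thread names no variant.
    crc = 0
    for chunk in iter(lambda: fh.read(65536), b""):
        crc = binascii.crc_hqx(chunk, crc)
    return f"{crc:04x}"

# Keys are upper-case; lookups upper-case the client's method name.
METHODS = {"MD5": _md5, "CRC16": _crc16}

def handle_xcks(line, root):
    """Return (code, text) for one 'XCKS method pathname' line (hypothetical replies)."""
    parts = line.rstrip("\r\n").split(" ", 2)   # pathname may contain spaces
    if len(parts) != 3 or parts[0].upper() != "XCKS" or not parts[2]:
        return 501, "Syntax: XCKS method pathname"
    method = METHODS.get(parts[1].upper())
    if method is None:
        return 504, "Unknown checksum method"
    # Resolve symlinks and ".." first, then require the result to stay under root.
    root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root, parts[2].lstrip("/")))
    if os.path.commonpath([root, target]) != root or not os.path.isfile(target):
        return 550, "No such file"
    with open(target, "rb") as fh:
        return 213, f"{parts[1].upper()} {method(fh)}"

def demo():
    # Constructed sample archive: one file holding the bytes "123456789".
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "tool.tar"), "wb") as fh:
            fh.write(b"123456789")
        return [handle_xcks(cmd, root) for cmd in (
            "XCKS md5 tool.tar", "XCKS CRC16 /tool.tar",
            "XCKS sha9 tool.tar", "XCKS MD5 ../../etc/passwd")]

if __name__ == "__main__":
    for reply in demo():
        print(*reply)
```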
                  
                  


