Bugtraq mailing list archives

Re: your mail

From: adam () bwh harvard edu (Adam Shostack)
Date: Mon, 16 May 94 19:21:01 EDT


| If FTP clients had automatical checksum checker that could compare with the
| FTP server, people would be able to easily test if the checksums have been
| messed with or not.  The intruder would need to modify all the copies kept
| on archie, etc.  By having this checksum ability, this will stop breaches or
| trojans that get entered into the public AFTER the author has released his
| program.  This will not stop breaches or trojans that get implemented into
| the author's own version and then gets distributed.  Atleast then, we would
| know where the trojan was 1st introduced.

        A better solution might be to localize the checksumming.
Encourage people to PGP sign the compressed archives of their software
before distributing it.  PGP 2.5 is legal for use in the US, and seems
to interact well with 2.3, which is legal everywhere else.

        Then the problem becomes one of key distribution, which is
being slowly addressed.  I expect webs of trust would spring up
relatively quickly, at least at larger sites.

Adam

-- 
Adam Shostack                                  adam () bwh harvard edu

Politics.  From the greek "poly," meaning many, and ticks, a small,
annoying bloodsucker.

Current thread:

Re: trojans on ftp sites der Mouse (May 14)
- Re: trojans on ftp sites Peter Deutsch (May 14)
- <Possible follow-ups>
- Re: trojans on ftp sites Paul Robinson (May 14)
  - Re: your mail Christopher Klaus (May 14)
- Re: trojans on ftp sites smb () research att com (May 14)
  - Re: your mail John Macdonald (May 16)
    - Re: your mail Steven C. Blair (May 16)
    - Re: your mail John Macdonald (May 16)
    - Re: your mail Christopher Klaus (May 16)
    - Re: your mail Adam Shostack (May 16)
    - Checksums in FTP servers. Scott Northrop (May 16)
- Re: trojans on ftp sites Gene Spafford (May 15)
- Re: trojans on ftp sites Ariel Faigon (May 17)