Bugtraq mailing list archives

Re: Trojan/backdoor in fragroute 1.2 source distribution


From: uid0 () catastrophe net
Date: Fri, 31 May 2002 10:48:29 -0500

On Fri, 2002-05-31 at 09:55:21 +0200, Anders Nordby wrote...

; Although downloading it now seems safe, I think folks should know this.
; The changes done were similar to what happened to irssi, but with a
; different IP.
; 
; MD5 sum of fragroute-1.2.tar.gz, downloaded from
; http://www.monkey.org/~dugsong/fragroute/ on May 27 (the contaminated
; version): 65edbfc51f8070517f14ceeb8f721075
; 
; MD5 sum of fragroute-1.2.tar.gz, downloaded from
; http://www.monkey.org/~dugsong/fragroute/ on May 30 (this is the current
; MD5 sum): 7e4de763fae35a50e871bdcd1ac8e23a

This makes one wonder a question that would be best posed to the community;
the purpose of MD5/SHA/etc is to provide unequivocal evidence as to the 
validity of a piece of data. More often than not, such files are kept in the 
same, vulnerable, location as the actual data. Clearly one can see the 
downfall of such a system.

To what extent have the entities in this forum started to analyze methods
by which to use a "trusted" third party to house such signatures of data?
In my mind, it seems evident that a light system might take some of the
functionality of the trusted CA model in SSL, and use it to provide
guaranteed (as much as one can) signatures.

This might be a good discussion for another forum, but I'm curious to know
if anything as such is being done.

-#0
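
The point raised in the message above, as an added example that is not part of the original post: a checksum served from the same location as the file still matches after both are replaced, while a digest recorded by an independent party does not. The file name, contents, and the `publish`, `check_colocated`, and `check_pinned` helpers are hypothetical and constructed for illustration; SHA-256 stands in for the "MD5/SHA/etc" the post mentions.

```python
import hashlib
import hmac

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def publish(name: str, data: bytes) -> dict:
    """Model a mirror that serves a file and its checksum side by side."""
    return {name: data, name + ".sha256": sha256_hex(data)}

def check_colocated(mirror: dict, name: str) -> bool:
    """Compare the file with the checksum served from the same mirror."""
    actual = sha256_hex(mirror[name])
    return hmac.compare_digest(actual, mirror[name + ".sha256"])

def check_pinned(mirror: dict, name: str, pins: dict) -> str:
    """Compare the file with a digest held by an independent party.
    Returns 'ok', 'mismatch', or 'unpinned' (no independent record)."""
    expected = pins.get(name)
    if expected is None:
        return "unpinned"  # absence of a record is not a pass
    actual = sha256_hex(mirror[name])
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"

# --- Constructed sample data (not taken from the thread) ---
NAME = "example-1.0.tar.gz"
RELEASE = b"original release contents"
clean_mirror = publish(NAME, RELEASE)

# Independent record: taken at release time and stored somewhere the
# mirror's operator (or anyone with write access to it) cannot change.
PINS = {NAME: sha256_hex(RELEASE)}

# Mirror state after the file was replaced and its checksum regenerated.
tampered_mirror = publish(NAME, b"modified contents")

def report(mirror: dict) -> tuple:
    """(result of co-located check, result of independent check)"""
    return check_colocated(mirror, NAME), check_pinned(mirror, NAME, PINS)

if __name__ == "__main__":
    print("clean   :", report(clean_mirror))
    print("tampered:", report(tampered_mirror))
```

The independent record only helps if its own integrity is protected, for example by a signature made with a key that never touches the download server.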
