Vulnerability Development mailing list archives
RE: Re: ssh trojaned
From: "kevin () ktstone com" <kevin () ktstone com>
Date: Sat, 3 Aug 2002 13:26:00 -0400
Non-reputability is a definite improvement over digital signatures. Too bad that verifying the checksum is also limited.

Kevin

Original Message:
-----------------
From: Joe Harrison list-general () ntlworld com
Date: Sat, 3 Aug 2002 09:28:59 +0100
To: vuln-dev () securityfocus com
Subject: RE: Re: ssh trojaned

> -----Original Message-----
> From: wozz () 0xdeadbeef org [mailto:wozz () 0xdeadbeef org]
> To: Eirik Seim
>
> Of course, verifying checksums does you no good if the checksums have been replaced along with the binary. Be sure to acquire your checksums from some other, presumably safe, location.
>
> On Thu, 1 Aug 2002 22:41:39 +0200 (CEST), Eirik Seim <default () stengt net> wrote:
> > Oh, and the guys that inserted the trojan might easily have had access to more on the same ftp site, and subsequently also its mirrors. If you don't usually verify checksums, now is a great time to start doing so.

This seems to me to be an important point. A couple of weeks ago I did download and install openssh-3.4p1.tar.gz from a mirror. When I examined its GPG signature it checked out fine, I mean fine insofar as GPG considered that the signature hash did correctly match the download file. However, the only assurance I had at that point is that the download had indeed been signed by some unknown key. When I located this key on a public keyserver it claimed to belong to a particular individual, although this person was someone I had never heard of before. There were no "web of trust" signatures on the key. I emailed the address indicated by the keyserver and I got a response from this guy like "yes you have a valid tarball, please stop worrying." At that point I had spent too much time on this so I made a judgement on the balance of probabilities, gave up, and installed the thing. But I still don't feel that I understand how to get a trusted (in the cryptographic sense) authoritative signing key for OpenSSH - which ultimately means that it's pointless to check download signatures. Considering that over the last few days we have seen how absolutely crucial it is to do this check I would suggest there is a problem here that needs to be solved.

Joe

--------------------------------------------------------------------
mail2web - Check your email from the web at http://mail2web.com/ .
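The two points raised in the quoted messages, that a checksum is only worth something if it comes from somewhere other than the mirror that served the tarball, and that a "good" GPG signature from a key nobody has pinned proves nothing, can both be turned into a concrete check. The script below is an added example, not code from any poster on this thread or from the OpenSSH project. It compares the tarball's SHA-256 against a checksum the caller obtained out of band, and it treats a GPG signature as acceptable only when gpg's machine-readable status output reports VALIDSIG for a key whose fingerprint matches one pinned in advance, rather than merely GOODSIG. The fingerprint values and the sample status output are constructed placeholders; the real OpenSSH signing key fingerprint is not on this page and must be obtained from an independent source.

```python
"""Verify a downloaded tarball two independent ways (added example, not
project code):

  1. SHA-256 against a checksum obtained from a location independent of the
     download mirror (wozz's point: a checksum from the same mirror proves
     nothing if the mirror was tampered with).
  2. A GPG signature, accepted only when the signing key's fingerprint
     matches a fingerprint pinned ahead of time (Joe's point: gpg reporting
     a good signature from an unknown key is not evidence of anything).
"""
import hashlib
import hmac
import subprocess

# Placeholder fingerprint, constructed for this example; NOT a real key.
PINNED_FINGERPRINT = "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"

# Constructed sample of `gpg --status-fd 1 --verify` output for a signature
# made by the placeholder key above. Field layout of VALIDSIG follows gpg's
# documented status format; the timestamps are arbitrary.
SAMPLE_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2002-08-03 1028376000 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""


def sha256_file(path):
    """Stream a file through SHA-256 and return the lowercase hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_checksum(path, expected_hex):
    """True iff the file's SHA-256 equals expected_hex.

    expected_hex must come from somewhere other than the download mirror
    (a signed release announcement, a second distribution site, ...).
    """
    return hmac.compare_digest(sha256_file(path), expected_hex.strip().lower())


def signature_status_ok(status_output, pinned_fingerprint):
    """Decide from gpg status lines whether a signature should be trusted.

    GOODSIG alone is deliberately ignored: gpg emits it for any key it holds,
    including one just pulled from a keyserver. Trust is granted only when a
    VALIDSIG line names the pinned fingerprint (as signing or primary key)
    and no failure status appears.
    """
    pinned = pinned_fingerprint.replace(" ", "").upper()
    valid = False
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        tag = fields[1]
        if tag in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"):
            return False
        if tag == "VALIDSIG":
            # fields[2] is the signing key fingerprint; fields[11], when
            # present, is the primary key fingerprint for a signing subkey.
            fprs = {fields[2].upper()}
            if len(fields) >= 12:
                fprs.add(fields[11].upper())
            if pinned in fprs:
                valid = True
    return valid


def gpg_verify(sig_path, data_path, pinned_fingerprint=PINNED_FINGERPRINT):
    """Run gpg on a detached signature and apply signature_status_ok."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True,
    )
    return signature_status_ok(proc.stdout, pinned_fingerprint)


if __name__ == "__main__":
    # Offline demonstration on the constructed status sample.
    print("pinned key signed it:", signature_status_ok(SAMPLE_STATUS, PINNED_FINGERPRINT))
    print("some other key signed it:",
          signature_status_ok(SAMPLE_STATUS, "FFFF" * 10))
```

In practice the call is `verify_checksum("openssh-3.4p1.tar.gz", checksum_from_elsewhere)` followed by `gpg_verify("openssh-3.4p1.tar.gz.sig", "openssh-3.4p1.tar.gz")`; both must return True before the tarball is unpacked. The value of the second check rests entirely on how the pinned fingerprint was obtained, which is exactly the gap Joe describes.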