Vulnerability Development mailing list archives

RE: Re: ssh trojaned


From: "kevin () ktstone com" <kevin () ktstone com>
Date: Sat, 3 Aug 2002 13:26:00 -0400


Non-reputability is a definite improvement over digital signatures.  Too
bad that verifying the checksum is also limited.

Kevin  
Original Message:
-----------------
From: Joe Harrison list-general () ntlworld com
Date: Sat, 3 Aug 2002 09:28:59 +0100
To: vuln-dev () securityfocus com
Subject: RE: Re: ssh trojaned


-----Original Message-----
From: wozz () 0xdeadbeef org [mailto:wozz () 0xdeadbeef org]
To: Eirik Seim

Of course, verifying checksums does you no good if the checksums
have been replaced along with the binary.  Be sure to acquire your
checksums from some other, presumably safe, location.

On Thu, 1 Aug 2002 22:41:39 +0200 (CEST), Eirik Seim
<default () stengt net> wrote:


Oh, and the guys that inserted the trojan might easily have had access to more
on the same ftp site, and subsequently also its mirrors.  If you don't
usually verify checksums, now is a great time to start doing so.

This seems to me to be an important point.

A couple weeks ago I did download and install openssh-3.4p1.tar.gz from a
mirror. When I examined its GPG signature it checked out fine, I mean fine
insofar that GPG considered that the signature hash did correctly match the
download file.

However, the only assurance I had at that point is that the download had
indeed been signed by some unknown key. When I located this key on a public
keyserver it claimed to belong to a particular individual, although this
person was someone I never heard of before. There were no "web of trust"
signatures on the key. I emailed the address indicated by the keyserver and
I got a response from this guy like "yes you have a valid tarball, please
stop worrying."

At that point I had spent too much time on this so I made a judgement on the
balance of probabilities, gave up, and installed the thing. But I still
don't feel that I understand how to get a trusted (in the cryptographic
sense) authoritative signing key for OpenSSH - which ultimately means that
it's pointless to check download signatures. Considering that over the last
few days we have seen how absolutely crucial it is to do this check I would
suggest there is a problem here that needs to be solved.

Joe

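Joe's difficulty above is that a "Good signature" verdict from a key nobody has vouched for proves little, and wozz's point is that a checksum fetched from the same place as the tarball proves nothing. As an added example that is not part of this thread, the Python below accepts a release only when its digest matches a value obtained out of band and the GnuPG status output names a key fingerprint pinned in advance; the fingerprint, status lines and digests are constructed placeholders.

```python
"""Added example: gate a download on two independent checks, a digest obtained
out of band and a signing key whose fingerprint was pinned in advance."""
import hashlib
import re

# Fingerprint of the release-signing key, obtained out of band beforehand.
# Constructed placeholder, not any real OpenSSH key.
PINNED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"

# Constructed gpg --status-fd output for the case in the thread: GnuPG reports
# a good signature, but from a key nobody has vouched for and we never pinned.
UNPINNED_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Unknown Person <someone@example.invalid>
[GNUPG:] VALIDSIG 89ABCDEF0123456789ABCDEF0123456789ABCDEF 2002-06-26 1025049600 0 4 0 17 2 00 89ABCDEF0123456789ABCDEF0123456789ABCDEF
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

def checksum_ok(data: bytes, expected_hex: str) -> bool:
    """True if the download's SHA-256 matches a digest fetched from a second,
    independent location (a checksum sitting next to the tarball proves nothing)."""
    return hashlib.sha256(data).hexdigest() == expected_hex.strip().lower()

def signature_ok(status_output: str, pinned_fpr: str = PINNED_FPR) -> bool:
    """Parse the machine-readable lines from `gpg --status-fd 1 --verify`.
    Accept only a VALIDSIG whose signing or primary fingerprint equals the pinned
    one; GOODSIG alone and the TRUST_* level GnuPG attaches are not enough."""
    fingerprints, failed = set(), False
    for line in status_output.splitlines():
        m = re.match(r"\[GNUPG:\]\s+(\S+)\s*(.*)", line)
        if not m:
            continue
        keyword, fields = m.group(1), m.group(2).split()
        if keyword == "VALIDSIG" and fields:
            fingerprints.add(fields[0].upper())       # (sub)key that made the signature
            if len(fields) >= 10:
                fingerprints.add(fields[9].upper())   # primary key fingerprint
        elif keyword in ("BADSIG", "ERRSIG", "NODATA", "EXPKEYSIG", "REVKEYSIG"):
            failed = True
    return not failed and pinned_fpr.upper() in fingerprints

def release_ok(data: bytes, expected_hex: str, status_output: str) -> bool:
    """Both checks must pass; either alone can be defeated by a compromised mirror."""
    return checksum_ok(data, expected_hex) and signature_ok(status_output)

if __name__ == "__main__":
    print("unpinned key accepted?", signature_ok(UNPINNED_STATUS))  # False
```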


