Vulnerability Development mailing list archives

Re: Infecting the KaZaA network? (moving here thread from 'traq)


From: Valdis.Kletnieks () vt edu
Date: Wed, 13 Feb 2002 11:29:34 -0500

On Tue, 12 Feb 2002 17:48:13 EST, Shoten <shoten () starpower net>  said:

> Not to mention that in this case, the file with the same checksum would have
> to be EXACTLY the same size as the KaZaA executable, AND be a functional
> virus on top of that.  And even if you got all that, you'd have to worry
> about it getting mixed with a valid client during download from multiple
> sources.  For those who think this is possible, go ahead and try...good luck

This is all assuming, of course, that you have reason to trust the original
size and checksum, and that you have reasonable assurance that you *are*
in fact downloading from multiple sources, at least one of which is not in
collusion.

How do you know that you aren't the victim of a man-in-the-middle attack
on your download?  Before you say "That can't be", go read this:

http://www.securityfocus.com/archive/1/245693

Hint: That's why the PGP documentation suggests key signing parties and
verifying the footprint *over the phone*.
-- 
                                Valdis Kletnieks
                                Computer Systems Senior Engineer
                                Virginia Tech

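An added example, not code from Valdis's or Shoten's messages, that plays out the argument above in Python on constructed data: a same-length replacement file passes the in-band size-and-checksum check when the attacker controls the download path (the advertised size and checksum arrive over that same path, so they are swapped along with the file), while a checksum pinned through an out-of-band channel catches it. The multi-source part shows that cross-checking chunk hashes between sources catches a single colluding source, but unanimously colluding sources are only caught by the pinned reference. The "KaZaA" byte strings, the 16-byte chunk size and the round-robin fetch order are assumptions made for the demonstration, not properties of the real client.

```python
"""Added example (constructed data, not code from the thread): why a size+checksum
match proves nothing unless the reference values arrived over a channel the
attacker does not control, and how cross-checking multiple sources helps only
if at least one source is honest and the final reference is pinned out of band."""
import hashlib
from dataclasses import dataclass

CHUNK = 16  # bytes per download chunk; small so the constructed data stays readable


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Release:
    """What a download site advertises: the file plus its size and checksum."""
    payload: bytes
    size: int
    digest: str


def publish(payload: bytes) -> Release:
    return Release(payload, len(payload), sha256(payload))


# Constructed stand-ins for a genuine client and a same-length trojaned build
# (hypothetical byte strings; 48 bytes = 3 chunks, only the middle chunk differs).
GENUINE = b"KaZaA client 1.0 -- genuine build ".ljust(3 * CHUNK, b"-")
TROJAN = GENUINE.replace(b"genuine ", b"trojaned")


def mitm(_seen: Release, replacement: bytes) -> Release:
    """Attacker sitting on the download path. Because size and checksum travel
    over the same path as the file, they get replaced along with it."""
    return publish(replacement)


def verify_in_band(r: Release) -> bool:
    """Shoten's check: length and checksum must match. Both came with the file."""
    return len(r.payload) == r.size and sha256(r.payload) == r.digest


def verify_pinned(payload: bytes, pinned_size: int, pinned_digest: str) -> bool:
    """Valdis's point: compare against values obtained out of band (the PGP
    'read the fingerprint over the phone' step), not against what the download
    handed you."""
    return len(payload) == pinned_size and sha256(payload) == pinned_digest


def chunks(data: bytes) -> list[bytes]:
    return [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)]


def multisource_download(sources: list[bytes], pinned_digest: str):
    """Fetch chunk i from source i mod n, ask every source for its hash of chunk i,
    and flag chunks the sources disagree on. Unanimous sources can still be
    colluding, so the assembled file is finally checked against the pinned digest.
    Returns (payload or None, list of disputed chunk indices)."""
    per_source = [chunks(s) for s in sources]
    n = len(per_source)
    assembled, disputed = [], []
    for i in range(len(per_source[0])):
        claimed = {sha256(ps[i]) for ps in per_source}
        if len(claimed) > 1:
            disputed.append(i)
        assembled.append(per_source[i % n][i])
    payload = b"".join(assembled)
    ok = not disputed and sha256(payload) == pinned_digest
    return (payload if ok else None), disputed


if __name__ == "__main__":
    good = publish(GENUINE)
    swapped = mitm(good, TROJAN)
    print("in-band check on MITM'd download:", verify_in_band(swapped))
    print("pinned check on MITM'd download: ",
          verify_pinned(swapped.payload, good.size, good.digest))
    print("one colluding source:", multisource_download([GENUINE, GENUINE, TROJAN], good.digest))
    print("all sources colluding:", multisource_download([TROJAN, TROJAN], good.digest))
```

The in-band check passes on the MITM'd download precisely because the replacement has the same length and the attacker rewrote the advertised checksum; only the values pinned from an independent channel distinguish the two. In the multi-source run, the disputed chunk index is reported so a real downloader could refetch it from another peer rather than silently assembling a mixed file.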