Vulnerability Development mailing list archives
Re: Infecting the KaZaA network? (moving here thread from 'traq)
From: Valdis.Kletnieks () vt edu
Date: Thu, 14 Feb 2002 11:31:03 -0500
On Wed, 13 Feb 2002 19:52:33 EST, you said:
> Correct me if I'm wrong, but isn't it the *client* that verifies the final MD5 of the assembled file?
Correct, but it needs something to compare it to..
> In order for a MITM attack to be successful, the initial download of the stub from kazaa must be trojaned. This is done from the kazaa website
Also correct. Notice however that if the initial stub is compromised, it's "game over". The kazaa scheme *is* certainly much more secure than not doing anything at all, and *does* close down most of the vulnerabilities quite nicely - but it *is* still vulnerable to a number of fairly obvious attacks.
> Trusting downloaded software is a difficult proposition. The MS code signing key debacle showed that even a trusted third party has "oops"es and undoubtedly is vulnerable to arm-twisting by <insert three-letter agency here>.
Also correct, and my point - simply saying "it *must* be safe because it made some attempt to protect itself" has its own vulnerabilities, and that there needs to be an out-of-band way to verify what's going on. I don't mind if people say "OK, kazaa's scheme is secure enough for me, my threat model doesn't include the sort of subterfuge required". It's just the implication that since kazaa does X, Y, and Z, that the download is guaranteed safe. Remember - just because Larry Ellison says Oracle is "unbreakable", doesn't mean it is so. ;)
--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech