RE: Instant Messaging hash values

["Nick Duda" <nduda () VistaPrint com>]

We do that already....we've let numerous people go for breaking the
"p2p" policy. I'm looking for just one smaller level of defense against
this. I know its not 100% but where I am implementing this I would be
surprised if anyone knew how to even find the installed binary itself.

My question still stands, is there a master list of original vendor
hashes?

- Nick

-----Original Message-----
From: Dave Aronson [mailto:sfbasics2dave () davearonson com] 
Sent: Saturday, August 06, 2005 10:38 AM
To: security-basics () securityfocus com
Subject: Re: Instant Messaging hash values

"Nick Duda" <nduda () VistaPrint com> wrote:

> I'm looking to create a software restriction policy via GPO to
> prevent different instant messenger services (AIM, MSN, Yahoo,
> Trillian..etc) from running based on the hash value. Short of
> gathering all know binaries for each client is there any way to
> obtain hash codes from past versions anywhere....perhaps a website
> with a repository of hash values for binaries?

All it would take to get around that, is for someone to compile it 
themselves.  Only if there's absolutely nothing in the binary that 
depends in any way on the time, or particular machine, or installed 
libraries detected, etc., will the hashes work out the same.  (Barring 
the occasional coincidental collision of course.)

Don't get too hung up on using technology to solve every problem.  How 
about prevention via deterrence: get caught running this stuff and you 
get, oh, say, something vague like "penalties to be decided in 
accordance with the severity of the case, ranging from verbal reprimand 
to immediate termination and, if applicable, required reimbursement of 
consequential damages" (like if you let in an IM-borne virus)?

-Dave