Re: Opinions on the security of antivirus software

[bill earley <bearley () houston rr com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Comments Inline

- ------Question---------

On Saturday 06 July 2002 01:45 am, you wrote:
> Of course there was a recent thread on pgp signatures and e-mail in which
> it was mentioned that few folks actually check the signature keys within

- -------answer--------------

This, just like every security issue, depends on how seriously the responsible 
parties take security. I can safely say that every signed email is checked at 
least to the point of knowing if it is a good or bad known sig or an unknown 
or untrusted sig. Then depending on how important it is that the unknown / 
untrusted sig be known and trusted then the key gets verified. An example 
would be this mailing list; I get several signed messaghes that show up as 
unknown / untrusted, but, since it is not critical info then there is no need 
to verify the sigs.  Business communications are all verified and if one 
shows up unknown or untrusted then flags go up all over the place. Sensitive 
or critical info is also encrypted not just signed.

- -------Question--------------

> those signed messages they get.  The quetion I pose here then is, how many
> actually check the pgp signatures, or even md5 checksums on all the code
> they scarf up off the net?  Of course, if I recall correctly also, when

- ------answer--------------

I can only offer the one vote for here, but, that is the royal "one" meaning 
everybody here.

- ------Question--------------

> monkey.org was compromised recently and trojaned ode placed there, were
> not the md5 checksums also altered to make the trojaned code appear valid?

- ------answer--------------

True, but, md5 checksums are a simple hash of file size and bit order meant to 
verify a "clean" transmission and not really meant to verify authenticity of 
the file, only that the file received is a binary duplicate of the original. 
Theoretically it could be used to verify the file if the files author 
provided a copy of the md5sum to you, when the file was authored, that you 
held seperate and used to verify against the target file. That would require 
knowing who would be accessing the file and providing them with the md5sum at 
the time the file was created. Much simpler to sign it with pgp or gpg.

- ------Question--------------

> If a site is compromised using pgp signatures, how much of an issue would
> it be to alter then also?

- ------answer----------------

Several orders of magnitude harder, because they would have to either get the 
authors "keys" to sign the file with (probably located on another box) or 
compromise my copies of the authors keys (definitely on another box.). As 
well as compromising the keyservers that I would use to verify the keys if 
anything showed as suspicious.

- -----free response-------

Long response I know, but, I hope it gives some insight.  As always it depends 
on the individual's attention to detail and how seriously security is taken. 
MUA's can be set to take advantage of encryption and sig.s and several 
companies now "sign" their software packages. It does involve a little more 
effort, but, in my opinion it's well worth it.
 
- ----- snipped --- old ---- text ------- 

Bill Earley

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9JwRGej43sadgu/sRAkLPAKClxbM89rBPAaXwAF6CopWzyXR5RwCbB7Pb
vcCh36Y305pJaHsXRt9kFWU=
=QCct
-----END PGP SIGNATURE-----

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards