Vulnerability Development mailing list archives
RE: Re: ssh trojaned
From: "Joe Harrison" <list-general () ntlworld com>
Date: Sat, 3 Aug 2002 09:28:59 +0100
-----Original Message-----
From: wozz () 0xdeadbeef org [mailto:wozz () 0xdeadbeef org]
To: Eirik Seim

> Of course, verifying checksums does you no good if the checksums have been
> replaced along with the binary. Be sure to acquire your checksums from some
> other, presumably safe, location.
>
> On Thu, 1 Aug 2002 22:41:39 +0200 (CEST), Eirik Seim <default () stengt net> wrote:
>
>> Oh, and the guys that inserted the trojan might easily have had access to
>> more on the same ftp site, and subsequently also its mirrors. If you don't
>> usually verify checksums, now is a great time to start doing so.
This seems to me to be an important point. A couple of weeks ago I did download and install openssh-3.4p1.tar.gz from a mirror. When I examined its GPG signature it checked out fine, I mean fine insofar as GPG considered that the signature hash did correctly match the download file. However, the only assurance I had at that point was that the download had indeed been signed by some unknown key.

When I located this key on a public keyserver it claimed to belong to a particular individual, although this person was someone I had never heard of before. There were no "web of trust" signatures on the key. I emailed the address indicated by the keyserver and I got a response from this guy like "yes you have a valid tarball, please stop worrying." At that point I had spent too much time on this so I made a judgement on the balance of probabilities, gave up, and installed the thing.

But I still don't feel that I understand how to get a trusted (in the cryptographic sense) authoritative signing key for OpenSSH - which ultimately means that it's pointless to check download signatures. Considering that over the last few days we have seen how absolutely crucial it is to do this check, I would suggest there is a problem here that needs to be solved.

Joe
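The gap Joe describes is that "good signature" from gpg only proves the file was signed by *some* key; deciding that the key is the right one is a separate step. The script below is an added example, not code from the thread or from the OpenSSH project: it parses gpg's machine-readable status output and accepts a release only when the signature is good AND the signing key's fingerprint matches one pinned in advance from a source other than the download mirror. The pinned fingerprint and the sample status lines are placeholders constructed for the example.

```shell
#!/bin/sh
# Added example: split "signature is good" from "key is the one I trust".
# Fingerprint obtained out of band (second source, web of trust, etc.),
# never from the same mirror as the tarball. Placeholder value here.
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"   # hypothetical

# Extract the primary-key fingerprint from gpg --status-fd output.
# gpg emits a VALIDSIG line only for a cryptographically good signature;
# the last field of that line is the primary key's fingerprint.
signing_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }' "$1"
}

# Returns 0 when both checks pass; 1 when there is no good signature;
# 2 when the signature is good but made by a key other than the pinned
# one (the "valid tarball, unknown signer" case in the message above).
check_status_file() {
    fpr=$(signing_fpr "$1")
    if [ -z "$fpr" ]; then
        echo "no valid signature found"
        return 1
    fi
    if [ "$fpr" != "$PINNED_FPR" ]; then
        echo "good signature, but by unpinned key $fpr"
        return 2
    fi
    echo "good signature by pinned key $fpr"
    return 0
}

# Real use: run gpg, capture its status lines, then apply the pinned check.
#   verify_tarball openssh-3.4p1.tar.gz openssh-3.4p1.tar.gz.sig
verify_tarball() {
    status=$(mktemp) || return 1
    gpg --status-fd 1 --verify "$2" "$1" > "$status" 2>/dev/null || true
    rc=0
    check_status_file "$status" || rc=$?
    rm -f "$status"
    return "$rc"
}
```

Verifying the checksum file the same way (signature good, key pinned) closes the hole wozz points out, since a mirror that can swap the tarball can also swap an unsigned checksum list.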