OpenSSH Trojan

Steve Bougerolle steveb at creek-and-cowley.com
Thu Aug 1 17:15:22 PDT 2002


On Fri, 2002-08-02 at 10:48, Bryan Breen wrote:
> Perhaps the real lesson is to double check those md5sum or validate them
> against a signing key. And in particular, use values that are not coming
> from the same server that you are obtaining the source from (and hopefully
> not a server that is just an identical mirror).

I agree.

It's frightening how many sites simply post MD5 sums in a file in the
same folder as the code you're downloading.  That's so easy to subvert
it's actually misleading and therefore dangerous to bother doing it at
all.  

Coders should be PGP signing these things, just like the kernel guys
do.  Once you get into it, verifying signatures is easy.

(Having said all that, isn't OpenSSH signed?)

-- 
Steve Bougerolle
Creek & Cowley Consulting

http://www.creek-and-cowley.com
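An added illustration of the point above, not part of the post: a checksum file served beside the tarball gives no protection against a compromised mirror, while a signature checked against a public key obtained out of band does. It uses a toy RSA built from the Python standard library so it runs offline; the sample "tarball" bytes and the names `mirror`, `check_with_md5sums` and `check_with_signature` are constructed for the example.

```python
import hashlib
import random

# Toy RSA over SHA-256 using only the standard library, so the example runs offline.
# It illustrates the principle; real releases are signed and checked with GnuPG.
def gen_prime(bits, rounds=24):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # exact size, odd
        # Fermat test: fine for random candidates in a toy; real code uses Miller-Rabin
        if all(pow(random.randrange(2, cand - 1), cand - 1, cand) == 1 for _ in range(rounds)):
            return cand

def keygen(bits=512):  # returns (public, private); retries until e is invertible mod phi
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def h(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(priv, data):
    return pow(h(data), priv[1], priv[0])

def verify(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == h(data)

# Two downloader checks: the first trusts an MD5SUMS file served by the same mirror
# as the tarball; the second trusts only a public key obtained out of band.
def check_with_md5sums(mirror):
    return hashlib.md5(mirror["tarball"]).hexdigest() == mirror["MD5SUMS"]

def check_with_signature(mirror, pub):
    return verify(pub, mirror["tarball"], mirror["tarball.sig"])

def scenario():
    pub, priv = keygen()
    genuine = b"constructed stand-in for the genuine tarball\n"
    mirror = {"tarball": genuine, "MD5SUMS": hashlib.md5(genuine).hexdigest(),
              "tarball.sig": sign(priv, genuine)}
    before = (check_with_md5sums(mirror), check_with_signature(mirror, pub))
    # A compromised mirror can replace the tarball and rewrite MD5SUMS to match,
    # but cannot produce a valid tarball.sig without the maintainer's private key.
    swapped = genuine + b"constructed stand-in for an injected change\n"
    mirror["tarball"], mirror["MD5SUMS"] = swapped, hashlib.md5(swapped).hexdigest()
    after = (check_with_md5sums(mirror), check_with_signature(mirror, pub))
    return before, after  # ((True, True), (True, False))
```

The same holds for SHA-256 sums: the hash algorithm is not the weak point, the trust path to the published value is.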
