[ale] ! Openssh package trojaned...

Jonathan Glass jonathan.glass at ibb.gatech.edu
Thu Aug 1 11:13:17 EDT 2002


At 10:32 AM 8/1/2002 -0500, John Wells wrote:
>This brings to mind a question I've had for awhile now.
>Many sites provide md5 files in addition to a tarball so you can run
>md5sum on the tarball and compare the hash.  What prevents some hax0r from
>posting a fake md5 file when they compromise a tarball, so the sums will
>match?

You don't apply the immutable flag to those files?


> >From what little I know about FreeBSD, it seems that ports allowed this
>bogus package to be spotted.  I assume this would not be the case on
>linux.  So what good is an md5 file anyway?  I'm probably missing
>something here...
>
>Thanks,
>
>John


Jonathan Glass, RHCE, Linux+, Network+, A+, MCP
Systems Support Specialist II
Institute for Bioengineering and Bioscience/BME
Georgia Institute of Technology
Voice: 404-385-0127
E-mail: jonathan.glass at ibb.gatech.edu


---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.






More information about the Ale mailing list