will lunar switch from md5sum's

Jon South striker at lunar-linux.org
Thu Aug 19 15:16:25 GMT 2004

Hendrik Visage wrote:
> To understand the ultimate risk, you'll have to understand the ease of
> generating a valid piece of code, still the same exact lenght as the original,
> and *that* to have the same hash value. Yes, these research papers showed it
> easier than we expected, but still they haven't shown it possible with
> multi megabyte files compressed files to be able to exploit the system and
> inject/remove valuable code.

Someone could theoretically remove certain files, such as docs, man 
pages, readme's, or even code comments and have plenty of room to insert 
a trojan that polls a website for more stuff to infect the system with.

> The risk is still not so big to worry about it if it's done properly, ie.
> you do the hash on the compressed data, and not the source code, as you add
> an extra layer of complexity, as the cracker needs to know find a valid
> gzip/bzip2 file that have a hash collision with the original, *and* that have
> a valid source code that have a backdoor in it. Not impossible, but in my
> opinion much less likely.

Someone who would even bother to attempt something like that could 
probably minimize that extra layer with some nice fast machines -- or 
perhaps, if they could compress the trojanized version smaller than the 
original archive (removing docs, etc), they could play with inserting 
extra junk data into the compressed archive.


The system requirements said "Windows 95 or better"
So I installed Linux.

Microsoft sells you Windows; Linux gives you the house.


Registered Linux User: 332618

More information about the Lunar mailing list