On May 13, 13:35, Christopher Klaus wrote:
> > Yeah, great ... when you can trust everybody who runs an archie server.
> > I don't know any of those people personally, so how can I trust them that
> > checksums they announce are real?
> That would be a big conspiracy for the archie server admins to correct
> their database after an intruder modified the programs. And if
> you tried different archie sites, all the admins at all the archie servers
> must be part of this conspiracy. Umm, Okay.
Let's assume that I am a bad guy who has managed to infiltrate a site that is
providing anonymous ftp services. I proceed to replace various popular programs
with modified versions that have various trojan horses or back doors or whatever.
Knowing that the various archie servers are going to request a checksum for my
files and then set off various alarms if my checksums do not match everybody
elses checksums, what makes you think I would not be smart enough to modify the
program that produces the checksums so that it reports the same value that all
the other sites are reporting? The only problem I now have is if someone gets
a copy of a modified program from me and then puts it up for anonymous ftp. When
they generate the checksum it would not match everybody else and eventually the
problem could be tracked down to the site that I compromised.
David H. Brierley; Raytheon Company, Submarine Signal Directorate
Work: dhb @
com Home: dave @