The simple solution to that, and what they probably do: is provide the MD5 sum of the latest binary from a central location. This is conciderably less costly to distribute then the entire binary, and unless someone comes up with a trojan'ed version with the same hash (rather unlikely) it is perfectly safe to download it from anywhere. Another solution that they might employ is a digital signature. The first version that you download comes from a trusted source and contains KaZaA's public key. They could then sign any binaries that they release with their private key. When you download the updates from an untrusted source, it is simply a matter of verifying the signature is from KaZaA. It seems rather unlikely that you could infect the network in this way, or it would have already happened through normal vectors (people with virii on their machines. But you could probably verify this behavior, by modifying a few bits in an upgrade and seeing if it will still work... Depending on where they place the authentication code, if any. Many projects face a similar problem with their mirror sites and many of them provide md5 sums for their files so that you can verify it is uncorrupted/altered. Adam Lydick On Wed, 2002-02-06 at 15:10, Andrew McClymont wrote: > I just found out a folder named "My shared folder" under the KaZaA > installation folder. > > Inside "My shared folder" there were various KaZaA installshield > packages (exe files). > > Now, the people at FastTrack promotes their engine as a distributed way > to send files to end users. This is seen whe you download KaZaA, you get > a little exe (500 k) that downloads the full KaZaA client from one of > its users, I would guess, from the "My shared folder". > > What happens if I infect the files under "My shared folder" with a virii > or some trojan, every user that gets their KaZaA client from my computer > gets screwed, right? And then, the victim himself will be sharing the > KaZaA client infected to new victims. > > Just wondering... Have a nice day!! > -Andrew McClymont
