On Fri, 2002-05-31 at 09:55:21 +0200, Anders Nordby wrote...

> Although downloading it now seems safe, I think folks should know this.
> The changes done were similar to what happened to irssi, but with a
> different IP.
>
> MD5 sum of fragroute-1.2.tar.gz, downloaded from
> http://www.monkey.org/~dugsong/fragroute/ on May 27 (the contaminated
> version): 65edbfc51f8070517f14ceeb8f721075
>
> MD5 sum of fragroute-1.2.tar.gz, downloaded from
> http://www.monkey.org/~dugsong/fragroute/ on May 30 (this is the current
> MD5 sum): 7e4de763fae35a50e871bdcd1ac8e23a

This makes one wonder a question that would be best posed to the community; the purpose of MD5/SHA/etc is to provide unequivocal evidence as to the validity of a piece of data. More often than not, such files are kept in the same, vulnerable, location as the actual data. Clearly one can see the downfall of such a system.

To what extent have the entities in this forum started to analyze methods by which to use a "trusted" third party to house such signatures of data? In my mind, it seems evident that a light system might take some of the functionality of the trusted CA model in SSL, and use it to provide guaranteed (as much as one can) signatures. This might be a good discussion for another forum, but I'm curious to know if anything as such is being done.

-#0
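The point raised in the reply above, as an added example that is not part of the original thread: a checksum stored beside the tarball verifies whatever is currently on that host, while a digest recorded on a separate host does not move with it. The file contents, the `site`/`INDEPENDENT` structures and the function names are constructed for illustration, SHA-256 stands in for the MD5 sums quoted above, and the independent record is assumed to be authentic (for example, signed by its keeper).

```python
import hashlib
import hmac

NAME = "fragroute-1.2.tar.gz"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def matches(data: bytes, expected_hex) -> bool:
    """Constant-time digest comparison; a missing record never verifies."""
    if not expected_hex:
        return False
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())

def check_download(site: dict, independent: dict, name: str) -> dict:
    """Verify one file against the checksum published beside it and
    against a digest recorded somewhere the download host cannot write."""
    data = site["files"][name]
    beside = site["checksums"].get(name)
    elsewhere = independent.get(name)
    return {
        "same_host": matches(data, beside),
        "independent": matches(data, elsewhere),
        # Disagreement between the two records is itself an alert,
        # visible before the tarball is even unpacked.
        "records_agree": beside is not None and beside == elsewhere,
    }

# Constructed stand-ins for the release tarball and a modified copy.
GOOD = b"constructed stand-in for the original release tarball\n"
BAD = GOOD + b"constructed stand-in for an inserted change\n"

# Digest recorded at release time on a separate host (assumption).
INDEPENDENT = {NAME: sha256_hex(GOOD)}

def clean_site() -> dict:
    return {"files": {NAME: GOOD}, "checksums": {NAME: sha256_hex(GOOD)}}

def compromised_site() -> dict:
    # Write access to the tarball usually means write access to the
    # checksum file next to it, so both change together.
    return {"files": {NAME: BAD}, "checksums": {NAME: sha256_hex(BAD)}}

if __name__ == "__main__":
    for label, site in (("clean", clean_site()), ("compromised", compromised_site())):
        print(label, check_download(site, INDEPENDENT, NAME))
```

On the compromised copy the same-host check still passes; only the independently held digest, and the mismatch between the two records, exposes the change.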