[H-GEN] Squid addon

Anthony Towns aj at azure.humbug.org.au
Thu Apr 29 09:58:51 EDT 1999


On Thu, Apr 29, 1999 at 11:29:24PM +1000, Ben Fowler wrote:
> On Thu, 29 Apr 1999, Steve Thorne wrote:
> > what's the chance that there will be two tarballs of exactly the same
> > name and size, that wouldn't be the same file?
> Non-zero. 

Obviously. OTOH, you need to ask yourself whether it *really* matters.

I'll first note that, in general, taking an md5 checksum (a 128 bit,
collision resistant hash) is pretty safe -- not only do you have to
have a *huge* sample of files to accidentally get two files with the same
md5sum, but *constructing* a file with the same md5sum as another is
ridiculously hard.

> For example, assuming the proxy server I'm using distinguishes between
> files only by name/size, and if I had nothing better to do, I could find a
> file I would know would be popular (e.g. WinZip, for the sake of this
> discussion), create a file exactly the same size and name, but actually
> have it contain my porno collection, and somehow get the proxies to cache
> it.  

Some notes:

More likely, making WinZip a virus would be more entertaining. Ideally,
making it a trojan would be best, so people don't immediately notice, but
this would mean getting sizeof(virus + winzip) == sizeof(winzip), which
could be hard. You could throw out a README file or something maybe.

Making it the right size wouldn't be too hard though.

Getting at least some proxies to cache it wouldn't be too hard -- just
run "lynx", or get a friend to.

You could even get rid of the evidence -- once it's cached, you can rm
your copy and claim you've got no idea what anyone's talking about. If
you use geocities or similar, it's probably not even traceable.  If you
have access to a friend's machine, it's easy to incriminate them.

But again, getting an md5sum of a hacked binary to match a proper binary
is non-trivial. Significantly non-trivial.

> Another example: perhaps some script kiddy wants to backdoor your machine
> with BackOrifice or something?  Again assuming the proxy server is only
> using name/size info to compare files, and that said malicious cracker had
> a modicum of intelligence and devised a scheme like the above... that's
> one happy script kiddie :)

OTOH, said happy script kiddie could do a number of other things too.

S/he could crack the server the software's being distributed on. This
has happened to a couple of primary sources for some linux software,
for example.

S/he could, if s/he's on the same segment of the Internet as you are,
masquerade as the server/proxy and send you whatever s/he wants,
completely untraceably. This works for telnet, NFS, www, ftp, and
essentially all common Internet services.

If you want to get this right, you need authenticated protocols, there's
just no way around it.

That said, doing something like this (with a poor identification scheme
like "file name and size" instead of "file md5sum") on a wide scale is
just asking for trouble.

Cheers,
aj

-- 
Anthony Towns <aj at humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. PGP encrypted mail preferred.

``Smart, sexy, single. Pick any two (you can't have all three).''
        -- RFC 1925, paraphrased: a guide to networking in the '90s
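An added example, not code from the thread or from the Squid addon under discussion: a toy dedup cache modelling the proxy behaviour aj describes (first copy stored wins, later matches served from cache), keyed once on (name, size) and once on a content digest. It shows the "make it the right size" padding step, the attacker priming the cache, and the victim's fetch under each scheme. The cache class, the file contents and the name winzip.exe are constructed for illustration; SHA-256 stands in for the post's md5sum (the logic is identical with hashlib.md5, but MD5 collisions have been constructible in practice since 2004, so a practitioner would pick SHA-256 today).

```python
"""Added example, not code from the original thread: a toy dedup cache in
the style the post warns about, keyed on (name, size), beside one keyed on a
content digest.  All file contents are constructed sample bytes."""
import hashlib
from typing import Callable, Dict, Optional, Tuple

KeyFn = Callable[[str, bytes], str]

# Constructed "genuine" download (stands in for the real WinZip installer).
GENUINE = b"MZ\x90\x00 constructed genuine winzip installer bytes\n" * 8


def pad_to_size(data: bytes, size: int) -> bytes:
    """The 'make it the right size' step from the post: pad the replacement
    (or, in real life, throw out a README) so the length matches exactly."""
    if len(data) > size:
        raise ValueError("replacement is larger than the target")
    return data.ljust(size, b"\x00")


# Constructed trojaned replacement, padded to exactly the genuine size.
TROJANED = pad_to_size(
    b"MZ\x90\x00 constructed trojaned installer, backdoor\n" * 7, len(GENUINE)
)


def name_size_key(name: str, data: bytes) -> str:
    """Identification scheme the thread warns about: anyone can match it
    by picking the same file name and padding to the same length."""
    return f"{name}:{len(data)}"


def digest_key(name: str, data: bytes) -> str:
    """Content-hash identification (name deliberately ignored).  The post's
    md5sum works the same way here; SHA-256 is used because MD5 collisions
    are constructible today.  Matching this key means finding a collision."""
    return hashlib.sha256(data).hexdigest()


class DedupCache:
    """Hypothetical model of the proxy addon: first writer wins, and later
    requests whose key matches a stored object are served from the cache."""

    def __init__(self, key_fn: KeyFn) -> None:
        self.key_fn = key_fn
        self.store: Dict[str, bytes] = {}

    def put(self, name: str, data: bytes) -> str:
        key = self.key_fn(name, data)
        self.store.setdefault(key, data)   # an existing entry is never replaced
        return key

    def get(self, key: str) -> Optional[bytes]:
        return self.store.get(key)


def victim_fetch(key_fn: KeyFn) -> Tuple[bool, bytes]:
    """Attacker primes the cache with TROJANED (e.g. by fetching his own copy
    through the proxy with lynx), then a victim asks for the genuine file.
    The proxy derives the lookup key from what the genuine source advertises:
    name plus Content-Length for name_size_key, a published digest for
    digest_key.  Returns (victim received the genuine file?, bytes served)."""
    cache = DedupCache(key_fn)
    cache.put("winzip.exe", TROJANED)
    wanted = key_fn("winzip.exe", GENUINE)
    served = cache.get(wanted)
    if served is None:
        served = GENUINE                 # cache miss: proxy fetches from origin
        cache.put("winzip.exe", served)
    return served == GENUINE, served


def verify_download(data: bytes, published_digest: str) -> bool:
    """End-user check against a digest obtained out of band (a checksum file
    or a signed announcement), which catches the substitution either way."""
    return hashlib.sha256(data).hexdigest() == published_digest


if __name__ == "__main__":
    for label, fn in (("name/size", name_size_key), ("digest", digest_key)):
        ok, served = victim_fetch(fn)
        print(f"{label:10s} victim got genuine file: {ok}")
    print("verify trojaned copy:", verify_download(TROJANED, digest_key("", GENUINE)))
```

With the (name, size) key the attacker's primed entry is what the victim receives; with the digest key the attacker's entry simply never matches, and the proxy falls through to the origin. As the post says, that still leaves server compromise and on-path masquerading, which no identification scheme on the cache fixes; those need an authenticated transport or a signed digest.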