LinuxQuestions.org
Old 05-08-2004, 09:21 AM   #1
lrt2003
Member
 
Registered: Mar 2004
Distribution: Fedora 10
Posts: 182

Rep: Reputation: 30
Proposed Cross-Reference Md5sum Project


Hello there!

In order to prevent malicious hackers compromising a huge mirror site (even main site itself), or whatnot, and tampering with rpms/binaries and altering the md5sums posted on the site, I propose the following:

Individual contact with the creators to find out the correct md5sum, before public release.

Contact a series of host sites that are willing to host a text file of md5sums (and update it). Can be international, etc..

Then, a program that contacts all the host sites and cross-checks them with each other, and lists non-matches, % correct matches, which ones are different, etc etc... You simply tell the program which rpm or binary you wish to check, and it goes out and cross-references them all.

This would make it very difficult for those wishing to alter the publicly posted md5sums and binaries on a single host site.

It would be a fairly large list, even split up into different lists for faster access if it grows. It would contain all the most popular and important program binary md5sums..

Sites that are down, etc are ignored and left out... all the technical stuff is pretty simple.. I'm willing to program and maintain it if there's enough interest.

What do you people think?

Last edited by lrt2003; 05-08-2004 at 09:23 AM.
 
Old 05-09-2004, 03:28 AM   #2
iainr
Member
 
Registered: Nov 2002
Location: England
Distribution: Ubuntu 9.04
Posts: 631

Rep: Reputation: 30
Sounds like a good idea. I don't think it would be realistic to contact everyone releasing ISOs to get the correct values though - it would require a lot of maintenance and would probably break down fairly soon. I think you need some automated way to figure out if an md5 is likely to be wrong and flag up if there is concern.
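The cross-check proposed in post #1, with the automated flagging asked for in post #2, as an added example that is not part of the original thread and is not code from any poster. The host names, file name and digests are constructed, and each host's list is assumed to use the `md5sum` output format and to have been fetched already (`None` stands for an unreachable host).

```python
import hashlib
import re
from collections import Counter

# One md5sum list line: 32 hex digits, a space, ' ' (text) or '*' (binary), file name.
LINE = re.compile(r"([0-9a-fA-F]{32}) [ *](.+)")

def parse_sums(text):
    """Parse an md5sum-style list into {filename: lowercase digest}."""
    sums = {}
    for line in text.splitlines():
        m = LINE.fullmatch(line.strip())
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums

def cross_check(filename, host_lists, local_digest=None):
    """Compare what every host publishes for filename and report disagreement."""
    published, skipped = {}, []
    for host, text in host_lists.items():
        digest = parse_sums(text).get(filename) if text is not None else None
        if digest is None:
            skipped.append(host)  # host down or file not listed: left out of the vote
        else:
            published[host] = digest
    votes = Counter(published.values())
    top, count = votes.most_common(1)[0] if votes else (None, 0)
    # Only a strict majority counts; a tie or plurality is flagged as no consensus.
    consensus = top if count * 2 > len(published) else None
    return {
        "consensus": consensus,
        "agreement": 100.0 * count / len(published) if published else 0.0,
        "dissenting": sorted(h for h, d in published.items() if d != top),
        "skipped": sorted(skipped),
        "local_ok": None if local_digest is None or consensus is None
                    else local_digest.lower() == consensus,
    }

# Constructed sample data: five hypothetical hosts, one altered, one unreachable.
GOOD = hashlib.md5(b"constructed package contents").hexdigest()
BAD = hashlib.md5(b"constructed tampered contents").hexdigest()
SAMPLE = {
    "mirror-a.example": f"{GOOD}  foo-1.0.rpm\n",
    "mirror-b.example": f"{GOOD}  foo-1.0.rpm\n",
    "mirror-c.example": f"{BAD}  foo-1.0.rpm\n",
    "mirror-d.example": None,
    "mirror-e.example": f"{GOOD} *foo-1.0.rpm\n",
}
```

The report only shows whether the hosts agree with each other; the lists themselves are not authenticated here.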
 
Old 05-10-2004, 01:09 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,519
Blog Entries: 51

Rep: Reputation: 2598
What do you people think?
Maintaining it: Hell of a job.
How useful?: vendors and 3rd party binaries won't be supported, own builds won't be supported.
Authentication?, how about fooling the process?

There's three apps I know of using it, "Knowngoods" checker, Tiger and Rootkit Hunter. Knowngood shows the problem with maintenance, Tiger only supports Debian, and RKH shows what happens if your md5sums aren't listed (release not in db).

Other than that, if you think you've got this groundbreaking idea, and if you got an alpha out, post it here and I'll definitely support it by testing it.
 
Old 05-12-2004, 02:18 AM   #4
lrt2003
Member
 
Registered: Mar 2004
Distribution: Fedora 10
Posts: 182

Original Poster
Rep: Reputation: 30
Thanks for the feedback guys..

I will let you know if I get something started.. I just got to do some thinking... efficiency and automation are on my mind.. and security of course