----- Original Message -----
From: "Pat Moffitt" <[EMAIL PROTECTED]>
To: <debian-security@lists.debian.org>
Sent: Thursday, March 29, 2001 8:19 PM
Subject: RE: MD5 sums of individual files?

> It is more than possible. There are people that have figured out how to pad
> a file to make the checksums the same. They don't have to worry about the
> fact that your checksums cannot be changed because they will fake theirs to
> match. This is much more work and would require that the hacker have more
> skills than the regular script kiddy.

If you're using SHA / MD5 / RIPE this should be next to impossible, as these algorithms are designed to protect against exactly this sort of attack. With SHA, which produces a 160-bit hash, it should take you around 2^^80 messages before you find 2 that have the same hash, and about 2^^159 before you can find one which has the same hash as one of mine.

Of course, if you're using CRC32 for your checksum, that's a much easier problem :)

Dan

> Pat Moffitt
> MIS Administrator
> Western Recreational Vehicles, Inc.
>
> > -----Original Message-----
> > From: Don Laursen [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, March 29, 2001 10:40 AM
> > To: debian-security@lists.debian.org
> > Subject: RE: MD5 sums of individual files?
> >
> > Ok with that said, how feasible is it for a cracker to install their
> > rootkit, and mimic the checksummed files to match the contents of the
> > floppy? Wouldn't he/she just have to unmount the existing floppy drive,
> > remount it to his/her pseudo check sums?
> >
> > I'm probably missing the howto detail where the alert is generated before
> > rootkit is installed.
> >
> > Thanks,
> > Don
> >
> > > Yes, sorry, I wasn't clear about that. The floppy is mounted RO, plus
> > > the disk's tab is moved to the RO position. I agree... I wouldn't feel
> > > comfortable or safe if the floppy was just mounted RO.
> > >
> > >> Another way to do this is to install the AIDE package, that performs a
> > >> checksum to certain files that you specify in the configuration by the
> > >> way tripwire does it... It's so easy to install and sends you an e-mail
> > >> notifying the daily results
> >
> > --
> > To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> > with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
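
Dan's reply separates two efforts: finding any two messages with the same hash (around 2^^80 for a 160-bit hash) and matching one specific, already recorded hash (around 2^^159). The following is an added example, not part of the original thread, that measures both on SHA-1 truncated to 16 bits so the search finishes instantly; the function names, the 16-bit size and the sample messages are constructed for illustration.

```python
import hashlib
from itertools import count


def truncated_sha1(message: bytes, bits: int) -> int:
    """Return the top `bits` bits of SHA-1(message) as an integer."""
    digest = int.from_bytes(hashlib.sha1(message).digest(), "big")
    return digest >> (160 - bits)


def find_collision(bits: int):
    """Birthday search: any two distinct messages sharing a truncated hash.

    Returns (first_message, second_message, messages_hashed).
    """
    seen = {}
    for tries in count(1):
        msg = b"file-a-%d" % tries          # constructed candidate messages
        h = truncated_sha1(msg, bits)
        if h in seen:
            return seen[h], msg, tries
        seen[h] = msg


def find_second_preimage(target: bytes, bits: int):
    """Search for a different message matching one fixed, recorded hash.

    Returns (matching_message, messages_hashed).
    """
    wanted = truncated_sha1(target, bits)
    for tries in count(1):
        msg = b"file-b-%d" % tries          # never equal to `target` below
        if truncated_sha1(msg, bits) == wanted:
            return msg, tries


if __name__ == "__main__":
    BITS = 16                               # toy size; real SHA-1 is 160 bits
    recorded = b"contents of a checksummed file (constructed sample)"
    a, b, c_tries = find_collision(BITS)
    m, p_tries = find_second_preimage(recorded, BITS)
    print(f"collision after {c_tries} hashes (order of 2^{BITS // 2})")
    print(f"match for the recorded hash after {p_tries} hashes (order of 2^{BITS})")
```

A checksum baseline kept on read-only media depends on the second, much larger effort, which is why the hash length and algorithm matter more than the collision figure alone.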