Making sure a program gets to the receiver intact
How can I ensure a program, once put on FTP sites, stays untampered with?
I have done the following, but I still find holes:
1: PGP signed each file with a separate .sig file.
2: Made an MD5 list, using 2-3 separate programs (making sure they agree),
PGP signing the list, and asking friends to sign the list, leaving
separate .sigs in the directory.
3: Encrypting a copy of the MD5 list with a passphrase (if all keys are
fragged, then in front of trusted witnesses, I can decrypt the key,
show them that the MD5 list is authentic.)
4: PKZIPPING it using my AV key. (Yes, I am aware that this is a joke,
but since I am a registered user, why not use it?) (Side note, if
one uses PKZIP, please register it. I have seen so many unregistered
copies of this, that it makes my eyes water.)
The holes:
1: Someone hacking the keyservers, substituting a key for all the people
who signed, and modifying the archive to show that.
2: Someone breaking into my apt, sticking a keyboard monitor on, getting
my passphrase and key.
Most of this is theoretical, as it is hard to hack _all_ keyservers to
nuke my PGP key, then hack AOL, compuserve, and other FTP sites to
modify the binary, but I would like to make _sure_ this program gets
into users' hands without getting modified. (Not for paranoia reasons,
but just to see how well one can make a package resistant to tampering.)
Pardon the anonymous ID, as my reputation with my REAL user id is not
so great. (No, I am not Lance, but not that better off due to tons
of dumb mistakes with my regular ID on this list.)
-------------------------------------------------------------------------
To find out more about the anon service, send mail to [email protected].
Due to the double-blind, any mail replies to this message will be anonymized,
and an anonymous id will be allocated automatically. You have been warned.
Please report any problems, inappropriate use etc. to [email protected].
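
Step 2 of the post above (a checksum list that is then signed), as an added example that is not part of the original message: a verifier a recipient could run against the list. It assumes the list's detached signature has already been checked against a key obtained out of band, and it uses SHA-256 in place of the post's MD5, which is no longer collision-resistant; all file names and contents are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path

def parse_manifest(text):
    """Parse sha256sum-style 'hexdigest  filename' lines into {name: digest}."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, name = line.strip().split(None, 1)
        if Path(name).name != name or name in entries:  # path tricks, duplicates
            raise ValueError(f"suspicious manifest entry: {name!r}")
        entries[name] = digest.lower()
    return entries

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_release(directory, manifest_text, ignore=()):
    """Classify every file as ok / mismatch / missing / unlisted."""
    expected = parse_manifest(manifest_text)
    result = {"ok": [], "mismatch": [], "missing": [], "unlisted": []}
    for name, digest in sorted(expected.items()):
        path = Path(directory, name)
        if not path.is_file():
            result["missing"].append(name)
        elif sha256_file(path) == digest:
            result["ok"].append(name)
        else:
            result["mismatch"].append(name)
    # Files present in the directory but absent from the signed list
    present = {p.name for p in Path(directory).iterdir()}
    result["unlisted"] = sorted(present - set(expected) - set(ignore))
    return result

def demo():
    """Constructed sample release, altered after the manifest was produced."""
    files = {"prog.exe": b"binary v1", "readme.txt": b"docs", "manual.txt": b"m"}
    manifest = "\n".join(f"{hashlib.sha256(d).hexdigest()}  {n}" for n, d in files.items())
    files = {"prog.exe": b"binary v1 + patch", "readme.txt": b"docs", "extra.dll": b"added"}
    with tempfile.TemporaryDirectory() as tmp:
        for n, d in files.items():
            Path(tmp, n).write_bytes(d)
        return verify_release(tmp, manifest, ignore=("SHA256SUMS.sig",))
```

Only an empty `mismatch`, `missing` and `unlisted` result means the directory matches the list; the check is only as trustworthy as the signature on the list itself.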