On Mon, 30 Aug 2004, Dan Hollis wrote:
On Mon, 30 Aug 2004, james edwards wrote:
Not true. For those of us who host Akamai servers, we could download SP2 with no problems. We did not need P2P, or MSDN. In fact, I would be very reluctant to trust a Windows update downloaded via P2P. Have you heard of MD5 sum ?
yep md5 made the news recently because it's been cracked:
http://techrepublic.com.com/5100-22-5314533.html http://www.rtfm.com/movabletype/archives/2004_08.html#001055
It hasn't actually but I guess the differences are to subtle some people to grasp. It is now possible to generate a collision [*] (ie two files with the same md5 hash) for a given hash. generating a file with a malicious payload that has the same hash as another file is left as an exercise to the reader. The implication of course is that it's time to switch hash Algorithms to sha-1 or sha-2(224,256,384,512), not that hash algorithms are a bad way to validate integrety of data. The other component of course is having the hash be signed in some fashion by a trusted third party, such at the package or ditribution maintainer or creator so you validate the hash then verfiy the file integrety. most linux distributions and freebsd images and macosX updates use such a scheme. * - http://eprint.iacr.org/2004/199.pdf
-Dan
-- -------------------------------------------------------------------------- Joel Jaeggli Unix Consulting joelja@darkwing.uoregon.edu GPG Key Fingerprint: 5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB B67F 56B2