1994-12-22 - Making sure a program gets to the receiver intact

Header Data

From: an169306@anon.penet.fi
To: cypherpunks@toad.com
Message Hash: 8dae2c4b5d21c2b661470e4d1e9dbb57d423dadf7e3c28547006a4b23d2d4c7b
Message ID: <9412220711.AA21268@anon.penet.fi>
Reply To: N/A
UTC Datetime: 1994-12-22 07:47:49 UTC
Raw Date: Wed, 21 Dec 94 23:47:49 PST

Raw message

From: an169306@anon.penet.fi
Date: Wed, 21 Dec 94 23:47:49 PST
To: cypherpunks@toad.com
Subject: Making sure a program gets to the receiver intact
Message-ID: <9412220711.AA21268@anon.penet.fi>
MIME-Version: 1.0
Content-Type: text/plain


How can I ensure a program, once put on FTP sites, stays untampered with?

I have done the following, but I still find holes:

1:  PGP signed each file with a separate .sig file.
2:  Made a MD5 list, using 2-3 separate programs (making sure they agree),
    PGP signing the list, and asking friends to sign the list, leaving
    separate .sigs in the directory.
3:  Encrypting a copy of the MD5 list with a passphrase (if all keys are
    fragged, then in front of trusted witnesses, I can decrypt the key, 
    show them that the MD5 list is authentic.)
4:  PKZIPPING it using my AV key.  (Yes, I am aware that this is a joke,
    but since I am a registered user, why not use it?)  (Side note, if
    one uses PKZIP, please register it.  I have seen so many unregistered
    copies of this, that it makes my eyes water.)

The holes:

1:  Someone hacking the keyservers, substituting a key for all the people
    who signed, and modifying the archive to show that.
2:  Someone breaking into my apt, sticking a keyboard monitor on, getting
    my passphrase and key.

Most of this is theoretical, as it is hard to hack _all_ keyservers to
nuke my PGP key, then hack AOL, CompuServe, and other FTP sites to
modify the binary, but I would like to make _sure_ this program gets
into users' hands without getting modified.  (Not for paranoia reasons,
but just to see how well one can make a package resistant to tampering.)

Pardon the anonymous ID, as my reputation with my REAL user id is not
so great.  (No, I am not Lance, but not that much better off due to tons
of dumb mistakes with my regular ID on this list.)

-------------------------------------------------------------------------
To find out more about the anon service, send mail to help@anon.penet.fi.
Due to the double-blind, any mail replies to this message will be anonymized,
and an anonymous id will be allocated automatically. You have been warned.
Please report any problems, inappropriate use etc. to admin@anon.penet.fi.
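
Added example, not part of the original message: a receiver-side check for step 2 above, cross-checking hash lists produced by independent tools and then verifying a downloaded directory against the agreed list. It assumes md5sum-style "DIGEST  filename" lines and that the PGP signatures on the list were already verified separately; all function names are hypothetical.

```python
import hashlib
from pathlib import Path

def parse_list(text):
    """Parse md5sum-style 'DIGEST  name' lines into {name: digest}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        entries[name.lstrip("*")] = digest.lower()  # '*' marks binary mode
    return entries

def agreed_digests(lists):
    """Keep only entries on which every independent list agrees."""
    merged, conflicts = {}, []
    for name in sorted(set().union(*lists)):
        seen = {lst.get(name) for lst in lists}  # None if a list omits it
        if len(seen) == 1:
            merged[name] = seen.pop()
        else:
            conflicts.append(name)
    return merged, conflicts

def file_digest(path, algo="md5"):
    """Hash a file in chunks; algo is any name hashlib.new() accepts."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_tree(root, expected, algo="md5"):
    """Report each file as ok / modified / missing / rejected / unlisted."""
    root, report = Path(root), {}
    for name, digest in expected.items():
        rel = Path(name)
        if rel.is_absolute() or ".." in rel.parts:
            report[name] = "rejected"  # list entry points outside the archive
        elif not (root / rel).is_file():
            report[name] = "missing"
        else:
            same = file_digest(root / rel, algo) == digest
            report[name] = "ok" if same else "modified"
    for p in root.rglob("*"):  # files present but absent from the signed list
        if p.is_file():
            report.setdefault(p.relative_to(root).as_posix(), "unlisted")
    return report
```

Detached .sig files kept in the same directory will show up as "unlisted" unless the list covers them too.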
