Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security NTBugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: MD5 Hash for WindowsXP-KB835935-SP2-ENU.exe

from [Jason Coombs PivX Solutions] Network Security [Permanent Link]
Subject: Re: MD5 Hash for WindowsXP-KB835935-SP2-ENU.exe
Date: Thu, 12 Aug 2004 00:00:00 GMT 
-----Original Message-----
FROM: "Jason Coombs PivX Solutions" <jasoncoombs@tmo.blackberry.net>
Date: Wed, 11 Aug 2004 22:00:32
To:"Windows NTBugtraq Mailing List" <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>
Cc:PTCull@LBL.GOV
Subject: Re: MD5 Hash for WindowsXP-KB835935-SP2-ENU.exe

Pete Cull wrote:

Other companies are doing this.
 Should MS include md5 checksums?


Yes.

That having been said, I have debated this point for some time with Microsoft 
and others, and the real answer is both 1) no, and 2) they already do include 
hash codes for the software they publish.

You probably know that Microsoft uses digital signatures. Their view is that 
these signatures are better than a list of known/expected hashes ... check the 
digital signature on the file, the argument goes, and you *are* verifying its 
hash code. You do so under Windows Explorer by right-clicking on the file.

Never mind that we all have our favorite trusted hashing utility, and our 
favorite trusted source like PTCull@LBL.GOV and NTBugTraq to confirm for us 
that we know what hash code to expect. Obviously, because the NTBugTraq posting 
is not itself digitally signed, an attacker who has planted a bad binary on 
your system is going to also watch all your incoming mail and replace the real 
hash code supplied by NTBugTraq with the right one for the malware. Or, the 
attacker will just DOS your inbox to prevent you from receiving the NTBugTraq 
posting that supplies the correct hash code.

This is the general argument against publishing hashes, the way all good 
software vendors do, and I still cannot comprehend it. Some people look at 
hashes or signatures as solely an integrity check, and perhaps you consider 
yourself to be in this camp? A checksum that tells you that your download has 
completed successfully is helpful, particularly when our file transfer tools 
are so poorly designed as to tell you neither how large the file was supposed 
to be nor that the file did not download completely.

But more than an integrity check, keeping track of known good hashes is also a 
security measure. Receiving a hash code from a trusted source that you can 
verify with a tool of your choice offers superior practical security than does 
attempting to verify a digital signature with a tool provided by the software 
vendor.

Sincerely,

Jason Coombs
Director of Forensic Services
PivX Solutions, Inc.
http://www.PivX.com/forensics/

-----
NTBugtraq Editor's Note:

Want to reply to the person who sent this message? This list is configured such 
that just hitting reply is going to result in the message coming to the list, 
not to the individual who sent the message. This was done to help reduce the 
number of Out of Office messages posters received. So if you want to send a 
reply just to the poster, you'll have to copy their email address out of the 
message and place it in your TO: field.
-----
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Windows XP SP2: Hang on ASUS P4P800-E Deluxe with Intel with BIOS older than v1002, Jannie Hanekom
Next by Date:  Re: XP SP2 nmap incompatibility, Joe Doyle
Previous by Thread:  MD5 Hash for WindowsXP-KB835935-SP2-ENU.exe, Pete Cull x2315
Next by Thread:  Symantec XP SP2: More Information, David Luxford
Indexes:  [Date] [Thread] [Top] [All Lists]