"Trust is obsolete;
cryptography is truth;
source code is requisite for
security, but not sufficient
unless you can read it."
~Cypherpunk maxims

How many of us, honestly, verify checksums and crypto signatures?
(Few hands remaining up, eh?)
An article by Jon Lasser on the Security Focus site
(http://www.securityfocus.com/columnists/48) brings up a good reason to
get into the habit of checking the checksums of open source software. A
Slashdot poster claims to have demoed how to do switches of software in
transit.
One of the notes in the article is how so few Windows software packages
are distributed with MD5 or other checksums to allow people to have one
method of seeing if the code was modified. (BTW, Windows, unlike many
other OSes, doesn't even include anything like an MD5 util. Yeah, it's a
minor quibble but it hints at the mindset in the company.)
J.D. Abolins
Meyda Online -- Infosec & Privacy Studies
Web: http://www.meydaonline.com (My "holiday season" project: to get the
site online finally, before 2002.)