Compiling a forged version with malicious code of Prime95/mprime and
distributing it is maybe the simplest and possibly most devastating
attack. Since the complete source (save for the Primenet checksums but
these could either be reverse-engineered or the fake client could simply
connect to a fake server) is freely available, it would be extremely
easy to build a trojan Prime95 client that feels just like the real
thing. Right now there are few possibilities to verify the integrity of
a Prime95 package you get, other than downloading it from the original
ftp server - but that could be hacked, too.
I think it would be a good thing if George could get a certified public
key and issue signatures for the official Prime95 releases. That way a
forged Prime95 package could quickly be identified and countermeasures
could be taken.
Ciao,
Alex.