John Andersen wrote:
> On Friday 06 April 2007, G.T.Smith wrote:
>
>> Checksums as it has been already pointed out provide no security, only
>> a guarantee of the integrity of the source files, and as such are
>> essential for technologies such as bittorrent to work. However, checksum
>> + datasource checks can be gimmicked (though in the instance of
>> bittorrent such gimmickry is unlikely to work).
>>
>
> So which is it, Graham?
> You seem to want to come down simultaneously on every side of the issue.
>
> If you cut/paste your checksums from the web page and they match
> the bittorrent downloaded ISO, it proves that all of the contributing
> servers from which your bittorrent was served, were secure enough for the job
> at hand within the accuracy of the checksum methodology.
>
> Each packet (or whatever the data block is called) is check summed in the
> bittorrent client, and the whole iso can (and should) be checked.
>
> There is virtually no opportunity to insert a rogue data block (with
> a virus) that was not on the original iso and get away with it.
>

John,
Why should there be sides? If in an intelligent discussion Limes become Limen (frontiers become walls) one would question whether the discussion is still intelligent! Both sides have valid points, and BTW have you ever heard of a dialectic....?

The packet based checksum used by bittorrent is determined on publication and included in the initial download response, which also points to initial known mirrors. However, one can extract the contents without reference to the checksum (this seems to be implied on their website), and mirrors can point to mirrors of mirrors (and so on ad infinitum). This mechanism is possibly a bit vulnerable, not from bad guys injecting bad code into the image (initially) but bad guys inserting bad packets into mirror copies in a form of DoS attack. Such a checksum approach is only valuable if it is usable, and if someone can render it unusable ......

BTW I did initially attempt to download the SuSE images with bittorrent and abandoned the attempt when I discovered that I had something like 60 open connections to various locations and the data throughput was crawling with a completion estimate of a couple of days! This could be due to bad datalinks, bad data or bandwidth throttling by the ISP, but it was beginning to have an impact on using the machine for other purposes.
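The two checks discussed in this thread, per-piece hashes fixed at publication plus a whole-image checksum taken from the publisher's web page, as an added example that is not part of the original messages. The image bytes, piece size and peer functions are constructed stand-ins; BitTorrent v1 metainfo stores one SHA-1 digest per piece, which is what the sketch models.

```python
import hashlib

PIECE_LEN = 16  # tiny constructed piece size; real torrents use far larger pieces

def make_metainfo(data, piece_len=PIECE_LEN):
    """Publisher side: one SHA-1 digest per piece, fixed at publication time."""
    return [hashlib.sha1(data[i:i + piece_len]).digest()
            for i in range(0, len(data), piece_len)]

def download(piece_hashes, peers):
    """Client side: keep a piece only if its SHA-1 matches the metainfo.

    peers is a list of callables peer(index) -> bytes (hypothetical stand-ins
    for network peers). Returns (assembled bytes, bytes wasted on bad pieces).
    """
    out, wasted = [], 0
    for idx, expected in enumerate(piece_hashes):
        for peer in peers:
            piece = peer(idx)
            if hashlib.sha1(piece).digest() == expected:
                out.append(piece)
                break
            wasted += len(piece)  # rejected: bandwidth spent, nothing kept
        else:
            raise IOError(f"no peer supplied a valid piece {idx}")
    return b"".join(out), wasted

# Constructed sample "ISO" and the checksum the publisher would post on its page.
ISO = bytes(range(256)) * 2
PUBLISHED_SHA256 = hashlib.sha256(ISO).hexdigest()
HASHES = make_metainfo(ISO)

def matches_published(data):
    """Whole-image check against the checksum copied from the web page."""
    return hashlib.sha256(data).hexdigest() == PUBLISHED_SHA256

def honest_peer(idx):
    return ISO[idx * PIECE_LEN:(idx + 1) * PIECE_LEN]

def bad_peer(idx):
    """Constructed faulty source: alters the last byte of every third piece."""
    piece = honest_peer(idx)
    return piece[:-1] + bytes([piece[-1] ^ 0xFF]) if idx % 3 == 0 else piece

if __name__ == "__main__":
    image, wasted = download(HASHES, [bad_peer, honest_peer])
    print("image intact:", matches_published(image), "| bytes wasted:", wasted)
```

Altered pieces never reach the assembled image, but each one costs a transfer that has to be repeated from another source, which is the availability cost raised above rather than an integrity failure.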
