> Lisi Reisz wrote:
>> On Saturday 02 August 2008 17:49:40 David B Teague wrote:
>>
>>> This is a very brief summary from this web site
>>>
>>> http://blogs.pcmag.com/securitywatch/2008/07/evilgrade_exploit_toolkit_atta.php
>>>
>>> The article says the EvilGrade Exploit tool kit is able to attack
>>> systems using the "man in the middle", attacking through the
>>> installation mechanism.
>>
>> It actually says "updates", not installation (my stars):
>> <quote>
>> infecting systems through the **update** mechanism, according to a
>> ZDNet blog. The attackers claim, in the Readme for the kit, to have
>> modules implemented to attack the following product **updates**
>> </quote>
>>
>>> The attacker specifically mentions OO.o in the
>>> kit "ReadMe".
>>
>> No, it says: "OpenOffices"
>>
>> This is not the correct name of this program (or site), and OOo does
>> not have updates as such.
>>
>> I doubt they have achieved what they claim, tho' that doesn't mean
>> that we can all be complacent.
>
> OK, they committed a spelling error, but if they HAVE compromised
> OpenOffice.org as I think they are suggesting, the spelling error in
> their "ReadMe" will not make any difference at all. We will have given
> them access to our systems through the installer.
>
> I do not pretend to understand all this, but I do understand the idea
> of threat. At present, to update OO.o, I download a Windows
> installation file and run it. I don't see any mechanism for
> signatures, nor do I see easy access to checksums.
>
> I assure you, in the future I will be looking for checksums. I would
> prefer to have digital signatures for installation files. If checksums
> will assure me no one has fiddled with the installer, I'll gladly go
> through the process of confirming checksums.
>
> Now, would someone answer my questions?
>
> Is Lisi right, there is no danger because of the difference between
> "updates" and "installers"?

He did NOT say there was no danger. He did allude that HE is not too
worried. He also said we can NOT be complacent about it. Get your quotes
straight; this thread is one piece of misinformation after another!

> Is there any intent to introduce digital signatures?

No idea; I'm just a user.

> Do checksums do the same thing as digital signatures?

No, they are not the same thing in any way. Apples and oranges; they do
not do the same thing. Using one does not negate using the other. One
being OK has nothing to do with whether the other will get the same
result.

A signature is nothing more than having some company vouch for you in
verifiable ways, that you are who you say you are. A checksum is simply a
calculated number for code which can be checked after transport to see if
the sum has remained identical to what was used as a source.

They ARE the same in that, if you allow automagical operation, they can
easily be forged to be what you want/expect to see. However, as long as
you get the checksum (hash) from OO.o, and you use a legitimate hasher,
there is a good chance you will discover anything untoward. In addition to
that, I always check the MD5 or whatever is offered, simply to assure
myself that I did not get a "broken" download where a bit or two slipped
out into the ether. Whenever the sums are offered, IMO, it makes sense to
use them.

Finally, I'm not aware that there is an auto-update mechanism in OO.o.
And installing ANYTHING over the web is verboten on my equipment: it goes
to disk where I can check/see it, or it doesn't go on. Hopefully, anyway.
But like I said, I don't recall an update mechanism; if it's there I
missed it somehow, but I don't think it's there.

Even with MS, who claims such things can't happen (famous last words), I
do not allow them to do anything automagically. Instead it's set so that
it notifies me that they are available, I download them, and then I
Custom Install them so that 1. I know what's being installed, and 2. I
can tell things like SilverLight et al where to go, which is anywhere but
on my drives.

If one manually downloads directly from THE source, and keeps a reasonable
eye on what's going on in their browser status window etc., and checks the
sums, one has probably done a fair job of due diligence to see that his
download was safe and what was offered. OTOH allowing automagic anything,
IMO, is an invitation to a good screwing sooner or later. I do what I can
to be as sure as I can that it will always be in a later category; NO
auto-magic anythings. Do something covertly and/or automagically on my
machine and you may never see me again, unless it was my own laziness or
lack of diligence that caused it.

My 2 ¢ anyway,

Twayne

>
> David Teague
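The checksum-versus-signature distinction drawn above, worked through as an added example that is not part of the thread: a published checksum catches a download with a flipped bit, but a man in the middle who serves both the installer and the checksum page passes that check, while a signature verified against a vendor key the user obtained beforehand does not. The installer bytes, the vendor key and the attacker key are constructed here, and the RSA is a textbook toy over well-known Mersenne primes, not a real scheme.

```python
import hashlib

# Toy RSA over fixed, publicly known Mersenne primes. It shows the shape of a
# signature check (pinned public key, secret signing key) and is NOT a secure
# scheme; real verification uses gpg or a vetted crypto library.
P, Q = 2**127 - 1, 2**521 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # the vendor's secret signing exponent
VENDOR_PUBLIC_KEY = (E, N)          # what a user pins ahead of time, out of band

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def checksum_matches(data: bytes, published_hex: str) -> bool:
    """Checksum check: file and digest usually travel over the same channel."""
    return sha256_hex(data) == published_hex

def sign(data: bytes, d: int, n: int) -> int:
    """Signature over the SHA-256 digest (textbook RSA, no padding)."""
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), d, n)

def signature_valid(data: bytes, sig: int, pub=VENDOR_PUBLIC_KEY) -> bool:
    e, n = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")

def download_checks() -> dict:
    """The three situations from the thread, on constructed sample bytes."""
    genuine = b"OOo installer bytes (constructed sample)"
    published_hash, published_sig = sha256_hex(genuine), sign(genuine, D, N)

    # 1. A bit "slipped out into the ether": the vendor's checksum catches it.
    corrupted = bytearray(genuine)
    corrupted[7] ^= 0x01

    # 2. A man in the middle serves a substitute file AND a matching checksum
    #    page, plus a signature made with a key the attacker controls (not D).
    substitute = b"substitute installer bytes (constructed sample)"
    P2, Q2 = 2**607 - 1, 2**89 - 1
    attacker_sig = sign(substitute, pow(E, -1, (P2 - 1) * (Q2 - 1)), P2 * Q2)

    return {
        "corrupt_file_vs_vendor_checksum": checksum_matches(bytes(corrupted), published_hash),
        "substitute_vs_attacker_checksum": checksum_matches(substitute, sha256_hex(substitute)),
        "substitute_vs_pinned_signature": signature_valid(substitute, attacker_sig),
        "genuine_vs_pinned_signature": signature_valid(genuine, published_sig),
    }
```

The second entry is the point of the thread: a checksum fetched from the same place as the file only proves the two match each other, so it has to come from the vendor over a channel the attacker does not control, whereas the pinned key makes the signature check hold even when every byte of the download is attacker-supplied.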
