[Gllug] Bittorrent and security?

Chris Bell chrisbell at overview.demon.co.uk
Mon Aug 23 15:02:18 UTC 2004


On Mon 23 Aug, Richard Hall wrote:
> 
> Bittorrent will distribute the CD image using blocks of a fixed size 
> (usually 1 meg or something similar)  you will be  downloading from 
> different people, it is indeterminate as to which block will be from who, 
> and the master torrent file has MD5 hash values for each block.   While 
> it is possible to generate a different block that would still match the 
> MD5 hash this block would be of nonsense data as the likelihood of being 
> able to generate different AND meaningful code which matched the MD5 
> hash of the original code is mathematically infeasible.   So someone 
> would be able to break a portion of the CD (which would then fail the 
> final MD5 check of the whole CD image)  I don't believe they would be 
> able to Trojan it without being able to access and change the original 
> torrent file, which you should download from a trusted source.
> 
   Thanks for the reply, I was worried by the lack of protagonists.

   I was considering how I might engineer a suitable system, perhaps with a
box sitting on the firewall DMZ. The preferred ports, 6881-6889, are not
privileged, so should be fairly safe to use with Linux, although I would not
trust a M$ box with anything.
   My main concern at present is that some boxes in the cluster could be
corrupted, and could be used to propagate unknown additional data. Users are
asked to obtain the Bittorrent package direct from the main site so as to
reduce the risk of tampering, but a drop in efficiency may not be noticed if
the software can be altered by an infection on some of the boxes. I still
see too many worm and virus attacks on my system, and would be very worried
if I was using another OS.

-- 
Chris Bell

-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
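
The per-block check discussed in this thread, as an added example that is not part of either poster's message or of the BitTorrent code base: a downloader accepts a block only if it hashes to the value recorded in the trusted torrent file, so a corrupted peer's block is rejected and fetched elsewhere. It uses SHA-1, the digest the BitTorrent metainfo format stores per piece; the 16-byte piece size, the sample image and the peer dictionaries are constructed for illustration.

```python
import hashlib

PIECE_LEN = 16   # constructed tiny piece size so the sample stays readable
DIGEST_LEN = 20  # SHA-1 digest length in bytes


def make_pieces(image, piece_len=PIECE_LEN):
    """Concatenate the SHA-1 of every fixed-size piece, like the torrent's 'pieces' field."""
    return b"".join(
        hashlib.sha1(image[i:i + piece_len]).digest()
        for i in range(0, len(image), piece_len)
    )


def verify_piece(index, data, pieces):
    """True only if data hashes to the digest recorded for this piece index."""
    expected = pieces[index * DIGEST_LEN:(index + 1) * DIGEST_LEN]
    return len(expected) == DIGEST_LEN and hashlib.sha1(data).digest() == expected


def assemble(pieces, peers):
    """Take each piece from the first peer whose copy verifies.

    Returns the image and the list of rejected (peer number, piece index) pairs.
    """
    out, rejected = [], []
    for idx in range(len(pieces) // DIGEST_LEN):
        for peer_no, peer in enumerate(peers):
            data = peer.get(idx)
            if data is None:
                continue
            if verify_piece(idx, data, pieces):
                out.append(data)
                break
            rejected.append((peer_no, idx))  # corrupted copy: discard, try next peer
        else:
            raise ValueError(f"no peer supplied a valid copy of piece {idx}")
    return b"".join(out), rejected


# Constructed sample: a 40-byte "image", one honest peer, one peer that altered piece 1.
IMAGE = b"boot-sector-data" + b"kernel-and-initr" + b"d-rest.."
TRUSTED_PIECES = make_pieces(IMAGE)  # stands in for hashes from the trusted torrent file
honest = {i: IMAGE[i * PIECE_LEN:(i + 1) * PIECE_LEN] for i in range(3)}
tampered = dict(honest)
tampered[1] = b"kernel-and-TROJN"
RESULT, REJECTED = assemble(TRUSTED_PIECES, [tampered, honest])
```

The check is only as good as the hash list it is given: a piece list computed over altered data accepts the altered block, which is why the torrent file itself has to come from a trusted source.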



