9.04 Final == RC
Derek Broughton
derek at pointerstop.ca
Sun Apr 26 15:06:38 UTC 2009
Tommy Trussell wrote:
> On Fri, Apr 24, 2009 at 7:51 PM, Derek Broughton <derek at pointerstop.ca>
> wrote:
>> Steven Susbauer wrote:
>>
>>> The ISOs are also downloaded from an unsecure page, it must be a
>>> conspiracy!
>>
>> Well, as long as you can get your hashes from a secure source, it
>> shouldn't be necessary to get the ISO from one.
>
> Sadly, that is no longer true, as md5 hashes have been shown to be
> exploitable.
>
> http://www.doxpara.com/md5_someday.pdf
_Everything_ is exploitable given sufficient computing resources, but
getting your ISO from a secure source wouldn't be noticeably more secure
than getting it from an insecure source with a secure(ish) hash. As I read
that, it seems that you can do things with a hash - but you still have to
get your payload onto that secure hash server. If you can do that, you
could just poison the ISO.
--
derek
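
The check discussed in this thread, as an added example that is not part of the original message: the image may arrive over any channel, and only the digest list has to come from a source you trust. It assumes a coreutils-style checksum list (`<hex digest> *<name>`) and defaults to SHA-256; the file name and contents are constructed.

```python
import hashlib
import hmac
import os
import tempfile


def parse_checksum_list(text):
    """Parse lines of the form '<hex digest>  <name>' or '<hex digest> *<name>'."""
    digests = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        digests[name.strip().lstrip("*")] = digest.lower()
    return digests


def file_digest(path, algorithm="sha256", chunk_size=1 << 20):
    """Hash the file in chunks so a multi-gigabyte image is never held in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, trusted_list_text, algorithm="sha256"):
    """True only if the file matches the digest listed under its base name."""
    expected = parse_checksum_list(trusted_list_text).get(os.path.basename(path))
    if expected is None:
        return False  # not in the trusted list: treat as unverified
    return hmac.compare_digest(file_digest(path, algorithm), expected)


def demo():
    """Constructed data: verify an image, alter one byte, verify again."""
    with tempfile.TemporaryDirectory() as d:
        iso = os.path.join(d, "example.iso")
        with open(iso, "wb") as f:
            f.write(b"constructed image contents")
        trusted = f"{file_digest(iso)} *example.iso\n"  # stands in for the trusted list
        before = verify_download(iso, trusted)
        with open(iso, "ab") as f:
            f.write(b"!")  # simulate tampering in transit
        return before, verify_download(iso, trusted)


if __name__ == "__main__":
    print(demo())
```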