9.04 Final == RC

Derek Broughton derek at pointerstop.ca
Sun Apr 26 16:06:38 BST 2009


Tommy Trussell wrote:

> On Fri, Apr 24, 2009 at 7:51 PM, Derek Broughton <derek at pointerstop.ca>
> wrote:
>> Steven Susbauer wrote:
>>
>>> The ISOs are also downloaded from an unsecure page, it must be a
>>> conspiracy!
>>
>> Well, as long as you can get your hashes from a secure source, it
>> shouldn't be necessary to get the ISO from one.
> 
> Sadly, that is no longer true, as md5 hashes have been shown to be
> exploitable.
> 
> http://www.doxpara.com/md5_someday.pdf
 
_Everything_ is exploitable given sufficient computing resources, but
getting your ISO from a secure source wouldn't be noticeably more secure
than getting it from an insecure source with a secure(ish) hash.  As I read
that, it seems that you can do things with a hash - but you still have to
get your payload onto that secure hash server.  If you can do that, you
could just poison the ISO.
-- 
derek
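
The check discussed in this thread, as an added example that is not part of the original message: an image fetched over an untrusted channel is accepted only if its digest matches a checksum list obtained from a trusted one. Assumptions: SHA-256 is used in place of the MD5 mentioned above, the list is in the coreutils `sha256sum` line format, and the file name and image bytes are constructed.

```python
import hashlib
import hmac
import os
import tempfile


def parse_sums(text):
    """Parse coreutils-style lines: '<hex>  <name>' (text) or '<hex> *<name>' (binary)."""
    table = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name[1:] if name[:1] in (" ", "*") else name
        # bytes.fromhex raises ValueError itself on non-hexadecimal input
        if len(digest) != 64 or len(bytes.fromhex(digest)) != 32 or not name:
            raise ValueError(f"malformed checksum line: {line!r}")
        table[name] = digest.lower()
    return table


def file_sha256(path, chunk_size=1 << 20):
    """Stream the file so a large image is never held in memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, trusted_sums_text):
    """True only if the file's digest matches the entry listed under its base name."""
    expected = parse_sums(trusted_sums_text)[os.path.basename(path)]  # KeyError if unlisted
    return hmac.compare_digest(file_sha256(path), expected)


def demo():
    """Constructed data: a stand-in image and a sums list assumed to come from a trusted source."""
    with tempfile.TemporaryDirectory() as d:
        iso = os.path.join(d, "example.iso")  # hypothetical file name
        with open(iso, "wb") as f:
            f.write(b"constructed image bytes" * 1000)
        trusted = f"{file_sha256(iso)} *example.iso\n"
        before = verify_download(iso, trusted)
        with open(iso, "r+b") as f:  # one byte altered in transit
            f.seek(100)
            f.write(b"X")
        after = verify_download(iso, trusted)
    return before, after


if __name__ == "__main__":
    print(demo())
```

The result depends entirely on where `trusted_sums_text` came from: if the checksum list travels over the same channel as the image, the comparison only detects accidental corruption.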




