Re: How did they get behind my NAT?



Jim Watt <jimwatt@xxxxxxxxxx> writes:

On Tue, 16 Oct 2007 23:57:52 GMT, Unruh <unruh-spam@xxxxxxxxxxxxxx>
wrote:

<snippage>

You do not know where the actual chunks come from. You are supposed to know
what the true MD5 sum of the chunk is from the tracker which is supposed to
be at a trusted site.

That really is my point, and it is a security issue.

What is a "security issue"?

However, as this sort of network is mostly used to circulate

No it is not. It is mostly used to circulate computer programs, and other
legitimate traffic.

pirated software and to infringe copyright the checksum may
protect you against damage in transit, deliberate or accidental.
BUT does not protect you against someone inserting a trojan
into some commercial software, bypassing its registration codes
and posting the end product for the gullible masses sucking
it up.

???? No, nothing can do that. IF you use an untrusted site for the tracker
data, then you do not know what it is that you download. But there is
NOTHING that can protect against that. The issue was, given a legitimate
tracker, can one of the seeders insert rogue code into the program such
that it can subvert the security of the machine doing the downloading.

There are people who respond to the Nigerian letters you know?


Sebastian G is spot on. Unless the checksum comes from the
owner of the content, and you have some means of knowing that,
it does not guarantee authenticity.

Duh!! Really? And do you also need air to stay alive?
That was never the issue. The claim was that, given a legitimate tracker
source, the downloaded material, which comes from many untrusted sites,
can be subverted. I do not believe the claim, although my recent use of
bittorrent has made me a bit worried about whether bittorrent works as I
believe it does.

Now that does not matter if it's elvis_hits.mp3 or pictures of
the Vatican but if it's something executable it does.

IF a software company decides to distribute packages via
bittorrents and posts the MD5 on their website, then maybe.
Otherwise, you have no certainty or trust in what's on your
machine.

Uh, yes. And if you point a gun at your face and pull the trigger,
bad things could happen. The original claim was that because bittorrent
downloads from many anonymous untrusted sites, the downloaded material was
untrustworthy. It is not. IF the tracker is untrustworthy you have trouble.
But only then.
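
Added example, not part of the thread or of any BitTorrent client: a Python sketch of the per-piece check the posters are arguing about. In the original BitTorrent protocol the per-piece digests are SHA-1 values carried in the .torrent metainfo file (the "pieces" string), which is what the code models; the payloads, the tiny piece size and the `peer_serving` helper are constructed for illustration.

```python
import hashlib

PIECE_LEN = 16   # constructed; real torrents use far larger pieces
DIGEST_LEN = 20  # SHA-1 digest size, as in the metainfo "pieces" string

# Constructed sample payloads of equal length.
ORIGINAL = b"publisher release build 1.0 -- constructed sample payload"
TROJANED = ORIGINAL.replace(b"release", b"trojan!")


def pieces_field(data: bytes) -> bytes:
    """Concatenate one SHA-1 digest per piece, like the metainfo "pieces" value."""
    return b"".join(hashlib.sha1(data[i:i + PIECE_LEN]).digest()
                    for i in range(0, len(data), PIECE_LEN))


def peer_serving(data: bytes):
    """Hypothetical peer: returns whatever bytes it holds for a piece index."""
    return lambda index: data[index * PIECE_LEN:(index + 1) * PIECE_LEN]


def accept_piece(pieces: bytes, index: int, blob: bytes) -> bool:
    """Accept a blob only if it hashes to the digest recorded for that index."""
    want = pieces[index * DIGEST_LEN:(index + 1) * DIGEST_LEN]
    return len(want) == DIGEST_LEN and hashlib.sha1(blob).digest() == want


def download(pieces: bytes, peers) -> bytes:
    """Ask peers in order for each piece; keep the first blob that verifies."""
    out = []
    for index in range(len(pieces) // DIGEST_LEN):
        for peer in peers:
            blob = peer(index)
            if accept_piece(pieces, index, blob):
                out.append(blob)
                break
        else:
            raise RuntimeError(f"no peer supplied a valid piece {index}")
    return b"".join(out)


if __name__ == "__main__":
    trusted = pieces_field(ORIGINAL)
    # Trusted metainfo, rogue peer asked first: its altered pieces are discarded.
    print(download(trusted, [peer_serving(TROJANED), peer_serving(ORIGINAL)]))
    # Metainfo from an untrusted source: the trojaned data verifies perfectly.
    print(download(pieces_field(TROJANED), [peer_serving(TROJANED)]))
```

The two calls correspond to the two positions in the thread: with digests from a trusted source, an untrusted peer can only cause a piece to be rejected and refetched; with digests from an untrusted source, the check passes and proves nothing about who produced the content.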

