Re: Open Source Developers Shun Micoshaft Corporation

 

"owl" <owl@rooftop.invalid> wrote in message

news:eweoi3.zep329x@rooftop.invalid...

> dennis@home <dennis@killspam.kicks-ass.net> wrote:

>>

>> "Anonymous Sender" <anonymous@remailer.metacolo.com> wrote in message

>> news:3e4be5540bb30f64dc0e0d781e773f8a@remailer.metacolo.com...

>>> dennis@home wrote:

>>>

>>>>

>>>> "Anonymous" <cripto@ecn.org> wrote in message

>>>> news:a74ba05b9abd63f5f9afc787b8be985c@ecn.org...

>>>> > dennis@home wrote:

>>>> >

>>>> >> There is *nothing* in Linux (or most OSes) to protect a user from such a

>>>> >> simple attack and yet you think I am paranoid for not listening to some

>>>> >> troll posting download web sites in a news group. Do get a clue on what is

>>>> >> and isn't safe with the computer you are supposed to be in charge of.

>>>> >

>>>> > Your state of clue-free is astounding. There's scores of ways to defeat

>>>> > evil package distributors from doling out bogus packages.

>>>>

>>>> Name one way to defeat a rogue live CD put out on the Internet *other* than

>>>> what I said about not downloading it just because someone shouts about it

>>>> in

>>>

>>> I can name a dozen ways in a few different categories ya' ninny.

>>> Hashes, digital signatures, and transport layer certificates signed by

>>> trusted CA's are collectively the methods you're apparently oblivious

>>> to. That's part what those tools are designed to do ferChristsakes.

>>

>> How do they stop a beginner (or anyone else) downloading an image from

>> anywhere, putting it on a CD and booting it ferChristsakes?

>> There is nothing in a PC to stop it and there would be nothing on the CD to

>> stop it so you are just dreaming.

>>

>> When you come up with a mechanism that stops someone putting a hacked image

>> on P2P then maybe I will believe you until then shut up.

>>

>>

>

> owl@laptop:~/iso$ cat pclinuxos-2007.md5sum

> cf31f44513c9b30caaa1f1d2c382c033 pclinuxos-2007.iso

> owl@laptop:~/iso$ md5sum pclinuxos-2007.iso

> cf31f44513c9b30caaa1f1d2c382c033 pclinuxos-2007.iso

> owl@laptop:~/iso$ md5sum evil_pclinuxos-2007.iso

> d41d8cd98f00b204e9800998ecf8427e evil_pclinuxos-2007.iso

> owl@laptop:~/iso$

>

 

Is that supposed to stop something?

At best that allows someone who is already running Linux to checksum the

iso/

It fails because:

 

the newbie is running windows

the newbie doesn't know about it

most users are too idle/stupid

newbies are immune to all attacks because Linux is secure

it still relies on the user knowing the site is valid so the checksum is

valid

and finally because it still doesn't stop someone posting a fake live CD and

there is always a fool about.
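
The check in owl's quoted transcript, as an added example that is not part of any post in the thread: a Python version that reads an `md5sum`-style checksum file and verifies the named files, so it runs the same on Windows as on Linux. File names and contents are constructed; it also flags a file whose digest is `d41d8cd98f00b204e9800998ecf8427e`, which is the MD5 of empty input and is the value the transcript shows for `evil_pclinuxos-2007.iso`.

```python
import hashlib
import os
import tempfile

# MD5 of zero bytes of input: d41d8cd98f00b204e9800998ecf8427e
EMPTY_MD5 = hashlib.md5(b"").hexdigest()
HEX = set("0123456789abcdef")


def parse_md5sum_line(line):
    """Parse one 'digest name' line; returns (digest, name) or None."""
    line = line.rstrip("\r\n")
    digest, sep, name = line[:32].lower(), line[32:33], line[33:]
    if len(digest) != 32 or set(digest) - HEX or sep != " ":
        return None
    # md5sum itself writes a second character before the name:
    # ' ' for text mode or '*' for binary mode.
    if name[:1] in (" ", "*"):
        name = name[1:]
    return (digest, name) if name else None


def file_md5(path, chunk=1 << 20):
    """Hash a file in chunks so a 700 MB image never sits in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify(checksum_text, directory):
    """Return {name: status} for every entry in the checksum file."""
    results = {}
    for line in checksum_text.splitlines():
        parsed = parse_md5sum_line(line)
        if parsed is None:
            continue
        expected, name = parsed
        # basename(): never let the checksum file point outside `directory`.
        path = os.path.join(directory, os.path.basename(name))
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        actual = file_md5(path)
        if actual == expected:
            results[name] = "OK"
        elif actual == EMPTY_MD5:
            results[name] = "MISMATCH (file is empty)"
        else:
            results[name] = "MISMATCH"
    return results


def demo():
    """Constructed sample: one genuine file, one empty, one altered, one absent."""
    good = b"constructed stand-in for a real ISO image\n"
    published = hashlib.md5(good).hexdigest()
    names = ("good.iso", "empty.iso", "tampered.iso", "absent.iso")
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("good.iso", good), ("empty.iso", b""),
                           ("tampered.iso", good + b"extra")):
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        checksum_text = "".join("%s  %s\n" % (published, n) for n in names)
        return verify(checksum_text, d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(name, status)
```

A match only shows that the file agrees with the checksum file; whether the checksum file itself came from the distributor is a separate question, which is what a signature over it addresses.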


Re: Open Source Developers Shun Micoshaft Corporation

 

"Anonymous" <cripto@ecn.org> wrote in message

news:f297c1df9b5555bc336cd080f2b742b7@ecn.org...

> dennis@home wrote:

>

>>

>> "Anonymous Sender" <anonymous@remailer.metacolo.com> wrote in message

>> news:3e4be5540bb30f64dc0e0d781e773f8a@remailer.metacolo.com...

>> > dennis@home wrote:

>> >

>> >>

>> >> "Anonymous" <cripto@ecn.org> wrote in message

>> >> news:a74ba05b9abd63f5f9afc787b8be985c@ecn.org...

>> >> > dennis@home wrote:

>> >> >

>> >> >> There is *nothing* in Linux (or most OSes) to protect a user from such a

>> >> >> simple attack and yet you think I am paranoid for not listening to some

>> >> >> troll posting download web sites in a news group. Do get a clue on what is

>> >> >> and isn't safe with the computer you are supposed to be in charge of.

>> >> >

>> >> > Your state of clue-free is astounding. There's scores of ways to defeat

>> >> > evil package distributors from doling out bogus packages.

>> >>

>> >> Name one way to defeat a rogue live CD put out on the Internet *other* than

>> >> what I said about not downloading it just because someone shouts about it

>> >> in

>> >

>> > I can name a dozen ways in a few different categories ya' ninny.

>> > Hashes, digital signatures, and transport layer certificates signed by

>> > trusted CA's are collectively the methods you're apparently oblivious

>> > to. That's part what those tools are designed to do ferChristsakes.

>>

>> How do they stop a beginner (or anyone else) downloading an image from

>> anywhere, putting it on a CD and booting it ferChristsakes?

>

> Ohhhh... pop ups, dialogs, and sometimes you even get to read <gasp!> a

> series of alphanumeric characters and compare them.

 

Now you are being really stupid.. just what are you going to compare?

 

Do you not understand anything about social engineering?

Just because you may know about checksums and know where to find them and

how to compare them doesn't mean everyone knows.

Even when they know do you really think everyone checks.

Also it is probably possible to engineer an iso to have the correct

checksum.

It shouldn't be too hard as you have the source code for the checksum

program so you can modify it to add padding to the iso somewhere to make the

checksum anything you like. Unless you have mathematical proof this can't be

done

>

> Tough nut to crack for a windroid, I know.

 

So far not a single one of you that has responded has shown any proof it

wouldn't work so I stand by what I said " don't download live cds unless you

are certain of where they come from and don't listen to people like 7

posting in newsgroups". It's not hard even for you.

 

BTW I can post this from Linux if it makes you feel warm and fuzzy or you

could just carry on peeing down your leg.

pus.boy99@gmail.com wrote:

> "Ms. Polly Ester" wrote:

>> http://news.yahoo.com/s/cmp/20070927/tc_cmp/202101921_ylt=AiieE0MGKY...

>>

>> Fearing the restrictions it places on their work, the majority of open

>> source software developers do not plan to publish code in the next

>> year under a controversial new license authored by the main governing

>> body for open source and free software, according to a survey released

>> Wednesday.

>>

>> In addition, more than 40% of those surveyed said they won't ever

>> publish their work under Version 3 of the General Public License,

>> which was released earlier this year by the Free Software Foundation.

>> "GPLv3 is controversial because it imposes restrictions on what you

>> can do with programs," said John Andrews, CEO of survey taker Evans

>> Data, in a statement.

>

> More fragmentation to put some more nails in the Linux coffin. At some

> point the Linux loons will figure out that all of these spin offs are

> not a good thing for Linux.

>

> With 700+ different versions of Linux and now new GPL3 it's just more

> confusion for the suits that make the decisions. Microsoft makes it easy

> for those types. Linux makes it a clusterfsck.

 

"Pus Boy" as a nym is about as apt as any troll gets. What started out as

a post in comp.os.linux.advocacy she/he/it cross posted to MPWVG,

indicating her/his/it's intent to troll.

 

Information regarding PB's IP:

 

http://www.projecthoneypot.org/i_164584f1f2b33c0507e9c13e9a01ef7d

 

IP Address Inspector

202.105.182.17

 

The Project Honey Pot system has detected behavior from the IP address

consistent with that of a comment spammer. Below we've reported some other

data associated with this IP. This interrelated data helps map spammers'

networks and aids in law enforcement efforts. If you know something about

this IP, please leave a comment.

 

Geographic Location [China] China

Spider First Seen approximately 2 weeks ago

Spider Last Seen within 1 week

Spider Sightings 16 visit(s)

First Post On approximately 2 weeks ago

Last Post On within 1 week

Form Posts 9 web post submission(s) sent from this IP

Re: Open Source Developers Shun Micoshaft Corporation

 

dennis@home <dennis@killspam.kicks-ass.net> wrote:

>

[...]

>

> Now you are being really stupid.. just what are you going to compare?

>

> Do you not understand anything about social engineering?

> Just because you may know about checksums and know where to find them and

> how to compare them doesn't mean everyone knows.

> Even when they know do you really think everyone checks.

> Also it is probably possible to engineer an iso to have the correct

> checksum.

 

Yeah, that should be easy. LOL.

 

> It shouldn't be too hard as you have the source code for the checksum

> program

 

 

So in order for this hack to work, you have to already 0wn the target?

Cool. Not sure that's ever been tried before.

 

> so you can modify it to add padding to the iso somewhere to make the

> checksum

 

You really are a cretin, aren't you? The md5sum program has

zero to do with the creation of the iso.

 

owl@laptop:~$ touch moron

owl@laptop:~$ echo "you are a moron" > moron

owl@laptop:~$ md5sum moron

1d9f934e45f34101e6841138eb12b5b5 moron

owl@laptop:~$ echo "now do you get it?" > moron

owl@laptop:~$ md5sum moron

c13c4f1d07170c78d1e508dcb606b06a moron

owl@laptop:~$

> anything you like. Unless you have mathematical proof this can't be

> done

 

 

.

LOL

</proof>

Re: Open Source Developers Shun Micoshaft Corporation

 

dennis@home wrote:

>

> "Anonymous" <cripto@ecn.org> wrote in message

> news:f297c1df9b5555bc336cd080f2b742b7@ecn.org...

> > dennis@home wrote:

> >

> >>

> >> "Anonymous Sender" <anonymous@remailer.metacolo.com> wrote in

> >> message

> >> news:3e4be5540bb30f64dc0e0d781e773f8a@remailer.metacolo.com...

> >> > dennis@home wrote:

> >> >

> >> >>

> >> >> "Anonymous" <cripto@ecn.org> wrote in message

> >> >> news:a74ba05b9abd63f5f9afc787b8be985c@ecn.org...

> >> >> > dennis@home wrote:

> >> >> >

> >> >> >> There is *nothing* in Linux (or most OSes) to protect a user

> >> >> >> from such

> >> >> >> a

> >> >> >> simple attack and yet you think I am paranoid for not

> >> >> >> listening to some

> >> >> >> troll posting download web sites in a news group. Do get a

> >> >> >> clue on what

> >> >> >> is

> >> >> >> and isn't safe with the computer you are supposed to be in

> >> >> >> charge of.

> >> >> >

> >> >> > Your state of clue-free is astounding. There's scores of ways

> >> >> > to defeat

> >> >> > evil package distributors from doling out bogus packages.

> >> >>

> >> >> Name one way to defeat a rogue live CD put out on the Internet

> >> >> *other* than

> >> >> what I said about not downloading it just because someone

> >> >> shouts about it

> >> >> in

> >> >

> >> > I can name a dozen ways in a few different categories ya' ninny.

> >> > Hashes, digital signatures, and transport layer certificates

> >> > signed by trusted CA's are collectively the methods you're

> >> > apparently oblivious to. That's part what those tools are

> >> > designed to do ferChristsakes.

> >>

> >> How do they stop a beginner (or anyone else) downloading an image

> >> from anywhere, putting it on a CD and booting it ferChristsakes?

> >

> > Ohhhh... pop ups, dialogs, and sometimes you even get to read

> > <gasp!> a series of alphanumeric characters and compare them.

>

> Now you are being really stupid.. just what are you going to compare?

 

What part of "a series of alphanumeric characters" is confusing you,

Wintard?

> Do you not understand anything about social engineering?

 

More than you'll ever understand. That's how I know integrity checking

works you ninny. :)

> Just because you may know about checksums and know where to find them

> and how to compare them doesn't mean everyone knows.

 

Doesn't matter. There's enough people in the world with an IQ larger

than a hat size that you're protected too.

 

You're welcome.

> Even when they know do you really think everyone checks.

> Also it is probably possible to engineer an iso to have the correct

> checksum.

 

ROTFL!!!

 

Not even with MD5 kid, and that's the weakest that's ever used.

> It shouldn't be too hard as you have the source code for the checksum

> program so you can modify it to add padding to the iso somewhere to

> make the checksum anything you like. Unless you have mathematical

> proof this can't be done

 

Clueless. Absolutely, 100%, congenitally clueless.

> > Tough nut to crack for a windroid, I know.

>

> So far not a single one of you that has responded has shown any proof

> it wouldn't work so I stand by what I said " don't download live cds

 

No, everyone has proved you wrong. Your inability to accept that won't

change a thing.

> unless you are certain of where they come from and don't listen to

> people like 7 posting in newsgroups". its not hard even for you.

>

> BTW I can post this from Linux if it makes you feel warm and fuzzy or

> you could just carry on peeing down you leg.

 

I doubt you could even manage to convincingly forge the appropriate

headers Wintard. Might be interesting to watch though. :)

Re: Open Source Developers Shun Micoshaft Corporation

 

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

On Sun, 30 Sep 2007 00:22:23 +0100,

dennis@home <dennis@killspam.kicks-ass.net> wrote:

> Also it is probably possible to engineer an iso to have the correct

> checksum.

> It shouldn't be too hard as you have the source code for the checksum

> program so you can modify it to add padding to the iso somewhere to make the

> checksum anything you like. Unless you have mathmatical proof this can't be

> done

 

It's pretty obvious you have no clue on how the MD5 and SHA1 checksum

process works.

 

 

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.4.6 (GNU/Linux)

 

iD8DBQFG/yr1d90bcYOAWPYRAjq6AKDc62ps61DVnZulsvXkMR4LlVArYgCgpAef

7cS/Rr0fUWeLEzWouAr1rlU=

=+3wY

-----END PGP SIGNATURE-----

 

--

Jim Richardson http://www.eskimo.com/~warlock

Those who live by the sword are shot by those who don't.

Re: Open Source Developers Shun Micoshaft Corporation

 

dennis@home wrote:

> > owl@laptop:~/iso$ md5sum evil_pclinuxos-2007.iso

> > d41d8cd98f00b204e9800998ecf8427e evil_pclinuxos-2007.iso

> > owl@laptop:~/iso$

>

> Is that supposed to stop something?

 

Unless you're a total retard, yes.

> At best that allows someone who is already running Linux to checksum

> the iso/

 

ROTFL!

> It fails because:

>

> the newbie is running windows

 

My GOD you are one dumb son of a bitch.

 

http://en.wikipedia.org/wiki/Md5sum

 

http://www.microsoft.com/downloads/details.aspx?familyid=b3c93558-31b7-47e2-a663-7365c1686c08&displaylang=en

> the newbie doesn't know about it

 

Yeah, it's not like values and appropriate warnings/instructions aren't

in print everywhere you go or anything.

> most users are too idle/stupid

 

Hard core Wintards obviously are anyway. You just proved that beyond

doubt. Fortunately you don't represent "most users".

> newbies are immune to all attacks because Linux is secure

 

It is, but if you have the IQ of a garden slug or better so is

Winblows in this respect.

> it still relies on the user knowing the site is valid so the checksum

> is valid

 

Baloney. You're USDA certified clueless.

> and finally because it still doesn't stop someone posting a fake live

> CD and there is always a fool about.

 

But it does prevent even marginally intelligent people from using them,

and by proxy even Wintards like you because most people actually do

check things like this. And say something when anomalies are found.

 

You're free to thank us, your superiors, any time now. :)

Re: Open Source Developers Shun Micoshaft Corporation

 

"owl" <owl@rooftop.invalid> wrote in message

news:pzeoiw0049.s94@rooftop.invalid...

 

you are too stupid to argue with.

You can't even grasp the concept of changing an isos content to match a

checksum using the source code of the checksum program to make the fake data

needed.

If you can't understand even the basics there isn't much point in talking to

you.

Re: Open Source Developers Shun Micoshaft Corporation

 

"Jim Richardson" <warlock@eskimo.com> wrote in message

news:lgm3t4-5il.ln1@dragon.myth...

> -----BEGIN PGP SIGNED MESSAGE-----

> Hash: SHA1

>

> On Sun, 30 Sep 2007 00:22:23 +0100,

> dennis@home <dennis@killspam.kicks-ass.net> wrote:

>

>> Also it is probably possible to engineer an iso to have the correct

>> checksum.

>> It shouldn't be too hard as you have the source code for the checksum

>> program so you can modify it to add padding to the iso somewhere to make

>> the

>> checksum anything you like. Unless you have mathematical proof this can't

>> be

>> done

>

> It's pretty obvious you have no clue on how the MD5 and SHA1 checksum

> process works.

 

So as I asked is there a mathematical proof that you can only end up with

one checksum for any set of data?

If there is then no you can't fake one, if there isn't then you probably

can.

I have not claimed to be a mathematician so I don't know.

Also it doesn't really matter as a social engineered hack doesn't need to

fool everyone so even if owl is wise enough to check the checksums not

everyone is.

 

There are an awful lot of people trying to put down perfectly good advice

for some reason.

It is enough to make you think they are trying to hide something.

When did it become good practice to download stuff from sites posted by

usenet users?

Re: Open Source Developers Shun Micoshaft Corporation

 

dennis@home wrote:

>

> "owl" <owl@rooftop.invalid> wrote in message

> news:pzeoiw0049.s94@rooftop.invalid...

>

> you are too stupid to argue with.

> You can't even grasp the concept of changing an isos content to match a

> checksum using the source code of the checksum program to make the fake

> data needed.

> If you can't understand even the basics there isn't much point in talking

> to you.

 

As it is you who claims that you can "pad" the contents to achieve

the "valid" checksum, you better prove your claim. Please take into

consideration that you are not allowed to put more data on that CD than it

could physically hold when you are in your "proof" phase. We certainly

can't await your long winded, boring and naturally utterly wrong "Proof"

 

As of now, you have simply posted extremely stupid FUD.

You are good windows user, atta boi. Certainly dumb enough

--

You're not my type. For that matter, you're not even my species

Re: Open Source Developers Shun Micoshaft Corporation

 

dennis@home <dennis@killspam.kicks-ass.net> espoused:

>

> "Jim Richardson" <warlock@eskimo.com> wrote in message

> news:lgm3t4-5il.ln1@dragon.myth...

>> -----BEGIN PGP SIGNED MESSAGE-----

>> Hash: SHA1

>>

>> On Sun, 30 Sep 2007 00:22:23 +0100,

>> dennis@home <dennis@killspam.kicks-ass.net> wrote:

>>

>>> Also it is probably possible to engineer an iso to have the correct

>>> checksum.

>>> It shouldn't be too hard as you have the source code for the checksum

>>> program so you can modify it to add padding to the iso somewhere to make

>>> the

>>> checksum anything you like. Unless you have mathematical proof this can't

>>> be

>>> done

>>

>> It's pretty obvious you have no clue on how the MD5 and SHA1 checksum

>> process works.

>

> So as I asked is there a mathematical proof that you can only end up with

> one checksum for any set of data?

 

Why don't you investigate md5, sha1 and so on, and find out? Then,

instead of spreading misinformation, you might actually have some facts.

 

You could start with looking at CRC checks used to prevent false framing

in TDM transport systems. You'll find that they are amazingly robust,

even though they work with relatively small numbers.

 

Then, consider just how large a binary or decimal number it could be

possible to express using all 700Mbytes of a CD.

 

--

| Mark Kent -- mark at ellandroad dot demon dot co dot uk |

| Cola faq: http://www.faqs.org/faqs/linux/advocacy/faq-and-primer/ |

| Cola trolls: http://colatrolls.blogspot.com/ |

| My (new) blog: http://www.thereisnomagic.org |

Re: Open Source Developers Shun Micoshaft Corporation

 

"Mark Kent" <mark.kent@demon.co.uk> wrote in message

news:48c4t4-nq9.ln1@ellandroad.demon.co.uk...

> dennis@home <dennis@killspam.kicks-ass.net> espoused:

>>

>> "Jim Richardson" <warlock@eskimo.com> wrote in message

>> news:lgm3t4-5il.ln1@dragon.myth...

>>> -----BEGIN PGP SIGNED MESSAGE-----

>>> Hash: SHA1

>>>

>>> On Sun, 30 Sep 2007 00:22:23 +0100,

>>> dennis@home <dennis@killspam.kicks-ass.net> wrote:

>>>

>>>> Also it is probably possible to engineer an iso to have the correct

>>>> checksum.

>>>> It shouldn't be too hard as you have the source code for the checksum

>>>> program so you can modify it to add padding to the iso somewhere to

>>>> make

>>>> the

>>>> checksum anything you like. Unless you have mathematical proof this

>>>> can't

>>>> be

>>>> done

>>>

>>> It's pretty obvious you have no clue on how the MD5 and SHA1 checksum

>>> process works.

>>

>> So as I asked is there a mathematical proof that you can only end up with

>> one checksum for any set of data?

>

> Why don't you investigate md5, sha1 and so on, and find out? Then,

> instead of spreading misinformation, you might actually have some facts.

 

I haven't claimed I need to beat md5 to pass off a fake cd.

I said it was irrelevant as its not going to stop an attack as it will be

ignored.

 

It was thrown in to fuzz the picture by owl.

>

> You could start with looking at CRC checks used to prevent false framing

> in TDM transport systems. You'll find that they are amazingly robust,

> even though they work with relatively small numbers.

 

That is a poor example as I know you can get errors that still have correct

checksums.

(I did write some X25 protocol software when I was a lad.)

The checksums aren't really designed to stop someone faking packets at all.

 

If that is the best evidence then it shows I am correct and that md5 was

designed for the wrong thing, which I doubt.

Its a bit like me telling you how to build a hydrogen bomb when you asked

about fitting a new turbine blade to a jet engine.

Both over the top of your head and no relevance at all.

It still takes a mathematician to examine md5 and I am not, so your advice

wasn't much use to anyone really.

>

> Then, consider just how large a binary or decimal number it could be

> possible to express using all 700Mbytes of a CD.

 

A user is more likely to ignore a key that is large than one that is small

so it doesn't really help.

Md5 is really good if you are exchanging data with someone you trust but

don't trust the transmission path.

They are totally useless if you trust both which a significant number of

people will.

 

There are a significant number here that think I was wrong to say you

shouldn't download stuff from a site posted by user "7" in this newsgroup..

they obviously trust both him and the delivery path and don't like someone

saying anyone shouldn't.

Sounds like a recipe for trouble to me.

Re: Open Source Developers Shun Micoshaft Corporation

 

"Non scrivetemi" <nonscrivetemi@pboxmix.winstonsmith.info> wrote in message

news:239830bd33694c83356cb21f4deb7469@pboxmix.winstonsmith.info...

>> Do you not understand anything about social engineering?

>

> More than you'll ever understand. That's how I know integrity checking

> works you ninny. :)

 

If you think all users are going to compare two strings to see if the disk

they have downloaded matches then you obviously know nothing about what you

are saying so we can ignore it from here.

Re: Open Source Developers Shun Micoshaft Corporation

 

"Jim Richardson" <warlock@eskimo.com> wrote in message

news:lgm3t4-5il.ln1@dragon.myth...

 

> It's pretty obvious you have no clue on how the MD5 and SHA1 checksum

> process works.

 

Having done a quick check.

Its pretty obvious that few people here know how md5 works.

 

quote for wiki for those that think they know

>>>>>>>>>>

md5sum is a computer program which calculates and verifies MD5 hashes, as

described in RFC 1321. The MD5 hash (or checksum) functions as a compact

digital fingerprint of a file. It is extremely unlikely that any two

non-identical files will have the same MD5 hash (although it is certainly

possible).

 

<<<<<<<<<<

 

Note the bit about being possible.

Now that is just from random files and not from an engineered attempt to

make them the same.

As I said if someone has proof that it can't be done I am all ears.

As it stands I think it is quite possible to fake the md5 checksum and you

are wrong.

AFAICS it is easier to fake on large files like isos than on small files

like these posts.

It looks like the algorithm gets less secure the larger the file to me but

as I said I am not a mathematician.

Re: Open Source Developers Shun Micoshaft Corporation

 

On Sun, 30 Sep 2007 15:04:00 +0100, dennis@home wrote:

> "Jim Richardson" <warlock@eskimo.com> wrote in message

> news:lgm3t4-5il.ln1@dragon.myth...

>

>

>> It's pretty obvious you have no clue on how the MD5 and SHA1 checksum

>> process works.

>

> Having done a quick check.

> Its pretty obvious that few people here know how md5 works.

>

> quote for wiki for those that think they know

>

>

> md5sum is a computer program which calculates and verifies MD5 hashes,

> as described in RFC 1321. The MD5 hash (or checksum) functions as a

> compact digital fingerprint of a file. It is extremely unlikely that any

> two non-identical files will have the same MD5 hash (although it is

> certainly possible).

>

> <<<<<<<<<<

>

> Note the bit about being possible.

> Now that is just from random files and not from an engineered attempt to

> make them the same.

> As I said if someone has proof that it can't be done I am all ears. As

> it stands I think it is quite possible to fake the md5 checksum and you

> are wrong.

> AFAICS it is easier to fake on large files like isos than on small files

> like these posts.

> It looks like the algorithm gets less secure the larger the file to me

> but as I said I am not a mathematician.

 

Of course it's not impossible. The only thing that's impossible is for it

to not be impossible.

 

Any algorithm that has a fixed hash length has collisions. Simple reason

being that if MD5 has 2^128 different hashes, then if one has (2^128)+1

datasets there has to be at least one collision as the number of datasets

now exceeds the number of possible keys. So yes, it's possible.

 

Thing is though is that the computational effort required to do so just

makes it unfeasible. This is the same when you go trust a "HTTPS"

website. The only thing really protecting your precious credit card data

you just entered is the fact that decrypting it is computationally

unfeasible without such a huge effort that the costs would be far greater

than any possible gains.

 

So everytime you go order something online, it is *possible* for someone

to decrypt your credit card information...you better stop buying things

online now (if you do that is) by your logic.

 

On the same lines, it is possible to modify a Binary image to contain

malicious code and the same MD5 sum. It could be done in theory. But

realistically speaking, the effort that this would take makes it not

feasible to actually do.

 

Even if someone succeeded at doing that, the malicious image would be

discovered by users and the information made available about it

everywhere on the net before it ever could have any significant impact.

You don't actually believe that someone could put up a malicious

LiveCD without *someone* noticing and it being announced all over the

news right?

 

And honestly, who the hell would download a operating system from a P2P

file sharing program? Anyone in their right mind that wants to download

an OS is going to go to the OS' website, inform themselves about the OS

and then download it if they want to from there.

 

And if someone is an idiot enough to use some P2P software to download

binaries and gets their system toasted as a result then they probably

didn't deserve much better in the first place.

 

--

Stephan

2003 Yamaha R6

 

The reason there is no day when I think back on you

is that there is never a time when I have forgotten you
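
Added example (not from any poster in the thread): a Python sketch of the "pad the file until the checksum matches" idea argued over above, run against MD5 truncated to a few bits so that it finishes. It shows that the expected number of tries tracks 2^bits whatever the size of the file being padded; the function names and sample byte strings are constructed for illustration.

```python
import hashlib

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def md5_prefix(h, bits):
    """Top `bits` bits of an MD5 hash object's digest, as an integer."""
    return int.from_bytes(h.digest(), "big") >> (128 - bits)


def pad_to_match(original, tampered, bits, max_tries=5_000_000):
    """Append an 8-byte counter to `tampered` until the first `bits` bits of
    its MD5 equal those of `original`.

    Returns (padded_bytes, attempts), or (None, max_tries) if the budget
    runs out first.
    """
    target = md5_prefix(hashlib.md5(original), bits)
    base = hashlib.md5(tampered)  # hashed once; each try only adds 8 bytes
    for counter in range(max_tries):
        pad = counter.to_bytes(8, "big")
        trial = base.copy()
        trial.update(pad)
        if md5_prefix(trial, bits) == target:
            return tampered + pad, counter + 1
    return None, max_tries


def mean_attempts(bits, trials, filler_len):
    """Average tries over `trials` different tampered files of a given size."""
    original = b"constructed stand-in for the published image"
    total = 0
    for i in range(trials):
        tampered = b"tampered build %d " % i + b"\x00" * filler_len
        _, attempts = pad_to_match(original, tampered, bits)
        total += attempts
    return total / trials


def years_for_full_md5(hashes_per_second):
    """Expected time to hit one specific 128-bit digest by trial and error."""
    return 2 ** 128 / hashes_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Work grows with the number of digest bits that must match ...
    for bits in (8, 12, 16):
        avg = mean_attempts(bits, trials=20, filler_len=64)
        print("%2d bits: %.0f tries on average (2^bits = %d)"
              % (bits, avg, 2 ** bits))
    # ... and not with the size of the file being padded.
    print("12 bits, 64-byte file: %.0f tries" % mean_attempts(12, 20, 64))
    print("12 bits, 1 MiB file:   %.0f tries" % mean_attempts(12, 20, 1 << 20))
    # Assumed rate of 1e9 hashes per second, for scale only.
    print("all 128 bits at 1e9 hashes/s: %.1e years" % years_for_full_md5(1e9))
```

This models trial-and-error matching of a digest that someone else has already published; it does not model MD5's known collision attacks, in which one party crafts both files.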

Re: Open Source Developers Shun Micoshaft Corporation

 

dennis@home <dennis@killspam.kicks-ass.net> espoused:

>

> "Mark Kent" <mark.kent@demon.co.uk> wrote in message

> news:48c4t4-nq9.ln1@ellandroad.demon.co.uk...

>> dennis@home <dennis@killspam.kicks-ass.net> espoused:

>>>

>>> "Jim Richardson" <warlock@eskimo.com> wrote in message

>>> news:lgm3t4-5il.ln1@dragon.myth...

>>>> -----BEGIN PGP SIGNED MESSAGE-----

>>>> Hash: SHA1

>>>>

>>>> On Sun, 30 Sep 2007 00:22:23 +0100,

>>>> dennis@home <dennis@killspam.kicks-ass.net> wrote:

>>>>

>>>>> Also it is probably possible to engineer an iso to have the correct

>>>>> checksum.

>>>>> It shouldn't be too hard as you have the source code for the checksum

>>>>> program so you can modify it to add padding to the iso somewhere to

>>>>> make

>>>>> the

>>>>> checksum anything you like. Unless you have mathematical proof this

>>>>> can't

>>>>> be

>>>>> done

>>>>

>>>> It's pretty obvious you have no clue on how the MD5 and SHA1 checksum

>>>> process works.

>>>

>>> So as I asked is there a mathematical proof that you can only end up with

>>> one checksum for any set of data?

>>

>> Why don't you investigate md5, sha1 and so on, and find out? Then,

>> instead of spreading misinformation, you might actually have some facts.

>

> I haven't claimed I need to beat md5 to pass off a fake cd.

> I said it was irrelevant as its not going to stop an attack as it will be

> ignored.

>

 

Clearly you're trolling, as just above here, you quite directly state:

"it is probably possible to engineer an iso to have the correct

checksum."

 

.... which indicates that you have limited if not zero comprehension of

how md5 and sha1 and so on work. This leaves you less than qualified to

remark on security issues.

 

--

| Mark Kent -- mark at ellandroad dot demon dot co dot uk |

| Cola faq: http://www.faqs.org/faqs/linux/advocacy/faq-and-primer/ |

| Cola trolls: http://colatrolls.blogspot.com/ |

| My (new) blog: http://www.thereisnomagic.org |

Re: Open Source Developers Shun Micoshaft Corporation

 

"Stephan Rose" <nospam@spammer.com> wrote in message

news:prqdneuQOOnbJmLbnZ2dnUVZ8sbinZ2d@giganews.com...

> On Sun, 30 Sep 2007 15:04:00 +0100, dennis@home wrote:

>

>> "Jim Richardson" <warlock@eskimo.com> wrote in message

>> news:lgm3t4-5il.ln1@dragon.myth...

>>

>>

>>> It's pretty obvious you have no clue on how the MD5 and SHA1 checksum

>>> process works.

>>

>> Having done a quick check.

>> Its pretty obvious that few people here know how md5 works.

>>

>> quote for wiki for those that think they know

>>

>>

>> md5sum is a computer program which calculates and verifies MD5 hashes,

>> as described in RFC 1321. The MD5 hash (or checksum) functions as a

>> compact digital fingerprint of a file. It is extremely unlikely that any

>> two non-identical files will have the same MD5 hash (although it is

>> certainly possible).

>>

>> <<<<<<<<<<

>>

>> Note the bit about being possible.

>> Now that is just from random files and not from an engineered attempt to

>> make them the same.

>> As I said if someone has proof that it can't be done I am all ears. As

>> it stands I think it is quite possible to fake the md5 checksum and you

>> are wrong.

>> AFAICS it is easier to fake on large files like isos than on small files

>> like these posts.

>> It looks like the algorithm gets less secure the larger the file to me

>> but as I said I am not a mathematician.

>

> Of course it's not impossible. The only thing that's impossible is for it

> to not be impossible.

>

> Any algorithm that has a fixed hash length has collisions. Simple reason

> being that if MD5 has 2^128 different hashes, then if one has (2^128)+1

> datasets there has to be at least one collision as the number of datasets

> now exceeds the number of possible keys. So yes, it's possible.

>

> Thing is though is that the computational effort required to do so just

> makes it unfeasible. This is the same when you go trust a "HTTPS"

> website. The only thing really protecting your precious credit card data

> you just entered is the fact that decrypting it is computationally

> unfeasible without such a huge effort that the costs would be far greater

> than any possible gains.

 

No it isn't the only thing protecting my card.

To start with you have to intercept the data which is not easy.

Then you have to crack the key using the small amount of data you have.

And it doesn't use md5 either as md5 has known faults that make it easier to

attack using brute force.

And you forget its I wouldn't be trying to decode any encryption I would be

trying to encode some data to make the same checksum. The two tasks are by

no means the same. All I have to do is end up with a file the same size and

same checksum while only changing a few files that the user is unlikely to

use, let's say the drivers for some obscure hardware, probably a few tens of

megabytes to play with.

>

> So everytime you go order something online, it is *possible* for someone

> to decrypt your credit card information...you better stop buying things

> online now (if you do that is) by your logic.

>

> On the same lines, it is possible to modify a Binary image to contain

> malicious code and the same MD5 sum. It could be done in theory. But

> realistically speaking, the effort that this would take makes it not

> feasible to actually do.

>

> Even if someone succeeded at doing that, the malicious image would be

> discovered by users and the information made available about it

> everywhere on the net before it ever could have any significant impact.

> You don't actually believe that someone could put up a malicious

> LiveCD without *someone* noticing and it being announced all over the

> news right?

 

Yes I do think it is quite possible.

When was the last time you checked the contents of a cd other than the

checksum?

Why would someone else?

>

> And honestly, who the hell would download a operating system from a P2P

> file sharing program? Anyone in their right mind that wants to download

> an OS is going to go to the OS' website, inform themselves about the OS

> and then download it if they want to from there.

 

At least one person here that says it can't happen has said they do so I

guess you know at least one.

I guess my warning was just too much for them and they joined the attack to

convince themselves that they hadn't been a complete idiot.

(You know who you are.)

> And if someone is an idiot enough to use some P2P software to download

> binaries and gets their system toasted as a result then they probably

> didn't deserve much better in the first place.

 

Their system probably wouldn't be toasted.. it would sit there controlling

bots sending spam to you and I and they would be oblivious.

Re: Open Source Developers Shun Micoshaft Corporation

 

"Mark Kent" <mark.kent@demon.co.uk> wrote in message

news:qp65t4-v3e.ln1@ellandroad.demon.co.uk...

> dennis@home <dennis@killspam.kicks-ass.net> espoused:

>>

>> "Mark Kent" <mark.kent@demon.co.uk> wrote in message

>> news:48c4t4-nq9.ln1@ellandroad.demon.co.uk...

>>> dennis@home <dennis@killspam.kicks-ass.net> espoused:

>>>>

>>>> "Jim Richardson" <warlock@eskimo.com> wrote in message

>>>> news:lgm3t4-5il.ln1@dragon.myth...

>>>>> -----BEGIN PGP SIGNED MESSAGE-----

>>>>> Hash: SHA1

>>>>>

>>>>> On Sun, 30 Sep 2007 00:22:23 +0100,

>>>>> dennis@home <dennis@killspam.kicks-ass.net> wrote:

>>>>>

>>>>>> Also it is probably possible to engineer an iso to have the correct

>>>>>> checksum.

>>>>>> It shouldn't be too hard as you have the source code for the checksum

>>>>>> program so you can modify it to add padding to the iso somewhere to

>>>>>> make

>>>>>> the

>>>>>> checksum anything you like. Unless you have mathematical proof this

>>>>>> can't

>>>>>> be

>>>>>> done

>>>>>

>>>>> It's pretty obvious you have no clue on how the MD5 and SHA1 checksum

>>>>> process works.

>>>>

>>>> So as I asked is there a mathematical proof that you can only end up

>>>> with

>>>> one checksum for any set of data?

>>>

>>> Why don't you investigate md5, sha1 and so on, and find out? Then,

>>> instead of spreading misinformation, you might actually have some facts.

>>

>> I haven't claimed I need to beat md5 to pass off a fake cd.

>> I said it was irrelevant as its not going to stop an attack as it will be

>> ignored.

>>

>

> Clearly you're trolling, as just above here, you quite directly state:

> "it is probably possible to engineer an iso to have the correct

> checksum."

>

> ... which indicates that you have limited if not zero comprehension of

> how md5 and sha1 and so on work. This leaves you less than qualified to

> remark on security issues.

 

Just because I am commenting on what others have said in their attacks

doesn't make me a troll especially as I appear to be correct ATM.

You have not provided any evidence that I am wrong just the usual response

when they don't have any real arguments.

 

BTW I have made no comment on sha1 so could you stop saying I have.

Re: Open Source Developers Shun Micoshaft Corporation

 

On Sun, 30 Sep 2007 19:47:49 +0100, dennis@home wrote:

<snip>

>>>

>>> Note the bit about being possible.

>>> Now that is just from random files and not from an engineered attempt

>>> to make them the same.

>>> As I said if someone has proof that it can't be done I am all ears. As

>>> it stands I think it is quite possible to fake the md5 checksum and

>>> you are wrong.

>>> AFAICS it is easier to fake on large files like isos than on small

>>> files like these posts.

>>> It looks like the algorithm gets less secure the larger the file to me

>>> but as I said I am not a mathematician.

>>

>> Of course it's not impossible. The only thing that's impossible is for

>> it to not be impossible.

>>

>> Any algorithm that has a fixed hash length has collisions. Simple

>> reason being that if MD5 has 2^128 different hashes, then if one has

>> (2^128)+1 datasets there has to be at least one collision as the number

>> of datasets now exceeds the number of possible keys. So yes, it's

>> possible.

>>

>> Thing is though is that the computational effort required to do so just

>> makes it unfeasible. This is the same when you go trust a "HTTPS"

>> website. The only thing really protecting your precious credit card

>> data you just entered is the fact that decrypting it is computationally

>> unfeasible without such a huge effort that the costs would be far

>> greater than any possible gains.

>

> No it isn't the only thing protecting my card. To start with you have to

> intercept the data which is not easy. Then you have to crack the key

> using the small amount of data you have. And it doesn't use md5 either as

> md5 has known faults that make it easier to attack using brute force.

> And you forget its I wouldn't be trying to decode any encryption I would

> be trying to encode some data to make the same checksum. The two tasks

> are by no means the same. All I have to do is end up with a file the

> same size and same checksum while only changing a few files that the

> user is unlikely to use, let's say the drivers for some obscure hardware,

> probably a few tens of megabytes to play with.

 

I didn't say it would be easy. I only said it would be possible.

>

>

>> So everytime you go order something online, it is *possible* for

>> someone to decrypt your credit card information...you better stop

>> buying things online now (if you do that is) by your logic.

>>

>> On the same lines, it is possible to modify a Binary image to contain

>> malicious code and the same MD5 sum. It could be done in theory. But

>> realistically speaking, the effort that this would take makes it not

>> feasible to actually do.

>>

>> Even if someone succeeded at doing that, the malicious image would be

>> discovered by users and the information made available about it

>> everywhere on the net before it ever could have any significant impact.

>> You don't actually believe that someone could put up a malicious

>> LiveCD without *someone* noticing and it being announced all over the

>> news right?

>

> Yes I do think it is quite possible.

> When was the last time you checked the contents of a cd other than the

> checksum?

 

Seeing how http://www.ubuntu.com is the only place I'm willing to download

Ubuntu from, I don't need to worry about it.

> Why would someone else?

>

>

>> And honestly, who the hell would download a operating system from a P2P

>> file sharing program? Anyone in their right mind that wants to download

>> an OS is going to go to the OS' website, inform themselves about the OS

>> and then download it if they want to from there.

>

> At least one person here that says it can't happen has said they do so I

> guess you know at least one.

 

It's nobody I know. =)

 

 

--

Stephan

2003 Yamaha R6

 

君のこと思い出す日なんてないのは

君のこと忘れたときがないから

Re: Open Source Developers Shun Micoshaft Corporation

 

Stephan Rose wrote:

> ...And if someone is an idiot enough to use some P2P software to download

> binaries and gets their system toasted as a result then they probably

> didn't deserve much better in the first place.

>

---------------------------------------------------------------

 

I thought that was exactly what dennis was referring to, right?

Frank

Re: Open Source Developers Shun Micoshaft Corporation

 

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

On Sun, 30 Sep 2007 10:39:24 +0100,

dennis@home <dennis@killspam.kicks-ass.net> wrote:

>

> "owl" <owl@rooftop.invalid> wrote in message

> news:pzeoiw0049.s94@rooftop.invalid...

>

> you are too stupid to argue with.

> You can't even grasp the concept of changing an isos content to match a

> checksum using the source code of the checksum program to make the fake data

> needed.

 

It doesn't work that way.

You are not using the checksum program from the LiveCD to check the

checksum of the LiveCD.

 

> If you can't understand even the basics there isn't much point in talking to

> you.

>

 

The irony is palpable.

 

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.4.6 (GNU/Linux)

 

iD8DBQFHAAd7d90bcYOAWPYRAgkRAJ93ZldKK3d6Pod88eimkfbhyje35QCgvj/0

yqDYVNAFS1ehccSV5F+VIQw=

=juVf

-----END PGP SIGNATURE-----

 

--

Jim Richardson http://www.eskimo.com/~warlock

I am a figment of my own imagination.

Re: Open Source Developers Shun Micoshaft Corporation

 

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

On Sun, 30 Sep 2007 10:52:19 +0100,

dennis@home <dennis@killspam.kicks-ass.net> wrote:

>

> "Jim Richardson" <warlock@eskimo.com> wrote in message

> news:lgm3t4-5il.ln1@dragon.myth...

>> -----BEGIN PGP SIGNED MESSAGE-----

>> Hash: SHA1

>>

>> On Sun, 30 Sep 2007 00:22:23 +0100,

>> dennis@home <dennis@killspam.kicks-ass.net> wrote:

>>

>>> Also it is probably possible to engineer an iso to have the correct

>>> checksum.

>>> It shouldn't be too hard as you have the source code for the checksum

>>> program so you can modify it to add padding to the iso somewhere to make

>>> the

>>> checksum anything you like. Unless you have mathematical proof this can't

>>> be

>>> done

>>

>> It's pretty obvious you have no clue on how the MD5 and SHA1 checksum

>> process works.

>

> So as I asked is there a mathematical proof that you can only end up with

> one checksum for any set of data?

> If there is then no you can't fake one, if there isn't then you probably

> can.

 

You are confused (again). The non-presence of a proof does not mean that

something is or is not possible. Basic logic.

> I have not claimed to be a mathematician so I don't know.

> Also it doesn't really matter as a social engineered hack doesn't need to

> fool everyone so even if owl is wise enough to check the checksums not

> everyone is.

>

 

Not relevant to your original claims.

> There are an awful lot of people trying to put down perfectly good advice

> for some reason.

 

probably because it's not "perfectly good advice"

> It is enough to make you think they are trying to hide something.

> When did it become good practice to download stuff from sites posted by

> usenet users?

>

 

that's why you check the site out, and distrowatch checks out. It's not

some fly-by-night wackjob's site; furthermore, distrowatch doesn't even

offer the isos for download, they link to the official download sites.

 

 

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.4.6 (GNU/Linux)

 

iD8DBQFHAAkqd90bcYOAWPYRAkx4AKDo1o4s+4Fn8P8whQN4Tm07tpfYpACgzo/4

59/L+2ayQlGtqNFd/I7Jlqw=

=lCIX

-----END PGP SIGNATURE-----

 

--

Jim Richardson http://www.eskimo.com/~warlock

"We have to go forth and crush every world view that doesn't believe in

tolerance and free speech," - David Brin

Re: Open Source Developers Shun Micoshaft Corporation

 

dennis@home wrote:

> Having done a quick check.

> Its pretty obvious that few people here know how md5 works.

>

> quote for wiki for those that think they know

 

You believe Wikipedia is some sort of "authority"?

 

Typical Wintard.

>

> >>>>>>>>>>

> md5sum is a computer program which calculates and verifies MD5

> hashes, as described in RFC 1321. The MD5 hash (or checksum)

 

MD5 hashes and checksums are two completely different things regardless

of what some WikiTard decided to bang out on his keyboard some evening

after a couple too many puffs on a doobie.

> functions as a compact digital fingerprint of a file. It is extremely

> unlikely that any two non-identical files will have the same MD5 hash

> (although it is certainly possible).

 

If you define "possible" as "spend the next trillion years or so

working on it", then you have a point.

 

What you're talking about my clueless friend is "collisions". And even

using MD5 it's impossible to craft usable data that produces the same

hash value as existing usable data in any sort of time frame that could

be regarded as anything but ridiculous.

 

IOW, Wintard, it IS impossible.

>

> <<<<<<<<<<

>

> Note the bit about being possible.

 

Note the bit about you being so all around clueless you don't even know

how to go to legitimate sources to FIND clues.

 

<laugh>

> Now that is just from random files and not from an engineered attempt

> to make them the same.

 

You're so clue free you don't even realize that the "engineered"

problem is a tougher one to solve. If you can use any random file of

your choosing it's considerably easier to find two files that collide.

> As I said if someone has proof that it can't be done I am all ears.

 

There's hoards of proof out there. I suggest you start reading anything

written by a fellow named Claude Shannon.

> As it stands I think it is quite possible to fake the md5 checksum

> and you are wrong.

 

It's not possible, and YOU are wrong.

> AFAICS it is easier to fake on large files like isos than on small

> files like these posts.

 

Even more clueless spew. It's actually harder in theory to find

collisions among larger files.

> It looks like the algorithm gets less secure the larger the file to

> me but as I said I am not a mathematician.

 

You have it completely backwards, as usual.
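
The post above separates two searches: finding any two inputs that collide, and producing an input engineered to match one existing file's hash. The experiment below is an added example, not part of the original thread; it runs both searches by brute force on MD5 truncated to 16 bits (a toy size assumed here so the loops finish quickly) and also shows the pigeonhole bound from the earlier post. The helper names and sample inputs are constructed for the demo.

```python
import hashlib
from itertools import count

BITS = 16  # toy digest size (assumption for this demo); real MD5 has 128 bits


def toy_digest(data: bytes, bits: int = BITS) -> int:
    """MD5 truncated to its top `bits` bits, so brute force finishes in seconds."""
    full = int.from_bytes(hashlib.md5(data).digest(), "big")
    return full >> (128 - bits)


def message(i: int) -> bytes:
    """Constructed sample inputs: distinct byte strings standing in for files."""
    return b"constructed-sample-%d" % i


def find_any_collision(bits: int = BITS):
    """Search for ANY two inputs with equal digests (the 'random files' case).

    Pigeonhole: with 2**bits possible digests, 2**bits + 1 distinct inputs
    must contain a repeat, so this loop always terminates.
    """
    seen = {}
    for tries in count(1):
        m = message(tries)
        d = toy_digest(m, bits)
        if d in seen:
            return seen[d], m, tries
        seen[d] = m


def find_match_for(target: bytes, bits: int = BITS, limit: int = 1 << 20):
    """Search for a different input matching ONE fixed target's digest
    (the 'engineered to match a published value' case)."""
    want = toy_digest(target, bits)
    for tries in range(1, limit + 1):
        m = message(tries)
        if m != target and toy_digest(m, bits) == want:
            return m, tries
    return None, limit  # not found within the search budget


if __name__ == "__main__":
    a, b, n_any = find_any_collision()
    print(f"any collision:      {n_any} tries (order of 2^{BITS // 2} expected)")
    m, n_fixed = find_match_for(b"constructed-published-image")
    print(f"match fixed target: {n_fixed} tries (order of 2^{BITS} expected)")
```

Raising `BITS` by two roughly doubles the work for the first search and quadruples it for the second; the experiment measures brute force only and says nothing about structural weaknesses in a particular hash function.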

Re: Open Source Developers Shun Micoshaft Corporation

 

Frank wrote:

> Stephan Rose wrote:

>

> > ...And if someone is an idiot enough to use some P2P software to

> > download binaries and gets their system toasted as a result then

> > they probably didn't deserve much better in the first place.

> >

> ---------------------------------------------------------------

>

> I thought that was exactly what dennis was referring to, right?

> Frank

 

There's numerous distributions that are solely available through P2P and

"cloud" networks like bittorrent due to bandwidth issues, and many

mainstream distributions disseminate that way in addition to the more

"traditional" methods like HTTP and FTP. See torrent.ubuntu.com for an

example, and a list of SHA1 "info" hash values.

 

It's every bit as safe to download your ISO's that way as it is to type

http://www.mydistro.com/foo.bar.iso into a browser. You verify the resulting

file with hashes or digital signatures either way, and you're golden.
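
One way to do the hash check described in the post above, as an added example that is not part of the original thread: it parses a checksum list in the format `md5sum`/`sha1sum` print and verifies a downloaded file against it, whatever transport delivered the file. It assumes the list itself was obtained from a source trusted independently of the download (checking a signature on the list is outside this sketch); the function names and sample data are constructed.

```python
import hashlib
import hmac
import os
import re
import tempfile

# Hex digest length -> algorithm, for the hash tools named in the thread.
ALGO_BY_HEXLEN = {32: "md5", 40: "sha1", 64: "sha256"}
# md5sum/sha1sum output: "<hex>  name" (text mode) or "<hex> *name" (binary mode).
LINE_RE = re.compile(r"^([0-9a-fA-F]+) [ *](.+)$")


def parse_checksum_list(text):
    """Parse a checksum list into {filename: (algorithm, hexdigest)}."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank lines, comments, armor around a clearsigned list
        digest, name = m.group(1).lower(), m.group(2)
        algo = ALGO_BY_HEXLEN.get(len(digest))
        if algo:
            entries[name] = (algo, digest)
    return entries


def file_digest(path, algo, chunk=1 << 20):
    """Hash in 1 MiB chunks so a CD-sized image never has to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify(path, listed_name, checksum_text):
    """Return 'OK', 'MISMATCH' or 'NOT LISTED' for the downloaded file."""
    entry = parse_checksum_list(checksum_text).get(listed_name)
    if entry is None:
        return "NOT LISTED"  # fail closed: an unlisted image is not a verified one
    algo, expected = entry
    actual = file_digest(path, algo)
    return "OK" if hmac.compare_digest(actual, expected) else "MISMATCH"


if __name__ == "__main__":
    # Constructed sample: a small stand-in image and the list a publisher would post.
    image = b"constructed image bytes" * 1000
    listing = hashlib.sha1(image).hexdigest() + " *foo.bar.iso\n"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "foo.bar.iso")
        with open(path, "wb") as f:
            f.write(image)
        print("as published:    ", verify(path, "foo.bar.iso", listing))
        with open(path, "r+b") as f:  # change one byte, file size unchanged
            f.seek(100)
            f.write(b"\xff")
        print("one byte changed:", verify(path, "foo.bar.iso", listing))
```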

Re: Open Source Developers Shun Micoshaft Corporation

 

dennis@home wrote:

>

> "Stephan Rose" <nospam@spammer.com> wrote in message

> news:prqdneuQOOnbJmLbnZ2dnUVZ8sbinZ2d@giganews.com...

> > On Sun, 30 Sep 2007 15:04:00 +0100, dennis@home wrote:

> >

> >> "Jim Richardson" <warlock@eskimo.com> wrote in message

> >> news:lgm3t4-5il.ln1@dragon.myth...

> >>

> >>

> >>> It's pretty obvious you have no clue on how the MD5 and SHA1

> >>> checksum process works.

> >>

> >> Having done a quick check.

> >> Its pretty obvious that few people here know how md5 works.

> >>

> >> quote for wiki for those that think they know

> >>

> >>

> >> md5sum is a computer program which calculates and verifies MD5

> >> hashes, as described in RFC 1321. The MD5 hash (or checksum)

> >> functions as a compact digital fingerprint of a file. It is

> >> extremely unlikely that any two non-identical files will have the

> >> same MD5 hash (although it is certainly possible).

> >>

> >> <<<<<<<<<<

> >>

> >> Note the bit about being possible.

> >> Now that is just from random files and not from an engineered

> >> attempt to make them the same.

> >> As I said if someone has proof that it can't be done I am all

> >> ears. As it stands I think it is quite possible to fake the md5

> >> checksum and you are wrong.

> >> AFAICS it is easier to fake on large files like isos than on small

> >> files like these posts.

> >> It looks like the algorithm gets less secure the larger the file

> >> to me but as I said I am not a mathematician.

> >

> > Of course it's not impossible. The only thing that's impossible is

> > for it to not be impossible.

> >

> > Any algorithm that has a fixed hash length has collisions. Simple

> > reason being that if MD5 has 2^128 different hashes, then if one

> > has (2^128)+1 datasets there has to be at least one collision as

> > the number of datasets now exceeds the number of possible keys. So

> > yes, it's possible.

> >

> > Thing is though is that the computational effort required to do so

> > just makes it unfeasible. This is the same when you go trust a

> > "HTTPS" website. The only thing really protecting your precious

> > credit card data you just entered is the fact that decrypting it is

> > computationally unfeasible without such a huge effort that the

> > costs would be far greater than any possible gains.

>

> No it isn't the only thing protecting my card.

> To start with you have to intercept the data which is not easy.

 

ROTFLMAO!!

 

You really are that stump stupid, aren't you? You actually believe

this, don't you??

 

There's actually a trivial attack against SSL that not only involves

intercepting that traffic but modifying it.

> Then you have to crack the key using the small amount of data you have.

> And it doesn't use md5 either as md5 has known faults that make it

> easier to attack using brute force.

 

Easier, yes. But still impractical, and therefore impossible in this

scenario. It would take you far longer to "crack" an MD5 signature

than the data you're "cracking" would be useful. By the time you

managed to develop an evil copy of Fedora Core 7, Fedora would be up to

Core 1,678,371,740.

> And you forget its I wouldn't be trying to decode any encryption I

> would be trying to encode some data to make the same checksum. The

 

Not checksum, hash. Two different things.

> two tasks are by no means the same. All I have to do is end up with a

 

In fact they are nearly identical because the best known attack for

either is a brute force attack.

> file the same size and same checksum while only changing a few files

> that the user is unlikely to use, let's say the drivers for some

> obscure hardware, probably a few tens of megabytes to play with.

 

Can't be done. Not even against MD5.

> > impact. You don't actually believe that someone could put up a

> > malicious LiveCD without *someone* noticing and it being announced

> > all over the news right?

>

> Yes I do think it is quite possible.

 

Yes, but you think Wikipedia is a source of accurate and useful

information too. <laugh>

> When was the last time you checked the contents of a cd other than

> the checksum?

 

Today. About an hour ago.

> > And honestly, who the hell would download a operating system from a

> > P2P file sharing program? Anyone in their right mind that wants to

> > download an OS is going to go to the OS' website, inform themselves

> > about the OS and then download it if they want to from there.

>

> At least one person here that says it can't happen has said they do

> so I guess you know at least one.

 

There's nothing wrong with downloading your ISO's via bittorrent or the

like. The hash/signature is verifiable regardless. The method of

distribution is irrelevant.

> > And if someone is an idiot enough to use some P2P software to

> > download binaries and gets their system toasted as a result then

> > they probably didn't deserve much better in the first place.

>

> Their system probably wouldn't be toasted.. it would sit there

> controlling bots sending spam to you and I and they would be

> oblivious.

 

Like your average Wintard, then... :)
