Nuke Cops :: View topic - Alert - Altered nuke.sql file being circulated gives admin

MikeMiles
Lieutenant
Joined: May 29, 2003
Posts: 231
Posted: Sun Jul 27, 2003 9:11 pm

MD5 and PGP are way too messy and complicated for the average user. I believe they only work on character strings and can be applied to the contents of each file but not to a compressed tarball as a whole. Anyone could still tamper with the files, use these same schemes and pass his product off as the original. A checksum is much easier and tells exactly whether the contents of the tarball have been changed. That is the only thing the user needs to know.

None of this ever occurred before FB started charging for releases which then sparked tainted blackmarket copies. You don't see this type of activity in any other open source projects. Then again they don't charge $120/year to stay current on releases.
Zhen-Xjell
Nuke Cops Founder
Joined: Nov 14, 2002
Posts: 5939
Posted: Mon Jul 28, 2003 4:52 am

Hi, actually, MD5 is a message digest cryptographic hash function with a 128-bit output. SHA-1 outputs 160 bits. SUM computes a 16-bit checksum.

You can see the reason why MD5 or SHA-1 would be used over SUM. It is far more difficult to keep the same hash value for an MD5 or SHA-1 than it is for a SUM.

The above are not to be considered encryption programs. They are one-way hash values. So creating a hash value for a tarball is the right way to go. If any contents change within the tarball, the resulting hash output should vary. The greater the output size in bits, the smaller the chance that the value would not change.

_________________
Paul Laudanski, Microsoft MVP Windows-Security
CastleCops: [de] [en] [wiki]
bwcbwc
Nuke Soldier
Joined: Jul 25, 2003
Posts: 34
Location: FL
Posted: Mon Jul 28, 2003 11:54 am

RE: Joining the club to get versions > 6.5.

Nobody seems to be answering this question on phpnuke.org (They seem to be horribly behind on maintaining the website, I hope everything is OK.), but the terms of the Club indicate that you get 30 days advance access to PHPNuke releases before they are released to the public. Versions 6.6 and 6.7 have both been out for more than 30 days, so does anybody know why they haven't been released to the public? Is this a permanent change in policy to a pay-to-play format?

Also, while I appreciate your respect for the author in not publishing external web links, his license agreement is the GPL, at least up to version 6.5. Assuming this is still true for later versions of PHPNuke, there is nothing illegal or unethical about posting external links to version 6.6 or 6.7. You could complain about the ethicality of posting links to version 6.8, since that is still within the 30-day limit before public access for non-Club members, but the GPL says you cannot do anything to restrict the redistribution of code that you distribute under the GPL, so try not to be so hard on the people posting those links (assuming they aren't trojanized versions).

-BWC
JG
Sergeant
Joined: Jul 26, 2003
Posts: 124
Location: Cherry Hill, N.J.
Posted: Mon Jul 28, 2003 1:54 pm

My... seems like a real can of night crawlers has been opened on this subject.

I'm getting the impression that even though the raw code is open source, anything different or unique created out of it does not belong as intellectual property to the creator???

This issue has been around the bend thousands of times, all the way back to PKzip and PKarc, both swearing up and down that the code belonged to them. We know, or a few of us do.... who won that battle.


While I agree that the 120/yr for updates is out of line, I can see the reasoning behind it, Wish List or no Wish List.

Seems everyone.. (with exceptions) expects... no, demands... that whatever is created is open season in freebie land.

Also, support takes many forms, and money is just one "trade" item.

_________________
Galt
Zhen-Xjell
Nuke Cops Founder
Joined: Nov 14, 2002
Posts: 5939
Posted: Mon Jul 28, 2003 2:24 pm

The GPL, if you read the FAQ on Version 2, says the author can change the license at will. No one under the author is allowed to do this. Anything released as GPL'd stays GPL'd even if modifications are made by other developers. Any code released that uses such a GPL program is by default GPL itself. This is a known fact in the GPL.

Also what is listed in the GPL FAQ is that a charge can be assessed for distributing the GPL software. This is legal. What the GPL states is that when the code is distributed for free or by fee, the source code must accompany it. This does happen when a member downloads 6.6, 6.7, or 6.8 from the club. So, again, the author is in line with the license.

Here is the problem I see... the problem is no longer running with the rules of the GPL, it's running with the ethical respect of the author. If one person buys into the club and distributes the files for free off his site, the income the author was hoping for has now evaporated. This means his only source of survival is now gone. The next step is to get another job, and shut down the phpnuke project. All this comes to an end.

Do you really want that to happen?

I don't care to discuss the validity of fees in place, what I'm trying to convey is the GPL is being followed correctly by the author and those that provide the club files for free. No one is in contempt -- legally.

And if all one cares about is business over humanity, then that's good for them. I personally care about humanity over business. Humans drive business, not the other way around. At the end of the day I like to think I have kept my friends close, and made new ones instead of creating enemies.

_________________
Paul Laudanski, Microsoft MVP Windows-Security
CastleCops: [de] [en] [wiki]
JG
Sergeant
Joined: Jul 26, 2003
Posts: 124
Location: Cherry Hill, N.J.
Posted: Mon Jul 28, 2003 6:03 pm

Quote:
Here is the problem I see... the problem is no longer running with the rules of the GPL, it's running with the ethical respect of the author. If one person buys into the club and distributes the files for free off his site, the income the author was hoping for has now evaporated. This means his only source of survival is now gone. The next step is to get another job, and shut down the phpnuke project. All this comes to an end.

Do you really want that to happen?


That is (almost) exactly the issue, and since I've joined I'd like to see it continue. It's not really a Club in a social sense, but more a trader's method of exchanging "value for value."

You're also dead on correct regarding the GPL license.

The issue is copyright, and what that protects is not the physical object as such, but the idea which it embodies. By forbidding an unauthorized reproduction of the object, the law declares, in effect, that the physical labor of copying is not the source of the object's value, that the value is created by the originator of the idea and may not be used without his/her consent; thus the law establishes the property right of a mind to that which it has brought into existence.

Also remember that the government does not "grant" a copyright, in the sense of a gift, privilege, or favor; the government merely secures it--i.e., the government certifies the origination of an idea and protects its owner's exclusive right of use and disposal.

Now if you take away a man's property rights, then you take away his individual rights, and make him a slave.... who is to bow, agree and obey the wishes and whims of those who are "not traders" but are even less than thieves. Then what exactly have you accomplished? Simple; the destruction of a mind.

I regret that the destruction has become a favorite pastime, and in a country whose citizens should know better..

A final note about the copy that is obtainable elsewhere which was posted earlier. While the sums match, the extracted files do NOT. So use at your own risk, and remember what in essence you are.

_________________
Galt
Zhen-Xjell
Nuke Cops Founder
Joined: Nov 14, 2002
Posts: 5939
Posted: Mon Jul 28, 2003 6:24 pm

I don't know about your final comment, but I can reiterate that using a SUM is risky business as it calculates a 16-bit hash output. Now, to put things into perspective, the man page for des states:

Single-key DES is insecure due to its short key size.

And it's bigger than SUM. Now DES wouldn't be used here for hashing, but it's an analogy of sorts.

Use MD5, and forget SUM.

_________________
Paul Laudanski, Microsoft MVP Windows-Security
CastleCops: [de] [en] [wiki]
CanuckKev
Lieutenant
Joined: Jun 02, 2003
Posts: 194
Location: Canada
Posted: Mon Jul 28, 2003 7:04 pm

My two cents on this subject is to use MD5.

It has been used successfully to check for problems with downloaded files for a while now. Many Linux distributions post the MD5 hash for their ISO images to ensure that you got the download properly. There is a Windows-based MD5 as well as Linux and OSX.

Why not post the MD5 checksums for the official distributions? It wouldn't be hard and it would provide us (the users) with a little security.

Even slightly modified versions (take 6.5 secfix3 for example) could be posted from the source (in this case, NC). It's real quick on a 6-10 MB file (hell, it's not that long on a decent machine on a 650MB ISO...)

_________________
-CanuckKev
PRESS F5 AND ALL WILL BE CLEAR...
RidersClub
Raven
General
Joined: Mar 22, 2003
Posts: 5233
Location: USA
Posted: Mon Jul 28, 2003 7:13 pm

bwcbwc wrote:
Versions 6.6 and 6.7 have both been out for more than 30 days, so does anybody know why they haven't been released to the public? Is this a permanent change in policy to a pay-to-play format?
I and others have answered this many times already, but I will again. FB announced in a thread that is buried deep in the archives now that he would no longer release interim releases after 6.5 to the public. Only Club members would get those. His only exception would be if an interim release was for major security issues. He will release 7.0 publicly when it is ready, 30 days after club members receive it.

Now, that is where we come in (NC). We supply most of the security fixes to FB. We also make them available to the public here. So the only thing you miss by not joining the club are the few interim enhancements.

_________________
Those who hear not the music think the dancers mad.
Raven Web Hosting|My Scripts & Stuff
JG
Sergeant
Joined: Jul 26, 2003
Posts: 124
Location: Cherry Hill, N.J.
Posted: Mon Jul 28, 2003 7:27 pm

Zhen-Xjell wrote:
I don't know about your final comment, but I can reiterate that using a SUM is risky business as it calculates a 16-bit hash output. Now, to put things into perspective, the man page for des states:

Use MD5, and forget SUM


In reference to the two seemingly identical files (ck-sum matched): I un-tar'd them, then did a cross-file compare, and they did not match. In the old days of my hacking youth, it was simple to install a worm or trojan and get the check sums to match. That means it's also simple to make file changes as was done. The details aren't important.

I would say you could put up a Poll; however, I don't think it's for the users to decide how to provide some protection for the author's work and give the user some assurance that he is working with what he paid for.

I also agree MD5 is the way to go, just get with FB, and implement it.

_________________
Galt
JG
Sergeant
Joined: Jul 26, 2003
Posts: 124
Location: Cherry Hill, N.J.
Posted: Mon Jul 28, 2003 7:45 pm
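Zhen-Xjell's point above (a 16-bit SUM against a 128- or 160-bit digest) and JG's report of two archives whose check sums matched while the extracted files differed, as an added example that is not code from any poster in this thread: it computes the BSD 16-bit sum, MD5 and SHA-256 over small constructed tarballs, verifies a download against a digest the distributor would publish, and counts how quickly distinct archives happen to collide on each value (the birthday bound). All file names and contents are constructed sample data, and SHA-256 in `verify_download` is my choice of digest, not one the thread names.

```python
import hashlib
import hmac
import io
import random
import tarfile
from collections import Counter


def bsd_sum16(data: bytes) -> int:
    """16-bit rotate-and-add checksum, the algorithm behind the classic BSD `sum`."""
    chk = 0
    for b in data:
        chk = ((chk >> 1) + ((chk & 1) << 15) + b) & 0xFFFF
    return chk


def build_tarball(files: dict) -> bytes:
    """Build a small uncompressed tar archive in memory from {name: bytes}.
    TarInfo defaults (mtime 0, uid/gid 0) make the output deterministic."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def digests(data: bytes) -> dict:
    """The values discussed in the thread, all computed over the whole tarball."""
    return {"sum16": bsd_sum16(data),
            "md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def verify_download(data: bytes, expected_sha256: str) -> bool:
    """What a downloader should do: recompute the digest and compare it, in
    constant time, with the value the distributor published out of band."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha256.strip().lower())


def colliding_pairs(n_variants: int = 1200, seed: int = 7) -> dict:
    """Birthday check: build n distinct tarballs (one member's content randomised)
    and count the pairs that share each digest. With only 65536 possible values
    a 16-bit sum collides among a few hundred files; MD5 and SHA-256 do not."""
    rng = random.Random(seed)
    seen = {"sum16": Counter(), "md5": Counter(), "sha256": Counter()}
    for _ in range(n_variants):
        blob = bytes(rng.getrandbits(8) for _ in range(64))  # constructed content
        tb = build_tarball({"nuke.sql": blob, "README": b"constructed sample\n"})
        for key, value in digests(tb).items():
            seen[key][value] += 1
    return {k: sum(c * (c - 1) // 2 for c in cnt.values()) for k, cnt in seen.items()}


if __name__ == "__main__":
    # Constructed sample: the archive as published, and a copy with one line changed.
    original = build_tarball({"nuke.sql": b"-- constructed sample schema\n"})
    tampered = build_tarball({"nuke.sql": b"-- constructed sample schema, altered\n"})
    published = digests(original)["sha256"]
    print("original:", digests(original))
    print("tampered:", digests(tampered))
    print("verify original:", verify_download(original, published))  # True
    print("verify tampered:", verify_download(tampered, published))  # False
    print("colliding pairs among 1200 variants:", colliding_pairs())
```

A published digest only helps if it is fetched from somewhere the tampered copy could not also have rewritten, which is why distributions post it on their own site (or sign it) rather than inside the archive.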

Quote:
Now, that is where we come in (NC). We supply most of the security fixes to FB. We also make them available to the public here. So the only thing you miss by not joining the club are the few interim enhancements


Let me agree to disagree. Smile

I think you miss far more than a "few interim enhancements." For one, if you look just at 6.5 and compare what changes were made to 6.8 (and the 6.8 is nearly twice the size of 6.5) you're getting an enhanced program, with some mods implemented in the structure you don't have to install (work) not to mention a better de-bugged program.

The other thing is, you're more inclined to get support for problems you're having. (Although I've seen answers not related to the same version offered as well.)

The only other place I've seen the kind of support, and timely responses is with the Yabbs community (but their Admin functions leave much to be desired)

Also, if you're dirt poor, and need to dig into the borrow bag, you can still get the software for 10 bucks, and just join for a month. Hell, I've paid more for some shareware programs. Very Happy

_________________
Galt
Raven
General
Joined: Mar 22, 2003
Posts: 5233
Location: USA
Posted: Tue Jul 29, 2003 2:28 am

Quote:
I think you miss far more than a "few interim enhancements." For one, if you look just at 6.5 and compare what changes were made to 6.8 (and the 6.8 is nearly twice the size of 6.5) you're getting an enhanced program, with some mods implemented in the structure you don't have to install (work) not to mention a better de-bugged program.
Laughing The reason for the size is that he didn't gzip the file (.tar.gz). He only tar'd it (.tar). It's just a packaging thing. Really, he's fixed only a few bugs and added a subcategory to news posts and a few other minor enhancements (imo). I don't have anything to agree or disagree about Wink

_________________
Those who hear not the music think the dancers mad.
Raven Web Hosting|My Scripts & Stuff
Zhen-Xjell
Nuke Cops Founder
Joined: Nov 14, 2002
Posts: 5939
Posted: Tue Jul 29, 2003 5:44 am

The whole notion of club downloads is now moot since this morning's news. It pays to believe and stand behind the author. Smile Shows loyalty and trust.

_________________
Paul Laudanski, Microsoft MVP Windows-Security
CastleCops: [de] [en] [wiki]
JG
Sergeant
Joined: Jul 26, 2003
Posts: 124
Location: Cherry Hill, N.J.
Posted: Tue Jul 29, 2003 9:04 am

Raven wrote:
Quote:
I think you miss far more than a "few interim enhancements." For one, if you look just at 6.5 and compare what changes were made to 6.8 (and the 6.8 is nearly twice the size of 6.5) you're getting an enhanced program, with some mods implemented in the structure you don't have to install (work) not to mention a better de-bugged program.
Laughing The reason for the size is that he didn't gzip the file (.tar.gz). He only tar'd it (.tar). It's just a packaging thing. Really, he's fixed only a few bugs and added a subcategory to news posts and a few other minor enhancements (imo). I don't have anything to agree or disagree about Wink


Ok Raven, I'll say you certainly know better than I. I suppose if I were in that pair of shoes, though, I would be making it more clear for idiot newbies like myself that it's not the OFFICIAL version, but an enhanced one.
When I did the file compare by the way, I had both versions sitting on my server, not just on my HD. I installed them both. Smile

_________________
Galt
Raven
General
Joined: Mar 22, 2003
Posts: 5233
Location: USA
Posted: Tue Jul 29, 2003 9:08 am

As ZX said, it's all moot now because FB is now releasing ALL versions after the 30 days. See, public opinion does matter. Thanks to everyone for expressing their views with passion, but also with courtesy!

_________________
Those who hear not the music think the dancers mad.
Raven Web Hosting|My Scripts & Stuff