MD5 and PGP are way too messy and complicated for the average user. I believe they only work on character strings and can be applied to the contents of each file but not to a compressed tarball as a whole. Anyone could still tamper with the files and use these same schemes and pass his product off as the original. A checksum is much easier and tells exactly whether the contents of the tarball have been changed. That is the only thing the user needs to know.
None of this ever occurred before FB started charging for releases which then sparked tainted blackmarket copies. You don't see this type of activity in any other open source projects. Then again they don't charge $120/year to stay current on releases.
Zhen-Xjell Nuke Cops Founder
Joined: Nov 14, 2002
Posts: 5939
Posted:
Mon Jul 28, 2003 4:52 am
Hi, actually, MD5 is a message digest cryptographic hash function with a 128-bit output. SHA-1 outputs 160 bits. SUM computes a 16-bit checksum.
You can see the reason why MD5 or SHA-1 would be used over SUM. It is far more difficult to keep the same hash value for an MD5 or SHA-1 than it is for a SUM.
The above are not to be considered encryption programs. They are one-way hash values. So creating a hash value for a tarball is the right way to go. If any contents change within the tarball, the resulting hash output should vary. The greater the output size in bits, the less chance that the value would not change.
_________________ Paul Laudanski, Microsoft MVP Windows-Security
CastleCops: [de] [en] [wiki]
bwcbwc Nuke Soldier
Joined: Jul 25, 2003
Posts: 34
Location: FL
Posted:
Mon Jul 28, 2003 11:54 am
RE: Joining the club to get versions > 6.5.
Nobody seems to be answering this question on phpnuke.org (They seem to be horribly behind on maintaining the website, I hope everything is OK.), but the terms of the Club indicate that you get 30 days advance access to PHPNuke releases before they are released to the public. Versions 6.6 and 6.7 have both been out for more than 30 days, so does anybody know why they haven't been released to the public? Is this a permanent change in policy to a pay-to-play format?
Also, while I appreciate your respect to the author in not publishing external web links, his license agreement is the GPL, at least up to version 6.5. Assuming this is still true for later versions of PHPNuke, there is nothing illegal or unethical about posting external links to version 6.6 or 6.7. You could complain about the ethicality of posting links to version 6.8, since that is still within the 30 day limit before public access to non-Club members, but the GPL says you cannot do anything to restrict the redistribution of code that you distribute under the GPL, so try not to be so hard on the people posting those links (assuming they aren't trojanized versions).
-BWC
JG Sergeant
Joined: Jul 26, 2003
Posts: 124
Location: Cherry Hill, N.J.
Posted:
Mon Jul 28, 2003 1:54 pm
My...seems like a real can of night crawlers has been opened on this subject.
I'm getting the impression that even though the raw code is open source, anything different or unique created out of it does not belong as intellectual property to the creator???
This issue has been around the bend thousands of times, all the way back to PKzip and PKarc, both swearing up and down that the code belonged to them. We know, or a few of us do....who won that battle.
While I agree that the 120/yr for updates is out of line, I can see the reasoning behind it, Wish List or no Wish List.
Seems everyone (with exceptions) expects...no, demands...that whatever is created is open season in freebie land.
Also, support takes many forms, and money is just one "trade" item.
_________________ Galt
Zhen-Xjell Nuke Cops Founder
Joined: Nov 14, 2002
Posts: 5939
Posted:
Mon Jul 28, 2003 2:24 pm
The GPL, if you read the FAQ on Version 2, says the author can change the license at will. No one under the author is allowed to do this. Anything released as GPL'd stays GPL'd even if modifications are made by other developers. Any code released that uses such a GPL program is by default GPL itself. This is a known fact in the GPL.
Also what is listed in the GPL FAQ is that a charge can be assessed in distributing the GPL software. This is legal. What the GPL states is that when the code is distributed for free or by fee, the source code must accompany it. This does happen when a member downloads 6.6, 6.7, or 6.8 from the club. So, again, the author is in-line with the license.
Here is the problem I see... the problem is no longer running with the rules of the GPL, it's running with the ethical respect of the author. If one person buys into the club and distributes the files for free off his site, the income the author was hoping for has now evaporated. This means his only source of survival is now gone. The next step is to get another job, and shut down the phpnuke project. All this comes to an end.
Do you really want that to happen?
I don't care to discuss the validity of fees in place, what I'm trying to convey is the GPL is being followed correctly by the author and those that provide the club files for free. No one is in contempt -- legally.
And if all one cares about is business over humanity, then that's good for them. I personally care about humanity over business. Humans drive business, not the other way around. At the end of the day I like to think I have kept my friends close, and made new ones instead of creating enemies.
_________________ Paul Laudanski, Microsoft MVP Windows-Security
CastleCops: [de] [en] [wiki]
JG Sergeant
Joined: Jul 26, 2003
Posts: 124
Location: Cherry Hill, N.J.
Posted:
Mon Jul 28, 2003 6:03 pm
Quote:
Here is the problem I see... the problem is no longer running with the rules of the GPL, it's running with the ethical respect of the author. If one person buys into the club and distributes the files for free off his site, the income the author was hoping for has now evaporated. This means his only source of survival is now gone. The next step is to get another job, and shut down the phpnuke project. All this comes to an end.
Do you really want that to happen?
That is (almost) exactly the issue, and since I've joined I'd like to see it continue. It's not really a Club in a social sense, but more a trader's method of exchanging "value for value."
You're also dead on correct regarding the GPL license.
The issue is copyright, and what that protects is not the physical object as such, but the idea which it embodies. By forbidding an unauthorized reproduction of the object, the law declares, in effect, that the physical labor of copying is not the source of the object's value, that the value is created by the originator of the idea and may not be used without his/her consent; thus the law establishes the property right of a mind to that which it has brought into existence.
Also remember that the government does not "grant" a copyright, in the sense of a gift, privilege, or favor; the government merely secures it--i.e., the government certifies the origination of an idea and protects its owner's exclusive right of use and disposal.
Now if you take away a man's property rights, then you take away his individual rights, and make him a slave....who is to bow, agree and obey the wishes and whims of those who are "not traders" but are even less than thieves, then what exactly have you accomplished? Simple; the destruction of a mind.
I regret that the destruction has become a favorite pastime, and in a country whose citizens should know better.
A final note about the copy that is obtainable elsewhere which was posted earlier. While the SUMs match, the extracted files do NOT. So use at your own risk, and remember what in essence you are.
_________________ Galt
Zhen-Xjell Nuke Cops Founder
Joined: Nov 14, 2002
Posts: 5939
Posted:
Mon Jul 28, 2003 6:24 pm
I don't know about your final comment, but I can re-iterate that using a SUM is risky business as it calculates a 16 bit hash output. Now, to put things into perspective, the man page for des states:
Single-key DES is insecure due to its short key size.
And it's bigger than SUM. Now DES wouldn't be used here for hashing, but it's an analogy of sorts.
Use MD5, and forget SUM.
_________________ Paul Laudanski, Microsoft MVP Windows-Security
CastleCops: [de] [en] [wiki]
CanuckKev Lieutenant
Joined: Jun 02, 2003
Posts: 194
Location: Canada
Posted:
Mon Jul 28, 2003 7:04 pm
My two cents on this subject is to use MD5.
It has been used successfully to check for problems with downloaded files for a while now. Many Linux distributions post the MD5 hash for their ISO images to ensure that you got the download properly. There is a Windows-based MD5 as well as Linux and OSX.
Why not post the MD5 checksums for the official distributions? It wouldn't be hard and it would provide us (the users) with a little security.
Even slightly modified versions (take 6.5 secfix3 for example) could be posted from the source (in this case, NC). It's real quick on a 6-10 MB file (hell, it's not that long on a decent machine on a 650MB ISO...)
_________________ -CanuckKev
PRESS F5 AND ALL WILL BE CLEAR...
RidersClub
Raven General
Joined: Mar 22, 2003
Posts: 5233
Location: USA
Posted:
Mon Jul 28, 2003 7:13 pm
bwcbwc wrote:
Versions 6.6 and 6.7 have both been out for more than 30 days, so does anybody know why they haven't been released to the public? Is this a permanent change in policy to a pay-to-play format?
I and others have answered this many times already, but I will again. FB announced in a thread that is buried deep in the archives now, that he no longer would release interim releases after 6.5 to the public. Only Club members would get those. His only exception would be if an interim release was for major security issues. He will release 7.0 publicly when it is ready, 30 days after club members receive it.
Now, that is where we come in (NC). We supply most of the security fixes to FB. We also make them available to the public here. So the only thing you miss by not joining the club are the few interim enhancements.
I don't know about your final comment, but I can re-iterate that using a SUM is risky business as it calculates a 16 bit hash output. Now, to put things into perspective, the man page for des states:
Use MD5, and forget SUM.
In reference to the two seemingly identical files (ck-sum matched), I un-tar'd them, then did a cross file compare; they did not match. In the old days of my hacking youth, it was simple to install a worm or trojan and get the check sums to match. That means it's also simple to make file changes as was done. The details aren't important.
I would say you could put up a Poll, however I don't think it's for the users to decide as to how to provide some protection to the authors work, and give the user some assurance that he is working with what he paid for.
I also agree MD5 is the way to go, just get with FB, and implement it.
_________________ Galt
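Zhen-Xjell's point about 16-bit SUM versus MD5, and Raven's observation that two tarballs with matching ck-sums extracted to different files, are illustrated by this added example (not code from this thread or from PHP-Nuke). It computes the BSD `sum` checksum (the coreutils rotate-and-add algorithm) and the MD5 of a constructed in-memory tarball, then shows that a modified config.php carrying a 16-byte filler blob can be given the original archive's 16-bit checksum in a few hundred tries while the MD5 still changes; file names and contents are constructed samples.

```python
import hashlib, io, random, tarfile

MASK = 0xFFFF

def ror(s):  # rotate a 16-bit value right by one bit
    return (s >> 1) | ((s & 1) << 15)

def bsd_sum16(data):
    """The 16-bit checksum printed by the BSD 'sum' command: rotate right, then add each byte."""
    s = 0
    for b in data:
        s = (ror(s) + b) & MASK
    return s

def make_tarball(files):
    """Constructed in-memory uncompressed .tar with fixed metadata, so the bytes are reproducible."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(content), 0
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def verify_release(tar_bytes, published_md5):
    """What a downloader should do: hash the whole tarball and compare with the published digest."""
    return hashlib.md5(tar_bytes).hexdigest() == published_md5

def sum_preserving_tamper(tar_bytes, slot_len, target, seed=0):
    """Refill the slot_len filler bytes ending the last member so bsd_sum16(result) == target.
    Only NUL padding follows the slot (adding 0 is a pure rotation); the last filler byte is solved
    directly and the others are random, so about 256 tries are expected."""
    body = tar_bytes.rstrip(b"\x00")
    start, wanted = len(body) - slot_len, target
    for _ in range((len(tar_bytes) - len(body)) % 16):  # undo the trailing rotations (rol = ror inverse)
        wanted = ((wanted << 1) | (wanted >> 15)) & MASK
    prefix, rng = bsd_sum16(tar_bytes[:start]), random.Random(seed)
    for _ in range(1 << 16):
        filler, s = rng.getrandbits(8 * slot_len - 8).to_bytes(slot_len - 1, "big"), prefix
        for b in filler:
            s = (ror(s) + b) & MASK
        last = (wanted - ror(s)) & MASK
        if last < 256:
            return tar_bytes[:start] + filler + bytes([last]) + tar_bytes[len(body):]
    raise RuntimeError("no sum-preserving filler found")

ORIGINAL = b"<?php\n$sitename = 'PHP-Nuke';\n$dbhost = 'localhost';\n"  # constructed sample
TAMPERED = b"<?php\n$sitename = 'PHP-Nuke (modified)';\n$dbhost = 'localhost';\n"

def demo():
    good = make_tarball({"config.php": ORIGINAL})
    bad = sum_preserving_tamper(make_tarball({"config.php": TAMPERED + b"\xff" * 16}), 16, bsd_sum16(good))
    with tarfile.open(fileobj=io.BytesIO(bad)) as tar:
        extracted = tar.extractfile("config.php").read()
    return {"sum_matches": bsd_sum16(good) == bsd_sum16(bad),
            "md5_matches": verify_release(bad, hashlib.md5(good).hexdigest()),
            "extracted_differs": extracted != ORIGINAL}
```

The 0xff placeholder bytes only mark where the filler goes; the returned archive still extracts normally, which is exactly the "SUMs match, extracted files do not" situation described above.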
JG Sergeant
Joined: Jul 26, 2003
Posts: 124
Location: Cherry Hill, N.J.
Posted:
Mon Jul 28, 2003 7:45 pm
Quote:
Now, that is where we come in (NC). We supply most of the security fixes to FB. We also make them available to the public here. So the only thing you miss by not joining the club are the few interim enhancements
Let me agree to disagree.
I think you miss far more than a "few interim enhancements." For one, if you look just at 6.5 and compare what changes were made to 6.8 (and the 6.8 is nearly twice the size of 6.5) you're getting an enhanced program, with some mods implemented in the structure you don't have to install (work), not to mention a better de-bugged program.
The other thing is, you're more inclined to get support for problems you're having. (although I've seen answers not related to the same version offered as well)
The only other place I've seen the kind of support, and timely responses is with the Yabbs community (but their Admin functions leave much to be desired).
Also, if you're dirt poor, and need to dig into the borrow bag, you can still get the software for 10 bucks, and just join for a month. Hell, I've paid more for some shareware programs.
_________________ Galt
Raven General
Joined: Mar 22, 2003
Posts: 5233
Location: USA
Posted:
Tue Jul 29, 2003 2:28 am
Quote:
I think you miss far more than a "few interim enhancements." For one, if you look just at 6.5 and compare what changes were made to 6.8 (and the 6.8 is nearly twice the size of 6.5) you're getting an enhanced program, with some mods implemented in the structure you don't have to install (work) not to mention a better de-bugged program.
The reason for the size is that he didn't gzip the file (.tar.gz). He only tar'd it (.tar). It's just a packaging thing. Really, he's fixed only a few bugs and added a subcategory to news posts and a few other minor enhancements (imo). I don't have anything to agree or disagree about.
The whole notion of club downloads is now moot since this morning's news. It pays to believe and stand behind the author. Shows loyalty and trust.
_________________ Paul Laudanski, Microsoft MVP Windows-Security
CastleCops: [de] [en] [wiki]
JG Sergeant
Joined: Jul 26, 2003
Posts: 124
Location: Cherry Hill, N.J.
Posted:
Tue Jul 29, 2003 9:04 am
Raven wrote:
Quote:
I think you miss far more than a "few interim enhancements." For one, if you look just at 6.5 and compare what changes were made to 6.8 (and the 6.8 is nearly twice the size of 6.5) you're getting an enhanced program, with some mods implemented in the structure you don't have to install (work) not to mention a better de-bugged program.
The reason for the size is that he didn't gzip the file (.tar.gz). He only tar'd it (.tar). It's just a packaging thing. Really, he's fixed only a few bugs and added a subcategory to news posts and a few other minor enhancements (imo). I don't have anything to agree or disagree about.
Ok Raven, I'll say you certainly know better than I. I suppose if I were in that pair of shoes, though, I would be making it more clear for idiot newbies like myself that it's not the OFFICIAL version, but an enhanced one.
When I did the file compare by the way, I had both versions sitting on my server, not just on my HD. I installed them both.
_________________ Galt
Raven General
Joined: Mar 22, 2003
Posts: 5233
Location: USA
Posted:
Tue Jul 29, 2003 9:08 am
As ZX said, it's all moot now because FB is now releasing ALL versions after the 30 days. See, public opinion does matter. Thanks to everyone for expressing their views with passion, but also with courtesy!