Invalid signature on SANS alert (was Re: [svlug] FW: Fwd: ALERT - A DANGEROUS NEW WORM IS SPREADING ON THEINTERNET)

Karsten M. Self kmself at
Fri Mar 23 11:23:02 PST 2001

on Fri, Mar 23, 2001 at 01:07:21PM -0500, mike rock (mrock at wrote:
> Just apeared on one of the other lugs that I subscribe to,,
> Michael C. Rock
> From: "The SANS Institute" <securityalert at>
> To: "William Morris (SD102811)" <bill_morris at>
> Date: Fri, 23 Mar 2001 10:43:05 -0500
> X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300
> Hash: SHA1

Note that, at least for me, the signature on this alert is invalid.
While this doesn't mean the message isn't legit -- I've seen the same
alert in several places, and a PGP/GPG signature hash is very fragile, a
single character delta will invalidate it -- it would be helpful for
those who are forwarding signed material to:

  - Verify the signature on the document prior to forwarding it.
  - Use a method for forwarding the message which preserves the signed
    data unchanged.  MIME attachments are probably justified in this
  - Point to a canonical or central source for the information.
  - Mention specifically what _your_ initial source of contact was (what
    LUG, I wonder).

It's also generally a very *bad* idea to forward content you've seen
posted to another mailing list / weblog / website without at least
taking cursory attempts to verify the source material.  If _you_ don't
have the time to verify an alert, you're compounding the problem for
each of your recipients.  In short, the rule is:  verify, or don't
forward.  You're otherwise largely in the same class as chain letter and
Internet hoax dupes.

In the case of the current alert, a quick check of the SANS website
(itself subject to spoofing, DNS hacks, or MitM attacks), shows:


Karsten M. Self <kmself at>
 What part of "Gestalt" don't you understand?       There is no K5 cabal
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 232 bytes
Desc: not available
Url :

More information about the svlug mailing list