file tampering ? digital certificates ? files hash ?

PORT-APTS
Joined: 2008-01-03 19:56
File tampering? Digital certificates? File hash?

How can I tell if a setup install program from a developer wasn't tampered with by someone else, if there's no digital certificate or hash info provided for the setup install file?

How do I tell if the file has been tampered with, without a digital security certificate or the file's hash?

signed
curious GEORGE

digitxp
Joined: 2007-11-03 18:33
Good Question

Scarily enough, I'm a pretty paranoid person already and I've never thought to look at that. In that case, the best idea is to run everything in separate Windows virtual machines, and backup/restore/wipe the data every usage.

Or not care.

(Sorry if that sounded sarcastic, but I was serious.)

Insert original signature here with Greasemonkey Script.

PORT-APTS
Joined: 2008-01-03 19:56
I guess no sec certificate or hash info with the setup file means no guarantee the file is safe?

I do run a virus scanner though on setup programs.

OliverK
Developer
Joined: 2007-03-27 15:21
I usually provide an MD5 sum for my setup packages. Else it works on trust. So far the people that usually release apps (Myself, wraithdu, ZachThibeau, JohnTHaller, and man, many many more) haven't gotten in trouble for doing that. We take pride in what we do and in providing good clean software for all who wish it.

And by the way, it is a good thing to scan it. Do you use VirusTotal and Jotti?

Too many lonely hearts in the real world
Too many bridges you can burn
Too many tables you can't turn
Don't wanna live my life in the real world

PORT-APTS
Joined: 2008-01-03 19:56
I use AVAST AV to scan my apps... it hopefully knows malware?

I guess that's what it's all about, trust... although I don't know what crackers think of unsigned code? open and seek? u-ha-ha-humm?

OliverK
Developer
Joined: 2007-03-27 15:21
VirusTotal and Jotti are online sites that allow you to upload a file and have it scanned by probably 25 scanners between the two of them.

digitxp
Joined: 2007-11-03 18:33
VirusTotal has 41.

PORT-APTS
Joined: 2008-01-03 19:56
cool pic of ur self http://www.simplexitynetwork.com/mr.soup12/me.jpg
a ha ha cool pic man...

Tim Clark
Joined: 2006-06-18 13:55
There are risks involved.

I for one would never download a file from a newcomer, signed/hashed or whatever, until he has proven himself over time, unless others who have good security procedures in effect have commented already.

Even with known folks, I scan all downloads through VirusTotal.

The problem with signing is that if the program had malicious content, signing would not tell you that; and even if the program were not malicious, if the signer signed it without realizing it was infected with a virus that he did not know he had, it would have a valid signature but still be infected.

Checksums/hashes only tell you if the download was successfully completed.
Signatures are only as trustworthy as the person who signed them.

If you are truly concerned I would say don't download apps from this site until they are Officially Released and signed.

And all of our Official Releases come from our servers on SourceForge, I would never download a version from MakeShift.com Shock

Tim

Things have got to get better, they can't get worse, or can they?
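
Added example, not code from the thread or from any poster: a check of a downloaded installer against a published `sha256sum`-style checksum line, run on constructed bytes. It also shows the case where the checksum line comes from the same place as an altered file and therefore still matches. The file name `ExampleSetup.exe` and the sample bytes are assumptions made up for the demonstration.

```python
import hashlib
import hmac
import io

def file_digest(stream, algo="sha256", chunk_size=65536):
    """Hash a binary stream in chunks so large installers need not fit in memory."""
    h = hashlib.new(algo)
    for block in iter(lambda: stream.read(chunk_size), b""):
        h.update(block)
    return h.hexdigest()

def parse_checksum_line(line, algo="sha256"):
    """Parse an md5sum/sha256sum-style line: '<hex digest>  <filename>'."""
    digest, _, name = line.strip().partition(" ")
    expected_len = hashlib.new(algo).digest_size * 2
    if len(digest) != expected_len or any(c not in "0123456789abcdefABCDEF" for c in digest):
        raise ValueError(f"not a {algo} digest: {digest!r}")
    return digest.lower(), name.lstrip(" *")

def matches_published(stream, checksum_line_text, algo="sha256"):
    """True only if the stream's digest equals the digest in the published line."""
    expected, _name = parse_checksum_line(checksum_line_text, algo)
    return hmac.compare_digest(file_digest(stream, algo), expected)

# Constructed sample data standing in for a real download.
ORIGINAL = b"MZ" + b"\x00" * 64 + b"constructed installer payload"
TAMPERED = ORIGINAL + b"extra bytes added after release"

def checksum_line(data, name="ExampleSetup.exe", algo="sha256"):
    """Build the line a publisher would post next to the download."""
    return f"{hashlib.new(algo, data).hexdigest()}  {name}"

def demo():
    trusted = checksum_line(ORIGINAL)      # obtained from the developer's own page
    same_mirror = checksum_line(TAMPERED)  # rewritten alongside the altered file
    return {
        "original_vs_trusted": matches_published(io.BytesIO(ORIGINAL), trusted),
        "tampered_vs_trusted": matches_published(io.BytesIO(TAMPERED), trusted),
        "tampered_vs_same_mirror": matches_published(io.BytesIO(TAMPERED), same_mirror),
    }

if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'match' if ok else 'MISMATCH'}")
```

The third result is the one to note: a digest only detects tampering when it is obtained from a source the person altering the file could not also change.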
