Black hats have become more and more clever, what once seemed the stuff of hollywood movies, is now reality; good software is being packaged with malware. A quick google search will reveal that major software repositories (even the likes of sourceforge) have been compromised and unwanted payloads have often been passed off as the regular code that users of the site were looking to download. This is not a new issue, but it is becoming more prevelant and wide spread. As time consuming as it sounds, we have no choice but to verify that the package is what the publishers intended it to be. The problem is that the programs used for checksum verification cost more than most budgets are equipped for (usually $1.00 past free).
Once again I have to plead poverty, and by I, I mean my organization. It may seem trivial to some, but spending $25-30.00 on a "security tool" is unconscionable. For that reason that I had to forgo a lot of very reliable tools, until I found verifier. I had almost given up hope, when finally the right combination of search terms brought me to this amazing tool, found here http://sourceforge.net/projects/verifier/
Verifier works on 63 hashing algorithms including MD5, SHA-1, Ripemd, etc. It is an impressive list. Overall it is a great piece of open source software, but their is one major drawback...it's old. The next version was due out Sept. 6, 2004 but apparently that wasn't to be. I am using it with cautious optimism, hopefully some of you will take the plunge as well.