September 23, 2007 at 2:58 am #1687
Black hats have become more and more clever; what once seemed the stuff of Hollywood movies is now reality: good software is being packaged with malware. A quick Google search will reveal that major software repositories (even the likes of SourceForge) have been compromised, and unwanted payloads have often been passed off as the regular code that users of the site were looking to download. This is not a new issue, but it is becoming more prevalent and widespread. As time-consuming as it sounds, we have no choice but to verify that the package is what the publishers intended it to be. The problem is that the programs used for checksum verification cost more than most budgets are equipped for (usually $1.00 past free).
Once again I have to plead poverty, and by I, I mean my organization. It may seem trivial to some, but spending $25-30.00 on a “security tool” is unconscionable. For that reason I had to forgo a lot of very reliable tools, until I found Verifier. I had almost given up hope when finally the right combination of search terms brought me to this amazing tool, found here: http://sourceforge.net/projects/verifier/ Verifier works on 63 hashing algorithms including MD5, SHA-1, RIPEMD, etc. It is an impressive list. Overall it is a great piece of open source software, but there is one major drawback: it’s old. The next version was due out Sept. 6, 2004, but apparently that wasn’t to be. I am using it with cautious optimism; hopefully some of you will take the plunge as well.
September 24, 2007 at 8:46 am #14206 0blivi0n (Participant)
Looks quite interesting... I’ll give it a try!
Thanks for the info!!
September 24, 2007 at 8:11 pm #14207 Anonymous (Participant)
> The problem is that the programs used for checksum verification cost more than most budgets are equipped for (usually $1.00 past free).
There are plenty of free tools to check all manner of checksums. I can think of cksum, md5sum and sha1sum off the top of my head.
> Once again I have to plead poverty, and by I, I mean my organization. It may seem trivial to some, but spending $25-30.00 on a “security tool” is unconscionable. For that reason I had to forgo a lot of very reliable tools, until I found Verifier.
Most sites publish the MD5 and/or SHA1 sums for files they want to distribute, so a tool supporting 63 different checksums may seem overkill. It’s good to have a tool that does all these checksums, though; you never know when you might want it.
Better than checksums for verifying package integrity is cryptographic signing with a public/private key system like GPG. RPM for example has support for signed packages so you can verify their integrity without spending undue time on the process.
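As an added example (not from this thread or from the Verifier project), here is what a free, scriptable checksum verifier along the lines of md5sum/sha1sum looks like in Python 3: it reads the sums files vendors publish, infers the algorithm from the digest length, and reports OK/FAILED/MISSING per file. The sample files and published digests are constructed from the standard "abc" test vectors; the file names are made up.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path
# One line of a coreutils sums file: "<hex digest>  <filename>" ("*<filename>" in binary mode).
SUMS_LINE = re.compile(r"^([0-9a-fA-F]+)\s+\*?(\S.*)$")
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}  # digest length -> name

def file_digest(path, algo, chunk=1 << 16):
    """Hash a file in chunks so large downloads are not read into memory at once."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def parse_sums(text):
    """Return [(filename, lowercase hex digest)] from md5sum/sha1sum-style output."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        m = SUMS_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised sums line: {line!r}")
        entries.append((m.group(2), m.group(1).lower()))
    return entries

def verify(sums_text, directory):
    """Check each published digest against the file on disk; the algorithm follows from digest length."""
    results = []
    for name, expected in parse_sums(sums_text):
        algo = ALGO_BY_HEX_LEN.get(len(expected))
        path = Path(directory) / name
        if algo is None:
            status = "UNKNOWN_ALGO"
        elif not path.is_file():
            status = "MISSING"
        else:  # constant-time compare is cheap and a good habit even for public digests
            status = "OK" if hmac.compare_digest(file_digest(path, algo), expected) else "FAILED"
        results.append((name, algo, status))
    return results

def demo():
    """Constructed sample: a good file, a one-byte-tampered copy and a file never downloaded."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "abc.txt").write_bytes(b"abc")
        (Path(d) / "abc-tampered.txt").write_bytes(b"abd")
        sums = ("900150983cd24fb0d6963f7d28e17f72  abc.txt\n"          # MD5("abc")
                "a9993e364706816aba3e25717850c26c9cd0d89d  abc.txt\n"  # SHA-1("abc")
                "900150983cd24fb0d6963f7d28e17f72  abc-tampered.txt\n"
                "900150983cd24fb0d6963f7d28e17f72  not-downloaded.txt\n")
        return verify(sums, d)
```

Run `demo()` to see the four verdicts; in practice you would point `verify` at the downloaded sums file and download directory.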
September 25, 2007 at 2:16 am #14208
I can appreciate the tools you mentioned, but they mostly are singular in nature. I like the idea of having one tool that can do it all.
Also, I agree PGP is the way to go, but most vendors barely provide MD5 or SHA1 hashes; I think we are a few years away from PGP becoming the norm for the average vendor.
September 28, 2007 at 5:22 pm #14209
September 29, 2007 at 3:47 am #14210
Ummm, well yeah…I guess that is why you are the editor 🙂
I honestly searched up and down for a freeware checksum verification tool, and Verifier was all I found. Clearly I need to brush up on my Google hacking skills, b/c what you found is more recent (and, most importantly, relevant).
I have never claimed to know everything, and based on this thread I am not going to start now 😉 I have not d/l this prog yet but it is on my short list of to do items.