.

Verifier - free open source checksum verification

<<

linuxstarved

EH-Net Columnist
EH-Net Columnist

Posts: 49

Joined: Sat Sep 23, 2006 9:55 am

Post Sat Sep 22, 2007 9:58 pm

Verifier - free open source checksum verification

Black hats have become more and more clever, what once seemed the stuff of hollywood movies, is now reality; good software is being packaged with malware.  A quick google search will reveal that major software repositories (even the likes of sourceforge) have been compromised and unwanted payloads have often been passed off as the regular code that users of the site were looking to download. This is not a new issue, but it is becoming more prevelant and wide spread. As time consuming as it sounds, we have no choice but to verify that the package is what the publishers intended it to be.  The problem is that the programs used for checksum verification cost more than most budgets are equipped for (usually $1.00 past free).

Once again I have to plead poverty, and by I, I mean my organization.  It may seem trivial to some, but spending $25-30.00 on a "security tool" is unconscionable. For that reason that I had to forgo a lot of very reliable tools, until I found verifier.  I had almost given up hope, when finally the right combination of search terms brought me to this amazing tool, found here http://sourceforge.net/projects/verifier/ Verifier works on 63 hashing algorithms including MD5, SHA-1, Ripemd, etc.  It is an impressive list.  Overall it is a great piece of open source software, but their is one major drawback...it's old.  The next version was due out Sept. 6, 2004 but apparently that wasn't to be. I am using it with cautious optimism, hopefully some of you will take the plunge as well.
<<

0blivi0n

Newbie
Newbie

Posts: 11

Joined: Mon Sep 17, 2007 1:27 am

Post Mon Sep 24, 2007 3:46 am

Re: Verifier - free open source checksum verification

looks quite interesting....i'll give it a try!
thanx for the info!!
<<

jimbob

Post Mon Sep 24, 2007 3:11 pm

Re: Verifier - free open source checksum verification

RichM wrote:The problem is that the programs used for checksum verification cost more than most budgets are equipped for (usually $1.00 past free).

There are plenty of free tools to check all manner of checksums. I can think of cksum, md5sum and sha1sum off the top of my head.
RichM wrote:Once again I have to plead poverty, and by I, I mean my organization.  It may seem trivial to some, but spending $25-30.00 on a "security tool" is unconscionable. For that reason that I had to forgo a lot of very reliable tools, until I found verifier.

Most sites publish the MD5 and/or SHA1 sums for files they want to distribute, so a tool supporting 63 different checksums may seem overkill. It's good to have a tool that does all these checksums though, you never know when you might want it.

Better than checksums for verifying package integrity is cryptographic signing with a public/private key system like GPG. RPM for example has support for signed packages so you can verify their integrity without spending undue time on the process.

Regards,
Jimbob
<<

linuxstarved

EH-Net Columnist
EH-Net Columnist

Posts: 49

Joined: Sat Sep 23, 2006 9:55 am

Post Mon Sep 24, 2007 9:16 pm

Re: Verifier - free open source checksum verification

Jimbob,

I can appreciate the tools you mentioned, but they mostly are singular in nature.  I like the idea of having one tool that can do it all. 

Also, I agree PGP is the way to go, but most vendors barely provide md5 or SHA1 hashes; I think we are a few years away from PGP becoming the norm for the average vendor.
<<

don

User avatar

Administrator
Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Fri Sep 28, 2007 12:22 pm

Re: Verifier - free open source checksum verification

CISSP, MCSE, CSTA, Security+ SME
<<

linuxstarved

EH-Net Columnist
EH-Net Columnist

Posts: 49

Joined: Sat Sep 23, 2006 9:55 am

Post Fri Sep 28, 2007 10:47 pm

Re: Verifier - free open source checksum verification

Ummm, well yeah...I guess that is why you are the editor :) 

I honestly searched up and down for a freeware checksum verification tool, and Verifier was all I found.  Clearly I need to brush up on my google hacking skills, b/c what you found is more recent (and most importantly relevant). 

I have never claimed to know everything, and based on this thread I am not going to start now ;) I have not d/l this prog yet but it is on my short list of to do items.

Return to RichM

Who is online

Users browsing this forum: No registered users and 1 guest

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software