A bit OT: software security question for coders

[RayLopez99]

I'm thinking to release a C# .NET 4 Framework freeware program executable to Usenet. I will run the executable through one of those MD5 hash functiongenerators to generate a checksum.

Some questions

1/ nothwithstanding http://en.wikipedia.org/wiki/MD5 and apparently the MD5checksum is broken, I think for most small scale non-commercial routine freeware purposes the MD5 method is 'good enough' to guarantee security for asimple program like mine, which is nothing commercial and will simply calculate some chess scores. It's unlikely a sophisticated hacker will try andgenerate the same file signature with a virus attached. Agree?

2/ as it will be a C# program, I will run it through the 'Community Obfuscator' in Visual Studio 2010, but is there any way that somebody can reverse engineer the code and figure out what machine, or worse, which author, produced it? Because I also code with this same version of VS other commercialquality code under my real name? Does VS leave a serial number embedded in the IL (see: NET Framework intermediate language, http://www.dotnetperls.com/il)? But even if it does, I don't see how they would link this released freeware to my other stuff easily, though I'd hate for somebody to attacha virus to it then have people irate at the real me, thinking I did it.

3/ A good free site for anonymous public FTP and for attaching screenshots is? I know of a few places already but want others opinions. I wish to upload the program, with screenshots and a page of instructions. It's not a big program, so space is not an issue.

Thanks to all who reply. I will post this in another forum as well.

RL

 

[Astropher]

I'm thinking to release a C# .NET 4 Framework freeware program
executable to Usenet. I will run the executable through one of those
MD5 hash function generators to generate a checksum.

Some questions

1/ nothwithstanding http://en.wikipedia.org/wiki/MD5 and apparently the
MD5 checksum is broken, I think for most small scale non-commercial
routine freeware purposes the MD5 method is 'good enough' to guarantee
security for a simple program like mine, which is nothing commercial
and will simply calculate some chess scores. It's unlikely a
sophisticated hacker will try and generate the same file signature with
a virus attached. Agree?

MD5 is pretty useless and cannot verify the bona fides of software
author, nor can it guarantee security . It might pick up download
corruptions and some forms of tampering. However since your software is
non-commercial it probably doesn't matter.

2/ as it will be a C# program, I will run it through the 'Community
Obfuscator' in Visual Studio 2010, but is there any way that somebody
can reverseengineer the code and figure out what machine, or worse,
which author, produced it? Because I also code with this same version
of VS other commercial quality code under my real name? Does VS leave
a serial number embedded in the IL (see: NET Framework intermediate
language, http://www.dotnetperls.com/il)? But even if it does, I don't
see how they would link this released freeware to my other stuff
easily, though I'd hate for somebody to attach a virus to it then have
people irate at the real me, thinking I did it.

I don't think VS leaves a signature. If there were a signature is it
unlikely that code obfuscation would hide that kind of information very
well. Obfuscaton just makes it harder to understand the structure of
the code.

If you are are really paranoid, compile it with Mono (however this
depends on how extensively you have sipped from the Microsoft Kool-Aid
fountain).

3/ A good free site for anonymous public FTP and for attaching
screenshotsis? I know of a few places already but want others
opinions. I wish to upload the program, with screenshots and a page of
instructions. It's not abig program, so space is not an issue.

It sounds like you just need a web hosting account. HTTP downloads
would be just as good.

 

[RayLopez99]

On 2012-10-14 21:20:45 +1100, RayLopez99 said:



MD5 is pretty useless and cannot verify the bona fides of software

author, nor can it guarantee security . It might pick up download

corruptions and some forms of tampering. However since your software is

non-commercial it probably doesn't matter.

Yes, if I can find a SHA-1 whatever freeware program to do checksum (if you know of a freeware version please let me know) I'll use that instead. But the reason I said MD5 is that I have a freeware program to generate MD5 checksums.

I don't think VS leaves a signature. If there were a signature is it

unlikely that code obfuscation would hide that kind of information very

well. Obfuscaton just makes it harder to understand the structure of

the code.

Right. Another poster said the same thing--probably no serial number. I'll pass on Mono, having drunk the Kool-Aid on VS. ;-)

It sounds like you just need a web hosting account. HTTP downloads

would be just as good.

Can you click on a zip file on a HTTP URL, and it will download? I guess so, now that I think about it. So I guess I need a free anonymous web hosting account... failing to find one I'll use FileSend.

RL

 

[Paul]

Yes, if I can find a SHA-1 whatever freeware program to do
checksum (if you know of a freeware version please let me know)
I'll use that instead. But the reason I said MD5 is that I
have a freeware program to generate MD5 checksums.

fciv.exe can do sha1.

http://www.microsoft.com/en-us/download/details.aspx?id=11533

Paul

 

[Astropher]

Yes, if I can find a SHA-1 whatever freeware program to do checksum (if
you know of a freeware version please let me know) I'll use that
instead. But the reason I said MD5 is that I have a freeware program
to generate MD5 checksums.

There are loads of SHA-1 implementations floating around. The place
to go is github.com. Type SHA-1 into the search box, select C# as the
language and hit ENTER.

Because C# is so close to Java, you could search for Java
implementations as well. It is usually trivial to hand massage Java
code into C#.

Right. Another poster said the same thing--probably no serial number.
I'll pass on Mono, having drunk the Kool-Aid on VS. ;-)

Mono has a very good compiler. It should be able to compile a vanilla
VS code without any problems. The issue is if you have used specific to
Microsoft classes.

 

[Loren Pechtel]

Can you click on a zip file on a HTTP URL, and it will download? I guess so, now that I think about it. So I guess I need a free anonymous web hosting account... failing to find one I'll use FileSend.

Yeah, I've written a website that did this. (Admittedly, only under
IIS on my own machine, it's not ready for deployment anywhere yet. The
zip file was built in memory and sent in response to a webpage
request. The browser downloaded it fine.)

 

[RayLopez99]

There are loads of SHA-1 implementations floating around. The place

to go is github.com. Type SHA-1 into the search box, select C# as the

language and hit ENTER.

I see. But I think you have something else in mind, something more complex.I was going to just say to the user "This executable has SHA-1 hash code:[asdasfasfaw whatever]" and let the user run it through their own checker to verify. But maybe that's too much work for a lazy user? In which case,is it possible for a program to check it's own hash signature, and if it'sbeen modified not run? I guess so...but it sounds like a catch 22--how doyou know what the hash is, if you've not written the program? The addition of an extra line of code will alter the signature... I'm not talking about installing a program, that would be trivial to check hash and not installif hash is not the same... anyway, not a big deal since for me I'll just warn the user that the hash is so-and-so and if they want they can check it themselves.

Thanks to Paul too for the freeware link to the SHA-1 program.

RL