C# .NET 4 Framework freeware program security question

[RayLopez99]

I'm thinking to release a C# .NET 4 Framework freeware program executable to Usenet. I will run the executable through one of those MD5 hash functiongenerators to generate a checksum.

Some questions:

1/ nothwithstanding http://en.wikipedia.org/wiki/MD5 and apparently the MD5checksum is broken, I think for most small scale non-commercial routine freeware purposes the MD5 method is 'good enough' to guarantee security for asimple program like mine, which is nothing commercial and will simply calculate some chess scores. It's unlikely a sophisticated hacker will try andgenerate the same file signature with a virus attached. Agree?

2/ as it will be a C# program, I will run it through the 'Community Obfuscator' in Visual Studio 2010, but is there any way that somebody can reverse engineer the code and figure out what machine, or worse, which author, produced it? Because I also code with this same version of VS other commercialquality code under my real name? Does VS leave a serial number embedded in the IL (see: NET Framework intermediate language, http://www.dotnetperls.com/il)? But even if it does, I don't see how they would link this released freeware to my other stuff easily, though I'd hate for somebody to attacha virus to it then have people irate at the real me, thinking I did it.

3/ A good free site for anonymous public FTP and for attaching screenshots is? I know of a few places already but want others opinions. I wish to upload the program, with screenshots and a page of instructions. It's not a big program, so space is not an issue.

Thanks to all who reply.

RL

 

[Arne Vajhoej]

I'm thinking to release a C# .NET 4 Framework freeware program
executable to Usenet. I will run the executable through one of those
MD5 hash function generators to generate a checksum.

Use SHA-256 instead.

Some questions:

1/ nothwithstanding http://en.wikipedia.org/wiki/MD5 and apparently
the MD5 checksum is broken, I think for most small scale
non-commercial routine freeware purposes the MD5 method is 'good
enough' to guarantee security for a simple program like mine, which
is nothing commercial and will simply calculate some chess scores.
It's unlikely a sophisticated hacker will try and generate the same
file signature with a virus attached. Agree?

No.

It does not cost you anything to use a hash algorithm that does not have
known collision attacks.

There are some risk and even though it may be small, then it is greater
than zero.

Never use MD5. Unless you have a legacy compatibility problem to solve.

2/ as it will be a C# program, I will run it through the 'Community
Obfuscator' in Visual Studio 2010, but is there any way that somebody
can reverse engineer the code and figure out what machine, or worse,
which author, produced it? Because I also code with this same
version of VS other commercial quality code under my real name? Does
VS leave a serial number embedded in the IL (see: NET Framework
intermediate language, http://www.dotnetperls.com/il)? But even if
it does, I don't see how they would link this released freeware to my
other stuff easily, though I'd hate for somebody to attach a virus to
it then have people irate at the real me, thinking I did it.

I don't think the C# compiler leaves a serial number in the binary. That
would be a big privacy issue.

3/ A good free site for anonymous public FTP and for attaching
screenshots is? I know of a few places already but want others
opinions. I wish to upload the program, with screenshots and a page
of instructions. It's not a big program, so space is not an issue.

Anonymous FTP is a bit oldfashioned.

SourceForge, Google Code or CodePlex was more obvious today.

Of course those assume source code, but who would run a binary from
someone they do not know today.

Arne

 

[RayLopez99]

SourceForge, Google Code or CodePlex was more obvious today.



Of course those assume source code, but who would run a binary from

someone they do not know today.

Arne, thanks for those tips. SourceForge, Google Code or CodePlex: do theyallow uploads of executables? I was thinking of Filesend. Anyway, a usercan run the executable past those online virus scanning services if they think it's a virus--they are reliable, no?

Anyway how would a casual user compile source code, and what advantage would compiling have over a binary anyway? if it's a virus, it will compile into a virus.

I might do a text table as well, since you're right most people won't run the executable, so I'll just output the results of the executable. It's the results that are important in this program.

RL

 

[Arne Vajhoej]

Arne, thanks for those tips. SourceForge, Google Code or CodePlex:
do they allow uploads of executables?

You will need to check ToS.

But typical you can download both binary and source.

Anyway, a user can run the executable past those online virus
scanning services if they think it's a virus--they are reliable, no?

Yes, but that is not really an efficient check.

Anyway how would a casual user compile source code, and what
advantage would compiling have over a binary anyway? if it's a
virus, it will compile into a virus.

Most users will just take the binary.

But some users will take the source and look at it.

Arne