A tad off topic. MD5 and DLs.

Michael Butler

Hi everybody,

I'm a mere novice at these "Freeware" opportunities, so please be gentle
with me. I'm interested in using a registry backup facility and I've chosen
the following:

Backup-Registry, Emergency Recovery Utility NT (ERUNT)
(Donationware).

Description: Erunt allows a complete backup and restore of the Registry for
Windows NT 4.0 and all following versions based on the NT kernel (2000, XP)

http://www.larshederer.homepage.t-online.de/erunt

My PC is a 'Packard Bell Xtreme, AMD Athlon, 2.5 GHz, 1 GB RAM and 120 GB
Hard drive, about 20% used. I'm running 'Windows' XP Home edition with SP2.

My question is: As in the past I've been zapped with a nasty PC virus and
then, had to do a complete software re-build, I feel very cautious about
running/un-packing a downloaded file. So in an attempt to minimise this
risk, I now use an 'MD5' Hash calc' for downloaded file integrity checking
and I'm careful about what site I'm downloading from. The only problem is
that I can't find the MD5 value at the above web site. Am I missing
something? Surely it's imperative that the code remains pristine, between
the author and the user, and not fiddled with, in-between. Is it that,
perhaps, the MD5 value is placed in the downloaded file and my XP will then
automatically extract this value and do a MD5 check? Or, perhaps I can
extract this value for my MD5 calc' to read? Is it also that there is a list
of platinum web sites, that you feel 100% confident about, that I'm not
aware of yet, please tell me?

Many thanks for your wisdom folks.
 
Will McGugan

The site doesn't give an MD5 hash for the installers. Putting the hash
inside the installer would be pretty pointless because an attacker would
create a new hash after fiddling with it.

The best you can do is scan the file for viruses. Frankly most virii
don't get on to your machine this way. Nowadays they tend to use email,
or browser / OS flaws to infect PCs.

Will McGugan
 
me

Hi,

MD5 is not used by all sites/authors. The absence of MD5 all by
itself is "neutral" -- all it means is that the "author" of the
file did not make one, or that the site did not make it
available for download.

The presence of a MD5 helps but it's not a 100% guarantee the
corresponding file is "clean" (free of malware).
Let's say, for example, that a "white hat" makes a program and
its MD5 available for d/l on site "A." There is nothing to
prevent a "black hat" from infecting that program, generating a
new MD5, and releasing it on site "B."

In practice, it is reasonable to assume that
- a download verified by its corresponding MD5 was not damaged
in transmission.
- a download from trusted sites, say openoffice.org, verified
by its corresponding MD5 is what that site claims it's supposed
to be.

It is, indeed, prudent to use MD5 whenever possible. However, a
valid MD5 should not be the sole verification of "goodness"
(authenticity).

J
 
d4uAdmin

I don't know how much this will help or not but why don't you create a
System Restore point before you install the software you want to
install?

XP comes with it, I haven't used it personally because I have another
way of doing things that is not too effective, but it works for me so
far.

If you are technically inclined or are interested in pursuing it
further let me know....

Regards,
Chris
==========================================================================
http://www.Download4U.net is my personal short list of quality business
software
 
Al Klein

Is it also that there is a list
of platinum web sites, that you feel 100% confident about, that I'm not
aware of yet, please tell me?

It's usually safe to download from the author's own site.
 
M

Michael Butler

"Putting the hash inside the installer would be pretty pointless because an
attacker would create a new hash after fiddling with it". You're right, I hadn't
thought of that, I've got a lot to learn!

"The best you can do is scan the file for viruses". I do, once I've
downloaded a file, I scan it with 'Norton AV', but does 'Norton' scan just
the single DL zipped file or does it de-compress this file and then scan all
the contents? I suppose a zipped virus image can be identified just as an
un-zipped virus image! What a complicated, but engrossing subject this PC
stuff is.

Thanks for thoughts, Michael.
 
Michael Butler

“There is nothing to prevent a "black hat" from infecting that program,
generating a new MD5, and releasing it on site "B."” and “In practice, it
is reasonable to assume that - a download verified by its corresponding MD5 was
not damaged in transmission”. My confidence in MD5 has just taken a dive,
but I can now see that its usefulness is in the fidelity of the DL
transmission and not in the authentication of the original code work. This
has added to my knowledge, many thanks, Michael.
 
Michael Butler

I've had a number of issues with XP 'Restore', basically you can't rely on it
to restore, anything! Quotes like "Unable to make a full restore, sorry" aren't
unusual or good enough, so you go back to the next 'restore' point, only to
be greeted with the same! This doesn't breed much confidence, but I still do
'Restore' points just before a new bit of software install, because I'm
basically an optimist or a fool, they're very close.

"XP comes with it, I haven't used it personally because I have another way
of doing things that is not too effective, but it works for me so far. If
you are technically inclined or are interested in pursuing it further let me
know..". Thanks for this, I'll take you up on your offer, if I may, I'll
Email you directly for this info, but I'll wait/watch for your permission
for me to do this. Many thanks, Michael.
 
Michael Butler

"It's usually safe to download from the author's own site". The concern I
have is that when you go to DL, you can be routed through to a number of DL
servers and mirror options, some of which are pretty junky and full of adverts
and 'pop ups' that are rejected of course by XP, SP2. I've personally found
authors' own sites, that you can DL from, not very common. Many thanks for
your thoughts, Michael.
 
Al Klein

"It's usually safe to download from the author's own site". The concern I
have is that when you go to DL, you can be routed through to a number of DL
servers and mirror options, some of which are pretty junky and full of adverts
and 'pop ups' that are rejected of course by XP, SP2.

It's up to you to know what site you're downloading from. Watch what
your browser is telling you. If it's still not clear, view the source
of the page that has the link. (You may have to learn how to read
html, but learning is never a bad thing.)
 
Lordy

“There is nothing to prevent a "black hat" from infecting that program,
generating a new MD5, and releasing it on site "B."” and “In practice, it
is reasonable to assume that - a download verified by its corresponding MD5 was
not damaged in transmission”. My confidence in MD5 has just taken a dive,
but I can now see that its usefulness is in the fidelity of the DL
transmission and not in the authentication of the original code work. This
has added to my knowledge, many thanks, Michael.

That's why one should get the md5 sums from the author's site. Regardless of
where the download comes from. If an author goes to the effort of
publishing md5sums they should (and usually do) have the sums directly on
their website even if the download isn't. As previous poster pointed out,
downloading the sums from the same mirror site is a fairly redundant thing
to do as far as authenticity is concerned. But still very useful to verify
a download was not damaged in transmission. (i.e. I downloaded this
unauthenticated bit of software successfully :) ).

Checking against the sums from the author's site allows you to
additionally say - And its sum is the same as on the author's site :)

Lordy
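
An added example, not part of any post in this thread: it works through the site "A" / site "B" scenario and the advice to take the sum from the author's own site, showing what each kind of checksum match does and does not establish. The function names, result labels and sample bytes are constructed for illustration.

```python
import hashlib
import os
import tempfile

def file_digest(path, algo="md5", chunk_size=65536):
    """Hash a file in chunks so a large installer need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def assess_download(path, author_sum=None, mirror_sum=None, algo="md5"):
    """Classify what a checksum comparison proves for this download.

    algo defaults to md5 because that is what the thread uses; any name
    accepted by hashlib.new (e.g. "sha256") works where the author publishes one.
    """
    actual = file_digest(path, algo)

    def same(published):
        return actual == published.strip().lower()

    if author_sum is not None:
        # Sum fetched from the author's own site, independently of the mirror.
        return "matches-author" if same(author_sum) else "differs-from-author"
    if mirror_sum is not None:
        # Sum served from the same place as the file: transfer integrity only.
        return "transfer-intact-only" if same(mirror_sum) else "corrupt-or-altered"
    return "unverified"

def demo():
    """Constructed scenario: author's site A versus a tampering site B."""
    original = b"constructed installer bytes v1.0"
    tampered = original + b" plus altered content"
    author_sum = hashlib.md5(original).hexdigest()  # as published on site A
    mirror_sum = hashlib.md5(tampered).hexdigest()  # regenerated on site B
    with tempfile.NamedTemporaryFile(delete=False) as fh:
        fh.write(tampered)                          # the file the user received
        path = fh.name
    try:
        return (assess_download(path, mirror_sum=mirror_sum),
                assess_download(path, author_sum=author_sum))
    finally:
        os.unlink(path)

if __name__ == "__main__":
    print(demo())
```

The altered file passes against the sum served alongside it and fails against the author's sum, which is the distinction the posts above draw.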
 
Michael Butler

That's a very good point you make, thank you. Trying though to keep up with
all this ever spawning computer wizardry, with its myriad of technological
applications is just gob smacking, particularly if you're like me, possessing
only 1 brain cell and even that I'm in fear of losing with old age. ;~0
Thanks folks for all your comments.

(Snip) you can be routed through to a number of DL
 
Al Klein

That's a very good point you make, thank you. Trying though to keep up with
all this ever spawning computer wizardry, with its myriad of technological
applications is just gob smacking, particularly if you're like me, possessing
only 1 brain cell and even that I'm in fear of losing with old age. ;~0
Thanks folks for all your comments.

At least this thread accomplished one thing:

I downloaded a MD5 program and I now have the MD5 checksum of each of
my programs listed on my web site, along with the file date and time.
 
