Re: Spyware in Octave
From: Rob Mahurin
Subject: Re: Spyware in Octave
Date: Fri, 19 Sep 2008 09:54:56 -0400
On Sep 19, 2008, at 3:34 AM, David Bateman wrote:

> Rob Mahurin wrote:
>> I agree the most likely explanation is a false detection. But I
>> haven't seen in this discussion any way to verify that
>> 1. the octave-forge installer is the same file uploaded in May
>> (Bruce installed his version a week or so after the upload)
>> 2. the "suspicious" binaries are the same binaries carried by
>> the installer
>> If both of these are true, and the false detection is on a file
>> from the Octave project, it would be good PR to try and avoid the
>> problem in the Windows release of 3.0.2.
>
> This all comes down to a question of trust, and in the end you have
> to trust someone... Imagine that we put the MD5 sum of the binary on
> the octave-forge pages so that they might be checked. ... The website
> and the above file are both hosted by sourceforge. The binary is as
> well. Therefore saying that the binary is the same as uploaded at
> such and such a date as the MD5 sum agrees is problematic as
> someone who is able to alter the binary is also capable of altering
> the webpage or file with the MD5 sums as well.

This is true: a malicious and omnipotent attacker could replace the
binary, and its checksum on sourceforge, and the archives of the
mailing list announcement, and the developer's own records. Or
replace the installer with a file with the same checksum, see
http://www.win.tue.nl/hashclash/SoftIntCodeSign/. I think these
scenarios are unlikely.

> So yes it gives a bit more protection. However that protection is
> largely illusory. If it makes people happier then sure why not
> publish the MD5 sums.

This is sort of like saying that a deadbolt provides illusory
protection for your house. A burglar could just knock down the door,
or copy your housekey, or drill out the lock and replace it with a
new one from the hardware store (locking you! out of your own house!
heavens!).

I'm not suggesting a cryptographically signed installer, or trying to
raise epistemological questions about trust. But published checksums
would be useful.
Cheers,
Rob
--
Rob Mahurin
Dept. of Physics & Astronomy
University of Tennessee phone: 865 207 2594
Knoxville, TN 37996 email: address@hidden
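The checksum comparison the thread is arguing about, as an added example that is not part of the original post or of the Octave project: it parses a published sums file in the line format that md5sum and sha256sum emit, hashes each listed file in chunks, and compares the result in constant time. It accepts both MD5 and SHA-256 lines; since the hashclash work cited above shows that MD5 collisions are practical, a project that publishes sums should at least add SHA-256 beside the MD5 values. The file names, the "installer" bytes and the sums file are constructed for the demo and are not real Octave artifacts.

```python
import hashlib
import hmac
import os
import tempfile

# Digest length in hex characters -> hashlib algorithm name. SHA-256 is listed
# because MD5 collisions are practical (see the hashclash link in the thread).
ALGO_BY_LEN = {32: "md5", 64: "sha256"}
HEX_CHARS = set("0123456789abcdefABCDEF")


def parse_sums(text):
    """Parse md5sum/sha256sum output lines ('<hex>  <name>' or '<hex> *<name>').

    Returns {(name, algo): hexdigest}; blank, comment and malformed lines are skipped.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rest = line.partition(" ")
        # GNU coreutils writes ' *name' for binary mode and '  name' for text mode.
        name = rest.lstrip(" ").lstrip("*")
        algo = ALGO_BY_LEN.get(len(digest))
        if algo is None or not name or not set(digest) <= HEX_CHARS:
            continue
        entries[(name, algo)] = digest.lower()
    return entries


def file_digest(path, algo, chunk_size=1 << 20):
    """Hash a file in chunks so a large installer is not read into memory at once."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def verify(sums_text, directory):
    """Check every entry of a published sums file against the files in `directory`.

    Returns {(name, algo): "ok" | "mismatch" | "missing"}.
    """
    results = {}
    for (name, algo), expected in parse_sums(sums_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[(name, algo)] = "missing"
            continue
        actual = file_digest(path, algo)
        # Constant-time comparison of the two ASCII hex strings.
        ok = hmac.compare_digest(actual, expected)
        results[(name, algo)] = "ok" if ok else "mismatch"
    return results


def demo():
    """Constructed scenario (not real Octave files): a fake installer, a sums file
    listing it under both MD5 and SHA-256 plus a file that was never downloaded,
    then the same check after one byte of the installer has been altered."""
    name = "octave-forge-installer.exe"  # hypothetical file name
    data = b"constructed installer bytes, not a real binary\n" * 64
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, name)
        with open(path, "wb") as f:
            f.write(data)
        sums_text = "\n".join([
            f"{hashlib.md5(data).hexdigest()}  {name}",
            f"{hashlib.sha256(data).hexdigest()} *{name}",
            # Constructed entry for a file that is not present locally.
            f"{hashlib.sha256(b'never downloaded').hexdigest()}  other-download.zip",
            "not a checksum line",
        ])
        before = verify(sums_text, d)
        with open(path, "r+b") as f:  # flip one byte, as a tampered download would
            f.seek(7)
            f.write(b"X")
        after = verify(sums_text, d)
    return before, after


if __name__ == "__main__":
    for label, res in zip(("pristine", "tampered"), demo()):
        print(label)
        for (name, algo), status in sorted(res.items()):
            print(f"  {algo:6} {status:8} {name}")
```

This only establishes that the download matches what was published. As David's point in the thread stands, sums hosted next to the binary can be replaced by whoever can replace the binary, so the sums are worth fetching through a second channel (the list announcement, a developer's mail) before comparing.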