Re: Spyware in Octave

help-octave

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Spyware in Octave

From:	Rob Mahurin
Subject:	Re: Spyware in Octave
Date:	Fri, 19 Sep 2008 09:54:56 -0400

On Sep 19, 2008, at 3:34 AM, David Bateman wrote:

Rob Mahurin wrote:
I agree the most likely explanation is a false detection. But Ihaven't seen in this discussion any way to verify that
1. the octave-forge installer is the same file uploaded in May(Bruce installed his version a week or so after the upload)
2. the "suspicious" binaries are the same binaries carried bythe installer
If both of these are true, and the false detection is on a filefrom the Octave project, it would be good PR to try and avoid theproblem in the windows release of 3.0.2.
This all comes down to a question of trust, and in the end you haveto trust someone.. Imagine that we put the MD5 sum of the binary onthe octave-forge pages so that they might be check. ... The websiteand the above file are both hosted by sourceforge. The binary is aswell. Therefore saying that the binary is the same as uploaded atsuch and such a date as the MD5 sum agrees is problematic assomeone who is able to alter the binary is also capable of alteringthe webpage or file with the MD5 sums as well.

This is true: a malicious and omnipotent attacker could replace thebinary, and its checksum on sourceforge, and the archives of themailing list announcement, and the developer's own records. Orreplace the installer with a file with the same checksum, see http://www.win.tue.nl/hashclash/SoftIntCodeSign/. I think these scenariosare unlikely.

So yes it gives a bit more protection. However that protection islargely illusory. If it makes people happier then sure why notpublish the MD5 sums.

This is sort of like saying that a deadbolt provides illusoryprotection for your house. A burglar could just knock down the door,or copy your housekey, or drill out the lock and replace it with anew one from the hardware store (locking you! out of your own house!heavens!).

I'm not suggesting cryptographically signed installer, or trying toraise epistemological questions about trust. But published checksumswould be useful.


Cheers,
Rob

--
Rob Mahurin
Dept. of Physics & Astronomy
University of Tennessee         phone: 865 207 2594
Knoxville, TN 37996             email: address@hidden

[Prev in Thread]

Current Thread

[Next in Thread]

Spyware in Octave, (continued)
- Spyware in Octave, Thomas L. Scofield, 2008/09/16
  - Re: Spyware in Octave, dbateman, 2008/09/17
    - RE: Spyware in Octave, Labitt, Bruce, 2008/09/17
    - RE: Spyware in Octave, dbateman, 2008/09/17
    - RE: Spyware in Octave, Labitt, Bruce, 2008/09/17
    - Re: Spyware in Octave, Michael Goffioul, 2008/09/18
    - Re: Spyware in Octave, dbateman, 2008/09/18
  - Re: Spyware in Octave, Michael Goffioul, 2008/09/18
    - Re: Spyware in Octave, Rob Mahurin, 2008/09/18
    - Re: Spyware in Octave, David Bateman, 2008/09/19
    - Re: Spyware in Octave, Rob Mahurin <=

Prev by Date: Re: Displaying an animation / "movie"
Next by Date: RE: Help-octave Digest, Vol 30, Issue 49
Previous by thread: Re: Spyware in Octave
Next by thread: Added 3D graphics card - do I need to recompile Octave?
Index(es):
- Date
- Thread