On 05/02/15 22:17, Michael Schwingen wrote:
> On 05.02.2015 21:59, Freddie Chopin wrote:
>> On 02/05/2015 08:49 PM, Michael Schwingen wrote:
>>> For this to be true, the checksums would have to come from a different 
>>> source. If someone can modify the binary on your webserver, he could 
>>> also modify the md5sum files. cu Michael
>> The MD5 checksums are visible on the website and I verified that they 
>> match the files I have backed up "locally" - these files are "originals" 
>> which I uploaded to the website. Of course someone could have hacked my 
>> personal computer, ...
> They are now (unless a MITM modifies my download), but are they still
> unmodified when I download the files next week?
>> Let's not pursue this "false positive" madness any further (; This is 
>> just a case of heuristics trying to be too smart, the files are clean.
> I am convinced the files are clean, I am just saying that verifying the
> MD5-sums from the same source as the download is nearly useless to make
> sure the files are original.

MD5 sums on the same source are not entirely useless - it is quite
believable that automated hacks, script kiddies, and amateur crackers
would change the binary files but not the text md5 sums.  Someone more
serious making a directed attack would, of course, change the sums to
cover their tracks.

Of course, the main point of the sums is to help people with unreliable
downloaders (there are still people in the world that use Internet
Explorer!) to ensure that the file transfer is correct.

> 
> Now if you had included the MD5-sums of the files in your mail, we would
> have had an independent channel for verification.
> 

Good idea.



_______________________________________________
OpenOCD-devel mailing list
OpenOCD-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openocd-devel
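
The distinction argued in this thread, as an added example that is not part of the original mails or of OpenOCD: a sum fetched from the download server only shows the transfer was intact, while a sum from an independent channel (such as the list mail suggested above) also exposes a swapped binary with a swapped sum file. The function names, channel labels and sample payloads are hypothetical and constructed for the illustration.

```python
import hashlib
import os
import tempfile

def file_digest(path, algorithm="md5"):
    """Hash a file in chunks; MD5 by default because that is what the thread uses."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def assess(actual, references):
    """references: (channel, published_digest, same_origin) tuples, where
    same_origin is True if the sum came from the same server as the download."""
    if not references:
        return "unverified"      # nothing to compare against
    actual = actual.lower()
    ok = [(same, actual == digest.strip().lower())
          for _channel, digest, same in references]
    if not all(match for _same, match in ok):
        return "mismatch"        # damaged transfer, or file/sum was modified
    if any(not same for same, _match in ok):
        return "verified"        # agrees with an independent channel
    return "transfer-ok"         # only rules out a damaged download

def demo():
    # Constructed sample data: a stand-in "release" and a modified copy of it.
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "release.bin")
        bad = os.path.join(d, "modified.bin")
        with open(good, "wb") as f:
            f.write(b"constructed release payload\n")
        with open(bad, "wb") as f:
            f.write(b"constructed release payload\n+extra")
        published = file_digest(good)        # sum computed from the original
        site = ("website", published, True)
        mail = ("list mail", published, False)
        bad_site = ("website", file_digest(bad), True)  # sum file replaced too
        return {
            "site sum only": assess(file_digest(good), [site]),
            "site sum + mail": assess(file_digest(good), [site, mail]),
            "binary swapped": assess(file_digest(bad), [site]),
            "both swapped, site only": assess(file_digest(bad), [bad_site]),
            "both swapped, + mail": assess(file_digest(bad), [bad_site, mail]),
        }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:24} -> {verdict}")
```

The "both swapped, site only" case returns the same verdict as an honest download checked against the site sum alone, which is why that verdict is reported as transfer-ok rather than verified.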
