> On 03/08/2008 00:42, Twayne wrote:
>>
>>> Do checksums do the same thing as digital signatures?
>>>
>>
>> No, they are not the same thing in any way. Apples and oranges;
>> they do not do the same thing. Using one does not negate using the
>> other. One being OK has nothing to do with whether the other will
>> get the same result.
>> A signature is nothing more than having some company vouch for
>> you in verifiable ways, that you are who you say you are. A
>> checksum is simply a calculated number for code which can be checked
>> after transport to see if the sum has remained identical to what was
>> used as a source. They ARE the same in that, if you allow
>> automagical operation, they can easily be forged to be what you
>> want/expect to see.
>>
>
> This is a half truth. A digital signature is no more and no less than
> an encrypted hash. Several digital signature systems use MD5 as the
> hash. The difference is the [imputed] trustworthiness of the result. A
> published hash is easier to fake than is the digital certificate on
> which the digital signature is based. That's because the certificate
> used to check the signature is *usually* taken from an extremely
> trustworthy and unhackable place whereas a straight hash is *normally*
> taken from the same (relatively easy to hack) place as the file was
> taken from. This in turn means that the signature is *much* more
> likely to belong to the putative author of the file and this means
> that if the signature checks out then the file is much more likely to
> be genuine.
Well, I don't know about a "half truth" but everything you said is
perfectly fine and correct. I was mainly trying to boil it down to more
layman's terms is all. Your attention to detail is laudable.
>> However, as long as you get the checksum (hash) from OO.o, and you
>> use a legitimate hasher, there is a good chance you will discover
>> anything untoward.
>> In addition to that, I always check the MD5 or whatever is
>> offered, simply to assure myself that I did not get a
>> "broken" download where a bit or two slipped out into the ether.
>> Whenever the sums are offered IMO, it makes sense to use them.
>>
> Trusting the MD5 is only a good idea if you are certain you got the
> file and the MD5 from the right place.
That's what I said when I suggested getting same from OO.o.
> If the attacker can lure you
> to his web site and you download his file and check his hash then
> he's won. As I said, the advantage of using a signature is that the
> chances are that even if you download the file from the wrong place,
> the certificate you use to check the signature will be genuine and
> thus the attacker's file will fail the signature test.
Right.
>> Finally, I'm not aware that there is an auto-update mechanism in
>> OO.o.
>
> Sorry but the fact that you are not aware of it doesn't mean it
> doesn't exist. In fact it does. Modern versions of OOo on Windows
> offer automatic update. I can't comment on Linux or Mac but I doubt
> they are different. I quote from the Help:
Why would you say you're "sorry"?
Actually, turns out I DO have it turned on. I guess it has just never
downloaded anything.
Also as I now recall, and tried again, manually requesting an update
check always results in:
-------------
Could not establish Internet connection to
update24.services.openoffice.org.
-------------
and I suspect that might be why I came to think there wasn't any update;
an aberration of my memory, so to speak. A check of my firewall logs
and my NAT router logs shows that the request was allowed to go out but
there was nothing incoming in either case. Yes, my logs are set to
verbose.
I wonder if that's still my issue or if there is a problem at oo.o?
Q Here:
In fact, I _thought_ I read here that updates weren't sent out but
rather things of that sort would be a download of a new version of the
entire application? It almost sounds as though I've been missing out on
updates?? Or is, for example, 2.4.2 going to be an "update" to 2.4.1?
>
> ==== begin quote ===
> Online Update
> Specifies some options for the automatic notification and downloading
> of online updates to OpenOffice.org.
> To access this command...
> Choose Tools - Options - OpenOffice.org - Online Update
>
> Check for updates automatically
> Mark to check for online updates periodically, then select the time
> interval how often OpenOffice.org will check for online updates.
> OpenOffice.org will check once a day, week, or month, as soon as a
> working Internet connection is detected. If you connect to the
> Internet by a proxy server, set the proxy on Tools - Options -
> Internet - Proxy. When an update is available, an icon in the menu
> bar displays some explaining text. Click the icon to proceed.
> If you disable the check, the icon is removed from the menu bar.
>
> Online Update is a module that can be selected or deselected to be
> installed. Choose the customized installation in the Setup of
> OpenOffice.org.
>
> Every Day
> A check will be performed once a day.
> Every Week
> A check will be performed once a week. This is the default setting.
> Every Month
> A check will be performed once a month.
> ==== end quote ===
It's also available in Tools; Options.
>
> If I remember correctly this is the default setting. I can easily
> imagine that most users, although not necessarily most users
> subscribed to this list (who are clearly more sophisticated ;-) ),
> will allow automatic updates in the same way they do for Windows, for
> Adobe PDF Reader, for iTunes and so on and so forth.
Wellll, even for MS, I don't allow auto updates; only auto download. I
do the installs using Custom Install because I want to see when they're
trying to push a Silverlight or whatever as an update, things like that.
Plus it's immediately apparent what each update is that way without
having to go and read about them separately. Besides that, when I
choose when to install the update, things like the latest firewalls
fiasco show up more connected to the update; saves some wondering later
on.
Anyway, you provided good info; now to go read a little more on the
update stuff in OO.
Regards,
Twayne
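
The distinction argued in this thread, as an added example that is not part of the original messages: a checksum listed beside the download catches a damaged transfer but not a substituted file, while a signature checked against a public key obtained separately catches both. The RSA key here is a toy (textbook RSA, no padding, tiny primes) and the file contents and function names are constructed for illustration.

```python
import hashlib

# Toy textbook-RSA key (assumption for illustration): two Mersenne primes,
# no padding, far too small for real use. Real tools use OpenPGP or X.509.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held only by the publisher

def digest_int(data: bytes) -> int:
    """SHA-256 of the data as an integer reduced into the RSA modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(data: bytes) -> int:
    """Publisher side: transform the hash with the private exponent."""
    return pow(digest_int(data), D, N)

def verify_signature(data: bytes, sig: int) -> bool:
    """User side: needs only the public key (E, N), obtained out of band."""
    return pow(sig, E, N) == digest_int(data)

def verify_checksum(data: bytes, published_hex: str) -> bool:
    """User side: compare against whatever hash the download site lists."""
    return hashlib.sha256(data).hexdigest() == published_hex

def mirror(data: bytes, sig: int) -> dict:
    """What a download site serves: the file, its listed hash, a signature."""
    return {"file": data, "sha256": hashlib.sha256(data).hexdigest(), "sig": sig}

def check_download(site: dict) -> dict:
    """Run both checks on one download and report each result."""
    return {"checksum_ok": verify_checksum(site["file"], site["sha256"]),
            "signature_ok": verify_signature(site["file"], site["sig"])}

# Constructed sample data, not real OpenOffice.org files.
GENUINE = b"installer bytes v2.4.1 (constructed sample)"
genuine_site = mirror(GENUINE, sign(GENUINE))
# Look-alike site: different file with a recomputed hash. Without D it cannot
# make a valid signature, so it can only replay the genuine one.
fake_site = mirror(b"tampered installer (constructed sample)", genuine_site["sig"])
# Damaged transfer from the genuine site: last byte changed in transit.
damaged = dict(genuine_site, file=GENUINE[:-1] + b"?")

if __name__ == "__main__":
    for name, site in [("genuine", genuine_site), ("look-alike", fake_site), ("damaged", damaged)]:
        print(name, check_download(site))
```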