
I also encountered some nastiness looking for 30-year-old x86 drivers for a project.

If you can't find the CD hash signature, then all bets are off.

Not Archive.org's fault either, as most issues were on the original CDs too. =)




> CD hash signature

How do you know the CD Hash Sig is genuine though? I see this with hash values on websites next to ISO and other files.

It's like a really blatant confidence trick when you can pull one of those off!


> How do you know the CD Hash Sig is genuine though?

You don't, unless you trust the source of it, or supply your own.

> I see this with hash values on websites next to ISO and other files.

This doesn't solve the problem you have in mind - verifying the file is genuine; it solves the problem of verifying that what you got is what you expected, i.e. what the site promised. The hash is there so you can detect download errors (used to be a much more frequent thing than it is now). Secondarily, because the files usually sit on a different server than the site itself, the hash lets you detect some cases of your download being tampered with in-flight, or the file itself altered on the server. Not all of such cases, just those where the attacker could affect the download, but couldn't modify the website itself.


> This doesn't solve the problem you have in mind - verifying the file is genuine; it solves the problem of verifying that what you got is what you expected

Exactly.

> Secondarily, because the files usually sit on a different server than the site itself, the hash lets you detect some cases of your download being tampered with in-flight, or the file itself altered on the server.

That assumes the download file is on a different webserver, but if they can gain access to one server, it's not beyond the realms of possibility they can alter the hash values on another webserver.

I just find all this crypto stuff to be misleading whilst it overstates its effectiveness.


Those cryptographic hashes that sit on the same server or are under control of the same group that publishes the file itself really came about so you could verify untrusted copies like mirrors and CDs, not data integrity or hacks on the trusted source or a connection to the trusted source.


Actually, the signed hashes tend to only provide an out-of-band chain of accountability.

The old Microsoft signed drivers and Application publishers' certs were not perfect. This was because the chain of trust eventually breaks down in time (insufficient strength, leaked signing key re-pack, and most people didn't check installer signatures).

FOSS projects can also suffer integrity rot on rare occasion, but it tends to be individuals feigning ignorance as their BS is reverted.

Archive.org allows one to often search for the CD hash and files of interest in the Wayback Machine's snapshot copy of the publisher's website. This method does still require the publisher's cert or known hash to verify contents are valid. =)
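
The distinction drawn in this thread (a hash listed next to a download only shows you got what the site promised, unless you trust its source or supply your own), worked through as an added example that is not part of any comment above. The file contents, the name `driver.iso` and all function names are constructed for illustration.

```python
import hashlib
import hmac
import re

# sha256sum output format: 64 hex chars, a space, ' ' or '*', then the file name.
SUM_LINE = re.compile(r"([0-9a-fA-F]{64}) [ *](.+)")

def parse_sums(text):
    """Return {file name: lowercase digest} from a sha256sum-style listing."""
    matches = map(SUM_LINE.fullmatch, text.splitlines())
    return {m.group(2): m.group(1).lower() for m in matches if m}

def check(data, name, site_sums, pinned=None):
    """Classify a download against the site's listing and an optional pin.

    site_sums: listing fetched alongside the file (trusted no more than the site).
    pinned:    digest held independently (own record, older snapshot), or None.
    """
    actual = hashlib.sha256(data).hexdigest()
    listed = parse_sums(site_sums).get(name)
    if listed is None or not hmac.compare_digest(actual, listed):
        return "differs-from-site-listing"   # transfer error or altered copy
    if pinned is None:
        return "matches-site-listing-only"   # what the site promised, no more
    if not hmac.compare_digest(actual, pinned.lower()):
        return "listing-disagrees-with-pin"  # listing and file changed together
    return "matches-independent-pin"

# Constructed sample data, not real driver images.
GENUINE = b"driver image v1.0\n"
ALTERED = b"driver image v1.0, modified\n"
PIN = hashlib.sha256(GENUINE).hexdigest()
SITE_OK = f"{PIN}  driver.iso\n"
SITE_REPLACED = f"{hashlib.sha256(ALTERED).hexdigest()} *driver.iso\n"

def scenarios():
    """Run the cases discussed in the thread and return their classifications."""
    return {
        "truncated download": check(GENUINE[:-1], "driver.iso", SITE_OK),
        "altered mirror copy": check(ALTERED, "driver.iso", SITE_OK),
        "file and listing altered": check(ALTERED, "driver.iso", SITE_REPLACED),
        "same, with own pin": check(ALTERED, "driver.iso", SITE_REPLACED, PIN),
        "genuine, with own pin": check(GENUINE, "driver.iso", SITE_OK, PIN),
    }

if __name__ == "__main__":
    for case, verdict in scenarios().items():
        print(f"{case:26} -> {verdict}")
```

Only the cases that include an independently held digest can tell a replaced listing from a genuine one; the bare listing check passes as long as file and listing agree with each other.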



