
Trojaned installers by download.com were rampant back in the day. They would take your program and wrap it up in a nice little installer wizard and then also stuff a bunch of adware and spyware in there with it.



I don't understand what's the harm of having a releases page with a binary and its md5 hash, or how that keeps anyone from just compiling an unofficial binary themselves and adding malware to it.

Anyone not technical enough to compile a binary has to give up trying to use it or risk some unofficially distributed executable.


An md5 can be created for the trojaned binary and be posted along with it.

Not to mention that the md5 checksum is a very poor choice for this purpose because of the ease of creating md5 collisions.


But not on the official page, right? And there's nothing stopping someone from doing that now is there? I don't see how the original authors providing binaries is less secure than anything else.


The official page can be hacked, and both malware and md5 of the malware can be placed there.

That's the whole point of using a cryptographic signature backed by a web of trust instead of a mere hash.
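An added illustration of this comment's point (not code from the thread or from any project): an Ed25519-signed release in Go, where a compromised page can re-post an MD5 that matches a swapped binary but cannot forge the author's signature, which the visitor checks against a public key obtained out of band. The type and function names, and the constructed "binary" contents, are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// ReleasePage is what a visitor fetches from the (possibly compromised) download page:
// the binary, the advertised MD5, and the publisher's signature over the binary.
type ReleasePage struct {
	Binary    []byte
	MD5Hex    string
	Signature []byte
}

// Publish builds a page the way the honest author would: hash the binary and sign it.
func Publish(priv ed25519.PrivateKey, binary []byte) ReleasePage {
	sum := md5.Sum(binary) // MD5 kept here only because it is what the thread discusses
	return ReleasePage{Binary: binary, MD5Hex: hex.EncodeToString(sum[:]), Signature: ed25519.Sign(priv, binary)}
}

// Tamper models the scenario from the thread: the page is altered so the binary is swapped
// and a matching MD5 is posted next to it. No valid signature can be produced without the author's key.
func Tamper(page ReleasePage, swapped []byte) ReleasePage {
	sum := md5.Sum(swapped)
	return ReleasePage{Binary: swapped, MD5Hex: hex.EncodeToString(sum[:]), Signature: page.Signature}
}

// HashCheck is the "md5 on the releases page" verification: it trusts whatever hash the page shows.
func HashCheck(page ReleasePage) bool {
	sum := md5.Sum(page.Binary)
	return hex.EncodeToString(sum[:]) == page.MD5Hex
}

// SigCheck verifies against a public key the visitor trusts independently of the page
// (the web-of-trust part), so altering the page cannot swap the key along with the binary.
func SigCheck(trustedPub ed25519.PublicKey, page ReleasePage) bool {
	return ed25519.Verify(trustedPub, page.Binary, page.Signature)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	honest := Publish(priv, []byte("constructed release binary v1.0"))
	altered := Tamper(honest, []byte("constructed swapped binary v1.0"))
	fmt.Println("honest:  hash", HashCheck(honest), "sig", SigCheck(pub, honest))   // true true
	fmt.Println("altered: hash", HashCheck(altered), "sig", SigCheck(pub, altered)) // true false
}
```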


Where would the hash be advertised?


Yeah, but hackers can still abuse SEO and direct visits to their pages. If you are not careful you might accidentally download a malicious binary.


Sure, but what does that have to do with distributing binaries off Github? Maybe if Bonzi Buddy and IE6 make a comeback, but I don't see that happening.



