Hacker News new | past | comments | ask | show | jobs | submit login

An md5 can be created for the trojaned binary and be posted along with it.

Not to mention that the md5 checksum is a very poor choice for this purpose because of the ease of creating md5 collisions.




But not on the official page, right? And there's nothing stopping someone from doing that now is there? I don't see how the original authors providing binaries is less secure than anything else.


The official page can be hacked, and both malware and md5 of the malware can be placed there.

That's the whole point of using a cryptographic signature backed by a web of trust instead of a mere hash.


Where would the hash be advertised?


Yeah but still hackers can abuse SEO and direct visits to their pages. If you are not careful you might accidentally download a malicious binary.




Join us for AI Startup School this June 16-17 in San Francisco!

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: