Hashes or signatures available for downloadable binaries?

From:
Seth
Date:
2015-05-11 @ 14:31
Are there any SHA256 hashes or PGP signatures available for the
downloadable binaries linked to in the "Free Download" section of the main  
web page?

http://mempko.com/firestr/build/0.9/firestr_0.9_amd64.deb
http://mempko.com/firestr/build/0.9/firestr_0.9.dmg
http://mempko.com/firestr/build/0.9/firestr_0.9_win64.zip

None are shown in the directory listing here:  
http://mempko.com/firestr/build/0.9/

Re: [firestr] Hashes or signatures available for downloadable binaries?

From:
mempko
Date:
2015-05-12 @ 02:42
Seth wrote:
> Are there any SHA256 hashes or PGP signature available for the
> downloadable binaries linked to in the "Free Download" section of the main
> web page?
>
> http://mempko.com/firestr/build/0.9/firestr_0.9_amd64.deb
> http://mempko.com/firestr/build/0.9/firestr_0.9.dmg
> http://mempko.com/firestr/build/0.9/firestr_0.9_win64.zip
>
> None are shown in the directory listing here:
> http://mempko.com/firestr/build/0.9/
Seth,

Thanks for pointing this out.

I uploaded md5 hash and PGP signatures here:

     http://mempko.com/firestr/build/0.9/

I uploaded my public key to http://pool.sks-keyservers.net/

     Name: "Maxim Noah Khailo"
     Key ID: D8A20536

Cheers!
Maxim Khailo

Re: [firestr] Hashes or signatures available for downloadable binaries?

From:
mempko
Date:
2015-05-12 @ 02:46
Seth wrote:
> Are there any SHA256 hashes or PGP signature available for the
> downloadable binaries linked to in the "Free Download" section of the main
> web page?
>
> http://mempko.com/firestr/build/0.9/firestr_0.9_amd64.deb
> http://mempko.com/firestr/build/0.9/firestr_0.9.dmg
> http://mempko.com/firestr/build/0.9/firestr_0.9_win64.zip
>
> None are shown in the directory listing here:
> http://mempko.com/firestr/build/0.9/
Seth,

I forgot to mention my public key fingerprint is

     575D 00CA 3ABB 4879 2480
     A096 7231 8516 D8A2 0536


Max

Re: [firestr] Hashes or signatures available for downloadable binaries?

From:
Seth
Date:
2015-05-13 @ 04:56
On Mon, 11 May 2015 19:46:00 -0700, mempko <mempko@gmail.com> wrote:

> Seth wrote:
>> Are there any SHA256 hashes or PGP signature available for the
>> downloadable binaries linked to in the "Free Download" section of the  
>> main
>> web page?
>>
>> http://mempko.com/firestr/build/0.9/firestr_0.9_amd64.deb
>> http://mempko.com/firestr/build/0.9/firestr_0.9.dmg
>> http://mempko.com/firestr/build/0.9/firestr_0.9_win64.zip
>>
>> None are shown in the directory listing here:
>> http://mempko.com/firestr/build/0.9/
> Seth,
>
> I forgot to mention my public key fingerprint is
>
>      575D 00CA 3ABB 4879 2480
>      A096 7231 8516 D8A2 0536

Thank you for putting up the PGP signatures.

It's my understanding that making both the downloads and hashes available  
only over HTTP is a code signing fail.

"If an attacker is in a position to tamper with downloads, they are in  
just as good a position to tamper with a web-page displaying the expected  
hash for that download." [1]

Using the deprecated 1990s throwback MD5 algorithm is also a code signing
fail.

"Windows security division initiated an MD5 deprecation effort around  
2005, complete with a dedicated “MD5 program manager” role to oversee that  
project across different parts of the codebase." [1]

Please consider offering SHA256 or better file hashes, along with an  
encrypted download option for both the binaries and hashes, or alternately  
post the hashes via a separate secured channel such as twitter. I

[1] https://randomoracle.wordpress.com/2014/05/05/how-to-fail-at-authenticating-downloads-the-microsoft-edition/
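The point the quoted article makes, that a hash file fetched over the same clear-text channel as the binary gives no protection against an active attacker while a detached signature checked against a key pinned out of band does, as an added Go example; this is not code from the thread or from the Firestr project. It uses Ed25519 from the Go standard library in place of PGP, the release bytes and the swapped payload are constructed samples, and `rewriteInTransit` is a model of the attacker position the article describes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// Release models the three files a publisher uploads to the build directory.
type Release struct {
	Binary []byte
	Digest string // hex SHA-256, the contents of a hash file published beside the binary
	Sig    []byte // detached signature over Binary
}

// Publisher holds the signing key, which stays off the web server.
// Ed25519 stands in for the PGP key discussed in the thread (assumption).
type Publisher struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewPublisher() (*Publisher, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Publisher{pub: pub, priv: priv}, nil
}

func (p *Publisher) PublicKey() ed25519.PublicKey { return p.pub }

// Fingerprint is what the publisher posts out of band (key server, mailing
// list) so users can pin the key independently of the download server.
// Here it is the hex SHA-256 of the raw public key.
func (p *Publisher) Fingerprint() string { return keyFingerprint(p.pub) }

func keyFingerprint(key ed25519.PublicKey) string {
	sum := sha256.Sum256(key)
	return hex.EncodeToString(sum[:])
}

// Publish produces the binary, its hash file and a detached signature.
func (p *Publisher) Publish(binary []byte) Release {
	sum := sha256.Sum256(binary)
	return Release{Binary: binary, Digest: hex.EncodeToString(sum[:]), Sig: ed25519.Sign(p.priv, binary)}
}

// rewriteInTransit models the failure the article describes: whoever can
// alter the binary on a clear-text path can equally alter the hash file,
// since both arrive over the same unauthenticated channel. The signature is
// passed through unchanged because it cannot be recomputed without the key.
func rewriteInTransit(r Release, replacement []byte) Release {
	sum := sha256.Sum256(replacement)
	return Release{Binary: replacement, Digest: hex.EncodeToString(sum[:]), Sig: r.Sig}
}

// DigestMatches is the `sha256sum -c` style check: it only proves the binary
// matches the hash that arrived with it, not that either came from the publisher.
func DigestMatches(r Release) bool {
	sum := sha256.Sum256(r.Binary)
	got := hex.EncodeToString(sum[:])
	return subtle.ConstantTimeCompare([]byte(got), []byte(r.Digest)) == 1
}

// PinKey accepts a key fetched from a key server only if it matches the
// fingerprint the user obtained separately.
func PinKey(fetched ed25519.PublicKey, fingerprint string) (ed25519.PublicKey, bool) {
	if keyFingerprint(fetched) != fingerprint {
		return nil, false
	}
	return fetched, true
}

// SignatureValid is the check against a pinned key. The channel the binary and
// signature travelled over does not matter: altering either fails verification.
func SignatureValid(pinned ed25519.PublicKey, r Release) bool {
	return len(pinned) == ed25519.PublicKeySize && ed25519.Verify(pinned, r.Binary, r.Sig)
}

func main() {
	p, err := NewPublisher()
	if err != nil {
		panic(err)
	}
	// Constructed sample bytes standing in for the real release.
	rel := p.Publish([]byte("firestr_0.9 release bytes (constructed sample)"))
	bad := rewriteInTransit(rel, []byte("swapped payload (constructed sample)"))

	key, ok := PinKey(p.PublicKey(), p.Fingerprint()) // fingerprint obtained out of band
	fmt.Println("key pinned:", ok)
	fmt.Printf("genuine : digest=%v signature=%v\n", DigestMatches(rel), SignatureValid(key, rel))
	fmt.Printf("tampered: digest=%v signature=%v\n", DigestMatches(bad), SignatureValid(key, bad))
}
```

The tampered release passes `DigestMatches` and fails `SignatureValid`, which is the whole argument for preferring the signature: its security rests on the pinned key, not on the integrity of the download path. Note that pinning only helps if the fingerprint really does come from a different channel than the one serving the files.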

Re: [firestr] Hashes or signatures available for downloadable binaries?

From:
mempko
Date:
2015-05-13 @ 05:51
Seth wrote:
> On Mon, 11 May 2015 19:46:00 -0700, mempko <mempko@gmail.com> wrote:
>
>> Seth wrote:
>>> Are there any SHA256 hashes or PGP signature available for the
>>> downloadable binaries linked to in the "Free Download" section of the
>>> main
>>> web page?
>>>
>>> http://mempko.com/firestr/build/0.9/firestr_0.9_amd64.deb
>>> http://mempko.com/firestr/build/0.9/firestr_0.9.dmg
>>> http://mempko.com/firestr/build/0.9/firestr_0.9_win64.zip
>>>
>>> None are shown in the directory listing here:
>>> http://mempko.com/firestr/build/0.9/
>> Seth,
>>
>> I forgot to mention my public key fingerprint is
>>
>>       575D 00CA 3ABB 4879 2480
>>       A096 7231 8516 D8A2 0536
> Thank you for putting up the PGP signatures.
>
> It's my understanding that making both the downloads and hashes available
> only over HTTP is a code signing fail.
>
> "If an attacker is in a position to tamper with downloads, they are in
> just as good a position to tamper with a web-page displaying the expected
> hash for that download." [1]
>
> Using the deprecated 1990s throwback MD5 algorithm is also code signing
> fail.
>
> "Windows security division initiated an MD5 deprecation effort around
> 2005, complete with a dedicated “MD5 program manager” role to oversee that
> project across different parts of the codebase." [1]
>
> Please consider offering SHA256 or better file hashes, along with an
> encrypted download option for both the binaries and hashes, or alternately
> post the hashes via a separate secured channel such as twitter. I
>
> [1]
> 
https://randomoracle.wordpress.com/2014/05/05/how-to-fail-at-authenticating-downloads-the-microsoft-edition/

Seth,

Thanks for your response! And I agree that using md5 is a silly silly 
thing. I removed the md5 hashes.

I figured the best bet is to just leave the PGP signatures, since they 
should be sufficient to verify the binary.

Also, my understanding is that the PGP signature is going to be
sufficient even over HTTP and SSL in this case is overkill.

The only argument to use SSL here that I can see is that it is more
"user friendly" to use since the browser verifies certs via trusted
authorities automatically.

Do you think a self signed SSL is worth it over just doing the PGP 
signatures?

Cheers,
Max

P.S.

This reminds me of a philosophical question. HTTPS to me does two 
things, trusted identity and encryption. In the real world this is 
equivalent of having a private conversation with someone in person with 
the window shades open (vs say, sending a letter). HTTP is more like 
going to the park and having a public conversation with a stranger.

The philosophical question to you is, should downloading Firestr be like 
you and me having a private conversation, where someone can see we are 
having it but not hear, or is it more like having a public conversation 
at the park, where I hand you a box with an official seal?
Re: [firestr] Hashes or signatures available for downloadable binaries?

From:
Seth
Date:
2015-05-13 @ 15:09
On Tue, 12 May 2015 22:51:29 -0700, mempko <mempko@gmail.com> wrote:
> Also, my understanding is that the PGP signature is going to be
> sufficient even over HTTP and SSL in this case
> is overkill.

Well to be honest, I don't think anyone running a website in 2015 should  
be doing it over clear-text HTTP as it leaves visitors vulnerable to  
network injection attacks and dragnet surveillance.

That said, I don't believe PGP signatures are vulnerable over clear-text  
in the way that hashes are.

> The only argument to use SSL here that I can see is that it is more
> "user friendly" to use since the browser verifies
> certs via trusted authorities automatically.

Disagree for reasons above ^

> Do you think a self signed SSL is worth it over just doing the PGP
> signatures?

I would prefer having the option of connecting via HTTPS with a  
self-signed cert and published fingerprint over running naked. (Wilder's  
Security uses this approach)

> Cheers,
> Max
>
> P.S.
>
> This reminds me of a philosophical question. HTTPS to me does two
> things, trusted identity and encryption. In the real world this is
> equivalent of having a private conversation with someone in person with
> the window shades open (vs say, sending a letter). HTTP is more like
> going to the park and having a public conversation with a stranger.

I don't think the Certificate Authority system can be ultimately trusted
(like the proper use of PGP can be), therefore I don't think HTTPS
fulfills the trusted identity role.

In my view HTTPS makes the network injection attacks much harder and foils
dragnet surveillance of web site visitor activities while using a given
site. It also protects Tor users who unknowingly connect to your web
site from a hostile exit node.

> The philosophical question to you is, should downloading Firestr be like
> you and me having a private conversation, where someone can see we are
> having it but not hear, or is it more like having a public conversation
> at the park, where I hand you a box with an official seal?

How about, "you forgot the 'dead-drop' in the park!"

My first choice for visiting a web site today is via a .onion hidden
address. That currently offers the highest level of protection against
surveillance and targeted attacks.

Then for the private conversation level, convert mempko.com to use HTTPS  
by default (with HSTS enabled and redirects from HTTP connections).

And toss out the HTTP clear-text entirely along with any other  
embarrassing artifacts from the 1990s like MD5 and Chumbawumba CDs.
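Seth's suggestion of HTTPS by default with HSTS and a redirect for clear-text connections, as an added Go example; this is not code from the thread and not mempko.com's actual configuration. The served directory and the certificate and key paths are placeholders, and the header is set only on the TLS side because browsers ignore Strict-Transport-Security received over plain HTTP.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
)

// hstsMaxAgeSeconds is one year, long enough for browsers to keep treating
// the site as HTTPS-only between visits.
const hstsMaxAgeSeconds = 365 * 24 * 60 * 60

// hstsValue is the header value sent with every TLS response.
func hstsValue() string {
	return fmt.Sprintf("max-age=%d; includeSubDomains", hstsMaxAgeSeconds)
}

// redirectToHTTPS answers every clear-text request with a permanent redirect
// to the same host and path over TLS. Nothing else is served on port 80, so
// the build directory is never reachable in the clear.
func redirectToHTTPS(w http.ResponseWriter, r *http.Request) {
	target := "https://" + r.Host + r.URL.RequestURI()
	http.Redirect(w, r, target, http.StatusMovedPermanently)
}

// withHSTS wraps the TLS-side handler so each response carries
// Strict-Transport-Security. A browser that has seen it rewrites later
// http:// links for the host to https:// before sending anything on the wire.
func withHSTS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Strict-Transport-Security", hstsValue())
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Placeholder path: the directory holding the release files.
	files := http.FileServer(http.Dir("/var/www/firestr"))

	// Port 80 only redirects; the files are served on 443 with HSTS.
	go func() {
		log.Fatal(http.ListenAndServe(":80", http.HandlerFunc(redirectToHTTPS)))
	}()
	// Placeholder certificate and key paths.
	log.Fatal(http.ListenAndServeTLS(":443", "/etc/ssl/placeholder.crt",
		"/etc/ssl/placeholder.key", withHSTS(files)))
}
```

A self-signed certificate as discussed in the thread works with this wiring unchanged; the HSTS header should only be turned on once the TLS side is known to work, since browsers will refuse clear-text fallback for the max-age period afterwards.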

Re: [firestr] Hashes or signatures available for downloadable binaries?

From:
Seth
Date:
2015-05-14 @ 18:42
On Wed, 13 May 2015 21:18:38 -0700, mempko <mempko@gmail.com> wrote:
> Now, the reason I did all this is not because I believe in a HTTPS only  
> world as a value in and of itself. I obviously care about privacy  
> considering the fact that I built a private p2p communication platform.
>
> I added HTTPS because you are right, it slows down the machine and makes  
> dragnet surveillance much more expensive.
>
> However, I believe we can live in a world where our digital lives can  
> have a public side just like our normal lives do. I don't see any  
> inherent issue with visiting HTTP plain text site if you meant for your  
> visiting that site to be public.

> An HTTPS only world is actually a dystopia. An HTTPS only world is a  
> failure of society to fight fascism, and it is a deep failure of society  
> to bring about democratic forms of government.
>
> I view HTTPS at the current moment a tool that is necessary, because in
> some ways we already live in that dystopia. But what we should really  
> fight for is an HTTP world, where it is safe to do things in public  
> again.

I don't think the world where people consider clear-text 'OK' for digital  
communications is ever coming back, nor was it a good idea to begin with.  
At least not until there are community owned networks spanning the globe  
that do not rely on government granted privilege like the telecom  
oligopolies do.

Telecom oligopolies have been in bed with the state since day one and  
therefore will continue to sell out the people and happily outsource their  
part of the state's surveillance and control apparatus so long as they  
enjoy state protection from market competitors. If you know of any case  
studies where democracy was able to sever this cozy relationship I'd be  
interested to know.

One thing that's always fascinated me about the psychology of surveillance  
is that people are absolutely terrified of their neighbors, their friends,  
their family members, their work, their school etc being able to monitor  
their communications.

Swap in a megacorp in bed with the state spy agencies like Google or  
Microsoft however and suddenly it's all good. Bizarre to me, but that  
seems to be the paradigm.

Re: [firestr] Hashes or signatures available for downloadable binaries?

From:
mempko
Date:
2015-05-15 @ 04:24
Seth wrote:
> On Wed, 13 May 2015 21:18:38 -0700, mempko <mempko@gmail.com> wrote:
>> Now, the reason I did all this is not because I believe in a HTTPS only
>> world as a value in and of itself. I obviously care about privacy
>> considering the fact that I built a private p2p communication platform.
>>
>> I added HTTPS because you are right, it slows down the machine and makes
>> dragnet surveillance much more expensive.
>>
>> However, I believe we can live in a world where our digital lives can
>> have a public side just like our normal lives do. I don't see any
>> inherent issue with visiting HTTP plain text site if you meant for your
>> visiting that site to be public.
>> An HTTPS only world is actually a dystopia. An HTTPS only world is a
>> failure of society to fight fascism, and it is a deep failure of society
>> to bring about democratic forms of government.
>>
>> I view HTTPS at the current moment a tool that is necessary, because in
>> some ways we already live in that dystopia. But what we should really
>> fight for is an HTTP world, where it is safe to do things in public
>> again.
> I don't think the world where people consider clear-text 'OK' for digital
> communications is ever coming back, nor was it a good idea to begin with.
> At least not until there are community owned networks spanning the globe
> that do not rely on government granted privilege like the telecom
> oligopolies do.
>
> Telecom oligopolies have been in bed with the state since day one and
> therefore will continue to sell out the people and happily outsource their
> part of the state's surveillance and control apparatus so long as they
> enjoy state protection from market competitors. If you know of any case
> studies where democracy was able to sever this cozy relationship I'd be
> interested to know.
>
> One thing that's always fascinated me about the psychology of surveillance
> is that people are absolutely terrified of their neighbors, their friends,
> their family members, their work, their school etc being able to monitor
> their communications.
>
> Swap in a megacorp in bed with the state spy agencies like Google or
> Microsoft however and suddenly it's all good. Bizarre to me, but that
> seems to be the paradigm.

I can't say if that world will ever come back, but I do feel that it was
a fine idea. The creators of TCP/IP and even HTTP were not stupid. It was
a perfectly fine idea when they worked on those systems. Remember, the
world they lived in was a decentralized world, not the centralized world
we live in today.

This is one aspect of the short but important history of the internet
that is forgotten. Most of the technology in the beginning was
decentralized, and then in the late nineties, corporations bought up the
internet infrastructure and centralized everything.

I truly believe we would not have a world of mass surveillance if the
internet stayed in the hands of the public instead of being privatized as
it has been. It is the mass centralization that corporations have
conducted in the last 25 years that allows the NSA to function the way it
does.

You make the point very clearly when you talk about the telecom
oligopolies. People seem to trust corporations, even as that very trust
was betrayed from day one.

I think events like the almost collapse of capitalism that happened in
2008 have shaken people's trust in the capitalist system. As more events
like that occur, there will be a moment when we can decide towards more
democratic institutions.

That small window may be a way of having something that resembled the
past. Maybe I am a fool for feeling hopeful. I feel we mostly agree on the
state the world is in, but you have a more cynical view. People have a
hard time imagining an end to capitalism, but I know it is coming.
Slavery took thousands of years to disappear as the dominant economic
system, Feudalism a thousand. This too shall pass.

I built Firestr as a small window into the past. The world of lisp,
smalltalk, hypercard, and BASIC, but with the power of ubiquitous
networking.

Cheers,
Max
Re: [firestr] Hashes or signatures available for downloadable binaries?

From:
Benjohn Barnes
Date:
2015-05-15 @ 09:00
> On 15 May 2015, at 05:24, mempko <mempko@gmail.com> wrote:

> I built Firestr as a small window into the past. The world of lisp, 
> smalltalk, hypercard, and BASIC,
> but with the power of ubiquitous networking.

God that’s cool.

… how’s Firestr with graphics ’n stuff?

Cheers,
	B

-- 
benjohn@fysh.org - Twitter @benjohnbarnes - Skype (sometimes) 
benjohnbarnes - Mobile +44 (0) 7968 851 636

Re: [firestr] Hashes or signatures available for downloadable binaries?

From:
Date:
2015-05-15 @ 12:47
Firestr is ok for 2D graphics, but no 3D support yet. Check out my silly 
pong example.

Max

On Fri May 15 04:00:39 2015 GMT-0500, Benjohn Barnes wrote:
> 
> > On 15 May 2015, at 05:24, mempko <mempko@gmail.com> wrote:
> 
> > I built Firestr as a small window into the past. The world of lisp, 
> > smalltalk, hypercard, and BASIC,
> > but with the power of ubiquitous networking.
> 
> God that’s cool.
> 
> … how’s Firestr with graphics ’n stuff?
> 
> Cheers,
> 	B
> 
> -- 
> benjohn@fysh.org - Twitter @benjohnbarnes - Skype (sometimes) 
benjohnbarnes - Mobile +44 (0) 7968 851 636
> 
>

-- 
Sent from my Jolla