Parallels: Purveyors of decent virtualization software... and occasionally iffy checksums

For some, an MD5 checksum is the sequence of letters and numbers that shows up next to the file they want to download. For others, it's a handy pointer that the file you've downloaded is the one you were expecting. A Register reader got in touch after noticing something a bit odd on the Parallels downloads page. The company …

  1. Anonymous Coward

    Were they hacked...

    ... and now covering it up?

    1. Anonymous Coward

      Re: Were they hacked...

      Unlikely. Probably just lazy.

      1. David 132 Silver badge

        Re: Were they hacked...

        "Ech, recalculating the checksum and updating the website every time we post a new version is too much hassle. Just stick a random hexadecimal string up there and call it good. Or better yet, post the MD5 checksum for the string "PARALLELS DESKTOP FOR MAC", that won't change ever, makes life nice and easy... sorted."

  2. sw guy
    FAIL

    md5 !

    Or they know that the md5 hash is broken and should no longer be used for that purpose

    1. chuBb.

      Re: md5 !

      Damned if they do, damned if they don't.

      If they didn't publish an md5 hash, or used a better hash, some old fart (like my dad, who must have precisely 2 capitals, 3 numerals and 1 whitespace, even though an xkcd-style password would be infinitely better for him) clinging on to outdated knowledge would complain that there wasn't an emm dee five.

  3. Anonymous Coward
    Facepalm

    Unless

    "Unless, of course, nobody is bothering to check their downloads before gleefully installing... ®"

    I think you've hit the nail on the head.

  4. gnasher729 Silver badge

    Probably something stupid

    Maybe the md5 checksum displayed is the checksum of the download link or something stupid like that. Or that of the previous version, and not updated.

    Keep in mind that the md5 has to be calculated independently from what is stored as the file to be downloaded, to make it impossible to modify the downloaded file AND update the checksum to match.

  5. Anonymous Coward

    Sigh. FFS, the weberverse is wibbling on about "Meta"

    And no one has the fucking nous to tweak the browser download (or curl/wget) to look for (or require) a valid MD5 hash before running.

    See also: a bit of code to look for >20 addresses in the "to:" field

  6. Norman Nescio

    Inadequate processes/procedures

    I've had the same problem downloading SOHO router firmware from the UK distributor's website. An emailed enquiry, and shortly (for 'low numbers of days' values of shortly) afterwards, the checksums were magically updated to match the checksums of the firmware files available for download.

    Ideally, as well as checksums (MD5 | SHA256 | favoured contemporary checksum algorithm), the checksums should be signed with a trusted signing key. Websites can be compromised in many ways, but hopefully organisations will keep reasonably good control of their signing keys.

    So for me, downloading some popular alternative SOHO router firmware, I get the files, the file of checksums and the signature file, then at the command line

    $ gpg --verify sha256sums.asc sha256sums

    Assuming the output checks out, i.e. the signature is good, I then do

    $ sha256sum --ignore-missing --check sha256sums

    which automatically calculates the checksum of each file listed in the signed sha256sums file and tells me if the checksum matches with the signed one. If so, I'm good to go.

    I know I'm in a minority for doing this.

    But if you are distributing software, I would have thought you would provide correct checksums and a verification signature as a matter of course. Whether people use them or not is up to them.
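The two-step check described in the comment above (verify the detached signature on the checksum file, then verify each downloaded file against that signed list), written out as an added example. This is not code from the page, from the commenter, or from any vendor: it is a small Python script that reproduces what `gpg --verify` and `sha256sum --ignore-missing --check` do, so that each step's outcome is a value a script can act on rather than text to eyeball. The signature step shells out to a real `gpg` binary and needs the signer's public key in the keyring; the checksum step is pure `hashlib`. The file names, digests and "tampered installer" in `demo()` are constructed for illustration.

```python
"""Verify downloads against a GPG-signed sha256sums file (added example)."""
import hashlib
import hmac
import os
import subprocess
import tempfile
from typing import Dict, Optional, Tuple

# Digest length (hex chars) -> hashlib name, so the same parser handles
# md5sum, sha1sum, sha256sum and sha512sum output.
ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def verify_signature(sig_path: str, sums_path: str,
                     gpg_home: Optional[str] = None) -> bool:
    """Step 1: the equivalent of `gpg --verify sha256sums.asc sha256sums`.

    Returns True only if gpg exits 0, i.e. the detached signature is valid
    and was made by a key present in the keyring.  Note that gpg still
    exits 0 for a key you have imported but never marked as trusted; it
    only prints a warning, so key provenance is your problem, not gpg's.
    Requires the gpg binary; gpg_home is an optional --homedir.
    """
    cmd = ["gpg", "--batch", "--verify"]
    if gpg_home:
        cmd += ["--homedir", gpg_home]
    cmd += [sig_path, sums_path]
    proc = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL)
    return proc.returncode == 0


def parse_sums(text: str) -> Dict[str, Tuple[str, str]]:
    """Parse '<hex>  <name>' (text mode) or '<hex> *<name>' (binary mode)
    lines as written by the coreutils *sum tools.  Returns
    {name: (algorithm, lowercase hex digest)}; rejects malformed digests
    rather than silently skipping them.
    """
    entries: Dict[str, Tuple[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        if name[:1] in (" ", "*"):      # second separator char
            name = name[1:]
        digest = digest.lower()
        algo = ALGO_BY_LEN.get(len(digest))
        if algo is None or not all(c in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed digest on line: {raw!r}")
        entries[name] = (algo, digest)
    return entries


def file_digest(path: str, algo: str, chunk: int = 1 << 20) -> str:
    """Stream the file through hashlib so large installers don't hit RAM."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def check_sums(sums_path: str, ignore_missing: bool = True) -> Dict[str, str]:
    """Step 2: the equivalent of `sha256sum --ignore-missing --check`.

    Returns {name: 'OK' | 'FAILED' | 'MISSING'}.  With ignore_missing=True
    files listed but not present are silently skipped, as the flag does.
    Paths are resolved relative to the checksum file's directory.
    """
    base = os.path.dirname(os.path.abspath(sums_path))
    with open(sums_path, encoding="utf-8") as f:
        entries = parse_sums(f.read())
    results: Dict[str, str] = {}
    for name, (algo, expected) in entries.items():
        path = os.path.join(base, name)
        if not os.path.isfile(path):
            if not ignore_missing:
                results[name] = "MISSING"
            continue
        actual = file_digest(path, algo)
        results[name] = "OK" if hmac.compare_digest(actual, expected) else "FAILED"
    return results


def all_ok(results: Dict[str, str]) -> bool:
    """'Good to go' means at least one file was checked and none failed.
    An empty result is NOT success: sha256sum itself reports
    'no file was verified' in that case, and so should you."""
    return bool(results) and all(v == "OK" for v in results.values())


def demo() -> Dict[str, str]:
    """Constructed scenario (example data, not real Parallels files): one
    genuine file, one file swapped after the digest was published, and one
    listed file that was never downloaded.  The signature step is skipped
    here because it needs gpg and a keyring."""
    d = tempfile.mkdtemp()
    good = b"genuine installer bytes\n"
    evil = b"trojaned installer bytes\n"
    with open(os.path.join(d, "pd-good.dmg"), "wb") as f:
        f.write(good)
    with open(os.path.join(d, "pd-tampered.dmg"), "wb") as f:
        f.write(evil)
    good_hex = hashlib.sha256(good).hexdigest()
    lines = [
        f"{good_hex}  pd-good.dmg",
        f"{good_hex}  pd-tampered.dmg",       # published digest, swapped file
        f"{hashlib.sha256(b'x').hexdigest()}  pd-not-downloaded.dmg",
    ]
    sums_path = os.path.join(d, "sha256sums")
    with open(sums_path, "w", encoding="utf-8") as f:
        f.write("\n".join(lines) + "\n")
    return check_sums(sums_path, ignore_missing=True)


if __name__ == "__main__":
    r = demo()
    print(r, "->", "good to go" if all_ok(r) else "DO NOT INSTALL")
```

In real use you run `verify_signature()` first and stop if it returns False; only then is the list in `sha256sums` worth trusting, which is the point the comment makes about signing. `all_ok()` deliberately refuses an empty result so that a typo in a file name, or a checksum file that lists only other platforms' builds, cannot pass as "verified".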

  7. Anonymous Coward

    Why not just compromise both?

    I've never understood using an md5sum from the same site you downloaded the file to verify it. If I compromise a box and put up my infected installer, I'm surely going to update the md5sum sitting next to it as well.

    For it to have any value as a security precaution, the md5s need to come from a different trusted source than the download itself...

  8. -v(o.o)v-

    The Cisco AnyConnect checksums on the Cisco download site are commonly mixed up too.

    Usually there's a checksum that is incorrectly duplicated on 2 different files. Happened like 3-4 times last year. It usually gets fixed a few weeks after a new version was released.
