Were they hacked...
... and now covering it up?
For some, an MD5 checksum is the sequence of letters and numbers that shows up next to the file they want to download. For others, it's a handy pointer that the file you've downloaded is the one you were expecting. A Register reader got in touch after noticing something a bit odd on the Parallels downloads page. The company …
"Ech, recalculating the checksum and updating the website every time we post a new version is too much hassle. Just stick a random hexadecimal string up there and call it good. Or better yet, post the MD5 checksum for the string 'PARALLELS DESKTOP FOR MAC', that won't change ever, makes life nice and easy... sorted."
Damned if they do, damned if they don't.
If they didn't publish an MD5 hash or used a better hash, some old fart (like my dad, who insists on precisely 2 capitals, 3 numerals and 1 whitespace, even though an xkcd-style password would be infinitely better for him) clinging on to outdated knowledge would complain that there wasn't an emm dee five.
Maybe the MD5 checksum displayed is the checksum of the download link, or something stupid like that. Or that of the previous version, and not updated.
Keep in mind that the MD5 has to be calculated independently from what is stored as the file to be downloaded, to make it impossible to modify the downloaded file AND update the checksum to match.
I've had the same problem downloading SOHO router firmware from the UK distributor's website. An emailed enquiry, and shortly (for 'low numbers of days' values of shortly) afterwards, the checksums were magically updated to match the checksums of the firmware files available for download.
Ideally, as well as checksums (MD5 | SHA256 | favoured contemporary checksum algorithm), the checksums should be signed with a trusted signing key. Websites can be compromised in many ways, but hopefully organisations will keep reasonably good control of their signing keys.
So for me, downloading some popular alternative SOHO router firmware, I get the files, the file of checksums and the signature file, then at the command line:
$ gpg --verify sha256sums.asc sha256sums
Assuming the output checks out, i.e. the signature is good, I then do
$ sha256sum --ignore-missing --check sha256sums
which automatically calculates the checksum of each file listed in the signed sha256sums file and tells me if the checksum matches with the signed one. If so, I'm good to go.
I know I'm in a minority for doing this.
But if you are distributing software, I would have thought you would provide correct checksums and a verification signature as a matter of course. Whether people use them or not is up to them.
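As an added example (not from the commenter or any vendor), here is what the second step of that procedure does, written out in Python: parse the sha256sums list format, hash each file that is present, and report OK or FAILED, skipping entries that were not downloaded the way --ignore-missing does. It assumes the list has already passed gpg --verify; nothing here replaces the signature check, and the firmware files and digests below are constructed samples.

```python
import hashlib
import hmac
import os
import tempfile

def parse_sums(text):
    """Parse '<64 hex digest>  <filename>' lines (a leading '*' marks binary mode)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed line: {line!r}")
        entries[name] = digest.lower()
    return entries

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_sums(sums_path, ignore_missing=True):
    """Return {filename: 'OK' | 'FAILED' | 'MISSING'}; like `sha256sum --check`,
    with absent files skipped when ignore_missing is True (--ignore-missing)."""
    base = os.path.dirname(os.path.abspath(sums_path))
    with open(sums_path) as f:
        expected = parse_sums(f.read())
    results = {}
    for name, digest in expected.items():
        path = os.path.join(base, name)
        if not os.path.exists(path):
            if not ignore_missing:
                results[name] = "MISSING"
            continue
        ok = hmac.compare_digest(sha256_file(path), digest)
        results[name] = "OK" if ok else "FAILED"
    return results

def demo(ignore_missing=True):
    """Constructed sample: one intact image, one tampered image, one not downloaded."""
    d = tempfile.mkdtemp()
    good = b"firmware v1 (constructed sample)"
    with open(os.path.join(d, "good.bin"), "wb") as f:
        f.write(good)
    with open(os.path.join(d, "tampered.bin"), "wb") as f:
        f.write(good + b"\x00")  # one trailing byte changed: a tampered download
    digest = hashlib.sha256(good).hexdigest()
    lines = [f"{digest}  good.bin", f"{digest}  tampered.bin", f"{digest}  absent.bin"]
    sums = os.path.join(d, "sha256sums")
    with open(sums, "w") as f:
        f.write("\n".join(lines) + "\n")
    return check_sums(sums, ignore_missing)
```

A non-empty set of FAILED entries is the signal to stop: the file on disk is not the one the signed list describes, whatever the site said beside the download link.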
I've never understood using an md5sum from the same site you downloaded the file to verify it. If I compromise a box and put up my infected installer, I'm surely going to update the md5sum sitting next to it as well.
For it to have any value as a security precaution, the md5s need to come from a different trusted source than the download itself...