Shirt Pocket Discussions  
  #1  
06-19-2007, 07:50 PM
ReddSmith
Possibly provide a checksum for the SuperDuper download?

Can Shirt-Pocket possibly provide a checksum, such as a SHA-1 digest, for the SuperDuper! download disk image file? This would be for individuals who want to verify the authenticity of the file, so that they can be reasonably sure the file was "not fooled around with" either on your server, or in-transit, or on their own computer. I notice Apple provides a SHA-1 digest for some support downloads.
  #2  
06-19-2007, 08:55 PM
dnanian
I'll see what I can do, Redd. In general, though, our users wouldn't have any idea how to use a checksum...
__________________
--Dave Nanian
  #3  
06-19-2007, 10:56 PM
ReddSmith
Checksum...

The type of folks who have discovered and are considering SuperDuper! may be more knowledgeable than you think, but yes, not everyone would appreciate the value of a checksum. The fact that Apple supplies a SHA-1 digest for public downloads indicates they appreciate it, so maybe we should too. At least it appeals to me, as someone who has spent too many years using Winders, where the security vendors scare us into a spyware/malware mindset. Regarding the presentation of the info, here is a cut-and-paste example from an Apple update. Perhaps you could include the same references/links for the "About..." and "How to Verify..." to satisfy the educational and instructional requirements:

Security Update 2007-005 v1.1 (Universal) SHA1 Digest:
SecUpd2007-005Univ.dmg=
539f872ac444dc707d73991a914c58ed32d51677

25490: "Mac OS X: About SHA-1 Digest and Software Downloads"
http://www.info.apple.com/kbnum/n25490

75510: "Mac OS X: How to Verify a SHA-1 Digest"
http://www.info.apple.com/kbnum/n75510
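Added example, not part of the thread or any poster's code: a Python sketch of the check being requested, which parses a digest listing in the layout pasted above and compares it with the SHA-1 of the downloaded file. The function names, the `Example.dmg` file and the sample listing are constructed for illustration, and the listing text is assumed to come from a source the reader already trusts, since the check can only confirm that the file matches whatever digest it is given.

```python
import hashlib
import hmac
import os
import re
import tempfile

# One entry = "<file name>=" followed by a 40-hex-digit SHA-1 digest, which may
# sit on the next line, as in the listing pasted in the post.
ENTRY = re.compile(r"^[ \t]*([^=\s][^=\n]*?)[ \t]*=\s*([0-9A-Fa-f]{40})[ \t]*$", re.MULTILINE)

def parse_digest_listing(text):
    """Return {file name: lowercase hex digest} for every entry in the listing."""
    return {name: digest.lower() for name, digest in ENTRY.findall(text)}

def sha1_of_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so a large disk image is never read into memory at once."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(path, listing_text):
    """True only if the file's SHA-1 equals the digest published for its name."""
    published = parse_digest_listing(listing_text)
    name = os.path.basename(path)
    if name not in published:
        raise LookupError(f"no published digest for {name!r}")
    return hmac.compare_digest(sha1_of_file(path), published[name])

# Constructed sample: a stand-in "download" whose contents are b"abc", and a
# listing in the same layout carrying the well-known SHA-1 of b"abc".
SAMPLE_LISTING = """Example Download SHA1 Digest:
Example.dmg=
a9993e364706816aba3e25717850c26c9cd0d89d
"""

def demo():
    """Verify the sample file, change one byte, verify again."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "Example.dmg")
        with open(path, "wb") as f:
            f.write(b"abc")
        intact = verify_download(path, SAMPLE_LISTING)
        with open(path, "wb") as f:
            f.write(b"abd")  # one changed byte
        altered = verify_download(path, SAMPLE_LISTING)
    return intact, altered

if __name__ == "__main__":
    print(demo())
```
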
  #4  
06-20-2007, 07:19 AM
dnanian
I'll consider it, Redd. Thanks again for the suggestion.
__________________
--Dave Nanian
  #5  
06-23-2007, 12:30 PM
Timmy

One thing that I never understood about providing a hash for software distribution verification is: If an attacker is able to gain access to the distribution servers and modify the application distribution, then doesn't it stand to reason that they could also replace the webpage or file that gives the hash string with a modified hash of the altered distribution...?

What am I missing here?
  #6  
06-23-2007, 12:37 PM
dnanian
You're absolutely right, Timmy: it's something I've wondered about myself.
__________________
--Dave Nanian
  #7  
06-25-2007, 11:04 AM
ReddSmith
Checksum...

Posting the checksum might also require a note/disclaimer that this method provides a "reasonable" (or even a "high probability") means of verification, but is not a guarantee. I don't know that you could quantify the terms "reasonable" or "high probability", other than that they mean "better than nothing".

Any further steps would add to the Shirt-Pocket personnel task list. For example, they check their web site at least daily to verify the posted checksums. Or develop a process where the user optionally supplies his email address at the time of download; this will cause a checksum to be dynamically generated from the production library authentic copy of the file and sent to the user, bypassing problems from web page hacking.
  #8  
06-25-2007, 04:44 PM
Timmy
ReddSmith, you mentioned having experience with Windows.
Is there an app like SuperDuper that you can recommend for copying an entire volume (Windows system files, application files, user files, etc.)?

SuperDuper lets us make a 'bootable' clone to an external drive which can actually be used to boot the system.
Does this concept exist for XP/Vista?
  #9  
06-25-2007, 07:34 PM
ReddSmith
Your question is a little off-topic from checksums, but for your info, I use Norton Ghost from Symantec Corporation. Among the many features is the ability to "copy a drive" (think "volume" in Mac terminology) which will create a bootable clone. One site from which you might start your Ghost education is http://nortonghost.radified.com/ . Now, I hope we won't be banned from the SuperDuper! board.

All times are GMT -4.