
CCP should release MD5 hashes

  • 27-11-2004 12:54am
    #1
    Registered Users Posts: 53 ✭✭


    I've mentioned this in the official forum, but I think that CCP should release an MD5 hash for full client and all major patches at least.
    This would allow players to download the client/patches from 3rd party sources, obtain the official MD5 hash and compare using the MD5SUM calculator.

    I know that the client installer has crc checking in-built, but it's not sufficient to ensure 3rd party trust due to virus infections and hacked versions/trojans of the client, in which the crc code can be circumvented.

    Since players only need to download a few bytes, EVE servers should get choked up, and since we know the MD5SUM came from the official EVE website, we can be certain that any client that passes the check will not have been altered in any way.

    If enough people mention it, maybe the devs will sit up and take notice.


Comments

  • Registered Users Posts: 998 ✭✭✭zekiel


    I don't think this is relevant anymore as they had an extended downtime today which seems to have resolved the lag issue, plus they have also got a mirror advertised on the site which can be used and is relatively fast as well.
    I've been playing for several hours today with no probs at all, so hats off to CCP for dealing with the issue V.promptly.


  • Registered Users Posts: 53 ✭✭martinoc


    zekiel wrote:
    I don't think this is relevant anymore as they had an extended downtime today which seems to have resolved the lag issue, plus they have also got a mirror advertised on the site which can be used and is relatively fast as well.
    I've been playing for several hours today with no probs at all, so hats off to CCP for dealing with the issue V.promptly.
    I agree that the issue was dealt with promptly.

    But I disagree that it's not an issue anymore, as I think it is. It might be the same in future. I'd like to think that any 3rd party mirror could host the client/patch files and allow them to be used with assurance that they are original files.

    It would especially be useful for those who do not/can not use BitTorrent.

    It does not take five seconds to generate an md5 hash and less than two mins to put it live on the site. I refuse to believe that CCP are that lazy.


  • Registered Users Posts: 6,007 ✭✭✭Moriarty


    Why not just do it yourself and create a post in the forums that keeps track of each patch? If anyone actually cares about it, then ccp might see that and 'officialise' it.


  • Registered Users Posts: 53 ✭✭martinoc


    Moriarty wrote:
    Why not just do it yourself and create a post in the forums that keeps track of each patch? If anyone actually cares about it, then ccp might see that and 'officialise' it.
    It HAS to be done by CCP, otherwise people will not TRUST it. You don't know what my intentions might be. I could release a hash of a hacked version. It will be no good for anyone unless they trust it. It will only be trusted if it comes from an official source like the CCP website.


  • Registered Users Posts: 6,007 ✭✭✭Moriarty


    It'd be pretty obvious pretty quickly to anyone that was paying attention if you were listing spiked checksums. Vice versa, as well.


  • Registered Users Posts: 53 ✭✭martinoc


    Moriarty wrote:
    It'd be pretty obvious pretty quickly to anyone that was paying attention if you were listing spiked checksums. Vice versa, as well.
    The only way to verify a spiked checksum would be to download the official game and run the check, but that would be against the whole point of having official checksums so we take the load OFF the official CCP server.

    Put it this way: If you set up a site right now and made checksums available alongside the eve client, I wouldn't use them and I wouldn't trust them.

    If, however, you made a mirror of the eve client and I could get an official checksum from the CCP website, I'd use your mirrored client if it passed the official checksum.

    I can safely say that this would be the attitude of the general public.


  • Registered Users Posts: 1,531 ✭✭✭Drakar


    I can safely say that the general public wouldn't know an MD5 checksum if it came up and bit them in the .....


  • Registered Users Posts: 53 ✭✭martinoc


    Drakar wrote:
    I can safely say that the general public wouldn't know an MD5 checksum if it came up and bit them in the .....
    Maybe not, but it could be easily explained at the website.
    I can't believe I'm finding resistance to such an easy and beneficial measure. Is it too much to ask?


  • Registered Users Posts: 1,531 ✭✭✭Drakar


    People have websites explaining that you need to have a virus checker, and that you should keep your machine patched, and that you shouldn't double click on the file that says clickHereToWinFreePr0nPSthisAlsoDeletesYourHarddrive.exe, and yet people do that.
    Seriously though, the reason you might perceive that people may be reluctant to do this, is that many people just want to download something, without having to have a separate application, then download it, then find the checksum on a website, then validate it. When people are used to clicking on a file on a webpage and it getting downloaded, the extra steps seem fiddly. People don't like fiddles or any stringed instrument. To the best of my knowledge, nefarious people posting modified files isn't a widespread issue at the moment. I'd imagine we won't see any action on fronts like this till the horse has left the stable.


  • Registered Users Posts: 53 ✭✭martinoc


    Drakar wrote:
    People have websites explaining that you need to have a virus checker, and that you should keep your machine patched, and that you shouldn't double click on the file that says clickHereToWinFreePr0nPSthisAlsoDeletesYourHarddrive.exe, and yet people do that.
    That is an issue about security and education and so is this to a point!
    Drakar wrote:
    Seriously though, the reason you might perceive that people may be reluctant to do this, is that many people just want to download something, without having to have a separate application, then download it, then find the checksum on a website, then validate it.
    That is complete and utter bull****! Anyone who downloads free software and especially anyone who downloads open source software will be familiar with the procedure or at least with the existence of it.
    Drakar wrote:
    When people are used to clicking on a file on a webpage and it getting downloaded, the extra steps seem fiddly. People don't like fiddles or any stringed instrument.
    That's exactly the kind of attitude the security sites you mentioned want to prevent. People should be more aware of the security implications.
    Drakar wrote:
    To the best of my knowledge, nefarious people posting modified files isn't a widespread issue at the moment. I'd imagine we won't see any action on fronts like this till the horse has left the stable.
    Oh, it happens!!! It just hasn't happened too widely with EVE yet. That is because for the most part, the only download that is widely used is the EVE website. Mirror sites don't find the need to host the EVE client because people will not trust 3rd party mirrors. The result of this is that CCP servers take pretty much all the load of distributing the client, with which on patch days it cannot cope too well.

    It would be far easier for them if 12000 users downloaded a file a few bytes long and the main load was spread across as many mirror sites as possible. It's a simple matter, and open source software have been doing it for ever.


  • Registered Users Posts: 1,531 ✭✭✭Drakar


    martinoc,

    What I may not have been making clear is, although md5 hashes are great, unless people perceive the likely risk to be worth the extra effort, people won't bother doing anything. People are lazy. Shock horror.

    People should definitely be more aware of security implications, but until they see the problems, they don't see the reward (safety) for the extra effort.

    I don't normally do this, but ...
    That is complete and utter bull****! Anyone who downloads free software and especially anyone who downloads open source software will be familiar with the procedure or at least with the existence of it.
    I'd imagine everyone downloads free software. Everyone. I don't think it would be an exaggeration to say less than 10% of people who download software know how to use a checksum. It's not difficult, but too many users know nothing about technology. That's the flipside to things becoming populist. I'll go so far as to say in fact, that I don't know anyone who uses winblows who uses checksums. Obviously people who use linux do. The proportion of linux users vs windows users is a little sad at the moment however. So as for my statement being bul poopie, I respectfully express my disagreement.

    Moving on, if we wanted to look at this from a design standpoint, I'd be suggesting that the .torrent format be changed so that the .torrent file could contain the checksum. Since this is the file people should actually download from the official site, one can be relatively confident that it's correct. Clients should then be modified to incorporate checksum checking when they download. This would all be automatic and invisible to the user. Like Woo. Take that noobz! You're secured whether you like it or not.

    Then again, I'm sure there's a reason it's not in there already ....


  • Registered Users Posts: 53 ✭✭martinoc


    Drakar wrote:
    Moving on, if we wanted to look at this from a design standpoint, I'd be suggesting that the .torrent format be changed so that the .torrent file could contain the checksum. Since this is the file people should actually download from the official site, one can be relatively confident that it's correct. Clients should then be modified to incorporate checksum checking when they download. This would all be automatic and invisible to the user. Like Woo. Take that noobz! You're secured whether you like it or not.
    Bit Torrent has already got automatic md5 checksums built in to the protocol, so we are not worried too much about bit torrent, so I'll discuss this from the point of view of someone who cannot/will not use the bit torrent.
    Clients already have a checksum built in. The installer runs it before doing anything else. While this is sufficient to confirm the reliability of the download, it does nothing to address the issues of trust.
    Firstly, a third party "hacker", if you will, could modify the client AND the installer so that the automatic checksum still passes, and now the client does its evil master's bidding in secret. Secondly, a trojan could be injected into the installer. The installer WOULD indeed report a crc failure, but alas, the trojan has now been unleashed on your system. Anti-Virus software might not be able to defend against this if it's a very new trojan or if not up to date etc.

    Now, for the people who know about checksums and want to use them, should they not be made available?
    For the people who don't know about them, CCP could post a small article explaining what they are and why they are important. Of course, most people will never use them as it is and should be a voluntary measure, but they should still be provided as a means of encouraging security consciousness.

    To summarise, I would like to see CCP do the following:
    1) Provide MD5 checksums for all major downloads beside the download links
    2) Provide a copy of md5sum.exe with instructions on how to use it
    3) Provide a short article explaining the checksum and the security implications
    4) Allow 3rd party mirrors to host the client but not the checksums
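
The check martinoc describes above (hash published on the official site, file fetched from any mirror), as an added example that is not part of the original thread or anything CCP published. The file name `client_setup.exe`, the mirror names and the file contents are constructed; MD5 is the default because it is what the thread discusses, and `algorithm` accepts any other `hashlib` name such as `sha256`.

```python
import hashlib
import hmac
import os
import tempfile

def file_digest(path, algorithm="md5", chunk_size=1 << 20):
    """Hash a file in chunks so a large installer never has to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse md5sum-style lines: '<hex digest>  <name>' ('*' marks binary mode)."""
    entries = {}
    for line in text.splitlines():
        digest, _, name = line.strip().partition(" ")
        name = name.strip().lstrip("*")
        if digest and name and not digest.startswith("#"):
            entries[name] = digest.lower()
    return entries


def verify_download(path, official_manifest, algorithm="md5"):
    """Check a mirrored file against a manifest obtained from the publisher's own site."""
    expected = parse_manifest(official_manifest).get(os.path.basename(path))
    if expected is None:
        return "NOT LISTED"  # no official hash for this name: nothing to trust
    actual = file_digest(path, algorithm)
    return "OK" if hmac.compare_digest(actual, expected) else "MISMATCH"


def demo():
    """Constructed sample: one publisher copy, one clean mirror, one altered mirror."""
    with tempfile.TemporaryDirectory() as root:
        paths = {}
        for site, body in (("official", b"client build"), ("mirror_a", b"client build"),
                           ("mirror_b", b"client build + trojan")):
            os.makedirs(os.path.join(root, site))
            paths[site] = os.path.join(root, site, "client_setup.exe")
            with open(paths[site], "wb") as f:
                f.write(body)
        # The publisher hashes its own copy and posts this one line on its site.
        manifest = f"{file_digest(paths['official'])}  client_setup.exe\n"
        return (verify_download(paths["mirror_a"], manifest),
                verify_download(paths["mirror_b"], manifest),
                verify_download(os.path.join(root, "other.exe"), manifest))
```

The result is only as trustworthy as the source of the manifest text: a manifest served by the mirror itself would verify the altered file just as readily.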


  • Registered Users Posts: 998 ✭✭✭zekiel


    Can this be moved to the security thread as its got nothing to do with Massively multiplayer anymore.


  • Banned (with Prison Access) Posts: 603 ✭✭✭Prior Of Taize


    I am aware that eve has its problems now and again but I think it's safe for me to say that is flawless....

    Any server or game errors are met with patches or fixes within 24 hours...

    As someone else said above hats off to CCP for dealing with problems very promptly


  • Registered Users Posts: 53 ✭✭martinoc


    I am aware that eve has its problems now and again but I think it's safe for me to say that is flawless....

    Any server or game errors are met with patches or fixes within 24 hours...

    As someone else said above hats off to CCP for dealing with problems very promptly

    Did you even READ the thread?
    I am not disputing CCP's commitment to fixing bugs etc.
    I am requesting an additional feature!


  • Closed Accounts Posts: 2,161 ✭✭✭steve-hosting36


    Eve Rocks!!!! :)

