Always Check This When You Download Software!

When's the last time you checked your file hashes? 🤔

Software Links:

You've probably occasionally seen a long string of letters and numbers when downloading software or other files from a website. This is called a checksum or hash, and is a way to ensure that the file you downloaded is exactly what it should be. If the file is corrupted or changed in any way from what is intended, it will have a completely different hash. This provides a layer of protection against corruption and even compromised websites. In this video I explain all this, then show you a few useful tools for checking the hashes of files you download.
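One way to do the check the description talks about, written in Python rather than with the PowerShell and GUI tools shown in the video (this is an added example, not code from the video or its description): it parses a published checksum list in the common sha256sum "hash  filename" format, hashes the downloaded file once for every listed algorithm, and compares each digest in constant time. The filename "tool-setup.exe" and the checksum list are constructed for the demo; the digests are the standard MD5, SHA-1 and SHA-256 test vectors for the three-byte input "abc".

```python
import hashlib
import hmac
import os
import tempfile

ALG_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}  # hex length -> algorithm

def parse_checksums(text):
    """Parse "<hex>  <name>" / "<hex> *<name>" lines into {name: {algorithm: hex}}."""
    expected = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        alg = ALG_BY_HEX_LEN.get(len(parts[0])) if len(parts) == 2 else None
        if alg is not None:  # blank, comment and unknown-length lines are skipped, never guessed
            expected.setdefault(parts[1].lstrip("*"), {})[alg] = parts[0].lower()  # "*" = binary mode
    return expected

def file_digests(path, algorithms, chunk_size=1 << 16):
    """Read the file once, feeding every requested algorithm from the same chunks."""
    hashers = {alg: hashlib.new(alg) for alg in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}

def verify_download(path, checksums_text):
    """Return {algorithm: matched?} for path's basename ({} = not listed); constant-time compare."""
    expected = parse_checksums(checksums_text).get(os.path.basename(path), {})
    actual = file_digests(path, expected.keys())
    return {alg: hmac.compare_digest(actual[alg], hexd) for alg, hexd in expected.items()}

def demo():
    """Constructed sample: the published digests are the standard test vectors for b"abc"."""
    published = (
        "900150983cd24fb0d6963f7d28e17f72  tool-setup.exe\n"           # MD5
        "a9993e364706816aba3e25717850c26c9cd0d89d  tool-setup.exe\n"   # SHA-1
        "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  tool-setup.exe\n"
    )
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "tool-setup.exe")
        with open(path, "wb") as fh:
            fh.write(b"abc")
        results = {"intact": verify_download(path, published)}
        with open(path, "ab") as fh:
            fh.write(b"\x00")  # a single appended byte changes every digest
        results["tampered"] = verify_download(path, published)
    return results
```

Only a result in which every published digest matches should be treated as a pass; a file that matches one algorithm but not another has either been altered or listed against the wrong release.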

▼ Time Stamps: ▼
0:00 - Intro
1:28 - Powershell
2:03 - 7-Zip
2:26 - HashTab
3:27 - OpenHashTab
5:19 - QuickHash
5:38 - Checking Signatures
7:39 - Checking Signatures (Even More)
9:02 - Are Hashes Truly Unique?

Comments

Some points to add:
• Doing this is just one additional layer of security, but not an absolute guarantee. It is possible that the website is compromised, in which case the hacker could simply change the link to a malicious file and the hash too.
• But it still helps if the files and hashes are stored separately on different hosts. Like if the files are stored on AWS and the hacker gets access to that only, if they replaced the file it wouldn't match the hash on the site.
• Checking hashes is especially useful if you are downloading a file from a mirror instead of the original, which many websites offer. It's very possible a mirror might be compromised but not the main site.

ThioJoe

My main problem with hashes on the website is that if a malicious actor has access to the servers hosting the file to put malware there, they might also have access to the front-end where they could put their malicious hash. (Or alternatively, if you happened to click on a malicious website pretending to be another website, like those OBS copycats we saw a while back, then obviously the hacker can put whatever they want there.)
That's why a signing certificate is much preferable in my opinion, because those are a lot harder to attack.

yuvalne

Didn't realize 7z had hashing! Super helpful, much easier than pulling up a terminal every time I want to install something.

nWestie

To be honest, the reason I never bother to check hashes is because I feel that if someone goes to the effort of compromising some trusted software vendor, they would probably just update the relevant hashes on the website. Of course I understand there are many scenarios where an attacker would have access to the file but not the site, but I feel they're few and far between.

xntumrfoivrnwf

Nothing more reassuring than knowing how easy it is to make a small mistake that will cause a hack, thank you for your service

HeisenbergFam

You are not a real hacker if you ain't wearing a hoodie 😎

_SJ

You're getting close to 3M subscribers! Hope you make it. Well deserved. It's a comfort knowing you're out there looking out for us and I can always come to your channel to learn the latest to stay safe.

wot_hog

Super interesting video!! I really like how you explain in easy terms what everything is and not just tell the solution. Hats off!!

prof.code-dude

I know it's good practice to check the hash and certs before installing or running a program. But to be honest with you, I've never really seen anyone do it.
I feel this is equivalent to reading manuals or reading the ToS. No one does that, but it's recommended they do.
90% of the time, I'm just trying to get something working, and can't be bothered to check the hash and stuff, but I guess this would be useful to prevent accidentally running malicious software.

IsfarTausif

This was a great video, and I learned a lot more about hashes! You explained hashes very well and made them easy to understand. I liked how you showed some examples of how to check hashes, and checking the signatures was great; I didn't know hash collisions were even possible.
Thanks for making this video and sharing your knowledge with us.

You are awesome!😎

anonymousinternational

It's worth mentioning that just because a file is signed does not mean the file itself has been vetted. It just means that the person or company has been verified by the CA. Verification just means the company is who they say they are. There are countless potentially unwanted programs that can get signed.

aquatrax

Two items:

1)
If a bad actor was able to gain access and upload a malicious file (to replace the real file), then it stands to reason that the bad actor would also change the site to display a hash matching his uploaded file.

So other than checking if a download is corrupted, I do not see the benefit of checking the hash.

2)
The "certutil.exe" command will generate hashes.

Example:
certutil -hashfile filename (will use SHA1 by default)

certutil -hashfile filename SHA256 (will use SHA256, and must be upper case).

I do not know if it will generate hashes for all existing algorithms, but it worked with all of the ones that I tried.

NoEggu

I think one interesting point to add would be that if you provide multiple hashes, like CRC32, MD5, SHA1, SHA256,
even if some attacker finds a collision for one of them, when you actually check the file, only that one hash would match, but the others wouldn't.

XCanG

I didn't know you could drag a file into PowerShell (or the plain command prompt/DOS) and it would put the path info into the command prompt. Wow, that would have saved me SOOOO much time and aggro.
To me that's the best part of this vid.

paulstubbs

I knew what the hashes were, but I'm always too lazy to search up how to actually check the file hash, thanks for this tutorial! 😅

Dracolmao_

This video having multiple audios and subs is awesome.
This needs to be the norm for most if not all YouTube videos, or at least educational stuff.

Ali-Sensei

I usually just check for signatures. But the HashTab feature is pretty neat. Must have it!

testdrive

Clonezilla uses MD5 and SHA1 for file integrity checks, which is perfectly fine for internal use. Anything I get from the net will use SHA-256 or higher. BLAKE hashing is pretty new to me, so I will have to check it out.

Darkk

Checks hashes: "OK I downloaded the correct virus"

alexbridenbaker

I'm a tad lazy here; I don't bother with the hashes. I concentrate more on downloading from a legit site, as a hacked site will probably also contain hacked hashes, so when you download and check, all looks good.
Years ago I was editing the data in a two-way radio. I didn't have the official software to allow me to edit the channels, so I did it the hard way with a hex editor. Trouble was, it had a checksum, so I figured out the difference and put that into an unused channel spot and all was well. Now this leads me to the thought that it should be possible to add some extra data to the end of a file so the hash would now match that of the official file, ouch, which leads me to the idea that you should also verify the file size down to the byte level, to make sure.

paulstubbs