#1 2015-09-11 12:55:51

Nadya
Member
Registered: 2015-08-28
Posts: 11

How do I know you're still you?

If your account is compromised and a malicious program is bundled with the Alt1 installer or replaces it there is currently no safety net for users. This is remediable in a few steps - and I'd be willing to help.

1) There is no way to verify that the Alt1 I am downloading is the Alt1 you released. A MITM (man in the middle) attack or you losing control over the Alt1 website (even temporarily) is enough to put everyone at risk.

2) There is no way to verify that you are still you, in case your account has been compromised.

My suggestions:

Create an account at keybase.io (I can send you an invite) and use GPG to verify your Reddit identity (and Twitter if you have it). As long as your private key is not compromised - you can confirm your identity.

Release a SHA256 or MD5 hash of the installer. The most recent setup.exe has a SHA256 of 4e09d9006a6b4d57933df47e3b586859b8b790e8cade3869e8ed1eee8ca40ce1 and an MD5 of 64114d2eeef70df310f2ea1fc34c232f.

Using GPG I can sign the SHA256 with my private key (only I have access to this). This will look like:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

4e09d9006a6b4d57933df47e3b586859b8b790e8cade3869e8ed1eee8ca40ce1
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBAgAGBQJV8st6AAoJEK5pUA+bZCjJt0AH/ArzeIpZUO5ZCqli3zPio1Oq
kLLRE+hrjxHCtBLxllcDxVMROfNLW06KXni3/KjBLNv0zjlfwwmAhoJnfTWAYfpw
NZMmZTceiW24LRqmOXRizkvsZ82FucO4GEfU93CrmDJ+w/Gc9gLxuHrbi4uTSuc4
LFtwEWko7a0JTadiUX5crz4Dh03RPLJKFouG9KexqHfeRDqL9G5GgfJ9wC4lINXE
zkNgNsYzlEcUcy67V9jvDAD8ICZX/n3V6yNs9oxuepJalm99rwOrpmVCUIZcPsaj
N8FPTKAfUu+DWKHmjHuM3bPv622v0eMvTKqRlBs2YgqlcyCqNghS1nJK1Q4QB5I=
=EmwH
-----END PGP SIGNATURE-----


This can be verified to be me using my public key.


Users can then be assured that 4e09d9006a6b4d57933df47e3b586859b8b790e8cade3869e8ed1eee8ca40ce1 is the valid key as I have said it was and I can be verified to be me.

Now - not every user will do the above. The more people that do, the better, but doing the above allows some users to act as a safety net for other users. If you do the above - I can confirm to others that I have verified the information and that it is correct, the download is currently safe (matches the hash) and that you are actually you.

It takes a small amount of time to set up (creating a GPG key and having a hashing program installed), and creating the hash/signing the hash takes under a minute each time.

If you have any questions - feel free to ask.

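One way a user could act as the safety net described above, as an added example that is not part of this thread or of the Alt1 project: a Python checker that has gpg (assumed on PATH, with the signer's public key already imported) verify the clearsigned hash message first, and only then compares the installer's SHA-256 against the hash that was signed. The file paths and the signer's key fingerprint are assumptions supplied by the caller.

```python
import hashlib
import hmac
import re
import shutil
import subprocess
from pathlib import Path

# RFC 4880 cleartext signature layout: armor header, "Hash:" lines, a blank line,
# the signed text, then the signature armor. (A hex digest never starts with "-",
# so dash-escaping of the signed text is not handled here.)
_CLEARSIGNED = re.compile(
    r"-----BEGIN PGP SIGNED MESSAGE-----\r?\n"
    r"(?:[^\r\n]+\r?\n)*\r?\n"           # header lines up to the blank line
    r"(?P<text>.*?)\r?\n"                # signed text: the published hash
    r"-----BEGIN PGP SIGNATURE-----",
    re.S,
)

def signed_text(clearsigned: str) -> str:
    """Extract the signed body. Only meaningful after gpg has accepted the signature."""
    m = _CLEARSIGNED.search(clearsigned)
    if not m:
        raise ValueError("not a PGP clearsigned message")
    return m.group("text").strip()

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):   # stream; installers are large
            h.update(chunk)
    return h.hexdigest()

def hash_matches(path: Path, expected_hex: str) -> bool:
    return hmac.compare_digest(sha256_file(path), expected_hex.strip().lower())

def signature_verifies(clearsigned_path: Path, signer_fpr: str) -> bool:
    """Have gpg verify the file and confirm which key signed it. Fails closed if
    gpg is absent, rejects the signature, or a different key made it."""
    if shutil.which("gpg") is None:
        return False
    r = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify", str(clearsigned_path)],
                       capture_output=True, text=True, timeout=60)
    # VALIDSIG status line: field [2] = signing-key fingerprint, [-1] = primary-key fingerprint
    return r.returncode == 0 and any(
        f[:2] == ["[GNUPG:]", "VALIDSIG"] and signer_fpr.upper() in (f[2], f[-1])
        for f in (line.split() for line in r.stdout.splitlines()) if len(f) > 2)

def verify_release(installer: Path, clearsigned_path: Path, signer_fpr: str) -> bool:
    """Signature first, then hash: a hash read from an unverified message proves nothing."""
    if not signature_verifies(clearsigned_path, signer_fpr):
        return False
    return hash_matches(installer, signed_text(clearsigned_path.read_text()))
```

Note that this only confirms the installer matches what the key holder signed; whether that key really belongs to the author is the separate identity question the Keybase suggestion addresses.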

#2 2016-01-03 03:13:59

Jon_L
Member
Registered: 2016-01-01
Posts: 2

Re: How do I know you're still you?

Bump - this is a really important best-practices approach; toss a checksum in the mix too

=]]]


#3 2016-01-03 11:43:14

Skillbert
Administrator
Registered: 2014-12-30
Posts: 1,058

Re: How do I know you're still you?

I don't think I will be using this approach, for several reasons.
There will only be a handful of people checking this for every release. By the time anyone can ring the alarm it's already too late.
I will have to do this for every file in the assembly; there are currently about 20 executable files and probably around 100 resources.

There is a proper way to do this which is also supported by the installer that I'm using. However, it involves a digital certificate. These things cost $100/yr to have one that is trusted by your computer. I could also self-sign it, however I'm not sure if that would help.
