mersenneforum.org  

2017-06-17, 00:21   #1
WaiCeeh

Integrity check of Prime95 archive?

I want to stress test my new computer to ensure it is working properly and I have read that Prime95 is great for that.

I have downloaded p95v2810.linux64.tar.gz and now I want to verify the integrity of the tar archive, but I'm unable to find any signed or non-signed checksums on the site.

Can anyone provide the verified SHA-256 or SHA-512 hash of p95v2810.linux64.tar.gz?

Thanks.
2017-06-17, 11:56   #2
GP2

Quote:
Originally Posted by WaiCeeh
Can anyone provide the verified SHA-256 or SHA-512 hash of p95v2810.linux64.tar.gz?
The problem is, George sometimes releases different builds with the same filename.

From the copy I downloaded last October (build 1), I get SHA-256:

Code:
ed5a8b94fdd65436e98e57ea0838035fd44c62492009d00f5fba508cb85481c7  p95v2810.linux64.tar.gz
2017-06-18, 01:02   #3
WaiCeeh

Quote:
Originally Posted by GP2
From the copy I downloaded last October (build 1), I get SHA-256:

Code:
ed5a8b94fdd65436e98e57ea0838035fd44c62492009d00f5fba508cb85481c7  p95v2810.linux64.tar.gz
Thanks. This is the same SHA-256 hash as my copy, so now I know that I haven't been a victim of a MITM attack while downloading. However, we can't be sure that the download server hasn't been compromised and is serving a malicious version of the archive.
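Added example (not code from the thread or from GIMPS): a POSIX shell script that checks a downloaded archive against a SHA-256 digest obtained out of band, either a single digest pasted in a post as in #2, or a SHA256SUMS-style file in the `<hex>  <filename>` format that `sha256sum` prints and that a download page could publish. It rejects malformed digests so a truncated or mistyped hash cannot pass as a match. The file names, the "hello" bytes and their digest in the demo are constructed for illustration and are not the real Prime95 archive.

```shell
#!/bin/sh
# Added example, not code from the thread or from GIMPS: verify a downloaded
# archive against a SHA-256 digest obtained out of band (a forum post, or a
# SHA256SUMS file published on the download page). The file names and bytes
# used in the demo at the bottom are constructed for illustration.

sha256_hex() {
    # Print the lowercase hex SHA-256 of file $1 with whichever tool exists.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

verify_archive() {
    # $1 = downloaded file, $2 = expected digest (64 hex chars, any case).
    # Returns 0 on an exact match, 1 on mismatch, 2 on a usage/format error.
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case "$expected" in
        *[!0-9a-f]*|"") echo "bad digest: $2" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "bad digest length: $2" >&2; return 2; }
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    actual=$(sha256_hex "$file") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  got      $actual" >&2
    return 1
}

digest_from_sums_file() {
    # $1 = SHA256SUMS-style file ("<hex>  <name>" or "<hex> *<name>" per line),
    # $2 = path whose basename is looked up. Prints the digest, or nothing.
    name=$(basename "$2")
    awk -v n="$name" '
        NF >= 2 { f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }
    ' "$1"
}

verify_from_sums_file() {
    # $1 = downloaded file, $2 = SHA256SUMS-style file.
    expected=$(digest_from_sums_file "$2" "$1")
    [ -n "$expected" ] || { echo "no entry for $(basename "$1") in $2" >&2; return 2; }
    verify_archive "$1" "$expected"
}

# Demo with constructed data: run as `sh verify.sh demo`.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    printf 'hello\n' > "$tmp/archive.tar.gz"     # stands in for the archive
    printf 'hellp\n' > "$tmp/tampered.tar.gz"    # one byte changed
    # SHA-256 of the six bytes "hello\n", playing the digest a trusted party published.
    good=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
    printf '%s  archive.tar.gz\n' "$good" > "$tmp/SHA256SUMS"
    verify_archive "$tmp/archive.tar.gz" "$good"
    verify_from_sums_file "$tmp/archive.tar.gz" "$tmp/SHA256SUMS"
    verify_archive "$tmp/tampered.tar.gz" "$good" || echo "exit status $?"
    rm -rf "$tmp"
fi
```

Against a real download the flow is `wget https://www.mersenne.org/ftp_root/gimps/p95v2810.linux64.tar.gz` followed by `verify_archive p95v2810.linux64.tar.gz <digest>`. The check establishes only that the bytes you hold match the bytes the digest's publisher had: if the digest arrives over the same unauthenticated HTTP channel as the file, whoever controls that channel can alter both, which is why a digest from a second source (a forum post, another mirror) and an HTTPS download are worth more than a digest next to the link.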
2017-06-18, 03:03   #4
Dubslow

Quote:
Originally Posted by WaiCeeh
Thanks. This is the same SHA-256 hash as my copy so now I know that I haven't been victim of a MITM attack while downloading. However, we can't be sure that the download server hasn't been compromised and is serving a malicious version of the archive.
The assumption is that if it wasn't the legitimate hash, if that wasn't the legitimate computational software that GP2's been using for months (i.e. ruling out the server being compromised), then he wouldn't have posted it. Of course that relies on the web of trust amongst the forum members here, as well as the lack of https on mersenneforum.org -- theoretically, every single one of these posts could be fabricated by a MITM attack on you, though of course that's not actually happening -- but I think the web of trust among people here and non-https are very minimal risks, both on an absolute scale and relative to the risk that your copy was different/malformed from GP2's (which it seems it wasn't).

2017-06-18, 04:06   #5
WaiCeeh

Quote:
Originally Posted by Dubslow
The assumption is that if it wasn't the legitimate hash, if that wasn't the legitimate computational software that GP2's been using for months (i.e. ruling out the server being compromised), then he wouldn't have posted it. Of course that relies on the web of trust amongst the forum members here, as well as the lack of https on mersenneforum.org -- theoretically, every single one of these posts could be fabricated by a MITM attack on you, though of course that's not actually happening -- but I think the web of trust among people here and non-https are very minimal risks, both on an absolute scale and relative to the risk that your copy was different/malformed from GP2's (which it seems it wasn't).
That is correct, but my main concern was an automated MITM attack, which is easy to do without https. I find it extremely unlikely that I would be a victim of a non-automated attack which involved humans creating fabricated posts.

I always try to verify the integrity of binaries I'm running on my system to ensure they have not been modified after being compiled by the developer. Of course this is not enough, as many other things could be a threat: security holes in the software, a malicious developer, the developer's system being compromised, etc. But to realistically use a computer today you have to blindly trust at some point, and for me it's enough to be sure that the binary has not changed since being compiled by the developer.
2017-06-18, 05:52   #6
Dubslow

Quote:
Originally Posted by WaiCeeh
That is correct, but my main concern was an automated MITM attack which is easy to do without https. I find it extremely unlikely that I would be victim of a non-automated attack which involved humans creating fabricated posts.
I believe we are in violent agreement.
Quote:
Originally Posted by WaiCeeh
I always try to verify the integrity of binaries I'm running on my system to ensure they have not been modified after being compiled by the developer. Of course this is not enough, as many other things could be a threat: security holes in the software, a malicious developer, the developer's system being compromised, etc. But to realistically use a computer today you have to blindly trust at some point, and for me it's enough to be sure that the binary has not changed since being compiled by the developer.
You may always compile (the important parts of) Prime95 yourself, or if you prefer completely and utterly open source, Mlucas has recently returned to competitiveness on Intel hardware. In this particular case, no need to trust any downloaded binaries whatsoever. It wouldn't remove all of the attack vectors you mention, but it would remove many of them.

2017-06-18, 12:27   #7
GP2

Quote:
Originally Posted by WaiCeeh
That is correct, but my main concern was an automated MITM attack which is easy to do without https.
You raise a good point. The download page provides HTTP links to the tar files and zip files, even though the server is capable of doing HTTPS.

I tried just now using

Code:
wget https://www.mersenne.org/ftp_root/gimps/p95v2810.linux64.tar.gz
and it worked, at least to the extent that it connected over port 443 instead of port 80 and successfully downloaded the file.

So perhaps the download page could be fixed?
2017-06-18, 12:35   #8
GP2

Quote:
Originally Posted by Dubslow
Mlucas has recently returned to competitiveness on Intel hardware.
... if you have a Skylake Xeon.
2017-06-18, 18:48   #9
Madpoo

Quote:
Originally Posted by GP2
You raise a good point. The download page provides HTTP links to the tar files and zip files, even though the server is capable of doing HTTPS.

I tried just now using

Code:
wget https://www.mersenne.org/ftp_root/gimps/p95v2810.linux64.tar.gz
and it worked, at least to the extent that it connected over port 443 instead of port 80 and successfully downloaded the file.

So perhaps the download page could be fixed?
I deliberately set the downloads to be http because it didn't make much sense to encrypt them (to me anyway).

As you saw though, you can use https to grab them if you're really worried about MITM.

The server itself has a 3rd party AV installed (I won't mention which one, in case there's a missing definition or something, so people won't try to target it). It does real time scanning and scheduled full scans (one running right now in fact).

I say all that to try and reassure people that we do try to keep the server itself taken care of. As usual though it's always a good idea to run your own AV and take whatever precautions necessary when downloading and running any software from somewhere else.

Perhaps it's a good idea to include fingerprints of the "official" archives that George generates and put them on the server itself (on the download page, because people do also mirror those on other servers) but maybe also here on the forum. After all, if someone hacked the official ZIP they probably also had the chance to alter the page and change the fingerprint to match the altered version (people would probably notice that though).
2017-06-18, 20:12   #10
Dubslow

Quote:
Originally Posted by Madpoo
I deliberately set the downloads to be http because it didn't make much sense to encrypt them (to me anyway).

As you saw though, you can use https to grab them if you're really worried about MITM.
All internet traffic should be encrypted by default. There is utterly no reason to prefer http over https (computational loads on either end and transmission size loads are all negligible these days).
Quote:
Originally Posted by Madpoo
Perhaps it's a good idea to include fingerprints of the "official" archives that George generates and put them on the server itself (on the download page, because people do also mirror those on other servers) but maybe also here on the forum.
That would be a very good idea, both fingerprints and duplicated fingerprints. Nearly all software that's organized in any way has means by which to verify its integrity, no reason besides Human Problems that GIMPS/Prime95 shouldn't do the same.
2017-06-19, 16:16   #11
Madpoo

Quote:
Originally Posted by Dubslow
That would be a very good idea, both fingerprints and duplicated fingerprints. Nearly all software that's organized in any way has means by which to verify its integrity, no reason besides Human Problems that GIMPS/Prime95 shouldn't do the same.
Try this on for size... I don't know if people generally prefer SHA1 or MD5 so I added both, but I don't know if it makes the table too busy. I also cleaned up the OS descriptions a bit... I figured a general "Windows XP and up" for the 64-bit and "Windows 95 and up" for 32-bit would suffice... no reason to specify each and every Windows iteration unless it actually didn't work on any of them for some reason.

Download page - TEST version
All times are UTC. The time now is 18:26.