
[WriteLog] Security warning for any downloaded software

To: writelog@contesting.com
Subject: [WriteLog] Security warning for any downloaded software
From: "Wayne, W5XD" <w5xd@writelog.com>
Date: Sun, 2 Oct 2016 21:37:27 +0000
List-post: <mailto:writelog@contesting.com>

All WriteLog users.

The security issues involving downloaded software are not new, but the
intensity of hacker attacks has grown over the years since we first
started providing WriteLog downloads. A serious security incident
happened in August with Audacity--a sound package that I happen to
highly recommend, and whose download procedures have some similarity with
WriteLog's. That incident is described here:

    http://www.audacityteam.org/compromised-download-partner/

We at WriteLog cannot absolutely guarantee that what happened to
Audacity--hackers replacing a popular download with malware--cannot also
happen at writelog.com. We--and the hosting service we purchase from,
qth.com--make our best efforts to secure the site. But, as described
above, hackers are working continuously to find holes.

The WriteLog team provides a second line of defense against such an
attack, and we have provided this digital signing for many years (at
least since 2012). It is described here:

    http://writelog.com/notes/about-pgp-sigs

The second line of defense is NOT automatic. You have to learn how to
verify the integrity of downloads using a tool (and I recommend the one
at https://gnupg.org/). If you do not know what I am talking about, then
you need to read the whole page at
http://writelog.com/notes/about-pgp-sigs, you need to install gnupg,
download WriteLog's public certificate, and get in the habit of checking
the .sig file that WriteLog provides when you download an installer.

Windows does provide built-in automatic methods to verify digital
signatures (i.e. that don't require you to manually run a public key
verification), but we don't currently have them. That is because
Microsoft does not give those certificates away, we're on a budget, and
we think our users are technically inclined ham radio operators that
know how to handle technology and they like their software to be low
cost (gnupg is free).

We cannot prevent WriteLog users from ignoring that second line of
defense. If you do ignore it, then you're depending solely on the
integrity of the web security at writelog.com.

Wayne


_______________________________________________
WriteLog mailing list
WriteLog@contesting.com
http://lists.contesting.com/mailman/listinfo/writelog
WriteLog on the web:  http://www.writelog.com/
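
The .sig check described in the message above, as an added example that is not part of the original post or WriteLog's own instructions: it reads gnupg's machine-readable status output and accepts a download only when the signature is valid and made by one pinned key, since a good signature from any other key in the keyring proves nothing about the publisher. The fingerprints and sample status lines are constructed placeholders, not WriteLog's real key data, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Fingerprints and status lines below are constructed
# placeholders, not WriteLog's real key data.

# check_status EXPECTED_FPR
# Reads `gpg --status-fd` output on stdin. Succeeds only when a VALIDSIG line
# names EXPECTED_FPR as the primary key and no failure status was reported.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            # Field 12 is the primary key fingerprint; field 3 is the
            # fingerprint of the (sub)key that made the signature.
            fpr = (NF >= 12) ? $12 : $3
            if (toupper(fpr) == toupper(want)) ok = 1; else bad = 1
        }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_download INSTALLER SIGFILE EXPECTED_FPR
# Runs gpg on a detached signature; install only if this returns 0.
verify_download() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null | check_status "$3"
}

# Constructed status output: valid signature from the pinned key.
sample_good() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2016-10-02 1475444247 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
EOF
}

# Constructed: cryptographically valid, but made by a different key.
sample_other_key() {
    cat <<'EOF'
[GNUPG:] GOODSIG 7654321076543210 Someone Else <other@example.invalid>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2016-10-02 1475444247 0 4 0 1 8 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
EOF
}

# Constructed: file does not match its signature.
sample_bad() {
    echo '[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>'
}
```

The fingerprint passed as the third argument should be obtained once, from a channel other than the download site itself.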
