• MD5?

    From Davey@21:1/5 to All on Wed Feb 8 08:56:31 2023
    I downloaded an update file for my car's Satnav, size 30GB, it was done
    overnight, using the Download Manager via Wine on my Ubuntu OS, but the
    Manager reports that the Download Check (MD5) fails, and
    repeatedly does so.

    Wikipedia reports that the MD5 algorithm is broken.

    Should I just install this new file anyway?

    TIA.

    --
    Davey.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Pancho@21:1/5 to Davey on Wed Feb 8 09:57:32 2023
    On 08/02/2023 08:56, Davey wrote:
    I downloaded an update file for my car's Satnav, size 30GB, it was done overnight, using the Download Manager via Wine on my Ubuntu OS, but the Manager reports that the Download Check (MD5) fails, and
    repeatedly does so.

    Wikipedia reports that the MD5 algorithm is broken.

    Should I just install this new file anyway?

    TIA.


    In practice, the MD5 is a quick way to check if the download process has corrupted the file.

    The MD5 check is pointing to the fact that your 30 GB downloaded file is different from the one at the download site, and hence may be corrupt.

    It is quite possible the site you downloaded it from messed up their
    package, but I would download it again, possibly wait for the download
    site to change their files.

    The Wiki stuff is irrelevant, that is about a false positive, two
    different files generating the same MD5 hash.

  • From Marco Moock@21:1/5 to All on Wed Feb 8 11:06:06 2023
    Am 08.02.2023 um 09:57:32 Uhr schrieb Pancho:

    The Wiki stuff is irrelevant, that is about a false positive, two
    different files generating the same MD5 hash.

    There will always be multiple different inputs in a hash function like
    MD5 that cause the same output. The question is just how fast these can
    be found.

  • From Davey@21:1/5 to Marco Moock on Wed Feb 8 11:42:56 2023
    On Wed, 8 Feb 2023 11:06:06 +0100
    Marco Moock <mo01@posteo.de> wrote:

    Am 08.02.2023 um 09:57:32 Uhr schrieb Pancho:

    It is quite possible the site you downloaded it from messed up
    their package, but I would download it again, possibly wait for the download site to change their files.

    The Wiki stuff is irrelevant, that is about a false positive, two
    different files generating the same MD5 hash.

    There will always be multiple different inputs in a hash function like
    MD5 that cause the same output. The question is just how fast these
    can be found.


    Thanks for replies.
    This was in fact the second attempt at downloading the file. The first
    time, my laptop was using WiFi, so in case that had caused a problem, I
    tried again using a wired connection, but with the same result.
    The original file has been on the website since mid-2022, so is
    probably good, it is the download that is failing if anything is. 30 GB
    is, for me, quite a large file, and I am on ADSL.

    --
    Davey.

  • From Andy Burns@21:1/5 to Davey on Wed Feb 8 12:32:53 2023
    Davey wrote:

    Manager reports that the Download Check (MD5) fails
    [snip]
    Wikipedia reports that the MD5 algorithm is broken.

    What wikipedia means by "broken" is that somebody malicious can take a
    bogus file, modify it to appear genuine.

    What your satnav means by "broken" is that the download has likely been
    corrupted during download (or maybe someone *is* trying to get you to drive
    over a cliff in mysterious circumstances!)

    In general if something says an MD5sum doesn't match you should probably
    take notice, but if it says it *does* match you can no longer be sure
    it's actually genuine.
    Should I just install this new file anyway?

    At the risk of corrupting the satnav firmware.

  • From Davey@21:1/5 to Andy Burns on Wed Feb 8 12:49:27 2023
    On Wed, 8 Feb 2023 12:32:53 +0000
    Andy Burns <usenet@andyburns.uk> wrote:

    Davey wrote:

    Manager reports that the Download Check (MD5) fails
    [snip]
    Wikipedia reports that the MD5 algorithm is broken.

    What wikipedia means by "broken" is that somebody malicious can take
    a bogus file, modify it to appear genuine.

    What your satnav means by "broken" is that the download has likely
    been corrupted during download (or maybe someone *is* trying to get
    you to drive over a cliff in mysterious circumstances!)

    In general if something says an MD5sum doesn't match you should
    probably take notice, but if it says it *does* match you can no
    longer be sure it's actually genuine.
    Should I just install this new file anyway?

    At the risk of corrupting the satnav firmware.


    In that case, no thanks!

    Cheers,

    --
    Davey.

  • From Richard Kettlewell@21:1/5 to Andy Burns on Wed Feb 8 13:35:09 2023
    Andy Burns <usenet@andyburns.uk> writes:
    Davey wrote:

    Manager reports that the Download Check (MD5) fails
    [snip]
    Wikipedia reports that the MD5 algorithm is broken.

    What wikipedia means by "broken" is that somebody malicious can take a
    bogus file, modify it to appear genuine.

    No, it doesn’t mean that in this case. It means that the originator of a
    file can create two distinct versions with identical hashes. That is
    quite different to an attacker constructing a modified file with the
    same hash as a pre-existing legitimate one.

    --
    https://www.greenend.org.uk/rjk/

  • From Richard Kettlewell@21:1/5 to Marco Moock on Wed Feb 8 13:28:20 2023
    Marco Moock <mo01@posteo.de> writes:
    Am 08.02.2023 um 09:57:32 Uhr schrieb Pancho:
    The Wiki stuff is irrelevant, that is about a false positive, two
    different files generating the same MD5 hash.

    There will always be multiple different inputs in a hash function like
    MD5 that cause the same output. The question is just how fast these can
    be found.

    MD5 collisions can be constructed in a handful of seconds, and
    that’s the sense in which MD5 is broken. But it’s not really relevant
    to the use case here.

    Second preimage search would be relevant (i.e. an attacker constructing
    a compromised ISO with the same hash as a legitimate one). But that’s
    still completely impractical for MD5.

    --
    https://www.greenend.org.uk/rjk/

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
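
    The distinction drawn in the two posts above, between finding any collision and finding a second preimage of one fixed file, as an added example that is not part of the thread. It uses MD5 truncated to 20 bits (an assumption made so both searches finish in seconds) and shows only the generic cost gap, roughly 2^(n/2) tries against 2^n; the message prefixes and the stand-in file contents are constructed.

```python
import hashlib
from itertools import count


def tmd5(data: bytes, bits: int) -> int:
    """MD5 truncated to its top `bits` bits: a deliberately tiny toy hash."""
    return int.from_bytes(hashlib.md5(data).digest(), "big") >> (128 - bits)


def find_collision(bits: int):
    """Birthday search: ANY two distinct inputs sharing a toy hash.
    The searcher chooses both inputs, so about 2^(bits/2) tries suffice."""
    seen = {}
    for i in count():
        msg = b"c-%d" % i
        h = tmd5(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg


def find_second_preimage(target: bytes, bits: int):
    """Find a different input matching ONE fixed, pre-existing input.
    The target hash is not under the searcher's control: about 2^bits tries."""
    want = tmd5(target, bits)
    for i in count():
        msg = b"p-%d" % i
        if msg != target and tmd5(msg, bits) == want:
            return msg, i + 1


if __name__ == "__main__":
    bits = 20
    a, b, c_tries = find_collision(bits)
    # Constructed stand-in for a legitimate, already-published file.
    legit = b"constructed stand-in for the legitimate update file"
    other, p_tries = find_second_preimage(legit, bits)
    print(f"collision       after {c_tries:>8} tries: {a!r} / {b!r}")
    print(f"second preimage after {p_tries:>8} tries: {other!r}")
```

    At the full 128 bits the second search is the one that would let a third party swap a published file, which is why a failed check still means the bytes differ from what the publisher hashed.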
  • From Davey@21:1/5 to Pancho on Wed Feb 8 14:00:34 2023
    On Wed, 8 Feb 2023 13:51:48 +0000
    Pancho <Pancho.Jones@proton.me> wrote:

    On 08/02/2023 11:42, Davey wrote:
    On Wed, 8 Feb 2023 11:06:06 +0100
    Marco Moock <mo01@posteo.de> wrote:

    Am 08.02.2023 um 09:57:32 Uhr schrieb Pancho:

    It is quite possible the site you downloaded it from messed up
    their package, but I would download it again, possibly wait for
    the download site to change their files.

    The Wiki stuff is irrelevant, that is about a false positive, two
    different files generating the same MD5 hash.

    There will always be multiple different inputs in a hash function
    like MD5 that cause the same output. The question is just how fast
    these can be found.


    Thanks for replies.
    This was in fact the second attempt at downloading the file. The
    first time, my laptop was using WiFi, so in case that had caused a
    problem, I tried again using a wired connection, but with the
    same result. The original file has been on the website since
    mid-2022, so is probably good, it is the download that is failing
    if anything is. 30 GB is, for me, quite a large file, and I am on
    ADSL.

    I don't really know what I'm talking about, but...

    I just noticed that you said you were using Wine, AIUI that suggests
    using Windows and Linux. I, vaguely, remember a problem downloading
    text files, related to different end of line characters (eol). Some
    download managers would replace the Windows eol with the Linux eol,
    or vice versa, which is harmless in terms of the actual text, but
    would mess up an MD5 check.


    That could very well be, it would explain the repeated failure. 30GB is
    a heck of a file to download via ADSL, to my way of thinking. I also
    have a Win7 PC, but it is deliberately disconnected from the internet,
    as I only use it for a couple of programmes that need Windows, and every
    time I used to connect it, it would then spend half a day catching up
    with months' worth of updates.
    So I didn't even consider using it for this.
    I am now in the process of booking a visit to my local dealer for the
    free download, hopefully this Friday.
    --
    Davey.

  • From Pancho@21:1/5 to Davey on Wed Feb 8 13:51:48 2023
    On 08/02/2023 11:42, Davey wrote:
    On Wed, 8 Feb 2023 11:06:06 +0100
    Marco Moock <mo01@posteo.de> wrote:

    Am 08.02.2023 um 09:57:32 Uhr schrieb Pancho:

    It is quite possible the site you downloaded it from messed up
    their package, but I would download it again, possibly wait for the
    download site to change their files.

    The Wiki stuff is irrelevant, that is about a false positive, two
    different files generating the same MD5 hash.

    There will always be multiple different inputs in a hash function like
    MD5 that cause the same output. The question is just how fast these
    can be found.


    Thanks for replies.
    This was in fact the second attempt at downloading the file. The first
    time, my laptop was using WiFi, so in case that had caused a problem, I
    tried again using a wired connection, but with the same result.
    The original file has been on the website since mid-2022, so is
    probably good, it is the download that is failing if anything is. 30 GB
    is, for me, quite a large file, and I am on ADSL.


    I don't really know what I'm talking about, but...

    I just noticed that you said you were using Wine, AIUI that suggests
    using Windows and Linux. I, vaguely, remember a problem downloading text
    files, related to different end of line characters (eol). Some download managers would replace the Windows eol with the Linux eol, or vice
    versa, which is harmless in terms of the actual text, but would mess up
    an MD5 check.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
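
    One way to test the end-of-line theory from the post above without downloading again, as an added example that is not part of the thread: stream the file once and compare the published MD5 against the digest of the bytes as they are and of the bytes with the line-ending translation undone in either direction. The function names and sample bytes are constructed for illustration.

```python
import hashlib
import io


def md5_variants(stream, chunk_size=1 << 20):
    """One pass over the stream, three MD5s: bytes as-is, every CRLF turned
    into LF, and every line ending turned into CRLF. Reads in chunks, so a
    30 GB file never has to fit in memory."""
    raw, as_lf, as_crlf = hashlib.md5(), hashlib.md5(), hashlib.md5()
    carry = b""  # a trailing CR held back in case its LF starts the next chunk
    while chunk := stream.read(chunk_size):
        raw.update(chunk)
        data = carry + chunk
        carry = b""
        if data.endswith(b"\r"):
            data, carry = data[:-1], b"\r"
        lf = data.replace(b"\r\n", b"\n")
        as_lf.update(lf)
        as_crlf.update(lf.replace(b"\n", b"\r\n"))
    as_lf.update(carry)
    as_crlf.update(carry)
    return raw.hexdigest(), as_lf.hexdigest(), as_crlf.hexdigest()


def diagnose(stream, expected_md5, chunk_size=1 << 20):
    """Classify a download against the publisher's MD5."""
    raw, as_lf, as_crlf = md5_variants(stream, chunk_size)
    expected = expected_md5.strip().lower()
    if raw == expected:
        return "match"
    if as_crlf == expected:
        return "crlf_to_lf"   # transfer replaced CRLF with LF
    if as_lf == expected:
        return "lf_to_crlf"   # transfer replaced LF with CRLF
    return "mismatch"         # differs in some other way: do not install


if __name__ == "__main__":
    # Constructed sample: what the publisher hashed, and a translated copy.
    original = b"line one\r\nline two\r\n\x00\xffbinary\r\n"
    published = hashlib.md5(original).hexdigest()
    translated = original.replace(b"\r\n", b"\n")
    print(diagnose(io.BytesIO(original), published))
    print(diagnose(io.BytesIO(translated), published, chunk_size=7))
    print(diagnose(io.BytesIO(original[:-5]), published))
```

    For a real file, pass `open(path, "rb")` as the stream. A translated file is still not the publisher's file, so the result explains the failure rather than clearing the download for installation.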
  • From Adrian Caspersz@21:1/5 to Davey on Fri Feb 10 10:26:33 2023
    On 08/02/2023 08:56, Davey wrote:
    I downloaded an update file for my car's Satnav, size 30GB, it was done overnight, using the Download Manager via Wine on my Ubuntu OS, but the Manager reports that the Download Check (MD5) fails, and
    repeatedly does so.

    Wikipedia reports that the MD5 algorithm is broken.

    Should I just install this new file anyway?

    No. It likely has been compromised, and what you have downloaded will
    certainly be malware of some sort. Very common with satnav files, there
    is a large exploited market for sharing them freely rather than paying.

    --
    Adrian C

  • From Theo@21:1/5 to Adrian Caspersz on Fri Feb 10 14:13:31 2023
    Adrian Caspersz <email@here.invalid> wrote:
    On 08/02/2023 08:56, Davey wrote:
    I downloaded an update file for my car's Satnav, size 30GB, it was done overnight, using the Download Manager via Wine on my Ubuntu OS, but the Manager reports that the Download Check (MD5) fails, and
    repeatedly does so.

    Wikipedia reports that the MD5 algorithm is broken.

    Should I just install this new file anyway?

    No. It likely has been compromised, and what you have downloaded will certainly be malware of some sort. Very common with satnav files, there
    is a large exploited market for sharing them freely rather than paying.

    That depends where the MD5 hash you are comparing with came from. If it
    came from some authoritative source (like the manufacturer), then maybe a download from a different site is hosting a file that's been changed in some way (either maliciously or a corrupted download)

    If the MD5 is on the same site as the download, then any hacker worth their salt would change the hash to match the compromised version. So the
    likelihood is it's a corrupted download.

    If it's useful some manufacturer tool to do the download and the hashing, it sounds more like the latter case. The manufacturer tool wouldn't be downloading from dodgy sites.

    Theo

  • From Davey@21:1/5 to Theo on Fri Feb 10 17:08:25 2023
    On 10 Feb 2023 14:13:31 +0000 (GMT)
    Theo <theom+news@chiark.greenend.org.uk> wrote:

    Adrian Caspersz <email@here.invalid> wrote:
    On 08/02/2023 08:56, Davey wrote:
    I downloaded an update file for my car's Satnav, size 30GB, it
    was done overnight, using the Download Manager via Wine on my
    Ubuntu OS, but the Manager reports that the Download Check (MD5)
    fails, and repeatedly does so.

    Wikipedia reports that the MD5 algorithm is broken.

    Should I just install this new file anyway?

    No. It likely has been compromised, and what you have downloaded
    will certainly be malware of some sort. Very common with satnav
    files, there is a large exploited market for sharing them freely
    rather than paying.

    That depends where the MD5 hash you are comparing with came from. If
    it came from some authoritative source (like the manufacturer), then
    maybe a download from a different site is hosting a file that's been
    changed in some way (either maliciously or a corrupted download)

    If the MD5 is on the same site as the download, then any hacker worth
    their salt would change the hash to match the compromised version.
    So the likelihood is it's a corrupted download.

    If it's useful some manufacturer tool to do the download and the
    hashing, it sounds more like the latter case. The manufacturer tool
    wouldn't be downloading from dodgy sites.

    Theo

    I have gone to a main dealer, and it is downloading the file to my
    stick. That should work!
    --
    Davey.

  • From Adrian Caspersz@21:1/5 to Davey on Sun Feb 12 14:06:36 2023
    On 10/02/2023 17:08, Davey wrote:
    On 10 Feb 2023 14:13:31 +0000 (GMT)
    Theo <theom+news@chiark.greenend.org.uk> wrote:

    Adrian Caspersz <email@here.invalid> wrote:

    No. It likely has been compromised, and what you have downloaded
    will certainly be malware of some sort. Very common with satnav
    files, there is a large exploited market for sharing them freely
    rather than paying.

    That depends where the MD5 hash you are comparing with came from. If
    it came from some authoritative source (like the manufacturer), then
    maybe a download from a different site is hosting a file that's been
    changed in some way (either maliciously or a corrupted download)

    If the MD5 is on the same site as the download, then any hacker worth
    their salt would change the hash to match the compromised version.

    So the likelihood is it's a corrupted download.

    Yeah, agreed :)


    If it's useful some manufacturer tool to do the download and the
    hashing, it sounds more like the latter case. The manufacturer tool
    wouldn't be downloading from dodgy sites.

    Theo

    I have gone to a main dealer, and it is downloading the file to my
    stick. That should work!

    Hmmm... So, on a similar whim I've just tried a maps download from
    Skoda's website, and on the 27GB download for my 'Columbus' navigation,
    they don't show anything as fancy as an MD5 for customers to verify
    anything.

    The file is zipped, and they want it unzipped then installed from a 64GB Class-10 SD card which I currently don't have, neither spare disc space
    on this here PC.

    I was originally planning to download it over the car's own Wi-Fi
    connection, or tethered to the mobile phone, me parked near to a mobile
    phone mast. But, seems I will have more luck winning the lottery than transferring 27 billion+ bytes without error wirelessly.

    A job for another day me thinks, Columbus can wait...

    --
    Adrian C

  • From Gordon@21:1/5 to Theo on Mon Mar 20 06:45:30 2023
    On 2023-02-10, Theo <theom+news@chiark.greenend.org.uk> wrote:
    Adrian Caspersz <email@here.invalid> wrote:
    On 08/02/2023 08:56, Davey wrote:
    I downloaded an update file for my car's Satnav, size 30GB, it was done
    overnight, using the Download Manager via Wine on my Ubuntu OS, but the
    Manager reports that the Download Check (MD5) fails, and
    repeatedly does so.

    Wikipedia reports that the MD5 algorithm is broken.

    Should I just install this new file anyway?

    No. It likely has been compromised, and what you have downloaded will
    certainly be malware of some sort. Very common with satnav files, there
    is a large exploited market for sharing them freely rather than paying.

    That depends where the MD5 hash you are comparing with came from. If it
    came from some authoritative source (like the manufacturer), then maybe a download from a different site is hosting a file that's been changed in some way (either maliciously or a corrupted download)

    The point of MD5 is that you need to be completely sure of the MD5 value. If
    not, all bets are off. As you generate an MD5 for the downloaded file you
    need to be sure of the MD5 which you compare to the one you have
    calculated.

    If the MD5 is on the same site as the download, then any hacker worth their salt would change the hash to match the compromised version. So the likelihood is it's a corrupted download.

    If it's useful some manufacturer tool to do the download and the hashing, it sounds more like the latter case. The manufacturer tool wouldn't be downloading from dodgy sites.

    Theo
