
MD5?


Davey

Feb 8, 2023, 3:56:34 AM
I downloaded an update file for my car's Satnav, size 30GB, it was done
overnight, using the Download Manager via Wine on my Ubuntu OS, but the
Manager reports that the Download Check (MD5) fails, and
repeatedly does so.

Wikipedia reports that the MD5 algorithm is broken.

Should I just install this new file anyway?

TIA.

--
Davey.

Pancho

Feb 8, 2023, 4:57:34 AM
In practice, the MD5 is a quick way to check if the download process has
corrupted the file.

The MD5 check is pointing to the fact that your 30 GB downloaded file is
different from the one at the download site, and hence may be corrupt.

It is quite possible the site you downloaded it from messed up their
package, but I would download it again, possibly wait for the download
site to change their files.

The Wiki stuff is irrelevant, that is about a false positive, two
different files generating the same MD5 hash.



Marco Moock

Feb 8, 2023, 5:06:07 AM
On 08.02.2023 at 09:57:32, Pancho wrote:

> The Wiki stuff is irrelevant, that is about a false positive, two
> different files generating the same MD5 hash.

There will always be multiple different inputs in a hash function like
MD5 that cause the same output. The question is just how fast these can
be found.

Davey

Feb 8, 2023, 6:42:58 AM
On Wed, 8 Feb 2023 11:06:06 +0100
Marco Moock <mo...@posteo.de> wrote:

> On 08.02.2023 at 09:57:32, Pancho wrote:

> > It is quite possible the site you downloaded it from messed up
> > their package, but I would download it again, possibly wait for the
> > download site to change their files.
> >
> > The Wiki stuff is irrelevant, that is about a false positive, two
> > different files generating the same MD5 hash.
>
> There will always be multiple different inputs in a hash function like
> MD5 that cause the same output. The question is just how fast these
> can be found.
>

Thanks for replies.
This was in fact the second attempt at downloading the file. The first
time, my laptop was using WiFi, so in case that had caused a problem, I
tried again using a wired connection, but with the same result.
The original file has been on the website since mid-2022, so is
probably good, it is the download that is failing if anything is. 30 GB
is, for me, quite a large file, and I am on ADSL.

--
Davey.

Andy Burns

Feb 8, 2023, 7:32:57 AM
Davey wrote:

> Manager reports that the Download Check (MD5) fails
[snip]
> Wikipedia reports that the MD5 algorithm is broken.

What wikipedia means by "broken" is that somebody malicious can take a
bogus file, modify it to appear genuine.

What your satnav means by "broken" is that the download has likely been
corrupted during download (or maybe someone *is* trying to get you to drive
over a cliff in mysterious circumstances!)

In general if something says an MD5sum doesn't match you should probably
take notice, but if it says it *does* match you can no longer be sure
it's actually genuine.

> Should I just install this new file anyway?

At the risk of corrupting the satnav firmware.

Davey

Feb 8, 2023, 7:49:29 AM
In that case, no thanks!

Cheers,

--
Davey.

Richard Kettlewell

Feb 8, 2023, 8:28:22 AM
MD5 collisions can be constructed in a handful of seconds, and
that’s the sense in which MD5 is broken. But it’s not really relevant
to the use case here.

Second preimage search would be relevant (i.e. an attacker constructing a
compromised ISO with the same hash as a legitimate one). But that’s
still completely impractical for MD5.

--
https://www.greenend.org.uk/rjk/

Richard Kettlewell

Feb 8, 2023, 8:35:10 AM
Andy Burns <use...@andyburns.uk> writes:
> Davey wrote:
>
>> Manager reports that the Download Check (MD5) fails
> [snip]
>> Wikipedia reports that the MD5 algorithm is broken.
>
> What wikipedia means by "broken" is that somebody malicious can take a
> bogus file, modify it to appear genuine.

No, it doesn’t mean that in this case. It means that the originator of a
file can create two distinct versions with identical hashes. That is
quite different to an attacker constructing a modified file with the
same hash as a pre-existing legitimate one.

--
https://www.greenend.org.uk/rjk/

Pancho

Feb 8, 2023, 8:51:49 AM
I don't really know what I'm talking about, but...

I just noticed that you said you were using Wine, AIUI that suggests
using Windows and Linux. I, vaguely, remember a problem downloading text
files, related to different end of line characters (eol). Some download
managers would replace the Windows eol with the Linux eol, or vice
versa, which is harmless in terms of the actual text, but would mess up
an MD5 check.
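
Added example, not part of any post in this thread: a streamed digest check of a download against a published value, which also shows the end-of-line effect described in the post above. The sample bytes and the "published" digest are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time so a 30 GB file never sits in RAM


def file_digest(path, algo="md5"):
    """Stream the file through the hash and return the hex digest."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:  # binary mode: no end-of-line translation
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify(path, published_hex, algo="md5"):
    """True only if the file's digest equals the published one."""
    actual = file_digest(path, algo)
    return hmac.compare_digest(actual, published_hex.strip().lower())


def demo():
    # Constructed sample standing in for the update file.
    original = b"MAPDATA v1\r\nregion=EU\r\nend\r\n"
    # Constructed stand-in for the digest the vendor would list.
    published = hashlib.md5(original).hexdigest()
    # Same content after a tool rewrote CRLF line endings as LF.
    translated = original.replace(b"\r\n", b"\n")
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("intact", original), ("eol_changed", translated)):
            path = os.path.join(d, name)
            with open(path, "wb") as f:
                f.write(data)
            results[name] = verify(path, published)
    return results


if __name__ == "__main__":
    print(demo())
```

Passing `algo="sha256"` to `verify` checks against a SHA-256 value instead, where the publisher provides one.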

Davey

Feb 8, 2023, 9:00:35 AM
That could very well be, it would explain the repeated failure. 30GB is
a heck of a file to download via ADSL, to my way of thinking. I also
have a Win7 PC, but it is deliberately disconnected from the internet,
as I only use it for a couple of programmes that need Windows, and every
time I used to connect it, it would then spend half a day catching up
with months' worth of updates.
So I didn't even consider using it for this.
I am now in the process of booking a visit to my local dealer for the
free download, hopefully this Friday.
--
Davey.

Adrian Caspersz

Feb 10, 2023, 5:26:36 AM
On 08/02/2023 08:56, Davey wrote:
No. It likely has been compromised, and what you have downloaded will
certainly be malware of some sort. Very common with satnav files, there
is a large exploited market for sharing them freely rather than paying.

--
Adrian C

Theo

Feb 10, 2023, 9:13:35 AM
That depends where the MD5 hash you are comparing with came from. If it
came from some authoritative source (like the manufacturer), then maybe a
download from a different site is hosting a file that's been changed in some
way (either maliciously or a corrupted download)

If the MD5 is on the same site as the download, then any hacker worth their
salt would change the hash to match the compromised version. So the
likelihood is it's a corrupted download.

If it's useful some manufacturer tool to do the download and the hashing, it
sounds more like the latter case. The manufacturer tool wouldn't be
downloading from dodgy sites.

Theo

Davey

Feb 10, 2023, 12:08:26 PM
On 10 Feb 2023 14:13:31 +0000 (GMT)
I have gone to a main dealer, and it is downloading the file to my
stick. That should work!
--
Davey.

Adrian Caspersz

Feb 12, 2023, 9:06:38 AM
On 10/02/2023 17:08, Davey wrote:
> On 10 Feb 2023 14:13:31 +0000 (GMT)
> Theo <theom...@chiark.greenend.org.uk> wrote:
>
>> Adrian Caspersz <em...@here.invalid> wrote:
>>>
>>> No. It likely has been compromised, and what you have downloaded
>>> will certainly be malware of some sort. Very common with satnav
>>> files, there is a large exploited market for sharing them freely
>>> rather than paying.
>>
>> That depends where the MD5 hash you are comparing with came from. If
>> it came from some authoritative source (like the manufacturer), then
>> maybe a download from a different site is hosting a file that's been
>> changed in some way (either maliciously or a corrupted download)
>>
>> If the MD5 is on the same site as the download, then any hacker worth
>> their salt would change the hash to match the compromised version.

>> So the likelihood is it's a corrupted download.

Yeah, agreed :)

>>
>> If it's useful some manufacturer tool to do the download and the
>> hashing, it sounds more like the latter case. The manufacturer tool
>> wouldn't be downloading from dodgy sites.
>>
>> Theo
>
> I have gone to a main dealer, and it is downloading the file to my
> stick. That should work!

Hmmm... So, on a similar whim I've just tried a maps download from
Skoda's website, and on the 27GB download for my 'Columbus' navigation,
they don't show anything as fancy as an MD5 for customers to verify
anything.

The file is zipped, and they want it unzipped then installed from a 64GB
Class-10 SD card which I currently don't have, neither spare disc space
on this here PC.

I was originally planning to download it over the car's own Wi-Fi
connection, or tethered to the mobile phone, me parked near to a mobile
phone mast. But, seems I will have more luck winning the lottery than
transferring 27 billion+ bytes without error wirelessly.

A job for another day me thinks, Columbus can wait...

--
Adrian C

Gordon

Mar 20, 2023, 2:45:32 AM
On 2023-02-10, Theo <theom...@chiark.greenend.org.uk> wrote:
> Adrian Caspersz <em...@here.invalid> wrote:
>> On 08/02/2023 08:56, Davey wrote:
>> > I downloaded an update file for my car's Satnav, size 30GB, it was done
>> > overnight, using the Download Manager via Wine on my Ubuntu OS, but the
>> > Manager reports that the Download Check (MD5) fails, and
>> > repeatedly does so.
>> >
>> > Wikipedia reports that the MD5 algorithm is broken.
>> >
>> > Should I just install this new file anyway?
>>
>> No. It likely has been compromised, and what you have downloaded will
>> certainly be malware of some sort. Very common with satnav files, there
>> is a large exploited market for sharing them freely rather than paying.
>
> That depends where the MD5 hash you are comparing with came from. If it
> came from some authoritative source (like the manufacturer), then maybe a
> download from a different site is hosting a file that's been changed in some
> way (either maliciously or a corrupted download)

The point of MD5 is that you need to be completely sure of the MD5 value. If
not, all bets are off. As you generate an MD5 for the downloaded file you
need to be sure of the MD5 to which you compare the one you have
calculated.