My feedback regarding the latest episode of Security Now:
To whomever Gibsons and Laportes this may concern,
I'm not Bill Kurtis.
I thought I'd just throw a message over to you guys to clarify one point that was raised on Security Now Episode 181 "Crypto Rehash".
Steve, you commented that you failed to see the point of putting MD5 or SHA hashes on websites that offered downloads given that if a website was compromised the hash could easily be changed as well. I must admit I had never thought of it that way myself either; I had a hearty chuckle on the train along with you guys much to the bewilderment of my fellow commuters!
I would comment though that I was under the impression that hashes under download links are not provided for the purposes of verifying a file hasn't been tampered with for security reasons, but are instead provided so you could verify that the downloaded file had been received intact. As a FreeBSD user I download ISO images and regularly use the hashes to verify that the finished download wasn't corrupted while downloading before I burn a coaster with one. Not sure if this is really necessary, but it has alerted me to a couple of failed downloads in the past.
Thanks for the great show and all the effort and preparation you put into each one.
Most humbly and securely yours,
Ruben Schade in A Little Street in Singapore
THIS MESSAGE HAS BEEN SCANNED WITH SUPER AWESOME VIRUS SCANNER 2009. IT WILL SELF DESTRUCT IF DELETED.