In our "trustless" world, I am writing a post this morning on what I have learned to do to add an additional layer of security to my downloading and installation of software. Particularly open-source software, which we encounter a lot of when choosing to invest in blockchain technology and the resulting "digital asset" class.
As an older man, with a lot of experience in life, I have always enjoyed a good quote. The older I get, the more I like them ... 😊
Here is one which might be applied to our topic this morning:
"Eternal vigilance is the price of liberty"
So ... Let's talk about being prudent in taking some pretty simple steps to add some protection to our use of downloaded open-source software.
Checking Validity of Downloaded Software
While making no claim to being a "technical wizard" when it comes to this topic, I am well enough aware of the potential for any software to be a potential threat to my home network, that I take the following steps, when downloading and installing open-source software.
- Note: When downloading from large corporations, e.g. Microsoft, Apple, Google, etc., we typically don't even think about this, as we assume our protection is "built in" to their services to us. Hopefully right, but not the topic of this post.
This post is specifically about software accessible through open-source channels, e.g. "digital asset" wallets, as in the example which follows:
Well, this morning I was following up and getting this installed, as I like to stay on top of ensuring I have the "latest, greatest" version of any software I use. Here are the steps I followed, which will provide you an outline for what I always do, no matter what the specific software may be.
- Step 1: Opened the link I maintain in a database, to the GitHub repositiory for the ArkEcosystem's software, and downloaded into the subfolder on my computer where I store ARK wallet sofware.
Note: If you are not already familiar with it, GitHub is the largest repository in the world for software code writers. If you choose, you can open an account there easily, so you can communicate with them.
Image 1: Click on Software Link and Download
- Step 2: Opened the ReadMe file stored in the subfolder into which the file above was downloaded, and updated it with information from this latest download, as shown below.
Image 2: Update CertUtil Specs in ReadMe.txt File
- Step 3: In the subfolder storing the downloaded file, hold down the Shift key the right click with your mouse, anywhere on the screen. This opens an instance of Windows PowerShell, as shown below. Copy and paste the CertUtil string stored in the ReadMe file into PowerShell and execute.
Note: If you are not already familiar with it, CertUtil is a Windows utility which has a number of uses ...
Image 3: Execute CertUtil Command in Windows PowerShell
- Step 4: Copy and paste the SHA256 hash generated in Step 3 into a spreadsheet designed to compare this string, with the one provided on the webpage from which the software was originally downloaded. See Image 1 above.
Note: Sadly, not all web sites provide the hash info needed. I have myself written to the software authors, when I have found this valuable info missing, and have been generally pleased at their responsive in providing it for future releases.
Image 4: Compare SHA256 Hashes in Spreadsheet
As most of us have already experienced, the cryptographic strings found in this new "digital asset" class universe are bewilderingly complex. Rather than take the time and trouble, all while risking the chance of error, to compare them manually, I built a spreadsheet to "automate" the process.
The spreadsheet shown above is comparatively simple. The key is the formula shown in the B10 cell. It strips any leading or trailing "white space" and compares the two strings - one from the PowerShell command and one from the website. The formula returns TRUE if the strings match. FALSE if they don't.
So ... What just happened?! 😉
The SHA256 hash value is a sophisticated store of a number representing the file you just downloaded. By comparing it to the value generated by a copy of the software now downloaded on to your computer, you are checking to ensure that you are not working with a tampered version of the file.
Hackers and those with nothing better to do with their lives than cause us trouble can be very sneaky in what they can embed in these files. Unbeknownst to you. The SHA256 hash value is one common way of testing for this.
Disclaimer: While not bulletproof, these steps provide just what this post says - "added security." For just a bit more peace of mind ...
So ... Safe to install the newly downloaded sofware now right? Yeah ... Well no ... Not entirely ...
- Step 5: You may, as I commonly have, experience the following dialog, when you begin to install your newly downloaded software. If you want to proceed, this illustration shows you how to do it - click on the "More Info" hyperlink, then on the "Run anyway" button.
Note: Again, far from an expert, but my understanding is Windows Defender (if you have it activated, as I do ...) is checking to see if there is a Microsoft certificate for the software publisher on file in their security systems.
Image 5: Getting Past Windows Security Check?
While this may initially be alarming, keep in mind that many, many code writers in the open-source community produce what they do in their "off hours," when they are not working at their "day jobs." Many elect, for various reasons not to take the time to register for these certificates. Perhaps as a philosophical "statement," perhaps due to a lack of time, etc.
After researching this issue and reading up on what it represents, I have always done what I show above and, so far, have not lived to regret it. You will have to decide for yourself whether this is a risk worth taking.
These are the steps I successfully followed a short time ago. Along with taking the time to capture the screenshots above for this post.
Wrapping up, while never a fan of being paranoid, I have long been an advocate for being prudent. Keeping at least "one eye" on your digital security is highly recommended.
I hope this will be of some help to you dear reader.
Just this morning, I was writing to my good Steemian friend, @insight-out, about writing whatever is on your heart. "Practicing what I preach" I have long written on a number of topics on the Steem blockchain. And organized them into what I typically refer to as "series."
So ... Here you have my latest contribution to my "technical aide" series. I’d love to hear any feedback you may be inspired to provide.
Until "next time," all the best to you for an even better tomorrow, as we all work together to build our Steem Community! 👍 😊
Posted using SteemPeak and “immutably enshrined in the blockchain” on Thursday, 21 March 2019!
P.S. If anyone reading this would have any tips for me on better tags / channels to use for posts like this one, I would be very appreciative of any help provided!
Interested to read more of my “technical aide” posts? Great!
- Welcome to the Steemisphere! Getting Off to a "Flying Start," Version 1.0 – Covers the full spectrum of what a new Steemian needs to know to get off to a “flying start.”
- User's Guide to the Steemisphere, Version 1.0 – Covers the recommended apps and tools a new Steemian needs as they begin to engage with our Steem blockchain.
- Tech Aide: Investing in the Steem Blockchain on Binance and Bittrex - Covers investing in STEEM and SBD on these popular exchanges.