[liberationtech] The unbearable lightness [and abundance] of gaza care packages

Uncle Zzzen unclezzzen at gmail.com
Sat Nov 17 12:28:38 PST 2012


I've seen so far 2 different forks of the zip called Gaza Care Package:

One fork is by @Crypt0nymous
https://twitter.com/Crypt0nymous/status/269749439550328832
File:
http://bayfiles.com/file/rPjj/a7ehrr/Op_Israel_Care_Package_For_Gaza.zip
Sha1: e9f6de4fc3619c97d953e943605906f48eabfe67
Authenticity: retweeted by @BiellaColeman
It contains 2 PDF files (potential vulnerability).

The other fork is maintained by anonrelations:
http://anonrelations.net/opisrael-95/ and already has 2 versions
v1:
https://bayfiles.com/file/rVfF/vRRtdV/Op_Israel_Care_Package_For_Gaza.zip
Sha1: 204ba3a73fe0864618163b130c39d4f58c5f3dbf
v2: http://www.mediafire.com/?hpnne29xvx1ceuv
Sha1: a9681e67bcf67a42cb859bef981ea373eeaa9419
Authenticity: @AnonyOps
https://twitter.com/AnonyOps/status/269872081125134336 (v2 link is in the
pastebin)

Now *this* contains the windows vidalia .exe (in both versions).
I've verified it against the sig at
https://www.torproject.org/dist/vidalia-bundles/vidalia-bundle-0.2.2.39-0.2.20.exe.asc and
it's "kosher" but there are 2 questions here:

1) Why vidalia and not torbrowser? There's a good reason why torproject
makes it hard to download anything but torbrowser. "Barefoot Vidalia" is
enough rope for beginners to hang themselves with.
2) Why distribute a .exe (or even .pdf) without means to verify its
authenticity?

The 2nd question is more critical, because now there are [at least] 3 zips
called "gaza care package" going around Gaza on memory sticks, and people
get used to the fact that not all of them are the same but "don't worry.
it's got an anonymous logo png on it". Spooky.

IMHO, it's easy to create an ad hoc trusted distribution system:
You can have a wrapper zip containing the payload zip, and a README.txt
(maybe call it IMPORTANT.txt) explaining how to verify it with a clause "if
you don't understand how to do this, ask someone who does".
How to verify? Easiest would be to write "the sha1sum of the zip can be
found on the bios of @anonythis and @anonythat. we hope that you already
know and trust at least one of them". You could also do that with gpg
fingerprints but sha1 is easier to teach people (the geek who verifies the
file for you can easily teach you how to verify future versions).

Does it make sense?
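The verification step the post sketches (compare the archive's sha1sum against a value published on an account you already trust, or check a GPG signature), as an added POSIX shell example that is not part of the original post. File names, the demo payload and its hash are constructed here; the published hash is assumed to come from an out-of-band channel the recipient trusts, which is the whole point of the scheme.

```shell
#!/bin/sh
# Added example (not from the original post): check a downloaded archive
# against a SHA-1 published out of band, and optionally a detached GPG
# signature. Paths and values below are hypothetical/constructed.

# Print the SHA-1 of a file, using sha1sum or shasum, whichever is present.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print $1}'
    else
        shasum -a 1 "$1" | awk '{print $1}'
    fi
}

# verify_sha1 FILE EXPECTED_HEX
# Returns 0 when the file's SHA-1 equals the published value, 1 otherwise.
verify_sha1() {
    actual=$(sha1_of "$1")
    # normalise case so a hash copied from a web page in upper case still matches
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $1 matches the published SHA-1"
        return 0
    fi
    echo "MISMATCH: $1 does NOT match the published SHA-1" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# verify_gpg_sig FILE SIGFILE
# Checks a detached ASCII-armoured signature (the .asc the post refers to).
# Assumes the signer's public key has already been imported into gpg.
verify_gpg_sig() {
    gpg --verify "$2" "$1"
}

# Constructed demo: a stand-in "payload" whose SHA-1 is known in advance.
demo() {
    tmp=$(mktemp) || return 1
    printf 'hello\n' > "$tmp"
    # SHA-1 of the bytes "hello\n"
    verify_sha1 "$tmp" f572d396fae9206628714fb2ce00f72e94f2258f
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Usage: `verify_sha1 Op_Israel_Care_Package_For_Gaza.zip <hash copied from the trusted bio>`; a non-zero exit status means the archive is not the one that was published. Checking a hash only moves the trust problem to wherever the hash was read from, which is why the post insists on a source the recipient already knows.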