Hacker News

There's no completely secure way, except for getting the public key directly from the developer over a trusted channel (or in person). And even that won't protect you in case the developer's keys get compromised.

But there are a number of things that can be done:

- always verify the checksum (if available), in case the download mirror (but not the web site itself) got compromised.

- check for strange strings in the binary (use "strings" and "grep"), e.g. URLs.

- scan the downloaded file on Jotti or VirusTotal.

- unpack the binary manually with 7-zip or similar if it's a self-extracting file.

- check installation scripts, build files, etc. (if applicable).

- if downloading source code, check a couple of files at random. Will most likely not protect you, but if everyone does it, it helps detect embedded malware (or bugs) early.

- run "strace" (Linux/Unix) or "FileMon" (Windows) or similar software and log what the software does when you install and run it for the first time.

- and check Hacker News regularly ;)
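The first two checks in the comment above (compare the download against a checksum obtained elsewhere, then grep the binary for embedded URLs), as an added POSIX shell example. This is not the commenter's code or any project's tooling; it assumes sha256sum or shasum, gpg, tr, grep and sort are on the PATH, and the sample "binary", its URL and the DOWNLOAD_CHECK_DEMO variable are made up for the example.

```shell
#!/bin/sh
# Added example, not part of the HN comment above. Compares a downloaded file
# against a SHA-256 taken from a second channel, optionally verifies a
# detached GPG signature, and lists URL-like strings embedded in the file.
# Assumes sha256sum (or shasum), gpg, tr, grep and sort are installed.

# sha256_of FILE -> prints the hex SHA-256 of FILE (shasum fallback for macOS)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_checksum FILE EXPECTED_HEX -> 0 if the digests match, 1 otherwise.
# Compared case-insensitively so a digest copied in upper case from a web
# page still matches. Remember the point made above: the checksum must come
# from the project's own site, not from the mirror that served the file.
verify_checksum() {
    actual=$(sha256_of "$1" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ -n "$actual" ] && [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $1: expected $expected, got ${actual:-<none>}" >&2
    return 1
}

# verify_signature FILE SIGFILE -> checks a detached signature with gpg.
# Only meaningful if the signing key was obtained over a channel the mirror
# cannot influence (project site over HTTPS, or the developer in person).
verify_signature() {
    gpg --verify "$2" "$1"
}

# extract_strings FILE -> printable runs of at least 8 characters, like
# strings(1); falls back to tr/grep when binutils is not installed.
extract_strings() {
    if command -v strings >/dev/null 2>&1; then
        strings -a -n 8 "$1"
    else
        LC_ALL=C tr -c '[:print:]' '\n' < "$1" | grep -E '^.{8,}$'
    fi
}

# list_urls FILE -> unique http(s) URLs found among the printable strings.
# A host the project never mentions is worth a second look before running
# the installer.
list_urls() {
    extract_strings "$1" | grep -Eo 'https?://[^[:space:]"'"'"'<>]+' | sort -u
}

# make_sample FILE -> writes a constructed "binary" (control bytes, some
# text, one embedded made-up URL) so the functions can be exercised offline.
make_sample() {
    printf '\177ELF\001\002\003 hello world \001\001%s\002 more bytes\003' \
        'http://updates.example.invalid/check' > "$1"
}

# demo -> run the checks on the constructed sample and print the outcome.
demo() {
    f=$(mktemp)
    make_sample "$f"
    good=$(sha256_of "$f")
    verify_checksum "$f" "$good" && echo "checksum ok"
    verify_checksum "$f" 0000000000000000000000000000000000000000000000000000000000000000 \
        || echo "tampered copy detected"
    echo "embedded URLs:"
    list_urls "$f"
    rm -f "$f"
}

# Set DOWNLOAD_CHECK_DEMO=1 (a name made up for this example) to run the demo.
if [ "${DOWNLOAD_CHECK_DEMO:-0}" = 1 ]; then
    demo
fi
```

For a real download, call `verify_checksum ./pkg.tar.gz <sha256 from the project site>` and `verify_signature ./pkg.tar.gz ./pkg.tar.gz.asc` before unpacking; `list_urls` is a cheap first pass before the strace/FileMon step in the comment, not a substitute for it.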
