Question / Help Suggestion to avoid a nightmare scenario

dscotese

New Member
I doubt this has happened, but I worry about it. I'm downloading the installer directly right now to reassure myself. Here's the nightmare scenario:

A hacker sees that OBS has made the software available through torrent and decides to use it to infest victims. He spins up several virtual machines at various IP addresses and deploys a malware version of OBS to them. Perhaps he overloads existing file sharers to knock them offline. If he is successful, anyone who then chooses to download OBS via bittorrent gets infected.

I looked around a little bit for the cryptographic hash of the installer file but couldn't find it. That would have been faster for me and less taxing on bandwidth both for me and for OBS.

I suggest that the hashes be created and signed by the owner of this website (Rich Stanway, hence the update domain name, io.r1ch.net). That would save bandwidth for paranoid folks such as myself.

There may already be a simpler way to do what I will be able to do in 15 minutes when my download finishes - to verify the integrity of the torrent - but I couldn't find it. I'd very much appreciate it if someone explained an easier way.
 

Harold

Active Member
Except that it's nowhere near that simple to actually deploy a virus version of OBS through the official torrent.

Torrent clients can't be overloaded the way you think they can.
 

R1CH

Forum Admin
Developer
The .torrent file itself contains hashes of every chunk. So long as you downloaded the .torrent from a trusted site like https://obsproject.com/, no one in the P2P network associated with the torrent can send you data which doesn't match the hashes in the .torrent file.

We take security very seriously and wouldn't use a distribution mechanism that's vulnerable in the way you describe. In addition to secure distribution methods and updates, all OBS executables (including the installer) on Windows are digitally signed with an authenticode signature that can be checked before executing them.
 
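Added example, not code from the OBS project or from anyone in this thread: a small Python script that performs the check R1CH describes, decoding the `pieces` field of a .torrent (one 20-byte SHA-1 per piece) and comparing it against downloaded bytes, so a chunk served by any peer that does not match the trusted .torrent is rejected. The torrent metadata and the stand-in payload are constructed inline so it runs offline; a real client does the same comparison on every piece it receives.

```python
import hashlib

def bdecode(data, i=0):
    """Minimal bencode decoder: returns (value, index just past it)."""
    c = data[i:i + 1]
    if c == b"i":                                   # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):                           # list / dict, 'e'-terminated
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            v, i = bdecode(data, i)
            items.append(v)
        return (items if c == b"l" else dict(zip(items[::2], items[1::2]))), i + 1
    colon = data.index(b":", i)                     # byte string: <len>:<bytes>
    n = int(data[i:colon])
    return data[colon + 1:colon + 1 + n], colon + 1 + n

def bencode(v):
    """Minimal bencode encoder; dict keys are bytes and emitted sorted."""
    if isinstance(v, int):
        return b"i%de" % v
    if isinstance(v, bytes):
        return b"%d:%s" % (len(v), v)
    if isinstance(v, list):
        return b"l" + b"".join(map(bencode, v)) + b"e"
    return b"d" + b"".join(bencode(k) + bencode(v[k]) for k in sorted(v)) + b"e"

def mismatched_pieces(torrent, payload):
    """Indices of pieces whose SHA-1 differs from the .torrent 'pieces' field."""
    info = bdecode(torrent)[0][b"info"]
    plen, hashes = info[b"piece length"], info[b"pieces"]   # 20 bytes per piece
    return [n for n in range(len(hashes) // 20)
            if hashlib.sha1(payload[n * plen:(n + 1) * plen]).digest()
            != hashes[n * 20:(n + 1) * 20]]

def verify_download(torrent, payload):
    """True only if the total length and every piece hash match the metadata."""
    info = bdecode(torrent)[0][b"info"]
    return len(payload) == info[b"length"] and not mismatched_pieces(torrent, payload)
# Constructed sample: a 512-byte stand-in "installer" split into 100-byte pieces.
PAYLOAD = bytes(range(256)) * 2
PIECE_LEN = 100
PIECES = b"".join(hashlib.sha1(PAYLOAD[i:i + PIECE_LEN]).digest()
                  for i in range(0, len(PAYLOAD), PIECE_LEN))
TORRENT = bencode({b"info": {b"name": b"sample.bin", b"length": len(PAYLOAD),
                             b"piece length": PIECE_LEN, b"pieces": PIECES}})
TAMPERED = bytearray(PAYLOAD)
TAMPERED[150] ^= 0xFF            # one corrupted byte inside piece 1 (bytes 100-199)
```

Appending extra bytes to an otherwise clean payload also fails `verify_download`, because the `length` field is checked alongside the per-piece hashes.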

dscotese

New Member
Thanks guys, it makes more sense now. It sounds like the button on the download page actually delivers the hashes that I thought I should find myself, but for every chunk of the torrent. Very cool. Sorry for being the boy who cried wolf!
 