1 00:00:00,210 --> 00:00:02,820 Welcome to part seven of this module. 2 00:00:02,820 --> 00:00:08,310 In this video we're going to be looking at how to verify the authenticity of the files that we download 3 00:00:08,670 --> 00:00:11,100 using GPG for Windows. 4 00:00:11,100 --> 00:00:17,370 We'll also be covering how to get the various checksums for files using SHA sum checker. 5 00:00:17,370 --> 00:00:22,350 And this will be crucially important for the next few classes in this module. 6 00:00:22,350 --> 00:00:28,380 If you haven't watched the previous video you may need to go back and do so before proceeding because 7 00:00:28,380 --> 00:00:32,430 you will need GPG for Windows installed on your computer. 8 00:00:32,550 --> 00:00:37,390 The next video right after this one will be covering the Tor anonymity project. 9 00:00:37,470 --> 00:00:45,930 We'll be going into detail about what Tor is, what it is not, and how to use it and how it is used. 10 00:00:46,230 --> 00:00:53,190 We'll then be looking at the Tails operating system which fully employs Tor for all of these entries. 11 00:00:53,190 --> 00:00:59,630 It will be important to know how to verify the authenticity of the files that we're using. 12 00:00:59,670 --> 00:01:06,240 It is possible to falsify a web page or in some other way trick someone into downloading a malicious 13 00:01:06,240 --> 00:01:09,870 file. With both Tor and Tails 14 00:01:09,870 --> 00:01:14,520 it is imperative that we know that we're using a trusted copy. 15 00:01:14,730 --> 00:01:22,380 If the Tor installer or the Tails ISO file were to be in some way compromised then we might lose all 16 00:01:22,470 --> 00:01:29,550 anonymity while believing ourselves to be anonymous and such tiny changes to these files would not 17 00:01:29,550 --> 00:01:33,630 be detected by an antivirus or malware scanner.
18 00:01:33,630 --> 00:01:40,770 So what we're going to do is we're going to navigate over to the Tor Project dot org and once again 19 00:01:40,770 --> 00:01:43,490 we will be covering Tor in the next video. 20 00:01:43,530 --> 00:01:49,500 But for right now let's go ahead and download a copy of the browser bundle by clicking the download 21 00:01:49,500 --> 00:01:55,920 link and notice that there is a 32 bit version of Tor available for older machines. 22 00:01:55,950 --> 00:02:00,400 Go ahead and click download and grab the version that is right for your operating system. 23 00:02:00,420 --> 00:02:04,380 Most of you will probably be using 64 bit by now. 24 00:02:04,380 --> 00:02:12,510 The file will download normally. With the file now downloaded the next thing we do is check the PGP signature. 25 00:02:12,510 --> 00:02:18,490 So we're going to come over here and it's right underneath the file download option. 26 00:02:18,590 --> 00:02:21,690 And if you downloaded 32 bit it's going to be down here. 27 00:02:21,810 --> 00:02:28,070 When I click on sig in parentheses hopefully this looks familiar to you by now. 28 00:02:28,200 --> 00:02:31,870 We'll want to highlight this PGP key, the whole thing. 29 00:02:32,050 --> 00:02:34,600 We're going to copy it to the clipboard. 30 00:02:34,620 --> 00:02:38,450 This is going to be our signing file. In addition to this 31 00:02:38,460 --> 00:02:44,880 we're going to need the installer which we've already downloaded as well as the signing key from the 32 00:02:44,880 --> 00:02:46,230 developers. 33 00:02:46,230 --> 00:02:53,010 Now if you recall from the last video we want to paste this block of text here that is our key into 34 00:02:53,010 --> 00:02:54,690 a text file.
35 00:02:54,780 --> 00:03:06,130 So let's go ahead and open up Notepad, paste it in there and we're gonna save the file to the desktop as 36 00:03:06,500 --> 00:03:16,140 Tor key dot asc and we'll go ahead and save it to the desktop with the ASC extension. We could also 37 00:03:16,140 --> 00:03:20,380 use the PGP extension if we wanted to. 38 00:03:20,410 --> 00:03:24,940 Next we're going to grab the Tor developers' signing key. 39 00:03:24,940 --> 00:03:31,750 Unfortunately the Web site doesn't make it immediately obvious how to do this which I personally think 40 00:03:31,750 --> 00:03:35,260 is a little frustrating for a security project. 41 00:03:35,320 --> 00:03:42,300 We need to start out by clicking on this tiny link right here next to the sig that we just clicked on. 42 00:03:42,310 --> 00:03:44,800 "What's this" in tiny text. 43 00:03:44,800 --> 00:03:48,780 And now we're going to scroll down to where it says 44 00:03:48,790 --> 00:03:52,680 "Where do I get the signatures and the keys that made them?" 45 00:03:52,700 --> 00:03:56,380 And we're gonna click on the link for the signing keys page. 46 00:03:56,380 --> 00:03:59,410 Here we have a list of keys from the developers. 47 00:03:59,410 --> 00:04:07,830 Let's go ahead and highlight the Tor Browser development key which is the string of text right here. 48 00:04:07,840 --> 00:04:12,130 The Tor Browser developers. We're going to click copy. 49 00:04:12,250 --> 00:04:16,560 Now notice that the zero and the X are not highlighted. 50 00:04:16,570 --> 00:04:22,720 Those are not part of the key and the parenthesis isn't supposed to be there but it's very hard to highlight 51 00:04:22,720 --> 00:04:24,820 this link.
52 00:04:24,820 --> 00:04:32,730 So what you really just want is everything after the X and before the closing parenthesis. We're going 53 00:04:32,730 --> 00:04:39,340 to go ahead and we're going to open up our GPA key manager and we're going to go up to server, select 54 00:04:39,340 --> 00:04:47,750 retrieve keys and we're going to post the key ID, paste excuse me, and I'm going to get rid of the little 55 00:04:47,810 --> 00:04:49,930 closing parenthesis. 56 00:04:50,030 --> 00:04:56,880 So it's just the string of numbers and letters and we're going to click OK. 57 00:04:56,980 --> 00:04:57,910 There we go. 58 00:04:57,910 --> 00:05:04,660 You should see that the Tor Browser developers' public key has now been added to our key manager. 59 00:05:04,660 --> 00:05:10,540 If for some reason you get an error message make sure that your firewall is not blocking your key manager 60 00:05:10,930 --> 00:05:14,170 since it's pulling down the key from the server. 61 00:05:14,170 --> 00:05:14,950 OK great. 62 00:05:14,950 --> 00:05:16,770 Everything is set up. 63 00:05:16,780 --> 00:05:21,620 So what we're going to do is going to enter some commands into the command line. 64 00:05:21,670 --> 00:05:23,760 I'm sure everybody is comfortable with that 65 00:05:23,800 --> 00:05:25,570 if they're taking this class. 66 00:05:25,810 --> 00:05:29,860 So for older Windows we're going to load up CMD 67 00:05:32,810 --> 00:05:38,680 and for Windows 10 we would just right click on the appropriate directory and select Windows PowerShell. 68 00:05:38,690 --> 00:05:46,410 So we're going to navigate over to the directory if we need to and we're going to enter the command 69 00:05:46,620 --> 00:05:54,970 GPG tack tack verify or dash dash if you prefer.
70 00:05:55,040 --> 00:06:06,470 We're going to put in our key which is the text file that we just saved and then we're gonna do a space 71 00:06:06,980 --> 00:06:14,950 and we're going to drag in the installer file that we wish to verify and press enter. 72 00:06:14,950 --> 00:06:17,150 This may take a few moments. 73 00:06:17,170 --> 00:06:26,130 Lo and behold GPG reports good signature from the Tor Browser developers. 74 00:06:26,140 --> 00:06:34,630 That being said we also get this warning telling us that the key is not certified with a trusted signature. 75 00:06:34,630 --> 00:06:41,650 If you remember back to the previous video you may recall that newly imported keys have an unknown level 76 00:06:41,650 --> 00:06:42,250 of trust 77 00:06:42,250 --> 00:06:50,710 by default. The first PGP key verifies that the installer we just downloaded has a good signature but 78 00:06:50,710 --> 00:06:56,950 the key was signed by the developer's signing key and how do we know if that is real? 79 00:06:56,950 --> 00:07:05,590 The truth is we can never be 100 percent sure unless we know the developers and he or she is able to 80 00:07:05,590 --> 00:07:07,880 personally verify for us. 81 00:07:07,930 --> 00:07:14,200 One thing that will be covered more as we go into the deep web a.k.a. the darknet is what are called 82 00:07:14,380 --> 00:07:22,810 webs of trust. Individuals who know each other and are very into encryption will often exchange keys 83 00:07:22,960 --> 00:07:25,720 in which case they can in fact be trusted. 84 00:07:25,720 --> 00:07:30,510 If you're getting it directly from the source they can give you the fingerprint. 85 00:07:30,520 --> 00:07:36,850 Now of course the fingerprints are located right down here for these keys but we're getting them from 86 00:07:36,850 --> 00:07:38,680 the same source as the key itself. 87 00:07:38,680 --> 00:07:41,610 So do we really trust them?
88 00:07:41,620 --> 00:07:46,790 So the best practice here of course is going to be to use your own judgment. 89 00:07:46,810 --> 00:07:53,080 But we do have a second method of verifying that this file is what we think it is. 90 00:07:53,110 --> 00:08:00,210 But first I just want to show that if we go back to our key manager and if we right click on the key 91 00:08:00,210 --> 00:08:08,930 and set owner trust and signify that we do in fact trust this key because remember it's not trusted 92 00:08:08,930 --> 00:08:10,200 by default. 93 00:08:10,460 --> 00:08:16,820 And if we run the check again this time there will be no warning, the signature will come back good and 94 00:08:16,850 --> 00:08:18,040 everything is golden. 95 00:08:18,920 --> 00:08:22,860 So this was one way of verifying the file. 96 00:08:22,910 --> 00:08:28,850 There is one other step we can take beyond verifying the key provided. We can use a SHA sum checker 97 00:08:32,070 --> 00:08:35,340 to look at the checksum values of the file in question. 98 00:08:35,340 --> 00:08:42,210 There are in fact many different ways to do this but the easiest is to just go ahead and download the 99 00:08:42,210 --> 00:08:45,550 SHA sum checker utility which is free. 100 00:08:45,600 --> 00:08:52,060 So we're going to navigate over to this web page, Raymond's WordPress MD5 and SHA Checksum 101 00:08:52,060 --> 00:08:53,050 Utility. 102 00:08:53,050 --> 00:08:55,450 Of course you can purchase that if you wish. 103 00:08:55,450 --> 00:09:00,550 I'm going to download from the mirror, download from Softpedia and click download now. 104 00:09:03,170 --> 00:09:05,050 Installation is very straightforward. 105 00:09:05,060 --> 00:09:13,280 We'll just open the installer then we'll select the Tor installation file and open it. 106 00:09:13,280 --> 00:09:17,750 And after a moment it will calculate all of the different hash values of the file.
107 00:09:17,840 --> 00:09:21,410 Then we're just going to go ahead and we're going to highlight the name of this file, 108 00:09:24,570 --> 00:09:26,420 copy it to the clipboard. 109 00:09:26,490 --> 00:09:37,140 We'll come back over here and this is a list of all of the SHA 256 values of all of the different distributions 110 00:09:37,170 --> 00:09:41,280 of the Tor installer and rather than search through this list by hand 111 00:09:41,280 --> 00:09:47,170 we're going to use control F to find and in the Find box we're going to paste in the name of the file. 112 00:09:47,310 --> 00:09:48,660 And here it is. 113 00:09:48,660 --> 00:09:58,360 This is the appropriate file that we're looking for and we're going to copy this SHA 256 hash, come right 114 00:09:58,360 --> 00:10:00,370 down here to our checker. 115 00:10:00,370 --> 00:10:10,750 Paste it into the hash box and click verify and we can see that the SHA 256 hash does in fact match. 116 00:10:10,750 --> 00:10:12,750 And that's kind of all there is to it. 117 00:10:12,760 --> 00:10:19,180 There are often multiple places online where you can find the values for any file that you download. 118 00:10:19,180 --> 00:10:25,390 If the file has been tampered with in any way after the original was created these hash values will 119 00:10:25,390 --> 00:10:29,460 be altered and the verification will not match. 120 00:10:29,470 --> 00:10:36,430 So even if the signing key is in question there is a second way to verify and make sure that you're 121 00:10:36,430 --> 00:10:43,150 downloading what you think you're downloading and that it's actually what it seems. An altered version 122 00:10:43,150 --> 00:10:50,800 of Tor or an installer with a payload attached isn't going to match up. This method of verification is 123 00:10:50,800 --> 00:10:59,380 particularly handy for larger files such as ISOs that you can't easily upload to VirusTotal or otherwise 124 00:10:59,380 --> 00:11:02,560 scan and look over in a timely manner.
125 00:11:02,560 --> 00:11:08,140 The more sources of verification that you use the better as they tend to support each other. 126 00:11:08,230 --> 00:11:13,930 If one or the other does not verify then you have reason to be suspicious and might consider further 127 00:11:13,930 --> 00:11:21,200 checking the file before you go ahead and install it. It is not enough to rely on antivirus to check 128 00:11:21,200 --> 00:11:30,140 things like Tor and Tails because their nature is such that if they were even subtly tampered with 129 00:11:30,470 --> 00:11:36,020 the privacy that they offer could be compromised in a way that no scanning tool would ever detect or 130 00:11:36,030 --> 00:11:43,510 recognize. Even something as simple as changing whether or not JavaScript is allowed by default can compromise 131 00:11:43,520 --> 00:11:45,230 Tor security. 132 00:11:45,230 --> 00:11:47,370 All of this will be covered at greater length 133 00:11:47,390 --> 00:11:52,760 in the next video when we dive into Tor and Tails. A final example that I wish to throw in 134 00:11:52,760 --> 00:11:55,940 are the TrueCrypt 7.1a hashes. 135 00:11:56,030 --> 00:12:02,120 And that's because it was pointed out to me that some people were having a hard time finding them. 136 00:12:02,120 --> 00:12:03,830 Well here they are. 137 00:12:03,830 --> 00:12:13,660 And what we're going to do is going to grab the 7.1a setup hash, 138 00:12:16,160 --> 00:12:26,060 copy it and then we're going to add it into the checksum manager and it calculated immediately. Delete 139 00:12:26,060 --> 00:12:34,420 the old loops or delete the old hash and replace it with the one that we just copied, paste it in there 140 00:12:35,650 --> 00:12:37,360 and it verifies just fine. 141 00:12:37,360 --> 00:12:38,830 And there we go. 142 00:12:38,830 --> 00:12:45,870 It is always a wise policy to research and check out any piece of software that pertains to privacy.
143 00:12:46,000 --> 00:12:50,620 The chances of it containing a payload or a virus are probably pretty low. 144 00:12:50,830 --> 00:12:58,240 But hackers and even intelligence agencies do like to put compromised copies out there into circulation. 145 00:12:59,170 --> 00:13:05,650 Antivirus will not detect tiny alterations in the code that make the programs not function quite as 146 00:13:05,650 --> 00:13:06,570 desired. 147 00:13:06,970 --> 00:13:13,180 Introducing a weakness into the encryption or tweaking a setting that exposes you when you think you're 148 00:13:13,180 --> 00:13:17,300 anonymous doesn't really qualify as malware 149 00:13:17,380 --> 00:13:19,870 as far as most scanners are concerned. 150 00:13:19,870 --> 00:13:22,680 So it's always good to check. 151 00:13:22,720 --> 00:13:23,890 Thank you for your attention.