MD5 / Checksums for firmware downloads

MD5 / Checksums for firmware downloads   

Postby michaelON » Sat Feb 11, 2012 1:03 pm

I do not see any place where I can find the MD5 or SHA checksum for the zip file containing the firmware.
Given that the sites hosting the firmware are not very trustworthy (uploaded.to clearly lies about 'exceeded' capacity to trick you into registering), it would be very helpful to have the md5 posted when new firmware is released.
I am a little concerned about flashing it onto the WD and getting it running on my network, not to mention putting in my Netflix/file server credentials.
michaelON
n00b
 
Posts: 3
Joined: Sat Feb 11, 2012 12:53 pm

Re: MD5 / Checksums for firmware downloads   

Postby mad_ady » Sun Feb 12, 2012 1:47 am

Though it isn't too difficult to build your own homebrew version of wdlxtv (which is homebrew in the first place) and add malicious code to it, very few people have actually created a flashable version of wdlxtv.
The firmware itself begins with an md5 checksum of the firmware, and without it being correct you can't flash the file (so it solves the risk of accidentally breaking your wdtv because of a corrupt file).

Anyone trying to mess with a flashable version without knowing what he is doing will just trigger that checksum failure. And the people who can sneak malicious code in can be counted on my fingers...

Anyway, as a precaution, flash the firmware on a non-networked device. Then, when connecting to the network set up a sniffer (either on the wdtv via tcpdump, or on your router) and see if it "calls home". As far as I know, there is a hit on the wdlxtv site checking for new firmwares on startup, and some UMSP plugins call home to count the user base, but other than that, it's pretty safe.

While security isn't the main design goal of wdlxtv, the code is open and you can inspect it (even the UMSP plugins) and see for yourself if it is safe or not. If there were privacy violations (such as private data being copied out without the user's consent), the violators would be banned from the community.
mad_ady
Developer
 
Posts: 4529
Joined: Fri Nov 05, 2010 9:08 am
Location: Bucharest, Romania

Re: MD5 / Checksums for firmware downloads   

Postby michaelON » Sun Feb 12, 2012 7:55 am

Thanks for the quick reply mad_ady!

Unfortunately the workarounds you are suggesting will not work for me; an md5 that is included inside the download can of course be very easily spoofed. To work, the checksum must come from a trusted source. There is also no way to know when malicious code will call home, maybe after one day, maybe on the first Friday the 13th ... who knows. I know it might sound paranoid, but I still remember the electronic attack on Estonia, when the country was essentially cut off from the internet by an attack which was orchestrated from Russia, but executed using thousands of hijacked PCs and devices all over the world. The owners of most of the PCs and devices that were used in that attack are probably still unaware that they played a part in it ... I believe most of the traffic came from South America.

When I have some time I will see if I can build from source and post the md5sum.

In the meantime I played around with the stock firmware, upgraded it, and it seems to work well enough with streaming TV recordings from mythtv, so I will probably keep it.

Again, thanks for quick reply!
Michael
michaelON
n00b
 
Posts: 3
Joined: Sat Feb 11, 2012 12:53 pm
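
Added example (not part of the original thread and not wdlxtv code): a Python sketch of the distinction raised in the post above between a checksum carried inside the download and one published by a trusted source. The image layout (a 16-byte MD5 header followed by the payload), the use of SHA-256 for the published digest, and all sample bytes are assumptions constructed for illustration; the real wdlxtv firmware layout is not described in this thread.

```python
import hashlib
import hmac

MD5_LEN = 16  # assumed toy layout: 16-byte MD5 header, then the payload


def pack(payload: bytes) -> bytes:
    """Build a toy image whose header is the MD5 of its own payload."""
    return hashlib.md5(payload).digest() + payload


def embedded_check(image: bytes) -> bool:
    """Flasher-style self-check: header must match the MD5 of the payload."""
    header, payload = image[:MD5_LEN], image[MD5_LEN:]
    return hmac.compare_digest(header, hashlib.md5(payload).digest())


def published_check(image: bytes, published_sha256: str) -> bool:
    """Compare the whole file with a digest obtained from a trusted channel."""
    actual = hashlib.sha256(image).hexdigest()
    return hmac.compare_digest(actual, published_sha256.strip().lower())


def assess(image: bytes, published_sha256: str) -> str:
    if not embedded_check(image):
        return "corrupt"      # damaged in transit or on disk
    if not published_check(image, published_sha256):
        return "untrusted"    # self-consistent, but not the released file
    return "ok"


# Constructed sample data, not real firmware.
RELEASE = pack(b"kernel+rootfs v1 (constructed sample)")
PUBLISHED = hashlib.sha256(RELEASE).hexdigest()  # what the project would post

# One flipped bit, as a bad download would produce.
CORRUPTED = RELEASE[:-1] + bytes([RELEASE[-1] ^ 0x01])
# A changed payload re-packed by whoever changed it: the header is valid again.
REPACKED = pack(b"kernel+rootfs v1 (constructed sample) + extra")

if __name__ == "__main__":
    for name, img in [("release", RELEASE), ("corrupted", CORRUPTED),
                      ("repacked", REPACKED)]:
        print(f"{name:10s} embedded={embedded_check(img)!s:5s} "
              f"-> {assess(img, PUBLISHED)}")
```

The embedded header catches the corrupted copy but accepts the re-packed one; only the comparison against the separately published digest flags it.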

Re: MD5 / Checksums for firmware downloads   

Postby mad_ady » Sun Feb 12, 2012 9:08 am

Well, md5 checksum or not, the only guarantee you have is that piece of software wasn't modified by anyone in transit, but it can't guarantee it doesn't have malicious code inside. The same is true for UMSP plugins which are outside of the firmware and are downloaded at every reboot. And us UMSP plugin developers never took an oath to guarantee user data protection.

But every community is self-regulating. If somebody messes things up intentionally, he would probably get kicked out.

So, unless your netflix credentials are the same as your bank account, I think you can bring yourself to trust us with your data...
mad_ady
Developer
 
Posts: 4529
Joined: Fri Nov 05, 2010 9:08 am
Location: Bucharest, Romania

Re: MD5 / Checksums for firmware downloads   

Postby michaelON » Sun Feb 12, 2012 10:04 am

Ok, thanks!
I did not want it to come across as not trusting the devs. Of course I trust you guys, the whole open source model is based on trust in the developers and the credibility they have built through commits. Do not trust the download sites though ... all the open source projects are doing it so the need for a checksum is not a new thing.
As I explained earlier there is much more at stake than Netflix credentials, the WD is just a linux box and can be used to do anything that is possible to do on the internet ... it is trivial to add code for a proxy which could be controlled remotely for DoS attacks or, worse, child porn downloads. I do not want the police banging on my door ... it is difficult to explain that it was not you if the traffic is coming from your IP.

If I download ubuntu packages, Android ROMs, router firmware ... all those projects publish checksums. I hope you consider it, it takes less than a minute to get the md5 of the zip file and add it to the post.
michaelON
n00b
 
Posts: 3
Joined: Sat Feb 11, 2012 12:53 pm

Re: MD5 / Checksums for firmware downloads   

Postby mad_ady » Sun Feb 12, 2012 10:46 am

Your points are valid, and I hope b-rad will add them to the download page, but still, it doesn't offer much of a protection.

"Of course I trust you guys, the whole open source model is based on trust in the developers"

This is your mistake. You shouldn't trust us! The open source model is built specifically so that you don't have to trust anybody and you can review the code yourself, and trust the code! We won't go rogue and slip backdoors or child porn downloaders in the next firmware, but only the actual code will guarantee it. Of course, trusting the devs gives you time not to review the code :)

Oh, by the way, the UMSP plugins are not covered by any integrity checks. The development group that handles UMSP is larger than the core developers of WDLXTV so the trust model begins to break there. I'm starting to feel a little paranoid myself, seeing that those plugins have root access to the device, but they are harmless (for now)... :)
mad_ady
Developer
 
Posts: 4529
Joined: Fri Nov 05, 2010 9:08 am
Location: Bucharest, Romania
