Re: 2/20/16 Linux Mint downloads compromised

From Paul <nospam@needed.com>
Newsgroups alt.os.linux.mint, comp.os.linux.security
Subject Re: 2/20/16 Linux Mint downloads compromised
Date 2016-02-21 09:37 -0500
Organization A noiseless patient Spider
Message-ID <nachtt$oai$1@dont-email.me>
References <nnd$1d3e6689$238e4bd5@695a3fabb9aa8c3c> <naceo1$bl4$1@dont-email.me> <871t86ma3c.fsf@mantic.terraraq.uk>

Cross-posted to 2 groups.



Richard Kettlewell wrote:
> Paul <nospam@needed.com> writes:
>> http://www.ghacks.net/2016/02/21/linux-mint-hacked-iso-images-compromised/
>>
>>    "If you run Linux, use the command md5sum nameofiso.iso, e.g.
>>
>>        md5sum linuxmint-17.3-cinnamon-64bit.iso
>>
>>     The ISO image is clean if the signature matches
>>     one of those listed below..."
>>
>> Well, don't do that. It takes 60 seconds on a Pentium 4
>> computer, to "fix" an ISO so it has the correct MD5SUM.
> 
> Go on then, produce a second well-formed ISO image that hashes to
> e71a2aad8b58605e906dbea444dc4983.
> 
> Or if you’d prefer to work with a smaller first preimage:
> 
>     $ cat /etc/motd
> 
>     The programs included with the Debian GNU/Linux system are free software;
>     the exact distribution terms for each program are described in the
>     individual files in /usr/share/doc/*/copyright.
> 
>     Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
>     permitted by applicable law.
>     $ md5sum /etc/motd
>     9830e3dbb6a828f2cc824db8db0ceaf7  /etc/motd
> 
> Clock’s ticking!
> 
>> MD5 is compromised, and is no good for this purpose.
> 
> MD5’s collision resistance is well known to be completely broken, but
> this application does not depend on collision resistance.  
> 
> It’s certainly somewhat disappointing to see it still used in 2016, but
> that’s no excuse for spreading FUD.
> 

So you're saying, if I take the Mint ISO, modify it,
then adjust a portion of the ISO that doesn't matter
to the function of the installation or operation,
so the MD5 is the same as the official release,
it doesn't matter?

Perhaps I misunderstand what a checksum is for?

    Paul
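
The distinction drawn in the quoted reply, between finding any two inputs that collide and matching the checksum of one fixed, already-published file, shown as an added example that is not part of the original post. It assumes MD5 truncated to 16 bits so both searches finish in seconds; the message names and the stand-in "official" content are constructed.

```python
import hashlib
from itertools import count

BITS = 16  # toy digest width (assumption for the demo); real MD5 is 128 bits


def toy_hash(data: bytes, bits: int = BITS) -> int:
    """MD5 truncated to its top `bits` bits."""
    full = int.from_bytes(hashlib.md5(data).digest(), "big")
    return full >> (128 - bits)


def find_collision(bits: int = BITS):
    """Collision search: BOTH messages are free, any matching pair counts."""
    seen = {}
    for i in count():
        msg = b"msg-%d" % i
        h = toy_hash(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1  # pair plus number of hashes computed
        seen[h] = msg


def find_second_preimage(target: bytes, bits: int = BITS):
    """Second-preimage search: the digest to hit is FIXED by `target`,
    as it is when a download must match a checksum that is already published."""
    want = toy_hash(target, bits)
    for i in count():
        msg = b"alt-%d" % i
        if msg != target and toy_hash(msg, bits) == want:
            return msg, i + 1  # match plus number of hashes computed


if __name__ == "__main__":
    a, b, n_coll = find_collision()
    official = b"constructed stand-in for the official ISO"
    m, n_pre = find_second_preimage(official)
    print(f"collision:       {n_coll} hashes (birthday bound ~2^{BITS // 2})")
    print(f"second preimage: {n_pre} hashes (expected ~2^{BITS})")
```

At MD5's full 128 bits the same generic searches cost about 2^64 and 2^128 hashes; the practical breaks of MD5 are collision attacks, which is the first kind of search.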
