Groups | Search | Server Info | Login | Register
Groups > comp.os.linux.security > #688
| From | Richard Kettlewell <rjk@greenend.org.uk> |
|---|---|
| Newsgroups | alt.os.linux.mint, comp.os.linux.security |
| Subject | Re: 2/20/16 Linux Mint downloads compromised |
| Date | 2016-02-21 16:06 +0000 |
| Organization | terraraq NNTP server |
| Message-ID | <87vb5ikpz4.fsf@mantic.terraraq.uk> (permalink) |
| References | <nnd$1d3e6689$238e4bd5@695a3fabb9aa8c3c> <naceo1$bl4$1@dont-email.me> <871t86ma3c.fsf@mantic.terraraq.uk> <nachtt$oai$1@dont-email.me> |
Cross-posted to 2 groups.
Paul <nospam@needed.com> writes: > Richard Kettlewell wrote: >> Paul <nospam@needed.com> writes: >>> http://www.ghacks.net/2016/02/21/linux-mint-hacked-iso-images-compromised/ >>> >>> "If you run Linux, use the command md5sum nameofiso.iso, e..g >>> >>> md5sum linuxmint-17.3-cinnamon-64bit.iso >>> >>> The ISO image is clean if the signature matches >>> one of those listed below..." >>> >>> Well, don't do that. It takes 60 seconds on a Pentium 4 >>> computer, to "fix" an ISO so it has the correct MD5SUM. >> >> Go on then, produce a second well-formed ISO image that hashes to >> e71a2aad8b58605e906dbea444dc4983. >> >> Or if you’d prefer to work with a smaller first preimage: >> >> $ cat /etc/motd >> >> The programs included with the Debian GNU/Linux system are free software; >> the exact distribution terms for each program are described in the >> individual files in /usr/share/doc/*/copyright. >> >> Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent >> permitted by applicable law. >> $ md5sum /etc/motd >> 9830e3dbb6a828f2cc824db8db0ceaf7 /etc/motd >> >> Clock’s ticking! >> >>> MD5 is compromised, and is no good for this purpose. >> >> MD5’s collision resistance is well known to be completely broken, but >> this application does not depend on collision resistance. >> >> It’s certainly somewhat disappointing to see it still used in 2016, but >> that’s no excuse for spreading FUD. > > So you're saying, if I take the Mint ISO, modify it, > then adjust a portion of the ISO that doesn't matter > to the function of the installation or operation, > so the MD5 is the same as the official release, > it doesn't matter ? No, I’m not saying that. > Perhaps I misunderstand what a checksum is for ? You’ve misunderstood what is wrong with MD5. -- http://www.greenend.org.uk/rjk/
Back to comp.os.linux.security | Previous | Next — Previous in thread | Next in thread | Find similar
2/20/16 Linux Mint downloads compromised bleak_fire_ <penachew@yomomma.hot.invalid> - 2016-02-21 05:48 +0100
Re: 2/20/16 Linux Mint downloads compromised Johnny <johnny@invalid.net> - 2016-02-21 06:14 -0600
Re: 2/20/16 Linux Mint downloads compromised Yrrah <Yrrah-aolm@aolm.invalid> - 2016-02-21 14:19 +0100
Re: 2/20/16 Linux Mint downloads compromised Johnny <johnny@invalid.net> - 2016-02-21 10:22 -0600
Re: 2/20/16 Linux Mint downloads compromised Yrrah <Yrrah-aolm@aolm.invalid> - 2016-02-21 17:44 +0100
Re: 2/20/16 Linux Mint downloads compromised Caver1 <caver1@inthemud.org> - 2016-02-21 11:58 -0500
Re: 2/20/16 Linux Mint downloads compromised Paul <nospam@needed.com> - 2016-02-21 08:43 -0500
Re: 2/20/16 Linux Mint downloads compromised Richard Kettlewell <rjk@greenend.org.uk> - 2016-02-21 14:06 +0000
Re: 2/20/16 Linux Mint downloads compromised Paul <nospam@needed.com> - 2016-02-21 09:37 -0500
Re: 2/20/16 Linux Mint downloads compromised Richard Kettlewell <rjk@greenend.org.uk> - 2016-02-21 16:06 +0000
Re: 2/20/16 Linux Mint downloads compromised Yrrah <Yrrah-aolm@aolm.invalid> - 2016-02-21 17:40 +0100
csiph-web