Re: 2/20/16 Linux Mint downloads compromised

From Paul <nospam@needed.com>
Newsgroups alt.os.linux.mint, comp.os.linux.security
Subject Re: 2/20/16 Linux Mint downloads compromised
Date 2016-02-21 08:43 -0500
Organization A noiseless patient Spider
Message-ID <naceo1$bl4$1@dont-email.me>
References <nnd$1d3e6689$238e4bd5@695a3fabb9aa8c3c>

Cross-posted to 2 groups.


bleak_fire_ wrote:
> http://blog.linuxmint.com/?p=2994
> 
> Quotes:
> 
> "Beware of hacked ISOs if you downloaded Linux Mint on February 20th!"

http://www.ghacks.net/2016/02/21/linux-mint-hacked-iso-images-compromised/

    "If you run Linux, use the command md5sum nameofiso.iso, e.g.

        md5sum linuxmint-17.3-cinnamon-64bit.iso

     The ISO image is clean if the signature matches
     one of those listed below..."

Well, don't do that. It takes 60 seconds on a Pentium 4
computer, to "fix" an ISO so it has the correct MD5SUM.
MD5 is compromised, and is no good for this purpose.
SHA1 is better than MD5, in that if a compromise exists,
it can't be done on a P4 in 60 seconds.

This article reviews the usefulness of MD5.

https://en.wikipedia.org/wiki/Md5

SHA1 has a security rating of "yellow". MD5 has
a security rating of "red". The change-over to SHA-2
(SHA256) for https certificates, has a rating
of "green". If a mirror of the Mint site provides
a SHA1 checksum file, that might be good enough for
detecting script kiddie changes, but a nation state
with a supercomputer might be able to fake a correct
SHA1 as well.

https://en.wikipedia.org/wiki/Sha1

It might be better to just throw the ISO image away,
and download again, when a safe source is known.

*******

http://mirror.csclub.uwaterloo.ca/linuxmint//stable/17.3/

linuxmint-17.3-cinnamon-32bit.iso                  30-Nov-2015 10:14      1G
linuxmint-17.3-cinnamon-64bit.iso                  28-Nov-2015 18:18      1G
linuxmint-17.3-cinnamon-nocodecs-32bit.iso         30-Nov-2015 21:06      1G
linuxmint-17.3-cinnamon-nocodecs-64bit.iso         30-Nov-2015 18:10      1G
linuxmint-17.3-cinnamon-oem-64bit.iso              01-Dec-2015 09:31      2G
linuxmint-17.3-kde-32bit.iso                       05-Jan-2016 22:57      2G
linuxmint-17.3-kde-64bit.iso                       05-Jan-2016 21:26      2G
linuxmint-17.3-mate-32bit.iso                      30-Nov-2015 10:31      1G
linuxmint-17.3-mate-64bit.iso                      28-Nov-2015 18:19      2G
linuxmint-17.3-mate-nocodecs-32bit.iso             01-Dec-2015 02:43      1G
linuxmint-17.3-mate-nocodecs-64bit.iso             01-Dec-2015 01:01      2G
linuxmint-17.3-mate-oem-64bit.iso                  01-Dec-2015 10:42      2G
linuxmint-17.3-xfce-32bit.iso                      05-Jan-2016 16:41      1G
linuxmint-17.3-xfce-64bit.iso                      05-Jan-2016 15:48      1G
md5sum.txt                                         06-Jan-2016 16:00     958
sha256sum.txt                                      06-Jan-2016 16:03    1406 <---
sha256sum.txt.gpg                                  06-Jan-2016 16:09     181

So some SHA256 checksums are available.
Now, try and find a working utility to do that :-)
I usually end up collecting source code for these
checksum programs, just because of the deficiencies
I find in some of them. One "suite" I downloaded,
it actually failed some test cases I ran against it,
which didn't exactly build my confidence in publicly
available code. Failing a test case isn't the worst
thing in the world, since it means the program isn't
going to be validating any downloads on you and effectively
claiming they are good downloads. It would basically
reject everything you'd downloaded.

And if you haven't "embraced the hex", it's 2016, say hello
to the hexadecimal number system :-)

Have fun,
    Paul
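
Added example, not part of Paul's post: a small POSIX shell check of one ISO against a `sha256sum.txt`-style list, which first runs the SHA-256 tool through a known-answer test, the kind of test case the post says one checksum suite failed. The function names and return codes are assumptions made for this illustration; it relies on the coreutils `sha256sum` command and on `awk`, `tr` and `grep`.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Known-answer test: SHA-256("abc") as published in FIPS 180-4.
# A tool that fails this must not be trusted to judge a download.
sha256_selftest() {
    kat=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
    out=$(printf 'abc' | sha256sum | awk '{print $1}')
    [ "$out" = "$kat" ]
}

# verify_iso LIST ISO
#   0 = digest matches the entry in LIST
#   1 = digest differs (discard the download)
#   2 = cannot decide: tool failed self-test, ISO not listed, or bad entry
# Assumes file names without spaces, as in the mirror listing.
verify_iso() {
    list=$1
    iso=$2
    sha256_selftest || return 2
    name=$(basename "$iso")
    # Lines look like "<64 hex>  <name>"; binary mode writes "*<name>".
    want=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f)
                               if (f == n) { print $1; exit } }' "$list" |
           tr 'A-F' 'a-f')
    # Refuse anything that is not exactly a 256-bit hex digest, so an
    # MD5 (32 hex) or SHA-1 (40 hex) list is never accepted by mistake.
    printf '%s\n' "$want" | grep -Eq '^[0-9a-f]{64}$' || return 2
    got=$(sha256sum "$iso" | awk '{print $1}')
    [ "$got" = "$want" ] || return 1
    return 0
}

# A match only ties the ISO to the list. The list itself has to be
# authenticated separately, e.g. via the sha256sum.txt.gpg signature
# file shown in the listing, checked against a key obtained elsewhere.
```

Typical use is `verify_iso sha256sum.txt linuxmint-17.3-cinnamon-64bit.iso; echo $?`, treating anything other than 0 as a reason to discard the image.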
