From: Paul
Newsgroups: alt.os.linux.mint,comp.os.linux.security
Subject: Re: 2/20/16 Linux Mint downloads compromised
Date: Sun, 21 Feb 2016 08:43:15 -0500
Organization: A noiseless patient Spider

bleak_fire_ wrote:
> http://blog.linuxmint.com/?p=2994
>
> Quotes:
>
> "Beware of hacked ISOs if you downloaded Linux Mint on February 20th!"

http://www.ghacks.net/2016/02/21/linux-mint-hacked-iso-images-compromised/

"If you run Linux, use the command md5sum nameofiso.iso, e.g.

   md5sum linuxmint-17.3-cinnamon-64bit.iso

The ISO image is clean if the signature matches one of those listed below..."

Well, don't do that. It takes 60 seconds on a Pentium 4 computer to "fix" an ISO so it has the correct MD5SUM. MD5 is compromised, and is no good for this purpose.

SHA1 is better than MD5, in that if a compromise exists, it can't be done on a P4 in 60 seconds.

This article reviews the usefulness of MD5.

https://en.wikipedia.org/wiki/Md5

SHA1 has a security rating of "yellow". MD5 has a security rating of "red". The change-over to SHA-2 (SHA256) for https certificates has a rating of "green".
If a mirror of the Mint site provides a SHA1 checksum file, that might be good enough for detecting script kiddie changes, but a nation state with a supercomputer might be able to fake a correct SHA1 as well.

https://en.wikipedia.org/wiki/Sha1

It might be better to just throw the ISO image away, and download again, when a safe source is known.

*******

http://mirror.csclub.uwaterloo.ca/linuxmint//stable/17.3/

linuxmint-17.3-cinnamon-32bit.iso            30-Nov-2015 10:14    1G
linuxmint-17.3-cinnamon-64bit.iso            28-Nov-2015 18:18    1G
linuxmint-17.3-cinnamon-nocodecs-32bit.iso   30-Nov-2015 21:06    1G
linuxmint-17.3-cinnamon-nocodecs-64bit.iso   30-Nov-2015 18:10    1G
linuxmint-17.3-cinnamon-oem-64bit.iso        01-Dec-2015 09:31    2G
linuxmint-17.3-kde-32bit.iso                 05-Jan-2016 22:57    2G
linuxmint-17.3-kde-64bit.iso                 05-Jan-2016 21:26    2G
linuxmint-17.3-mate-32bit.iso                30-Nov-2015 10:31    1G
linuxmint-17.3-mate-64bit.iso                28-Nov-2015 18:19    2G
linuxmint-17.3-mate-nocodecs-32bit.iso       01-Dec-2015 02:43    1G
linuxmint-17.3-mate-nocodecs-64bit.iso       01-Dec-2015 01:01    2G
linuxmint-17.3-mate-oem-64bit.iso            01-Dec-2015 10:42    2G
linuxmint-17.3-xfce-32bit.iso                05-Jan-2016 16:41    1G
linuxmint-17.3-xfce-64bit.iso                05-Jan-2016 15:48    1G
md5sum.txt                                   06-Jan-2016 16:00   958
sha256sum.txt                                06-Jan-2016 16:03  1406   <---
sha256sum.txt.gpg                            06-Jan-2016 16:09   181

So some SHA256 checksums are available. Now, try and find a working utility to do that :-)

I usually end up collecting source code for these checksum programs, just because of the deficiencies I find in some of them. One "suite" I downloaded actually failed some test cases I ran against it, which didn't exactly build my confidence in publicly available code. Failing a test case isn't the worst thing in the world, since it means the program isn't going to be validating any downloads on you and effectively claiming they are good downloads. It would basically reject everything you'd downloaded.
And if you haven't "embraced the hex", it's 2016, say hello to the hexadecimal number system :-)

Have fun,
    Paul
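Since the post complains about not finding a trustworthy checksum utility, here is an added example (not Paul's code, not anything from the Mint project) of a small verifier for files in the md5sum/sha256sum output format that the listed sha256sum.txt uses; it picks the algorithm from the digest length and, following the post's argument, refuses to vouch for MD5 or SHA1 entries. The sample "ISOs" and checksum list it builds are constructed inline for demonstration.

```python
import hashlib, hmac, os, re, tempfile

# hex digest length -> algorithm; sha256sum.txt lines carry 64 hex chars
ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}
WEAK = {"md5", "sha1"}          # do not treat a match as proof of integrity
# "<hex>  <name>" (text mode) or "<hex> *<name>" (binary mode)
LINE = re.compile(r"^([0-9a-fA-F]+) [ *](.+)$")

def file_digest(path, algo, chunk=1 << 20):
    """Hash a (possibly gigabyte-sized) file in chunks."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def parse_sums(text):
    """Parse checksum-list text into (algo, expected_hex, filename) tuples."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        m = LINE.match(raw)
        if not m or len(m.group(1)) not in ALGOS:
            raise ValueError(f"line {n}: not a checksum line: {raw!r}")
        entries.append((ALGOS[len(m.group(1))], m.group(1).lower(), m.group(2)))
    return entries

def verify(sums_text, directory):
    """Return {filename: 'OK' | 'FAILED' | 'MISSING' | 'WEAK:<algo>'}."""
    results = {}
    for algo, expected, name in parse_sums(sums_text):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        elif algo in WEAK:
            results[name] = f"WEAK:{algo}"   # a matching md5/sha1 proves little
        elif hmac.compare_digest(file_digest(path, algo), expected):
            results[name] = "OK"
        else:
            results[name] = "FAILED"
    return results

def demo():
    """Constructed sample: three tiny fake images plus a sums list covering four."""
    d = tempfile.mkdtemp()
    for name in ("good.iso", "bad.iso", "old.iso"):
        with open(os.path.join(d, name), "wb") as f:
            f.write(b"clean image\n")
    sums = (hashlib.sha256(b"clean image\n").hexdigest() + "  good.iso\n"
            + hashlib.sha256(b"tampered image\n").hexdigest() + " *bad.iso\n"
            + hashlib.sha256(b"clean image\n").hexdigest() + "  missing.iso\n"
            + hashlib.md5(b"clean image\n").hexdigest() + "  old.iso\n")
    return verify(sums, d)
```

The checksum list itself is only as trustworthy as where it came from; the mirror listing above shows a detached sha256sum.txt.gpg next to it, so checking that signature before running the comparison is the sensible order.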