| From | Paul <nospam@needed.com> |
|---|---|
| Newsgroups | alt.os.linux.mint, comp.os.linux.security |
| Subject | Re: 2/20/16 Linux Mint downloads compromised |
| Date | 2016-02-21 09:37 -0500 |
| Organization | A noiseless patient Spider |
| Message-ID | <nachtt$oai$1@dont-email.me> |
| References | <nnd$1d3e6689$238e4bd5@695a3fabb9aa8c3c> <naceo1$bl4$1@dont-email.me> <871t86ma3c.fsf@mantic.terraraq.uk> |
Cross-posted to 2 groups.
Richard Kettlewell wrote:
> Paul <nospam@needed.com> writes:
>> http://www.ghacks.net/2016/02/21/linux-mint-hacked-iso-images-compromised/
>>
>> "If you run Linux, use the command md5sum nameofiso.iso, e.g.
>>
>> md5sum linuxmint-17.3-cinnamon-64bit.iso
>>
>> The ISO image is clean if the signature matches
>> one of those listed below..."
>>
>> Well, don't do that. It takes 60 seconds on a Pentium 4
>> computer, to "fix" an ISO so it has the correct MD5SUM.
>
> Go on then, produce a second well-formed ISO image that hashes to
> e71a2aad8b58605e906dbea444dc4983.
>
> Or if you’d prefer to work with a smaller first preimage:
>
> $ cat /etc/motd
>
> The programs included with the Debian GNU/Linux system are free software;
> the exact distribution terms for each program are described in the
> individual files in /usr/share/doc/*/copyright.
>
> Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
> permitted by applicable law.
> $ md5sum /etc/motd
> 9830e3dbb6a828f2cc824db8db0ceaf7 /etc/motd
>
> Clock’s ticking!
>
>> MD5 is compromised, and is no good for this purpose.
>
> MD5’s collision resistance is well known to be completely broken, but
> this application does not depend on collision resistance.
>
> It’s certainly somewhat disappointing to see it still used in 2016, but
> that’s no excuse for spreading FUD.
>
So you're saying, if I take the Mint ISO, modify it,
then adjust a portion of the ISO that doesn't matter
to the function of the installation or operation,
so the MD5 is the same as the official release,
it doesn't matter?
Perhaps I misunderstand what a checksum is for?
Paul
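
The distinction argued over in this thread, finding any two inputs that collide versus matching the digest of one fixed, already-published input, shown as an added example that is not part of either poster's message. It truncates MD5 to 20 bits (an assumption, so both brute-force searches finish in seconds); the `free-`/`fixed-` message prefixes and the stand-in file contents are constructed.

```python
import hashlib

BITS = 20  # assumption: toy digest width so both searches finish in seconds

def tiny_md5(data: bytes, bits: int = BITS) -> int:
    """MD5 truncated to its top `bits` bits (a toy hash for illustration)."""
    return int.from_bytes(hashlib.md5(data).digest(), "big") >> (128 - bits)

def find_collision(bits: int = BITS):
    """Collision: the searcher chooses BOTH inputs; any equal pair counts."""
    seen = {}
    i = 0
    while True:
        msg = b"free-%d" % i
        h = tiny_md5(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1  # pigeonhole: at most 2**bits + 1 tries
        seen[h] = msg
        i += 1

def find_second_preimage(target: bytes, bits: int = BITS, limit: int = 1 << 26):
    """Second preimage: one input is FIXED (like a published ISO digest)."""
    want = tiny_md5(target, bits)
    for i in range(limit):
        msg = b"fixed-%d" % i
        if msg != target and tiny_md5(msg, bits) == want:
            return msg, i + 1
    return None, limit  # not found within the search budget

if __name__ == "__main__":
    # Constructed stand-in for the officially released file's contents.
    official = b"constructed stand-in for the official ISO contents"
    a, b, n_col = find_collision()
    m, n_pre = find_second_preimage(official)
    print(f"collision after {n_col} tries: {a!r} vs {b!r}")
    print(f"second preimage after {n_pre} tries: {m!r}")
    print(f"generic cost at {BITS} bits: ~2^{BITS // 2} vs ~2^{BITS}")
```

At the full 128-bit width the same generic costs are about 2^64 and 2^128 hash evaluations; the practical cryptanalytic attacks on MD5 are collision attacks.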