Groups | Search | Server Info | Login | Register

Groups > alt.os.linux.mint > #19941

Re: 2/20/16 Linux Mint downloads compromised

From Richard Kettlewell <rjk@greenend.org.uk>
Newsgroups alt.os.linux.mint, comp.os.linux.security
Subject Re: 2/20/16 Linux Mint downloads compromised
Date 2016-02-21 16:06 +0000
Organization terraraq NNTP server
Message-ID <87vb5ikpz4.fsf@mantic.terraraq.uk> (permalink)
References <nnd$1d3e6689$238e4bd5@695a3fabb9aa8c3c> <naceo1$bl4$1@dont-email.me> <871t86ma3c.fsf@mantic.terraraq.uk> <nachtt$oai$1@dont-email.me>

Cross-posted to 2 groups.

Show all headers | View raw

Paul <nospam@needed.com> writes:
> Richard Kettlewell wrote:
>> Paul <nospam@needed.com> writes:
>>> http://www.ghacks.net/2016/02/21/linux-mint-hacked-iso-images-compromised/
>>>
>>>    "If you run Linux, use the command md5sum nameofiso.iso, e..g
>>>
>>>        md5sum linuxmint-17.3-cinnamon-64bit.iso
>>>
>>>     The ISO image is clean if the signature matches
>>>     one of those listed below..."
>>>
>>> Well, don't do that. It takes 60 seconds on a Pentium 4
>>> computer, to "fix" an ISO so it has the correct MD5SUM.
>>
>> Go on then, produce a second well-formed ISO image that hashes to
>> e71a2aad8b58605e906dbea444dc4983.
>>
>> Or if you’d prefer to work with a smaller first preimage:
>>
>>     $ cat /etc/motd
>>
>>     The programs included with the Debian GNU/Linux system are free software;
>>     the exact distribution terms for each program are described in the
>>     individual files in /usr/share/doc/*/copyright.
>>
>>     Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
>>     permitted by applicable law.
>>     $ md5sum /etc/motd
>>     9830e3dbb6a828f2cc824db8db0ceaf7  /etc/motd
>>
>> Clock’s ticking!
>>
>>> MD5 is compromised, and is no good for this purpose.
>>
>> MD5’s collision resistance is well known to be completely broken, but
>> this application does not depend on collision resistance.  
>>
>> It’s certainly somewhat disappointing to see it still used in 2016, but
>> that’s no excuse for spreading FUD.
>
> So you're saying, if I take the Mint ISO, modify it,
> then adjust a portion of the ISO that doesn't matter
> to the function of the installation or operation,
> so the MD5 is the same as the official release,
> it doesn't matter ?

No, I’m not saying that.

> Perhaps I misunderstand what a checksum is for ?

You’ve misunderstood what is wrong with MD5.

-- 
http://www.greenend.org.uk/rjk/

Back to alt.os.linux.mint | Previous | NextPrevious in thread | Next in thread | Find similar

Thread

2/20/16 Linux Mint downloads compromised bleak_fire_ <penachew@yomomma.hot.invalid> - 2016-02-21 05:48 +0100
  Re: 2/20/16 Linux Mint downloads compromised Johnny <johnny@invalid.net> - 2016-02-21 06:14 -0600
    Re: 2/20/16 Linux Mint downloads compromised Yrrah <Yrrah-aolm@aolm.invalid> - 2016-02-21 14:19 +0100
      Re: 2/20/16 Linux Mint downloads compromised Johnny <johnny@invalid.net> - 2016-02-21 10:22 -0600
        Re: 2/20/16 Linux Mint downloads compromised Yrrah <Yrrah-aolm@aolm.invalid> - 2016-02-21 17:44 +0100
          Re: 2/20/16 Linux Mint downloads compromised Caver1 <caver1@inthemud.org> - 2016-02-21 11:58 -0500
    Re: 2/20/16 Linux Mint downloads compromised stepore <linshine@here.now> - 2016-02-21 21:08 -0800
      Re: 2/20/16 Linux Mint downloads compromised Bud Frede <frede@mouse-potato.com> - 2016-02-22 06:46 -0500
        Re: 2/20/16 Linux Mint downloads compromised William Poaster <wp@dev.null> - 2016-02-22 12:47 +0000
  Re: 2/20/16 Linux Mint downloads compromised Paul <nospam@needed.com> - 2016-02-21 08:43 -0500
    Re: 2/20/16 Linux Mint downloads compromised Richard Kettlewell <rjk@greenend.org.uk> - 2016-02-21 14:06 +0000
      Re: 2/20/16 Linux Mint downloads compromised Paul <nospam@needed.com> - 2016-02-21 09:37 -0500
        Re: 2/20/16 Linux Mint downloads compromised Richard Kettlewell <rjk@greenend.org.uk> - 2016-02-21 16:06 +0000
  Re: 2/20/16 Linux Mint downloads compromised Yrrah <Yrrah-aolm@aolm.invalid> - 2016-02-21 17:40 +0100
  Re: 2/20/16 Linux Mint downloads compromised buzz^bomb <doodlebug@Peenemunde.net> - 2016-02-21 10:18 -0800
    Re: 2/20/16 Linux Mint downloads compromised Yrrah <Yrrah-aolm@aolm.invalid> - 2016-02-22 16:28 +0100
      Re: 2/20/16 Linux Mint downloads compromised stepore <linshine@here.now> - 2016-02-22 20:22 -0800
        Re: 2/20/16 Linux Mint downloads compromised Poutnik <poutnik4nntp@gmail.com> - 2016-02-23 07:56 +0100
        Re: 2/20/16 Linux Mint downloads compromised "Cybe R. Wizard" <cybe_r_wizard@WizardsTower.invalid> - 2016-02-23 05:24 -0600
        Re: 2/20/16 Linux Mint downloads compromised Marek Novotny <marek.novotny@marspolar.com> - 2016-02-23 07:43 -0800
          Re: 2/20/16 Linux Mint downloads compromised Yrrah <Yrrah-aolm@aolm.invalid> - 2016-02-23 18:53 +0100
            Re: 2/20/16 Linux Mint downloads compromised Marek Novotny <marek.novotny@marspolar.com> - 2016-02-23 09:56 -0800
              Re: 2/20/16 Linux Mint downloads compromised stepore <linshine@here.now> - 2016-02-23 20:30 -0800
            Re: 2/20/16 Linux Mint downloads compromised FredW <fredw@ninmule.invalid> - 2016-02-23 20:22 +0100
            Re: 2/20/16 Linux Mint downloads compromised stepore <linshine@here.now> - 2016-02-23 20:50 -0800
      Re: 2/20/16 Linux Mint downloads compromised buzz^bomb <doodlebug@Peenemunde.net> - 2016-02-24 21:04 -0800

csiph-web