My Journey to Becoming a Linux End User on Linux Mint
-
@scottalanmiller as per the Linux Mint blog "As far as we know, the only compromised edition was Linux Mint 17.3 Cinnamon edition." You have this version rite?
-
Not good news for open source software.
-
@Breffni-Potter said:
Not good news for open source software.
Not really bad news for OSS in general. Highly embarrassing for Mint. (forking it up
) -
yeah, not an OSS problem, people had the exactly same thing happen to closed source Apple apps. It's a universal problem
-
I did not install from ISO, so probably not impacted.
-
I guess I picked a bad time to try out Mint.
-
Actually, it appears it was just on the 20th, so it looks like I am OK.
-
@BRRABill said:
Actually, it appears it was just on the 20th, so it looks like I am OK.
Or AM I????????????????????????????
-
@BRRABill said:
@BRRABill said:
Actually, it appears it was just on the 20th, so it looks like I am OK.
Or AM I????????????????????????????
As per their post:
How to check if your ISO is compromised?
If you still have the ISO file, check its MD5 signature with the command “md5sum yourfile.iso” (where yourfile.iso is the name of the ISO).
The valid signatures are below:
6e7f7e03500747c6c3bfece2c9c8394f linuxmint-17.3-cinnamon-32bit.iso
e71a2aad8b58605e906dbea444dc4983 linuxmint-17.3-cinnamon-64bit.iso
30fef1aa1134c5f3778c77c4417f7238 linuxmint-17.3-cinnamon-nocodecs-32bit.iso
3406350a87c201cdca0927b1bc7c2ccd linuxmint-17.3-cinnamon-nocodecs-64bit.iso
df38af96e99726bb0a1ef3e5cd47563d linuxmint-17.3-cinnamon-oem-64bit.iso
If you still have the burnt DVD or USB stick, boot a computer or a virtual machine offline (turn off your router if in doubt) with it and let it load the live session.Once in the live session, if there is a file in /var/lib/man.cy, then this is an infected ISO.
-
In a "do what I say, not what I do" mode, remember it is always good to do an MD5 check of your downloads. Protects against most cases of this kind of thing.
-
@scottalanmiller said:
In a "do what I say, not what I do" mode, remember it is always good to do an MD5 check of your downloads. Protects against most cases of this kind of thing.
They also hacked that on the website, didn't they?
-
I don't have the ISO anymore. Plus, after weeks of learning about never feeling safe with malware here, not sure how anyone could feel 100% safe it was only on the 20th.
If you read further down in their comments, even they say there's no way of 100% knowing.
-
@BRRABill said:
@scottalanmiller said:
In a "do what I say, not what I do" mode, remember it is always good to do an MD5 check of your downloads. Protects against most cases of this kind of thing.
They also hacked that on the website, didn't they?
They might have, can't recall the exact working, on the WordPress site (one more reason I'm scared to death of standing up a WP site). But there were many other sources of the MD5 hash on other pages that were unaffected. Granted that wouldn't help most - why would you ever go out of your way to verify the MD5 has to more than one site.
I saw a question - why not move to a signed ISO, you check the cert signature and you're golden - the Mint guys said they were looking into that.
-
@Dashrender said:
I saw a question - why not move to a signed ISO, you check the cert signature and you're golden - the Mint guys said they were looking into that.
From the comments on that page, it seems a lot of the stuff the Mint guys were doing were not 100% secure.
Hopefully they can learn from this and move on.
I said to @scottalanmiller it's almost ridiculous how you can't be secure anywhere.
-
@BRRABill said:
@Dashrender said:
I saw a question - why not move to a signed ISO, you check the cert signature and you're golden - the Mint guys said they were looking into that.
From the comments on that page, it seems a lot of the stuff the Mint guys were doing were not 100% secure.
Hopefully they can learn from this and move on.
I said to @scottalanmiller it's almost ridiculous how you can't be secure anywhere.
Does anyone sign their ISOs today?
-
@Dashrender said:
@BRRABill said:
@Dashrender said:
I saw a question - why not move to a signed ISO, you check the cert signature and you're golden - the Mint guys said they were looking into that.
From the comments on that page, it seems a lot of the stuff the Mint guys were doing were not 100% secure.
Hopefully they can learn from this and move on.
I said to @scottalanmiller it's almost ridiculous how you can't be secure anywhere.
Does anyone sign their ISOs today?
Pretty much all places offer MD5 hashes.
But if I was trying to hijack a distro, I would post an updated hash too.
-
Even the hacker agrees (from an article on ZDNET)...
The hacker then used their access to the site to change the legitimate checksum -- used to verify the integrity of a file -- on the download page with the checksum of the backdoored version.
"Who the f**k checks those anyway?" the hacker said.
-
@BRRABill said:
Even the hacker agrees (from an article on ZDNET)...
The hacker then used their access to the site to change the legitimate checksum -- used to verify the integrity of a file -- on the download page with the checksum of the backdoored version.
"Who the f**k checks those anyway?" the hacker said.
Maybe people who use Linux Mint don't, but people who install things regularly do. Figuring out your ISO doesn't work by trying to install and it failing is a waste of time.
Plus it may install, but packages could be missing or other strange things.
-
@johnhooks
No I meant that he changed the legitimate checksum.
-
@BRRABill said:
@johnhooks
No I meant that he changed the legitimate checksum.
Right, but he asked who checks them anyway. I was answering that part.
