ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    My Journey to Becoming a Linux End User on Linux Mint

    Scheduled Pinned Locked Moved IT Discussion
    linuxlinux desktoplinux mint
    116 Posts 15 Posters 38.0k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • scottalanmillerS
      scottalanmiller
      last edited by

      yeah, not an OSS problem, people had the exactly same thing happen to closed source Apple apps. It's a universal problem

      1 Reply Last reply Reply Quote 0
      • scottalanmillerS
        scottalanmiller
        last edited by

        I did not install from ISO, so probably not impacted.

        1 Reply Last reply Reply Quote 0
        • BRRABillB
          BRRABill
          last edited by

          I guess I picked a bad time to try out Mint.

          1 Reply Last reply Reply Quote 0
          • BRRABillB
            BRRABill
            last edited by

            Actually, it appears it was just on the 20th, so it looks like I am OK.

            BRRABillB 1 Reply Last reply Reply Quote 1
            • BRRABillB
              BRRABill @BRRABill
              last edited by

              @BRRABill said:

              Actually, it appears it was just on the 20th, so it looks like I am OK.

              Or AM I????????????????????????????

              AmbarishrhA 1 Reply Last reply Reply Quote 1
              • AmbarishrhA
                Ambarishrh @BRRABill
                last edited by

                @BRRABill said:

                @BRRABill said:

                Actually, it appears it was just on the 20th, so it looks like I am OK.

                Or AM I????????????????????????????

                As per their post:

                How to check if your ISO is compromised?

                If you still have the ISO file, check its MD5 signature with the command “md5sum yourfile.iso” (where yourfile.iso is the name of the ISO).

                The valid signatures are below:

                6e7f7e03500747c6c3bfece2c9c8394f linuxmint-17.3-cinnamon-32bit.iso
                e71a2aad8b58605e906dbea444dc4983 linuxmint-17.3-cinnamon-64bit.iso
                30fef1aa1134c5f3778c77c4417f7238 linuxmint-17.3-cinnamon-nocodecs-32bit.iso
                3406350a87c201cdca0927b1bc7c2ccd linuxmint-17.3-cinnamon-nocodecs-64bit.iso
                df38af96e99726bb0a1ef3e5cd47563d linuxmint-17.3-cinnamon-oem-64bit.iso
                If you still have the burnt DVD or USB stick, boot a computer or a virtual machine offline (turn off your router if in doubt) with it and let it load the live session.

                Once in the live session, if there is a file in /var/lib/man.cy, then this is an infected ISO.

                BRRABillB 1 Reply Last reply Reply Quote 1
                • scottalanmillerS
                  scottalanmiller
                  last edited by

                  In a "do what I say, not what I do" mode, remember it is always good to do an MD5 check of your downloads. Protects against most cases of this kind of thing.

                  BRRABillB 1 Reply Last reply Reply Quote 1
                  • BRRABillB
                    BRRABill @scottalanmiller
                    last edited by

                    @scottalanmiller said:

                    In a "do what I say, not what I do" mode, remember it is always good to do an MD5 check of your downloads. Protects against most cases of this kind of thing.

                    They also hacked that on the website, didn't they?

                    DashrenderD 1 Reply Last reply Reply Quote 0
                    • BRRABillB
                      BRRABill @Ambarishrh
                      last edited by

                      @Ambarishrh

                      I don't have the ISO anymore. Plus, after weeks of learning about never feeling safe with malware here, not sure how anyone could feel 100% safe it was only on the 20th.

                      If you read further down in their comments, even they say there's no way of 100% knowing.

                      1 Reply Last reply Reply Quote 0
                      • DashrenderD
                        Dashrender @BRRABill
                        last edited by

                        @BRRABill said:

                        @scottalanmiller said:

                        In a "do what I say, not what I do" mode, remember it is always good to do an MD5 check of your downloads. Protects against most cases of this kind of thing.

                        They also hacked that on the website, didn't they?

                        They might have, can't recall the exact working, on the WordPress site (one more reason I'm scared to death of standing up a WP site). But there were many other sources of the MD5 hash on other pages that were unaffected. Granted that wouldn't help most - why would you ever go out of your way to verify the MD5 has to more than one site.

                        I saw a question - why not move to a signed ISO, you check the cert signature and you're golden - the Mint guys said they were looking into that.

                        BRRABillB 1 Reply Last reply Reply Quote 0
                        • BRRABillB
                          BRRABill @Dashrender
                          last edited by

                          @Dashrender said:

                          I saw a question - why not move to a signed ISO, you check the cert signature and you're golden - the Mint guys said they were looking into that.

                          From the comments on that page, it seems a lot of the stuff the Mint guys were doing were not 100% secure.

                          Hopefully they can learn from this and move on.

                          I said to @scottalanmiller it's almost ridiculous how you can't be secure anywhere.

                          DashrenderD 1 Reply Last reply Reply Quote 0
                          • DashrenderD
                            Dashrender @BRRABill
                            last edited by

                            @BRRABill said:

                            @Dashrender said:

                            I saw a question - why not move to a signed ISO, you check the cert signature and you're golden - the Mint guys said they were looking into that.

                            From the comments on that page, it seems a lot of the stuff the Mint guys were doing were not 100% secure.

                            Hopefully they can learn from this and move on.

                            I said to @scottalanmiller it's almost ridiculous how you can't be secure anywhere.

                            Does anyone sign their ISOs today?

                            JaredBuschJ 1 Reply Last reply Reply Quote 0
                            • JaredBuschJ
                              JaredBusch @Dashrender
                              last edited by JaredBusch

                              @Dashrender said:

                              @BRRABill said:

                              @Dashrender said:

                              I saw a question - why not move to a signed ISO, you check the cert signature and you're golden - the Mint guys said they were looking into that.

                              From the comments on that page, it seems a lot of the stuff the Mint guys were doing were not 100% secure.

                              Hopefully they can learn from this and move on.

                              I said to @scottalanmiller it's almost ridiculous how you can't be secure anywhere.

                              Does anyone sign their ISOs today?

                              Pretty much all places offer MD5 hashes.

                              But if I was trying to hijack a distro, I would post an updated hash too.

                              1 Reply Last reply Reply Quote 1
                              • BRRABillB
                                BRRABill
                                last edited by

                                Even the hacker agrees (from an article on ZDNET)...

                                The hacker then used their access to the site to change the legitimate checksum -- used to verify the integrity of a file -- on the download page with the checksum of the backdoored version.

                                "Who the f**k checks those anyway?" the hacker said.

                                stacksofplatesS DashrenderD 2 Replies Last reply Reply Quote 0
                                • stacksofplatesS
                                  stacksofplates @BRRABill
                                  last edited by stacksofplates

                                  @BRRABill said:

                                  Even the hacker agrees (from an article on ZDNET)...

                                  The hacker then used their access to the site to change the legitimate checksum -- used to verify the integrity of a file -- on the download page with the checksum of the backdoored version.

                                  "Who the f**k checks those anyway?" the hacker said.

                                  Maybe people who use Linux Mint don't, but people who install things regularly do. Figuring out your ISO doesn't work by trying to install and it failing is a waste of time.

                                  Plus it may install, but packages could be missing or other strange things.

                                  BRRABillB 1 Reply Last reply Reply Quote 0
                                  • BRRABillB
                                    BRRABill @stacksofplates
                                    last edited by

                                    @johnhooks

                                    No I meant that he changed the legitimate checksum.

                                    stacksofplatesS 1 Reply Last reply Reply Quote 0
                                    • stacksofplatesS
                                      stacksofplates @BRRABill
                                      last edited by

                                      @BRRABill said:

                                      @johnhooks

                                      No I meant that he changed the legitimate checksum.

                                      Right, but he asked who checks them anyway. I was answering that part.

                                      BRRABillB 1 Reply Last reply Reply Quote 0
                                      • BRRABillB
                                        BRRABill @stacksofplates
                                        last edited by

                                        @johnhooks

                                        Ah. Yeah, probably a small percentage.

                                        And if they can also be hacked, what's the difference really?

                                        stacksofplatesS 1 Reply Last reply Reply Quote 0
                                        • stacksofplatesS
                                          stacksofplates @BRRABill
                                          last edited by

                                          @BRRABill said:

                                          And if they can also be hacked, what's the difference really?

                                          At least you'll know it will install correctly 😛

                                          I pretty much download ISOs from torrents if it's possible. It's faster, and these kinds of things don't happen.

                                          BRRABillB 1 Reply Last reply Reply Quote 0
                                          • DashrenderD
                                            Dashrender @BRRABill
                                            last edited by

                                            @BRRABill said:

                                            Even the hacker agrees (from an article on ZDNET)...

                                            The hacker then used their access to the site to change the legitimate checksum -- used to verify the integrity of a file -- on the download page with the checksum of the backdoored version.

                                            "Who the f**k checks those anyway?" the hacker said.

                                            lol - even Scott said - do as I say, not as I do.. LOL

                                            1 Reply Last reply Reply Quote 0
                                            • 1
                                            • 2
                                            • 3
                                            • 4
                                            • 5
                                            • 6
                                            • 5 / 6
                                            • First post
                                              Last post