My Journey to Becoming a Linux End User on Linux Mint

Dashrender

@BRRABill said:

@scottalanmiller said:

In a "do what I say, not what I do" mode, remember it is always good to do an MD5 check of your downloads. Protects against most cases of this kind of thing.

They also hacked that on the website, didn't they?

They might have, can't recall the exact working, on the WordPress site (one more reason I'm scared to death of standing up a WP site). But there were many other sources of the MD5 hash on other pages that were unaffected. Granted that wouldn't help most - why would you ever go out of your way to verify the MD5 has to more than one site.

I saw a question - why not move to a signed ISO, you check the cert signature and you're golden - the Mint guys said they were looking into that.

BRRABill

@Dashrender said:

I saw a question - why not move to a signed ISO, you check the cert signature and you're golden - the Mint guys said they were looking into that.

From the comments on that page, it seems a lot of the stuff the Mint guys were doing were not 100% secure.

Hopefully they can learn from this and move on.

I said to @scottalanmiller it's almost ridiculous how you can't be secure anywhere.

Dashrender

@BRRABill said:

@Dashrender said:

I saw a question - why not move to a signed ISO, you check the cert signature and you're golden - the Mint guys said they were looking into that.

From the comments on that page, it seems a lot of the stuff the Mint guys were doing were not 100% secure.

Hopefully they can learn from this and move on.

I said to @scottalanmiller it's almost ridiculous how you can't be secure anywhere.

Does anyone sign their ISOs today?

JaredBusch

@Dashrender said:

@BRRABill said:

@Dashrender said:

I saw a question - why not move to a signed ISO, you check the cert signature and you're golden - the Mint guys said they were looking into that.

From the comments on that page, it seems a lot of the stuff the Mint guys were doing were not 100% secure.

Hopefully they can learn from this and move on.

I said to @scottalanmiller it's almost ridiculous how you can't be secure anywhere.

Does anyone sign their ISOs today?

Pretty much all places offer MD5 hashes.

But if I was trying to hijack a distro, I would post an updated hash too.

BRRABill

Even the hacker agrees (from an article on ZDNET)...

The hacker then used their access to the site to change the legitimate checksum -- used to verify the integrity of a file -- on the download page with the checksum of the backdoored version.

"Who the f**k checks those anyway?" the hacker said.

stacksofplates

@BRRABill said:

Even the hacker agrees (from an article on ZDNET)...

The hacker then used their access to the site to change the legitimate checksum -- used to verify the integrity of a file -- on the download page with the checksum of the backdoored version.

"Who the f**k checks those anyway?" the hacker said.

Maybe people who use Linux Mint don't, but people who install things regularly do. Figuring out your ISO doesn't work by trying to install and it failing is a waste of time.

Plus it may install, but packages could be missing or other strange things.

BRRABill

@johnhooks

No I meant that he changed the legitimate checksum.

stacksofplates

@BRRABill said:

@johnhooks

No I meant that he changed the legitimate checksum.

Right, but he asked who checks them anyway. I was answering that part.

BRRABill

@johnhooks

Ah. Yeah, probably a small percentage.

And if they can also be hacked, what's the difference really?

stacksofplates

@BRRABill said:

And if they can also be hacked, what's the difference really?

At least you'll know it will install correctly

I pretty much download ISOs from torrents if it's possible. It's faster, and these kinds of things don't happen.

Dashrender

@BRRABill said:

Even the hacker agrees (from an article on ZDNET)...

The hacker then used their access to the site to change the legitimate checksum -- used to verify the integrity of a file -- on the download page with the checksum of the backdoored version.

"Who the f**k checks those anyway?" the hacker said.

lol - even Scott said - do as I say, not as I do.. LOL

BRRABill

@johnhooks said:

I pretty much download ISOs from torrents if it's possible. It's faster, and these kinds of things don't happen.

You trust a torrent more than a site such as linuxmint?

Dashrender

@BRRABill said:

@johnhooks said:

I pretty much download ISOs from torrents if it's possible. It's faster, and these kinds of things don't happen.

You trust a torrent more than a site such as linuxmint?

Exactly - why would you trust a torrent more than a website download?

stacksofplates

The torrent file comes from the website, then it builds from the seeders.

Dashrender

@johnhooks said:

The torrent file comes from the website, then it builds from the seeders.

What prevents the hacker from seeding a bad torrent?

stacksofplates

@Dashrender said:

@johnhooks said:

The torrent file comes from the website, then it builds from the seeders.

What prevents the hacker from seeding a bad torrent?

They would be the only one seeding it.

Everything sent through a torrent is hashed, so they would somehow have to change everyone's copy of the ISO.

Dashrender

@johnhooks said:

@Dashrender said:

@johnhooks said:

The torrent file comes from the website, then it builds from the seeders.

What prevents the hacker from seeding a bad torrent?

They would be the only one seeding it.

Everything sent through a torrent is hashed, so they would somehow have to change everyone's copy of the ISO.

hack the page, call it a new version - seed the fake one to torrents - ok probably to many places to get caught.. but still possible.

stacksofplates

@Dashrender said:

@johnhooks said:

@Dashrender said:

@johnhooks said:

The torrent file comes from the website, then it builds from the seeders.

What prevents the hacker from seeding a bad torrent?

They would be the only one seeding it.

Everything sent through a torrent is hashed, so they would somehow have to change everyone's copy of the ISO.

hack the page, call it a new version - seed the fake one to torrents - ok probably to many places to get caught.. but still possible.

Right, it would take so long for that to happen that it would kind of be useless. If you change the direct download ISO then you've got everyone who downloaded it. However that's not the case with the torrents.

There is also no guarantee that anyone will seed from you either. You could sit there all day and maybe only a couple people seed a few parts from you.

scottalanmiller

@Dashrender said:

@johnhooks said:

The torrent file comes from the website, then it builds from the seeders.

What prevents the hacker from seeding a bad torrent?

MD5 Checksumming

Dashrender

@scottalanmiller said:

@Dashrender said:

@johnhooks said:

The torrent file comes from the website, then it builds from the seeders.

What prevents the hacker from seeding a bad torrent?

MD5 Checksumming

I meant doing their own seed, not trying to replace the real one.