[Discuss] Linux Mint backdoored

Deryk Barker (Honorary Colleague) dbarker at camosun.bc.ca
Mon Feb 22 11:54:29 PST 2016


You might think that, but either they didn't (I know) or they couldn't be bothered.

How do I know? Because I downloaded the ISO in November and the checksum on the download page matches.

deryk

-------
Deryk Barker, Faculty Emeritus
Computer Science Department
Camosun College, Victoria BC

________________________________________
From: Discuss [discuss-bounces at vlug.org] on behalf of Alan W. Irwin [irwin at beluga.phys.uvic.ca]
Sent: Sunday, February 21, 2016 10:06 PM
To: discuss at vlug.org
Subject: Re: [Discuss] Linux Mint backdoored

On 2016-02-21 17:19-0800 pw wrote:

> If they had access to the ISO wouldn't they also have access to the MD5?

Yeah, you can probably assume that.

The conclusions should be (a) for Linux Mint to create a
cryptographically signed MD5 or cryptographically signed ISO (they may
well have taken one of those measures already since most non-naive
Linux distros do one or the other), AND (b) for users to check such
cryptographic signatures as a matter of course.

It's that second part which is of most concern to me.  I have been
creating cryptographic signatures for release tarballs of PLplot for
years, but only a small fraction of users (e.g., 3 of 78 this week,
see <https://sourceforge.net/projects/plplot/files/plplot/5.11.1
Source/>) actually bother with checking that signature, and I suspect
that the PLplot experience with user indifference to security is
typical.

I cannot understand that indifference because to check an electronic
signature is incredibly easy.

By the way, if anyone still lurking on this list is not aware of how
to do that, here is an example. Suppose there is a file called
download.tar.gz and a separate signature file (typically very much
shorter) called download.tar.gz.asc.

Then download both files and run

gpg --verify download.tar.gz.asc

to verify every bit in the downloaded tarball file and also to give
you important unique identification information from the electronic
signature to help you decide whether it has been forged or not.

For example, if you have been using some Linux distro for years you
should keep track of the identification information (e.g., name,
e-mail, and unique identification numbers) associated with the
electronic signature they use to sign their isos. And if that
identification information changes without a bunch of publicity from
the distro, then it is time to become suspicious.

Alan
__________________________
Alan W. Irwin

Astronomical research affiliation with Department of Physics and Astronomy,
University of Victoria (astrowww.phys.uvic.ca).

Programming affiliations with the FreeEOS equation-of-state
implementation for stellar interiors (freeeos.sf.net); the Time
Ephemerides project (timeephem.sf.net); PLplot scientific plotting
software package (plplot.sf.net); the libLASi project
(unifont.org/lasi); the Loads of Linux Links project (loll.sf.net);
and the Linux Brochure Project (lbproject.sf.net).
__________________________

Linux-powered Science
__________________________

_______________________________________________
Discuss mailing list
Discuss at vlug.org
http://vlug.org/mailman/listinfo/discuss_vlug.org
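The check described in the quoted message, as an added example that is not part of the thread and not PLplot's or Linux Mint's own tooling: `gpg --verify` only says the signature matches some key in your keyring, so the script below also compares the signing key's fingerprint with one you recorded from earlier releases, which is the "identification information" point made above. It assumes GnuPG's documented `--status-fd` output (`GOODSIG`, `VALIDSIG`, `BADSIG`, `NO_PUBKEY` lines); the fingerprints, key IDs, user IDs and file names are constructed placeholders.

```python
"""Verify a detached GnuPG signature and pin the signing key.

Added example, not code from the VLUG thread. A "Good signature" from gpg
means the data matches *a* key; pinning the fingerprint is what catches a
release signed by a key you have never seen before.
"""
import subprocess
from typing import Iterable, Tuple

# Hypothetical pinned fingerprint: replace with the primary-key fingerprint
# recorded from the distro's (or project's) earlier releases / key page.
PINNED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"


def normalize_fpr(fpr: str) -> str:
    """Fingerprints are often shown with spaces; compare them canonically."""
    return fpr.replace(" ", "").upper()


def parse_gpg_status(lines: Iterable[str]) -> dict:
    """Reduce GnuPG --status-fd lines to the facts that matter for pinning."""
    result = {"good": False, "fingerprint": None, "primary": None, "problems": []}
    for raw in lines:
        line = raw.strip()
        if not line.startswith("[GNUPG:] "):
            continue  # human-readable output on the same fd is ignored
        fields = line.split()
        keyword = fields[1]
        if keyword == "GOODSIG":
            result["good"] = True
        elif keyword == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <exp-ts> <sigver> <reserved>
            #          <pkalgo> <hashalgo> <class> [<primary-key-fpr>]
            # Distros usually sign with a subkey, so the primary fingerprint
            # (last field, when present) is the one worth pinning.
            result["fingerprint"] = fields[2]
            result["primary"] = fields[11] if len(fields) > 11 else fields[2]
        elif keyword in ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG", "EXPSIG"):
            result["problems"].append(line)
    return result


def check_pinned(status_lines: Iterable[str], pinned_fpr: str = PINNED_FPR) -> Tuple[bool, str]:
    """Decide from gpg status output whether the signature is good AND from the pinned key."""
    st = parse_gpg_status(status_lines)
    if st["problems"]:
        return False, "gpg reported: " + "; ".join(st["problems"])
    if not st["good"] or st["fingerprint"] is None:
        return False, "no GOODSIG/VALIDSIG from gpg (signature missing or unreadable)"
    # Accept a pin on either the signing (sub)key or its primary key.
    seen = {normalize_fpr(st["fingerprint"]), normalize_fpr(st["primary"])}
    if normalize_fpr(pinned_fpr) not in seen:
        return False, f"signed by {st['primary']}, expected {pinned_fpr}: key changed, investigate"
    return True, f"good signature from pinned key {st['primary']}"


def verify_download(sig_path: str, data_path: str, pinned_fpr: str = PINNED_FPR) -> Tuple[bool, str]:
    """Run gpg non-interactively and apply check_pinned to its status output."""
    cmd = ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path]
    proc = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True)
    ok, why = check_pinned(proc.stdout.splitlines(), pinned_fpr)
    if ok and proc.returncode != 0:  # belt and braces: exit code must agree
        return False, f"gpg exited {proc.returncode} despite GOODSIG; treat as failure"
    return ok, why


# Constructed status output for the cases a practitioner must tell apart.
SAMPLE_GOOD_PINNED = [  # subkey signature whose primary key is the pinned one
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Distro Signing Key <releases@example.invalid>",
    "[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2016-02-20 1455926400 0 4 0 1 10 00 "
    "0123456789ABCDEF0123456789ABCDEF01234567",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
SAMPLE_GOOD_OTHER_KEY = [  # valid signature, but from a key you never pinned
    "[GNUPG:] GOODSIG 1122334455667788 Someone Else <other@example.invalid>",
    "[GNUPG:] VALIDSIG 1122334455667788112233445566778811223344 2016-02-20 1455926400 0 4 0 1 10 00 "
    "1122334455667788112233445566778811223344",
]
SAMPLE_BADSIG = ["[GNUPG:] BADSIG 89ABCDEF01234567 Example Distro Signing Key <releases@example.invalid>"]
SAMPLE_NO_PUBKEY = [
    "[GNUPG:] ERRSIG 89ABCDEF01234567 1 10 00 1455926400 9",
    "[GNUPG:] NO_PUBKEY 89ABCDEF01234567",
]

if __name__ == "__main__":
    for name, sample in [("pinned", SAMPLE_GOOD_PINNED), ("other key", SAMPLE_GOOD_OTHER_KEY),
                         ("bad sig", SAMPLE_BADSIG), ("no pubkey", SAMPLE_NO_PUBKEY)]:
        print(name, check_pinned(sample))
    # Real use: verify_download("download.tar.gz.asc", "download.tar.gz")
```

The pinned value is something you write down once (for example from `gpg --fingerprint` after importing the key from a source you trust) and keep across releases; the "other key" case is exactly the situation the message above warns about, a valid signature from an identity that changed without announcement.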
