Re: Warning Linux Mint Website Hacked and ISOs replaced with Backdoored Operating System
On Tue, Feb 23, 2016 at 12:02:50PM +0100, Thomas Schmitt wrote:
> Hi,
>
> Nicolas George wrote:
> > Of course, that does not mean MD5 and SHA-1 should be used nowadays. New
> > theoretical attacks are found, keeping using hashes with known weaknesses is
> > stupid.
>
> The ISO checksums are provided more for transport verification than
> for the fight against intentional mainpulation.
> Signing the hash lists by PGP still seems a bit weak as protection.
>
> But well, if Debian armors its ISOs, then it would have to scrutinize
> the source of its packages, too.
>
The reproducible builds work now going on will make this much easier.
Anybody should be able to reproduce _exactly_ what was generated, anywhere
and with a very high confidence in every stage.
This may not be immediately evident for the current release - though more
and more of it is becoming reproducible - but will be very evident for Stretch
- Debian 9 - when released as stable.
> Most important seems a permanent supervision of the web site content
> from not publicly known client machines. Hash sums may be manipulated.
> But the whole content of an ISO is either original or not. Easy to spot.
>
>
Not quite so obvious if the attacker(s) have had significant time to build
and modify individual packages and get the changes pushed in - but see above.
> Have a nice day :)
>
> Thomas
Likewise :)
AndyC
Reply to: