Re: you iso's may have been hacked

2016-08-10 Thread Thomas Schmitt
Hi,

Andrew F Comly wrote:
> Am I supposed to edit the script and put something in for magic=' '?

No. Magic is what an ISO 9660 should bear at byte offset 32768:
A byte with ASCII value 1 and five bytes saying "CD001":

  $ dd if=debian-8.4.0-amd64-netinst.iso bs=1 skip=32768 count=6 | od -c
  ...
  000 001   C   D   0   0   1

Your file yielded two blanks on this shell command

  dd if="/dev/sdb" bs=2048 skip=16 count=1 |
  dd bs=1 count=6 | od -x | head -1 | \
  awk '{print $2 " " $3 " " $4}'

Whereas an ISO is supposed to yield (on a little-endian machine):

  4301 3044 3130

I get two blanks as result when I apply the command to a file which does
not have 32768 bytes or to which I have no read permission.
Given the fact that you run cmp under sudo, I'd guess it is about read
permission.

In my experience, /dev/sr0 is readable for the desktop user. So one would
not experience this difficulty with optical media.


Have a nice day :)

Thomas



Re: you iso's may have been hacked

2016-08-10 Thread Steve McIntyre
Thomas Schmitt wrote:
>Steve McIntyre wrote:
>> It's also contained in the debian-role-keys keyring in the
>> debian-keyring package: [...]
>> and the full fingerprint is also on the Debian website using https for
>> people who would rather trust that.
>
>We users could easily be outsmarted in this aspect, I fear.
>It's hard to tell whom to trust and how to avoid being spoofed by others.
>
>In any case somebody with edit powers should replace in
>
>  https://www.debian.org/CD/faq/#verify
>
>"SHA1" and "MD5" by "SHA512".
>Just to make this aspect safe for the next few years ... hopefully.

Good point - I've just updated the FAQ to remove mentions of MD5 and
SHA1 and switch to SHA512 and SHA256 instead.

There's work ongoing on the new cleaner/clearer download page, and I'm
hoping to have that live soon-ish.

-- 
Steve McIntyre, Cambridge, UK.                                st...@einval.com
  Armed with "Valor": "Centurion" represents quality of Discipline,
  Honor, Integrity and Loyalty. Now you don't have to be a Caesar to
  concord the digital world while feeling safe and proud.



Re: you iso's may have been hacked

2016-08-10 Thread Thomas Schmitt
Hi,

Steve McIntyre wrote:
> It's also contained in the debian-role-keys keyring in the
> debian-keyring package: [...]
> and the full fingerprint is also on the Debian website using https for
> people who would rather trust that.

We users could easily be outsmarted in this aspect, I fear.
It's hard to tell whom to trust and how to avoid being spoofed by others.


In any case somebody with edit powers should replace in

  https://www.debian.org/CD/faq/#verify

"SHA1" and "MD5" by "SHA512".
Just to make this aspect safe for the next few years ... hopefully.


Have a nice day :)

Thomas



Re: you iso's may have been hacked

2016-08-10 Thread Steve McIntyre
Thomas Schmitt wrote:
>Hi,
>
>Andrew F Comly wrote:
>> gpg: WARNING: This key is not certified with a trusted signature!
>
>I wonder whom we could trust to certify the Debian gpg key ...

It's signed by a number of prominent DDs, including 2 DPLs and 2
Release Managers. Oh, and a number of idiots who don't understand GPG:
they have signed it and pushed signatures to the keyservers without
any fingerprint verification. :-(

It's also contained in the debian-role-keys keyring in the
debian-keyring package:

gpg --no-default-keyring -kvc --keyring 
/usr/share/keyrings/debian-role-keys.gpg DA87E80D6294BE9B
pub   4096R/DA87E80D6294BE9B 2011-01-05
  Key fingerprint = DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B
uid  Debian CD signing key 
sub   4096R/642A5AC311CD9819 2011-01-05

and the full fingerprint is also on the Debian website using https for
people who would rather trust that.

-- 
Steve McIntyre, Cambridge, UK.                                st...@einval.com
  Armed with "Valor": "Centurion" represents quality of Discipline,
  Honor, Integrity and Loyalty. Now you don't have to be a Caesar to
  concord the digital world while feeling safe and proud.



Re: you iso's may have been hacked

2016-08-10 Thread Pascal Hambourg

On 10/08/2016 at 08:36, Thomas Schmitt wrote:

> Andrew F Comly wrote:
>> Notice how the two sha512sum numbers (local vs burnt usb) don't match!

Of course: the image and the device do not have the same size.

> Determine the ISO size on /dev/sdb by program isosize and curb its reading
> by help of program dd, or try
>
>   wget https://people.debian.org/~danchev/debian-iso/check_debian_iso
>
>   ./check_debian_iso SHA512SUMS debian-8.5.0-i386-lxde-CD-1.iso /dev/sdb

Or use 'cmp' to compare the USB device contents with the image file.

cmp debian-8.5.0-i386-lxde-CD-1.iso /dev/sdb

If the comparison ends by reaching the end of the image file, there is
no difference.




Re: you iso's may have been hacked

2016-08-10 Thread Thomas Schmitt
Hi,

Andrew F Comly wrote:
> gpg: WARNING: This key is not certified with a trusted signature!

I wonder whom we could trust to certify the Debian gpg key ...


> Notice how the two sha512sum numbers (local vs burnt usb) don't match!

Determine the ISO size on /dev/sdb by program isosize and curb its reading
by help of program dd, or try

  wget https://people.debian.org/~danchev/debian-iso/check_debian_iso

  ./check_debian_iso SHA512SUMS debian-8.5.0-i386-lxde-CD-1.iso /dev/sdb


Have a nice day :)

Thomas



Re: you iso's may have been hacked

2016-08-10 Thread Thomas Schmitt
Hi,

Doug wrote:

> If the md5 sum doesn't agree with what's posted, it most likely means a
> glitch in the data transmission. Download it again.

Good advice.

One has to be aware that MD5 is not considered to be safe against malicious
manipulations but only for transport safety. If one has to fear attacks,
then file SHA512SUMS.sign and program gpg --verify should be used to verify
file SHA512SUMS. Program sha512sum should then be used to obtain the SHA512
of the ISO which hopefully matches the one that is listed in SHA512SUMS.


> You can only check the md5 sum on the download. Once you
> burn it to a CD or DVD, there's no telling what the md5 sum will be.

There is one shown in
  https://www.debian.org/CD/faq/#verify

  The "isosize" program can be used to find out the appropriate amount
  of bytes to be read from the optical media. It shows the "sector count"
  and the "sector size" from the optical media, where "" is the
  device file of the loaded optical media.
$ /sbin/isosize -x 
sector count: 25600, sector size: 2048
  Then "sector count" and "sector size" are passed to "dd" to read the
  appropriate amount of bytes from the optical media and the byte stream
  is then piped to the appropriate checksum tool (md5sum, sha1sum, etc).
$ dd if= count= bs= | sha1sum
  The computed checksum is to be compared against the corresponding
  checksum found in the appropriate checksum file (MD5SUMS, SHA1SUMS, etc).

  Alternatively, there is a useful helper script called check_debian_iso
https://people.debian.org/~danchev/debian-iso/check_debian_iso
  which can verify ISO image files and optical media, reading the
  appropriate amount of bytes from media then computing the checksum and
  comparing it against the checksum file.

  ISO image file verification.
  This will compare the checksum of the debian-6.0.3-amd64-netinst.iso
  image file against the corresponding checksum found in the MD5SUMS
  checksum file.
$ ./check_debian_iso MD5SUMS debian-6.0.3-amd64-netinst.iso

  Optical media verification.
  This will compare the checksum of the media accessible as /dev/dvd
  against the checksum of debian-6.0.3-amd64-DVD-1.iso as found in the
  MD5SUMS checksum file. Note that the ISO image file itself is not
  needed, its name is merely used to locate the corresponding checksum
  in the checksum file.
$ ./check_debian_iso MD5SUMS debian-6.0.3-amd64-DVD-1.iso /dev/dvd


The proposals work for USB stick /dev/sdb too.
(It is about time this all gets updated to advise the use of SHA512.)


Have a nice day :)

Thomas
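
The two checks discussed in this thread, the "\001CD001" magic at byte offset 32768 from Thomas's first reply and the FAQ's "read exactly the ISO's size from the medium, then hash" procedure, combined into one POSIX shell script. This is an added example written for this page, not the check_debian_iso script and not code from anyone in the thread; it takes the image size from the primary volume descriptor instead of calling isosize, and the SHA512SUMS file name and image name it is given are assumptions.

```shell
#!/bin/sh
# Added example (not the check_debian_iso script, not code from the thread).
# Reads the ISO 9660 primary volume descriptor at byte offset 32768, checks
# the "\001CD001" magic, derives the exact image size from the volume space
# size (PVD offset 80, 32-bit) and logical block size (offset 128, 16-bit),
# hashes only that many bytes of the device so trailing garbage is ignored,
# and compares the SHA512 with the entry for the image in a SHA512SUMS file.

# Little-endian unsigned integer from $3 bytes at offset $2 of file $1,
# assembled byte by byte so the host's endianness does not matter.
le_int() {
  od -An -t u1 -v -j "$2" -N "$3" "$1" |
    awk 'BEGIN { m = 1 } { for (i = 1; i <= NF; i++) { v += $i * m; m *= 256 } }
         END { print v + 0 }'
}

# Print the image size in bytes of the ISO on device or file $1; fail if the
# volume descriptor magic is missing (wrong offset, truncated file, no read
# permission: the cases that yield blanks in the thread's dd|od command).
iso_size_bytes() {
  magic=$(dd if="$1" bs=1 skip=32768 count=6 2>/dev/null | od -An -c | tr -d ' \n')
  [ "$magic" = "001CD001" ] || { echo "no ISO 9660 magic at offset 32768 in $1" >&2; return 1; }
  sectors=$(le_int "$1" $((32768 + 80)) 4)
  bs=$(le_int "$1" $((32768 + 128)) 2)
  echo $((sectors * bs))
}

# verify_media SHA512SUMS image-name device: hash exactly the image's size
# from the device and compare with the listed SHA512 for image-name.
# Returns 0 on match, 1 on mismatch or error.
verify_media() {
  size=$(iso_size_bytes "$3") || return 1
  expected=$(awk -v f="$2" '$2 == f || $2 == ("*" f) { print $1 }' "$1")
  [ -n "$expected" ] || { echo "$2 is not listed in $1" >&2; return 1; }
  actual=$(head -c "$size" "$3" | sha512sum | awk '{ print $1 }')
  if [ "$actual" = "$expected" ]; then
    echo "OK: first $size bytes of $3 match $2"
  else
    echo "MISMATCH: $3 differs from $2 within its $size bytes" >&2
    return 1
  fi
}
```

Called as `verify_media SHA512SUMS debian-8.5.0-i386-lxde-CD-1.iso /dev/sdb` it performs the same comparison the thread describes for check_debian_iso on a USB stick; verifying SHA512SUMS.sign with gpg beforehand is still a separate step.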



Re: you iso's may have been hacked

2016-08-09 Thread Doug


On 08/09/2016 08:37 PM, limpia wrote:
> On 2016-08-09 20:03, phil hall wrote:
>> I have just downloaded debian gnome 8.5.0; when complete I clicked
>> check MD5 sum and it listed a number that's not in your MD5sum document. I
>> have never checked an MD5sum, so don't know if this is a Mint bug or
>> you've been hacked
>
> On 2016-08-09 20:24, limpia wrote:
>> Thanks, but it would be a lot more help to know more details,
>> especially which mirror you used and what the URL was that you
>> downloaded it from. Was it an amd64 image or i386? Was it a "Live CD image",
>> "netinstall" or ?
>>
>> Thank you
>
> Additional note, I notice that here:
> https://www.debian.org/CD/faq/#verify
> it says: "The problem with the verification of written optical
> media is that some media types will possibly return more bytes than
> those found in the ISO image. This trailing garbage is impossible to
> avoid with CD written in TAO mode, incrementally recorded DVD-R[W],
> formatted DVD-RW, DVD+RW, BD-RE, and also with USB keys. Therefore, we
> need to read exactly the same number of sectors of data from the media
> as are found in the ISO image itself; reading any more bytes from the
> media will alter the checksum result."
>
> There are more details here: https://www.debian.org/CD/verify
> as well. Are you sure you are checking correctly?

Yes, of course. You can only check the md5 sum on the download. Once you
burn it to a CD or DVD, there's no telling what the md5 sum will be.



Re: you iso's may have been hacked

2016-08-09 Thread Doug


On 08/09/2016 08:03 PM, phil hall wrote:
> I have just downloaded debian gnome 8.5.0; when complete I clicked
> check MD5 sum and it listed a number that's not in your MD5sum document. I
> have never checked an MD5sum, so don't know if this is a Mint bug or
> you've been hacked


If the md5 sum doesn't agree with what's posted, it most likely means a 
glitch in the data transmission. Download it again.


--doug



Re: you iso's may have been hacked

2016-08-09 Thread limpia



On 2016-08-09 20:03, phil hall wrote:
> I have just downloaded debian gnome 8.5.0; when complete I clicked
> check MD5 sum and it listed a number that's not in your MD5sum document. I
> have never checked an MD5sum, so don't know if this is a Mint bug or
> you've been hacked

On 2016-08-09 20:24, limpia wrote:
> Thanks, but it would be a lot more help to know more details,
> especially which mirror you used and what the URL was that you
> downloaded it from. Was it an amd64 image or i386? Was it a "Live CD image",
> "netinstall" or ?
>
> Thank you

Additional note, I notice that here:
https://www.debian.org/CD/faq/#verify
it says: "The problem with the verification of written optical
media is that some media types will possibly return more bytes than
those found in the ISO image. This trailing garbage is impossible to
avoid with CD written in TAO mode, incrementally recorded DVD-R[W],
formatted DVD-RW, DVD+RW, BD-RE, and also with USB keys. Therefore, we
need to read exactly the same number of sectors of data from the media
as are found in the ISO image itself; reading any more bytes from the
media will alter the checksum result."

There are more details here: https://www.debian.org/CD/verify
as well. Are you sure you are checking correctly?



Re: you iso's may have been hacked

2016-08-09 Thread limpia

On 2016-08-09 20:03, phil hall wrote:
> I have just downloaded debian gnome 8.5.0; when complete I clicked
> check MD5 sum and it listed a number that's not in your MD5sum document. I
> have never checked an MD5sum, so don't know if this is a Mint bug or
> you've been hacked

Thanks, but it would be a lot more help to know more details,
especially which mirror you used and what the URL was that you
downloaded it from. Was it an amd64 image or i386? Was it a "Live CD image",
"netinstall" or ?

Thank you




you iso's may have been hacked

2016-08-09 Thread phil hall
I have just downloaded debian gnome 8.5.0; when complete I clicked check MD5
sum and it listed a number that's not in your MD5sum document. I have never
checked an MD5sum, so don't know if this is a Mint bug or you've been hacked