Re: you iso's may have been hacked
Hi,

Andrew F Comly wrote:
> Am I supposed to edit the script and put something in for magic=' '?

No. Magic is what an ISO 9660 should bear at byte offset 32768: a byte with ASCII value 1 and five bytes saying "CD001":

  $ dd if=debian-8.4.0-amd64-netinst.iso bs=1 skip=32768 count=6 | od -c
  ...
  000 001   C   D   0   0   1

Your file yielded two blanks on this shell command

  dd if="/dev/sdb" bs=2048 skip=16 count=1 | dd bs=1 count=6 | od -x | head -1 | \
    awk '{print $2 " " $3 " " $4}'

Whereas an ISO is supposed to yield (on little-endian machine):

  4301 3044 3130

I get two blanks as result when i apply the command to a file which does not have 32768 bytes or to which i have no read permission.

Given the fact that you run cmp under sudo, i'd guess it is about read permission. To my experience, /dev/sr0 is readable for the desktop user. So one would not experience this difficulty with optical media.

Have a nice day :)

Thomas
Re: you iso's may have been hacked
Thomas Schmitt wrote:
>Steve McIntyre wrote:
>> It's also contained in the debian-role-keys keyring in the
>> debian-keyring package: [...]
>> and the full fingerprint is also on the Debian website using https for
>> people who would rather trust that.
>
>We users could easily be outsmarted in this aspect, i fear.
>It's hard to tell whom to trust and how to avoid being spoofed by others.
>
>In any case somebody with edit powers should replace in
>
>  https://www.debian.org/CD/faq/#verify
>
>"SHA1" and "MD5" by "SHA512".
>Just to make this aspect safe for the next few years ... hopefully.

Good point - I've just updated the FAQ to remove mentions of MD5 and SHA1 and switch to SHA512 and SHA256 instead. There's work ongoing on the new cleaner/clearer download page, and I'm hoping to have that live soon-ish.

-- 
Steve McIntyre, Cambridge, UK.    st...@einval.com
Re: you iso's may have been hacked
Hi,

Steve McIntyre wrote:
> It's also contained in the debian-role-keys keyring in the
> debian-keyring package: [...]
> and the full fingerprint is also on the Debian website using https for
> people who would rather trust that.

We users could easily be outsmarted in this aspect, i fear. It's hard to tell whom to trust and how to avoid being spoofed by others.

In any case somebody with edit powers should replace in

  https://www.debian.org/CD/faq/#verify

"SHA1" and "MD5" by "SHA512". Just to make this aspect safe for the next few years ... hopefully.

Have a nice day :)

Thomas
Re: you iso's may have been hacked
Thomas Schmitt wrote:
>Hi,
>
>Andrew F Comly wrote:
>> gpg: WARNING: This key is not certified with a trusted signature!
>
>I wonder whom we could trust to certify the Debian gpg key ...

It's signed by a number of prominent DDs, including 2 DPLs and 2 Release Managers. Oh, and a number of idiots who don't understand GPG: they have signed it and pushed signatures to the keyservers without any fingerprint verification. :-(

It's also contained in the debian-role-keys keyring in the debian-keyring package:

  gpg --no-default-keyring -kvc --keyring /usr/share/keyrings/debian-role-keys.gpg DA87E80D6294BE9B
  pub   4096R/DA87E80D6294BE9B 2011-01-05
        Key fingerprint = DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B
  uid                  Debian CD signing key
  sub   4096R/642A5AC311CD9819 2011-01-05

and the full fingerprint is also on the Debian website using https for people who would rather trust that.

-- 
Steve McIntyre, Cambridge, UK.    st...@einval.com
Re: you iso's may have been hacked
On 10/08/2016 at 08:36, Thomas Schmitt wrote:
> Andrew F Comly wrote:
>> Notice how the two sha512sum numbers (local vs burnt usb) don't match!

Of course: the image and the device do not have the same size.

> Determine the ISO size on /dev/sdb by program isosize and curb its reading by help of program dd, or try
>
>   wget https://people.debian.org/~danchev/debian-iso/check_debian_iso
>   ./check_debian_iso SHA512SUMS debian-8.5.0-i386-lxde-CD-1.iso /dev/sdb

Or use 'cmp' to compare the USB device contents with the image file.

  cmp debian-8.5.0-i386-lxde-CD-1.iso /dev/sdb

If the comparison ends by reaching the end of the image file, there is no difference.
Re: you iso's may have been hacked
Hi,

Andrew F Comly wrote:
> gpg: WARNING: This key is not certified with a trusted signature!

I wonder whom we could trust to certify the Debian gpg key ...

> Notice how the two sha512sum numbers (local vs burnt usb) don't match!

Determine the ISO size on /dev/sdb by program isosize and curb its reading by help of program dd, or try

  wget https://people.debian.org/~danchev/debian-iso/check_debian_iso
  ./check_debian_iso SHA512SUMS debian-8.5.0-i386-lxde-CD-1.iso /dev/sdb

Have a nice day :)

Thomas
Re: you iso's may have been hacked
Hi,

Doug wrote:
> If the md5 sum doesn't agree with what's posted, it most likely means a
> glitch in the data transmission. Download it again.

Good advice. One has to be aware that MD5 is not considered to be safe against malicious manipulations but only for transport safety.

If one has to fear attacks, then file SHA512SUMS.sign and program gpg --verify should be used to verify file SHA512SUMS. Program sha512sum should then be used to obtain the SHA512 of the ISO which hopefully matches the one that is listed in SHA512SUMS.

> You can only check the md5 sum on the download. Once you
> burn it to a CD or DVD, there's no telling what the md5 sum will be.

There is one shown in https://www.debian.org/CD/faq/#verify

  The "isosize" program can be used to find out the appropriate amount of bytes to be read from the optical media. It shows the "sector count" and the "sector size" from the optical media, where "<device>" is the device file of the loaded optical media.

    $ /sbin/isosize -x <device>
    sector count: 25600, sector size: 2048

  Then "sector count" and "sector size" are passed to "dd" to read the appropriate amount of bytes from the optical media and the byte stream is then piped to the appropriate checksum tool (md5sum, sha1sum, etc).

    $ dd if=<device> count=<sector count> bs=<sector size> | sha1sum

  The computed checksum is to be compared against the corresponding checksum found in the appropriate checksum file (MD5SUMS, SHA1SUMS, etc).

  Alternatively, there is a useful helper script called check_debian_iso

    https://people.debian.org/~danchev/debian-iso/check_debian_iso

  which can verify ISO image files and optical media, reading the appropriate amount of bytes from media then computing the checksum and comparing it against the checksum file.

  ISO image file verification. This will compare the checksum of the debian-6.0.3-amd64-netinst.iso image file against the corresponding checksum found in the MD5SUMS checksum file.

    $ ./check_debian_iso MD5SUMS debian-6.0.3-amd64-netinst.iso

  Optical media verification. This will compare the checksum of the media accessible as /dev/dvd against the checksum of debian-6.0.3-amd64-DVD-1.iso as found in the MD5SUMS checksum file. Note that the ISO image file itself is not needed, its name is merely used to locate the corresponding checksum in the checksum file.

    $ ./check_debian_iso MD5SUMS debian-6.0.3-amd64-DVD-1.iso /dev/dvd

The proposals work for USB stick /dev/sdb too.

(It is about time this all gets updated to advise the use of SHA512.)

Have a nice day :)

Thomas
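The isosize/dd/checksum procedure quoted above, combined with the "CD001 at byte 32768" magic check given in another reply in this thread, as an added example that is not code from the thread, from check_debian_iso or from Debian: instead of calling isosize, the script reads sector count and sector size from the primary volume descriptor itself, hashes exactly that many bytes from the medium, and compares against the SHA512SUMS entry for the image name. The "stick" is a constructed regular file (a toy 20-sector image plus trailing garbage) standing in for /dev/sdb, and all function names are my own.

```shell
# Added example, not code from this thread, check_debian_iso or Debian:
# verify a written medium the way isosize + dd + sha512sum do, reading only
# the ISO's own byte count so trailing bytes on a USB stick or TAO CD do not
# alter the checksum. The "device" here is a constructed regular file.
set -eu
# Little-endian integer of width $3 at byte offset $2 inside the primary
# volume descriptor (sector 16 = byte 32768) of file or device $1.
pvd_le() {
    f=$1; off=$2; n=$3; v=0; sh=0
    for b in $(od -A n -t u1 -j $((32768 + off)) -N "$n" "$f"); do
        v=$(( v + (b << sh) )); sh=$(( sh + 8 ))
    done
    echo "$v"
}
# ISO 9660 magic: byte 0x01 followed by "CD001" at offset 32768.
iso_magic_ok() {
    [ "$(od -A n -t c -j 32768 -N 6 "$1" 2>/dev/null | tr -d ' ')" = "001CD001" ]
}
# What "isosize -x" reports: sector count (PVD offset 80), sector size (128).
iso_sectors()     { pvd_le "$1" 80 4; }
iso_sector_size() { pvd_le "$1" 128 2; }
iso_size_bytes()  { echo $(( $(iso_sectors "$1") * $(iso_sector_size "$1") )); }
# Like check_debian_iso: $1 = SHA512SUMS file, $2 = image name, $3 = device.
verify_medium() {
    iso_magic_ok "$3" || { echo "$3: no ISO 9660 magic" >&2; return 1; }
    got=$(dd if="$3" bs="$(iso_sector_size "$3")" count="$(iso_sectors "$3")" \
            2>/dev/null | sha512sum | cut -d' ' -f1)
    want=$(awk -v n="$2" '$2 == n { print $1 }' "$1")
    [ -n "$want" ] && [ "$got" = "$want" ]
}
# Constructed sample: a 20-sector toy ISO with a minimal PVD, a "stick" that
# returns the image plus trailing garbage, and a SHA512SUMS entry for it.
poke() { printf "$2" | dd of="$1" bs=1 seek="$3" conv=notrunc 2>/dev/null; }
make_sample() {  # $1 = scratch directory
    dd if=/dev/zero of="$1/toy.iso" bs=2048 count=20 2>/dev/null
    poke "$1/toy.iso" '\001CD001\001' 32768       # type 1, "CD001", version 1
    poke "$1/toy.iso" '\024' $((32768 + 80))      # volume space size LE = 20
    poke "$1/toy.iso" '\024' $((32768 + 87))      # ... and its big-endian copy
    poke "$1/toy.iso" '\010\010' $((32768 + 129)) # logical block size 2048 LE+BE
    { cat "$1/toy.iso"; printf 'trailing-garbage'; } > "$1/stick.img"
    printf '%s  toy.iso\n' "$(sha512sum < "$1/toy.iso" | cut -d' ' -f1)" > "$1/SHA512SUMS"
}
dir=$(mktemp -d); make_sample "$dir"
verify_medium "$dir/SHA512SUMS" toy.iso "$dir/stick.img" && echo "stick.img matches toy.iso"
sha512sum "$dir/stick.img"   # hashing the whole stick differs: the thread's mismatch
```

On a real stick, replace the constructed file with /dev/sdb (readable by the user, as the thread notes) and use the SHA512SUMS file that gpg --verify has already checked against SHA512SUMS.sign.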
Re: you iso's may have been hacked
On 08/09/2016 08:37 PM, limpia wrote:
> On 2016-08-09 20:03, phil hall wrote:
>> I have just downloaded Debian GNOME 8.5.0. When complete I clicked check MD5 sum; it listed a number that's not in your MD5sum document. I have never checked an MD5sum, so don't know if this is a Mint bug or you've been hacked.
>
> On 2016-08-09 20:24, limpia wrote:
>> Thanks, but it would be a lot more help to know more details. Especially which mirror you used, what was the URL where you downloaded it from? Was it an amd64 image or i386? Was it a "Live CD image", "netinstall" or ?
>> Thank you
>
> Additional note, I notice that here: https://www.debian.org/CD/faq/#verify
> It says :===
> "The problem with the verification of written optical media is that some media types will possibly return more bytes than those found in the ISO image. This trailing garbage is impossible to avoid with CD written in TAO mode, incrementally recorded DVD-R[W], formatted DVD-RW, DVD+RW, BD-RE, and also with USB keys. Therefore, we need to read exactly the same number of sectors of data from the media as are found in the ISO image itself; reading any more bytes from the media will alter the checksum result."
>
> There are more details here: https://www.debian.org/CD/verify as well.
>
> Are you sure you are checking correctly?

Yes, of course. You can only check the md5 sum on the download. Once you burn it to a CD or DVD, there's no telling what the md5 sum will be.
Re: you iso's may have been hacked
On 08/09/2016 08:03 PM, phil hall wrote:
> I have just downloaded Debian GNOME 8.5.0. When complete I clicked check MD5 sum; it listed a number that's not in your MD5sum document. I have never checked an MD5sum, so don't know if this is a Mint bug or you've been hacked.

If the md5 sum doesn't agree with what's posted, it most likely means a glitch in the data transmission. Download it again.

--doug
Re: you iso's may have been hacked
On 2016-08-09 20:03, phil hall wrote:
> I have just downloaded Debian GNOME 8.5.0. When complete I clicked check MD5 sum; it listed a number that's not in your MD5sum document. I have never checked an MD5sum, so don't know if this is a Mint bug or you've been hacked.

On 2016-08-09 20:24, limpia wrote:
> Thanks, but it would be a lot more help to know more details. Especially which mirror you used, what was the URL where you downloaded it from? Was it an amd64 image or i386? Was it a "Live CD image", "netinstall" or ?
> Thank you

Additional note, I notice that here: https://www.debian.org/CD/faq/#verify

It says :===
"The problem with the verification of written optical media is that some media types will possibly return more bytes than those found in the ISO image. This trailing garbage is impossible to avoid with CD written in TAO mode, incrementally recorded DVD-R[W], formatted DVD-RW, DVD+RW, BD-RE, and also with USB keys. Therefore, we need to read exactly the same number of sectors of data from the media as are found in the ISO image itself; reading any more bytes from the media will alter the checksum result."

There are more details here: https://www.debian.org/CD/verify as well.

Are you sure you are checking correctly?
Re: you iso's may have been hacked
On 2016-08-09 20:03, phil hall wrote:
> I have just downloaded Debian GNOME 8.5.0. When complete I clicked check MD5 sum; it listed a number that's not in your MD5sum document. I have never checked an MD5sum, so don't know if this is a Mint bug or you've been hacked.

Thanks, but it would be a lot more help to know more details. Especially which mirror you used, what was the URL where you downloaded it from? Was it an amd64 image or i386? Was it a "Live CD image", "netinstall" or ?

Thank you
you iso's may have been hacked
I have just downloaded Debian GNOME 8.5.0. When complete I clicked check MD5 sum; it listed a number that's not in your MD5sum document. I have never checked an MD5sum, so don't know if this is a Mint bug or you've been hacked.