Author Topic: Warning  (Read 3010 times)

Offline AndyInMokum

  • Global Moderator
  • Hero
  • *****
  • Posts: 4808
  • Karma: 1012
  • "Keep on Rockin' in the Free World"
  • Peppermint version(s): PM 9 & PM 8 Respin-2 (64-bit)
Re: Warning
« Reply #15 on: February 23, 2016, 07:24:58 pm »
I know it's a real pain in the backside for Clem and his team over at Mint at the moment.  Maybe we should also take note.  It appears that MD5 isn't as secure as it used to be.  In light of this unfortunate hack on Linux Mint, maybe Peppermint should consider using SHA256 for Peppermint Seven onwards  ;).
Backup! Backup! Backup! If you're missing any of these -  you ain't Backed Up!

Offline PCNetSpec

  • Administrator
  • Hero
  • *****
  • Posts: 25462
  • Karma: 2800
  • "-rw-rw-rw-" .. The Number Of The Beast
  • Peppermint version(s): Peppermint 8R, 9, and 9R
Re: Warning
« Reply #16 on: February 23, 2016, 08:29:29 pm »
md5 is fine .. the problem was that the hacker also changed the md5 that the Mint site was publishing .. so even if you checked it against the md5 published on the Mint site it would look fine.

it wasn't that he'd managed to change the ISO without changing the md5 hash .. just that he made the site serve the wrong md5
That's why the torrents were okay.

the hacker could have done the same with SHA256/SHA1024 or any other generated checksum .. if you're checking against a false sum, there ain't much you can do.
WARNING: You are logged into reality as 'root' .. logging in as 'insane' is the only safe option.

Team Peppermint
PCNetSpec
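
The point of the reply above, as an added example that is not part of the original posts: a checksum fetched from the same site as the download only detects corruption, whatever the algorithm, so the check below also requires agreement with a checksum obtained through a channel the site does not control. The ISO bytes, the `torrent` source name and all function names are constructed for illustration.

```python
import hashlib
import hmac

def digest(data: bytes, algo: str) -> str:
    """Hex digest of data under the named hashlib algorithm."""
    return hashlib.new(algo, data).hexdigest()

def matches(data: bytes, published_hex: str, algo: str) -> bool:
    # Constant-time comparison of the computed digest with a published one.
    return hmac.compare_digest(digest(data, algo), published_hex.strip().lower())

def verify_download(data, site_sum, independent_sums, algo="sha256"):
    """Return (ok, reason). independent_sums maps a source name to a checksum
    obtained through a channel the download site does not control (assumption)."""
    if not matches(data, site_sum, algo):
        return False, "differs from the site's checksum (corrupt or altered download)"
    if not independent_sums:
        return False, "matches the site only: integrity checked, origin not verified"
    bad = sorted(src for src, s in independent_sums.items()
                 if not matches(data, s, algo))
    if bad:
        return False, "disagrees with independent source(s): " + ", ".join(bad)
    return True, "matches the site and every independent source"

# Constructed sample data standing in for real ISO images.
GENUINE_ISO = b"constructed stand-in for the genuine ISO image"
MODIFIED_ISO = GENUINE_ISO + b" plus content added by whoever controls the site"

def demo():
    results = {}
    for algo in ("md5", "sha256"):
        # A compromised site serves the modified ISO and a checksum that fits it.
        site_sum = digest(MODIFIED_ISO, algo)
        # Checksum from a channel assumed to be unaffected by the compromise.
        elsewhere = {"torrent": digest(GENUINE_ISO, algo)}
        results[algo] = {
            "site_only": matches(MODIFIED_ISO, site_sum, algo),
            "with_independent": verify_download(
                MODIFIED_ISO, site_sum, elsewhere, algo)[0],
            "genuine": verify_download(
                GENUINE_ISO, digest(GENUINE_ISO, algo), elsewhere, algo)[0],
        }
    return results

if __name__ == "__main__":
    for algo, outcome in demo().items():
        print(algo, outcome)
```

The site-only check accepts the modified image under both MD5 and SHA-256; only the comparison against the independently obtained checksum rejects it.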

Offline perknh

  • Trusted User
  • Hero
  • *****
  • Posts: 3820
  • Karma: 299
  • Soy un huevo, nada más.
  • Peppermint version(s): Peppermint 10
Re: Warning
« Reply #17 on: February 24, 2016, 07:40:26 am »
I've never seen this happen before in the world of Linux.  This now means to me that the safest download method is to use BitTorrent.

I have a throttled high speed Internet service, which has made me reluctant to use BitTorrent on a regular basis.  It's not that I can't get the torrent (I can, and I have used BitTorrent several times before.), but it's that it is difficult for me to give back.  I've never been able to return the equivalent of one full torrent.  Unfortunately, in the world of torrents, people who do not give back are labeled as leeches.  ::)

But, this trickery with the MD5 checksum is making me think I should stop doing standard downloading.  :-\

We're all Peppermint users and that's what matters  ;).  -- AndyInMokum

Offline AndyInMokum

  • Global Moderator
  • Hero
  • *****
  • Posts: 4808
  • Karma: 1012
  • "Keep on Rockin' in the Free World"
  • Peppermint version(s): PM 9 & PM 8 Respin-2 (64-bit)
Re: Warning
« Reply #18 on: February 24, 2016, 08:22:30 am »
Quote from: perknh
I've never seen this happen before in the world of Linux.  This now means to me that the safest download method is to use BitTorrent.

I have a throttled high speed Internet service, which has made me reluctant to use BitTorrent on a regular basis.  It's not that I can't get the torrent (I can, and I have used BitTorrent several times before.), but it's that it is difficult for me to give back.  I've never been able to return the equivalent of one full torrent.  Unfortunately, in the world of torrents, people who do not give back are labeled as leeches.  ::)

But, this trickery with the MD5 checksum is making me think I should stop doing standard downloading.  :-\

Whenever possible, download using bit torrent.  It's much safer and in most cases, much quicker  ;).
Backup! Backup! Backup! If you're missing any of these -  you ain't Backed Up!

Offline rjm65

  • Veteran
  • ****
  • Posts: 1003
  • Karma: 300
  • I have Peppermint Fresh Breath. :P
  • Peppermint version(s): Win-98 /Win-7/ Peppermint 9
Re: Warning
« Reply #19 on: February 24, 2016, 09:25:29 am »
Quote from: AndyInMokum
Whenever possible, download using bit torrent.  It's much safer and in most cases, much quicker  ;).

You can say that again, I always download via torrents, I get the distros in minutes rather than hours...
However when I do download it, I make sure I run my torrent program every day for a few weeks, so I get my ratio back up again...
I think I maintain a 10 to 1 ratio at all times...  meaning I give back 10 gigs to downloading 1 gig...
Robert
Peppermint 9 User

Gateway Solo 9300 Pro
IBM T40

Offline GNULINUX

  • Trusted User
  • Member
  • *****
  • Posts: 987
  • Karma: 311
  • Peppermint version(s): Peppermint Six (x64)
Re: Warning
« Reply #20 on: February 24, 2016, 12:39:26 pm »
It seems that there's more bad news...

Linux Mint Forum Database Compromised for at Least a Month Before Announcement
Quote
From what the Linux Mint team has said until now, we understood that this was a recent event, but it turns out that it's not the case. It's impossible to say how long ago the forum database was stolen, but a month ago it was being offered for sale.
Peppermint 6  (x64)   -   Windows 7 Ultimate SP1  (x64)
Running different OS flavors in VirtualBox, just for fun!

Offline perknh

  • Trusted User
  • Hero
  • *****
  • Posts: 3820
  • Karma: 299
  • Soy un huevo, nada más.
  • Peppermint version(s): Peppermint 10
Re: Warning
« Reply #21 on: February 24, 2016, 03:26:14 pm »
So what is a person to do if he or she has already downloaded Linux Mint within this time period?  Reformat their disk slowly --with all zeros?  We do have a new member here in the Peppermint forum who may have been a victim of this.  I'd like to know how to advise him.

Quote from: rjm65
However when I do download it, I make sure I run my torrent program every day for a few weeks, so I get my ratio back up again...
I think I maintain a 10 to 1 ratio at all times...  meaning I give back 10 gigs to downloading 1 gig...

Thanks for giving back so much, rjm65.  I see now that that's how one should do it.  If I can even do 2 to 1, I'll be lucky.  I have a low level, DSL, high-speed Internet service, and it really isn't all that speedy at all.  In fact, on my computer, a torrent, or a standard download, takes about the same amount of time to download the ISO image.  But I'll start using BitTorrent again --especially since it is much safer.  If it takes weeks to give back, then that's how I'll do it.  I hope this process is automated though, and I hope it won't impact what my wife and I can do when using our mildly slow Internet service.  I'm a little nervous about that.

By the way, I've seen high-speed Internet in action.  I know one couple who has it, and it certainly is very impressive. :o
« Last Edit: February 24, 2016, 03:28:48 pm by perknh »
We're all Peppermint users and that's what matters  ;).  -- AndyInMokum

Offline murraymint

  • Trusted User
  • Veteran
  • *****
  • Posts: 1947
  • Karma: 335
  • soft boiled with a yolk of gold
  • Peppermint version(s): 7, 8, 9
Re: Warning
« Reply #22 on: February 24, 2016, 04:14:29 pm »
It's very commendable to want to seed torrents and build up a massive ratio. But unless it's something ultra-rare or you're a member of a private torrent site nobody cares if you leech the odd torrent. You don't have to seed if you've got limited bandwidth.

In theory, couldn't the hackers have put a link to a torrent of the fake Mint ISO? It depends where you're getting your links from either way.

Offline perknh

  • Trusted User
  • Hero
  • *****
  • Posts: 3820
  • Karma: 299
  • Soy un huevo, nada más.
  • Peppermint version(s): Peppermint 10
Re: Warning
« Reply #23 on: February 25, 2016, 03:12:27 pm »
Thank you, murraymint. ;)

Since some of us may have personally been, or know somebody who had personally been, involved with Linux Mint at the time of the hack on Linux Mint, here's how to see if you, or other Mint users, were compromised.  Also, you'll find some sound advice on what to do about it if your, or other Linux Mint accounts, were compromised:

THE LINUX MINT HACK AND WHAT TO DO ABOUT IT

by Rohan Kapur

https://rootatkali.wordpress.com/2016/02/22/the-linux-mint-hack-and-what-to-do-about-it/

I hope the above link helps relieve the anxiety some of us may still be experiencing from this recent occurrence.
« Last Edit: February 25, 2016, 03:16:45 pm by perknh »
We're all Peppermint users and that's what matters  ;).  -- AndyInMokum

Offline Alex

  • Jr. Member
  • **
  • Posts: 98
  • Karma: 8
Re: Warning
« Reply #24 on: May 06, 2016, 08:48:39 pm »
This is an old topic, ok.
Avast and Kaspersky helped the Linux Mint team when this event occurred.
Proprietary software helping free software.  :D
I'm a Linux Mint community member and I saw users' protests. Hard times for Clem, but I like his courage.
I promote proprietary/closed software to earn some money. I see both sides of the story.
Cheers.