The Mint 2016 hack?

Confused_nerd

Member
Credits
423
I was a reading a book, and it mentioned "the linux mint 2016 hack".
I looked it up and apparently some hackers put a backdoor to the system.
Does anyone know more about this?
I would also like to know how the sha256sums work(I verified mine before installing), cause like why couldn't the hackers just change that part too?
 


Nelson Muntz

Well-Known Member
Credits
4,438
I was a reading a book, and it mentioned "the linux mint 2016 hack".
I looked it up and apparently some hackers put a backdoor to the system.
Does anyone know more about this?
]



I would also like to know how the sha256sums work(I verified mine before installing), cause like why couldn't the hackers just change that part too?
Hopefully someone will be by to explain that.

I never check sha256sums and never had a problem.

A hacker with the right know how will be able to get around that check which is already been proven by the Linux Mint iso hack.

Just because you check the iso download with the sha256sum that doesn't mean the iso downloaded is free from bad guy stuff etc.
 

KGIII

Super Moderator
Staff member
Gold Supporter
Credits
13,056
Oh, yeah... Checksums are an immutable computation that expresses a file's traits. So, they're consistent across all computations with the same algorithm and changing the file even by a single bit would result in a different hash. If you use a torrent client to download the iso then it automatically verifies it for you. It's a 256 bit calculation and is absolutely 'secure enough'. You can't do things like reverse engineer the file with the hash, it doesn't work that way.
 

Nelson Muntz

Well-Known Member
Credits
4,438
I was under the impression the hackers loaded their own iso with the backdoor and their own sha256sum and removed the original iso and changed the sha256sum to match their hacked iso.

I may be wrong about that and if I am let me know and then I'll remove my posts or you can.
 

KGIII

Super Moderator
Staff member
Gold Supporter
Credits
13,056
My understanding is that they hadn't been able to change the checksum and that's how they were caught? I was also under the impression that they didn't compromise all the mirrors.

At least that's my memory of the event. It could easily be wrong.

LOL We have search engines. We could probably look this stuff up! Alas, I am lazy and Google is so very far away. I think I may sip some whiskey and get a little more lazy.
 

Nelson Muntz

Well-Known Member
Credits
4,438
Anyhow if my posts turn out to be wrong please remove them or let me know and I'll remove them.

Don't want to be posting and misinformation.
 

KGIII

Super Moderator
Staff member
Gold Supporter
Credits
13,056

Nelson Muntz

Well-Known Member
Credits
4,438
Oops, I missed the first link totally. Sorry Nelson!
@stan No apology is necessary. :)

We are here to answer questions when we can and offer help. :)

I could write a book on the things I've overlooked and just plain missed. :oops:

Hopefully the OP has gotten their question answered somewhat after all of our confusion.

@Confused_nerd Disregard what I said in my post #3 about the sha256sum go ahead and check it.

I don't because I'm impatient and have been fortunate and not have had any problems. My Apologies to you for making that statement.
 

Condobloke

Well-Known Member
Credits
9,262
You do that too ???!!!!
 

KGIII

Super Moderator
Staff member
Gold Supporter
Credits
13,056
You do that too ???!!!!
Do that too? Yes, and I pride myself on it!

Also, my wife is many, many years my junior and legitimately cute. She's indicating that it's time to put the whiskey away and go to bed. My foolish self is resisting this so that I can stay here and reply to this sorta stuff...

I need to get my priorities squared away!
 

stan

Well-Known Member
Credits
4,477
I would also like to know how the sha256sums work(I verified mine before installing), cause like why couldn't the hackers just change that part too?
If the hacker back then had been really good, he/she would have replaced the .iso file on the Mint server AND changed the md5sum and sha256sum values to match the hacked copy. So, they weren't that good, obviously. Not that time. Actually, the hacker did not even replace the .iso file on Mint's servers... they simply changed the link to a site they controlled where the hacked version was stored. The whole episode was pretty short lived because people are pretty attentive, usually.

Checking the md5sum or sha256sum verifies the integrity of the .iso file... that it wasn't corrupted during the download. It is only a partial validation of the authenticity of the file. After the hack, Linux Mint took an extra step to offer an encrypted key-based "signature" on the .iso file so you know that your download did indeed come from them, and not from a hacker. If you are paranoid about getting a hacked version of Mint, you should follow their instructions to verify the key signature (here).
 

wizardfromoz

Super Moderator
Staff member
Gold Supporter
Credits
13,648
After the hack,...
Afternoon, all.

Mint were also the first major player to introduce sha256 as their standard for distributing isos.

Currently, in a number of areas, sha512 is being used.

SHA is an acronym for Secure Hash Algorithm, and the SHA-2 "family" as it is known was developed by USA's NSA (National Security Agency) - be reassured, or not.

If you are paranoid about getting a hacked version...
I wouldn't say "paranoid" per se, my little green friend, as I have Mild Paranoia :) , perhaps "extremely security-conscious". That being said, I do not worry about checking the key signatures (and I have downloaded and installed probably 150 or so Linux Distros) unless I am suspicious by some evidence displayed that I need to follow up.

Instead, I use a 2-pronged approach with the shasums
  1. I verify the checksum during the download stage, using a browser addon called DownThemAll
  2. Following the download, if I have need to, before or after installation, I use a Utility called GTKHash, and you can read my article on it here https://www.linux.org/threads/gtkhash-–-hashing-out-the-basics.4430/
If I forget to do this, and I get as far as burning the iso to USB, with a view to install, and then think "Damn - I should check the iso", I can do it on the product on the USB stick, by using this article I wrote

https://linux.org/threads/hash-checking-rare-tips.13544/#post-45991

Cheers

Wizard
 
$100 Digital Ocean Credit
Get a free VM to test out Linux!

Staff online

Members online


Latest posts

Top