Mint With Cinnamon

So a while back I heard that Linux Mint's site got hacked and the hackers pointed the download link from the site to a hacked version of the ISO. My question is, from this, if hackers were somehow able to hack an official version of the ISO (download available for everyone), would the Linux Mint developers be able to detect the threat and remove it?

I feel this would be more than easily possible to remove, but I figure I would check just to be sure.

Linux Mint is fine now; all that happened was a download link got changed.

Yup, if the sha- or md5sum of the ISO doesn't match what the devs release, then there's an issue.

Yes. I understand that.

That's not my question.

They could recompile from the secure source in the event of any hack.

Okay, I feel like it wouldn't even have to be the developers; even general users would be able to detect something like a hack because it's open source.

Of course. They could use SHA or MD5 so end users can verify the integrity of the download. If I'm not mistaken, the compromised files were found, and users were directed to the file location to delete them from their system.

As people said before, you could check the integrity of the download by checking the MD5 signature and know that the ISO is not the official one.

So yeah, if you are looking you can see immediately that something is not right. The issue is people are not always looking. Realistically, the site admins realized that the site was compromised and warned people before any user realized that the ISO was not the official one. The fake link was only live for like a day.

If you are asking about detecting the malware within the actual OS, well, that depends. Malware will always try to hide itself within the OS and not make its presence obvious unless it has a very obvious effect on the system. This particular one was only doing monitoring. The security guys think that this was just a dry run for the hackers to see how long it would take to be discovered. So this did not have much effect on the systems and you can easily miss it. The only straightforward way to detect it would be to constantly monitor your network traffic and spot the extra traffic that the malware creates.

I meant, like, if hackers would be able to hack an official ISO somehow. I'm not sure if what I'm saying even makes sense though; I don't understand the download signature stuff. This is the first time I've heard of something like this.

Not sure what you mean...

Do you mean if the hackers could actually hack the real ISO that exists on the Mint servers without changing any signatures and make it look exactly like the official one? I think theoretically it could be possible... But it might be too difficult to be worth even trying. Probably practically impossible, really.

(simple explanation)

OK, so the download signature is this thing called an MD5 hash sum. There are other types too, but most of the time you see MD5 or SHA1. What these things are, basically, is an answer to a mathematical equation that the contents of the file are used as a part of. The nature of this mathematical equation is such that if even a single bit is changed, the answer to the equation is vastly different. If hackers compromised the ISO in any way, the hash would be completely different. So yes, the developers would be able to detect it very simply.


Use SHA256. I think most distros have moved away from MD5 now, even Linux Mint.

Yeah or the ISO before it gets to the server.

And then your earlier post when you're talking about malware, you're talking about "live" malware right?

Yeah... That was what the hacked ISO had: malware that did some kind of real-time monitoring...

Just a side note: the md5/sha was posted on the same page, so the hackers (could have) replaced it with the checksum of the ISO they created.
The only way I see to protect against this would be to post the sum in a different place.
Although the number of people who even check it, and the subset of these who would bother looking for the sum wherever it was separately posted...

You can have it like Kali has theirs set up, where they authenticate it against one from the server, or while downloading the torrent it authenticates it.
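An added example, not from this thread or from Linux Mint, showing the two points made above in code: a single flipped bit in the image changes the SHA256 digest almost entirely (the "vastly different answer" from the simple explanation), and a checksum published on the same page as the download gives no protection once an attacker can replace both, while a second, independently published copy of the sum still catches the swap. The "ISO" is a constructed byte string standing in for a real image.

```python
import hashlib

# Constructed stand-in for an ISO image (4 KiB of deterministic bytes).
# A real image would be hashed by streaming it from disk in chunks.
FAKE_ISO = bytes(range(256)) * 16


def sha256_hex(data: bytes) -> str:
    """Digest of the whole download, in the form `sha256sum` prints."""
    return hashlib.sha256(data).hexdigest()


def flip_one_bit(data: bytes, byte_index: int, bit: int) -> bytes:
    """Return a copy of data with exactly one bit changed: minimal tampering."""
    out = bytearray(data)
    out[byte_index] ^= 1 << bit
    return bytes(out)


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Hamming distance between two hex digests (how many of 256 bits differ)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def verify_download(data: bytes, published_sums: dict[str, str]) -> bool:
    """Accept the file only if every listed source agrees with its digest.

    published_sums maps a source name (e.g. the download page, a mirror,
    a mailing-list announcement) to the digest that source publishes.
    """
    actual = sha256_hex(data)
    return all(actual == expected for expected in published_sums.values())


if __name__ == "__main__":
    genuine = sha256_hex(FAKE_ISO)
    tampered = flip_one_bit(FAKE_ISO, byte_index=100, bit=3)
    print("one flipped bit changes", differing_bits(genuine, sha256_hex(tampered)), "of 256 digest bits")
    # Attacker swapped both the ISO and the sum on the download page.
    same_page_only = {"download page": sha256_hex(tampered)}
    print("same-page sum only:", verify_download(tampered, same_page_only))  # True: swap goes unnoticed
    # A sum published somewhere the attacker did not control still catches it.
    with_mirror = {"download page": sha256_hex(tampered), "announcement": genuine}
    print("with out-of-band sum:", verify_download(tampered, with_mirror))  # False
```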