Linux Mint hacked: Malware-infected ISOs linked from official site

Someone

SHA256 was provided

A file of SHA256 message digests for the ISOs was provided, and Lefebvre produced a GPG signature for that file. This has been the case since Linux Mint 17.0.

http://mirror.bytemark.co.uk/linuxmint/stable/17.3/

gpg: Signature made Wed 09 Dec 2015 16:09:06 GMT using DSA key ID 0FF405B2

gpg: Good signature from "Clement Lefebvre (Linux Mint Package Repository v1) <root@linuxmint.com>"

Primary key fingerprint: E1A3 8B8F 1446 75D0 60EA 666F 3EE6 7F3D 0FF4 05B2

Checking the authenticity of the ISOs could have been strongly emphasized on the Linux Mint website, but Linux Mint goes for ease of use, and checking GPG signatures isn’t ease of use. And this is unlikely to help someone downloading Linux Mint for the first time. If your website gets hacked, the hacker can probably remove or change the recommended verification steps.

Even the Tor Project says that the number of downloads of hash and signature files is a tiny fraction of the overall downloads for Tor Browser. If the users of Tor Browser don’t care, users of Linux Mint are going to care even less.
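Added example, not part of the original comment and not Linux Mint's own tooling: a Python sketch of the check the comment describes, which trusts the SHA256 file only if its GPG signature comes from a pinned fingerprint, so a replaced sums file signed with a different key fails. The function names, the detached-signature layout and the use of `gpg --status-fd` are assumptions of this example; the fingerprint is the one quoted in the comment.

```python
import hashlib
import subprocess

# Fingerprint quoted in the comment above. In practice, pin a copy obtained
# out of band, not one read from the server that also serves the ISO.
PINNED_FPR = "E1A38B8F144675D060EA666F3EE67F3D0FF405B2"


def signer_fingerprint(status_text):
    """Return the signer's fingerprint from gpg --status-fd output, or None."""
    for line in status_text.splitlines():
        parts = line.split()
        # VALIDSIG is emitted only for a cryptographically valid signature.
        if len(parts) >= 3 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            # Field 11 is the primary key fingerprint when gpg reports it;
            # field 2 is the key or subkey that made the signature.
            return (parts[11] if len(parts) >= 12 else parts[2]).upper()
    return None


def expected_digest(sums_text, iso_name):
    """Look up iso_name in sha256sum-format text ('<hex>  name' or '<hex> *name')."""
    for line in sums_text.splitlines():
        digest, _, name = line.strip().partition(" ")
        if len(digest) == 64 and name.lstrip(" *") == iso_name:
            return digest.lower()
    return None


def file_sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_iso(iso_path, iso_name, sums_path, sig_path, pinned=PINNED_FPR):
    """True only if the sums file is signed by the pinned key and the ISO matches it."""
    # Assumes a detached signature file next to the sums file.
    gpg = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, sums_path],
        capture_output=True, text=True)
    if gpg.returncode != 0 or signer_fingerprint(gpg.stdout) != pinned:
        return False
    with open(sums_path) as f:
        want = expected_digest(f.read(), iso_name)
    return want is not None and want == file_sha256(iso_path)
```

A "Good signature" line alone says only that some key in the local keyring signed the file; comparing the fingerprint against a pinned value is what ties the digests to the expected signer.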


Biting the hand that feeds IT © 1998–2020