Please start using SHA-256 checksums
Page 1 of 2 [16 Posts]
pcalvert

Joined: 01 Mar 2013
Posts: 4

PostPosted: Tue 31 Oct 2017, 08:18    Post subject:  Please start using SHA-256 checksums
Subject description: MD5 is insecure
 

I just noticed that MD5 checksums are still being used for Puppy ISO files that are available for download. MD5 is now considered to be insecure. Please use SHA-256 instead. Thank you. Smile

Phil
Flash
Official Dog Handler


Joined: 04 May 2005
Posts: 12699
Location: Arizona USA

PostPosted: Tue 31 Oct 2017, 12:47    Post subject:  

I think most Puppies come with the ability to calculate MD5 checksums but not SHA-256 ones. Am I wrong?
belham2

Joined: 15 Aug 2016
Posts: 1281

PostPosted: Tue 31 Oct 2017, 13:22    Post subject: Re: Please start using SHA-256 checksums
Subject description: MD5 is insecure
 

pcalvert wrote:
I just noticed that MD5 checksums are still being used for Puppy ISO files that are available for download. MD5 is now considered to be insecure. Please use SHA-256 instead. Thank you. Smile

Phil



pcalvert,

I've written about this before, but I am always banging my head against the table because people do not understand what md5/sha sums do.

All md5/Sha1/256/512 and every other checksum out there ONLY provide a file integrity check. They have nothing to do with security. Do not confuse the two.

If you want security, then one of two (preferably both) things need to happen:

1) developers/maintainers start using gnupg, get themselves a gpg key, get it up in the key repos, and start making downloaders get used to gpg --verify checking if that checksum they used actually came from the developer/maintainer. This is common practice for nearly every Linux OS in existence on the web right now. In Puppyland, well, you just gotta still take everything on faith it is ok Rolling Eyes

2) the 2nd thing that needs to happen is https on the murga site itself: why we (the users) who continually ask about this (to Flash) and keep getting put off, as if John Murga will not respond about it, just makes a person shake their head to the point of inventing a new dance. Why does this keep occurring? I ask again: is John dad or something?? The fact that a move to https might even be covered thru us murga-goers & posters funding it, we still cannot even get an answer to that.

It's just damn laziness, and inertia, on Murga here. And it looks to stay that way until something real sh!tty happens and ISOs of one of the popular pups get hit, and downloaders, many downloaders, get screwed over royally over a period of months. Maybe then something will happen, or someone will get off their collective hands & start moving forward with what every website on the web is doing---going to https and forcing their site developers/maintainers to issue gpg keys for the checksums.

Until then, be forewarned: you are your own security apparatus when it comes to anything puppy. Do not ever confuse that with simple file download integrity.
dancytron

Joined: 18 Jul 2012
Posts: 934

PostPosted: Tue 31 Oct 2017, 15:26    Post subject:  

I mostly agree with belham.

The MD5/SHA's are to check the integrity of the download. That's all they are intended to do.

However, the security of this board doesn't affect the ISOs either. They are controlled by the security of the sites they are uploaded and downloaded from. If someone is going to tamper with an ISO, hacking this forum doesn't help them. They have to hack ibiblio and/or its mirrors (or github, dropbox or wherever else a particular ISO is stored).

Like with almost everything else related to computer security, the real vulnerability is social. If someone wants to put a tampered evil ISO into circulation, the most effective way would be to build one, put it on dropbox or wherever, and then post it to this forum and convince people to download it. There is no technical way to protect against that.
Galbi


Joined: 21 Sep 2011
Posts: 941
Location: Bs.As. - Argentina.

PostPosted: Tue 31 Oct 2017, 15:49    Post subject:  

If I understand it correctly, in this context, saying that MD5 sum is insecure means that someone can inject malicious code into any file in a Puppy Linux ISO, and then, by some method, force the infected ISO to report the same MD5 sum as the original.

Am I right?

If I'm right, is it worth the effort?

_________________
Remember: "pecunia pecuniam parere non potest"
Mike Walsh


Joined: 28 Jun 2014
Posts: 3131
Location: King's Lynn, UK.

PostPosted: Tue 31 Oct 2017, 15:54    Post subject:  

Y'know, belham, don't take this the wrong way, but.....why are you so obsessed with this? It's a computer operating system we're talking about here, and associated software. It's not the Crown Jewels, or the irreplaceable Seventh Wonder of the World, right?

Anyway, I wouldn't worry too much about the software. I don't think you have even the remotest glimmerings of just how far-spread Puppy's resources are. I can guarantee you that in the event of the server going down, there is so much Puppy-related stuff mirrored privately on individual cloud 'hosting' accounts (and sundry other locations, too!), that the whole operation would be up-and-running again in less than a month.

(Don't forget, too, there's the 'alternate' forum at puppylinux.info. I believe aarf set that up originally some years ago when there was a major problem at John's end.....and for a while, it was pretty busy, 'cos Puppians migrated across for the duration.

Aarf still maintains it to this day.)

No, Puppy don't keep all her bones in one kennel, old son. And you know darn well there's no central organisation controlling Puppy, as there is with Canonical and Ubuntu. Diverse, diluted control has its advantages sometimes.

And so what if the community was to suffer an attack of compromised hardware? What do most of us run? That's right; old 'crap' most other folks would turn their noses up at as not being fit for the scrapyard, even. How long's it gonna take to replace that old 'crap', and re-install Pup? Days, man; hours, even, for many of us. And for those running from a flash drive, only minutes....

Keep calm, and 'Carry on...' (as we Brits used to say during the dark days of the last World War..!) Very Happy


Mike. Wink

_________________
If I've helped you.....please say 'Thanks'!
MY PUPPY PACKAGES
--------------------------------------


Last edited by Mike Walsh on Wed 01 Nov 2017, 19:08; edited 7 times in total
dancytron

Joined: 18 Jul 2012
Posts: 934

PostPosted: Tue 31 Oct 2017, 15:59    Post subject:  

Galbi wrote:
If I understand it correctly, in this context, saying that MD5 sum is insecure means that someone can inject malicious code into any file in a Puppy Linux ISO, and then, by some method, force the infected ISO to report the same MD5 sum as the original.

Am I right?

If I'm right, is it worth the effort?


No, it can't do that. Even if it could, it couldn't do it without defeating the security on ibiblio or wherever else the ISO resides.
8Geee


Joined: 12 May 2008
Posts: 1252
Location: N.E. USA

PostPosted: Tue 31 Oct 2017, 16:38    Post subject:  

The only thing here of relevance is that the OP has a misunderstanding of a checksum. Any alterations to a file or iso, etc will cause the checksum to be different.

Thus if I upload an iso and publish an sha1 checksum, the download can be compared to the published sha1sum. If the two match, the download is OK, else toss and try again.

At best it's an implied security, but with merit. It does indicate the quality of the download connection.

Regards
8Geee

_________________
Linux user #498913
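
The comparison described in the post above (hash the download, compare it with the published value), written out as an added example that is not part of the original thread. The file name and contents are constructed for the demonstration, and the manifest uses the `sha256sum` output format:

```python
import hashlib
import hmac
import os
import tempfile

def sha256_file(path, chunk=1 << 20):
    """Stream the file so a multi-hundred-MB ISO never sits in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def parse_manifest(text):
    """Parse `sha256sum` output: '<64 hex>  <name>' or '<64 hex> *<name>'."""
    entries = {}
    for line in text.splitlines():
        digest, sep, name = line.strip().partition(" ")
        name = name.lstrip(" *")
        is_hex = len(digest) == 64 and all(c in "0123456789abcdefABCDEF" for c in digest)
        if sep and name and is_hex:
            entries[name] = digest.lower()
    return entries

def verify(path, manifest_text):
    """Return 'ok', 'mismatch', or 'unlisted' for the file at `path`."""
    expected = parse_manifest(manifest_text).get(os.path.basename(path))
    if expected is None:
        return "unlisted"          # never treat a missing entry as a pass
    actual = sha256_file(path)
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"

def demo():
    """Constructed sample: a stand-in 'ISO' and the manifest published for it."""
    with tempfile.TemporaryDirectory() as d:
        iso = os.path.join(d, "puppy-sample.iso")   # hypothetical file name
        with open(iso, "wb") as f:
            f.write(b"constructed sample image contents\n" * 1000)
        manifest = f"{sha256_file(iso)}  puppy-sample.iso\n"
        clean = verify(iso, manifest)
        with open(iso, "r+b") as f:                  # simulate one corrupted byte
            f.seek(100)
            f.write(b"X")
        damaged = verify(iso, manifest)
        other = verify(iso, "not a checksum line\n")
        return clean, damaged, other

if __name__ == "__main__":
    print(demo())
```

A match only shows that the file agrees with the manifest it was checked against; whether the manifest itself came from the maintainer is the separate question belham2 raises with `gpg --verify`.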
8Geee


Joined: 12 May 2008
Posts: 1252
Location: N.E. USA

PostPosted: Tue 31 Oct 2017, 16:40    Post subject:  

Flash wrote:
I think most Puppies come with the ability to calculate MD5 checksums but not SHA-256 ones. Am I wrong?


Separately...
Slacko5.7 can and does generate sha256sums. I have used it for U/L's of a browser.

Regards
8Geee

_________________
Linux user #498913
pcalvert

Joined: 01 Mar 2013
Posts: 4

PostPosted: Wed 01 Nov 2017, 11:45    Post subject:  

I remember reading a few years ago that MD5 is insecure. The person also claimed that an attacker could modify a file in such a way that the MD5 value would not change. Unfortunately, I did not save a link to it.

Apparently, that person was mistaken. Or maybe the scenario he was referring to is purely theoretical, and of no practical significance.

Phil
Flash
Official Dog Handler


Joined: 04 May 2005
Posts: 12699
Location: Arizona USA

PostPosted: Wed 01 Nov 2017, 15:37    Post subject:  

I believe a few different files were found that gave the same checksum. That's nothing at all like being able to modify a file at will and come up with the same checksum as the original file. In that sense, MD5 is still plenty secure.

If you must worry, then worry that someone could crack a download site (such as Ibiblio), replace files with modified files containing malware and change the associated checksums to match the modified files. It seems to me that would take a lot more ambition and/or ability than most people have who might want to do such a thing.
6502coder


Joined: 23 Mar 2009
Posts: 405
Location: Western United States

PostPosted: Wed 01 Nov 2017, 16:23    Post subject:  

A few references:

http://www.zdnet.com/article/researcher-generates-executable-md5-collisions-with-authenticode-signed-binary/

http://www.zdnet.com/article/md5-password-scrambler-no-longer-safe/

https://www.codeproject.com/Articles/11643/Exploiting-MD5-collisions-in-C
Flash
Official Dog Handler


Joined: 04 May 2005
Posts: 12699
Location: Arizona USA

PostPosted: Wed 01 Nov 2017, 21:54    Post subject:  

I stand corrected. Embarrassed

It does appear that an arbitrary file can be somehow appended to a good file without changing the MD5 checksum of the resulting composite file. Anyway that's the way I interpret that last article. But to be useful it would require either the download site be cracked in order to replace the good file with the modified one, or the modified file to be circulated on the Internet.
8Geee


Joined: 12 May 2008
Posts: 1252
Location: N.E. USA

PostPosted: Thu 02 Nov 2017, 05:40    Post subject:  

I also stand corrected. It appears that you can have two different files with same md5sum. Thus using md5 as a "file-checker" is a bad choice.

I do recall Google announcing a 128-bit (SHA-1) collision, so that is also going to be deprecated shortly.

The OP stands as correct, we should use SHA-256 as file-checker.

Regards
8Geee

_________________
Linux user #498913
6502coder


Joined: 23 Mar 2009
Posts: 405
Location: Western United States

PostPosted: Thu 02 Nov 2017, 19:14    Post subject:  

8Geee wrote:
I also stand corrected. It appears that you can have two different files with same md5sum. Thus using md5 as a "file-checker" is a bad choice.

The existence of collisions is not unique to MD5. ANY checksum/hash must have collisions. This has to be true because every checksum/hash has a finite length, and therefore can only take on finitely many distinct values. Whereas there are infinitely many possible files/strings as inputs. You can't uniquely map infinitely many values onto a finite number of values. Collisions are inevitable. The question is, how easy is it to exploit the collisions? The presumption is that it is harder with SHA256 than with MD5.
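
The pigeonhole argument in the post above can be made concrete with a shortened hash. This added example (not part of the original thread) truncates SHA-256 to 16, 24 and 32 bits, an assumption made so that collisions appear within seconds, and counts how many hashes a generic search needs at each size:

```python
import hashlib

def truncated_digest(data, bits):
    """First `bits` bits of SHA-256(data), as an integer (a toy short hash)."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)

def find_collision(bits):
    """Hash counter messages until two share a truncated digest.

    Returns (msg_a, msg_b, attempts). Pigeonhole guarantees success within
    2**bits + 1 attempts; the birthday bound makes ~2**(bits/2) typical.
    """
    seen = {}
    attempts = 0
    while True:
        msg = b"constructed-input-%d" % attempts
        attempts += 1
        tag = truncated_digest(msg, bits)
        if tag in seen:
            return seen[tag], msg, attempts
        seen[tag] = msg

def cost_table(sizes=(16, 24, 32)):
    """Attempts needed per digest size, next to the 2**(bits/2) estimate."""
    rows = []
    for bits in sizes:
        a, b, attempts = find_collision(bits)
        rows.append((bits, attempts, 2 ** (bits // 2), a, b))
    return rows

if __name__ == "__main__":
    for bits, attempts, estimate, a, b in cost_table():
        print(f"{bits:>3} bits: collision after {attempts} hashes "
              f"(birthday estimate ~{estimate}): {a!r} / {b!r}")
    # Scaling the same estimate: a 128-bit digest needs ~2**64 hashes and a
    # 256-bit digest ~2**128 for this generic search. Practical MD5 collisions
    # exploit weaknesses in MD5 itself and cost far less than 2**64.
```

Each extra 8 bits of digest multiplies the generic search cost by roughly 16, which is why digest length alone already separates the sizes discussed in the thread.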