Verify Your Downloaded ISO Images Before Burning Them

FAIL (the browser should render some flash content, not this).


Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

md5?? ahh.

Spuffler's picture

Really, there is a RECENT article telling us to verify our lengthy downloads? Wow.

Here, kiddie, I have a tip for you.

I remember posting on some old "Linux-ISO" website, long since deceased, about how they were serving a Mandrake ISO (see? I told you it was an old website) which burned CDs that refused to boot. Refused to boot for everybody. Back when a hotrod 16x cdburner could, in a good afternoon, convert a spindle of blanks into coasters. Collectively on that day, many spindles of CDRs died for no reason.

Bittorrent was, IIRC, not yet out or maybe just not yet popular, so some membership based websites were serving 'new releases' to help members get access to the ISO without needing members to be up at 3am, wait in an FTP queue, etc., etc. for a direct connection.

Although my download from that membership site had the same MD5 as the MD5 the member site posted for that ISO, I had burned it 4 times with no success... people in the forum were also getting a lot of coasters.

I decided to see if Mandrake had a differently named ISO for that MD5, and maybe the membership ISO happened to not match what Mandrake had released or whatever. Hmm. Mandrake shows no ISO with that checksum. Not the same as Mandrake? What have I been served?

Turns out that the bozo who downloaded the ISO for his members never verified the MD5 of his ISO file, which file he in turn served to everyone else. Yes, he calculated an MD5 for the file he was serving to us, but he posted his own MD5 for his clients to work with. That is why Mandrake had no such MD5.

Yup, members all downloaded his ISO, we all calculated the same MD5, but the bozo was serving a corrupt download. He might have known how to calculate the MD5, but he simply assumed that since his other downloads were always a match.... why check his MD5 THIS time? I remember that I had lost $5 in blanks on his bad file.

Oh right, the point... ahem - 'do not assume the MD5 posted on a fourth tier server is the same MD5 posted at the origin of the file, up at tier one. Always get the MD5 data from the creator, not from some re-serving site'.

Keeps everyone on the same page.

Ok, here's your soapbox back.

What happened with u is the

Pnoenix_23's picture

What happened with u is the famous case of "ASSUMPTION".
- You assumed the MD5 on some third-party website to be same as of the original ISO.
- You assumed there would be another ISO on mandrake with same MD5 (if you closely look at properties of hash functions, you would realize that collission is not so easy)

In short, Md5 is still one of the reliable and most widely used methods of checking the integrity of a download. Now, from where you obtain the ISO or to what Md5 checksum you are comparing depends entirely on how educated the user is about hash signatures and download integrity. One can obatain the MD5 checksum from authentic websites and go ahead with download from 3-part sites.

No method of security or integrity is fool proof unless one uses it as it is supposed to be used.

My 2 cents.

MD5 and SHA1 are considered

Phoenix_23's picture

MD5 and SHA1 are considered broken as researchers were able to generate collisions.
However, these hashing algorithms are still pre-image resistant. Hence its nearly impossible for anyone to take a random iso and make its MD5 and SHA1 hash value match the hash of the actual iso.

So Md5 and SHA1 are still reliable sources of checksum calculation for the purpose of downloads....


After thinking about it, I

Maxim .'s picture

After thinking about it, I came to the insight that you're absolutely right! :)

So, I have to change my last statement in my last post to that it's ok as long as you got md5/sha1-checksum from a trusted site (or source).

md5/sh1 broken

Maxim .'s picture

Ya'll know that md5 and sha1 is broken right? Sha2 is slightly better though.

But I suppose you can use it if you download from a trusted site and wanna check that the download went ok.


Mitch Frazier's picture

You're right, they are exploitable.

Mitch Frazier is an Associate Editor for Linux Journal.

Good post

MCITP's picture

I usual use bit torrent for download. This is good. Linuxjournal website is good.

or... use BitTorrent

Renich's picture

One could just use BitTorrent for one's ISO downloads and just forget about {md5,sha1}sum

It's hard to be free... but I love to struggle. Love isn't asked for; it's just given. Respect isn't asked for; it's earned!
Renich Bon Ciric

Why? Does Bit-torrent

Jim Switzer's picture

Why? Does Bit-torrent automatically check the checksum for each block of data?


Anonymous's picture