Verify Your Downloaded ISO Images Before Burning Them
Comments
md5?? ahh.
Really, there is a RECENT article telling us to verify our lengthy downloads? Wow.
Here, kiddie, I have a tip for you.
I remember posting on some old "Linux-ISO" website, long since deceased, about how they were serving a Mandrake ISO (see? I told you it was an old website) which burned CDs that refused to boot. Refused to boot for everybody. Back when a hotrod 16x cdburner could, in a good afternoon, convert a spindle of blanks into coasters. Collectively on that day, many spindles of CDRs died for no reason.
BitTorrent was, IIRC, not yet out or maybe just not yet popular, so some membership-based websites were serving 'new releases' to help members get access to the ISO without needing members to be up at 3am, wait in an FTP queue, etc., etc. for a direct connection.
Although my download from that membership site had the same MD5 as the MD5 the member site posted for that ISO, I had burned it 4 times with no success... people in the forum were also getting a lot of coasters.
I decided to see if Mandrake had a differently named ISO for that MD5, and maybe the membership ISO happened to not match what Mandrake had released or whatever. Hmm. Mandrake shows no ISO with that checksum. Not the same as Mandrake? What have I been served?
Turns out that the bozo who downloaded the ISO for his members never verified the MD5 of his ISO file, which file he in turn served to everyone else. Yes, he calculated an MD5 for the file he was serving to us, but he posted his own MD5 for his clients to work with. That is why Mandrake had no such MD5.
Yup, members all downloaded his ISO, we all calculated the same MD5, but the bozo was serving a corrupt download. He might have known how to calculate the MD5, but he simply assumed that since his other downloads were always a match.... why check his MD5 THIS time? I remember that I had lost $5 in blanks on his bad file.
Oh right, the point... ahem - 'do not assume the MD5 posted on a fourth tier server is the same MD5 posted at the origin of the file, up at tier one. Always get the MD5 data from the creator, not from some re-serving site'.
Keeps everyone on the same page.
Ok, here's your soapbox back.
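The failure described in the comment above, as an added example that is not part of the original comment or article: a re-serving site publishes a checksum computed from its own damaged copy, so every downloader's check passes, and only the origin's checksum list exposes the problem. The file name and contents are constructed, and SHA-256 stands in for the MD5 used in the story.

```python
import hashlib
import os
import tempfile


def file_digest(path, algo="sha256", chunk=1 << 20):
    """Hash a file in chunks so a multi-GB ISO never has to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_sums(text):
    """Parse md5sum/sha256sum-style lines: '<hex>  <name>' or '<hex> *<name>'."""
    sums = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and not line.startswith("#"):
            sums[parts[1].lstrip("*").strip()] = parts[0].lower()
    return sums


def verify(path, sums_text, algo="sha256"):
    """Return True/False for match/mismatch, None if the file is not listed."""
    expected = parse_sums(sums_text).get(os.path.basename(path))
    if expected is None:
        return None
    return file_digest(path, algo) == expected


def demo():
    # Constructed stand-ins: the origin's image and a mirror copy damaged in transit.
    origin_image = b"ISO9660 constructed image data " * 4096
    mirror_image = origin_image[:5000] + b"\x00" + origin_image[5001:]
    name = "distro-constructed.iso"
    origin_sums = f"{hashlib.sha256(origin_image).hexdigest()}  {name}\n"
    # The mirror operator hashed the copy they serve instead of copying the origin's list.
    mirror_sums = f"{hashlib.sha256(mirror_image).hexdigest()} *{name}\n"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, name)
        with open(path, "wb") as f:
            f.write(mirror_image)  # what every member downloads
        return verify(path, mirror_sums), verify(path, origin_sums)


if __name__ == "__main__":
    print("mirror list: %s, origin list: %s" % demo())
```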
What happened with you is the famous case of "ASSUMPTION".
- You assumed the MD5 on some third-party website to be the same as that of the original ISO.
- You assumed there would be another ISO on Mandrake with the same MD5 (if you look closely at the properties of hash functions, you would realize that a collision is not so easy)
In short, MD5 is still one of the reliable and most widely used methods of checking the integrity of a download. Now, from where you obtain the ISO or to what MD5 checksum you are comparing depends entirely on how educated the user is about hash signatures and download integrity. One can obtain the MD5 checksum from authentic websites and go ahead with the download from 3rd-party sites.
No method of security or integrity is fool proof unless one uses it as it is supposed to be used.
My 2 cents.
MD5 and SHA1 are considered broken as researchers were able to generate collisions.
However, these hashing algorithms are still pre-image resistant. Hence it's nearly impossible for anyone to take a random ISO and make its MD5 and SHA1 hash value match the hash of the actual ISO.
So MD5 and SHA1 are still reliable sources of checksum calculation for the purpose of downloads....
HTH
After thinking about it, I came to the insight that you're absolutely right! :)
So, I have to change my last statement in my last post to that it's ok as long as you got md5/sha1-checksum from a trusted site (or source).
md5/sha1 broken
Y'all know that md5 and sha1 are broken, right? Sha2 is slightly better though.
en.wikipedia.org/wiki/Md5
www.schneier.com/blog/archives/2005/02/sha1_broken.html
But I suppose you can use it if you download from a trusted site and wanna check that the download went ok.
True
You're right, they are exploitable.
Mitch Frazier is an Associate Editor for Linux Journal.
Good post
I usually use BitTorrent for downloads. This is good. Linuxjournal website is good.
or... use BitTorrent
One could just use BitTorrent for one's ISO downloads and just forget about {md5,sha1}sum
It's hard to be free... but I love to struggle. Love isn't asked for; it's just given. Respect isn't asked for; it's earned!
Renich Bon Ciric
http://www.woralelandia.com/
http://www.introbella.com/
Why? Does BitTorrent automatically check the checksum for each block of data?
Precisely
Precisely
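The per-block check asked about above, as an added example that is not part of the thread: BitTorrent (v1) metainfo carries one SHA-1 digest per fixed-size piece, and a client checks every received piece against it, so a damaged piece is identified and fetched again rather than the whole image. The data and the small piece size are constructed.

```python
import hashlib

PIECE_LEN = 16 * 1024  # constructed small piece size; real torrents use larger pieces


def make_pieces_field(data, piece_len=PIECE_LEN):
    """Concatenated 20-byte SHA-1 digests, one per piece, as in a v1 .torrent 'pieces' field."""
    return b"".join(
        hashlib.sha1(data[i:i + piece_len]).digest()
        for i in range(0, len(data), piece_len)
    )


def bad_pieces(data, pieces_field, piece_len=PIECE_LEN):
    """Return indices of pieces whose SHA-1 differs from the metainfo; these get re-fetched."""
    expected = [pieces_field[i:i + 20] for i in range(0, len(pieces_field), 20)]
    n_pieces = -(-len(data) // piece_len)  # ceiling division
    if n_pieces != len(expected):
        raise ValueError("piece count mismatch: wrong length or wrong torrent")
    return [
        idx for idx, want in enumerate(expected)
        if hashlib.sha1(data[idx * piece_len:(idx + 1) * piece_len]).digest() != want
    ]


def demo():
    original = bytes(range(256)) * 400       # constructed 102,400-byte "image"
    pieces = make_pieces_field(original)      # what the publisher puts in the .torrent
    received = bytearray(original)
    received[40000] ^= 0xFF                   # one byte flipped in transit
    return bad_pieces(bytes(received), pieces)


if __name__ == "__main__":
    print("pieces to re-fetch:", demo())
```

The piece digests are only as trustworthy as the source of the .torrent file, which is the same point the first comment makes about checksum lists.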