HowToMD5SUM should say how to check a CD's integrity directly

Bug #146895 reported by Kannan Goundan on 2007-09-29
4
Affects Status Importance Assigned to Milestone
Ubuntu Documentation
Wishlist
Dougie Richardson

Bug Description

The HowToMD5SUM page has two ways of checking integrity:
1. Given an ISO, determine whether is one of the official Ubuntu ISOs.
2. Assuming you have an official Ubuntu ISO, and have burned it to CD, check to make sure the files were burned correctly.

There's no instructions for: "Given a CD, determine whether it was correctly burned from one of the official Ubuntu ISOs."

Use Cases:
1. I send an Ubuntu CD via postal mail to a friend. He needs to check the integrity before running it to make sure some malicious person isn't mailing him fake Ubuntu CDs.
2. I see an CD labelled "Ubuntu 7.04" lying around at work and want to use it. I need to check the integrity before running it.

Workaround:
1. Extract an ISO from the CD and check the ISO. But this negates some of the convenience of having a ready-to-install Ubuntu CD.

Possible Solutions:
1. On Unix you can just run md5sum on the block device (/dev/hdb1 or whatever). Then the UbuntuHashes page can have another md5sum posted for the raw CD bits (or will this be the same as the ISO md5sum?). Also, need to find out how to do this on Windows.
2. Post the CD's "md5sum.txt" file on the UbuntuHashes page. Users can download this and check their CD using this file instead of the one on the CD (which you can't necessarily trust). A problem with this is that "md5sum -c" will not complain if a file exists on the CD that doesn't exist in "md5sum.txt". This allows a malicious person to add files to the CD and have it go unnoticed.

With regard to possible solutions, it is my understanding from RFC1321 that MD5SUM are generated in respect of the number of bits. I'm not 100% sure about whether every CD burned by every manufacturers drives would generate the same MD5SUM, certainly different burning software writes different numbers of bits in closing the disc.

This is a perennial problem, noted throughout the community and as you state the common solution is to extract to ISO and then compare that MD5SUM against the immutable pages.

I agree there is the potential for misuse of the MD5 on the CD but the question is really where do we draw the line - MD5 can be cracked with rainbow tables if it isn't salted.

I think this warrants further discussion.

Changed in ubuntu-doc:
importance: Undecided → Wishlist
status: New → Confirmed
  • unnamed Edit (4.6 KiB, text/html; charset=ISO-8859-1)
Download full text (4.0 KiB)

The best solution I have found to this issue has been to check the ISO image
download and make sure the MD5SUM is correct as compared to the sums listed
on www.ubuntu.com, and then burn the image to a high quality CD or DVD at
the *slowest* speed your burner will allow. This will make the image burned
into the media "heavier". Media burned at higher speeds tend to have a
"ligher" burn and older PCs have trouble reading the data because they have
to re-read the data multiple times before it can decypher the data.

Many older PCs, due to the fact that they are slower, are unable to re-read
the data enough times before an error happens. I have found many instances
where an install failed from media burned at x24, but when the same image
was burned at x10 or slower the install worked without a problem. The only
thing that changed was the burn speed.

I agree with Dougie that it is very difficult to compare burned MD5SUMs
because of how different burning programs close out the burn. IMHO, I think
we should recommend checking the ISO MD5SUM after it is downloaded and
recommend burning at a slow speed on high quality media. I think this will
knock out most of the issues that come from using downloaded media.

On Tue, Apr 29, 2008 at 9:40 AM, Dougie Richardson <
<email address hidden>> wrote:

> With regard to possible solutions, it is my understanding from RFC1321
> that MD5SUM are generated in respect of the number of bits. I'm not 100%
> sure about whether every CD burned by every manufacturers drives would
> generate the same MD5SUM, certainly different burning software writes
> different numbers of bits in closing the disc.
>
> This is a perennial problem, noted throughout the community and as you
> state the common solution is to extract to ISO and then compare that
> MD5SUM against the immutable pages.
>
> I agree there is the potential for misuse of the MD5 on the CD but the
> question is really where do we draw the line - MD5 can be cracked with
> rainbow tables if it isn't salted.
>
> I think this warrants further discussion.
>
> ** Changed in: ubuntu-doc
> Importance: Undecided => Wishlist
> Status: New => Confirmed
>
> --
> HowToMD5SUM should say how to check a CD's integrity directly
> https://bugs.launchpad.net/bugs/146895
> You received this bug notification because you are a member of Ubuntu
> Documentation Project Team, which is subscribed to Ubuntu Documentation.
>
> Status in Ubuntu Documentation: Confirmed
>
> Bug description:
> The HowToMD5SUM page has two ways of checking integrity:
> 1. Given an ISO, determine whether is one of the official Ubuntu ISOs.
> 2. Assuming you have an official Ubuntu ISO, and have burned it to CD,
> check to make sure the files were burned correctly.
>
> There's no instructions for: "Given a CD, determine whether it was
> correctly burned from one of the official Ubuntu ISOs."
>
> Use Cases:
> 1. I send an Ubuntu CD via postal mail to a friend. He needs to check the
> integrity before running it to make sure some malicious person isn't mailing
> him fake Ubuntu CDs.
> 2. I see an CD labelled "Ubuntu 7.04" lying around at work and want to use
> it. I need to check the integrity be...

Read more...

Dustin Kirkland  (kirkland) wrote :

There's one other option...

Ubuntu install media have an option in the bootloader to "Check CD for defects".

This will boot the cd into a special mode where each file is checked
on an individual basis, rather than md5sum-ing the entire device as a
whole.

I think this method probably at least deserves a mention as well.

:-Dustin

Jeff Trower (jtrower1) wrote :
  • unnamed Edit (3.1 KiB, text/html; charset=ISO-8859-1)

Good call Dustin, I run this check and whenever I've done it, I haven't had
any issues.

Jeff

On Tue, Apr 29, 2008 at 9:20 PM, Dustin Kirkland <email address hidden>
wrote:

> There's one other option...
>
> Ubuntu install media have an option in the bootloader to "Check CD for
> defects".
>
> This will boot the cd into a special mode where each file is checked
> on an individual basis, rather than md5sum-ing the entire device as a
> whole.
>
> I think this method probably at least deserves a mention as well.
>
> :-Dustin
>
> --
> HowToMD5SUM should say how to check a CD's integrity directly
> https://bugs.launchpad.net/bugs/146895
> You received this bug notification because you are a member of Ubuntu
> Documentation Project Team, which is subscribed to Ubuntu Documentation.
>
> Status in Ubuntu Documentation: Confirmed
>
> Bug description:
> The HowToMD5SUM page has two ways of checking integrity:
> 1. Given an ISO, determine whether is one of the official Ubuntu ISOs.
> 2. Assuming you have an official Ubuntu ISO, and have burned it to CD,
> check to make sure the files were burned correctly.
>
> There's no instructions for: "Given a CD, determine whether it was
> correctly burned from one of the official Ubuntu ISOs."
>
> Use Cases:
> 1. I send an Ubuntu CD via postal mail to a friend. He needs to check the
> integrity before running it to make sure some malicious person isn't mailing
> him fake Ubuntu CDs.
> 2. I see an CD labelled "Ubuntu 7.04" lying around at work and want to use
> it. I need to check the integrity before running it.
>
> Workaround:
> 1. Extract an ISO from the CD and check the ISO. But this negates some of
> the convenience of having a ready-to-install Ubuntu CD.
>
> Possible Solutions:
> 1. On Unix you can just run md5sum on the block device (/dev/hdb1 or
> whatever). Then the UbuntuHashes page can have another md5sum posted for
> the raw CD bits (or will this be the same as the ISO md5sum?). Also, need
> to find out how to do this on Windows.
> 2. Post the CD's "md5sum.txt" file on the UbuntuHashes page. Users can
> download this and check their CD using this file instead of the one on the
> CD (which you can't necessarily trust). A problem with this is that "md5sum
> -c" will not complain if a file exists on the CD that doesn't exist in
> "md5sum.txt". This allows a malicious person to add files to the CD and
> have it go unnoticed.
>

--
Jeff Trower
480-231-9426
773-857-2399
<email address hidden>

Dustin/Jeff, you are quite right but it's not so much a question of whether or not the disc has been successfully burned as much as whether someone has added malicious code to a CD that the OP is concerned with.

Jeff Trower (jtrower1) wrote :
  • unnamed Edit (3.1 KiB, text/html; charset=ISO-8859-1)

Dougie/Dustin:

Would pulling an ISO off of the disc and checking the MD5SUM work as a
solution? I don't know if that would possibly find malicious code or not.
I know it is kind of a pain, but I'm not sure of any other ways to provide a
vanilla solution to this problem.

Jeff

On Wed, Apr 30, 2008 at 6:51 AM, Dougie Richardson <
<email address hidden>> wrote:

> Dustin/Jeff, you are quite right but it's not so much a question of
> whether or not the disc has been successfully burned as much as whether
> someone has added malicious code to a CD that the OP is concerned with.
>
> --
> HowToMD5SUM should say how to check a CD's integrity directly
> https://bugs.launchpad.net/bugs/146895
> You received this bug notification because you are a member of Ubuntu
> Documentation Project Team, which is subscribed to Ubuntu Documentation.
>
> Status in Ubuntu Documentation: Confirmed
>
> Bug description:
> The HowToMD5SUM page has two ways of checking integrity:
> 1. Given an ISO, determine whether is one of the official Ubuntu ISOs.
> 2. Assuming you have an official Ubuntu ISO, and have burned it to CD,
> check to make sure the files were burned correctly.
>
> There's no instructions for: "Given a CD, determine whether it was
> correctly burned from one of the official Ubuntu ISOs."
>
> Use Cases:
> 1. I send an Ubuntu CD via postal mail to a friend. He needs to check the
> integrity before running it to make sure some malicious person isn't mailing
> him fake Ubuntu CDs.
> 2. I see an CD labelled "Ubuntu 7.04" lying around at work and want to use
> it. I need to check the integrity before running it.
>
> Workaround:
> 1. Extract an ISO from the CD and check the ISO. But this negates some of
> the convenience of having a ready-to-install Ubuntu CD.
>
> Possible Solutions:
> 1. On Unix you can just run md5sum on the block device (/dev/hdb1 or
> whatever). Then the UbuntuHashes page can have another md5sum posted for
> the raw CD bits (or will this be the same as the ISO md5sum?). Also, need
> to find out how to do this on Windows.
> 2. Post the CD's "md5sum.txt" file on the UbuntuHashes page. Users can
> download this and check their CD using this file instead of the one on the
> CD (which you can't necessarily trust). A problem with this is that "md5sum
> -c" will not complain if a file exists on the CD that doesn't exist in
> "md5sum.txt". This allows a malicious person to add files to the CD and
> have it go unnoticed.
>

--
Jeff Trower
480-231-9426
773-857-2399
<email address hidden>

I realize this seems to be an uncommon use case, so let me explain how I ran into it. My coworkers (in a different city) will, when looking for a Linux distribution to install, just install whatever Fedora version is lying around. Burning an Ubuntu ISO doesn't seem very difficult but it's a significant barrier when the person is mostly apathetic. First of all, they have a Fedora CD and can start installing *now* instead of waiting for the Ubuntu ISO to download. Second, they may not have a blank CD on hand. My plan was to mail them an Ubuntu CD so those two barriers disappear.

The problem is that I really shouldn't be asking anyone to install software off of a CD they got in the mail. Getting people into that habit is just begging for an Ubuntu botnet. It's probably an uncommon attack vector right now, but isn't that always how it starts out? (Hmm... what if someone started mailing out fake ShipIt packages?)

One idea: Create a tiny authentication program that will either say: "The CD in your CD drive is not a valid Ubuntu installation CD" or "The CD in your CD drive is an Ubuntu installation CD for version X". This program could be made available over SSL from the Ubuntu website with pre-built binaries for Windows, Linux, and whatever else is common. I think the ease of having a ready-to-go Ubuntu CD offsets the pain of downloading and running the authenticator program.

BTW, if it's possible to extract the ISO and check that, then that's half a solution. If I wanted to use an Ubuntu CD I saw lying around at work, I'd be willing to extract the ISO and do the checksum. But I think the lazy/apathetic person use case is still important.

Jonathan Jesse (jjesse) wrote :

Why is this a bug against Ubuntu Documentation? THis hsould be a bug against the Ubuntu project itself, and shouldn't be something the documentation team deals with until the utility is created then it will need to be documentated.

Is there really that big of a problem with people using "fake" ubuntu disks?

Jonathan

bodhi.zazen (bodhi.zazen) wrote :

I do not understand why this is a "bug report" and would favor closing this "bug report".

Quote - "On Unix you can just run md5sum on the block device (/dev/hdb1 or whatever). Then the UbuntuHashes page can have another md5sum posted for the raw CD bits (or will this be the same as the ISO md5sum?)"

md5sum /dev/sdxy => returns a md5sum and the md5sum from a burned iso (finished CD) == the md5sum as the *.iso

You can test the integrity of the burn from burning software (biggest advantage of K3b IMO) and by booting the CD => Test disk integrity.

Seems like this is more of a question "how do I use md5sum ?" then a "bug report"

Hi Bodhi,

I want to change this to "Won't fix" for the reasons I posted on the list. This usage case has no real solution at present because of the reasons stated at the first point (https://bugs.launchpad.net/ubuntu-doc/+bug/146895/comments/1).

I'm reluctant to set to invalid, because the scenario stated is possible.

Charles Profitt (cprofitt) wrote :

I too, am not sure, if an md5checksum of a CD would be the same given different burning options... but perhaps we should test the theory.

Also, there is a file on the CD calld md5sum... it contains a host of checksums for files on the CD... If these were posted on the wiki then a person could verify a selection of the files and be reasonably sure that everything was ok.

> Also, there is a file on the CD calld md5sum... it contains a host of
> checksums for files on the CD... If these were posted on the wiki then
> a
> person could verify a selection of the files and be reasonably sure
> that
> everything was ok.

In the usage scenario given, the MD5SUM on the CD could have been altered as well.

Cheers,

Dougie

Charles Profitt (cprofitt) wrote :

Dougie:

Let me clarify.

The idea was to place the md5checksums on the wiki so that a person concerned about the CD being a 'fake' could use them to check the files on the CD. This is ofcourse assuming that folks are right that checksums of burned CDs will be slightly different as a whole. The only reason I brought up the checksums on the CD was as evidence that that the Ubuntu team is already determining the checksums of the various components of the distro.

PrivateVoid,

I understand your point and this is why I want to change the status. The "can do" attitude of Linux often makes us try to solve problems that, really no one needs to ask.

We know that Ubuntu makes the MD5 available and that integrity is important, it's just this particular usage case is either a very unusual situation or a user who doesn't fully grasp MD5 system. I feel it is the latter but either way - we cannot fix this issue.

If you see what I mean, LoL.

Changing to "Won't Fix" after discussion on the mailing list, this usage case is too unusual. No one as yet has a solution more practical then downloading a copy and checking it with MD5SUM.

Changed in ubuntu-doc:
assignee: nobody → ddrichardson
status: Confirmed → Won't Fix
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers