this post was submitted on 10 Mar 2024
200 points (92.7% liked)

Piracy: ꜱᴀɪʟ ᴛʜᴇ ʜɪɢʜ ꜱᴇᴀꜱ

54788 readers
712 users here now

⚓ Dedicated to the discussion of digital piracy, including ethical problems and legal advancements.

Rules • Full Version

1. Posts must be related to the discussion of digital piracy

2. Don't request invites, trade, sell, or self-promote

3. Don't request or link to specific pirated titles, including DMs

4. Don't submit low-quality posts, be entitled, or harass others



Loot, Pillage, & Plunder

📜 c/Piracy Wiki (Community Edition):


💰 Please help cover server costs.

Ko-Fi Liberapay
Ko-fi Liberapay

founded 1 year ago
MODERATORS
 

Are y'all actually torrenting Linux ISOs. Cus I recommend. Its way faster and fun to have a collection of like 30 distros and try and new branch of the larger Linux tree. I just assume its a joke but I only started torrenting Linux ISO because of seeing it replied so much lol.

you are viewing a single comment's thread
view the rest of the comments
[–] FrostyCaveman@lemm.ee 33 points 8 months ago (2 children)

I always torrent Linux ISOs. Built in checksumming, I’m lazy

[–] pedroapero@lemmy.ml 6 points 8 months ago (3 children)

Insecure checksumming though (sha-1)

[–] NightAuthor@lemmy.world 9 points 8 months ago (1 children)

What’s the risk here? Isn’t the chance of collision so low that it’s virtually impossible for someone to create a malicious payload that has the same hash as the original file?

[–] pedroapero@lemmy.ml 2 points 8 months ago (1 children)

Last published attack estimated the prefix generation (not random collision) to less than 100k$.

[–] NightAuthor@lemmy.world 6 points 8 months ago (1 children)

Ok, definitely something to worry about when I’m that valuable of a target.

[–] cecilkorik@lemmy.ca 5 points 8 months ago* (last edited 8 months ago)

To be fair, in the case of something like a Linux ISO, you are only a tiny fraction of the target or you may not even need to be the target at all to become collateral damage. You only need to be worth $1 to the attacker if there's 99,999 other people downloading it too, or if there's one other guy who is worth $99,999 and you don't need to be worth anything if the guy/organization they're targeting is worth $10 million. Obviously there are other challenges that would be involved in attacking the torrent swarm like the fact that you're not likely to have a sole seeder with corrupted checksums, and a naive implementation will almost certainly end up with a corrupted file instead of a working attack, but to someone with the resources and motivation to plan something like this it could get dangerous pretty quickly.

Supply chain attacks are increasingly becoming a serious risk, and we do need to start looking at upgrading security on things like the checksums we're using to harden them against attackers, who are realizing that this can be a very effective and relatively cheap way to widely distribute malware.

[–] heisenbug4242@lemmy.world 5 points 8 months ago

Verify the SHA-256 or SHA-512 hash after downloading. Most Linux distros publish such hashes.

[–] cobra89@beehaw.org 3 points 8 months ago

If you can orchestrate an hash conflict attack across many seeders for a file the size of an ISO then you've earned it lol. That's like government agency levels of complexity and even then it's still a bit of a stretch cuz there are easier ways.