0

I have downloaded the ISO image of Kubuntu 20.10 and installed it.

I am afraid that the ISO image may have been tainted (for example, by the NSA) to insert a backdoor into it.

As I see it, there are two ways to insert a backdoor (I mean an intentional one, not an OpenSSL bug):

  1. Directly in the source code that is published on the internet. I don't think this is feasible. I don't have the time to read all the 10M+ lines of the Linux kernel, and, even if I did, I don't nearly have the skill to understand most of it. Moreover, I would also have to check all the source code of all the libraries on top of the kernel (Qt, all the apps, etc.). But I am not worried about this for the following reason: I think a lot of people and companies work on the kernel (for instance, Google with Android, Red Hat with its for-profit Linux OS, etc.). It would be in their financial interest, if they spot a backdoor, to blow the whistle and then sell their own backdoor-free kernel.

  2. But I don't know whether the binary I have downloaded results from the compilation of the source code published on the internet, or from some other source code (the idea, of course, is for the NSA to download the kernel source, add the backdoor, compile, and publish that binary). I don't mean that Canonical necessarily sold me a tainted binary. What I am describing here can be achieved in multiple ways. For example, the NSA can spoof the DNS records I use, and, when I type ubuntu.com, they have me connect to their own website, which looks exactly like the official website, but the NSA binaries are provided instead of the correct ones.

How can I avoid the risk illustrated in number 2, and check that the ISO image I have downloaded was compiled from the source published on the web?

robertspierre
  • Along with the ISO image, the hash of the ISO image is signed by the maintainer. Retrieve the public key from the maintainer's repository, verify the signature and compare the hash. See [this](https://www.kali.org/docs/introduction/download-official-kali-linux-images/). – defalt Dec 10 '20 at 19:43

2 Answers

1

You've specified that you don't care about source code vulnerabilities, so then the question really is "How do I verify that I've installed a legitimate binary?".

This depends on your distribution. Most of them have some level of cryptographic signing of packages; for instance, there will be a package that installs the GPG keys for the distro packagers, and every downloaded package is checked against your keychain.

Xiong Chiamiov
  • But if the NSA tainted the ISO image of the Kubuntu distribution I have downloaded, they would disable that check, or that check would be useless because the backdoor is already installed and is not downloaded in a new package, right? I am not talking about post-installation tainted packages, I am talking about a tainted ISO image of the distribution, no? – robertspierre Dec 10 '20 at 19:00
  • I have edited the question to more precisely point out what I mean – robertspierre Dec 10 '20 at 19:02
  • @raffaem the distributors publish the checksums of the images (in the case of Kubuntu, here - https://kubuntu.org/alternative-downloads) - you can calculate the checksum of the suspicious ISO image that you have, and compare it with the checksum that it should have. – Peteris Dec 10 '20 at 19:51
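The procedure the comments above describe (defalt's signed hash, Peteris's checksum comparison), as an added example that is not part of the original thread. It assumes the Ubuntu-style `SHA256SUMS` / `SHA256SUMS.gpg` files published next to the image and a signing keyring obtained independently of the download site; the file names, keyring path and sample data are constructed for illustration.

```python
import hashlib
import hmac
import subprocess
import tempfile
from pathlib import Path

def parse_sha256sums(text):
    """Parse Ubuntu-style SHA256SUMS lines ('<hex> *<file>') into {file: hex}."""
    sums = {}
    for line in filter(str.strip, text.splitlines()):
        digest, name = line.split(None, 1)
        if len(digest) != 64 or not all(c in "0123456789abcdef" for c in digest.lower()):
            raise ValueError(f"malformed digest in line: {line!r}")
        sums[name.lstrip("*")] = digest.lower()
    return sums

def sha256_of_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:  # 1 MiB chunks: a multi-GB ISO never sits in RAM
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def signature_is_valid(sums_path, sig_path, keyring):
    # Trust ONLY this keyring; obtain it out of band, never from the download site.
    cmd = ["gpg", "--no-default-keyring", "--keyring", str(keyring),
           "--verify", str(sig_path), str(sums_path)]
    return subprocess.run(cmd, capture_output=True).returncode == 0

def checksum_matches(iso_path, sums_text, name=None):
    expected = parse_sha256sums(sums_text).get(name or Path(iso_path).name)
    if expected is None:
        return False  # an image that is not listed at all is a failed check
    return hmac.compare_digest(sha256_of_file(iso_path), expected)

def verify_iso(iso_path, sums_path, sig_path, keyring):
    # Signature first: an unsigned or altered SHA256SUMS file proves nothing.
    return (signature_is_valid(sums_path, sig_path, keyring)
            and checksum_matches(iso_path, Path(sums_path).read_text()))

def selfcheck():
    data = b"constructed stand-in for kubuntu-20.10-desktop-amd64.iso\n"
    good = hashlib.sha256(data).hexdigest()
    sums = f"{good} *kubuntu-20.10-desktop-amd64.iso\n{'0' * 64} *other.iso\n"
    with tempfile.TemporaryDirectory() as d:
        iso = Path(d) / "kubuntu-20.10-desktop-amd64.iso"
        iso.write_bytes(data)
        return (checksum_matches(iso, sums),                           # good
                checksum_matches(iso, sums.replace(good, "f" * 64)),  # tampered
                checksum_matches(iso, sums, name="missing.iso"))       # unlisted
```

`verify_iso()` is the entry point for a real download; `selfcheck()` exercises only the checksum half on constructed data, because the signature step needs `gpg` and the genuine key.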
0

If you think the specific ISO you have downloaded is backdoored, you can try to download it over a different internet connection and compare the checksums.

Questions you might want to ask/answer yourself:

Does it matter to you, as an end user, if the NSA uses a backdoor or just a normal bug in the kernel or other software to gain access to your system? How do you know the bug was not a well-crafted backdoor? Why do you think the ISO was backdoored?

Many "tech" companies are based in the US. Just like the NSA. As long as the gain outweighs the risk, there is maybe no reason to fix backdoors. No one is selling "backdoor-free" (Linux) kernels. If you want kernels with a reduced risk of backdoors but also fewer functions/less usability, you can look at seL4 and the like.

For 2., look up reproducible builds. This makes it harder to attack specific build systems, because the binary built in the end should always be the same across all systems. If the source code is backdoored/has bugs, everyone would still get those in their binaries.

I don't know, however, if *buntu ISOs are reproducible, or if you can at least build an ISO from the same source code.