Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
how do I know - how confident can I be - that a new Linux distro does not contain malicious software?
I suppose some do!
Can I test?
"Security References" in http://www.linuxquestions.org/questi...erences-45261/ kind of covers the field, but I don't understand, say, what to do before/after downloading the ISO / burning the disk. Except for checking the MD5 signature of the ISO, but didn't somebody work out recently how to maybe theoretically fake that?
In particular I'm interested in using Knoppix, Ubuntu, SystemRescueCD, maybe GParted Live.
MD5 only verifies that the file you downloaded onto your local system is identical to the file that was on the remote system. In other words, it only verifies no data was lost during transfer.
As for the question of a "malicious" distro, I am not 100% sure what you mean. Are you talking about somebody putting up modified versions of established distributions, like a Trojan? Or are you talking about the distribution itself containing malicious code (either intentionally or through some mistake)?
Either of those situations is possible. If we are talking about downloading an ISO for a particular distribution from a third party mirror, then comparing it with the MD5 sum from the distribution's website would at least verify that the third party didn't modify the ISO. But it would do nothing to assure you that some piece of software inside of that distribution isn't compromised.
I'd use SHA1 instead of MD5 if possible, as MD5 is quite broken. Still, checking the integrity of the ISO without verifying the authenticity of what you're using to check is not optimal. So yeah, you'd ideally want to do your check using a digital signature, which all major distros provide AFAICT. As for malicious code, well, to a certain extent you still rely on trust a great deal (as you do in the proprietary/closed-source model), except that here you at least are given the source code to everything so you can inspect it yourself or hire someone else to inspect it. You've basically brought up two different points, one being the integrity/authenticity of the software, and the other being the qualities of the software (and/or its source code).
Additionally you could list the packages installed and compare them with those from a trusted, official D/L mirror (apart from the fact that the problem is that trust has to originate somewhere). This will be easier for some distributions than others, as some package management systems are more equal than others: not all provide GnuPG keys next to hashes, and not all package management systems allow you to verify package contents. And while it's not something to rely on, the "many eyeballs" thing works: compromised official distribution or upstream source mirror servers, and compromised software itself, are commonly discovered quickly.
Quote:
new Linux distro does not contain malicious software?
It's impossible to check everything. Say, I know of some cases where a security hole in software was probably planned. There are some public examples of almost similar cases on the net: backdoors masked as a logic error, or just a straightforward backdoor feature. While it is still possible to check the source of all software, it's going to take you months, and the new software will be released long before you finish inspecting the old sources.
What I trust is the kernel and coreutils, all the very basic programs. I bet they're all double and triple checked already for containing backdoors. Of course the kernel may contain security issues, but not planned ones. I can say nothing of other software. Nothing. There's no knowing, really, and there are no tools that can check code for bugs and show 100% of them.
I think you have to be realistic here and measure things upon practicality.
Quote:
how do I know - how confident can I be - that a new Linux distro does not contain malicious software?
Well, many of us are long time Linux users here, and personally I use Gentoo, where we compile our own binaries and modify the source to our liking. But if you use binary distros, well then you are automatically using other people's work, so naturally you entrusted others to do the work for you! Note: you can always write your own from scratch if you are that paranoid.
Unlike other OSes, most Linux users know the ins and outs of the OS, so if there is a distro that has any type of 'malicious' software, then it won't be long before it will be named and shamed within the community. I emphasized malicious as there are many network tools built into Linux that can easily fit in that category. I would say most breaches are caused by the incompetency of the user to read/configure properly and secure the Linux box rather than the unanticipated security holes caused by the packages. So to put it simply, you don't install without first understanding the risk, and all things in life carry a risk. The monitor you sit in front of can easily get shorted by a lightning strike, causing you grievous bodily harm. So how do we measure that risk? Was it planned by the monitor manufacturer to accomplish such a freak incident?
Quote:
I suppose some do!
That's quite a claim. You know that because .... ??
And here I'm presuming you are talking about a known/major distro, not some backyard job your friend's friend has handed to you.
Quote:
Can I test?
You definitely can: start by learning C; the source code is out there.
As with your other queries, I think Win32sux has covered it, so no need to repeat.
I would guess that your best bet to be sure of getting the pure, unadulterated version of any distro is to order the disk set from their website. I used to get mine from Walnut Creek, whereas I now go to Columbus Microcenter to find something like FreeBSD or Slackware. They don't have the big open/shareware room they once had, as most folks simply download from the net these days. Use the distro's own links to get your distro. Or go to Distrowatch.com and use their links to get what you want. I would worry more about windoze having malicious code than most linux/unix distros, and I've had and tried dozens of each, going back to the early 90's without this sort of problem.
Most distros have signed files in their repos. Downloading from any distros home repo will be a pure download, a.k.a. the links from Distrowatch upon their release announcements.
Quote:
how do I know - how confident can I be - that a new Linux distro does not contain malicious software?
And how confident are you that Windows doesn't contain malicious software? How much bloatware and third-party junk comes on a Windows system? How many backdoors for the "Windows Genuine Advantage" crap are shoved in?? And the security holes that are left there?? You know...the ones that are so bad, you need loads of anti-virus, firewall, malware, and adware blocking software to plug up??
Quote:
I suppose some do!
Name one. Because I can't, because there aren't any. You CAN put something malicious out there, but think about it. MS can shovel anything they want out the door, and the source code is invisible. No one can check it or verify it. Linux isn't that way. Even if I wrote something malicious, and released it, millions of coders around the world would see it almost instantly, report it, and remove it.
Quote:
Can I test?
Sure...there are many portscanners and security checkers out there, to run against a system. Nessus being one that jumps to mind. Configure a Linux box, and follow basic hardening procedures (easily found online). Run a scan on it, versus another Windows box, and see what you find.
Quote:
"Security References" in http://www.linuxquestions.org/questi...erences-45261/ kind of covers the field, but I don't understand, say, what to do before/after downloading the ISO / burning the disk. Except for checking the MD5 signature of the ISO, but didn't somebody work out recently how to maybe theoretically fake that?
Yes, but it's difficult, and rather pointless. There are many locations for distros to be downloaded. As soon as someone noticed that an MD5 key is different than what the original distributor released, they'd howl about it, rendering that poisoned distro useless. Anyone who had loaded it would remove it.
Quote:
In particular I'm interested in using Knoppix, Ubuntu, SystemRescueCD, maybe GParted Live.
Enjoy. Any of them are fine, but you're leaving out MANY distros from that list.
Some software that I need to use - actually all the time (disability keyboard substitute) - depends on Windows. On the other hand, Linux lets you "hack" your own computer. For instance I recently had to format a misbehaving memory stick...
I got paranoid because around new year I had some /probably/ coincidental negative experiences around SystemRescueCD, and I thought: "with whom am I dealing?"
One: after changing around some Windows hard disk partitions, plus running clamav from SRCD, the disabled "AutoPlay" feature on Windows removable volumes got un-disabled. A Windows Registry database entry appeared to have come into existence against my will to do this. It can be controlled per-user or per-machine apparently, but documentation only mentions the per-user setting(?), which is ignored if the equivalent per-machine key exists, regardless of what it actually says.
In other words, Windows started auto-running software on disks and sticks after I had specifically told it not to.
Two: I searched for SRCD comments and found somebody spamming forums semi-randomly offering their own download of SRCD.
Three: Windows security software called Malwarebytes said that SRCD's web page is a bad place to go.
There are a few problems with this picture, such as Malwarebytes forum operators separately saying that SRCD is a good thing to use. But I strongly suspect that the spammed-link version of SRCD would be malicious. After all, SRCD comes with instructions to customise your copy... and why else is it there?
MD5 signature...... Knoppix allows FTP of its ISO from various volunteer servers around the world. The MD5 signature of the ISO is available from the same server as the ISO - so how does that help? Won't a hacker just replace both files?
Turning the question around, how does a distro maker assure users that it's healthy to use?
Quote:
MD5 signature...... Knoppix allows FTP of its ISO from various volunteer servers around the world. The MD5 signature of the ISO is available from the same server as the ISO - so how does that help? Won't a hacker just replace both files?
Which is why it would be ridiculous to rely solely on that method if you're highly concerned.
Quote:
Turning the question around, how does a distro maker assure users that it's healthy to use?
Quote:
how do I know - how confident can I be - that a new Linux distro does not contain malicious software?
I don't know what you mean by 'new'; do you mean something that you haven't tried before, or something that is new to the world?
If you think that, e.g., RHEL would ruin their reputation by including software that was specifically intended to do something nasty to you, I would suggest that this is an exaggerated concern.
Potentially, it could happen, but I doubt that they would deliberately try to alienate a substantial part of their userbase.
OTOH, if you were to come across an otherwise unknown distro, particularly if it were called something hacker-ish, they may have no rep to protect.
And, malicious software?
Quote:
after changing around some Windows hard disk partitions, plus running clamav from SRCD, the disabled "AutoPlay" feature on Windows removable volumes got un-disabled. A Windows Registry database entry appeared to have come into existence against my will to do this. It can be controlled per-user or per-machine apparently, but documentation only mentions the per-user setting(?), which is ignored if the equivalent per-machine key exists, regardless of what it actually says.
Sounds as if you played around with some hacker-level tools that had unanticipated side-effects. Many distros - maybe most distros - will include tools that take real expertise to use safely, but this is not malicious. You may have wanted more safety features incorporated and you may have expected more in the way of warning messages.
Quote:
But I strongly suspect that the spammed-link version of SRCD would be malicious.
It would be very easy to take a perfectly legitimate Linux distro, particularly one intended for system-level, but legitimate, hacking, and do something nasty with it. So, if there was a legitimate distro called 'System Rescue CD', you could produce a distro and a site called SysResCD, and most people would not realise that they are not dealing with the genuine System Rescue CD, and whatever tools you use to verify that your SysResCD is as the manufacturer intended will only prove that it is as SysResCD intended.
Don't forget that the distribution's popularity and the authenticity of the site you downloaded it from are the biggest tell-tale signs of all, IMO.
If I downloaded Ubuntu straight from Canonical's website, you are given 100% assurance.
Same with most.
Ones you need to look out for are small ones with no following or, lesser still, a custom spin on a current one.
Still, the biggest thing to know is what Linux is based upon, the source code. If it's not released, this should raise an immediate red flag. Another is a license or the lack thereof.
Popularity is the big factor though. Developers won't develop and maintainers won't maintain if there is something like this going on.
Quote:
If I downloaded Ubuntu straight from Canonical's website, you are given 100% assurance.
Same with most.
I can certainly see where you're coming from, but the truth is that nothing can give you 100% assurance. On its own, having downloaded the ISO from one of Canonical's servers says nothing about whether that ISO is really what it's supposed to be. In other words, you don't know whether the ISO on the server has been tampered with by a cracker, or whether you're actually the victim of a MITM attack where nothing you see is real. Seriously, stuff like this is why we have digital signatures in the first place. Canonical provides digitally signed MD5, SHA1, and SHA256 hash values for their downloads, and if you're looking to get anywhere near 100% assurance, that's your best bet right there.
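The two-step check that win32sux describes above and in the earlier post on digital signatures (first verify the signature on the checksum file with a key obtained out of band, then compare the ISO's hash against that file), as an added Python example; it is not code from this thread or from any distribution. The keyring path, the file names and the sample "ISO" contents are constructed assumptions.

```python
import hashlib
import hmac
import os
import subprocess
import tempfile


def parse_sums(text):
    """Parse sha256sum-style lines ('<hex>  <name>' or '<hex> *<name>') into {name: hex}."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        sums[name.strip().lstrip("*")] = digest.lower()  # '*' marks binary mode
    return sums


def sha256_file(path, chunk=1 << 20):
    """Hash a large file (an ISO) without reading it into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def signature_is_valid(sums_path, sig_path, keyring):
    """Step 1, authenticity: the checksum file must carry a good signature from a key
    obtained out of band, not from the same mirror. The keyring path is hypothetical."""
    cmd = ["gpg", "--no-default-keyring", "--keyring", keyring, "--verify", sig_path, sums_path]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def iso_matches_sums(iso_path, sums_text):
    """Step 2, integrity: compare the ISO's hash with the entry in the signed checksum file.
    Only meaningful once signature_is_valid() has passed for that file."""
    expected = parse_sums(sums_text).get(os.path.basename(iso_path))
    if expected is None:
        return False  # no entry for this file name: treat as failure, not success
    return hmac.compare_digest(sha256_file(iso_path), expected)


def demo():
    """Constructed sample: a fake ISO plus a matching and a tampered SHA256SUMS line."""
    with tempfile.TemporaryDirectory() as d:
        iso = os.path.join(d, "example-live.iso")
        with open(iso, "wb") as f:
            f.write(b"constructed sample, not a real ISO\n")
        good = sha256_file(iso) + " *example-live.iso\n"
        tampered = "00" * 32 + "  example-live.iso\n"
        return iso_matches_sums(iso, good), iso_matches_sums(iso, tampered)
```

A checksum file that fails step 1 is worthless for step 2, which is exactly the "both files on the same mirror" problem raised earlier in the thread.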