Isn't possible to check in the block chain to check if the attacker is actually receiving money? Just curious how much money ine makes with such attacks.
As soon as I saw the headline, I assumed something of this sort. Maybe it's naive, but I miss the days when you could just trust (however unfounded) open source software. I never had to hesitate before downloading a distro or a package. Now I only install something if I absolutely need it.
You could argue that if not crypto, it would have been something else eventually, and that the heightened vigilance it has necessitated has made it more difficult for other motivated attackers (like state actors) to backdoor or compromise OSS. But as someone who doesn't use crypto, I completely get the "f*ck crypto" sentiment.
I don't know how familiar you are with the sheer scope of malware, black markets, data theft, various extortion techniques, but gaining the ability to drop an arbitrary .exe on Xubuntu.org and actually direct enough traffic to it that people notice it is worth a LOT more than $0.
The value of your labor is being systemically destroyed through deliberate currency manipulation by the US Federal Reserve, in conjunction with the US Government and US Treasury.
You are more than twice as productive as your equivalent 1971 counterpart, but relative to inflation, he was being paid about the same as you. You make your employer twice as much money as he did but you're not rewarded twice as much.
Five, ten, twenty years from now, when the trend that has been visible in the data since the 1970s is complete, and your labor has no value at all, are you going to be okay?
The people who spent large majorities of their income accumulating scarce stores of value (gold, bitcoin, housing, profitable businesses, land, etc) are going to be fine.
> Thanks everyone. We're beholden to our hosting environment for upgrades and it looks like there was a bit of a slip-up here. It's being worked on, but for now the Downloads page is disabled.
Calling this a "slip-up" is an outrageous downplay. If anything this makes me suspicious of the moderator who posted the comment too. One does not accidentally prepare a zip file with a malicious exe and xubuntu-specific language, upload it to a server, and point a torrent link at it.
> Calling this a "slip-up" is an outrageous downplay. If anything this makes me suspicious of the moderator who posted the comment too.
You're making an assumption that this moderator is anything more than a Xubuntu enthusiast who wants to downplay outrage on Reddit. Keep in mind Xubuntu is mostly a community effort, not a large corporation with seniors who know how to handle this "best".
I am not making any assumptions, you are failing to do research.
Start by googling the username of the account. They are the Xubuntu Marketing and Website lead. This is the domain they are responsible for and, given their long history, they should know better.
This sort of thing must risk harming Canonical's reputation, so you'd think they'd want to use whatever leverage they have to enforce better practices.
It is an official flavor[1], that is, maintained as a community effort, but endorsed by Ubuntu. The related packages are hosted in Ubuntu's universe repository[2]. There is indeed a risk of reputation damage.
>Keep in mind Xubuntu is mostly a community effort, not a large corporation with seniors who know how to handle this "best".
which is why the whole distro zoo and "stick it to the man" theatre has always been a nightmare. Running some barely maintained operating system that is an nth-degree spin-off is like buying a pacemaker from craigslist. The people who go "I don't trust Canonical/Google" and then go download some binary blob browser fork/OS uploaded by an anonymous guy from the internet is way too large.
> which is why the whole distro zoo and "stick it to the man" theatre has always been a nightmare.
The real obnoxiousness is that Ubuntu doesn't keep these desktop and otherwise specialized variants partially in-house like they once did. It isn't like they don't have the money or the staff. It's just not part of their world takeover plan anymore; no deviation allowed.
Just get away from Ubuntu, install Debian, and choose XFCE when installing. Please.
On the other hand, there are far few developers working on XFCE compared to desktop environments like KDE or gnome. The more obscure places might be better places to hide malware, nobody would notice, unlike in XUbuntu.
Indeed that is a suspicious or at least untrustworthy way to deflect the seriousness of a malware infection that potentially affects all users of an OS distribution.
From what I understood, it's the torrent link that downloads a compromised zip file rather then the authentic image:
"Torrent downloads over at https://xubuntu.org/download/ are serving a zip file with a suspicious exe and a tos.txt inside. The TOS starts with Copyright (c) 2026 Xubuntu.org which is sus, because it is 2025. I opened the .exe with file-roller and couldn't find any .torrent inside."
Generally speaking, a signature is cryptographically signed, when a checksum value is encrypted with the owners private key. The according public key should ideally be distributed in a chain-of-trust, so it can be obtained through a trusted channel.
We are in a perpetual loop of inefficient check methods, a bunch of steps, rediscovering what a supply chain attack is, a bunch of steps and just loop back over again.
This url is on the main Xubuntu website, under "Xubuntu 24.04": click "Release page," then select United States. From there, you download the following files: SHA256SUMS, SHA256SUMS.gpg, xubuntu-24.04.3-desktop-amd64.iso
The output of the other checksum commands is shown here:
[user@host]$ gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS
gpg: Signature made Thu 07 Aug 2025 06:05:22 AM CDT
gpg: using RSA key 843938DF228D22F7B3742BC0D94AA3F0EFE21092
gpg: Can't check signature: No public key
[user@host]$ sha256sum --check SHA256SUMS
xubuntu-24.04.3-desktop-amd64.iso: OK
(output omitted for results of Xubuntu minimal version, which was not downloaded)
The checksum is a cryptographic hash generated from the ISO file's contents. While the checksum for a specific, unchanged ISO file is fixed, the checksum that is published on a website could be deliberately altered by an attacker to hide a modified, malicious ISO.
If an attacker can upload a compromised ISO I assume they can also upload a compromised checksum? In the age of https downloads — where the payload cannot be modified in transit — it never made sense to me why ISO checksums are a thing. For checksums to actually do anything there needs to be a chain of trust back to a trusted entity.
Lots of small, volunteer-run, low/zero-budget open-source projects cannot afford to pay for the server/CDN bandwidth they would need to host all their binary artifacts (ISOs, packages, etc.). They end up relying on mirrors provided for free by third parties instead. By publishing the checksums, they allow you to verify that the ISO image you downloaded from some mirror is the same one that they originally published.
It can fail mid-way of course, but it really shouldn't corrupt in any other way. HTTPS is authenticated after all and malicious manipulation is harder to defend against than accidental corruption. But this is reality and you can have bugs and errors outside the transport of course. Your file system could corrupt data, your drive could be bad etc.
For security you want signatures with a known, trusted key.
With these reports, I always wonder - do people really keep their software wallets on a machine they use every day? Personally I keep it on a laptop that is used just for that and it never occurred to me any other options is viable.
What scared me in that thread was the mention of the fake lubuntu site that is still up since someone took over the old domain last year(?). I downloaded and installed lubuntu just some week ago. Luckily I am pretty sure I downloaded it from the real site. The fake one only has downloads up to 19.04 or something.
Have not installed Lubuntu in a few years, so never noticed any of the news of the domain change and take-over. Did not really find anything more about it when searching today?
Thanks for this link. Opening reddit links on mobile is very frustrating for me because it opens the app and messes with the browser back button for me. Not sure if others have that problem too.
On iOS Safari, long-press the link and select Open (or Open in Background). That will open the link in the browser instead of in the app, and Safari will remember that preference for the app. Select Open in Reddit to revert.
That's because you're not supposed to open reddit links anymore, you can just share your content directly with AI companies and ad brokers and cut out the middleman.
On Android "Redreader" is the only third-party Reddit app that somehow survived the third-party-app-purge. Still free and open source, and much more pleasant than the official one.
Thanks for this, I was resorting to creating a PWA on old reddit (which has horrible ergonomics for mobile) per subreddit (you can't rename them so I remember which is which by position) thinking all the reddit clients that don't require login are gone.
I'm a grovelling Linux fiend and usually support related posts. I tried to visit the url and saw it was blocked. Didn't want the post to die so archived it asap.
Note too, that NextDNS blocks archive.is et al by default unless you manually add redirects.
I’ve noticed that even on VPNs, US exit points sometimes block archive.is. Not sure if that is DNS related or what. Non-US VPN exit points don’t seem to be blocked at those times that the site navigation fails on US ones.
I believe NextDNS is headquartered in the US, which may be related to the site nav issues we’re both experiencing.
Curiously, uBlock Origin and my blocklists seem to block content on archive.is from loading from mail.ru, which may be related to the blocks, but I have never heard anyone on HN or elsewhere mention this, so I am, so that it can be known and explained if any explanation exists for why mail.ru scripts on archive.is are present. I don’t seem to see those scripts on the Tor version of archive.today, which archive.is is a mirror of today; apparently the original domain is the .is one, in any case.
Consider my curiousity piqued!
(More info about the archive.is|.today mirrors including the Tor site are on the Wikipedia entry for the site:
In reality, if Microsoft Defender (Security or whatever the name is) can detect it (which does in this case), it means it is flagged on most target users' machine.
Of course, there are people who disable built-in security scanning and don't use another antivirus software, and that's on them.
But nobody wants to talk about true security. For example, why does a Python module that renders progress bars (for example) need my full trust about what it does to the rest of my system? Etc.
Jia Tan with the XZ backdoor was caught because some performance obsessed person noticed a tiny delay... I'm sure they learned their lesson and are ensuring their next backdoor doesn't impact performance.
That is the insidious question - how many parallel efforts were/are in play when xz was going down? Surely that was not the only long term plan to compromise an "unrelated" component of system security. The Jia Tan organization might have already inserted back doors into dozens of different projects by now.
Sure, but realistically, how many of us right here have state level actors in our threat models? I sure don't, because it'd be impossible to live a normal life then.
But state level actors could target you, so you should immediately abandon any hope of privacy, disable your ad blockers, stop using Signal, install Windows 11, cease any complaints about the government, and eat the bugs.
Nobody spends energy worrying that the universe is an evil compiler that warps reality specifically to target us. Because 1) it's unlikely, and 2) if it were true there's no change in defensive posture that would help. It's the same for most individuals when considering being targeted by state actors. Unlikely, and not defensible, so no point hand wringing.
"Nobody spends energy worrying that the universe is an evil compiler that warps reality specifically to target us"
I have not heard that specific scenario yet, but indeed quite similar ones from very depressed/mentally ill people. Basically that the whole universe was created to torture them specifically. (Probably there is even a medical term for that)
But yes, a sane person should rather be concerned to not fall scam to one of the various criminal groups. That is a real cyber threat for most people and companies.
So minding basic security helps, even if the NSA will likely get past that in no time.
Also, no state-actor would ever blow an immensely costly and rare backdoor like that on us peasants here. Even, if you would threaten to kill all the puppies. That's the sort of thing they reserve for state-level shenanigans, 100% targeting servers, infrastructure and industry, not individuals.
Though, I also doubt, they would just shelve these epic exploits, since a universal Linux backdoor likely puts themself at risk too, unless you can pull off a grand conspiracy, or deliver patched packages to your own people without questions asked. Maybe a completely locked down country like North Korea could do it. I doubt many other countries got an incentive, unless in preparation of a specific attack.
Official, popular, longstanding (20 years!) Linux distro is clearly distributing "a virus" via an official repo, with nothing about the danger on its website?
Linux mantra: Nothing wrong here, and if there is, someone will fix it eventually, probably, maybe..
On second thought, Qubes OS does not prevent such types of malicious downloads; it can also happen to Qubes images. Verify your downloads with checksums and cryptographic signatures [2].
On second thought, Qubes OS does not prevent such types of malicious downloads; it can also happen to Qubes images. Verify your downloads with checksums and cryptographic signatures [1].
Yes indeed. Qubes has a good article on verifying distribution images not only with checksums but also with cryptographic signatures that verify the checksum files [1].
The idea (outlined in the QubesOS documentation) is to clone the git repo of their website, verify the PGP commit signatures, then render the website yourself. Then you can be reasonably sure the website is legitimate, modulo a DoS attack stopping you from receiving updates to the website code, I suppose.
Getting the correct PGP public key appears to be an exercise left to the reader, but if you are already running e.g. Fedora, you can view the packaged QubesOS distro keys distributed by your current OS, cross-reference that with a second source such as a PGP keyserver, and unless you're being Mossaded upon you're probably good if they match.
the malware's main function seems to be to check the clipboard for crypto wallet addresses and then replace them with attacker addresses:
can't guarantee it doesn't do anything else.Isn't possible to check in the block chain to check if the attacker is actually receiving money? Just curious how much money ine makes with such attacks.
Here is the BTC and ETH address for convenience for anyone who wants to check: https://mempool.space/address/bc1qrzh7d0yy8c3arqxc23twkjujxx... https://etherscan.io/address/0x10A8B2e2790879FFCdE514DdE615b...
They are empty as of now.
I just checked all wallets, they're all empty with no recent transactions.
As soon as I saw the headline, I assumed something of this sort. Maybe it's naive, but I miss the days when you could just trust (however unfounded) open source software. I never had to hesitate before downloading a distro or a package. Now I only install something if I absolutely need it.
[flagged]
You could argue that if not crypto, it would have been something else eventually, and that the heightened vigilance it has necessitated has made it more difficult for other motivated attackers (like state actors) to backdoor or compromise OSS. But as someone who doesn't use crypto, I completely get the "f*ck crypto" sentiment.
stealing other data is less lucrative. i'm not confident someone could empty my bank account even with my username/password
other data is less lucrative than the $0 sitting in those static attacker wallets?
i think you're comparing apples and oranges. that they have so far failed to steal any coins does not mean anything with regards to this discussion
I don't know how familiar you are with the sheer scope of malware, black markets, data theft, various extortion techniques, but gaining the ability to drop an arbitrary .exe on Xubuntu.org and actually direct enough traffic to it that people notice it is worth a LOT more than $0.
The value of your labor is being systemically destroyed through deliberate currency manipulation by the US Federal Reserve, in conjunction with the US Government and US Treasury.
You are more than twice as productive as your equivalent 1971 counterpart, but relative to inflation, he was being paid about the same as you. You make your employer twice as much money as he did but you're not rewarded twice as much.
Five, ten, twenty years from now, when the trend that has been visible in the data since the 1970s is complete, and your labor has no value at all, are you going to be okay?
The people who spent large majorities of their income accumulating scarce stores of value (gold, bitcoin, housing, profitable businesses, land, etc) are going to be fine.
It's also very practical to allow open air corruption of highest level government elected officials.
There's a sticked comment on the source thread: https://old.reddit.com/r/xubuntu/comments/1oa43gt/xubuntuorg...
> Thanks everyone. We're beholden to our hosting environment for upgrades and it looks like there was a bit of a slip-up here. It's being worked on, but for now the Downloads page is disabled.
Calling this a "slip-up" is an outrageous downplay. If anything this makes me suspicious of the moderator who posted the comment too. One does not accidentally prepare a zip file with a malicious exe and xubuntu-specific language, upload it to a server, and point a torrent link at it.
> Calling this a "slip-up" is an outrageous downplay. If anything this makes me suspicious of the moderator who posted the comment too.
You're making an assumption that this moderator is anything more than a Xubuntu enthusiast who wants to downplay outrage on Reddit. Keep in mind Xubuntu is mostly a community effort, not a large corporation with seniors who know how to handle this "best".
I am not making any assumptions, you are failing to do research.
Start by googling the username of the account. They are the Xubuntu Marketing and Website lead. This is the domain they are responsible for and, given their long history, they should know better.
I used to be responsible for the Xubuntu.org website, way back when. I was a teenager back then.
Which is to say, I'm fairly sure that they're still just a volunteer community member.
To what extent is Xubuntu affiliated with Ubuntu?
This sort of thing must risk harming Canonical's reputation, so you'd think they'd want to use whatever leverage they have to enforce better practices.
It is an official flavor[1], that is, maintained as a community effort, but endorsed by Ubuntu. The related packages are hosted in Ubuntu's universe repository[2]. There is indeed a risk of reputation damage.
1. https://ubuntu.com/desktop/flavors
2. https://packages.ubuntu.com/search?keywords=xubuntu-desktop
>Keep in mind Xubuntu is mostly a community effort, not a large corporation with seniors who know how to handle this "best".
which is why the whole distro zoo and "stick it to the man" theatre has always been a nightmare. Running some barely maintained operating system that is an nth-degree spin-off is like buying a pacemaker from craigslist. The people who go "I don't trust Canonical/Google" and then go download some binary blob browser fork/OS uploaded by an anonymous guy from the internet is way too large.
> which is why the whole distro zoo and "stick it to the man" theatre has always been a nightmare.
The real obnoxiousness is that Ubuntu doesn't keep these desktop and otherwise specialized variants partially in-house like they once did. It isn't like they don't have the money or the staff. It's just not part of their world takeover plan anymore; no deviation allowed.
Just get away from Ubuntu, install Debian, and choose XFCE when installing. Please.
On the other hand, there are far few developers working on XFCE compared to desktop environments like KDE or gnome. The more obscure places might be better places to hide malware, nobody would notice, unlike in XUbuntu.
> looks like there was a bit of a slip-up
Indeed that is a suspicious or at least untrustworthy way to deflect the seriousness of a malware infection that potentially affects all users of an OS distribution.
Either way, nobody should use this distro ever again. It should be forked from a known good commit under a new maintainer.
Mistakes were made!
I heard tings
Calling this "a bit of a slip-up" while neither confirming nor denying the presence of malware is weird at best and incredibly suspicious at worst.
I ran the checksum for the current ISO file of the full Xubuntu desktop version on the Xubuntu website, and the checksum appears to be valid.
https://mirror.us.leaseweb.net/ubuntu-cdimage/xubuntu/releas...
[user@host]$ ls
SHA256SUMS SHA256SUMS.gpg xubuntu-24.04.3-desktop-amd64.iso
[user@host]$ cat SHA256SUMS
b61e083d8a5ab003bad6ef7ea31ec21d7bfdf19b99d75987ab3fa3bbe85ec1bf *xubuntu-24.04.3-desktop-amd64.iso
[user@host]$ sha256sum xubuntu-24.04.3-desktop-amd64.iso
b61e083d8a5ab003bad6ef7ea31ec21d7bfdf19b99d75987ab3fa3bbe85ec1bf xubuntu-24.04.3-desktop-amd64.iso
[user@host]$ echo $?
0
From what I understood, it's the torrent link that downloads a compromised zip file rather then the authentic image:
"Torrent downloads over at https://xubuntu.org/download/ are serving a zip file with a suspicious exe and a tos.txt inside. The TOS starts with Copyright (c) 2026 Xubuntu.org which is sus, because it is 2025. I opened the .exe with file-roller and couldn't find any .torrent inside."
> opened the .exe with file-roller
... This is a thing?
don't know about file roller but you can do this in 7-zip to peek at self-extracting archives
And where did you get the reference SHA256SUMS from ? Did you check the gpg signature on them against a good sig from somewhere?
According to the SHA256SUMS from Canonical's official download page at https://cdimage.ubuntu.com/xubuntu/releases/24.04.3/release/ that is the correct checksum.
Good Point. The checksums posted on Xubuntu.org could also compromised.
how does one know any signature they find is "good"?
Generally speaking, a signature is cryptographically signed, when a checksum value is encrypted with the owners private key. The according public key should ideally be distributed in a chain-of-trust, so it can be obtained through a trusted channel.
If you're using a Debian derivative these keys should be in packages distributed with your distro with trust coming from that
We are in a perpetual loop of inefficient check methods, a bunch of steps, rediscovering what a supply chain attack is, a bunch of steps and just loop back over again.
I downloaded the checksums and the ISO image from the Xubuntu website: https://mirror.us.leaseweb.net/ubuntu-cdimage/xubuntu/releas...
This url is on the main Xubuntu website, under "Xubuntu 24.04": click "Release page," then select United States. From there, you download the following files: SHA256SUMS, SHA256SUMS.gpg, xubuntu-24.04.3-desktop-amd64.iso
The output of the other checksum commands is shown here:
[user@host]$ gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS
gpg: Signature made Thu 07 Aug 2025 06:05:22 AM CDT
gpg: using RSA key 843938DF228D22F7B3742BC0D94AA3F0EFE21092
gpg: Can't check signature: No public key
[user@host]$ sha256sum --check SHA256SUMS
xubuntu-24.04.3-desktop-amd64.iso: OK
(output omitted for results of Xubuntu minimal version, which was not downloaded)
The checksum is a cryptographic hash generated from the ISO file's contents. While the checksum for a specific, unchanged ISO file is fixed, the checksum that is published on a website could be deliberately altered by an attacker to hide a modified, malicious ISO.
If an attacker can upload a compromised ISO I assume they can also upload a compromised checksum? In the age of https downloads — where the payload cannot be modified in transit — it never made sense to me why ISO checksums are a thing. For checksums to actually do anything there needs to be a chain of trust back to a trusted entity.
Mirrors.
Lots of small, volunteer-run, low/zero-budget open-source projects cannot afford to pay for the server/CDN bandwidth they would need to host all their binary artifacts (ISOs, packages, etc.). They end up relying on mirrors provided for free by third parties instead. By publishing the checksums, they allow you to verify that the ISO image you downloaded from some mirror is the same one that they originally published.
> In the age of https downloads — where the payload cannot be modified in transit — it never made sense to me why ISO checksums are a thing.
Is there no way a download over HTTPS can be corrupted non-maliciously, or can fail to complete?
It can fail mid-way of course, but it really shouldn't corrupt in any other way. HTTPS is authenticated after all and malicious manipulation is harder to defend against than accidental corruption. But this is reality and you can have bugs and errors outside the transport of course. Your file system could corrupt data, your drive could be bad etc.
For security you want signatures with a known, trusted key.
With these reports, I always wonder - do people really keep their software wallets on a machine they use every day? Personally I keep it on a laptop that is used just for that and it never occurred to me any other options is viable.
What scared me in that thread was the mention of the fake lubuntu site that is still up since someone took over the old domain last year(?). I downloaded and installed lubuntu just some week ago. Luckily I am pretty sure I downloaded it from the real site. The fake one only has downloads up to 19.04 or something.
Have not installed Lubuntu in a few years, so never noticed any of the news of the domain change and take-over. Did not really find anything more about it when searching today?
if you use ublock origin you should be OK, it warns you when you try to access lubuntu.net
oddly, the one "sus" thing flagged -- a " (C) 2026 " late in 2025 -- is consistent with practices of established book publishers.
I recall purchasing a textbook in September of year X and being surprised that it was "from the future" with a "Copyright X+1".
fortunately, in this case, it seems like the malware may be moot if you use the iso to wipe your windows installation...
But if you just try the live ISO and go back to your Windows without installing, you're infected? Seems like someone wants users to switch to Linux :P
Red Pill Linux
https://web.archive.org/web/20251019143921/https://old.reddi...
Thanks for this link. Opening reddit links on mobile is very frustrating for me because it opens the app and messes with the browser back button for me. Not sure if others have that problem too.
My solution is just to uninstall the app
On iOS Safari, long-press the link and select Open (or Open in Background). That will open the link in the browser instead of in the app, and Safari will remember that preference for the app. Select Open in Reddit to revert.
Also, don’t install the app? Use Sink It instead: https://gosinkit.com/
That's because you're not supposed to open reddit links anymore, you can just share your content directly with AI companies and ad brokers and cut out the middleman.
I had the same idea about the britcard - why doesn't the government just buy the information from the ad brokers?
On Android "Redreader" is the only third-party Reddit app that somehow survived the third-party-app-purge. Still free and open source, and much more pleasant than the official one.
Would definitely recommend.
Thanks for this, I was resorting to creating a PWA on old reddit (which has horrible ergonomics for mobile) per subreddit (you can't rename them so I remember which is which by position) thinking all the reddit clients that don't require login are gone.
Try pressing on the original link and opening it in another tab, that usually bypasses opening the app for me.
For the moment "yesterday for old reddit" on firefox android works quite well.
I'm a grovelling Linux fiend and usually support related posts. I tried to visit the url and saw it was blocked. Didn't want the post to die so archived it asap.
Note too, that NextDNS blocks archive.is et al by default unless you manually add redirects.
Whatta world
I’ve noticed that even on VPNs, US exit points sometimes block archive.is. Not sure if that is DNS related or what. Non-US VPN exit points don’t seem to be blocked at those times that the site navigation fails on US ones.
I believe NextDNS is headquartered in the US, which may be related to the site nav issues we’re both experiencing.
Curiously, uBlock Origin and my blocklists seem to block content on archive.is from loading from mail.ru, which may be related to the blocks, but I have never heard anyone on HN or elsewhere mention this, so I am, so that it can be known and explained if any explanation exists for why mail.ru scripts on archive.is are present. I don’t seem to see those scripts on the Tor version of archive.today, which archive.is is a mirror of today; apparently the original domain is the .is one, in any case.
Consider my curiousity piqued!
(More info about the archive.is|.today mirrors including the Tor site are on the Wikipedia entry for the site:
https://en.wikipedia.org/wiki/Archive.today
archiveiya74codqgiixo33q62qlrqtkgmcitqx5u2oeqnmn5bpcbiyd.onion )
Somebody did sneak a wayland compositor for xfce???
:P
Well actually...
https://wiki.xfce.org/releng/wayland_roadmap
Let's not kid ourselves. A state level actor who is playing the long game can compromise any distro, package, etc. without us knowing about it.
That kind of defeatism isn’t helpful.
The present case also just seems malware easily detected by VirusTotal: https://old.reddit.com/r/xubuntu/comments/1oa43gt/xubuntuorg...
Look at all the mainstream scanners that failed to detect it!
In reality, if Microsoft Defender (Security or whatever the name is) can detect it (which does in this case), it means it is flagged on most target users' machine.
Of course, there are people who disable built-in security scanning and don't use another antivirus software, and that's on them.
That’s pretty normal in my experience. That’s why you check with VirusTotal instead of a single “mainstream” scanner.
Sticking-your-head-in-the-sand-ism isn't helpful either.
But nobody wants to talk about true security. For example, why does a Python module that renders progress bars (for example) need my full trust about what it does to the rest of my system? Etc.
> why does a Python module that renders progress bars (for example) need my full trust about what it does to the rest of my system?
tqdm is pure Python and available as a wheel. Or is this a general complaint about sandboxing others' code at runtime?
What's the term for the fallacy that this problem can be ignored because that problem is so much worse?
Sorry, patient, why are we talking about setting your broken arm when you are genetically predisposed to cancer that's going to kill you anyway?
It is the "fallacy of relative privation", for the record.
Nobody said the problem could be ignored ...
Jia Tan with the XZ backdoor was caught because some performance obsessed person noticed a tiny delay... I'm sure they learned their lesson and are ensuring their next backdoor doesn't impact performance.
That is the insidious question - how many parallel efforts were/are in play when xz was going down? Surely that was not the only long term plan to compromise an "unrelated" component of system security. The Jia Tan organization might have already inserted back doors into dozens of different projects by now.
Sure, but realistically, how many of us right here have state level actors in our threat models? I sure don't, because it'd be impossible to live a normal life then.
As Stuxnet showed us, you don't need to run a nuclear program to be infected by malware developed by state level actors.
But state level actors could target you, so you should immediately abandon any hope of privacy, disable your ad blockers, stop using Signal, install Windows 11, cease any complaints about the government, and eat the bugs.
How would you know?
Don't most of us know what's in our threat model?
Nobody spends energy worrying that the universe is an evil compiler that warps reality specifically to target us. Because 1) it's unlikely, and 2) if it were true there's no change in defensive posture that would help. It's the same for most individuals when considering being targeted by state actors. Unlikely, and not defensible, so no point hand wringing.
"Nobody spends energy worrying that the universe is an evil compiler that warps reality specifically to target us"
I have not heard that specific scenario yet, but indeed quite similar ones from very depressed/mentally ill people. Basically that the whole universe was created to torture them specifically. (Probably there is even a medical term for that)
But yes, a sane person should rather be concerned to not fall scam to one of the various criminal groups. That is a real cyber threat for most people and companies.
So minding basic security helps, even if the NSA will likely get past that in no time.
Also, no state-actor would ever blow an immensely costly and rare backdoor like that on us peasants here. Even, if you would threaten to kill all the puppies. That's the sort of thing they reserve for state-level shenanigans, 100% targeting servers, infrastructure and industry, not individuals.
Though, I also doubt, they would just shelve these epic exploits, since a universal Linux backdoor likely puts themself at risk too, unless you can pull off a grand conspiracy, or deliver patched packages to your own people without questions asked. Maybe a completely locked down country like North Korea could do it. I doubt many other countries got an incentive, unless in preparation of a specific attack.
Which state actor? Not all pigs are equal.
Your comment reflects that truth.
"Linux doesn't get viruses"
Since Xubuntu inception a decade ago, facts certainly have changed!
Well, the virus in this case is a Windows executable targeted at Windows users trying to download Linux...
Official, popular, longstanding (20 years!) Linux distro is clearly distributing "a virus" via an official repo, with nothing about the danger on its website?
Linux mantra: Nothing wrong here, and if there is, someone will fix it eventually, probably, maybe..
A regrettable sign of Linux success
That is why I use Qubes OS [1] in order to have a certain peace of mind.
[1] https://www.qubes-os.org/
EDIT: further comment below:
On second thought, Qubes OS does not prevent such types of malicious downloads; it can also happen to Qubes images. Verify your downloads with checksums and cryptographic signatures [2].
[2] https://doc.qubes-os.org/en/latest/project-security/verifyin...
On second thought, Qubes OS does not prevent such types of malicious downloads; it can also happen to Qubes images. Verify your downloads with checksums and cryptographic signatures [1].
[1] https://doc.qubes-os.org/en/latest/project-security/verifyin...
qubes is just as vulnerable as xubuntu in this case (poor website security) no?
Yes indeed. Qubes has a good article on verifying distribution images not only with checksums but also with cryptographic signatures that verify the checksum files [1].
[1] https://doc.qubes-os.org/en/latest/project-security/verifyin...
But aren't you still trusting the website for instructions about how to verify the cryptographic signatures?
It's a standard procedure that could be learned in many other ways.
The idea (outlined in the QubesOS documentation) is to clone the git repo of their website, verify the PGP commit signatures, then render the website yourself. Then you can be reasonably sure the website is legitimate, modulo a DoS attack stopping you from receiving updates to the website code, I suppose.
Getting the correct PGP public key appears to be an exercise left to the reader, but if you are already running e.g. Fedora, you can view the packaged QubesOS distro keys distributed by your current OS, cross-reference that with a second source such as a PGP keyserver, and unless you're being Mossaded upon you're probably good if they match.
Check a history on archive.org and validate the checksum wasnt changed to be the potentially malicious iso?
Its not perfect... but its better than nothing.
so.. same a linux mint / xubuntu?