Xubuntu.org Might Be Compromised

(old.reddit.com)

222 points | by kekqqq 4 hours ago

12 comments

  • retsl 2 hours ago
    the malware's main function seems to be to check the clipboard for crypto wallet addresses and then replace them with attacker addresses:

      Bitcoin (bc1): bc1qrzh7d0yy8c3arqxc23twkjujxxaxcm08uqh60v
      Litecoin (ltc1/L/M): LQ4B4aJqUH92BgtDseWxiCRn45Q8eHzTkH
      Ethereum (0x): 0x10A8B2e2790879FFCdE514DdE615b4732312252D
      Dogecoin (D): DQzrwvUJTXBxAbYiynzACLntrY4i9mMs7D
      Tron (T): TW93HYbyptRYsXj1rkHWyVUpps2anK12hg
      Ripple (r): r9vQFVwRxSkpFavwA9HefPFkWaWBQxy4pU
      Cardano (addr1): addr1q9atfml5cew4hx0z09xu7mj7fazv445z4xyr5gtqh6c9p4r6knhlf3jatwv7y72deah9un6yettg92vg8gskp04s2r2qren6tw
    
    can't guarantee it doesn't do anything else.
    • riedel 1 hour ago
Isn't it possible to check the blockchain to see if the attacker is actually receiving money? Just curious how much money one makes with such attacks.
    • anonnon 1 hour ago
      As soon as I saw the headline, I assumed something of this sort. Maybe it's naive, but I miss the days when you could just trust (however unfounded) open source software. I never had to hesitate before downloading a distro or a package. Now I only install something if I absolutely need it.
      • oofbey 1 hour ago
        But crypto is such a powerful force for good helping the underprivileged unbanked and govt overreach. /s
        • lta 12 minutes ago
          It's also very practical to allow open air corruption of highest level government elected officials.
        • anonym29 36 minutes ago
          The value of your labor is being systemically destroyed through deliberate currency manipulation by the US Federal Reserve, in conjunction with the US Government and US Treasury.

          You are more than twice as productive as your equivalent 1971 counterpart, but relative to inflation, he was being paid about the same as you. You make your employer twice as much money as he did but you're not rewarded twice as much.

          Five, ten, twenty years from now, when the trend that has been visible in the data since the 1970s is complete, and your labor has no value at all, are you going to be okay?

          The people who spent large majorities of their income accumulating scarce stores of value (gold, bitcoin, housing, profitable businesses, land, etc) are going to be fine.

        • anonnon 48 minutes ago
          You could argue that if not crypto, it would have been something else eventually, and that the heightened vigilance it has necessitated has made it more difficult for other motivated attackers (like state actors) to backdoor or compromise OSS. But as someone who doesn't use crypto, I completely get the "f*ck crypto" sentiment.
          • brokensegue 37 minutes ago
            stealing other data is less lucrative. i'm not confident someone could empty my bank account even with my username/password
            • anonym29 27 minutes ago
              other data is less lucrative than the $0 sitting in those static attacker wallets?
              • brokensegue 26 minutes ago
                i think you're comparing apples and oranges. that they have so far failed to steal any coins does not mean anything with regards to this discussion
                • anonym29 4 minutes ago
                  I don't know how familiar you are with the sheer scope of malware, black markets, data theft, various extortion techniques, but gaining the ability to drop an arbitrary .exe on Xubuntu.org and actually direct enough traffic to it that people notice it is worth a LOT more than $0.
  • crtasm 3 hours ago
There's a stickied comment on the source thread: https://old.reddit.com/r/xubuntu/comments/1oa43gt/xubuntuorg...
    • hamdingers 3 hours ago
      > Thanks everyone. We're beholden to our hosting environment for upgrades and it looks like there was a bit of a slip-up here. It's being worked on, but for now the Downloads page is disabled.

      Calling this a "slip-up" is an outrageous downplay. If anything this makes me suspicious of the moderator who posted the comment too. One does not accidentally prepare a zip file with a malicious exe and xubuntu-specific language, upload it to a server, and point a torrent link at it.

      • OsrsNeedsf2P 2 hours ago
        > Calling this a "slip-up" is an outrageous downplay. If anything this makes me suspicious of the moderator who posted the comment too.

        You're making an assumption that this moderator is anything more than a Xubuntu enthusiast who wants to downplay outrage on Reddit. Keep in mind Xubuntu is mostly a community effort, not a large corporation with seniors who know how to handle this "best".

        • hamdingers 1 hour ago
          I am not making any assumptions, you are failing to do research.

          Start by googling the username of the account. They are the Xubuntu Marketing and Website lead. This is the domain they are responsible for and, given their long history, they should know better.

          • Vinnl 1 hour ago
            I used to be responsible for the Xubuntu.org website, way back when. I was a teenager back then.

            Which is to say, I'm fairly sure that they're still just a volunteer community member.

          • roryirvine 1 hour ago
            To what extent is Xubuntu affiliated with Ubuntu?

            This sort of thing must risk harming Canonical's reputation, so you'd think they'd want to use whatever leverage they have to enforce better practices.

        • Barrin92 1 hour ago
          >Keep in mind Xubuntu is mostly a community effort, not a large corporation with seniors who know how to handle this "best".

which is why the whole distro zoo and "stick it to the man" theatre has always been a nightmare. Running some barely maintained operating system that is an nth-degree spin-off is like buying a pacemaker from craigslist. The number of people who go "I don't trust Canonical/Google" and then go download some binary blob browser fork/OS uploaded by an anonymous guy from the internet is way too large.

      • lioeters 2 hours ago
        > looks like there was a bit of a slip-up

        Indeed that is a suspicious or at least untrustworthy way to deflect the seriousness of a malware infection that potentially affects all users of an OS distribution.

        • zarzavat 2 hours ago
          Either way, nobody should use this distro ever again. It should be forked from a known good commit under a new maintainer.
      • justin66 2 hours ago
        Mistakes were made!
        • mito88 1 hour ago
          I heard tings
    • LambdaComplex 3 hours ago
      Calling this "a bit of a slip-up" while neither confirming nor denying the presence of malware is weird at best and incredibly suspicious at worst.
  • diogenes_atx 3 hours ago
    I ran the checksum for the current ISO file of the full Xubuntu desktop version on the Xubuntu website, and the checksum appears to be valid.

    https://mirror.us.leaseweb.net/ubuntu-cdimage/xubuntu/releas...

    [user@host]$ ls
    SHA256SUMS SHA256SUMS.gpg xubuntu-24.04.3-desktop-amd64.iso
    [user@host]$ cat SHA256SUMS
    b61e083d8a5ab003bad6ef7ea31ec21d7bfdf19b99d75987ab3fa3bbe85ec1bf *xubuntu-24.04.3-desktop-amd64.iso
    [user@host]$ sha256sum xubuntu-24.04.3-desktop-amd64.iso
    b61e083d8a5ab003bad6ef7ea31ec21d7bfdf19b99d75987ab3fa3bbe85ec1bf xubuntu-24.04.3-desktop-amd64.iso
    [user@host]$ echo $?
    0

    • zvmaz 3 hours ago
From what I understood, it's the torrent link that downloads a compromised zip file rather than the authentic image:

      "Torrent downloads over at https://xubuntu.org/download/ are serving a zip file with a suspicious exe and a tos.txt inside. The TOS starts with Copyright (c) 2026 Xubuntu.org which is sus, because it is 2025. I opened the .exe with file-roller and couldn't find any .torrent inside."

    • __turbobrew__ 2 hours ago
      If an attacker can upload a compromised ISO I assume they can also upload a compromised checksum? In the age of https downloads — where the payload cannot be modified in transit — it never made sense to me why ISO checksums are a thing. For checksums to actually do anything there needs to be a chain of trust back to a trusted entity.
      • kbolino 52 minutes ago
        Mirrors.

        Lots of small, volunteer-run, low/zero-budget open-source projects cannot afford to pay for the server/CDN bandwidth they would need to host all their binary artifacts (ISOs, packages, etc.). They end up relying on mirrors provided for free by third parties instead. By publishing the checksums, they allow you to verify that the ISO image you downloaded from some mirror is the same one that they originally published.

      • normie3000 1 hour ago
        > In the age of https downloads — where the payload cannot be modified in transit — it never made sense to me why ISO checksums are a thing.

        Is there no way a download over HTTPS can be corrupted non-maliciously, or can fail to complete?

    • trebligdivad 3 hours ago
      And where did you get the reference SHA256SUMS from ? Did you check the gpg signature on them against a good sig from somewhere?
      • ntoskrnl_exe 3 hours ago
        According to the SHA256SUMS from Canonical's official download page at https://cdimage.ubuntu.com/xubuntu/releases/24.04.3/release/ that is the correct checksum.
      • tuhgdetzhh 3 hours ago
Good point. The checksums posted on Xubuntu.org could also be compromised.
      • ranger_danger 2 hours ago
        how does one know any signature they find is "good"?
        • _def 2 hours ago
Generally speaking, a signature is cryptographically signed when a checksum value is encrypted with the owner's private key. The corresponding public key should ideally be distributed in a chain of trust, so it can be obtained through a trusted channel.
        • kwk1 1 hour ago
If you're using a Debian derivative, these keys should be in packages distributed with your distro, with trust coming from that.
        • SV_BubbleTime 2 hours ago
          We are in a perpetual loop of inefficient check methods, a bunch of steps, rediscovering what a supply chain attack is, a bunch of steps and just loop back over again.
      • diogenes_atx 3 hours ago
        I downloaded the checksums and the ISO image from the Xubuntu website: https://mirror.us.leaseweb.net/ubuntu-cdimage/xubuntu/releas...

        This url is on the main Xubuntu website, under "Xubuntu 24.04": click "Release page," then select United States. From there, you download the following files: SHA256SUMS, SHA256SUMS.gpg, xubuntu-24.04.3-desktop-amd64.iso

        The output of the other checksum commands is shown here:

        [user@host]$ gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS
        gpg: Signature made Thu 07 Aug 2025 06:05:22 AM CDT
        gpg: using RSA key 843938DF228D22F7B3742BC0D94AA3F0EFE21092
        gpg: Can't check signature: No public key
        [user@host]$ sha256sum --check SHA256SUMS
        xubuntu-24.04.3-desktop-amd64.iso: OK

        (output omitted for results of Xubuntu minimal version, which was not downloaded)

        The checksum is a cryptographic hash generated from the ISO file's contents. While the checksum for a specific, unchanged ISO file is fixed, the checksum that is published on a website could be deliberately altered by an attacker to hide a modified, malicious ISO.
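
In the two sessions above, sha256sum reports OK while gpg could not check the signature, so the hash only proves the file matches an unauthenticated list served by the same mirror. As an added example (not code from the thread, nor from Xubuntu or Ubuntu), this POSIX shell script performs the steps in the order that matters: the signature against a pinned keyring first, the hash second. The keyring path is an assumption (the ubuntu-keyring package on Debian/Ubuntu systems); elsewhere import the key with the fingerprint shown above through a channel you trust and point UBUNTU_KEYRING at it.

```shell
#!/bin/sh
# Added example, not code from the thread or from Xubuntu/Ubuntu.
# Verifies a downloaded ISO in the right order: signature first, hash second.
set -eu

# ASSUMPTION: on Debian/Ubuntu the Ubuntu CD image signing key (fingerprint
# 843938DF228D22F7B3742BC0D94AA3F0EFE21092 in the gpg output above) ships in
# the ubuntu-keyring package at this path. Elsewhere, import that key through
# a channel you trust and point UBUNTU_KEYRING at your own keyring file.
UBUNTU_KEYRING="${UBUNTU_KEYRING:-/usr/share/keyrings/ubuntu-archive-keyring.gpg}"

# verify_signature DIR: succeed only if DIR/SHA256SUMS.gpg is a good signature
# over DIR/SHA256SUMS by a key in the pinned keyring. gpgv consults nothing but
# that keyring, so "No public key" is a hard failure, not a warning.
verify_signature() {
    gpgv --keyring "$UBUNTU_KEYRING" "$1/SHA256SUMS.gpg" "$1/SHA256SUMS"
}

# check_sums DIR FILE...: succeed only if every named file exists and its
# SHA-256 matches its entry in DIR/SHA256SUMS. Done by hand rather than with
# `sha256sum -c` so the "*name" binary-mode marker and entries for files that
# were never downloaded (the minimal ISO above) are handled explicitly.
check_sums() {
    dir=$1
    shift
    for f in "$@"; do
        expected=$(awk -v name="$f" \
            '{ n = $2; sub(/^\*/, "", n); if (n == name) print $1 }' \
            "$dir/SHA256SUMS")
        if [ -z "$expected" ]; then
            echo "$f: not listed in SHA256SUMS" >&2
            return 1
        fi
        if [ ! -f "$dir/$f" ]; then
            echo "$f: file not present" >&2
            return 1
        fi
        actual=$(sha256sum "$dir/$f" | awk '{ print $1 }')
        if [ "$actual" != "$expected" ]; then
            echo "$f: FAILED (expected $expected, got $actual)" >&2
            return 1
        fi
        echo "$f: OK"
    done
}

# verify_iso DIR FILE: the full chain. A matching hash alone proves only that
# the file matches a list that could have been replaced along with it.
verify_iso() {
    verify_signature "$1" && check_sums "$1" "$2"
}

# Usage: sh verify-iso.sh <download-dir> <iso-filename>
if [ $# -ge 2 ]; then
    verify_iso "$1" "$2"
fi
```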

  • 1313ed01 1 hour ago
    What scared me in that thread was the mention of the fake lubuntu site that is still up since someone took over the old domain last year(?). I downloaded and installed lubuntu just some week ago. Luckily I am pretty sure I downloaded it from the real site. The fake one only has downloads up to 19.04 or something.

    Have not installed Lubuntu in a few years, so never noticed any of the news of the domain change and take-over. Did not really find anything more about it when searching today?

    • ginsider_oaks 45 minutes ago
      if you use ublock origin you should be OK, it warns you when you try to access lubuntu.net
  • Polizeiposaune 2 hours ago
    oddly, the one "sus" thing flagged -- a " (C) 2026 " late in 2025 -- is consistent with practices of established book publishers.

    I recall purchasing a textbook in September of year X and being surprised that it was "from the future" with a "Copyright X+1".

  • cozzyd 3 hours ago
    fortunately, in this case, it seems like the malware may be moot if you use the iso to wipe your windows installation...
    • fainpul 2 hours ago
      But if you just try the live ISO and go back to your Windows without installing, you're infected? Seems like someone wants users to switch to Linux :P
      • cozzyd 58 minutes ago
        Red Pill Linux
  • eth0up 4 hours ago
    • dominick-cc 4 hours ago
      Thanks for this link. Opening reddit links on mobile is very frustrating for me because it opens the app and messes with the browser back button for me. Not sure if others have that problem too.
      • ants_everywhere 3 hours ago
        My solution is just to uninstall the app
      • Doohickey-d 1 hour ago
        On Android "Redreader" is the only third-party Reddit app that somehow survived the third-party-app-purge. Still free and open source, and much more pleasant than the official one.

        Would definitely recommend.

      • pluc 4 hours ago
        That's because you're not supposed to open reddit links anymore, you can just share your content directly with AI companies and ad brokers and cut out the middleman.
        • exe34 3 hours ago
          I had the same idea about the britcard - why doesn't the government just buy the information from the ad brokers?
      • layer8 3 hours ago
        On iOS Safari, long-press the link and select Open (or Open in Background). That will open the link in the browser instead of in the app, and Safari will remember that preference for the app. Select Open in Reddit to revert.

        Also, don’t install the app? Use Sink It instead: https://gosinkit.com/

      • ntoskrnl_exe 3 hours ago
        Try pressing on the original link and opening it in another tab, that usually bypasses opening the app for me.
      • marksbrown 3 hours ago
        For the moment "yesterday for old reddit" on firefox android works quite well.
      • eth0up 3 hours ago
        I'm a grovelling Linux fiend and usually support related posts. I tried to visit the url and saw it was blocked. Didn't want the post to die so archived it asap.

        Note too, that NextDNS blocks archive.is et al by default unless you manually add redirects.

        Whatta world

  • sylware 2 hours ago
    Somebody did sneak a wayland compositor for xfce???

    :P

  • amelius 3 hours ago
    Let's not kid ourselves. A state level actor who is playing the long game can compromise any distro, package, etc. without us knowing about it.
    • layer8 3 hours ago
      That kind of defeatism isn’t helpful.

      The present case also just seems malware easily detected by VirusTotal: https://old.reddit.com/r/xubuntu/comments/1oa43gt/xubuntuorg...

      • chorlton2080 3 hours ago
        Look at all the mainstream scanners that failed to detect it!
        • rs186 1 hour ago
In reality, if Microsoft Defender (Security or whatever the name is) can detect it (which it does in this case), it means it is flagged on most target users' machines.

          Of course, there are people who disable built-in security scanning and don't use another antivirus software, and that's on them.

        • layer8 3 hours ago
          That’s pretty normal in my experience. That’s why you check with VirusTotal instead of a single “mainstream” scanner.
      • amelius 3 hours ago
        Sticking-your-head-in-the-sand-ism isn't helpful either.

        But nobody wants to talk about true security. For example, why does a Python module that renders progress bars (for example) need my full trust about what it does to the rest of my system? Etc.

        • brookst 2 hours ago
          What's the term for the fallacy that this problem can be ignored because that problem is so much worse?

          Sorry, patient, why are we talking about setting your broken arm when you are genetically predisposed to cancer that's going to kill you anyway?

          • amelius 34 minutes ago
            Nobody said the problem could be ignored ...
    • timefirstgrav 3 hours ago
      Jia Tan with the XZ backdoor was caught because some performance obsessed person noticed a tiny delay... I'm sure they learned their lesson and are ensuring their next backdoor doesn't impact performance.
      • 3eb7988a1663 3 hours ago
        That is the insidious question - how many parallel efforts were/are in play when xz was going down? Surely that was not the only long term plan to compromise an "unrelated" component of system security. The Jia Tan organization might have already inserted back doors into dozens of different projects by now.
    • CaptainOfCoit 3 hours ago
      Sure, but realistically, how many of us right here have state level actors in our threat models? I sure don't, because it'd be impossible to live a normal life then.
      • iamnothere 3 hours ago
        But state level actors could target you, so you should immediately abandon any hope of privacy, disable your ad blockers, stop using Signal, install Windows 11, cease any complaints about the government, and eat the bugs.
      • ranger_danger 2 hours ago
        How would you know?
        • brookst 1 hour ago
          Don't most of us know what's in our threat model?

          Nobody spends energy worrying that the universe is an evil compiler that warps reality specifically to target us. Because 1) it's unlikely, and 2) if it were true there's no change in defensive posture that would help. It's the same for most individuals when considering being targeted by state actors. Unlikely, and not defensible, so no point hand wringing.

          • jijijijij 39 minutes ago
            Also, no state-actor would ever blow an immensely costly and rare backdoor like that on us peasants here. Even, if you would threaten to kill all the puppies. That's the sort of thing they reserve for state-level shenanigans, 100% targeting servers, infrastructure and industry, not individuals.

Though, I also doubt they would just shelve these epic exploits, since a universal Linux backdoor likely puts themselves at risk too, unless you can pull off a grand conspiracy, or deliver patched packages to your own people without questions asked. Maybe a completely locked down country like North Korea could do it. I doubt many other countries got an incentive, unless in preparation of a specific attack.

    • Fnoord 2 hours ago
      Which state actor? Not all pigs are equal.
      • exceldrawing 50 minutes ago
        Your comment reflects that truth.
  • 1970-01-01 1 hour ago
    "Linux doesn't get viruses"

Since Xubuntu's inception a decade ago, facts certainly have changed!

    • anjel 1 hour ago
      A regrettable sign of Linux success
  • zvmaz 4 hours ago
    That is why I use Qubes OS [1] in order to have a certain peace of mind.

    [1] https://www.qubes-os.org/

    EDIT: further comment below:

    On second thought, Qubes OS does not prevent such types of malicious downloads; it can also happen to Qubes images. Verify your downloads with checksums and cryptographic signatures [2].

    [2] https://doc.qubes-os.org/en/latest/project-security/verifyin...

    • kachapopopow 4 hours ago
      qubes is just as vulnerable as xubuntu in this case (poor website security) no?
      • zvmaz 4 hours ago
        Yes indeed. Qubes has a good article on verifying distribution images not only with checksums but also with cryptographic signatures that verify the checksum files [1].

        [1] https://doc.qubes-os.org/en/latest/project-security/verifyin...

        • xyzzy123 3 hours ago
          But aren't you still trusting the website for instructions about how to verify the cryptographic signatures?
          • KAMSPioneer 3 hours ago
            The idea (outlined in the QubesOS documentation) is to clone the git repo of their website, verify the PGP commit signatures, then render the website yourself. Then you can be reasonably sure the website is legitimate, modulo a DoS attack stopping you from receiving updates to the website code, I suppose.

            Getting the correct PGP public key appears to be an exercise left to the reader, but if you are already running e.g. Fedora, you can view the packaged QubesOS distro keys distributed by your current OS, cross-reference that with a second source such as a PGP keyserver, and unless you're being Mossaded upon you're probably good if they match.

      • nekusar 3 hours ago
Check a history on archive.org and validate the checksum wasn't changed to be the potentially malicious iso?

        It's not perfect... but it's better than nothing.