How are they ‘changing on the fly’ the distro I downloaded the week before and ran a CRC check on?
Well, you’re uploading it remotely at some point. Essentially it’s a supply chain attack, where during the process of upload it’s compromised by the remote server. The logic would be - they can fingerprint any reasonable distro you might use, and replace it with a pre-prepared compromised version. Any tools you might use to check its veracity could potentially be poisoned the same way, no? As I said, remote possibility and high cost, but not implausible.
Serious question, do you have any background in IT security?
And as for ‘tools I might use to check’, literally anyone can code their own CRC checker in Python with no Python experience in like 20 mins using widely attested public algorithms.
A little. I’m in IT, and know the basics.
Then you understand how statistically impossible it is to craft a modified distro that passes a CRC check?
And by statistically impossible, I mean this in a thermodynamic sense, as in that it is much more likely that you are a brain floating in a void that cohered completely from nothingness due to vacuum energy than it is that any given iteration of a modified file of considerable length will match the same CRC as an established, published, vetted copy.
It is about 100 times easier to randomly guess the private key of a bitcoin wallet than it is to iterate arbitrary changes to match CRC results.
There is a reason it is still the gold standard of file authenticity despite it being literally based on a largely unchanged 50 year old technology.
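Added example, not written by anyone in the thread above: a table-driven CRC-32 that matches `zlib.crc32` bit for bit, plus a routine that takes any modified file and appends four bytes so that its CRC-32 equals whatever value you ask for. The "distro image", its published checksum and the tampering are constructed stand-ins for the demo. The point it illustrates is that matching a CRC-32 is not a brute-force search at all: CRC is a linear function over GF(2), so after the existing bytes each new byte simply selects one table entry, and four appended bytes fully determine the final register regardless of what came before. The four bytes are therefore solved for directly, in constant time. SHA-256 (shown for contrast) has no such structure.

```python
import hashlib
import zlib

POLY = 0xEDB88320  # reflected CRC-32 polynomial, the same one zlib.crc32 uses
MASK = 0xFFFFFFFF


def _make_table() -> list:
    """Standard 256-entry lookup table for the reflected CRC-32."""
    table = []
    for i in range(256):
        r = i
        for _ in range(8):
            r = (r >> 1) ^ POLY if r & 1 else r >> 1
        table.append(r)
    return table


TABLE = _make_table()
# The high byte of every table entry is distinct (i -> TABLE[i] >> 24 is a
# bijection on 0..255), which lets us run the CRC update backwards: from the
# high byte of a register value we can recover the table index that produced it.
HIGH_BYTE_TO_INDEX = {entry >> 24: i for i, entry in enumerate(TABLE)}
assert len(HIGH_BYTE_TO_INDEX) == 256


def crc32(data: bytes) -> int:
    """Table-driven CRC-32, bit-for-bit identical to zlib.crc32(data)."""
    r = MASK
    for b in data:
        r = TABLE[(r ^ b) & 0xFF] ^ (r >> 8)
    return r ^ MASK


def forge_crc32(data: bytes, target: int) -> bytes:
    """Return data followed by four bytes chosen so the result has CRC-32 == target.

    Each further byte b only selects a table entry via (reg ^ b) & 0xFF, and after
    four more bytes the old register has been shifted out entirely, so the final
    register is just a fixed XOR of the four selected entries. We pick the entries
    backwards from the wanted end state, then the bytes forwards from the real start.
    """
    start_reg = crc32(data) ^ MASK   # internal register state after `data`
    want_reg = target ^ MASK         # internal register state we need at the end

    indices = []
    reg = want_reg
    for _ in range(4):
        i = HIGH_BYTE_TO_INDEX[reg >> 24]
        indices.append(i)
        reg = ((reg ^ TABLE[i]) << 8) & MASK
    indices.reverse()                # now in processing order

    patch = bytearray()
    reg = start_reg
    for i in indices:
        patch.append((reg ^ i) & 0xFF)   # the byte that selects table entry i
        reg = TABLE[i] ^ (reg >> 8)
    assert reg == want_reg
    return data + bytes(patch)


# Constructed stand-in for a downloaded image and its published CRC (not a real distro).
ORIGINAL_IMAGE = b"demo-distro.iso: bootloader | kernel | initrd | rootfs " * 256
PUBLISHED_CRC = crc32(ORIGINAL_IMAGE)


def tamper_and_forge(original: bytes) -> bytes:
    """Modify the image, then append four bytes so its CRC-32 matches the original's."""
    tampered = original.replace(b"kernel", b"kernel+backdoor", 1)
    return forge_crc32(tampered, crc32(original))


def compare(original: bytes, candidate: bytes) -> dict:
    """What a CRC-32 check, zlib's CRC-32, and a SHA-256 check each conclude."""
    return {
        "identical": candidate == original,
        "crc32_matches": crc32(candidate) == crc32(original),
        "zlib_crc32_matches": zlib.crc32(candidate) == zlib.crc32(original),
        "sha256_matches": hashlib.sha256(candidate).digest()
        == hashlib.sha256(original).digest(),
    }


if __name__ == "__main__":
    forged = tamper_and_forge(ORIGINAL_IMAGE)
    print(compare(ORIGINAL_IMAGE, forged))
```

Appending is the simplest placement; in a real image the four bytes would go into padding or slack space so the size stays the same, and the same algebra works for overwriting four bytes at any chosen offset. The practical takeaway for the scenario in the thread: a CRC tells you a download was not corrupted in transit, not that it is the file the publisher produced. For that you want a cryptographic hash, and since a server that can swap the image can also swap the checksum file next to it, ultimately a detached signature verified against a key obtained out of band.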