Anonymosus-OS: the checksums that don't check out

Cory Doctorow at 1:51 pm Sat, Mar 17, 2012


Further to the ignoble saga of Anonymosus-OS, an Ubuntu variant targeted at people who want to participate in Anonymous actions: Sean Gallagher has done the legwork to compare the checksums of the packages included in the OS with their canonical versions and has found a long list of files that have been modified. Some of these ("usr/share/gnome/help/tomboy/eu/figures/tomboy-pinup.png: FAILED") are vanishingly unlikely to be malware, while others ("usr/share/ubiquity/apt-setup") are more alarming.

None of this is conclusive proof of malware in the OS, but it is further reason not to trust it -- if you're going to produce this kind of project and modify the packages so that they don't check, you really should document the alterations you've made.

all.md5 > /dev/shm/check.txt
md5sum: WARNING: 143 of 95805 computed checksums did NOT match
anonymous@anonymous:/$ grep -v ': OK$' /dev/shm/check.txt
usr/share/locale-langpack/en_AU/LC_MESSAGES/subversion.mo: FAILED
usr/share/locale-langpack/en_GB/LC_MESSAGES/gbrainy.mo: FAILED
usr/share/applications/language-selector.desktop: FAILED
usr/share/locale-langpack/en_GB/LC_MESSAGES/file-roller.mo: FAILED
usr/share/locale-langpack/en_CA/LC_MESSAGES/metacity.mo: FAILED
usr/share/locale-langpack/en_GB/LC_MESSAGES/jockey.mo: FAILED
usr/share/locale-langpack/en_AU/LC_MESSAGES/lightdm.mo: FAILED
usr/share/doc/libxcb-render0/changelog.Debian.gz: FAILED...

The bad checksums in Anonymous-OS (Thanks, Sean!)
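As an added example (not code from the post or from Sean Gallagher's write-up), a shell script that checks an image from a trusted host rather than from inside the suspect OS, then sorts the FAILED lines into the "cosmetic" (translations, launchers, docs, images) and "review" (binaries, installer scripts, libraries) buckets the commenters argue over; the report it runs on is constructed, and the mount options and manifest path in verify_image are assumptions.

```shell
#!/bin/sh
# Constructed sample of `md5sum -c` output, not the real report.
SAMPLE_REPORT='usr/share/locale-langpack/en_AU/LC_MESSAGES/subversion.mo: FAILED
usr/share/applications/language-selector.desktop: FAILED
usr/share/doc/libxcb-render0/changelog.Debian.gz: FAILED
usr/share/gnome/help/tomboy/eu/figures/tomboy-pinup.png: FAILED
bin/ls: OK
usr/sbin/update-initramfs: FAILED
usr/sbin/anacron: FAILED
usr/share/ubiquity/apt-setup: FAILED
usr/lib/ubiquity/user-setup/user-setup-apply: FAILED'

# Verify from a trusted host: mount the image read-only and noexec, then run
# the HOST's md5sum against the manifest, so nothing from the image executes.
# Needs root for mount; MANIFEST is a hypothetical path to an all.md5 file.
verify_image() {  # verify_image IMAGE MOUNTPOINT MANIFEST > report
    mount -o loop,ro,noexec,nosuid,nodev "$1" "$2" || return 1
    ( cd "$2" && md5sum -c "$3" ) && status=0 || status=$?
    umount "$2"
    return "$status"
}

# Print "cosmetic" or "review" for one path relative to the image root.
# In case patterns `*` also matches `/`, so these cover whole subtrees.
classify_path() {
    case "$1" in
        usr/share/locale*/*.mo|usr/share/applications/*.desktop) echo cosmetic ;;
        usr/share/doc/*|*.png|*.jpg|*.svg|*.gif) echo cosmetic ;;
        *) echo review ;;
    esac
}

# triage_failed CLASS < report : print the FAILED paths that fall in CLASS.
triage_failed() {
    grep ': FAILED' | sed 's/: FAILED.*$//' | while IFS= read -r path; do
        if [ "$(classify_path "$path")" = "$1" ]; then printf '%s\n' "$path"; fi
    done
}

# Stand-alone run over the constructed report.
printf '== cosmetic ==\n'; printf '%s\n' "$SAMPLE_REPORT" | triage_failed cosmetic
printf '== review ==\n';   printf '%s\n' "$SAMPLE_REPORT" | triage_failed review
```

The "review" list is only a starting point: as one commenter notes, a file that belongs to no package at all never shows up in a checksum manifest, so this triage cannot see it.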

I write books. My latest is a YA science fiction novel called Homeland (it's the sequel to Little Brother). More books: Rapture of the Nerds (a novel, with Charlie Stross); With a Little Help (short stories); and The Great Big Beautiful Tomorrow (novella and nonfic). I speak all over the place and I tweet and tumble, too.

MORE:  anonymous • floss • security • web theory


  • kartwaffles

    Looks like Sean Gallagher actually ran Anonymosus-OS in order to run the checksums. Dumb, dumb dumb.

    Mount the Anonymosus-OS image readonly, noexec, with a trusted known-good operating system. Then use *THAT* operating system’s checksum tools to examine the files.

    • rageaholic

       virtualization. perhaps you’ve heard of it. it’s a thing.

      • fuzzyfuzzyfungus

        That would protect your system (barring some very fancy VM exploit that would be worth so much for precision attacks on high value targets that they can likely be ignored here); but it wouldn’t solve the “if you are going to tamper with the OS, you should probably bug the tools that somebody would use to check for tampering” problem. (Though freezing the VM and mounting its disk any time that suited you wouldn’t be so terribly difficult, and it’s easier than finding a physical computer with a CD-ROM drive, at least in my house.)

  • digi_owl

    Tomboy-pinup.png?

    Edit: ah, never mind…

    http://projects.gnome.org/tomboy/

    • Daemonworks

      That’s exactly what I was wondering about.

  • stationstops

    anyone who actually downloaded this software is kind of out of their mind anyway

    • zarray

      I imagine they look like this 
      http://static.fjcdn.com/pictures/Noob+Kid_cd732d_3302770.jpeg

    • Anon_Mahna

       or not paranoid enough to suspect it’s a ringer put out by an Alphabets agency. Yes I know that is probably giving them too much credit, but hey ‘even a blind squirrel finds a nut’ as they say.

  • Xof

    “Of course this OS is safe and can be used for activities that you don’t want to be traced back to you! A bunch of anonymous hackers assure you of its integrity. See, we’re wearing a Guy Fawkes mask! Only good people do that.”

  • http://www.facebook.com/people/Aron-Briggs/1386087012 Aron Briggs

    looks safe to me.

  • http://twitter.com/sqlrob Rob

    The vast majority of those are UI.

    I’d like to see the diffs between the others, but I’m guessing those are UI changes as well. Wouldn’t bet my life on it, but it does seem somewhat likely.

    • digi_owl

       Kinda heavy handed of them to change the files rather than creating an alternate theme alongside the Gnome default. If that is what they have done. Or could it be a cause of steganography?

      • http://twitter.com/sqlrob Rob

        From what I saw in another review of it, yeah, it’s heavy handed. The sum up of it was Anonymous didn’t do it because they wouldn’t want their name associated with something done this badly.

        Of course, I thought LOIC was VB, so maybe that’s wrong.

        • digi_owl

           Not sure, but I guess LOIC could run under Wine.

          • http://apebox.org/wordpress/ Jo Shields

             LOIC is C#. It runs fine with Mono. It doesn’t build with Mono, because the developers are jackasses who closed my simple bugfix as WONTFIX.

  • Douglas Rushkoff

    oy.  Kind of makes me reconsider the “program or be programmed” concept, at least insofar as a little knowledge of programming can be a dangerous thing if one assumes there are other people who don’t know a whole lot more. 

  • dnebdal

    … the files in the example are translation text files and shortcut descriptors, and completely harmless – incidentally. :)

  • onereader

    .mo files are i18n (translations), .desktop files are more or less launchers, then some changelogs and image files. apt-setup is from ubiquity, the livecd  installer, so it seems that most of the changes are due to the media customization.

    I wouldn’t use it, but there’s nothing immediately suspicious there.

    • dnebdal

      Spending another 20 seconds or so before submitting on weeding out all the obviously harmless changes would have made for a more compelling post, ye. :)

      There are a few things I’d like to see a bit more about, though. In no particular order:
      usr/sbin/update-initramfs
      usr/sbin/anacron
      usr/sbin/update-icon-caches
      usr/bin/perldoc
      usr/lib/ubiquity/user-setup/user-setup-apply
      usr/share/ubiquity/apt-setup

      At this point I’d be surprised if there was anything dodgy in any of them, but still.

  • fuzzyfuzzyfungus

    I certainly have no reason to trust this particular spin; but you’d expect a fair number of changes in UI-related packages and package install lists. It does, after all, look different and have different packages installed…

    The risk I’d be inclined to worry about would be anything that simply doesn’t have an analogous package in Ubuntu (or isn’t installed via a package at all: package management is a convenience, there is no enforcement against manually added stuff).

    There would be nothing stopping somebody from, say, using a dead-stock Ubuntu kernel, MD5s right from the factory; and loading a bugged kernel module stashed manually in the filesystem somewhere. Modifying the package directly would be deeply suspicious; but there is absolutely no requirement that all kernel modules be provided by the package that has ‘kernel-modules’ somewhere in the name.

    Kernel modules would just be an example, of course, a suitably clever and malicious actor could overlay enough goodies to compromise the system in all sorts of places without touching the packages or package manager at all…

  • http://www.mrericsir.com MrEricSir

    I’m assuming the packages weren’t built by Launchpad then? 

  • Doug Nelson

    No one ever explained the deliberate misspelling. Is it an SEO thing?

    • elix

      Because Anonym.OS was already taken, I imagine.

    • SamSam

      No, it’s a Cory thing, for reasons he hasn’t ever explained. The project itself is just called Anonymous-OS with no extra ‘s’. And that’s the way all the rest of the press has described it.

      I think Cory just typoed in the first post and has decided to keep it that way ever since (Cory isn’t the best at admitting mistakes here… ;)

  • twiddl

    why would anyone want to use that thing?

    • zarray

      http://i.imm.io/jjd7.jpeg

  • http://obsidian.kokolis.net Chloramphenicol

    I’m sure it’s been said before, but I’m going to say it again anyway…  BackTrack.

  • http://pulse.yahoo.com/_OAUXAA362EXWLYVMPJOKLFB5JQ Incipient Madness

    If you already use Ubuntu as I do you could snag all these functions from reliable sources using the terminal window. And if you have to use a clickable link to get this OS, it’s fake.

    Every Ubuntu user knows you can’t click for the cool stuff. Terminal only. 

    • http://www.mrericsir.com MrEricSir

      Some of these tools are already in the Ubuntu repos and/or PPAs, meaning you don’t need the terminal. Ubuntu Software Center or Synaptic would work fine.

      Of course, you will need the terminal to use some of the apps but that’s a different story. Hacking tools ain’t for noobs.

    • Rah El

      Actually you can click on this link for a really cool, penetration test-centered OS based on Ubuntu: 
      http://www.backtrack-linux.org/

  • unaboomer

    Is it wrong to root against the script kiddies? Not that I’m some 1337 haxor, but come on.

  • http://rhinocrisy.org/ saurabh

    I am unable to understand why, in the wake of the whole FBI/Sabu clusterfuck, anyone would even consider running this thing.

    • C W

      With a however many million Anon, there’s bound to be a few thousand naive followers that’ll check it out.

  • Lee Dannascher

    This is the sort of thing which might be fun to run on a neighbor’s network with a packet sniffer and just let it cook for a while.
    Really, it’s just about trust. FOSS is safer (I’d say) simply because there’s more eyes on the code. These allegations can be brought and they’ll be proven or thrown out. We have no such safety with a Microsoft, Apple (or Google) product.

  • SomeGuy

    What’s this file /etc/kernel/fbi/gonna/nail/yer/ass.ha_ha_ha?

    Never mind.  I’m sure it’s nothing.

  • Bob Webb

    What’s the difference between Anonymosus-OS and Anonymous-OS? 

    • SamSam

      None. One’s a typo by Cory that has persisted through three posts.

  • Guest

    Of course it’s fake. The real variant will be called EXPECT_OS