shadowy, sort of fly by night debian mirrors? ...
Albretch Mueller
2021-02-21 13:50:01 UTC
As I tried to download debian, I noticed that the download was being
redirected real time (which in itself doesn't necessarily have to mean
bad), what I found worrying was that:

1) as I used a known public hotspot connection, there was a new
hotspot advertising itself as "Wifi4EU" (of course, I didn't bite that
bait)

2) getting a connection through (apparently) the right hotspot took
way more time than expected

3) downloads were being redirected real time

4) the usual server side responses were not being produced, just:

WARNING: certificate common name `ftp.acc.umu.se' doesn't match
requested host name `chuangtzu.ftp.acc.umu.se'.
2021-02-17 11:14:47
URL:https://chuangtzu.ftp.acc.umu.se/debian-cd/current/amd64/iso-dvd/debian-10.8.0-amd64-DVD-2.iso
[4697370624/4697370624] -> "debian-10.8.0-amd64-DVD-2.iso" [1]

WARNING: certificate common name `ftp.acc.umu.se' doesn't match
requested host name `laotzu.ftp.acc.umu.se'.
2021-02-17 11:46:46
URL:https://laotzu.ftp.acc.umu.se/debian-cd/current/amd64/iso-dvd/debian-10.8.0-amd64-DVD-3.iso
[4679073792/4679073792] -> "debian-10.8.0-amd64-DVD-3.iso" [1]

5) the mirror debian site (ftp.acc.umu.se) had smelly prefixes as
subdomains (apparently Chinese transliterations) {chuangtzu, laotzu}

6) whois registry for umu.se

$ whois um.se
# Copyright (c) 1997- The Swedish Internet Foundation.
# All rights reserved.
# The information obtained through searches, or otherwise, is protected
# by the Swedish Copyright Act (1960:729) and international conventions.
# It is also subject to database protection according to the Swedish
# Copyright Act.
# Any use of this material to target advertising or
# similar activities is forbidden and will be prosecuted.
# If any of the information below is transferred to a third
# party, it must be done in its entirety. This server must
# not be used as a backend for a search engine.
# Result of search for registered domain names under
# the .se top level domain.
#
This whois printout is printed with UTF-8 encoding.
#
state: active
domain: um.se
holder: (not shown)
admin-c: -
tech-c: -
billing-c: -
created: 2014-12-02
modified: 2020-11-16
expires: 2021-12-02
transferred: 2017-08-24
nserver: ns1.nameisp.info
nserver: ns2.nameisp.info
dnssec: unsigned delegation
registry-lock: unlocked
status: ok
registrar: www.NameSRS.com
$

7) the md5 and sha1 hashes that I computed could not be found online

0296cfbeaf3823055901d7ad2077a077
0b742d83d23207db9a24553100d4155eb8c701bf debian
10.8.0-amd64-DVD-2.iso
37baf26293b8132fe95b4bd19262ca6b
122a2612ed63ff89db56eec0765e87268bf72318 debian
10.8.0-amd64-DVD-3.iso

I have kept those files in hard drives/computers I never connect to
the Internet (that, to me, is the only way to do something with some
"privacy"/security). I later downloaded what seem to be the right
files, anyway. They would make for some easy and nice forensic
analysis (just extracting the content of those iso files, using find
and diff) whenever I find the time to do so.

lbrtchx
Andy Smith
2021-02-21 14:20:02 UTC
Hello,
Post by Albretch Mueller
1) as I used a known public hotspot connection, there was a new
hotspot advertising itself as "Wifi4EU" (of course, I didn't bite that
bait)
Does not really seem relevant to a remote Debian mirror, unless you
are suggesting that someone has set up a rogue wifi hotspot in that
particular location and used it to distribute compromised Debian
images, which seems rather far-fetched.
Post by Albretch Mueller
2) getting a connection through (apparently) the right hotspot took
way more time than expected
I'm not saying it's aliens
but it's aliens.
Post by Albretch Mueller
3) downloads were being redirected real time
OK? Web servers are allowed to issue redirects, and you're being
redirected to another hostname at the same org, so doesn't seem very
suspicious.
Post by Albretch Mueller
WARNING: certificate common name `ftp.acc.umu.se' doesn't match
requested host name `chuangtzu.ftp.acc.umu.se'.
2021-02-17 11:14:47
URL:https://chuangtzu.ftp.acc.umu.se/debian-cd/current/amd64/iso-dvd/debian-10.8.0-amd64-DVD-2.iso
[4697370624/4697370624] -> "debian-10.8.0-amd64-DVD-2.iso" [1]
Right, so it's just saying you requested something at ftp.acc.umu.se
but it's HTTP redirecting you to chuangtzu.ftp.acc.umu.se which
doesn't have a TLS certificate with the name "ftp.acc.umu.se".

Many Debian mirrors don't support HTTPS enough to have a TLS cert in
the correct name and/or a debian.org name. I think you can use host
deb.debian.org in your sources.list to hit a Fastly CDN node that is
network-wise reasonably close to you and will work with TLS without
complaint, though you don't know what transports it uses between
itself and the origin servers in the background.
Post by Albretch Mueller
5) the mirror debian site (ftp.acc.umu.se) had smelly prefixes as
subdomains (apparently Chinese transliterations) {chuangtzu, laotzu}
Why do Chinese names seem "smelly" to you?
Post by Albretch Mueller
6) whois registry for umu.se
Unclear why the domain registry info for a Swedish university is of
any bearing…
Post by Albretch Mueller
7) the md5 and sha1 hashes that I computed could not be found online
0296cfbeaf3823055901d7ad2077a077
0b742d83d23207db9a24553100d4155eb8c701bf debian
10.8.0-amd64-DVD-2.iso
37baf26293b8132fe95b4bd19262ca6b
122a2612ed63ff89db56eec0765e87268bf72318 debian
10.8.0-amd64-DVD-3.iso
Those SHA1 hashes do appear here on another mirror:

http://mirrorservice.org/sites/cdimage.debian.org/debian-cd/10.8.0/amd64/iso-dvd/SHA1SUMS

though they seem to be associated with different files in the
sequence:

122a2612ed63ff89db56eec0765e87268bf72318 debian-10.8.0-amd64-DVD-2.iso
0b742d83d23207db9a24553100d4155eb8c701bf debian-10.8.0-amd64-DVD-3.iso

Was it a copy/paste error on your side that switched these around or
is that really what you downloaded?
Post by Albretch Mueller
I later downloaded what seem to be the right files, anyway. They
would make for some easy and nice forensic analysis (just
extracting the content of those iso files, using find and diff)
whenever I find the time to do so.
Knock yourself out but I don't see any indication that anything
nefarious has happened nor that you have downloaded tampered files,
so it just sounds like a huge waste of time.

If that's not the case and you did manage to download something that
claims to be a Debian ISO but isn't, please do tell us more.

I mean, worst case, they've somehow got the names of some genuine
files mixed up - because the SHA1 hashes match real Debian files but
with different names. That's assuming no mix up on your side. Unless
you are experiencing a SHA1 collision as well on top of everything
else.

Cheers,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
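The comparison made in the reply above, as an added example that is not part of the original thread: it checks locally computed SHA-1 values against the manifest lines quoted from the mirror and reports when a hash is genuine but listed under a different file name. The function names are hypothetical, and the manifest is assumed to have been authenticated separately (for example through its detached signature).

```python
import hashlib

# Manifest lines as quoted in the reply above (from the mirror's SHA1SUMS).
MANIFEST = """\
122a2612ed63ff89db56eec0765e87268bf72318  debian-10.8.0-amd64-DVD-2.iso
0b742d83d23207db9a24553100d4155eb8c701bf  debian-10.8.0-amd64-DVD-3.iso
"""

# Hashes as reported by the original poster for the files he downloaded.
REPORTED = {
    "debian-10.8.0-amd64-DVD-2.iso": "0b742d83d23207db9a24553100d4155eb8c701bf",
    "debian-10.8.0-amd64-DVD-3.iso": "122a2612ed63ff89db56eec0765e87268bf72318",
}

def sha1_of_file(path, chunk=1 << 20):
    """Stream a file through SHA-1 so multi-GB ISOs do not need to fit in RAM."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def parse_manifest(text):
    """Parse sha1sum-style lines ('<hex>  <name>' or '<hex> *<name>') into {name: hex}."""
    entries = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and len(parts[0]) == 40:
            entries[parts[1].lstrip("*").strip()] = parts[0].lower()
    return entries

def classify(computed, manifest):
    """Return {name: (verdict, detail)} for each locally computed hash."""
    by_hash = {h: n for n, h in manifest.items()}
    result = {}
    for name, digest in computed.items():
        digest = digest.lower()
        if manifest.get(name) == digest:
            result[name] = ("ok", name)
        elif digest in by_hash:
            # Genuine content, but published under a different file name.
            result[name] = ("listed-under-other-name", by_hash[digest])
        else:
            result[name] = ("not-in-manifest", None)
    return result

if __name__ == "__main__":
    for name, verdict in classify(REPORTED, parse_manifest(MANIFEST)).items():
        print(name, *verdict)
```

For files on disk, build the `computed` mapping with `sha1_of_file()` instead of typing hashes by hand, which rules out a copy/paste swap as the cause.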
Albretch Mueller
2021-02-22 09:00:02 UTC
Post by Andy Smith
Post by Albretch Mueller
7) the md5 and sha1 hashes that I computed could not be found online
0296cfbeaf3823055901d7ad2077a077
0b742d83d23207db9a24553100d4155eb8c701bf debian
10.8.0-amd64-DVD-2.iso
37baf26293b8132fe95b4bd19262ca6b
122a2612ed63ff89db56eec0765e87268bf72318 debian
10.8.0-amd64-DVD-3.iso
http://mirrorservice.org/sites/cdimage.debian.org/debian-cd/10.8.0/amd64/iso-dvd/SHA1SUMS
Maybe, as you say that is happening to me because I am an alien.
That explains it all: Yet, in my searches google was telling me such
strings couldn't be found:

https://www.google.com/search?&q=2612ed63ff89db56eec0765e87268bf72318

Your search - 2612ed63ff89db56eec0765e87268bf72318 - did not match
any documents.

I would expect for that string to appear on a few mirrors at least.
Also, why were their servers not producing any server side logs?

lbrtchx
Andrei POPESCU
2021-02-22 09:20:02 UTC
Post by Albretch Mueller
Post by Andy Smith
Post by Albretch Mueller
7) the md5 and sha1 hashes that I computed could not be found online
0296cfbeaf3823055901d7ad2077a077
0b742d83d23207db9a24553100d4155eb8c701bf debian
10.8.0-amd64-DVD-2.iso
37baf26293b8132fe95b4bd19262ca6b
122a2612ed63ff89db56eec0765e87268bf72318 debian
10.8.0-amd64-DVD-3.iso
http://mirrorservice.org/sites/cdimage.debian.org/debian-cd/10.8.0/amd64/iso-dvd/SHA1SUMS
Maybe, as you say that is happening to me because I am an alien.
That explains it all: Yet, in my searches google was telling me such
https://www.google.com/search?&q=2612ed63ff89db56eec0765e87268bf72318
Your search - 2612ed63ff89db56eec0765e87268bf72318 - did not match
any documents.
I would expect for that string to appear on a few mirrors at least.
Why do you expect that string to show in search engines?
Post by Albretch Mueller
Also, why were their servers not producing any server side logs?
Why should any server side logs be accessible to the public?


Kind regards,
Andrei
--
http://wiki.debian.org/FAQsFromDebianUser
Andy Smith
2021-02-22 12:10:02 UTC
Hi Albrecht,
Post by Albretch Mueller
Post by Andy Smith
http://mirrorservice.org/sites/cdimage.debian.org/debian-cd/10.8.0/amd64/iso-dvd/SHA1SUMS
[…]
Post by Albretch Mueller
I would expect for that string to appear on a few mirrors at least.
I just showed you exactly where the hashes for the ISO files are on
one mirror, I assume they are in the same place on every other
mirror.

You have not yet explained how come you show hashes with mismatched
file names - whether that was a simple error on your side while
composing the email or something you actually downloaded from the
Debian mirror.
Post by Albretch Mueller
Also, why were their servers not producing any server side logs?
I am unable to parse the question as my understanding of what
"server side logs" means can't possibly line up with yours. Please
elaborate.

Cheers,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
Albretch Mueller
2021-02-24 16:30:01 UTC
[This post might be inappropriate and is hidden in the archive.]
Andy Smith
2021-02-24 16:40:02 UTC
Albrecht,
Post by Albretch Mueller
I take pride at being from very prejudiced to cautiously racist
towards those not only "un-Amerikan", but, even "communist"
Chinese before they spread the Corona Virus…
Your racist conspiracy theories are not only abhorrent but also a
violation of Debian's Code of Conduct. Please do not post this kind
of thing to any part of Debian's infrastructure again (or
preferably, anywhere, ever, but it is specifically not tolerated
at Debian).

https://lists.debian.org/debian-user/2021/02/msg00010.html
https://www.debian.org/MailingLists/#codeofconduct
https://www.debian.org/code_of_conduct

Thanks,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
Reco
2021-02-24 16:50:01 UTC
[This post might be inappropriate and is hidden in the archive.]
Steve McIntyre
2021-02-24 18:50:02 UTC
Post by Albretch Mueller
Also, I take pride at being from very prejudiced to cautiously racist
towards those not only "un-Amerikan", but, even "communist" Chinese
before they spread the Corona Virus and about the fact that Vladimir
<rest of the rant deleted>

This kind of stuff has *no* place at all on Debian mailing lists, nor
anywhere else in our community. Please keep this kind of garbage to
yourself in future, or you will be blocked from posting to Debian
lists.

Steve, for the Community Team.
--
Steve McIntyre ***@debian.org
Debian Community Team ***@debian.org
Andrew M.A. Cater
2021-02-21 16:00:01 UTC
Post by Albretch Mueller
as I tried to download debian, I noticed that the download was being
redirected real time (which in itself doesn't necessarily have to mean
1) as I used a known public hotspot connection, there was a new
hotspot advertising itself as "Wifi4EU" (of course, I didn't bite that
bait)
2) getting a connection through (apparently) the right hotspot took
way more time than expected
3) downloads were being redirected real time
WARNING: certificate common name `ftp.acc.umu.se' doesn't match
requested host name `chuangtzu.ftp.acc.umu.se'.
2021-02-17 11:14:47
URL:https://chuangtzu.ftp.acc.umu.se/debian-cd/current/amd64/iso-dvd/debian-10.8.0-amd64-DVD-2.iso
[4697370624/4697370624] -> "debian-10.8.0-amd64-DVD-2.iso" [1]
WARNING: certificate common name `ftp.acc.umu.se' doesn't match
requested host name `laotzu.ftp.acc.umu.se'.
2021-02-17 11:46:46
URL:https://laotzu.ftp.acc.umu.se/debian-cd/current/amd64/iso-dvd/debian-10.8.0-amd64-DVD-3.iso
[4679073792/4679073792] -> "debian-10.8.0-amd64-DVD-3.iso" [1]
5) the mirror debian site (ftp.acc.umu.se) had smelly prefixes as
subdomains (apparently Chinese transliterations) {chuangtzu, laotzu}
No idea what is happening with WiFi hotspots.

Are you trying to download the files for DVD via http or https?

Debian cd images are normally available to download via http - it's quite
difficult to get https to work for all the world's mirrors.

cdimage.debian.org itself is housed at the University of Umeå in Sweden.
There are other mirrors which may be closer.

If you already have a Debian machine running - and from previous responses to
the list I don't think you do - you could use jigdo-file and download the images
by building them in pieces from a nearby mirror - which is often faster. The
download process also is able to be restarted in the event of any interruption.

Checksums are automatically calculated and GPG keys are also checked. [For the
members of the Debian media team, this is the preferred way to transfer images
around internally between machines for verification.]
Post by Albretch Mueller
6) whois registry for umu.se
$ whois um.se
[…]
Typo - ftp.umu.se
Post by Albretch Mueller
7) the md5 and sha1 hashes that I computed could not be found online
0296cfbeaf3823055901d7ad2077a077
0b742d83d23207db9a24553100d4155eb8c701bf debian
10.8.0-amd64-DVD-2.iso
37baf26293b8132fe95b4bd19262ca6b
122a2612ed63ff89db56eec0765e87268bf72318 debian
10.8.0-amd64-DVD-3.iso
I have kept those files in hard drives/computers I never connect to
the Internet (that, to me, is the only way to do something with some
"privacy"/security). I later downloaded what seem to be the right
files, anyway. They would make for some easy and nice forensic
analysis (just extracting the content of those iso files, using find
and diff) whenever I find the time to do so.
lbrtchx
All best, as ever, Hope the above is helpful.

Andy C.
Stefan Monnier
2021-02-21 21:20:02 UTC
Post by Albretch Mueller
5) the mirror debian site (ftp.acc.umu.se) had smelly prefixes as
subdomains (apparently Chinese transliterations) {chuangtzu, laotzu}
FWIW, when naming machines in a subdomain (e.g. for .acc.umu.se) it's
quite common to first decide on a "theme" and then pick names from that
theme. E.g. a computer lab's nodes may all have names of dinosaurs, or
names of alcoholic drinks, etc...

Searching for chuangtzu and laotzu suggests these are names of great
figures of Taoism, so it seems very kosher to me.


Stefan
Weaver
2021-02-21 22:30:01 UTC
Post by Stefan Monnier
Post by Albretch Mueller
5) the mirror debian site (ftp.acc.umu.se) had smelly prefixes as
subdomains (apparently Chinese transliterations) {chuangtzu, laotzu}
FWIW, when naming machines in a subdomain (e.g. for .acc.umu.se) it's
quite common to first decide on a "theme" and then pick names from that
theme. E.g. a computer lab's nodes may all have names of dinosaurs, or
names of alcoholic drinks, etc...
Searching for chuangtzu and laotzu suggests these are names of great
figures of Taoism, so it seems very kosher to me.
The only mirror that has ever pulled anything hinky with me, over about
20 years, was the Australian one: mirror.aarnet.edu.au.
I got dropped any number of times, then advised `server unobtainable',
persistently.
These days, under current circumstances of insanity, I should feel much
more comfortable working off a Chinese server than any number of others.
But then, I'm not a bankrupt national context grasping at straws on the
way down.
Cheers!

Harry.
--
`The World is not dangerous because of those who do harm but
because of those who look on without doing anything'.
-- Albert Einstein