Tails 3.14 Compromised?

4 points

7 years ago

I have upgraded to Tails 3.14 from (2) different Tails ( 3.12.1 ) & ( 3.13.2 ) from (2) different local networks protected with passwords. One of which I am not associated with. The 2 downloads occured at a 24 hour interval. THe release was on May 24th. I upgraded on May 25th and 26th.

Upon being prompted by the system that an upgrade is available and do I wish to upgrade, I proceded as usual. Then, I verified the integrity of the system via the 3 methods described on :

https://tails.boum.org/install/download/index.en.html

1 - Firefox Tails verification Extension

2 - Open PGP

3 - Command Line

All gave me " Bad or forged Signature " data compromised ...

I then ran a md5sum && sha256sum for good measure, No match.

I send a bug report via the integrated whisper back feature ( in the compromised system yesterday : / ) it may or may not have gotten through to the devs.

I sent one today using another uncompromised version of an older release.

Takeaway ; verify your checksums and please someone look into this.

Since it happened on 2 networks and 2 systems, this might be a compromised mirror site serving that to many users.

Eastern Canada.

No comments

No comments