[deleted]
DataDrake It's not an accusation. It's a support request for a suspected security flaw. If it's not taken seriously then how can I comfortably continue to use and recommend your distribution?
JoshStrobl I didn't realize until after the fact how old the video was which is even more concerning.
[deleted] What was done about this then? Was it reported? English Bob is active on Big Daddy Linux and I'm sure he must've mentioned it.
I certainly don't speak for the distro, just a user, but I find it more likely your installation/files have been compromised than the ISOs, especially after DD verified the masters. Esp since you're finding the same thing in another distro.
It's certainly not impossible, but I expect the end user to have more issues than the ISOs. Though the ISOs would be the second best way to spread something evil. The first would be the update server and its files.
Btw, I have a Masters in Computer SCI too, and I worked for twenty years in IT Security, the last ten for Hewlett Packard. So I'm not just throwing stuff around with no basis even if it is just an opinion.
dbarron You're cool and I appreciate that. Yeah I'm not so sure one of my tarballs might have let something through but I already ran the tarballs through virus total and they came up clean.
Wow my entire comment was just zapped. I may very well be wrong and I hope that I am. As an IT Pro myself the symptoms I was having that I listed below scream malware. It's that type of behavior that I'd see on any Windows machine I work on.
For what it's worth I'll verify the ISO on a reinstall but do you guys think I should post my findings as a bug report? Just listing the systems alone without any unwarranted suspicions or extraneous commentary so as to not yield another false alarm if that is the case.
Ultimately my findings were concerning enough that it brought me to posting it just as I did. I was very worried. I do believe my issue is very valid.
DataDrake I will hopefully have that documented soon. I completely understand you wanting to see proof. Don't we all but you cannot just expect any average user to have such proof.
You have to be able to deal with things on a case by case basis and take every reasonable post with caution and concern.
EbonJaeger To the best of my memory it shows that I've an SHA1 1 way hash
when issuing the following command(s):
-- sudo eopkg update
-- sudo eopkg upgrade
JoshStrobl I am very happy to hear Solus is taking the security of its ISOs so seriously. Thanks for letting me know this. I will hopefully be able to get proof of my finding again soon. I just didn't have time or patience to save the documentation last time. I was in a dead rush working with clients.
I apologize for any undue turmoil this may have caused. My findings were serious and concerning to me which led me to making this post. I sincerely wanted help and still do wish to resolve the issue.
DataDrake Fake News really. It's clearly not fake news. It's my real world experience this past June 2019 weekend.
I've had so much anxiety over this and it was over the weekend. For you to call my serious hard work and findings fake news is a little concerning. I use my system for work. I'm being brutally honest just like always. Would you please remove your childish flag? It's very off putting, judgmental and unhelpful.
[deleted] We currently use a SHA1 hash for our package index. It's not as big a deal as you think, and is something we will be improving when we replace eopkg. Inside every package you will also find a listing of files with both sizes and SHA1 hashes. Fooling a SHA1 is possible, but not at the same file size. It's also something that we can verify in seconds if there's even a mild concern.
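The per-file check described in the post above (a size and a SHA1 recorded for each file in a package), as an added example that is not part of the original thread and is not Solus or eopkg code. The manifest layout, paths and file contents are constructed for illustration; the sketch compares size first and only hashes when the size matches.

```python
import hashlib
import os
import tempfile

def sha1_of(path, chunk=65536):
    """Stream a file through SHA1 so large files are not read into memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_tree(root, manifest):
    """Check (relative_path, size, sha1_hex) entries; return [(path, problem)]."""
    problems = []
    for rel, size, digest in manifest:
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            problems.append((rel, "missing"))
        elif os.path.getsize(full) != size:
            problems.append((rel, "size"))      # cheap check, no hashing needed
        elif sha1_of(full) != digest:
            problems.append((rel, "sha1"))      # same size, different content
    return problems

def demo():
    """Build a constructed file tree, record its manifest, then alter it."""
    files = {  # constructed sample content, not real package files
        "usr/bin/tool": b"#!/bin/sh\necho ok\n",
        "etc/tool.conf": b"mode=safe\n",
        "usr/lib/libx.so": b"\x7fELF constructed",
    }
    with tempfile.TemporaryDirectory() as root:
        manifest = []
        for rel, data in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
            manifest.append((rel, len(data), hashlib.sha1(data).hexdigest()))
        clean = verify_tree(root, manifest)
        with open(os.path.join(root, "usr/bin/tool"), "ab") as f:
            f.write(b"# appended\n")            # changes the size
        with open(os.path.join(root, "etc/tool.conf"), "wb") as f:
            f.write(b"mode=evil\n")             # same length, new content
        os.remove(os.path.join(root, "usr/lib/libx.so"))
        return clean, verify_tree(root, manifest)

if __name__ == "__main__":
    print(demo())
```

A check like this is only as trustworthy as the manifest it reads, so the manifest has to come from a source the local system could not have altered.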
[deleted] I will not remove the flag. You have demonstrated no proof of your claims and have unnecessarily spread fear to other users. On top of that you did not even remotely choose the right channels to send this information through which shows either a lack of respect or experience for how to report potential security vulnerabilities. One does not inform their friend that their front door is unlocked at a specific address, out loud, in a quiet public place for all to hear.
Symptoms:
Opening Files with other File Contents and not changing to the current file being opened.
I have no idea what you mean by this
Dropping of browsers and downloads at random.
Surely poor wireless card drivers, DNS, or a bad connection can also cause this?
Core System Files modified containing ld.so
An example file would go a long way toward addressing this concern. As well as a description of what you mean by modified.
RKHunter revealing a warning showing 3 possible rootkits
RKHunter is notorious for reporting false-positives. That's part of why they are marked as Warnings and not Found.
DataDrake Your passive aggressive behavior is quite comical. What is your technical competency that's going to be necessary to help me resolve this issue?
I am literally the Technical Lead for Solus. So far you have demonstrated to me that you overestimate your own knowledge of Linux and computer security, you have absolutely no clue how to properly report security issues, and that you have no desire to show me or JoshStrobl the respect that is deserved for our years of service to Solus and in our current roles as leaders of the project. Put simply, you came into our house, uninvited, with wild accusations, and couldn't be bothered to provide thorough and complete evidence even when prompted.
Now you are insulting us over our rightful hostility towards this inflammatory post that was irresponsibly presented to us through an unsecure channel.
You are also insulting me without bothering to learn one iota of information about my background. It just so happens that I have done one variety of IT or another for over 15 years and have been using Linux for longer. I also happen to have both a BS and MS in Computer Engineering, with a Minor in Computer Science during my undergraduate studies. I have been with the Solus project since 2016. Our founder Ikey was convinced enough with my technical skills that I was asked to join the Core Team, our highest level of leadership, less than 6 months after my first contribution to the project.
Meanwhile, a quick waltz around the internet shows that you do some level of IT support, of which I am uncertain because a website for your company doesn't even show up in a google search. You also appear to lack a LinkedIn, so I could not find any information about your technical background. What I could find, was a series of references to your poor attitude and behavior in the comment sections of various YouTubers and a series of videos from yourself which in my own opinion demonstrate poor respect for people who don't agree with your ideologies or assessments.
So forgive me if I have a hard time being pleasant in the face of all of this.
I have barely said a harsh word to you. I bit my tongue at the shocking lack of customer service skills shown here. I have been the consummate professional throughout. Respect is earned and I've shown nothing but it to reasonable responses of course and even where I could have easily spoken in anger and off the cuff. I reported the issue directly from the forum after establishing my account. I have followed the guidelines.
I wasn't seeking a history of your accomplishments and credentials. I was only seeking a resolution to my problem and findings. I've been awfully nice and professional throughout discourse today and bit my tongue several times. Your team and yourself have been quite rude towards me from the onset of my posting.
If I came off a little direct well that's just me. I am direct but I try not to be hateful or disrespectful towards anyone. Which video did you come across that made you think I was spewing hate and vitriol because I assure you I've never done so in any of my videos.
Actually YouTube green lighted me based on my google record to have a lot of the benefits for a brand new channel that I'm not aware that anyone has access to immediately. This must be due to my track record on YouTube. I've made an effort to watch how I respond and if and when I do come off harshly I'm always sure to edit my comments and make sure I'm presenting myself in a professional tone.
I've made great efforts to protect my reputation online without hiring anyone. My LinkedIn profile being nonexistent results from my opting out of the social network and may or may not return but likely not. I have my reasons.
Again I'm sorry you feel this way. I am sorry for any negative way that I made you feel. I truly am but I will say I have a completely different perception of what has occurred here today. I am sure that I must not be alone in my feelings.