Check your ISOs

I almost never check the integrity of the ISOs I download for Linux and BSD installs. But I should.

While I was able to install PC-BSD 1.3 without trouble on my $0 Laptop (the Gateway Solo 1450), the install for

version 1.4 kept crapping out.

Then I checked the ISO by doing its MD5 sum. It was bad.

What is MD5? Here's what SearchSecurity.com has:

MD5 is an algorithm that is used to verify data integrity through the creation of a 128-bit message digest from data input (which may be a message of any length) that is claimed to be as unique to that specific data as a fingerprint is to the specific individual. MD5, which was developed by Professor Ronald L. Rivest of MIT, is intended for use with digital signature applications, which require that large files must be compressed by a secure method before being encrypted with a secret key, under a public key cryptosystem. MD5 is currently a standard, Internet Engineering Task Force (IETF) Request for Comments (RFC) 1321. According to the standard, it is "computationally infeasible" that any two messages that have been input to the MD5 algorithm could have as the output the same message digest, or that a false message could be created through apprehension of the message digest. MD5 is the third message digest algorithm created by Rivest. All three (the others are MD2 and MD4) have similar structures, but MD2 was optimized for 8-bit machines, in comparison with the two later formulas, which are optimized for 32-bit machines. The MD5 algorithm is an extension of MD4, which the critical review found to be fast, but possibly not absolutely secure. In comparison, MD5 is not quite as fast as the MD4 algorithm, but offers much more assurance of data security.

Whew! More than we all wanted to know.

At any rate, we think the files that we download are always perfect, and they should be. Remember the pre-Internet days when we downloaded files from BBSes and had about six different protocols to use? Some had more error-checking than others, and as a result were slower.

I don't know the strength of error-checking in a standard Internet TCP/IP download, but if we have MD5s to check, it must not be 100 percent all of the time.

So here's how to check.

In Linux, it's easy. Just open up a shell and do this:

% md5sum filename.iso

then wait for the longish output, which will look something like this:

defbcfc51c1e05ad908198d669bf159b

If that matches the MD5 that comes with the file you downloaded, you're good. By the way, the "good" MD5 is usually printed somewhere on the same Web page from which you found the file, and is almost always contained in a text file accompanying the full ISO on the FTP site.

But what if you're downloading and burning in Windows -- something I do all the time? Use winMD5Sum, a great program that checks MD5s on your Windows box.

Soapbox time: Why can you check an MD5 sum on ANY Linux box but not on Windows until you purchase an additional program? Because Microsoft doesn't want you to even be tempted to download huge files of operating systems that lessen your dependence on Windows. Hmmmm ... they want to keep you as a customer by giving you less? Sounds like a plan, all right.