Timeline Of Events: Linux Mint Website Hack That Distributed Malicious ISOs (softpedia.com)
An anonymous reader writes: The Linux Mint website was hacked last night and was pointing to malicious ISOs that contained an IRC bot known as TSUNAMI, used as part of an IRC DDoSing botnet. While the Linux Mint team says they were hacked via their WordPress site, security experts have discovered that their phpBB forum database was put up for sale on the Dark Web at around the same time as the hack. Also, it seems that after the Linux Mint team cleaned their website, the hackers reinfected it, which caused the developers to take it down altogether.
WordPress ??? (Score:2)
The worst of the worst unless anyone can figure out that spaghetti called Drupal.
It is the IE 6 of CMS and people keep using it.
I swear we all should just give up and write our own cms.
Re:WordPress ??? (Score:4, Funny)
Which is how we got Joomla, which is the IE 7 of CMSs.
Re: WordPress ??? (Score:4, Funny)
Only as bad as IE 7? Oh OK then
Re:WordPress ??? (Score:5, Interesting)
Ah, Drupal. Drupal is amazing, in that it's clear the developers looked at PHP, said "this is a horrible insecure language" and then decided "let's create a giant platform on top of it to try and fix up the flaws" rather than "let's look for a language that isn't terrible."
So now Drupal is its own language and library onto itself, and PHP has evolved to fix many of the problems Drupal attempts to solve but Drupal is stuck with their own implementations.
The amount of code Drupal has to load to render a single webpage is hilarious and somewhat worrying. It's enough that Drupal has to have its own code caching system on top of Zend or whatever you use to try and get performance to reasonable levels.
Which is probably the only reason you hear about WordPress getting hacked more than Drupal. Drupal has an impressive list of CVEs, but most people who try and use Drupal end up saying "fuck this" and using WordPress instead, because it's possible to get WordPress running without driving yourself insane.
Re: (Score:2)
Re: (Score:1)
Says the anonymous coward who is probably still struggling with their first "Hello World" program in quick basic.
Re: (Score:3)
In the world of machine safety, we call it "reasonably foreseeable misuse". If a programming language allows security flaws to happen when the programmer is lazy, it's a bad language, and should not be used for this application. Point.
http://www.controleng.com/blog... [controleng.com]
Re:WordPress ??? (Score:4, Funny)
Re: (Score:2)
Yep, but by putting basic idiot proof, you tackle the low hanging fruit 95% of errors. And that lacks in the Software industry.
Re: (Score:2)
Re: (Score:2)
What language will totally prevent errors and exploits like buffer overflows and SQL injection? Or allow clear text storage of passwords? Or hashed, but unsalted passwords?
The biggest "problem" with PHP is that it allows just about anyone to start writing code and putting it out there, with no guarantee of developer skill or security consciousness. And because they got it to just about work and they want to "be helpful and give back", they publish the code/solution as a half assed howto or web article or
Re: (Score:2)
Rust? Go? Javascript? Buffer overflows are totally prevented in most higher level languages. You can cause them, but the application will *always* crash safely.
SQL injection is a product of SQL itself being a poor language that doesn't clearly delineate data and code.
Re: (Score:2, Insightful)
Re: (Score:1)
The possibility of putting together insecure code without realizing it is high, in any language, even ones with massive safety nets like VMs, strict typing, garbage collection ala Java...none of those systems, or any one that you could mention either, eliminate the possibility of the _programmer_ making a mistake. It's not that difficult to miss, either. SQL injection is still one of the most popular website hacks, why? The mistakes that lead to SQL injection are easy to make, in any language.
Bad PHP progra
Re: (Score:2)
Re: WordPress ??? (Score:2)
Please don't. There's about a million of them already. A CMS is the text editor of web development where someone thinks they can do better than the existing ones and is usually wrong.
Re: (Score:2)
Ever try to archive a WordPress site? Nothing but reams of PHP, and good luck finding the site's content.
Re: (Score:2)
I now got an idea for a project to teach myself Erlang.
Re: (Score:2)
I now got an idea for a project to teach myself Erlang.
No man, all the cool kids use Outlaw Techno Pyschobitch [youtube.com] as the real rockstar language.
Re: (Score:2)
Re: (Score:1)
Re:STFU (Score:4, Funny)
>>Name a better CMS.
Notepad.
Re:STFU (Score:4, Funny)
Re: (Score:2)
The Banshee Content Management Framework [banshee-php.org].
Re:STFU (Score:4, Interesting)
Name a better CMS.
Offline. There is no way to secure WordPress for any length of time, so use it as a static site generator and post that. (Or Drupal, or anything else) More security and less resources needed.
Re: (Score:2)
Git, hosted at Github.
If you mean a "web publishing system", then Wordpress has a reasonable history of being one. But that doesn't make it a CMS.
Re: (Score:3, Insightful)
It's not really WordPress that's so bad. Not really. They used to be pretty bad but they, themselves, have gotten their act together. The problem is that people don't keep things updated and will use extensions and add-ons and the likes from anywhere. They won't keep those updated either. If they're maintained well, if you pick the add-ons by activity and reputation and timely security fixes, and if you're a little attentive then you'll be okay.
There are a few add-ons (oddly enough) to help with this. There
Re: (Score:2)
First, if the default out of the box is highly insecure, the product's insecure. If it has a plugin framework that is insecure, the product is insecure.
Just because you can make it secure (you think) doesn't mean the product is secure. Take windows for example, you can run it standalone with only vetted code in a vault and it'll be pretty "secure", but that doesn't make windows secure. You can also run a very stripped down version with lots of unnecessary crap removed and that will make it more secure tha
Re: (Score:1)
It's not highly insecure out of the box. It used to be pretty bad but it has improved greatly. The plugin framework isn't insecure, in and of itself.
Nothing is secure, they're all varied degrees. I get far more security updates on a stock Linux distro install than I ever did on a stock Windows install. Yet, I'd still say that Linux is secure - because I know that nothing is completely secure, so the definition is reduced to "reasonably secure."
Speaking of Windows, you can use Windows normally and just fine
Re: (Score:2)
I've got a big problem with that idea. If WordPress is only secure today because you had to install a critical update a week to keep it that way, that means WordPress is NOT secure. It doesn't matter if at 10:07 EDT as I write this, a fully updated WP install is free of known security issues. The fact that there were a dozen issues that I had to patch for previously means there were inevitably stretches of time when there *were* known issues. Even if I
Re: (Score:1)
AH yes the old "WINDOWS JUST GETS SO MANY VIRUSES BECAUSE IT'S POPULAR" and yet still the iPhone platform has been relatively damn secure through its life (and I say this as someone who doesn't otherwise like Apple products that much).
WordPress gets so much shit re security because it is so shit re security. It is popular because of inertia and because the options aren't any better - again, just like Windows through the '90s and early '00s.
Last year iOS and OSX each had more security vulnerabilities than Flash.
They Need To Take EVERYTHING Down (Score:3, Insightful)
They've got a serious breach with no idea how the attackers got in and continue to get in. They need to take EVERYTHING down including their name servers and verify that their registration with the root servers hasn't changed, until they have done a thorough post breach analysis. Only then can they bring up newly installed servers with whatever vulnerability fixed.
This should take several days. Possibly even weeks, depending on the extent of their infrastructure.
I hope the virus was open source at least (Score:3)
I mean, at least make the code available.
Re: (Score:2)
There was no virus, it was a security flaw in Wordpress.
PHP is a security vulnerability! (Score:1)
Don't use it!
Re: (Score:1)
OK, what should I use instead? Serious question.
I need to set up a dynamic site with an e-store, blog, forum, and mailing list, ready to go out-of-the-box, without having to hack piles of code to set it up and modify it. I don't have an endless budget or endless development time to do this. What should I use?
Re: (Score:1)
The question is why do you need all of those things if you're Linux Mint?
An e-store is nice, because it brings in revenue. There's e-store code out there that's not as vulnerable as WP.
A forum is not a bad idea - it allows your users to receive some kind of support and provides a place for announcements and FAQs. There's forum code out there that's not as vulnerable as WP.
While these are not as easy to use as some kind of 'universal' solution like WP, they are also much more secure. Getting hacked in thi
Re: (Score:1)
Okay my professional opinion is to copy what OpenBSD does. For everything. Down to being as abrasive as Theo de Raadt.
Re: (Score:1)
Okay, so I'll just install PHP on OpenBSD [php.net] then.
Re: (Score:2)
I need to set up a dynamic site...
Why? Seriously, why does the site need to be dynamic? Could you do what you need with a static site with a few dynamic pages? Thinking this way is how security works. Just going with some package downloaded off the Internet is how major compromises work.
Re: (Score:1)
Any idiot can make a site secure by serving up static content and web forms, but managing that content can be a big job. Making changes across a large site is a big job.
It doesn't address the point anyway: people keep saying there are better languages than PHP that can do what PHP can do, only more securely. I seriously want to know what they are.
Re: (Score:2)
Any idiot can make a site secure by serving up static content and web forms, but managing that content can be a big job. Making changes across a large site is a big job.
I guess we have different versions of "big job." Install WordPress internally. Let the internal devops idiots go wild. Run a script nightly that generates static content, pushes it in to a repository (like svn) for history, and then pushes it live. They break something and run a script to roll back SVN and push the last version live again while they fix it. Rocket science...
(Oh shut up about git being better. No need for anyone to fork it... It is a backup!)
Re: (Score:2)
Re: PHP is a security vulnerability! (Score:1)
Re: (Score:2)
Re: (Score:2)
I just went through "Smallwall" and "pfSense" training...
Now where did you find SmallWall training? Because they do not have any. Not by them anyway. You may have taken some MOOC somewhere, but SmallWall didn't do it. So I am going to have to call bullshit, Mr. AC.
wtf? (Score:1)
1. Not isolating download servers from forum/blog servers.
2. Not auditing changes of all critical files with immediate reporting.
3. Not instructing all users to check signature from various well-reputed third party locations.
4. Using Wordpress when most people need sufficiently few features that they'd be better off rolling their own.
Re: (Score:3)
FTA:
"During the second compromise, all Linux Mint ISO download mirrors were pointing to the same Bulgarian FTP site (IP: 5.104.175.212)"
repos unharmed? (Score:1)
Anyone checked repositories ?
Re: (Score:1)
If it were the repos, we'd be hearing about Ubuntu, not Mint.
Stop. Using. Wordpress!! (Score:1)
Re: (Score:2)
What makes you think if someone is incapable of securing wordpress that the outcome would be different with any other system?
Re: (Score:2)
Re: (Score:2)
No one is capable of securing Wordpress.
Most of the internet would disagree with you.
Re: (Score:2)
Re: Stop. Using. Wordpress!! (Score:3)
How is that relevant? I've never built a car either but I have still owned some really shit ones and have said as much. WordPress is messy, insecure and is tightly coupled to one DBMS. It's quick to set up but awkward to do it right.
Just an IRC bot (Score:1)
I read the article and man are these guys full of themselves.
They were disappointed at being a "top shelf Linux distro" and getting hacked by amateurs, for a lowly IRC bot.
"They hacked php-this and we thought they hacked php-that, they should have waited longer and really had us."
The whole article could have been reposted from 1998 with a hashtag thrown in.
You were burgled by amateurs, and your sysadmins should be embarrassed.
old-school (Score:2, Interesting)
y'know... there's a reason why debian sticks with old-school mailing lists and why the mirrors keep it as utterly simple as possible. but the other question is, were users verifying the md5/sha1 checksums on the ISO images? how would they do that (when usually they will be downloading a check-program from the same website)? would they *know* to verify the checksums?
Re:old-school (Score:5, Informative)
If the website is compromised the md5 sums available for download on the same website are highly likely to be compromised, too...
Re: (Score:3)
but the other question is, were users verifying the md5/sha1 checksums on the ISO images? how would they do that (when usually they will be downloading a check-program from the same website)? would they *know* to verify the checksums?
Seriously?? This is why public keys exist...
Re:old-school (Score:4, Insightful)
No. Public keys exist to ensure only one person can decrypt what you are sending.
No, public keys also exist to verify private signatures. In all the years my public key has been out there, I've had it used for encryption maybe a handful of times (mostly for Debian voting verification), but it's been used for signature verification (mostly with Debian packages) more times than I can count.
I dodged this by following advice from paranoids.. (Score:1)
When I pressed the update icon in my toolbar (linux mint 17) I got a strange alert saying "cannot verify that the software is what it is supposed to be" (can't recall the exact wording, but everything I have read here and elsewhere said to me "don't install stuff you don't trust and can't verify"
So, I clicked cancel. The updates were fishy, even though they were through a legitimate source, but who knows when that source could get hacked?
Thanks slashdot for all the paranoia over security for the past 15 yea
Re: (Score:3)
When I pressed the update icon in my toolbar (linux mint 17) I got a strange alert saying "cannot verify that the software is what it is supposed to be" (can't recall the exact wording, but everything I have read here and elsewhere said to me "don't install stuff you don't trust and can't verify"
So, I clicked cancel. The updates were fishy, even though they were through a legitimate source, but who knows when that source could get hacked?
Thanks slashdot for all the paranoia over security for the past 15 years, it's paid off, just last night. :) Cheers!
To all the jerks that say I have a tinfoil hat, have fun with your viruses!
That's exactly what you were supposed to do! And it's properly called precaution, not paranoia.
Blame it on Wordpress (Score:2)
While the culprit turned out to be something else, I think it speaks volumes that the folks at Mint jumped straight to the conclusion that it was a WordPress hack. WordPress must be among the most frequently targeted and compromised systems on the web. To a large degree, you can pin this on market share. But over the years, the many cries pointing out the insecurities in WordPress have not been entirely without merit. Hence the first conclusion. The great thing of course about
Re: (Score:2)
I see your points, but the first thing a WP redo should do is redesign the architecture. It's the classic mess done by people who started developing in the first web-boom and never learned to normalise a DB correctly.
The security problems with WP are somewhat inherent to the LAMP stack and not so much WP. A proper Webapp Server built in some serious PL such as C++ or Go would do the trick, but that would kill the huge advantages of these awesome products cobbled together in PHP.
It's a tradeoff, and for that
Somebody wasn't doing their homework. (Score:5, Informative)
Now WP and PHP are going to get tons of flak, once again.
To put things into perspective: WordPress has north of 100 Million active installs. It powers more than a fourth of the entire web. That's orders of magnitude more than any other system on the planet ever has. For that, WP has an excellent security track record with the last new exploit infecting roughly 8000 websites. Once again of that type that weren't following basic security procedures.
Using WP for a high-profile, high traffic website such as Linux Mint may be questionable due to load issues alone, but it is doable if you follow just the simplest security principles - such as disabling the login page, using non-standard garbled logins, de-coupling login and username and using a non-standard table prefix.
All this is SOP on any non-development WP installation and mitigates 99.999% of the standard attacks on WordPress. That, and not showering your install with tons of plugin-bloat perhaps.
WordPress is a system for quickly cobbling together a high functionality website and for that it is excellent. But you have to know your basics about PHP and the LAMP stack, otherwise you have no business setting up a WP installation and are way better off getting one at wordpress.com or some other apphoster for WP. Which, btw., is a perfectly viable option if you've got your hands full maintaining a Linux distro and couldn't
The Linux Mint people screwed up and perhaps even compromised some boxes that have yesterday's fake ISOs installed on them. They didn't do their homework in terms of basic web-security and this is not the fault of WP or PHP.
I hope they learn their lesson.
Re: (Score:1)
Switch up the login page and mildly obfuscate the SQL table names? THAT'S supposed to protect a WP site from 99.999% of attacks? I'll grant you these are some of the first baby steps to securing a WP site, but this is a far cry from the 99.999% you're throwing around.
Re: (Score:3)
such as disabling the login page, using non-standard garbled logins, de-coupling login and username and using a non-standard table prefix.
All this is SOP on any non-development WP installation and mitigates 99.999% of the standard attacks on WordPress
<Location /wp-login.php>
Order Allow,Deny
Allow From 1.2.3.0/24
</Location>
<Location /wp-admin>
Order Allow,Deny
Allow From 1.2.3.0/24
</Location>
This is enough to secure most installs for brute force / stolen credentials.
You don't get to be number one (Score:1)
And not be challenged?
Re:forum (Score:5, Insightful)
They were selling the database. The PMs aren't encrypted in most forums, I'm not sure about phpBB. The passwords are salted and hashed so they're not gonna be digging out rainbow tables and getting passwords. They'll have email addresses that tie in with usernames. They'll know a little about the person so spear phishing is a possibility as is just plain phishing.
I've got some data involved in this one. Nothing major, nothing important. I am not the least bit concerned. I did not download any of the torrents. I do have the legit versions of the .ISOs seeding - all current versions and some older versions - going back to at least v. 14. So, it sucks but it's not the end of the world - unless this damages their reputation so much that people bail on them.
I like Linux Mint. I call it Linux for Retards - which means that I can use it without even looking at the manual. They're well supported, give access to the Ubuntu ecosystem, a cautious and safe build, and not a horrible community. I have a laptop with me that has Cinnamon on it. They'll be okay.
But, there's a few things that make the database valuable. The emails and username combinations are a good start. They can then do some work and figure out more personal traits and then attempt some social engineering, phishing, and even targeted malware - if they want to invest enough energy.
Re: (Score:2)
The passwords are salted and hashed so they're not gonna be digging out rainbow tables and getting passwords.
They can brute force their way to at least some of the passwords. And given that there's likely an overlap between the group of people who choose insecure passwords and people who reuse passwords on other sites, it doesn't take a lot of hits before the yield is valuable.
Re: (Score:1)
Doesn't phpBB use different salts for each user? If they do and if I am understanding properly then I'm not sure how far they'll get? Though, to be clear, I am not 100% certain that I'm understanding everything correctly. They really shouldn't be able to do much in the way of brute forcing?
Re: (Score:2)
Doesn't phpBB use different salts for each user? If they do and if I am understanding properly then I'm not sure how far they'll get? Though, to be clear, I am not 100% certain that I'm understanding everything correctly. They really shouldn't be able to do much in the way of brute forcing?
Doesn't matter.
Unique salt (which is the only way to do salt; there's zero reason to bother salting if the salts aren't unique), just means that each password has to be brute forced individually. But passwords can be tested so fast that a high percentage of passwords on most sites are found with only a few minutes effort, so brute forcing is well worth the effort.
Passwords suck, and they're getting worse all the time.
Re: (Score:1)
How exactly are they brute forced? I guess that's what I'm not getting. If they'd be doing simple brute force, why bother with the hash at all and just not authenticate it on a server that they control? How would they brute force the hash - and wouldn't each one be unique? It seems to me that's just a waste of time when they can use phpMyAdmin (for example) import the DB, and just use a local version of phpBB with timeout or attempt limits nullified from the script?
I'm really positive that I'm missing somet
Re: (Score:3)
Brute forcing hash based passwords involves getting a program like John the Ripper or one of the versions that supports the bit coin mining hardware and just asking it to try a trillion of the most likely passwords in a few seconds.
I find it entertaining that many security experts are claiming sha-256 hashes are more secure than older weaker hashes yet I can spend less than $1,500 and buy hardware that will try more than 2 trillion sha-256 hashes a second yet the cost do the early md5 based passwords is now
Re: (Score:1)
Yeah, that'd probably be faster than punching through the phpBB script's login function. I'd have just built a local phpBB instance and pounded on it after removing the timeout security checks and captcha if applicable. I've not done anything of the sort in a very long time. I'm not going to start up now. But, that's how I'd have gone at it. Start with dictionary then brute-force. It should be fast enough as it's being run locally. Anyone without a complex password is gonna be found pretty quickly. Unless I'
Re: (Score:2)
How exactly are they brute forced? I guess that's what I'm not getting. If they'd be doing simple brute force, why bother with the hash at all and just not authenticate it on a server that they control? How would they brute force the hash - and wouldn't each one be unique? It seems to me that's just a waste of time when they can use phpMyAdmin (for example) import the DB, and just use a local version of phpBB with timeout or attempt limits nullified from the script?
Going through a login interface is orders of magnitude slower than brute forcing the passwords from extracted hashes in specialized cracking programs. You load in the hashes and salts and run a fast loop with the hashing algorithm over millions of guesses in the same time it takes to do just a handful of guesses against a login interface.
And even though it's brute force, it's not dumb brute force. First, dictionary attacks including passwords found on other sites, permutations of words, letter substitutio
Re: (Score:1)
I don't know how to do the latter. If I were to try this, I'd strip out the time checks and security from the phpBB script, run it locally, and hammer that with a dictionary and then a brute force attack. It'd work and I'm gonna get results. Anyone with a short and easy password will be gone quick. I've already got a list of usernames to check, I might split them and assign them some priority based on what I can glean from the site and see who's an admin and whatnot. I might even load it on a few boxes and
Re: (Score:2)
You newfangled kids and your fancy and effective (and cheaper and faster) methods! Get off my lawn!
Oh, and I'm well behaved today. I have to be. You go right to prison for playing those sorts of games now. I could just build my own DB and poke at it. I'm not sure what the benefit would be.
I'm not as young as you might think.
As a sysadmin, I periodically run crackers against the password hash databases for apps I admin, and send users notifications to change the password if it falls quickly to fairly standard cracking programs, or if it falls and the same password turns out to be used for more than one service. Either is bad, and scanning for and correcting this is a good thing, if we ever get hacked.
Also, for servers in attacked positions, "haystacking" them, injecting tens of thousands of
Re: (Score:2)
I'd strip out the time checks and security from the phpBB script, run it locally, and hammer that with a dictionary and then a brute force attack. It'd work and I'm gonna get results
Sure, but a few orders of magnitude slower than doing the hashing locally on dedicated hardware.
The best way to do this is to run the hashing on a set of GPUs, each of which has dozens to hundreds of cores. With your method you'll be lucky to test a thousand passwords per second. With dedicated hardware -- and assuming a computationally cheap hash like SHA-256 or MD-5, you can build a system that will test a billion passwords per second for a few thousand dollars -- or rent one on AWS or similar for a few
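An added example (not part of the thread, and not phpBB's own code) of the point made in the comments above: a unique salt makes two identical passwords hash differently, but the cost of checking one guess is set by the hash function, which is why a deliberately slow KDF matters. The function names, the iteration count and the sample passwords are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

# Assumed work factor for this example; tune it to your own hardware.
PBKDF2_ITERATIONS = 100_000


def fast_hash(password: str, salt: bytes) -> bytes:
    """Salted single-round SHA-256: the 'computationally cheap hash' case."""
    return hashlib.sha256(salt + password.encode()).digest()


def slow_hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256: same salt handling, far more work per check."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                               PBKDF2_ITERATIONS)


def new_record(password: str, hash_fn) -> dict:
    """Store a fresh random salt per user next to the resulting hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_fn(password, salt)}


def verify(password: str, record: dict, hash_fn) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hash_fn(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def checks_per_second(hash_fn, budget: float = 0.2) -> float:
    """Measure how many password checks this machine does per second."""
    salt = os.urandom(16)
    count = 0
    start = time.perf_counter()
    while time.perf_counter() - start < budget:
        hash_fn("guess%d" % count, salt)
        count += 1
    return count / (time.perf_counter() - start)


def hours_to_test(wordlist_size: int, accounts: int, rate: float) -> float:
    """Unique salts force one full pass over the wordlist per account."""
    return wordlist_size * accounts / rate / 3600


if __name__ == "__main__":
    # Constructed sample: two users who picked the same password.
    a = new_record("correct horse", fast_hash)
    b = new_record("correct horse", fast_hash)
    print("same password, same stored hash?", a["hash"] == b["hash"])

    for name, fn in (("salted SHA-256", fast_hash), ("PBKDF2", slow_hash)):
        rate = checks_per_second(fn)
        hours = hours_to_test(10_000_000, 1_000, rate)
        print("%-15s %12.0f checks/s, %14.1f hours for 10M words x 1000 users"
              % (name, rate, hours))
```

The rates printed are for one CPU core in Python; dedicated hardware changes the absolute numbers, not the ratio between the two schemes.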
Re: (Score:2)
Re: (Score:2)
> The passwords are salted and hashed so they're not gonna be digging out rainbow tables and getting passwords.
No, they can merely apply brute force guessing techniques to verify password guesses. I've seen no hint that the distributed work and very effective ruleset of Alec Muffett's old "crack" password guessing utility have ever yielded less than 10% of any DES or now 3DES based list of hashed passwords.
Re: (Score:1)
Alright. I'm kind of getting it. Needless to say, I've not gone password cracking in a very, very long time. Err... I'm a bit more responsible these days. I'd also like to avoid felonies. We used to have some neat ways to just hammer on the regular user/password combos in a dictionary attack and get plenty of hits. If you can refine that to specific usernames, you're way ahead and there are a lot more cheap compute cycles kicking around now. I think I'm going to just continue to observe and pay attention as
Re: (Score:2)
Re:forum (Score:4, Informative)
Remember that such exploit is merely a way to create zombies, and a huge botnet of thousands and thousands of active zombies can be rented for a few dollars per hour. It's not a very lucrative market when you consider the labor and risk involved.
That explains why those hackers who got caught by the FBI a few years ago were immensely thrilled when they made $7,000 in bitcoins.
Re: (Score:2)
Azure and AWS aren't that expensive, either.....a single core VM on Azure is $0.09/hr. Not quite as cheap as some sliver of thousands of machines, but not as shady.
Re:forum (Score:4, Interesting)
Probably not. You know they like Linux, you've got a known working (verified) email address, you've got a username, you might be able to make some sort of personal profile based on forum comments. You can check locations with IP addresses but that's not always a certainty. You can probably narrow down which is their preferred Mint. Depending on what they've said in public (and maybe in private) then there's some potential to assign that profile to a person. If they've used the email and/or username elsewhere, they can put some more data together.
It really depends on what they're willing to put into it for effort. $85 is pretty cheap but they're probably not selling it as an exclusive so others will be targeting the users. They'll probably be combing through the data. It's a relational database so they may even automate some of this away (I would) and then simply start running reports. They might even have a way to weigh the data and find the more prominent posters and "mash up" what data they've shared. They'll potentially have some of the site's maintainers, admins, and even the dev team interacting with each other via PM. They might have even been dumb enough to PM passwords to each other.
But no, really that's not much. Not as far as data spillage goes, it's not much at all.
Re: I hope they fix their name someday (Score:1)
Re:This is what happens when you use Linux (Score:5, Insightful)
Re: (Score:1, Offtopic)
We need a revolutionary workers party that Lenin and Trotsky would call their own.
No! What we need is an all powerful nationalistic dictator who can "feel" terrorism and wave his satanic wand and do dark magic to fix everything!
TRUMP/PALIN 2016
TRUMP/PALIN FOREVER!!
What's awesome is how disconnected from the truth your comment is.
How is life on planet angry loon?
this is the worst thread I've seen on Slashdot this year, I had to be part of it.
#WorstOf2016SoFar
Re: (Score:1, Offtopic)
We need a revolutionary workers party that Lenin and Trotsky would call their own.
No! What we need is an all powerful nationalistic dictator who can "feel" terrorism and wave his satanic wand and do dark magic to fix everything!
TRUMP/PALIN 2016
TRUMP/PALIN FOREVER!!
What's awesome is how disconnected from the truth your comment is.
How is life on planet angry loon?
this is the worst thread I've seen on Slashdot this year, I had to be part of it.
#WorstOf2016SoFar
give it a week.
Re: (Score:2)
This is one reason why GPG signed would be a much better idea than posting sha512sums. The sums are marginally useful to verify a mirror or whatever, but a gpg signed would allow you to verify new content going forward.
Re: (Score:2)
Indeed. Checksums are only good to check for transmission errors, unless the checksums are PGP-signed. Checking for transmission errors is a good idea with these sizes, but not any protection against attacks.
Re: (Score:3)
Re: (Score:2)
"affected".
Re: (Score:2)
That is why you use PGP signatures. Unless they compromise the key before you got it, they are out of luck.
Re: (Score:2)
Re: (Score:1)
debian.org
Re: (Score:3)
Verify the ISO against the SHA512 hashes and the PGP signature of the hash-file. Unlike re-downloading that actually gives you security.
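An added example (not part of the thread, and not Linux Mint's own tooling) of the check described in the comment above: accept the hash file only if its PGP signature was made by a key whose fingerprint you obtained out of band, then compare the ISO's SHA-512 against it. The file names, the pinned fingerprint and the helper names are assumptions; `gpg_status` shells out to a locally installed `gpg` with the signer's public key already imported.

```python
import hashlib
import hmac
import os
import subprocess

HEX = set("0123456789ABCDEF")


def parse_sums(text):
    """Parse sha512sum-style lines: '<hex digest>  <file name>'."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        sums[name.strip().lstrip("*")] = digest.lower()  # '*' = binary mode
    return sums


def file_digest(path, algo="sha512", chunk=1 << 20):
    """Hash a large file in fixed-size chunks instead of reading it whole."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def valid_signers(status_text):
    """Fingerprints named on gpg's machine-readable VALIDSIG status lines.

    The first field is the signing (sub)key, the last the primary key.
    """
    found = set()
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            for tok in (parts[2].upper(), parts[-1].upper()):
                if len(tok) >= 40 and set(tok) <= HEX:
                    found.add(tok)
    return found


def signature_ok(status_text, pinned_fpr):
    """True only if the pinned key signed; any other valid key is refused."""
    return pinned_fpr.replace(" ", "").upper() in valid_signers(status_text)


def gpg_status(sig_path, sums_path):
    """Run gpg on a detached signature and return its status output."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, sums_path],
        capture_output=True, text=True)
    return proc.stdout if proc.returncode == 0 else ""


def verify_iso(iso_path, sums_path, sig_path, pinned_fpr,
               algo="sha512", status_fn=gpg_status):
    """Signature first, checksum second: an unsigned hash proves nothing."""
    if not signature_ok(status_fn(sig_path, sums_path), pinned_fpr):
        return False
    with open(sums_path) as f:
        expected = parse_sums(f.read()).get(os.path.basename(iso_path))
    if expected is None:
        return False
    return hmac.compare_digest(expected, file_digest(iso_path, algo))


if __name__ == "__main__":
    # Placeholder values: substitute your own paths and the fingerprint you
    # verified through a channel other than the download site.
    PINNED = "<FINGERPRINT-OBTAINED-OUT-OF-BAND>"
    print(verify_iso("linuxmint.iso", "sha512sum.txt", "sha512sum.txt.gpg",
                     PINNED))
```

Pinning the fingerprint matters because `gpg --verify` reports a good signature for any key in the local keyring, including one imported from the same compromised site.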
Re: (Score:2)
And one more: Unlike re-downloading, that gives you actual security.
And what about: Unlike re-downloading, this gives you actual security.
Language relies on the listener having a clue and interpret in the right way. Otherwise it does not work at all.
As the first sentence is an imperative, there really is no potential for misunderstanding here.