/srv/irclogs.ubuntu.com/2015/03/12/#lubuntu.txt

[02:59] <molly_millions> Would anyone kindly share a link to or results for SHA256 hash of Ubuntu Mini 64-bit Trusty Tahr 14.04?
[03:00] <holstein> !mini
[03:00] <ubottu> The Minimal CD image is very small in size, and it downloads most packages from the Internet during installation, allowing you to select only those you want. The installer is text based (rather than graphical as used on the Desktop DVD). See https://help.ubuntu.com/community/Installation/MinimalCD
[03:00] <holstein> should be posted there.. probably just the md5's for the images..
[03:00] <holstein> !md5
[03:00] <ubottu> To verify your Ubuntu ISO image (or other files for which an MD5 checksum is provided), see http://help.ubuntu.com/community/HowToMD5SUM or http://www.linuxquestions.org/linux/answers/LQ_ISO/Checking_the_md5sum_in_Windows
[03:01] <molly_millions> I have verified the MD5 and SHA1 hashes. Why isn't a SHA256 available on Ubuntu's website for the mini?
[03:01] <molly_millions> Is it due to the size?
[03:02] <holstein> molly_millions: not sure.. what are you thinking? its not 'secure' enough? its not really a security step so much, there.. its just so you can test the iso for the content
[03:03] <molly_millions> Correct, I would like to verify the security (integrity?) of the image.
[03:03] <holstein> molly_millions: well, those are not the same
[03:03] <molly_millions> Please continue.
[03:04] <holstein> the integrity is just that.. "is this image ok, based on my internet?" and other variables
[03:04] <holstein> its not "did someone replace this, or part of the iso?"
[03:04] <molly_millions> In other words, did the file make it to my computer without some sort of routine transmission corruption?
[03:04] <holstein> molly_millions: correct
[03:04] <holstein> *if* someone has access to change the iso, they have access to change the sum.. likely
[03:05] <molly_millions> So, those hashes are about integrity?
[03:05] <holstein> molly_millions: correct.. its not about making sure no one has "messed with" the iso
[03:05] <holstein> if they messed with it, on the server, then, they can "mess with" the hash sum.. no matter how slick, new and/or modern
[03:06] <molly_millions> Okay, so how might I assess the security of the image? I was under the impression that hashes also indicated something about that. Do hashes not provide any real indication of security?
[03:07] <holstein> molly_millions: as i said, you really cant that way
[03:07] <holstein> molly_millions: *if* we had, for example, some sha256 hash with the iso's, then, the "hacker", having access to whatever files, or server to replace the iso, would replace the sha256 sum
[03:07] <holstein> molly_millions: its more about, who can upload to that server?
[03:08] <holstein> molly_millions: try uploading a "bunk" iso to ubuntu.com ;)
[03:08] <molly_millions> Thanks, I think I understand. They could also change the page that lists the hash.
[03:09] <holstein> yup
[03:09] <molly_millions> So, let's say I download any given image. What would someone do to assess the security?
[03:09] <holstein> it would have to be a 3rd party service, that, you would then *also* be trusting
[03:09] <holstein> the iso "is what it is".. then, you have access to "official" repos for the software
[03:10] <holstein> those repos and packages are "maintained".. not just anyone can upload a package there
[03:10] <molly_millions> I see. I think the bottom line is that there isn't much to worry about, right?
[03:10] <holstein> *thats* what would happen.. a key gets compromised, and a compromised version of firefox gets installed on systems
[03:11] <holstein> what to do about it? you can always do "linux from scratch" or get *all* these parts and source *right* from the creators, and build them yourself
[03:11] <holstein> for example, you would be getting the source from mozilla and building it.. but, then, you have the same questions there
[03:11] <holstein> who uploaded this source? how can i "trust" it?.. etc
[03:12] <holstein> molly_millions: well, im just saying, the system is built with the concerns you raise in mind
[03:12] <molly_millions> It seems to be a rather complicated problem.
[03:12] <holstein> molly_millions: i say, dont trust anyone.. and always be skeptical.. but, when downloading the installer iso, thats not a big issue
[03:12] <holstein> especially with the mini
[03:12] <holstein> nothing comes on the mini iso.. just the minimum
[03:13] <holstein> you can then see what is coming from the official repos..
[03:13] <molly_millions> Why isn't the image listed with the SHA256 like the other images? And, where does gnupg come into play?
[03:13] <holstein> molly_millions: ask them
[03:13] <holstein> https://www.gnupg.org/
[03:13] <holstein> GnuPG allows to encrypt and sign your data and communication
[03:14] <holstein> so, if someone on some build team says, via email "im linking to something i need pushed into the code of something vital in the security layer of something"
[03:14] <holstein> the folks in that email chain have things, such as the tool you reference, in place, to make sure that person *is* who they say they are
[03:14] <holstein> there are "key signing parties"
[03:15] <holstein> where a person "vouches" for you, in person, then, a 'web of trust' is created
[03:15] <holstein> you *know* that someone you know knows a person that knows that person, and has "approved" the key.. so, they are "trusted"
[03:16] <molly_millions> Right, the "Web of Trust"? I've been reading about gpg and would like a robust understanding. Can't downloaded files also be checked with gpg?
[03:16] <holstein> molly_millions: sure.. and that key can be compromised
[03:16] <holstein> molly_millions: so, again, you have to ask "whats the goal?"
[03:16] <holstein> if its, "how can i be totally safe online?", you shut the computer off..
[03:17] <holstein> if its, "how can i trust that this is what the person says it is?" you can ask for a key to verify what the stuff is.. but, you trust that key, and that person
[03:17] <holstein> if you dont know that person, then, you cant trust the key either
[03:17] <holstein> if its "i want to send private email?" this is the wrong channel
[03:18] <molly_millions> So, I should talk to my local user group for keys?
[03:18] <holstein> molly_millions: what do you need a key for?
[03:19] <molly_millions> I'm learning about information security as a hobby and want to create a hardened system and establish secure channels of communication. Mostly academic interest.
[03:19] <holstein> sure.. so, ask in a ##security channel.. start with a distro that is aimed at that
[03:19] <holstein> ubuntu is not.. its aimed at "normal" desktop use
[03:20] <holstein> anything here will be relevant https://wiki.debian.org/Hardening but, im sure you have read that..
[03:21] <molly_millions> Thank you. This is all very helpful.
[03:21] <holstein> "information security" would be that.. you meet a person, *in* *person*.. and they say they are who they say they are, and they give you a key
[03:21] <holstein> everything else is a version of that, where, you trust someone who knows that person.. etc
[03:22] <molly_millions> Would you not consider lubuntu a secure OS?
[03:23] <holstein> lubuntu is not the problem.. lubuntu is what it is
[03:23] <holstein> if you use it securely, its used securely..
[03:23] <holstein> what im saying is, lubuntu doesnt say "come learn about security using lubuntu"
[03:24] <holstein> its the lightweight official flavor of ubuntu running lxde.. thats it.. its not intended as a security tool or training ground
[03:24] <holstein> kali is.. as well as other tools that you *can* use in lubuntu, and apply your knowledge learned to lubuntu from
[03:26] <molly_millions> Okay, this has given me a lot to think about. Thank you for all of the feedback.
[03:27] <holstein> sure.. cheers
=== len_ is now known as Guest63838
=== not_phunyguy is now known as phunyguy
[13:42] <aikidouke> anyone help with troubleshooting an issue with steam install?
[17:37] <absk007> is Flash Filesystems supported https://en.wikipedia.org/wiki/Flash_file_system#Linux_flash_filesystems
[17:38] <wxl> absk007: if the kernel supports it, probably.
[17:39] <wxl> absk007: know what flags it needs?
[17:40] <absk007> wxl, i don't know. So asking. I wanna install and run lubuntu in my microSD without wearing out my microSD
[17:41] <wxl> absk007: hard for me to easily check, then
[17:42] <wxl> if worse comes to worst you can always compile your own, absk007
[17:42] <absk007> wxl, that's what i can't do but my wish is that i wanna run lubuntu in my microSD without wearing it out
[17:43] <wxl> absk007: if you can't do that, then go to #ubuntu-kernel and ask them if the standard kernel supports it
[17:44] <wxl> absk007: /boot/config* should show you the flags
[17:45] <absk007> wxl, actually, i'm a noob and do not understand it properly
[17:45] <absk007> wxl, i've not installed lubuntu. I want to install it on a flash FS
[17:45] <wxl> absk007: so ask #ubuntu-kernel
[17:46] <absk007> wxl, asked already. No reply
[17:47] <wxl> absk007: then be patient. people are volunteers, not paid to sit at their desk and wait for questions :)
[17:49] <wxl> absk007: i've figured out that the generic kernel is built with default support for JFFS2, UBIFS, and F2FS modules
[17:50] <absk007> wxl, so can i install lubuntu in them or not?
[17:50] <wxl> i think you'll have to do a bunch of work to make it happen
[17:52] <wxl> absk007: http://askubuntu.com/questions/357237/install-to-sd-removable-flash-sdhc-emmc-with-f2fs
[17:52] <absk007> wxl, which flash FS is good?
[17:52] <wxl> absk007: don't ask me
[17:52] <absk007> wxl, i'll be doing software development stuffs
[17:53] <wxl> this is certainly not "officially supported" in the sense of there being official documentation and such
[17:53] <wxl> in other words, you kind of have to figure it out
[17:53] <wxl> but everything you need to make it happen is there
[17:54] <wxl> such is the case with many edge cases in linux: the tools are there, but you have to figure out how to use them
=== len_ is now known as Guest43709
[20:47] <twager> Samsung printer driver cannot find libsane but libsane is installed...Any tips welcome
