[02:59] Would anyone kindly share a link to or results for SHA256 hash of Ubuntu Mini 64-bit Trusty Tahr 14.04?
[03:00] !mini
[03:00] The Minimal CD image is very small in size, and it downloads most packages from the Internet during installation, allowing you to select only those you want. The installer is text based (rather than graphical as used on the Desktop DVD). See https://help.ubuntu.com/community/Installation/MinimalCD
[03:00] should be posted there.. probably just the md5's for the images..
[03:00] !md5
[03:00] To verify your Ubuntu ISO image (or other files for which an MD5 checksum is provided), see http://help.ubuntu.com/community/HowToMD5SUM or http://www.linuxquestions.org/linux/answers/LQ_ISO/Checking_the_md5sum_in_Windows
[03:01] I have verified the MD5 and SHA1 hashes. Why isn't a SHA256 available on Ubuntu's website for the mini?
[03:01] Is it due to the size?
[03:02] molly_millions: not sure.. what are you thinking? its not 'secure' enough? its not really a security step so much, there.. its just so you can test the iso for the content
[03:03] Correct, I would like to verify the security (integrity?) of the image.
[03:03] molly_millions: well, those are not the same
[03:03] Please continue.
[03:04] the integrity is just that.. "is this image ok, based on my internet?" and other variables
[03:04] its not "did someone replace this, or part of the iso?"
[03:04] In other words, did the file make it to my computer without some sort of routine transmission corruption?
[03:04] molly_millions: correct
[03:04] *if* someone has access to change the iso, they have access to change the sum.. likely
[03:05] So, those hashes are about integrity?
[03:05] molly_millions: correct.. its not about making sure no one has "messed with" the iso
[03:05] if they messed with it, on the server, then, they can "mess with" the hash sum.. no matter how slick, new and/or modern
[03:06] Okay, so how might I assess the security of the image? I was under the impression that hashes also indicated something about that. Do hashes not provide any real indication of security?
[03:07] molly_millions: as i said, you really cant that way
[03:07] molly_millions: *if* we had, for example, some sha256 hash with the iso's, then, the "hacker", having access to whatever files, or server to replace the iso, would replace the sha256 sum
[03:07] molly_millions: its more about, who can upload to that server?
[03:08] molly_millions: try uploading a "bunk" iso to ubuntu.com ;)
[03:08] Thanks, I think I understand. They could also change the page that lists the hash.
[03:09] yup
[03:09] So, let's say I download any given image. What would someone do to assess the security?
[03:09] it would have to be a 3rd party service, that, you would then *also* be trusting
[03:09] the iso "is what it is".. then, you have access to "official" repos for the software
[03:10] those repos and packages are "maintained".. not just anyone can upload a package there
[03:10] I see. I think the bottom line is that there isn't much to worry about, right?
[03:10] *thats* what would happen.. a key gets compromised, and a compromised version of firefox gets installed on systems
[03:11] what to do about it? you can always do "linux from scratch" or get *all* these parts and source *right* from the creators, and build them yourself
[03:11] for example, you would be getting the source from mozilla and building it.. but, then, you have the same questions there
[03:11] who uploaded this source? how can i "trust" it?.. etc
[03:12] molly_millions: well, im just saying, the system is built with the concerns you raise in mind
[03:12] It seems to be a rather complicated problem.
[03:12] molly_millions: i say, dont trust anyone.. and always be skeptical.. but, when downloading the installer iso, thats not a big issue
[03:12] especially with the mini
[03:12] nothing comes on the mini iso.. just the minimum
[03:13] you can then see what is coming from the official repos..
[03:13] Why isn't the image listed with the SHA256 like the other images? And, where does gnupg come into play?
[03:13] molly_millions: ask them
[03:13] https://www.gnupg.org/
[03:13] GnuPG allows to encrypt and sign your data and communication
[03:14] so, if someone on some build team says, via email "im linking to something i need pushed into the code of something vital in the security layer of something"
[03:14] the folks in that email chain have things, such as the tool you reference, in place, to make sure that person *is* who they say they are
[03:14] there are "key signing parties"
[03:15] where a person "vouches" for you, in person, then, a 'web of trust' is created
[03:15] you *know* that someone you know knows a person that knows that person, and has "approved" the key.. so, they are "trusted"
[03:16] Right, the "Web of Trust"? I've been reading about gpg and would like a robust understanding. Can't downloaded files also be checked with gpg?
[03:16] molly_millions: sure.. and that key can be compromised
[03:16] molly_millions: so, again, you have to ask "whats the goal?"
[03:16] if its, "how can i be totally safe online?", you shut the computer off..
[03:17] if its, "how can i trust that this is what the person says it is?" you can ask for a key to verify what the stuff is.. but, you trust that key, and that person
[03:17] if you dont know that person, then, you cant trust the key either
[03:17] if its "i want to send private email?" this is the wrong channel
[03:18] So, I should talk to my local user group for keys?
[03:18] molly_millions: what do you need a key for?
[03:19] I'm learning about information security as a hobby and want to create a hardened system and establish secure channels of communication. Mostly academic interest.
[03:19] sure.. so, ask in a ##security channel.. start with a distro that is aimed at that
[03:19] ubuntu is not.. its aimed at "normal" desktop use
[03:20] anything here will be relevant https://wiki.debian.org/Hardening but, im sure you have read that..
[03:21] Thank you. This is all very helpful.
[03:21] "information security" would be that.. you meet a person, *in* *person*.. and they say they are who they say they are, and they give you a key
[03:21] everything else is a version of that, where, you trust someone who knows that person.. etc
[03:22] Would you not consider lubuntu a secure OS?
[03:23] lubuntu is not the problem.. lubuntu is what it is
[03:23] if you use it securely, its used securely..
[03:23] what im saying is, lubuntu doesnt say "come learn about security using lubuntu"
[03:24] its the lightweight official flavor of ubuntu running lxde.. thats it.. its not intended as a security tool or training ground
[03:24] kali is.. as well as other tools that you *can* use in lubuntu, and apply your knowledge learned to lubuntu from
[03:26] Okay, this has given me a lot to think about. Thank you for all of the feedback.
[03:27] sure.. cheers
=== len_ is now known as Guest63838
=== not_phunyguy is now known as phunyguy
[13:42] anyone help with troubleshooting an issue with steam install?
[17:37] is Flash Filesystems supported https://en.wikipedia.org/wiki/Flash_file_system#Linux_flash_filesystems
[17:38] absk007: if the kernel supports it, probably.
[17:39] absk007: know what flags it needs?
[17:40] wxl, i don't know. So asking. I wanna install and run lubuntu in my microSD without wearing out my microSD
[17:41] absk007: hard for me to easily check, then
[17:42] if worse comes to worst you can always compile your own, absk007
[17:42] wxl, that's what i can't do but my wish is that i wanna run lubuntu in my microSD without wearing it out
[17:43] absk007: if you can't do that, then go to #ubuntu-kernel and ask them if the standard kernel supports it
[17:44] absk007: /boot/config* should show you the flags
[17:45] wxl, actually, i'm a noob and do not understand it properly
[17:45] wxl, i've not installed lubuntu. I want to install it on a flash FS
[17:45] absk007: so ask #ubuntu-kernel
[17:46] wxl, asked already. No reply
[17:47] absk007: then be patient. people are volunteers, not paid to sit at their desk and wait for questions :)
[17:49] absk007: i've figured out that the generic kernel is built with default support for JFFS2, UBIFS, and F2FS modules
[17:50] wxl, so can i install lubuntu in them or not?
[17:50] i think you'll have to do a bunch of work to make it happen
[17:52] absk007: http://askubuntu.com/questions/357237/install-to-sd-removable-flash-sdhc-emmc-with-f2fs
[17:52] wxl, which flash FS is good?
[17:52] absk007: don't ask me
[17:52] wxl, i'll be doing software development stuffs
[17:53] this is certainly not "officially supported" in the sense of there being official documentation and such
[17:53] in other words, you kind of have to figure it out
[17:53] but everything you need to make it happen is there
[17:54] such is the case with many edge cases in linux: the tools are there, but you have to figure out how to use them
=== len_ is now known as Guest43709
[20:47] Samsung printer driver cannot find libsane but libsane is installed...Any tips welcome