[02:59] <molly_millions> Would anyone kindly share a link to or results for SHA256 hash of Ubuntu Mini 64-bit Trusty Tahr 14.04?
[03:00] <holstein> !mini
[03:00] <holstein> should be posted there.. probably just the md5's for the images..
[03:00] <holstein> !md5
[03:01] <molly_millions> I have verified the MD5 and SHA1 hashes. Why isn't a SHA256 available on Ubuntu's website for the mini?
[03:01] <molly_millions> Is it due to the size?
[03:02] <holstein> molly_millions: not sure.. what are you thinking? its not 'secure' enough? its not really a security step so much, there.. its just so you can test the iso for the content
[03:03] <molly_millions> Correct, I would like to verify the security (integrity?) of the image.
[03:03] <holstein> molly_millions: well, those are not the same
[03:03] <molly_millions> Please continue.
[03:04] <holstein> the integrity is just that.. "is this image ok, based on my internet?" and other variables
[03:04] <holstein> its not "did someone replace this, or part of the iso?"
[03:04] <molly_millions> In other words, did the file make it to my computer without some sort of routine transmission corruption?
[03:04] <holstein> molly_millions: correct
[03:04] <holstein> *if* someone has access to change the iso, they have access to change the sum.. likely
[03:05] <molly_millions> So, those hashes are about integrity?
[03:05] <holstein> molly_millions: correct.. its not about making sure no one has "messed with" the iso
[03:05] <holstein> if they messed with it, on the server, then, they can "mess with" the hash sum.. no matter how slick, new and/or modern
[03:06] <molly_millions> Okay, so how might I assess the security of the image? I was under the impression that hashes also indicated something about that. Do hashes not provide any real indication of security?
[03:07] <holstein> molly_millions: as i said, you really cant that way
[03:07] <holstein> molly_millions: *if* we had, for example, some sha256 hash with the iso's, then, the "hacker", having access to whatever files, or server to replace the iso, would replace the sha256 sum
[03:07] <holstein> molly_millions: its more about, who can upload to that server?
[03:08] <holstein> molly_millions: try uploading a "bunk" iso to ubuntu.com ;)
[03:08] <molly_millions> Thanks, I think I understand. They could also change the page that lists the hash.
[03:09] <holstein> yup
[03:09] <molly_millions> So, let's say I download any given image. What would someone do to assess the security?
[03:09] <holstein> it would have to be a 3rd party service, that, you would then *also* be trusting
[03:09] <holstein> the iso "is what it is".. then, you have access to "official" repos for the software
[03:10] <holstein> those repos and packages are "maintained".. not just anyone can upload a package there
[03:10] <molly_millions> I see. I think the bottom line is that there isn't much to worry about, right?
[03:10] <holstein> *thats* what would happen.. a key gets compromised, and a compromised version of firefox gets installed on systems
[03:11] <holstein> what to do about it? you can always do "linux from scratch" or get *all* these parts and source *right* from the creators, and build them yourself
[03:11] <holstein> for example, you would be getting the source from mozilla and building it.. but, then, you have the same questions there
[03:11] <holstein> who uploaded this source? how can i "trust" it?.. etc
[03:12] <holstein> molly_millions: well, im just saying, the system is built with the concerns you raise in mind
[03:12] <molly_millions> It seems to be a rather complicated problem.
[03:12] <holstein> molly_millions: i say, dont trust anyone.. and always be skeptical.. but, when downloading the installer iso, thats not a big issue
[03:12] <holstein> especially with the mini
[03:12] <holstein> nothing comes on the mini iso.. just the minimum
[03:13] <holstein> you can then see what is coming from the official repos..
[03:13] <molly_millions> Why isn't the image listed with the SHA256 like the other images? And, where does gnupg come into play?
[03:13] <holstein> molly_millions: ask them
[03:13] <holstein> https://www.gnupg.org/
[03:13] <holstein> GnuPG allows to encrypt and sign your data and communication
[03:14] <holstein> so, if someone on some build team says, via email "im linking to something i need pushed into the code of something vital in the security layer of something"
[03:14] <holstein> the folks in that email chain have things, such as the tool you reference, in place, to make sure that person *is* who they say they are
[03:14] <holstein> there are "key signing parties"
[03:15] <holstein> where a person "vouches" for you, in person, then, a 'web of trust' is created
[03:15] <holstein> you *know* that someone you know knows a person that knows that person, and has "approved" the key.. so, they are "trusted"
[03:16] <molly_millions> Right, the "Web of Trust"? I've been reading about gpg and would like a robust understanding. Can't downloaded files also be checked with gpg?
[03:16] <holstein> molly_millions: sure.. and that key can be compromised
[03:16] <holstein> molly_millions: so, again, you have to ask "whats the goal?"
[03:16] <holstein> if its, "how can i be totally safe online?", you shut the computer off..
[03:17] <holstein> if its, "how can i trust that this is what the person says it is?" you can ask for a key to verify what the stuff is.. but, you trust that key, and that person
[03:17] <holstein> if you dont know that person, then, you cant trust the key either
[03:17] <holstein> if its "i want to send private email?" this is the wrong channel
[03:18] <molly_millions> So, I should talk to my local user group for keys?
[03:18] <holstein> molly_millions: what do you need a key for?
[03:19] <molly_millions> I'm learning about information security as a hobby and want to create a hardened system and establish secure channels of communication. Mostly academic interest.
[03:19] <holstein> sure.. so, ask in a ##security channel.. start with a distro that is aimed at that
[03:19] <holstein> ubuntu is not.. its aimed at "normal" desktop use
[03:20] <holstein> anything here will be relevant https://wiki.debian.org/Hardening but, im sure you have read that..
[03:21] <molly_millions> Thank you. This is all very helpful.
[03:21] <holstein> "information security" would be that.. you meet a person, *in* *person*.. and they say they are who they say they are, and they give you a key
[03:21] <holstein> everything else is a version of that, where, you trust someone to know that person.. etc
[03:22] <molly_millions> Would you not consider lubuntu a secure OS?
[03:23] <holstein> lubuntu is not the problem.. lubuntu is what it is
[03:23] <holstein> if you use it securely, its used securely..
[03:23] <holstein> what im saying is, lubuntu doesn't say "come learn about security using lubuntu"
[03:24] <holstein> its the lightweight official flavor of ubuntu running lxde.. thats it.. its not intended as a security tool or training ground
[03:24] <holstein> kali is.. as well as other tools that you *can* use in lubuntu, and apply your knowledge learned to lubuntu from
[03:26] <molly_millions> Okay, this has given me a lot to think about. Thank you for all of the feedback.
[03:27] <holstein> sure.. cheers
[13:42] <aikidouke> anyone help with troubleshooting an issue with steam install?
[17:37] <absk007> is Flash Filesystems supported https://en.wikipedia.org/wiki/Flash_file_system#Linux_flash_filesystems
[17:38] <wxl> absk007: if the kernel supports it, probably.
[17:39] <wxl> absk007: know what flags it needs?
[17:40] <absk007> wxl, i don't know. So asking. I wanna install and run lubuntu in my microSD without wearing out my microSD
[17:41] <wxl> absk007: hard for me to easily check, then
[17:42] <wxl> if worse comes to worst you can always compile your own, absk007
[17:42] <absk007> wxl, that's what i can't do but my wish is that i wanna run lubuntu in my microSD without wearing it out
[17:43] <wxl> absk007: if you can't do that, then go to #ubuntu-kernel and ask them if the standard kernel supports it
[17:44] <wxl> absk007: /boot/config* should show you the flags
[17:45] <absk007> wxl, actually, i'm a noob and do not understand it properly
[17:45] <absk007> wxl, i've not installed lubuntu. I want to install it on a flash FS
[17:45] <wxl> absk007: so ask #ubuntu-kernel
[17:46] <absk007> wxl, asked already. No reply
[17:47] <wxl> absk007: then be patient. people are volunteers, not paid to sit at their desk and wait for questions :)
[17:49] <wxl> absk007: i've figured out that the generic kernel is built with default support for JFFS2, UBIFS, and F2FS modules
[17:50] <absk007> wxl, so can i install lubuntu in them or not?
[17:50] <wxl> i think you'll have to do a bunch of work to make it happen
[17:52] <wxl> absk007: http://askubuntu.com/questions/357237/install-to-sd-removable-flash-sdhc-emmc-with-f2fs
[17:52] <absk007> wxl, which flash FS is good?
[17:52] <wxl> absk007: don't ask me
[17:52] <absk007> wxl, i'll be doing software development stuffs
[17:53] <wxl> this is certainly not "officially supported" in the sense of there being official documentation and such
[17:53] <wxl> in other words, you kind of have to figure it out
[17:53] <wxl> but everything you need to make it happen is there
[17:54] <wxl> such is the case with many edge cases in linux: the tools are there, but you have to figure out how to use them
[20:47] <twager> Samsung printer driver cannot find libsane but libsane is installed...Any tips welcome