Date: Sun, 22 Mar 2015 12:04:54 +1000
From: Justin Steven <justin@...tinsteven.com>
To: oss-security@...ts.openwall.com
Cc: Assign a CVE Identifier <cve-assign@...re.org>
Subject: Re: CVE for Kali Linux

Kali, like its upstream (Debian), signs packages using gpg.

https://wiki.debian.org/SecureApt

Kali provides sha1sums over https at their site to verify the .iso
download, as well as providing gpg signatures for .iso files.

--
Justin

On 22 March 2015 at 11:59, Kurt Seifried <kseifried@...hat.com> wrote:

> From RISKS, looks like it needs a CVE
>
> Date: Tue, 17 Mar 2015 07:37:50 -0700
> From: Henry Baker <hbaker1@...eline.com>
> Subject: Kali Linux security is a joke!
>
> FYI -- Your best chance to hack the hackers...
>
>   "Downloading Kali Linux"
>
>   "Alert!  Always make certain you are downloading Kali Linux from official
>   sources, as well as verifying md5sums against official values.  It would
>   be easy for a malicious entity to modify a Kali install to contain
>   malicious code, and host it unofficially."
>   http://docs.kali.org/category/introduction
>
> ---
>
> No kidding!
>
> So how come whenever you do apt-get install in Kali Linux, it accesses
> http://security.kali.org and http://http.kali.org ??
>
> Hasn't Kali heard about MITM attacks against http ??
>
> What's the point of verifying md5 sums against "official values", if Kali
> can't even get the "official values" securely ??
>
>
>
> --
> Kurt Seifried -- Red Hat -- Product Security -- Cloud
> PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
>
>
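The two checks this reply points at are a checksum list for the .iso (only meaningful when the list itself arrives over https or under a verified gpg signature) and SecureApt's signed Release file, whose hashes cover the Packages index, which in turn covers each .deb; that chain is why package integrity does not depend on the http transport the quoted message complains about. The following is an added example, not code from the thread, from Kali or from Debian: a Python model of both checks. It assumes the Debian-style formats (a `sha1sum`-style "<hex>  <name>" list, a Release file with a "SHA256:" section, and a Packages index with Filename/Size/SHA256 fields); all function names and sample data are constructed for the example, and the gpg signature over Release, which apt checks against its trusted keyring, is represented here by a boolean input rather than re-implemented.

```python
"""Model of the integrity chain behind ISO checksum lists and SecureApt.

Added example (not Kali/Debian code). Formats assumed: coreutils-style
checksum lists, Debian Release and Packages files. The gpg verification of
Release (Release.gpg / InRelease) is taken as a boolean input here.
"""
import hashlib


def parse_sums(text):
    """Parse sha1sum/sha256sum output: '<hex>  <name>' (or '<hex> *<name>')."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        sums[name.lstrip(" *")] = digest.lower()  # '*' marks binary mode
    return sums


def verify_iso(iso_bytes, iso_name, sums_text, sums_channel_authenticated):
    """Mirror of `sha1sum -c`, plus the caveat raised in the thread: a match
    proves nothing unless the list came over https or a verified signature."""
    sums = parse_sums(sums_text)
    if iso_name not in sums:
        return "no checksum listed"
    if hashlib.sha1(iso_bytes).hexdigest() != sums[iso_name]:
        return "checksum mismatch"
    if not sums_channel_authenticated:
        return "checksum matches but list is unauthenticated"
    return "ok"


def parse_release_hashes(release_text, section="SHA256"):
    """Return {path: (hex, size)} from the given hash section of a Release file."""
    hashes, in_section = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):          # field line, e.g. 'SHA256:'
            in_section = line.rstrip(":") == section
            continue
        parts = line.split()
        if in_section and len(parts) == 3:
            hashes[parts[2]] = (parts[0].lower(), int(parts[1]))
    return hashes


def parse_packages(text):
    """Return {Filename: (sha256, size)} from a Packages index."""
    pkgs = {}
    for stanza in text.split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if {"Filename", "SHA256", "Size"} <= fields.keys():
            pkgs[fields["Filename"]] = (fields["SHA256"].lower(), int(fields["Size"]))
    return pkgs


def _matches(data, expected):
    digest, size = expected
    return len(data) == size and hashlib.sha256(data).hexdigest() == digest


def verify_apt_chain(release_sig_ok, release_text, index_path, index_bytes,
                     deb_path, deb_bytes):
    """SecureApt chain: signed Release -> Packages index -> .deb."""
    if not release_sig_ok:
        return "release signature failed"
    rel = parse_release_hashes(release_text)
    if index_path not in rel:
        return "index not listed in release"
    if not _matches(index_bytes, rel[index_path]):
        return "index hash mismatch"
    pkgs = parse_packages(index_bytes.decode())
    if deb_path not in pkgs:
        return "package not in index"
    if not _matches(deb_bytes, pkgs[deb_path]):
        return "package hash mismatch"
    return "ok"


def build_sample_repo():
    """Constructed toy repository (sample data, not real Kali/Debian files)."""
    deb_path = "pool/main/e/example/example_1.0_all.deb"
    deb = b"not a real .deb, just constructed sample bytes\n"
    packages = (
        f"Package: example\nVersion: 1.0\nArchitecture: all\n"
        f"Filename: {deb_path}\nSize: {len(deb)}\n"
        f"SHA256: {hashlib.sha256(deb).hexdigest()}\n\n"
    ).encode()
    index_path = "main/binary-all/Packages"
    release = (
        "Origin: Example\nSuite: stable\nSHA256:\n"
        f" {hashlib.sha256(packages).hexdigest()} {len(packages)} {index_path}\n"
    )
    return release, index_path, packages, deb_path, deb


if __name__ == "__main__":
    release, index_path, packages, deb_path, deb = build_sample_repo()
    print(verify_apt_chain(True, release, index_path, packages, deb_path, deb))
    # A .deb altered in transit (the MITM case) fails the hash check:
    print(verify_apt_chain(True, release, index_path, packages, deb_path, deb + b"x"))
```

The chain only holds if the Release signature check is real: with `release_sig_ok` forced to true, the model shows the same limitation as an unauthenticated checksum list, since an attacker who can rewrite Release can rewrite every hash beneath it.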
