[Cryptography] Kali Linux security is a joke!
Jason Cooper
cryptography at lakedaemon.net
Tue Mar 17 14:42:27 EDT 2015
Henry,
On Mon, Mar 16, 2015 at 12:07:08PM -0700, Henry Baker wrote:
> FYI --
>
> http://docs.kali.org/category/introduction
>
> "Downloading Kali Linux"
>
> "Alert! Always make certain you are downloading Kali Linux from official
> sources, as well as verifying md5sums against official values. It would be
> easy for a malicious entity to modify a Kali install to contain malicious
> code, and host it unofficially."
> ---
>
> No kidding!
You can do further verification here:
https://www.kali.org/downloads/
Which includes instructions for retrieving their PGP key, and verifying the
sha1sums of the ISOs.
> So how come whenever you do apt-get in Kali Linux, it accesses
> http://security.kali.org and http://http.kali.org ??
>
> Hasn't Kali heard about MITM attacks against http ??
Kali is based upon Debian. Debian relies on package signing with PGP keys.
There's still a valid argument for not advertising *which* packages you are
installing/updating (some may be illegal in some regions). But short of a repo
key compromise, an http-MITM isn't going to succeed.
hth,
Jason.
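Added example (not part of the thread) of the trust chain Jason describes, covering both the checksum-list check on the ISO and the apt repository case: a signed top-level manifest binds the hash of the index, which binds the hash of each package, so a plain-http tamperer has to re-sign the top. The HMAC "signature", the file names and the package bytes are constructed stand-ins; apt really uses detached OpenPGP signatures on Release/InRelease.

```python
import hashlib
import hmac

# Stand-in for the repository's PGP signing key: HMAC with a secret models
# "only the key holder can produce a signature that verifies" (assumption,
# not real OpenPGP; apt uses detached gpg signatures on Release/InRelease).
REPO_KEY = b"constructed-repo-signing-key"

def sign(data: bytes) -> bytes:
    return hmac.new(REPO_KEY, data, hashlib.sha256).digest()

def signature_valid(data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(data), sig)

def parse_sums(manifest: str) -> dict:
    """Parse '<hexdigest>  <filename>' lines, the sha1sum/sha256sum format."""
    sums = {}
    for line in manifest.splitlines():
        if line.strip():
            digest, name = line.split(None, 1)
            sums[name.strip().lstrip("*")] = digest
    return sums

def manifest_for(files: dict) -> bytes:
    return "".join(f"{hashlib.sha256(c).hexdigest()}  {n}\n" for n, c in files.items()).encode()

def verify_repo(release: bytes, release_sig: bytes, packages: bytes, debs: dict) -> bool:
    """Trust chain: signed Release -> hash of Packages -> hash of each .deb."""
    if not signature_valid(release, release_sig):
        return False                      # unsigned, or re-signed without the repo key
    if hashlib.sha256(packages).hexdigest() != parse_sums(release.decode()).get("Packages"):
        return False                      # index does not match the signed Release
    pkg_sums = parse_sums(packages.decode())
    return all(hashlib.sha256(c).hexdigest() == pkg_sums.get(n) for n, c in debs.items())

# Constructed repository snapshot, as it would be served over plain http
DEBS = {"nmap.deb": b"constructed package bytes"}
PACKAGES = manifest_for(DEBS)
RELEASE = manifest_for({"Packages": PACKAGES})
RELEASE_SIG = sign(RELEASE)

def tampered_in_transit() -> bool:
    """An http MITM replaces the .deb and rewrites every hash it can see, but
    cannot re-sign Release without REPO_KEY, so the client rejects the chain."""
    bad_debs = {"nmap.deb": b"modified package bytes"}
    bad_packages = manifest_for(bad_debs)
    bad_release = manifest_for({"Packages": bad_packages})
    return verify_repo(bad_release, RELEASE_SIG, bad_packages, bad_debs)
```

What http cannot hide is which file names are fetched, which is the "advertising which packages you install" concern above; the signature only protects integrity, not confidentiality.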