[Cryptography] Kali Linux security is a joke!

Rob Meijer pibara at gmail.com
Thu Mar 19 15:42:56 EDT 2015


2015-03-16 20:07 GMT+01:00 Henry Baker <hbaker1 at pipeline.com>:

> FYI --
>
> http://docs.kali.org/category/introduction
>
> "Downloading Kali Linux"
>
> "Alert!  Always make certain you are downloading Kali Linux from official
> sources, as well as verifying md5sums against official values.  It would be
> easy for a malicious entity to modify a Kali install to contain malicious
> code, and host it unofficially."
> ---
>
> No kidding!
>
> So how come whenever you do apt-get in Kali Linux, it accesses
> http://security.kali.org and http://http.kali.org ??
>
> Hasn't Kali heard about MITM attacks against http ??
>
>
Packaging security should be packager to user, not http(s) server to
http(s) client. Any packaging integrity system relying on 600+ CAs to be
uncompromised is inherently flawed.



> What's the point of verifying md5sums against official values, if Kali
> can't even get the "official values" securely ??
>
> _______________________________________________
> The cryptography mailing list
> cryptography at metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography
>