Yes, it doesn't matter where you download the ISO from. Even if you download from an extremely trustworthy site via SSL, there's still nothing to guarantee the ISO hasn't been tampered with, so you really should get into the habit of verifying.

I don't use Fedora but I would assume their package manager automatically does digital signature verification for you. I found this site after a quick google so it would seem my assumption is correct.

You mean provide the package manager/updater with fake/tampered packages? Of course they can, but digital signature verification is there to (among other things) detect when these kind of attacks take place, preventing the package from being installed.

You should verify the initial download, even from the fedora project site. As I said, also verify them AFTER you burn to disc too. This accomplishes several things: 1 - you verify that you received a good image. Several things can go wrong including the wrong file being uploaded on the server, an error in transmission that passes the check sum tests, a hijacked project site. 2 - You know that you didn't have any problems with the creation of the iso. Many of these files will get copied to your drive and a wrong bit or byte could cause crashes.

Once you have the system up and running, when using the known repositories, the packages will automatically get verified against the PGP signatures as part of the process. In order to download from other repositories, you will need to manually install the keys to do so, adding a layer of "I know what I am doing" protection.

Relax, I think you are worrying too much about this. Be vigilant, but not paranoid.

"http://docs.fedoraproject.org/en-US/Fedora/13/html/Installation_Guide/s1-diskpartsetup-x86.html" is how I've been installing.. 'Seems to be the best method...

If the "original site" isn't.. then where do we get our OS install ISO's and updates from..?

Huge passwords is a real pain in the foof, but it's the only way to go...

Thanks Doc.. For me "upping meds", would be taking a second multi-vitamin with multi-minerals, plus a double muti amino-acid complex, and maybe an extra dropper of passion flower extract natural beta blocker, or pomegranite extract bb..
Which meds are your choice of favourites?..

Thanks for the info expert dude..

If there was just one thing that could keep your black-skills out of a target's Fedora OS, What would that be..? besides pulling the net-connection or power-cord...

Quoting: "I think you are worrying too much about this. Be vigilant, but not paranoid."


I ain't worried in the slightest.. If doo hits my fan, doo hits my fan.. is when I run a clean-up, what ever it takes... this is me learning how to be vigilant... I am merely striving to learn the obscure facts, so there won't be need to do clean-ups, by my own fault...


_________________



Quoting: "There are no answers, only choices."


Maybe to make a choice, one needs the list of answers..?

Quoting: "https://fedoraproject.org/keys"...


___________


Jeepers! that's a lot to know and do to be only slightly secure..
It seems to run a truly secure PC OS, one need be a computer expert.. and even then it's still iffy if you have something the kooks want to steal, or you've upset the expert kooks and their puppeteers into childish vengeance-mode, given that the calming/rationalising serotonin feature in humanity is progressively self-destructing, by various obvious negative-health debilitative factors...

I've been pondering the ways the computer industry could modify the PC, to make it safer from attacks, for noisy "goodie-goodie" environmentalists and such.. I'm wondering if the industry made a tiny package in the tower, isolated from the base system's mother-board as a secondary sister-board, and ran that as the "internet PC".. shuttling items back and forth with built-in AVS auto-scanned flash-system.. wouldn't that be the way to go, to make interneting safer and cleaner, for Innocents, in this war-torn black-soul Internet..?
After all, the internet was invented exclusively/inclusively as a war-tool, and everything that's evil about humanity is stringently represented ("echoed") in/on the internet...
I thinks the world needs a tiny Net PC that acts as a "middleman" between their private personal data computers, blocking the evils of the Internet, a system which totally isolates the private PC system from the global com-system.. then no PC would ever be black hack infiltrated, nor compromised.. but that's just a silly pipedream, for another time, another place, another planet...

Quoting: "You mean provide the package manager/updater with fake/tampered packages? Of course they can, but digital signature verification is there to (among other things) detect when these kind of attacks take place, preventing the package from being installed."


_______________


Can "digital signature", or "digital signature verification", and the "other things", be compromised..?

"How would you know that someone has tried to get into your hd's OS?" Screwdriver marks on the casing? Footprints in the butter?

...and the door entry-counter registering too many digits.. and the hidden old Windows tower recording IR video activity where and when there shouldn't be.. and the covert-entry remote-alarm beeping in my pocket...

Of course. If you get access to the private key, you can use it to sign files.

For example, Red Hat suffered this type of breach not too long ago.

Well that took some of the wind outa my sails as far as me trying to make residential Net computer secure...

Why do people do that to good honest people, and to their good honest projects..?

Even if I managed to secure my PC, it wouldn't matter.. my internet activity is extremely monitored... Some unscrupulous people are desperate for new input... If they asked as friend and a brother, I’d give them what they need freely.. They don't need to try to steal everything all of the time, just because they can...
I suppose we can confidentially say that there's no such thing as a secure computer, if it's connected to the war-based Internet...

Why do you run Ubuntu on the Net, when it is so vulnerable to outside access and tampering..?
Doesn't your hd have that little yuck partition that Linux installs can't delete..? or do you use DBAN as a hd cleaner too..? or something else..?
I'm supposing you're running some sort of evolved bot..? and the computer you're running on the Net is probably your "I don't give a damn what happens to it computer"... Or, your front end is protected by corporate and/or military-class state of the art super-walls..? Probably all three... I thinks you're a good-black, or better...

Me thinks I'm gonna learn some more, from the super users, like yourself.. and I'm gonna maintain my policy of "one crapper tower for Net work, transferring data via flash, and the others, my personal items PC's, never connected.. connecting them only for the occasional update and package, then maintaining them disconnected ASAP, like I've been doing...
I figures if it works do it... If only I could get the ISO install CD happnin' of the OS as I've got it.. then whenever the OS so much as twitches wrong, I could run DBAN, then drop-in the custom install CD.. which is probably my best overall basic security plan for my connected PC.. but I just can't figure what I'm doing wrong..? All I'm doing is wasting CD's, and hours and hours of computer time creating duds...
Ten years I've been trying to make an ISO install CD for this purpose, and all attempts failed... I'm feeling very stupid...

There's secure computers all over the Internet. You're using one of them right now (LQ). The thing is, there's no computers which are 100% secure. They all have some levels of risk which must be managed, regardless of whether they are connected to the Internet or not.

LOL! Where did you get the idea that Ubuntu is such a crappy distro? It actually has some decent security features out of the box, and it doesn't stand in your way when you want to take additional measures on your own.

My PC doesn't have any fancy security measures (I'm just an average GNU/Linux user, don't let the Moderator title fool you).

If you look in a book store, such as Barnes & Nobels, they may sell Linux magazines & starter kit magazines where you can purchase a pressed CD/DVD. A read only source from a magazine should be secure unless the distributor has been hacked.

If you download an ISO image, compare the md5sum hash with what is published on the website. Your burner software will calculate the hash of the ISO image for you.

Make sure you select to burn an image. You might be burning a disc with the ISO file in it instead.

In the ConSecWest competition where security experts competed to crack a Windows, Mac and Linux and Ubuntu laptop for a $20,000 prize, the Ubuntu laptop survived. The others required user interaction (e.g. using the browser) to be compromised. These computers had up-to-date security updates applied. The Mac fell first, because Apple hadn't promptly released a security patch for a known vulnerability. The lesson I learned from this competition was how important it is to apply security patches.

I can burn ISO install CD's from the ISO downloads.. but I just find find it to create and burn the live installable customized OS, as I've made it, with all my preferred packages and files, and tweaking... This one CD would be my Best defence clean-up to hack attacks...
I've found that when corporate hacks can't find anything in my OS of value, they often trash the OS in spite.. sort of like "the kid who breaks another kids toy, because he can't have it"...

_________________


Quoting: "In the ConSecWest competition where security experts competed to crack a Windows, Mac and Linux and Ubuntu laptop for a $20,000 prize."

That would have been a riot to spectate... It would even make a good novel and movie...

_________________


Here's a weird thing that happens way too often..
Nearly every time I mention, in a PC forum, about problems making a custom bootable ISO of the OS, I gets an email from Acronis a few minutes after I've posted about failing to make that CD...
And sure enough, suddenly there's yet another Acronis offer in my inbox...

I wonder why you think that Acronis, or any corporation, will monitor you or break into your computer regularly and break things?

Thinking that keeping your computer off the Internet will make it more secure is a fallacy also. Just google about Iran's nuclear plants and the "weaponized" virus that was used. Mind bogglingly genius...

To be honest though, I don't know what scared me more when reading about it; how far viruses had evolved or that Iran runs their nuclear plants on Windows!!

HTH
Dave

1 members found this post helpful.