Re: debian unofficial website hacked

[Jude DaShiell <jdashiel@panix.com>]

I found out, those firmware images aren't seeded for very long at all so 
effectively go away quickly.
I was mistaken thinking since the file name was on that site it would 
have torrent support until either removed or replaced.

On Fri, 9 Feb 2018, john doe wrote:

> Date: Fri, 9 Feb 2018 01:35:58
> From: john doe <johndoe65534@mail.com>
> To: debian-accessibility@lists.debian.org
> Subject: Re: debian unofficial website hacked
> Resent-Date: Fri,  9 Feb 2018 06:36:14 +0000 (UTC)
> Resent-From: debian-accessibility@lists.debian.org
>
> On 2/8/2018 9:06 PM, Jude DaShiell wrote:
> >  https://cdimage.debian.org/cdimage/unofficial/non-free/cd-including-firmware/buster_di_alpha2/amd64/bt-dvd/ 
>
> Please try the following:
>
> Eatch line that starts with a dollar sign ($) is a command and should be 
> entered as written.
>
>
> $ mkdir alfa2
> $ cd alfa2
>
> $ wget 
> https://cdimage.debian.org/cdimage/unofficial/non-free/cd-including-firmware/buster_di_alpha2/amd64/bt-dvd/SHA512SUMS.sign 
> https://cdimage.debian.org/cdimage/unofficial/non-free/cd-including-firmware/buster_di_alpha2/amd64/bt-dvd/SHA512SUMS
>
> Output of the above command:
>
> --...-- 
> https://cdimage.debian.org/cdimage/unofficial/non-free/cd-including-firmware/buster_di_alpha2/amd64/bt-dvd/SHA512SUMS.sign
> Resolving cdimage.debian.org (cdimage.debian.org)... 194.71.11.165, 
> 194.71.11.173, 2001:6b0:19::173, ...
> Connecting to cdimage.debian.org (cdimage.debian.org)|194.71.11.165|:443... 
> connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 833
> Saving to: ???SHA512SUMS.sign???
>
> SHA512SUMS.sign 
> 100%[======================================================================================================>]
>     833  --.-KB/s    in 0s
>
> ... (11.4 MB/s) - ???SHA512SUMS.sign??? saved [833/833]
>
> --...-- 
> https://cdimage.debian.org/cdimage/unofficial/non-free/cd-including-firmware/buster_di_alpha2/amd64/bt-dvd/SHA512SUMS
> Reusing existing connection to cdimage.debian.org:443.
> HTTP request sent, awaiting response... 200 OK
> Length: 172
> Saving to: ???SHA512SUMS???
>
> SHA512SUMS 
> 100%[======================================================================================================>]
>     172  --.-KB/s    in 0s
>
> ... (208 MB/s) - ???SHA512SUMS??? saved [172/172]
>
> FINISHED --...--
> Total wall clock time: 0.5s
> Downloaded: 2 files, 1005 in 0s (13.6 MB/s)
>
> $ gpg --delete-keys debian
>
> Output of the above command:
>
> pub  4096R/0xDA87E80D6294BE9B 2011-01-05 Debian CD signing key 
> <debian-cd@lists.debian.org>
>
> Delete this key from the keyring? (y/N) y
>
> Comment: Press 'y' for eatch keys that are to be deleted.
>
> $ gpg --recv-key 0xDA87E80D6294BE9B
>
> Output of the above command:
>
> gpg:  requesting key 0xDA87E80D6294BE9B from hkps server 
> hkps.pool.sks-keyservers.net
> gpg:  key 0xDA87E80D6294BE9B: public key "Debian CD signing key 
> <debian-cd@lists.debian.org>" imported
> gpg:  2 marginal(s) needed, 2 complete(s) needed, PGP trust model
> gpg: depth:  0  valid:   3  signed:   1  trust: 0-, 0q, 0n, 0m, 0f, 3u
> gpg: depth:  1  valid:   1  signed:   0  trust: 1-, 0q, 0n, 0m, 0f, 0u
> gpg:  Total number processed: 1
> gpg:                imported: 1  (RSA: 1)
>
> $ gpg --verify SHA512SUMS.sign SHA512SUMS
>
> Output of the above command:
>
> gpg:  Signature made Wed, Dec 06, 2017  3:02:18 AM CET
> gpg:                 using RSA key 0xDA87E80D6294BE9B
> gpg:  Good signature from "Debian CD signing key 
> <debian-cd@lists.debian.org>"
> gpg:  WARNING: This key is not certified with a trusted signature!
> gpg:           There is no indication that the signature belongs to the 
> owner.
> Primary key fingerprint: DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B
>
> If it does not work please post the commands used and the output of those 
> commands.
>
> Note that my mailer might fold this e-mail.
>
> >  On Thu, 8 Feb 2018, john doe wrote:
> >
> > >  Date: Thu, 8 Feb 2018 14:03:40
> > >  From: john doe <johndoe65534@mail.com>
> > >  To: debian-accessibility@lists.debian.org
> > >  Subject: Re: debian unofficial website hacked
> > >  Resent-Date: Thu,? 8 Feb 2018 19:03:53 +0000 (UTC)
> > >  Resent-From: debian-accessibility@lists.debian.org
> > >
> > >  On 2/8/2018 7:54 PM, Jude DaShiell wrote:
> > > >  ?Yes, I imported the debian signing key and I have MD5SUMS and
> > > >  MD5SUMS.sign
> > > >  ?sha256SUMS SHA256SUMS.sign SHA512SUMS and SHA512SUMS.sign SHA1SUMS
> > > >  ?SHA1SUMS.sign.
> > >
> > >  From which URL did you get the? files?
> > >
> > > >  ?On Thu, 8 Feb 2018, john doe wrote:
> > > >
> > > > >  ?Date: Thu, 8 Feb 2018 07:12:27
> > > > >  ?From: john doe <johndoe65534@mail.com>
> > > > >  ?To: debian-accessibility@lists.debian.org
> > > > >  ?Subject: Re: debian unofficial website hacked
> > > > >  ?Resent-Date: Thu,? 8 Feb 2018 12:12:39 +0000 (UTC)
> > > > >  ?Resent-From: debian-accessibility@lists.debian.org
> > > > >
> > > > >  ?On 2/8/2018 12:34 PM, Jude DaShiell wrote:
> > > > > >  ??running gpg --verify *.sign on all sign files found where
> > > > > >  debian-buster
> > > > > >  ?is
> > > > > >  ??downloaded returns bad key and [unknown] on those files.? I think
> > > > > >  the
> > > > > >  ??website has got dirty.
> > > > >
> > > > >  ?- Did you import the Debian signing key?
> > > > >  ?- Which files did you verify (URL used, you should only use
> > > > >  debian.org)?
> > > > >  ?- What commands did you use and what are the output of those commands?

--