Re: Debian Desktop Environment
My recommendation generally is to fetch it at least via tor/tails and
another network and compare both .pukey files as described under
http://www.elstel.org/software/GnuPG-usage.html.en. That should be ok.
Concerning the strange https configuration it is just about me not
having been willing to pay for a correct configuration (so the
certificate issued for alfahosting-server.de should be the right one.).
Well, I must confess it is an issue of time too as I have already
considered moving to dotplex ...
Likely however this mailing list is hosted more correctly so that you
may like to compare against the key from this list that follows here
(keyservers should also host that key by its fingerprint:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1
-----END PGP PUBLIC KEY BLOCK-----
On 27.10.2015 18:11, Paul Tagliamonte wrote:
Your HTTPS is configured funny - it's issued for *.alfahosting-server.de
<http://alfahosting-server.de>, not elstel.org <http://elstel.org>. You
might consider fixing that -- after all, OpenPGP won't help secure
communications if you don't have a secure way of ensuring the right key
is distributed to users.
On Tue, Oct 27, 2015 at 1:02 PM, Elmar Stellnberger <firstname.lastname@example.org
Dear Jason Fergus,
Dear Subscribers of the Debian Security List,
I am ready to share some more data about the incident and its
circumstances as soon as you would contact me via gpg-mail as
described under https://www.elstel.org/Contact.html. Anyone who is
interested and reading this mail is welcome!
Just email-me gpg-ed including your public key for response
describing or giving me reference to who your are / what you are
doing in the community (if not exuberantly returned by Google). As
any gpg-key may either be lost or get in touch with an infected
computer any time I would highly prefer if you were ready to incur
the work of generating an own throw-away key for the communication.
On 27.10.2015 17:36, Jason Fergus wrote:
I'm curious about how you were infected by a rootkit, which one
and what you did to discover it? Using a Sandbox is a great
those two, except of course those are generally the applications
the most sensitive data as well. I always try to disable html
but people insist on using it...
On Tue, 2015-10-27 at 16:25 +0100, Elmar Stellnberger wrote:
I would believe that it will heavily depend on how you
* One feature I do always turn off is desktop auto indexing
otherwise even storing an email attachement just for
invoking it with
online view-as-jpeg service could cause an infection. Note
have to do this twice (once for Gnome and once for KDE) if
installed according programs of both environments.
* select starting a new session on every bootup (the session
can be used as a hook for ephemeral and home directory rootkits)
* under KDE there is a list of background services that
may reduce it to what you really need (invokable via
* likely there are other important configuration options
* get some understanding of what your X-server does (f.i.
http://www.elstel.org/xchroot : problems with a pure chroot,
resolve these problems by hand)
* double check the security of the underlying system
* note that your email program and your browser are the two most
vulnerable parts of your desktop environment; consider
under qemu in a virtual machine
Once you would comply with all these hints you may likely
rootkit inside the virtual machine for emailing or browsing
as I did
lately. The KDE environment of the host system did not
appear to have
compromised the security of the whole system so far at me.
On 27.10.2015 12:29, Mateusz Kozłowski wrote:
Could You tell me which debian desktop environment is
security and the best privacy and which You recommned
users? (KDE, XFCE, GNOME etc.)?