@linux-modder
Last active July 9, 2016 13:36
Clem,
In recent days I restarted my seeding of Mint ISOs and noticed a few rather alarming security things, outlined below:
1) the torrent server should not be wide open on :80 even if it's forcing the http:// --> https:// on the fly.
1a) you should make it all https:// or not at all, forget this half-baked HSTS nonsense.
1b) You should NEVER leave a torrent tracker open on the same port as the generic traffic; this leaves you wide open to drive-by attacks on damn near all your infrastructure.
2) Your ../verify.php page has some issues and some glaringly odd issues.
2a) the sha256sum.txt files are only viewable in a typical browser, likely to lead folks to either 1) copy / paste in any fashion that suits their fancy of the day or 2) totally disregard OR, almost as annoying, 3) load the -help channel with 'how the hell do I check these files?'
2b) you really should have a better naming syntax, something like LM18-CHECKSUM256 and LM18-CHECKSUM256.asc, clear-signing the former so as to allow viewing in clear text but validating with the gpg key in use.
2c) doing a gpg --search-keys root@linuxmint.com shows something like 9 varying keys of varying ages, which for an offline confirmation would be a pain in the arse to parse, as you have the checksum files and the gpg key(s) used on separate pages on the site.
3) at this point:
Import the signing key from a Keyserver (see above).
There really should be a how to link for those not familiar with this process, remember you are targeting the novice user and recent Windows convert.
Proposed changes:
* Add a mention of wget / curl for checksum files so gpg --verify-files sha256sums.txt.gpg sha256sums.txt works natively and is less ambiguous.
* Use a clear-signed detached sig that verifies them and host the public key on the server
* How To guides / links on ../verify.php for gpg --recv-keys and/or an offline mode guide, as not everyone has internet access at all times to check / obtain keys (the distro targets all regions of the world after all).
IRC OPs,
As I've recently mentioned in -chat, the new rules, namely #2, #3, #4, #5 and #6, seem sadly TOO vague. Proposed rewrites for them:
#2: Any actions / comments that are knowingly or reasonably known to discriminate against any race, gender (including pan/cis/gender-fluid), ethnicity, nationality, or other recognized identity or group, including slurs, or jokes / jests whether known to the intended party or not, if known to an op or other channel user and mentioned, shall be prohibited.
#3: Flooding the channel OR a user in PM (private message, in some clients called a dialog message). Flooding is deemed to be any rapid comments that exceed 3 lines in rapid succession; while long messages have been known to do this, they are generally in the context of a long-winded explanation of your issue, deemed abusive but may still result in a temporary kick on the 3 rapid lines portion of the rule.
#4: Abusing CAPS, also known as yelling, in any channel is highly frowned upon here on our network. Use of caps for emphasis like: "user1 type the boldface text here in your client to do that: /MSG NICKSERV REGISTER <SOME_NICK> <SOME_PASSWORD>" is okay; however, "ANYONE HERE TO HELP ME WITH MY ISSUE {some time passes} GUESS NOT, THIS CHANNEL SUCKS." is NOT welcome here.
#5: Any and all actions of disclosing personal / identifiable info on any user (regular / non-regular user or op) that can not readily be gleaned from a simple Google search or self-disclosed social media sites (i.e. Facebook, Linked, Diaspora, Twitter), often called 'doxxing someone', are STRICTLY prohibited; so is knowingly engaging in actions to do the same, and should be grounds for an IMMEDIATE G-line (removal from network). Any user of our channels should feel safe whilst on our network, and strictly enforcing this is one such measure to ensure this.
#6: Advertisements, illegal material (e.g., piracy and malicious hacking) or pornography; this includes ASL (Age, sex, location requests made infamous by AOL), questions about Kali or its tools, or anything like torrenting cracked / warez files / programs. Please understand that whilst techniques for recovering / changing a lost password aren't generally nefarious, seeing as we must take your word it's your hardware, some users may refuse to help and recommend a reinstall.
----
Corey W. Sheldon
PGP:
0x5A88E539 / C006 564F FA67 CDEA E29B F202 8B4E 8943 5A88 E539
0xD2264944 / 6292 9ABD 6374 6AA7 6D4B 730F 5927 6298 D226 4944
Find me elsewhere: https://gist.github.com/linux-modder/ac5dc6fa211315c633c9
“Be like water making its way through cracks. Do not be assertive, but adjust to the object, and you shall find a way around or through it.
If nothing within you stays rigid, outward things will disclose themselves. Empty your mind, be formless. Shapeless, like water. If you put
water into a cup, it becomes the cup. You put water into a bottle and it becomes the bottle. You put it in a teapot, it becomes the teapot.
Now, water can flow or it can crash. Be water, my friend.”
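The verification flow the e-mail argues for (points 2a, 2b, 2c and the proposed changes), written out as an added example; this is not code from the gist, from its author or from Linux Mint. It assumes a detached signature next to the checksum list, and the file names (sha256sum.txt, sha256sum.txt.gpg) and the pinned fingerprint are placeholders to be replaced with what the project publishes. The two things a novice guide usually omits are in here: a zero exit from gpg --verify only says "some key in your keyring signed this", so the VALIDSIG status line is checked against a pinned fingerprint; and an ISO that is simply absent from the list must fail rather than pass silently.

```shell
#!/bin/sh
# Added example: verify a release ISO against a signed checksum list with stock tools.
# Placeholders (assumptions, not project values): sha256sum.txt, sha256sum.txt.gpg,
# REPLACE_WITH_PUBLISHED_FINGERPRINT.

# verify_signature SUMS SIG FPR
#   Ask gpg for machine-readable status lines (--status-fd 1) and insist that the
#   VALIDSIG line names the pinned fingerprint, either as the signing key (first
#   field) or as the primary key (last field).  Exit status 0 alone is not enough.
verify_signature() {
    _sums=$1
    _sig=$2
    _fpr=$3
    _status=$(gpg --batch --status-fd 1 --verify "$_sig" "$_sums" 2>/dev/null) || return 1
    printf '%s\n' "$_status" | grep -Eq "^\[GNUPG:\] VALIDSIG (${_fpr} |.* ${_fpr}\$)"
}

# verify_iso SUMS ISO
#   Check one ISO against the (already verified) list.  An ISO that is not listed
#   is a failure: "nothing was verified" must never look like success.
verify_iso() {
    _sums=$1
    _iso=$2
    _name=$(basename "$_iso")
    # sha256sum lists entries as "<hash>  <name>" (text) or "<hash> *<name>" (binary).
    _line=$(awk -v n="$_name" 'NF == 2 && ($2 == n || $2 == "*" n)' "$_sums")
    [ -n "$_line" ] || return 1
    # Run from the ISO's directory so the bare file name in the list resolves.
    ( cd "$(dirname "$_iso")" && printf '%s\n' "$_line" | sha256sum -c --status - )
}

# verify_release SUMS SIG FPR ISO
#   Order matters: establish who signed the list before trusting anything in it.
verify_release() {
    verify_signature "$1" "$2" "$3" || { echo "BAD: signature on $1 is not from the pinned key" >&2; return 1; }
    verify_iso "$1" "$4" || { echo "BAD: $4 does not match the signed checksum list" >&2; return 1; }
    echo "OK: $4 matches the list signed by $3"
}

# Usage with the placeholders above (fetch with curl, fetch the key by FULL
# fingerprint, never by the 8-hex short ID that several keys may share):
#   curl -fsSLO https://example.invalid/sha256sum.txt
#   curl -fsSLO https://example.invalid/sha256sum.txt.gpg
#   gpg --keyserver hkps://keys.example.invalid --recv-keys REPLACE_WITH_PUBLISHED_FINGERPRINT
#   verify_release sha256sum.txt sha256sum.txt.gpg REPLACE_WITH_PUBLISHED_FINGERPRINT linuxmint-18.iso
if [ "$#" -eq 4 ]; then
    verify_release "$@"
fi
```

Fetching the key by full fingerprint is what makes point 2c tractable: with nine keys answering for the same address, only the fingerprint printed on the project's own page (and pinned in the verifier) identifies the right one, and the same fingerprint is what a user without network access can carry over from an earlier download.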
@linux-modder

This is the unencrypted content, Clem.
