F24-20160815 Updated ISOs Available NOW.

Today we have the newest installment of the F24 Updated Lives, carrying on average 580 Mb of updates over the Gold Images from two months ago.

Some great news for Intel CPU / GPU users: 4.6.6-300 has patch fixes for the screen tearing.

You will notice that this round there are both HASHSUM512-20160815 and HASHSUMS-20160815: the 512 file holds the sha512sums of the torrents, and HASHSUMS holds the straight torrent hashes (the fully searchable type).

F24 Updated Lives

CHECKSUM512-20160815:

NO Source Torrent is made. If you have a need for one, contact me either via email or in a comment here.


HASHSUM512-20160815:



LastPass 0Day — Why Using cleartext tokens in the URL is bad practice.

Source: lastpass password manager tell all

This is yet another reason why sanitizing OpenAuth or other token URLs down to the minimum needed to resolve (the hostname) is good practice.

So exactly what is the issue at hand?

Well, LastPass, as with most password managers that in some way connect to a sync or cloud mechanism, uses a cookie of sorts on all sites you set up with autofill (no typing needed, a great defense against keyloggers). The issue is that the parser used to determine whether such a site is being accessed / logged in to leaves cleartext tokens in the URL and accepts a malformed URL of the form username:password @ foo.tld, i.e. johndoe/mypassword@facebook.com. This allows an attacker on a machine that is logged in (without 2FA, more on this later) to spill the beans about all passwords in 2 ways.

Method 1: Log in to or access a machine that is logged in and not locked (lock screens are useful, folks), open the password store without any further password/credential prompts, click ‘show password’, and the jig is up. As alluded to earlier, if 2FA (two-factor auth) is enabled this is thwarted, as it requires that secondary challenge for anything account or password store related.

Method 2: Type in the username (stored in plaintext in the password store) and the target site, and the password becomes visible in plaintext in the URL.

The really scary part is that 2 security researchers have now exposed these attacks and it's still unpatched.

Original article courtesy of https://www.thehackernews.com
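
The sanitizing practice recommended above, as an added example that is not part of the original post and is not LastPass code: it parses a URL with the standard WHATWG parser, reduces it to scheme and host, and reports what was stripped. The function names, the sample URLs and the policy of refusing autofill when userinfo is present are assumptions made for illustration.

```javascript
// Added example: reduce a URL to the minimum needed to resolve it before it
// is logged, shared or matched against a saved site.
// minimizeUrl / mayAutofill are hypothetical names; sample URLs are constructed.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns { host, minimal, dropped } or null when the input is not a usable
// http(s) URL. `dropped` names every component that was removed.
function minimizeUrl(raw) {
  let u;
  try {
    u = new URL(raw); // WHATWG parser: the same rules a browser applies
  } catch (e) {
    return null; // unparseable input is rejected, never guessed at
  }
  if (!ALLOWED_SCHEMES.has(u.protocol)) return null;

  const dropped = [];
  if (u.username || u.password) dropped.push("userinfo");
  if (u.pathname && u.pathname !== "/") dropped.push("path");
  if (u.search) dropped.push("query");
  if (u.hash) dropped.push("fragment");

  // u.hostname is the host that will actually be contacted: text before an
  // "@" in the authority is userinfo and is never part of it.
  return { host: u.hostname, minimal: `${u.protocol}//${u.host}`, dropped };
}

// Assumed policy: match a saved entry only on the parsed host, and refuse a
// URL that carries userinfo instead of trying to interpret it.
function mayAutofill(raw, savedHost) {
  const m = minimizeUrl(raw);
  return m !== null && !m.dropped.includes("userinfo") && m.host === savedHost;
}

// Constructed sample inputs.
const samples = [
  "https://johndoe:mypassword@example.com/login",
  "https://example.com/oauth/callback?access_token=CONSTRUCTED#state=1",
  "https://example.com/",
  "not a url",
];
for (const s of samples) console.log(s, "=>", JSON.stringify(minimizeUrl(s)));
```
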

F23-20160420 Updated Lives Available NOW!!!

Hello again fellow Fedorians,

Last night, 4.4.7-300 was deemed stable and we have new updated lives f23-{i386,x86_64}-{CINN,KDE,LXDE,MATE,SOAS,WORK,XFCE}-20160420.

%CHANGELOG

20160420 Kernel Fixes / Changelog

https://bodhi.fedoraproject.org/updates/FEDORA-2016-8e858f96b8

4.4.7-300

 

Where to get them? F23 Live-Respins (updated to 20160420/4.4.7-300)

Want to torrent pull? F23 Live Respins (updated to 20160420/4.4.7-300)

No torrent hashes? F23-20160420 ISO Checksums & Torrent Hashes

At the request of a few folks, I have provided both PGP-signed hash files and unsigned hash files (the two match), for those who have voiced fears of a modified hash / MiTM. The key used is my Fedora key: 0xD2264944, FP: 6292 9ABD 6374 6AA7 6D4B 730F 5927 6298 D226 4944

Want to run an installfest / have options for install? F23-20160420 Multi Boot ISO (x86_64 Only). I can help you create a Multi Arch or host one elsewhere if desired; however, with the reduction in i686 installs in this day and age, it’s not something I will host normally.

LATE POST: F23-20160408 Updated Lives Available (4.4.6-301 + Several bug fixes)

Hello again fellow Fedorians,

Last Friday, 4.4.6-301 was deemed stable and we have new updated lives f23-{i386,x86_64}-{CINN,KDE,LXDE,MATE,SOAS,WORK,XFCE}-20160408.

%CHANGELOG

20160408 Kernel Fixes / Changelog

  • 4.4.6-301

 

Where to get them? F23 Live-Respins (updated to 20160408/4.4.6-301)

Want to torrent pull? F23 Live Respins (updated to 20160408/4.4.6-301)

No torrent hashes? F23-20160408 ISO Checksums & Torrent Hashes

Want to run an installfest / have options for install? F23-20160408 Multi Boot ISO (x86_64 Only). I can help you create a Multi Arch or host one elsewhere if desired; however, with the reduction in i686 installs in this day and age, it’s not something I will host normally.

Look out for posts | tutorials | github repo creation / modifications for this as well in the coming week(s).

Some help with rsyncd overload?

So you love Fedora so much that you have decided to mirror it? Great! However, some of you are causing undue strain on the master servers by doing partial rsyncs (the run times out midway or the connection tanks). So how do you know if you are one of the strainers, and why would or should you care one iota? Those partials are `stat`ed and take a very large toll on the remaining open connections for others, since with a default rsync the master servers have to check your current copy against their copy to see what you have and what you still need. These partials of (often 1Tb-10Tb) trees like alt, development (Alpha builds for Fedora 24) and rawhide take up bandwidth, IOPS and available connections for other folks, namely the registered `Tier 0` and `Tier 1` mirrors (aka the ones we average mortals get updates from). It makes sense that if they can’t get timely copies of updates onto their drives, they surely can’t get them to you, can they?

So you think you may be one of these offenders, or you want to help someone (a friend who is mirroring, or the admin of your local mirror) stop or avoid being one. What can you do?

  • Read Mirroring Guidelines: Recommended rsyncd timing
  • Set your cron jobs to a more sane and practical 6-8 hours OR 2/3x daily
  • Let your main internal use mirror source your machines in your environment, updating your local master daily
  • Ensure you are on the master list of official mirrors and on the mirroring mailing list, which keeps you (or the admin running it) up to date on high-traffic days or pre-release `bit-flip` times, when rsyncs that are not deltas are requested to be kept to a minimum
  • Once you are fully updated that first time, use delta pulls (`--delta --delete-after`), which pull in only what is missing rather than re-downloading the entire mirror

 

HAPPY MIRRORING !!

Source: partial rsyncs causing undo stress on main servers