Topic: [XMR] Monero - A secure, private, untraceable cryptocurrency - page 67. (Read 4670972 times)

Actually a pretty good point.

Maybe he should tweet the Key and have a link to it on the site and then they would have to hack a much tougher target to push a verifiable bad binary.

Only if the GPG key displayed on the webpage is not compromised 

Fluffypony is the mark?    lol 

aha right thanks

Verification of the file against Fluffypony's GPG key would fail though.

See the link elrippos friend posted. The link is displayed on the downloads page.

If the file can be compromised then presumably they could compromise the hash too.

https://src.getmonero.org/resources/user-guides/verification-allos-advanced.html

Point 3.1. Get hash file

wget -O hashes.txt https://getmonero.org/downloads/hashes.txt

Not helpful.

I think he means you have to grab the text and create the text file yourself. It's easy.

Dos command for n00bs on winblows:
Copy con hashes.txt [entr]
paste text here
[f6 key]


Are you trying to make it look complicated?
They can also just paste in notepad (or any "Basic text editor like TED for Dos) and save but not anything like wordpad that adds control characters.

Doesn't everyone know this stuff?


Why make it easy for n00bs when we can just shovel up a tough to check binary that's infected?
Its not like someone profited from that right?


Ignore Button?
You can also use the report button for trolling.

"Page" sounds like a website.
Again, where exactly is this hashes.txt file?

You don't necessarily have to use wget to download the binaries. Put differently, you can simply download the file (.tar.bz2 for Linux 64-bit in your case) from the website.

The hashes.txt file is present on the downloads page. You need to save the content to a text file on your local system.

You should check the hashes.txt file against Fluffypony's GPG key. Merely checking the SHA256 hash is not sufficient, as an adversary could replace that.

Admittedly, the guide could use an update. That being said, there is a limit to how easy verifying the GPG signed hashes can be made. However, moneromooo is working on a secure updater/installer for Monero, see:

https://github.com/moneromooo-monero/monero-update

Holy God.  Is there no escaping this demented creature?

WHAT PART OF "BREACHED BINARIES" ARE YOU FUCKED UP ABOUT?    LEL REEEEEE

I use linux 64 bit cli only.
Going through the ridiculously complicated verification procedure now.
Just finished section 3.2 of these instructions:
https://src.getmonero.org/resources/user-guides/verification-allos-advanced.html
Section 4, download and verify binary, directs you to get the file via command line
But after executing the command, I notice it's version 12.0.0.  So is the correct command actually
?
And where did the file go, if it's not in the downloads folder?
I just did the point-and-click download of the cli file from the getmonero.org website
and monero-linux-x64-v0.15.0.1.tar.bz2 appears in the downloads folder.
So I am going to go back and do the command
continue following the instructions, and hope for the best I suppose.
And now the instructions say
Your SHA256 hash should match the one listed in the hashes.txt file for your binary file.

 Where is this file?  Yeah, I'm going to look for it, but I shouldn't have to.
Ok, scrolling back, I see that in step 3.1 I downloaded hashest.txt
It's not in downloads.  Where is it, or is somebody going to imply that I'm simply stupid for not having the answer?
I'm starting to get annoyed, and I've been involved with this coin since the very beginning, spring 2014.
Somebody needs to make monero usable or nobody's ever going to adopt this coin except total freaking nerdheads who live in bubbles.

Okay, since I don't know where my hashes.txt file is, I go to getmonero.org to see the hash for 15.0.1 linux cli only.  It matches the result of the shasum command, so I guess it's safe to continue.
Just one little problem.  The zip in downloads is the one I downloaded from getmonero.org through the browser.  Where is the binary that I downloaded through the cli?
Ah, I see it's in the home directory (along with 12.0.0 that I downloaded as a result of naively copy-pasting the command in the instructions, and which a less alert person might have installed unthinkingly LOL).  
And of course another stupid mistake I could make would be to use the zip which is in the downloads folder, and isn't actually verified.

So there you have a narrative of what happens when a normal human being attempts to RTFM and use monero properly.  It's not a pretty picture.

GUI v0.15.0.1 'Carbon Chamaeleon' released!

https://www.reddit.com/r/Monero/comments/e0j98n/gui_v01501_carbon_chamaeleon_released/

---

CLI v0.15.0.1 'Carbon Chamaeleon' released!

https://www.reddit.com/r/Monero/comments/e0j5s1/cli_v01501_carbon_chamaeleon_released/

which vulnerability has been used to hack the website ?

https://bartblaze.blogspot.com/2019/11/monero-project-compromised.html

Oh, that is crazy! Thank you for the update.
How is something like this even possible?
I downloaded the wallet a while ago in my PC with Ryzen 7 1700 to be ready for RandomX.
Anyway, the checksum matches as I downloaded directly from the GitHub releases.

Looks like the CLI binaries available at getmonero.org has been compromised and the users are advised to check the integrity of the binaries they download.


source: https://amp.reddit.com/r/Monero/comments/dyfozs/security_warning_cli_binaries_available_on/