Fake Red Hat security update

Posted Oct 25, 2004 18:52 UTC (Mon) by ccchips (guest, #3222)
Parent article: Fake Red Hat security update

I just re-read the "announcement" here.

wget?

I have a thought:

This person may be out to prove that Linux is no longer as secure as we'd like now that the average Joe can get 'hold of it, and now that it's becoming popular.

Myself, I would have caught this on a number of points:
- fedora-redhat.com is not a Red Hat site
- Bad English, as others have pointed out
- Security patch announcements from reputable companies don't come by e-mail, and if they do, the link is almost always to a site you can trust
- Security patches wouldn't be made available by "wget".

However, I am almost certain that some Windows users would have fallen for this, and I can't help but wonder if this clown was after newly-migrated Windows users.


Fake Red Hat security update

Posted Oct 26, 2004 9:06 UTC (Tue) by hppnq (subscriber, #14462) [Link]

I got one today that claimed to be Microsoft's. Same story, but it did look a lot more professional (working links to microsoft.com, graphics and all). I didn't have a chance to disassemble the attached update, it was removed by my ISP.

Sigh.

Fake Red Hat security update

Posted Oct 28, 2004 3:02 UTC (Thu) by marduk (subscriber, #3831) [Link]

I don't think they're out to "prove" anything regarding Linux. These are the same kinds of people who send out the fake PayPal/Citibank registration emails. They're not trying to make a statement, just trying to screw over some poor soul. The only real difference is that these guys know how to use the command line...

Fake Red Hat security update

Posted Oct 28, 2004 16:26 UTC (Thu) by bod (subscriber, #17096) [Link]

> wget?

Nothing wrong with wget. Debian security advisories routinely include
instructions for using wget as one of the ways to fetch updated packages. See http://lists.debian.org/debian-security-announce/debian-s...
for a recent example.

Note however that DSAs are both signed and include MD5 sums for the updated
packages.

Fake Red Hat security update

Posted Oct 28, 2004 19:57 UTC (Thu) by Alan_Hicks (subscriber, #20469) [Link]

- Security patch announcements from reputable companies don't come by e-mail

You just called Slackware Inc. an irreputable company by inference. Granted, Slackware Inc. only sends security advisories out by the mailing list, so if you meant that they don't randomly send out e-mails to users, you're correct.

Of course, those e-mails (as well as the packages) are digitally signed, meaning you can verify if it really did come from Slackware Inc. or not.

Fake Red Hat security update

Posted Oct 28, 2004 22:19 UTC (Thu) by BackSeat (subscriber, #1886) [Link]

> Security patch announcements from reputable companies don't come by e-mail

Most mainstream distributions have a security email list (SuSE, Gentoo, Debian, etc).

security patch announcements by email

Posted Oct 29, 2004 21:49 UTC (Fri) by giraffedata (subscriber, #1954) [Link]

A lot of people would say it's irresponsible of a company not to email its customers and tell them they need a security patch. I'm not a customer of any companies that distribute security patches, but I do occasionally get an email from my ISP urging me to get recent Windows updates.

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds