Security Tip Of Day: Multiple Source Checksum Verification

Apr 17, 2023

The most common route to compromise lies in malicious downloads, so verifying the integrity of those downloads should be among our highest priorities.

One of the most vital topics to learn is cryptographic verification for download integrity.


TIP: Where applicable, take advantage of multiple sources to validate checksums.


MULTIPLE SOURCES FOR VERIFICATION

Every server has the potential for compromise.

Do you rely on checksums provided by the same server where you download the ISO?

If said download server were compromised, it is likely that an (even) somewhat savvy attacker replaces that checksum so that it matches up with their malicious addition. Gaining your trust...

And malware installation.


Cases like these remind us not to trust single sources for verification.

While downloading the latest EndeavourOS, I am sharing this example for checksums.

image

Using the above screenshot for our example, it would be wise to grab the checksum from a server OUTSIDE the one you download from.

For example, if I were to download my ISO from Gigenet, I might choose the checksum to verify integrity from the Alpix server.

image

In the case where the download server is compromised, at least we are not completely reliant on attacker-supplied files.
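
As an added example (not from the original post), the Python below compares the checksum files fetched from two or more mirrors with each other and with the hash of the local file. It assumes SHA-256 and `sha256sum`-style checksum files; the mirror names and the sample file are constructed placeholders.

```python
import hashlib
import os
import tempfile

def sha256_of(path, chunk=1 << 20):
    """Hash the file in chunks so a multi-GB ISO never sits in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def parse_checksum_file(text, filename):
    """Return the digest listed for `filename` in sha256sum-style text, or None."""
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[1].strip().lstrip("*") == filename:
            return parts[0].lower()
    return None

def verify(path, sources):
    """sources maps a source name to the checksum-file text fetched from it."""
    name = os.path.basename(path)
    listed = {src: parse_checksum_file(text, name) for src, text in sources.items()}
    missing = sorted(s for s, d in listed.items() if d is None)
    if missing:
        return False, "no entry for file at: " + ", ".join(missing)
    if len(listed) < 2:
        return False, "need checksums from at least two independent sources"
    if len(set(listed.values())) != 1:
        return False, "sources disagree, treat every copy as suspect"
    if sha256_of(path) != next(iter(listed.values())):
        return False, "file does not match the published checksum"
    return True, "file matches the checksum published by all sources"

def demo():
    """Constructed sample: a tiny stand-in 'ISO' and two mirror checksum files."""
    with tempfile.TemporaryDirectory() as d:
        iso = os.path.join(d, "example.iso")
        with open(iso, "wb") as f:
            f.write(b"constructed sample image contents")
        good = sha256_of(iso) + "  example.iso\n"
        bad = "0" * 64 + "  example.iso\n"  # constructed mismatching entry
        return (verify(iso, {"mirror-a": good, "mirror-b": good}),
                verify(iso, {"mirror-a": good, "mirror-b": bad}),
                verify(iso, {"mirror-a": good}))

if __name__ == "__main__":
    print(demo())
```

A disagreement between sources does not say which one was altered, so the check fails closed rather than picking a side.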


Even so, many do not offer multiple sources for this method of verification (this is where PGP comes in).


Thanks for following.
