Trojanized, Info-Stealing PuTTY Version Lurking Online

← Back to Stories (view on slashdot.org)

Trojanized, Info-Stealing PuTTY Version Lurking Online

Posted by timothy on Tuesday May 19, 2015 @02:22AM from the at-your-command-prompt dept.

One of the best first steps in setting up a Windows machine is to install PuTTY on it, so you have a highly evolved secure shell at your command. An anonymous reader writes, though, with a note of caution if you're installing PuTTY from a source other than the project's own official page. A malicious version with information-stealing abilities has been found in the wild. According to the article: Compiled from source, this malicious version is apparently capable of stealing the credentials needed to connect to those servers. "Data that is sent through SSH connections may be sensitive and is often considered a gold mine for a malicious actor. Attackers can ultimately use this sensitive information to get the highest level of privileges on a computer or server, (known as 'root' access) which can give them complete control over the targeted system," the researchers explained. The Symantec report linked above also shows that (at least for this iteration) the malware version is easy to spot, by hitting the "About" information for the app.

216 comments

Min score:

Reason:

Sort:

Is it on the main download page? by danbob999 · 2015-05-19 02:26 · Score: 3, Insightful

And if not, why should I care?
1. Re:Is it on the main download page? by Anonymous Coward · 2015-05-19 02:30 · Score: 0
  
  But is the one in the app store that can show up when you search for putty may not be the clean one. Thanks MS for getting rid of start.
2. Re:Is it on the main download page? by mwvdlee · 2015-05-19 02:44 · Score: 5, Insightful
  
  In this particular situation; because at first glance the main download page, site and URL doesn't look "official" at all.
  http://www.chiark.greenend.org...
  It would be pretty easy to confuse a slightly more modern looking page for the "main download page".
  
  --
  Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
3. Re:Is it on the main download page? by Anonymous Coward · 2015-05-19 02:47 · Score: 0
  
  To warn your idiot colleagues.
4. Re:Is it on the main download page? by jones_supa · 2015-05-19 02:51 · Score: 5, Insightful
  
  That's a good point actually.
5. Re:Is it on the main download page? by antiperimetaparalogo · 2015-05-19 02:59 · Score: -1, Troll
  
  NO, "it is NOT on the main download page" (Mod me "Score:5, Informative"!), and, since "it is NOT on the main download page"... you should ask directly the submitter "why should you care" (Mod parent "Score:5, Insightful"...).
  
  --
  Antisthenes: "Wisdom begins by examining the words/names." - excuse my English, i am (slightly...) better with my Greek!
6. Re:Is it on the main download page? by danbob999 · 2015-05-19 03:00 · Score: 4, Insightful
  
  I agree however http://www.putty.org/ links to this page and is the first result on google. The second result is this page. As long as scammers can't get their trojanized putty on google's first page I don't think there is much of a risk.
7. Re:Is it on the main download page? by Anonymous Coward · 2015-05-19 03:04 · Score: 0
  
  The Git address on that page is also "git.tartarus.org". How can I know if this is the legit one or something that an intruder has replaced in the web page? There's a pretty big attack vector here if such hobbyist addresses are used.
8. Re:Is it on the main download page? by bluefoxlucid · 2015-05-19 03:13 · Score: -1, Troll
  
  You should care because the world is still full of idiots who immediately install PuTTY on a new machine, instead of loading cygwin and using openssh.
  
  --
  Support my political activism on Patreon.
9. Re:Is it on the main download page? by danbob999 · 2015-05-19 03:16 · Score: 3, Interesting
  
  Because it would be impossible to add a trojan to cygwin or openssh?
10. Re:Is it on the main download page? by Anonymous Coward · 2015-05-19 03:16 · Score: 2, Informative
  
  While that seems like sound reasoning, I have found that in practically every case it is a recipe for disaster to think that way.
  Most high-quality software packages and libraries, at the highest levels, come from very spartan websites.
  The Flash junkies will argue this point with me for years, and it's nice to have flashy web design as part of a broad-spectrum marketing strategy, but it's all just fluff that gives too many problems a chance to creep in undetected.
11. Re:Is it on the main download page? by Gr8Apes · 2015-05-19 03:31 · Score: 1
  
  There is always a risk if you must download something from the web and install it for your security toolset. I blame MS for not putting a basic solid security tool into their distribution that has existed for decades, and was in wide use prior to the release of Windows NT 4.0.
  
  --
  The cesspool just got a check and balance.
12. Re:Is it on the main download page? by jellomizer · 2015-05-19 03:34 · Score: 4, Interesting
  
  I am still trying to figure out why Microsoft hasn't packaged SSH based tools with windows.
  
  --
  If something is so important that you feel the need to post it on the internet... It probably isn't that important.
13. Re:Is it on the main download page? by operagost · 2015-05-19 03:35 · Score: 3, Insightful
  
  So if someone wants to install a single GUI tool instead of a app compatibility layer and a command line tool, they're an idiot?
  What if they installed one of those Heartbleed-vulnerable versions of openssl? Are they smart?
  
  --
  
  Gamingmuseum.com: Give your 3D accelerator a rest.
14. Re:Is it on the main download page? by Anonymous Coward · 2015-05-19 03:38 · Score: 1
  
  Really? Because when I think 'suspicious page,' I'm usually not seeing a spartan webpage; I'm seeing something that looks like it was vomited up by 'Web 2.0' and strained through a stock photo website.
15. Re:Is it on the main download page? by Penguinisto · 2015-05-19 03:38 · Score: 5, Informative
  
  ...what sibling said. Anything can be trojanized, and it's turtles all the way down if you're proposing that by simply using a different application (or suite/kernel/VM/whatever thereof).
  In all seriousness, PuTTY is a quick and dirty way of getting a working SSH shell on a Windows box. For the greybeards (like myself), it's also a quick and kick-ass means of plugging an old laptop into a serial port on the back of a Sun/HPUX/IBM-PPC box.
  It's a self-contained executable that you can keep on a geek stick. No dependencies, no lengthy installation bullshit like Cygwin, no muss, no fuss. It just works.
  In fact, I still keep a copy on my phone just in case, in spite of the fact that I typically use a MacBook Pro nowadays (OSX has a working *nix shell that I can open Terminal with and SSH from all day long, tab the hell out of, have customized nine ways from Sunday for local Git coloring, pre-hooks, branch awareness, etc). That said, I use PuTTY when I find myself stuck with a 'doze box (usually when having to show a 'doze user something on a *nix box from his machine), or when I find myself in a datacenter with only a shitty old laptop and no other useful means of getting some RS-232 love (because let's face it, HyperTerminal sucks donkey balls).
  
  --
  Quo usque tandem abutere, Nimbus, patientia nostra?
16. Re:Is it on the main download page? by peragrin · 2015-05-19 03:47 · Score: 4, Funny
  
  Can you imagine powershell ssh commands?
  SSH-Connect -host -ipv4{192.168.100.1} -username {no smith}
  Oh and go ahead and hack my machine script kiddies.
  
  --
  i thought once I was found, but it was only a dream.
17. Re:Is it on the main download page? by tnk1 · 2015-05-19 03:50 · Score: 5, Interesting
  
  I am always struck by the fact that something in such widespread use as PuTTY is still downloaded from what looks like someone's public home directory.
  On the other hand, it is such an anomaly that I instantly recognize the site when I see it as the correct download site.
18. Re:Is it on the main download page? by Anonymous Coward · 2015-05-19 03:52 · Score: 0
  
  So in which way is it disaster to think that way? What are your arguments supporting that high quality software packages should keep coming from very spartan websites with obscure addresses? Wouldn't it be an improvement to place everything behind professional and unspurious web addresses? For example, www.putty.org and git.putty.org would make a lot of sense to me, and they would also be easier to remember.
19. Re:Is it on the main download page? by bluefoxlucid · 2015-05-19 04:12 · Score: 3, Insightful
  
  No, because putty is ballsacks that can't be properly scripted, uses weird key files that need special conversion (it doesn't use an openssh key, but a putty identity key that you can convert to openssh using another program), and handles all kinds of terminal interactions in such a wrong way that you may as well be using Microsoft Word with a VB script to send commands across ssh. Start in a real terminal, where 27 sessions is C-a " instead of "oh fuck which alt-tab icon is it?!"
  
  --
  Support my political activism on Patreon.
20. Re:Is it on the main download page? by Rufty · 2015-05-19 04:14 · Score: 5, Funny
  
  I agree, except you've over-rated HyperTerminal.
  
  --
  Red to red, black to black. Switch it on, but stand well back.
21. Re:Is it on the main download page? by Anonymous Coward · 2015-05-19 04:16 · Score: 1
  
  Impossible.
  Powershell Cmdlets are named Verb-Noun, so it would be Connect-SSH...
22. Re:Is it on the main download page? by elfprince13 · 2015-05-19 04:21 · Score: 1
  
  No, but you're also an idiot for not knowing the difference between SSL and SSH ;)
23. Re:Is it on the main download page? by Anonymous Coward · 2015-05-19 04:31 · Score: 1
  
  Some people (like myself) downloaded via https://ninite.com after a fresh install of Windows.
24. Re:Is it on the main download page? by David_Hart · 2015-05-19 04:47 · Score: 4, Informative
  
  That said, I use PuTTY when I find myself stuck with a 'doze box (usually when having to show a 'doze user something on a *nix box from his machine), or when I find myself in a datacenter with only a shitty old laptop and no other useful means of getting some RS-232 love (because let's face it, HyperTerminal sucks donkey balls).
  I use a free program called mRemote v1.50 as it integrates Putty, RDP, VNC, Citrix, etc. into one console. It's a good tool as you can organize your connections using folders. As a network architect, it's nice to be able to connect to network devices by site. It has a few bugs, such as screwing up the sort order, but nothing major.
  There is a newer version out called mRemoteNG 1.72. The last update was from the end of 2013 and it looks like the project is on hold for whatever reason.
  It does what I need it to do and that's all I ask of any tool...
25. Re:Is it on the main download page? by cyberchondriac · 2015-05-19 04:52 · Score: 1
  
  Not really so idiotic: up until only a year ago, OpenSSH required OpenSSL for the crypto.
  
  --
  
  Look back up at my post, now look back down, you're on the Internet. Now look back up. I'm a signature.
26. Re:Is it on the main download page? by ahodgson · 2015-05-19 04:54 · Score: 4, Insightful
  
  Because SSH is mostly used to talk to Linux servers. Since when has Microsoft ever done anything to make Windows easier to use with other systems?
27. Re:Is it on the main download page? by jellomizer · 2015-05-19 04:59 · Score: 1
  
  During Phases: Embrace and Extend.
  
  --
  If something is so important that you feel the need to post it on the internet... It probably isn't that important.
28. Re:Is it on the main download page? by Anonymous Coward · 2015-05-19 05:00 · Score: 0
  
  That's where experience comes in handy! It's better to find the reasons Simon Tatham has no time to make a modern Web site page, then click on the links to download PuTTY and the puzzles collection.
29. Re:Is it on the main download page? by elfprince13 · 2015-05-19 05:06 · Score: 1
  
  Heartbleed was a TLS protocol bug, not a crypto bug.
30. Re:Is it on the main download page? by skids · 2015-05-19 05:08 · Score: 2
  
  Really the OSes fault. SSH should be a base install item. And it isn't just Windows. (Android, I'm looking at you.)
  
  --
  Someone had to do it.
31. Re:Is it on the main download page? by AmiMoJo · 2015-05-19 05:10 · Score: 1
  
  They don't make much use of SSH servers so there is little point bundling a client. The only thing you would use it for is administering non Microsoft severs.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
32. Re:Is it on the main download page? by Curtman · 2015-05-19 05:19 · Score: 2
  
  We have that. Apt-get install ssh-client.
  
  Windows will catch up someday.
33. Re:Is it on the main download page? by Shakrai · 2015-05-19 05:33 · Score: 3, Interesting
  
  Because SSH is mostly used to talk to Linux servers. Since when has Microsoft ever done anything to make Windows easier to use with other systems?
  All Windows shops still have switches and routers.....
  
  --
  I want peace on earth and goodwill toward man.
  We are the United States Government! We don't do that sort of thing.
34. Re:Is it on the main download page? by Coren22 · 2015-05-19 05:34 · Score: 2, Informative
  
  http://en.wikipedia.org/wiki/W...
  It isn't that unheard of.
  
  --
  APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
35. Re:Is it on the main download page? by Coren22 · 2015-05-19 05:35 · Score: 1
  
  It would probably be better than the current situation of running Powershell through IIS like that makes any sense. It would be more stable as well. Have you ever tried to fix WinRM when it gets all mucked up?
  
  --
  APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
36. Re:Is it on the main download page? by ne0n · 2015-05-19 05:40 · Score: 1
  
  Tried to confirm, apt-get install putty grabbed a good binary. Checksums match. This article is blowing smoke.
  
  --
  $ :(){ :|:& };:
37. Re:Is it on the main download page? by danbob999 · 2015-05-19 05:55 · Score: 1
  
  yeah, I wouldn't know how to get that executable which is "lurking around" even if I wanted to.
38. Re:Is it on the main download page? by Fnord666 · 2015-05-19 06:04 · Score: 1
  
  I agree, except you've over-rated HyperTerminal.
  And disrespected the donkey.
  
  --
  'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
39. Re:Is it on the main download page? by Coren22 · 2015-05-19 06:13 · Score: 3, Insightful
  
  Windows has that, it is called the Microsoft Store.
  
  --
  APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
40. Re:Is it on the main download page? by cyberchondriac · 2015-05-19 06:19 · Score: 2
  
  Fair enough. But still, if someone installed a vulnerable version of openSSL I suppose they might start using it for other things than openSSH in their Cygwin environment, where HB might still rear it's head. An iffy, minor point, I concede.
  In any case, I never really had an issue with puTTY if I had to SSH on Windows, but then that's not very often. It's not my preference. I usually use my linux box for SSH, it's just more comfortable. All of us in our workgroup have 1 win box and 1 linux box, and it baffles me to see that some of my coworkers seem to prefer puTTY. But then, some people have no problem working in a window the size of a postage stamp when they could easily drag the window larger too, so.. I dunno.
  
  --
  
  Look back up at my post, now look back down, you're on the Internet. Now look back up. I'm a signature.
41. Re:Is it on the main download page? by Ben+Hutchings · 2015-05-19 06:21 · Score: 1
  
  Since they realised their customers were going to use a mixture of systems anyway. For example, they turned off a feature in the Windows CIFS client because the server side was broken in Samba.
42. Re:Is it on the main download page? by Coren22 · 2015-05-19 06:23 · Score: 2
  
  I wonder if there is any intention of handling more connection types. I have been using Remote Desktop Manager, but their free restrictions are kind of onerous as they don't allow password save in the free edition.
  
  --
  APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
43. Re:Is it on the main download page? by Ben+Hutchings · 2015-05-19 06:39 · Score: 4, Insightful
  I know that's the official site, but:
  
  I'm supposed to download binaries that don't have Authenticode signatures, from a web server that doesn't support TLS.
  And then I have to download (and somehow verify) a copy of PGP or GnuPG, in order to verify the signatures they do provide. (I also have to know and remember the fingerprint of the genuine PGP signing key.)
  
  Finally, I have to trust that no-one has cracked a 1024-bit PGP key.
  
  I can only assume that almost all downloads from the official site are vulnerable to MITM'ing. And, as PuTTY is such a popular tool, it is surely a prime target for that.
44. Re: Is it on the main download page? by Anonymous Coward · 2015-05-19 07:28 · Score: 0
  
  My P.H.B. Can't figure out how to download Putty. I now fear something worse than him bothering me for a Google search.
45. Re:Is it on the main download page? by Anonymous Coward · 2015-05-19 07:32 · Score: 0
  
  thats what hyperterminal and internet explorer are for
46. Re:Is it on the main download page? by danbob999 · 2015-05-19 07:45 · Score: 1
  
  Which is metro-only, Windows 8-only and still lacks most apps you can think of (since developers need a web site to download for older Windows version anyways)
47. Re:Is it on the main download page? by Anonymous Coward · 2015-05-19 07:46 · Score: 0
  
  HyperTerminal is fugly, true, but it does a better job passing vttest than many other Windows emulators. So that's something.
48. Re:Is it on the main download page? by shadowknot · 2015-05-19 07:52 · Score: 2
  
  I feel the same way. If it supported TN3270 I might consider it...maybe.
49. Re:Is it on the main download page? by Coren22 · 2015-05-19 07:56 · Score: 2
  
  So, MS makes efforts to shift over to the model you advocate, and you slam them for the older versions of the OS people refuse to get rid of?
  
  --
  APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
50. Re:Is it on the main download page? by Jadecristal · 2015-05-19 08:20 · Score: 3, Interesting
  
  I know that there are checksums on the download page. We know how to use them. Other people don't.
  I don't understand WHY, after all this time, the author(s) continue to refuse to get a code-signing certificate and sign the executable files and the installer. I'm almost assuming that it's on principle somehow, because it's not that expensive and if a request was made I'd bet donations would take care of the cost in under a day.
51. Re: Is it on the main download page? by Anonymous Coward · 2015-05-19 08:32 · Score: 0
  
  Because attacker would just make his own installer like they do with cracked games... Or just use the Nullsoft one, it's free.
52. Re:Is it on the main download page? by Anonymous Coward · 2015-05-19 08:43 · Score: 0
  
  What installer?
53. Re:Is it on the main download page? by Anonymous Coward · 2015-05-19 08:51 · Score: 0
  
  It never came with ssh and was only available on the server or enterprise editions of Windows. Although you can still download the software, it was discontinued in 2010 and all support stopped in 2014.
54. Re:Is it on the main download page? by Anonymous Coward · 2015-05-19 09:38 · Score: 0
  
  It's actually not Metro only any more. Well, soon, anyway.
55. Re:Is it on the main download page? by Anonymous Coward · 2015-05-19 10:26 · Score: 0
  
  Especially since Powershell requires administrative, remote access to the C$ hidden share on every target host. In other words, if you turn *off* file sharing, you can no longer use powershell at all to reach the machine, and the filesharing has access to *your entire hard drive*.
56. Re:Is it on the main download page? by Lord+Bitman · 2015-05-19 11:10 · Score: 1
  
  The main download page? you mean "some guy's personal web page on a site that looks like it hasn't been updated since 1982, served over plain HTTP"?
  chiark.grenend.org.uk/~sgtatham/putty/download.html ? looks like a legit, right?
  
  --
  -- 'The' Lord and Master Bitman On High, Master Of All
57. Re: Is it on the main download page? by Anonymous Coward · 2015-05-19 11:51 · Score: 3, Informative
  
  Because it would provide no extra security.
  Certs and digital signatures cannot vouch for the person who made them. All they say is: After running my verification algorithm, I have determined that a key that is mathematically equivalent to this public cert was used to sign this file.
  Notice that the algorithm, the key, the signature, nor can the file in question is actually verified in this statement. From the user's perspective, they *assume* the algorithm is secure and trustworthy. The user *assumes* that the person who made the cert and signatures is trustworthy. The user *assumes* that the file was not tampered with such to exploit a bug in the verification algorithm that they use. Etc. Etc. Etc.
  To those of you who say: "It's not the job of the algorithm to do that, it's the user's job. (User in this case being the system administrator.)", I say this: Most people don't do this. Yes it is their job, but most do not nor even know that they should. They see the word secure and trust and the vast majority of them turn their brains off. Just like when they are smacked with a wall of text, some cryptic error message, or any other popup that tries it's hardest to get their attention and make them think about what they are doing. As a result all certs and signatures do for most people is create more annoying messages, add yet another dialog box to click through, and ultimately more blind trust and false assurances.
  In the case of the article, even if they had a cert and signature system in place already, a new user who downloads putty (or any other software for that matter) would not know whether or not to trust it's developer, much less the origin of the software download. If they saw two different signatures some people might question it, but most would assume both match, or that there was an error or a typo. (Of course any malware author worth his job is going to try his hardest to make any reference to the legitimate version very hard to find or out right eliminate said reference to help mislead the potential victim. Or make it such that if found out, the blame goes to the legitimate developer.)
  There is no way for them to find out if that signature is valid either, assuming they trust the signature. If the developer lives on the other side of the world, they can't walk up to them and ask, any attempt to use the net is a folly as that's using an insecure channel to verify an insecure transmission. They could attempt to find someone else near them who could vouch for the signature, but then is that person trustworthy? If they are how do you contact them? Most people don't have many people to trust, and it's not like the ones they do trust would be able to vouch for some random download. Basicly unless someone they know also uses the same download, they don't have anyone to trust. (That also assumes that person is also not a victim of mistrust, and that they did get a ligit copy of the software that has not been modified.)
  Basically long story short all digital signatures do is: Take more work that should be the user's job anyway (even though that task is extremely difficult, if not outright impossible for them to do successfully), do that work for them (while not giving them the ability to inspect that work in many instances, even if they do, you would need to be a cryptologist to verifiy it; most people are not), then give the false assurances that what it just "verified" is safe to use. (Despite the aforementioned issues, thus misleading the user.) It's complexity without benefit, (complexity is bad, as it makes things harder to verify) and most of the people in this scenario who will have this problem are people who blindly trust a binary blob OS with encryption algorithms they can't examine without an expert in cryptology and x86 machine assembly code, or would have to download another random software's source code, and have it verified by an expert in programming, x86 machine assembly code, and cryptology. (Verify the source code, compiler, and generated object, and executable.)
58. Re:Is it on the main download page? by Anonymous Coward · 2015-05-19 12:43 · Score: 0
  
  Posting anonymously as I'm not sure if this is public knowledge, but what I heard from a MS employee is that it was never intended to actually be used, it was just added for regulatory reasons because some government regulation decided that computers for government use need to conform to POSIX, and it was easier to just create a dummy POSIX-compliant subsystem than making Microsoft's actual software POSIX compliant.
59. Re:Is it on the main download page? by Anonymous Coward · 2015-05-19 16:18 · Score: 0
  
  Out Demon. OUT! Back to 1999 with you!!!
60. Re:Is it on the main download page? by Anonymous Coward · 2015-05-19 16:39 · Score: 0
  
  I'd suggest you try Tera Term sometime: it supports ssh (via CygTerm) and serial comms, and I find its terminal emulation and features to be quite a bit nicer than PuTTY's or pure Cygwin. The homepage is http://en.osdn.jp/projects/ttssh2/ (osdn.jp is basically the Japanese sourceforge).
61. Re:Is it on the main download page? by mwvdlee · 2015-05-19 19:26 · Score: 1
  
  A checksum does you no good if you're on the wrong download page.
  I'm pretty sure the checksum published by the hackers will match the hacked download file.
  
  --
  Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
62. Re:Is it on the main download page? by mwvdlee · 2015-05-19 19:35 · Score: 1
  
  Like the still (supposedly) supported Windows 7 and even Vista?
  Windows 8 is good for tablets but it isn't a serious desktop OS; the most recent desktop version of Windows is 7.
  
  --
  Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
63. Re:Is it on the main download page? by mwvdlee · 2015-05-19 19:40 · Score: 1
  
  The thing is; not everybody is experienced.
  All of us, including you, has had to download it for the first time in their live at some point.
  If I tell a new collegue to install Putty, there's a chance he'll download the wrong version because he won't trust the site he sees. Unless I tell him the correct site, but having to do so pretty much proves the point.
  
  --
  Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
64. Re:Is it on the main download page? by pop+ebp · 2015-05-19 22:56 · Score: 1
  
  I'm supposed to download binaries that don't have Authenticode signatures, from a web server that doesn't support TLS.
  Actually, the download server that it links to supports TLS now.
  But yes, I completely agree that the switch to 2048- or 4096-bit keys is long overdue...
65. Re:Is it on the main download page? by danbob999 · 2015-05-19 23:11 · Score: 1
  
  Because if they made reals efforts, their Windows Store would be installable on any Windows version and wouldn't be limited to metro.
66. Re:Is it on the main download page? by Anonymous Coward · 2015-05-20 09:22 · Score: 0
  
  1024-bit PGP is probably secure against all but state-level adversaries, and they would be likely to just threaten to break his kneecaps if he doesn't cooperate rather than go to the expense.
67. Re: Is it on the main download page? by Anonymous Coward · 2015-05-20 21:45 · Score: 0
  
  First you complain that it lacks the pseudosecurity of TLS and complain that it use the much more secure PGP/GPG standard.
68. Re: Is it on the main download page? by Anonymous Coward · 2015-05-20 22:27 · Score: 0
  
  Why wouldn't it. It's a security tool, not a pyramid scheme website. Putting money in some fancy graphics adds exactly nothing to the users or the developers.
69. Re: Is it on the main download page? by Anonymous Coward · 2015-05-20 22:33 · Score: 0
  
  People using OpenSSL-based TLS servers usually use package management which wouldn't install a un outdated version of the software.
70. Re:Is it on the main download page? by Anonymous Coward · 2015-05-21 09:37 · Score: 0
  
  Looks like a programmer's website to me. I feel a lot safer with this than some site with a billion gradients, what's wrong with you people?
Dear DICE by mr.mctibbs · 2015-05-19 02:28 · Score: 3, Informative

I stayed through the beta bullshit. I stayed through Bennett. Autoplaying audio advertisement, and what the fuck ever you're letting through that's running my machine to a crawl with javascript: these are the final straw. Fuck you, I'm done.
1. Re:Dear DICE by Anonymous Coward · 2015-05-19 02:39 · Score: 0
  
  Yea, it seems the "Ads Disabled" checkbox does not disable ads completely anymore. :/
  Goodbye, my friend.
2. Re:Dear DICE by ArcadeMan · 2015-05-19 02:41 · Score: 1
  
  Maybe DICE decided to mine bitcoins with our computers.
  
  --
  Get free satoshi (Bitcoin) and Dogecoins
3. Re:Dear DICE by aaaaaaargh! · 2015-05-19 03:06 · Score: 4, Insightful
  
  /. works fine for me (except that, yes, it sucks more and more and seems to have become a generic news aggregator).
  Anyway, why don't you just use an ad-blocker like uBlock or Adblock Edge?
4. Re:Dear DICE by armanox · 2015-05-19 03:30 · Score: 2
  
  Are you not using Ad Block plus? Or an ad blocking hosts file? Never put all your eggs in one basket.
  
  --
  I'm starting to think GNU is the problem with "GNU/Linux" these days.
5. Re:Dear DICE by Anonymous Coward · 2015-05-19 03:39 · Score: 0
  
  You think they care?
  Hey, you might be interested in this, actually. I have some really nice Florida real estate that's a really good investment ... you interested?
6. Re:Dear DICE by Anonymous Coward · 2015-05-19 03:50 · Score: 0
  
  You don't AdBlock? You are no nerd. Leave this place!
7. Re:Dear DICE by camperdave · 2015-05-19 06:00 · Score: 0
  
  Dear DICE...
  Slashdot doesn't belong to Dice anymore. It's DHI Group now.
  
  --
  When our name is on the back of your car, we're behind you all the way!
8. Re:Dear DICE by Anonymous Coward · 2015-05-19 06:27 · Score: 0
  
  ghostery. Why "block" adds when you can get rid of everything.
9. Re:Dear DICE by ShaunC · 2015-05-19 07:24 · Score: 1
  
  Slashdot doesn't belong to Dice anymore. It's DHI Group now.
  DHI is Dice Holdings, Inc.
  
  --
  Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
10. Re:Dear DICE by Anonymous Coward · 2015-05-19 07:43 · Score: 0
  
  Don't say the "H" word. You'll summon him.
11. Re:Dear DICE by Anonymous Coward · 2015-05-19 11:46 · Score: 0
  
  LOL. Flash ads using 100% of CPU are not a new thing here.
  Slashdot is the reason I installed Adblock 10 years ago.
12. Re:Dear DICE by Anonymous Coward · 2015-05-19 14:46 · Score: 0
  
  Wow, we fear A-P-K more than Cthulhu?
  
  He's probably not even real. Just a script that greps slashdot looking for his letters followed by the H word.
  
  Posting anon to avoid script wrath. It gets angry when you mock it.
13. Re:Dear DICE by AFCArchvile · 2015-05-19 15:55 · Score: 1
  
  You're allowing Javascript? Why?
  Install a plugin like NoScript and lock down as much as humanly possible. Then, take screenshots of all the half-broken webpages, send them to the webmasters, and tell them how much better their page looks without all of the CPU-sapping, privacy-violating scripts running.
  
  --
  "Ancillary does not mean you get to rule the world." --U.S. Circuit Judge Harry Edwards, speaking to the FCC's lawyer
Why? by Anonymous Coward · 2015-05-19 02:29 · Score: -1

One of the best first steps in setting up a Windows machine is to install PuTTY on it, so you have a highly evolved secure shell at your command.
I know what PuTTY is. I even used it once, back in college.
That was pretty much the last time I used Windows, but if I were to set up a Windows machine now, I wouldn't even think to install PuTTY. Why would you?
1. Re:Why? by danbob999 · 2015-05-19 02:34 · Score: 1
  
  To connect to a Linux machine remotely?
2. Re:Why? by Anonymous Coward · 2015-05-19 02:34 · Score: 0
  
  20 years using Windows machines, never used it
3. Re:Why? by ledow · 2015-05-19 02:35 · Score: 5, Informative
  
  Any sort of COM port access.
  Any sort of SSH access.
  Any sort of SSH tunnelling access.
  I work in IT, PuTTY is one of the first things I install in every workplace - not "just because" but I'll be damned if I'm going to SSH into a remote server's management module without it or try to use some junky HTTP/Java monstrosity to achieve what one command can achieve on the CLI.
  Hell, I've diagnosed mail servers using it by telnetting to the mail port and issuing commands direct for a setting that some Exchange "experts" denied would ever affect anything - when you can show them the entire mail transaction live rather than some convoluted log that purports to tell you everything that happens on the email sending with a junky bounce error, it kinda hurts.
  Sure, a lot of stuff is HTTP-managed nowadays but wait until Chrome removes Java and see if the other browsers follow suit. Because then you'll be back on the CLI quite quickly.
  The last Cisco switch I installed came only with some absolutely worthless piece of software that only works if you have version X of IE etc. But SSH was a one-tick enable and I could do everything else from there.
4. Re:Why? by Anonymous Coward · 2015-05-19 02:41 · Score: 0
  
  To make SSH console connections to other machines, genius. Why wouldn't that be useful?
5. Re:Why? by Anonymous Coward · 2015-05-19 02:42 · Score: 0
  
  I don’t generally use Windows, but when I do the first thing I install is Cygwin so I can use openssh there instead of putty.
6. Re:Why? by Anonymous Coward · 2015-05-19 02:46 · Score: 0
  
  The last Cisco switch I installed came only with some absolutely worthless piece of software that only works if you have version X of IE etc. But SSH was a one-tick enable and I could do everything else from there.
  Or Firefox. However, that did not prevent me from using Chrome (or any webkit engine) to connect to it, and having no issues with the interface. That page is really more of an alert telling you that the browser you are using is not QA'ed.
  Regardless, real Cisco people use PuTTY over the console port to enable SSH. :P
7. Re:Why? by Anonymous Coward · 2015-05-19 02:47 · Score: -1
  
  But any adult OS has a terminal emulator built in.
8. Re:Why? by Daniel+Hoffmann · 2015-05-19 02:52 · Score: 3, Interesting
  
  PuTTY also runs in linux, if you are doing a simple SSH access you can do it in any terminal easily, but PuTTY also does a lot of stuff that you need to be a command-line specialist to be able to do by hand. Plus it saves your configurations for later uses.
  Personally I always do tunneling through PuTTY
9. Re:Why? by ledow · 2015-05-19 02:54 · Score: 5, Interesting
  
  CygWin is a damn nightmare, especially if you have other software that uses it.
  It suffers from enormous "DLL Hell" problems when it has multiple versions trying to load and if you use programs that use older versions of Cygwin, they don't necessarily run at all in co-existence with programs using newer versions. "Cygwin1.dll" exists is so many different versions that it's almost impossible to manage properly.
  I used to develop on Windows with Eclipse and Cygwin. I quickly moved to MinGW because silly things like random games, utilities, etc. that use it would interfere with the version I was developing against.
  If all you want is a real terminal on a GUI, Cygwin is total overkill. Not only that, if you use WinSCP as well, it will manage the keys for you properly between both programs so you don't even notice that you're using it.
  Use *nix, or use Windows and PuTTY. For sure, as a network admin, I wouldn't let put Cygwin near your computers but I'll happily pre-install PuTTY for you (zero install needed, certainly no pissing about with PATH and multiple versions of the DLL etc.).
10. Re:Why? by Anonymous Coward · 2015-05-19 02:54 · Score: 0
  
  If I were setting up a Windows machine, it would probably be for my gamer brother. Why would he need an SSH client?
11. Re:Why? by X0563511 · 2015-05-19 03:14 · Score: 2
  
  Putty runs circles around the cmd.exe terminal you'd have to suffer with, going that route.
  
  --
  For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
12. Re:Why? by nehumanuscrede · 2015-05-19 03:15 · Score: 2
  
  The last Cisco switch I installed came only with some absolutely worthless piece of software that only works if you have version X of IE etc. But SSH was a one-tick enable and I could do everything else from there.
  Chuckle. If one is using a GUI to configure Cisco gear, one should probably not be using Cisco gear.* :D
  *Unless you're trying to learn it, then the GUI will help get you started.
13. Re:Why? by Anonymous Coward · 2015-05-19 03:17 · Score: 1
  
  Linux saves your configurations too, with the magic of CTRL+R ;)
14. Re: Why? by Anonymous Coward · 2015-05-19 03:28 · Score: 1
  
  Your opinion is subjective hell. Cygwin works very well. If course, you can install unneeded packages but just because you can doesn't mean you should. Want say tunneling to a Windows service? Try doing that with putty and winscp. If you use Windows only as a client, sure putty will do but not if you want it to be a proper server.
15. Re:Why? by Hognoxious · 2015-05-19 03:40 · Score: 1
  
  I don't work as a sysadmin or anything, but I even have it on my phone.
  Occasionally I get a rogue process on my server and I can go in and sort it even if the console goes all Helen Keller.
  
  --
  Confucius say, "Find worm in apple - bad. Find half a worm - worse."
16. Re:Why? by Hognoxious · 2015-05-19 03:42 · Score: 1
  
  That's like saying you've been playing with Lego for 20 years, and you can't see why anyone would ever need a spanner.
  
  --
  Confucius say, "Find worm in apple - bad. Find half a worm - worse."
17. Re: Why? by ledow · 2015-05-19 03:53 · Score: 4, Informative
  
  Cygwin works well until you get other programs that use it. You either have to install them within your Cygwin install folder (and hope they are able to cope with Cygwin updates you make, e.g. to Cygwin 2) or suffer DLL hell. Look at the Cygwin FAQ for ".DLL" - if you're not familiar with those errors already, you haven't used Cygwin very much. Now consider across a bunch of workstations on a network.
  "Want say tunneling to a Windows service? If you use Windows only as a client...."
  Don't. Use a proper tool. PuTTY is a client, not a server. This is like saying that ssh-client is no good at being sshd,.. of course not. But that's not what we're talking about.
  And the fact is that for every SSH server set up (properly), you probably have 10-100 clients joining to it or you wouldn't bother setting it up. And one of the main points of things like SSH servers is cross-compile farms and remote access. And almost all the universities that offer such services recommend PuTTY if you're on Windows (because they've dealt with the Cygwin issues, I assure you, and decided it's not worth the hassle).
  Opinion, of course. So's yours. Just because it's contrary doesn't make it more or less valid.
  However, PuTTY is widely used and recommended for everything from talking to your Arduino's over a serial port to logging into your University server... go take a look. Cygwin - if and when it comes up - is not mentioned in nearly as many places for such simple actions.
  Cygwin is, in fact, overkill for the majority of users who just want to use SSH, telnet or serial services from Windows. If they wanted Linux, generally they end up installing it in preference to Cygwin.
18. Re:Why? by Anonymous Coward · 2015-05-19 03:58 · Score: 0
  
  Cygwin is basically such a mess that you might as well just install Linux and it will probably work better for any given use-case.
19. Re:Why? by Anonymous Coward · 2015-05-19 03:59 · Score: 0
  
  Stop trying to do real work on Windows you tool. Then again most people who 'work in IT' are desktop support which is H1B work in the making.
20. Re:Why? by Anonymous Coward · 2015-05-19 04:00 · Score: 0
  
  Bingo. HP's OAs on their blade enclosures are a lot less painful if you use SSH. Same with IBM HMCs. In fact, administrating network devices require SSH for all but basic stuff.
  Yes, there are commercial SSH clients, but the price is insane per seat, and they provide almost nothing more than PuTTY does. Might as well send a donation to the PuTTY authors and use that.
21. Re:Why? by Phusion · 2015-05-19 04:04 · Score: 1
  
  There's always Cmder too ===> http://gooseberrycreative.com/cmder/
  
  --
  640k ought to be enough for anyone.
22. Re:Why? by Anonymous Coward · 2015-05-19 04:04 · Score: 1
  
  Great comparison! An SSH client is to Windows as a wrench is to Lego.
23. Re:Why? by Anonymous Coward · 2015-05-19 04:09 · Score: 0
  
  You forget Cisco has mistakenly released some gear with only HTTP/HTTPS access such as those terrible CE-500 switches.
24. Re:Why? by Anonymous Coward · 2015-05-19 05:36 · Score: 0
  
  No, it's like saying is a very specific tool that is used by people that know where to download it from, and not random from sources on the internet
25. Re:Why? by camperdave · 2015-05-19 06:02 · Score: 1
  
  Um... Duplo
  
  --
  When our name is on the back of your car, we're behind you all the way!
26. Re:Why? by jdavidb · 2015-05-19 06:10 · Score: 1
  
  I have used Cygwin daily at work and at home for ten years and have almost never seen the issues you are talking about. I'm sure they are real and affect people who do things differently than me. I don't typically download third party applications that depend on the Cygwin DLL. I use the complete official Cygwin package repository or (very rarely) compile from source. I use Eclipse, Java, ant, Cygwin, and am about as happy as I can be with my environment (I'd be happier writing Perl, but that's another story). I use Cygwin openssh every day and it works great.
  
  --
  Secession is the right of all sentient beings.
27. Re:Why? by 0dugo0 · 2015-05-19 06:59 · Score: 1
  
  But any adult OS has a terminal emulator built in.
  And they all suck hairy donkey balls.. You know you have been using PuTTY too long when..
  You LOL at all the post about www.chiark.greenend.org because you know how to blindly download the last version from the.earth.li.
  The first thing you do on a brand new Mac is downloading VirtualBox and a warezed TinyXP just to run PuTTY.
  You do the same on any fresh unixbox just to ssh into the host because you can't stand the behaviour of the native terminal emulator.
  Can give a 20 minute speech on how PuTTY-on-Ubuntu/Mac/whatyouhave is Not The Same Thing
  You pranked friends with a trojaned version in the previous century.
28. Re: Why? by 0dugo0 · 2015-05-19 07:04 · Score: 2
  
  Connection->ssh->tunnels, works like a charm.
29. Re: Why? by pr100 · 2015-05-19 07:21 · Score: 1
  
  Cygwin with openssh works fine. Putty is OK. But for things you use regulary, scripts and SSH are nicer.
30. Re:Why? by dickens · 2015-05-19 07:27 · Score: 1
  
  Ditto here. I suspect they are, as you suggest, downloading 3rd party applications that depend on the Cygwin DLL. I use the setup.exe provided and have never had a problem.
31. Re:Why? by jdavidb · 2015-05-19 08:19 · Score: 1
  
  Putty runs circles around the cmd.exe terminal you'd have to suffer with, going that route.
  Cygwin has changed a lot since you last looked at it. Cygwin's default terminal is now mintty.exe, which is a project based off of Putty's terminal.
  
  --
  Secession is the right of all sentient beings.
32. Re: Why? by shadowknot · 2015-05-19 08:22 · Score: 1
  
  I'm very much with you on that. It makes my life bearable given that I can't put Linux on my work lappy due to the whole full disk encryption thing they have going here (financial industry so it makes some sense). My job would be far slower using standalone tools like PuTTY. It's OK for simple SSH access and it has some lovely features for doing things like tunneling (which I use it for sometimes) but for managing a good sized environment where I'm moving stuff around and want to script things it's not really useful. I second the above complaint about the way it does key management too, not a fan of that. Another minor gripe I have is purely aesthetic. I grew up on yellow/amber phosphorus WYSE serial terminals (attached to RS6000's mostly) so I like a nice pale amber as my terminal's primary color, I also like full screen multiple tabbed terminals and though MtPuTTY is out there it's a little clunky IMO. In summary I use Cygwin with mate-terminal as my primary way of connecting to my guests (Linux on z running under z/VM) and it's the optimum way for me. Others might think differently but that's the beauty of open source!
33. Re:Why? by X0563511 · 2015-05-19 09:09 · Score: 1
  
  When was this? My latest installation is only around 3 months old.
  
  --
  For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
34. Re:Why? by jdavidb · 2015-05-19 09:15 · Score: 1
  
  mintty has been around for 3+ years, maybe longer. For a default cygwin install on a fresh machine, the "Cygwin" icon that gets installed launches mintty.
  
  --
  Secession is the right of all sentient beings.
35. Re:Why? by jdavidb · 2015-05-19 09:17 · Score: 1
  
  Apparently mintty has been the default since 2011: http://en.wikipedia.org/wiki/Mintty
  
  --
  Secession is the right of all sentient beings.
36. Re:Why? by Anonymous Coward · 2015-05-19 09:22 · Score: 0
  
  I used to do that, but now I install git, it contains a full feature command-line environment (bash, ssh, vim, less, cat ...). It's not clear to me whether it uses mingw alone or cygwin as well, but it's much simpler to install than cygwin and much faster as well.
37. Re:Why? by Anonymous Coward · 2015-05-19 12:15 · Score: 1
  
  ~/.ssh/config is quite straightforward. And it will also be there for the next use.
  There are no "command-line" specialists. Just read the man page, it's all there, even examples.
38. Re: Why? by Zontar+The+Mindless · 2015-05-19 15:09 · Score: 1
  
  Doesn't sound like cygwin has changed much in the last 10 years. Thanks for the trip down memory lane--I think. :)
  
  --
  Il n'y a pas de Planet B.
39. Re: Why? by Anonymous Coward · 2015-05-20 22:06 · Score: 0
  
  No in fact it's not. It's a very common tool for everything from IRC:ing to managing home network equipment. It's faster and simpler than any other tool for remote control.
  Arguments like your is quite common but you are making the classic mistake of projecting your own prejudice about SSH on others that you think would be like you and therefore make the same choices you do.
  I don't know if you use SSH or not because it goes both ways. Some doesn't use it because they consider it for a special brand of nerds and therefore thinks that everyone else that's not that demographics doesn't use it. Others belong to that demographic and think that the uninformed masses doesn't use it. Both have failed to see the numerous use cases that makes it a popular tool among people who doesn't really know how it works beyond for example running IRC on an "IRC Shell". Or to run BBS Door gamed like Legion of The Red Dragon. Or the generic MUD. The list of use case that's entirely outside your frame of mind are extensive so I just give you a few examples.
40. Re: Why? by Anonymous Coward · 2015-05-20 22:18 · Score: 0
  
  Cygwin is a great tool if you are a paying customer. If you use the free version and your use case doesn't match those of paying customers then good luck.
  As the paying customers are few Red Hat doesn't put much resources into it.
  I traded cygwin for VirtualBox and Fedora quite some time ago. It's easier to install and maintain and it got a lot more software. That's where RH puts most of the resources that used to belong to the cygwin project.
Breaking news! by Anonymous Coward · 2015-05-19 02:29 · Score: 0

Malicious! Software! Exists! Online! Everyone! Panic!
Really slashdot?
1. Re:Breaking news! by Anonymous Coward · 2015-05-19 02:47 · Score: -1
  
  Most security vulnerabilities and other problems are found in the Linux world these days, so it is newsworthy to tell if there's a rare problem under Windows.
  It's actually quite surprising and even relaxing to think that I've been using Windows for ages now and had zero malware. You can easily avoid it if you don't install obvious shady shit like this malicious version of PuTTY.
  Ahh, now I'm gonna crack open a cola and enjoy some GTA V though. :)
WTF by Anne+Thwacks · 2015-05-19 02:36 · Score: 2

So, what is it we are supposed to look for on the about page?
"This is the malicious version! If you want the secure one, please delete me and go elsewhere!"
Is there a way to read the about page without installing?
The article came quite close to being useful, but then missed by a mile.

--
Sent from my ASR33 using ASCII
1. Re:WTF by dav1dc · 2015-05-19 02:47 · Score: 0
  
  MD5 checksums - checked against those published by the author IS THE ONLY WAY TO BE CERTAIN.
2. Re:WTF by Anonymous Coward · 2015-05-19 02:54 · Score: 0
  
  How are these MD5s published? The official download page isn't served over HTTPS so in theory anything could be there!
3. Re:WTF by Anonymous Coward · 2015-05-19 03:01 · Score: 3, Informative
  
  No it's not. MD5 has been broken for years now and needs to die. PLEASE STOP RECOMMENDING MD5 ALREADY.
  http://www.kb.cert.org/vuls/id/836068
  http://en.wikipedia.org/wiki/MD5
4. Re:WTF by Anonymous Coward · 2015-05-19 03:32 · Score: 0
  
  yea, appending random garbage to the end of the file until checksum clicks what made the MD5 and SHA-1 useless for checksumming for some time. But dont burst the dav1dc's bubble. He probably believes that data cannot be modified in transit, if he uses SSL with TLS as well. Let him be. His adress bar is green, that means he's safe :)
5. Re:WTF by sconeu · 2015-05-19 04:34 · Score: 4, Informative
  
  Simon publishes MD5, SHA1, SHA256 and SHA512 sums for all official binaries.
  
  --
  General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
6. Re:WTF by camperdave · 2015-05-19 06:11 · Score: 3, Insightful
  
  Don't you think that a person who is making a malicious version of Putty is also capable of putting MD5 checksums of the malicious code on their download site? Checking MD5 sums against those published by the author is useless. You need to check against publicly verified, independently published checksums.
  
  --
  When our name is on the back of your car, we're behind you all the way!
7. Re:WTF by Coren22 · 2015-05-19 06:33 · Score: 1
  
  From the second link in TFS:
  http://www.symantec.com/connec...
  The about shows "Unidentified Build" rather than the build number. Seems like sloppy hijacking to me.
  
  --
  APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
Only Use Known Reliable Resources by Anonymous Coward · 2015-05-19 02:39 · Score: 1, Funny

You should basically only be downloading from the official repository.
Anything else is just insanity.
Handy Url Included:
http://putty.cc?version=latest
1. Re:Only Use Known Reliable Resources by X0563511 · 2015-05-19 03:15 · Score: 2
  
  WTF is that? Because that's not sgtatham's site.
  
  --
  For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
2. Re:Only Use Known Reliable Resources by jones_supa · 2015-05-19 03:57 · Score: 1
  
  What would you say if someone set up a website with the following URL: http://www.chiark.greenend.org/~sgtatham/putty/download.html
  Do you see what the problem is here?
3. Re:Only Use Known Reliable Resources by Anonymous Coward · 2015-05-19 05:04 · Score: 0
  
  Why do you exclude the possibility that PuTTY was developed on Cocos Islands and sgtatham from the UK trojanized it? Some prejudices against third-world nations?
Putty domain by watermark · 2015-05-19 02:41 · Score: 3, Insightful

I never did like that you had to download putty from a "random" domain. The putty.org website takes you to some greenend.org.uk domain. If you google for putty, it takes you directly to the greenend.org.uk domain. The official binary really should be hosted on the putty.org domain, or at the least have the actual download link on the official domain, using that greenend.org.uk domain as a CDN for the binary.
1. Re:Putty domain by red_dragon · 2015-05-19 02:52 · Score: 5, Insightful
  
  greenend.co.uk is the official domain for PuTTY (specifically, www.chiark.greenend.co.uk). Simon Tatham has hosted it there from the start. I'd be more suspicious of putty.org, honestly.
  
  --
  In Soviet Russia, Jesus asks: "What Would You Do?"
2. Re:Putty domain by Anonymous Coward · 2015-05-19 03:18 · Score: 2, Insightful
  
  Yes, but a newcomer would find www.chiark.greenend.co.uk more suspicious than putty.org.
3. Re:Putty domain by jones_supa · 2015-05-19 04:08 · Score: 2
  
  greenend.co.uk is the official domain for PuTTY (specifically, www.chiark.greenend.co.uk). Simon Tatham has hosted it there from the start. I'd be more suspicious of putty.org, honestly.
  Except that the official domain is greenend.org.uk. See, even you got confused it there.
4. Re:Putty domain by Anonymous Coward · 2015-05-19 04:42 · Score: 0
  
  He's not confused, he's familiar with PuTTY's history and author, so he knows that greenend.co.uk is more trustworthy than putty.org. The real problem is that he expects everyone to know this.
5. Re:Putty domain by radarskiy · 2015-05-19 04:54 · Score: 1
  
  greenend.co.uk may be more trustworthy than putty.org, but neither will get you the official PuTTY release.
6. Re:Putty domain by adolf · 2015-05-19 05:39 · Score: 0
  
  greenend.co.uk may be more trustworthy than putty.org, but neither will get you the official PuTTY release.
  ftp://ftp.chiark.greenend.org....
  What confusion?
  
  --
  Kid-proof tablet..
7. Re:Putty domain by Anonymous Coward · 2015-05-19 05:54 · Score: 0
  
  That is greenend.org.uk.
8. Re:Putty domain by Anonymous Coward · 2015-05-19 09:47 · Score: 0
  
  http://greenend.co.uk/?s=putty
  No results found.
  So what is the official site?
9. Re:Putty domain by adolf · 2015-05-20 14:33 · Score: 1
  
  That is greenend.org.uk.
  Because that's where PuTTY comes from, you dolt.
  
  --
  Kid-proof tablet..
10. Re:Putty domain by radarskiy · 2015-05-20 16:57 · Score: 1
  
  Yes, that is where it comes from, not greenend.co.uk. like red_dragon and the AC claimed.
11. Re:Putty domain by adolf · 2015-05-21 13:51 · Score: 1
  
  Right. I know this. It's also available from that main site, directly, via anonymous FTP....which, AFAICT, is still something that Windows browsers transparently support just as they always have.
  
  --
  Kid-proof tablet..
12. Re:Putty domain by radarskiy · 2015-05-21 15:12 · Score: 1
  
  "Right. I know this. "
  But you did not know that people like red_dragon and the AC kept pointing to the wrong site. red_dragon' claimed that there should be no confusion about what is the right site to get PuTTY but in doing so demonstrated red_dragon's own confusion over what was the right site thus refuting the claim.
13. Re:Putty domain by adolf · 2015-05-24 21:52 · Score: 1
  
  I did know that. I just didn't spell it out. (How do you propose to know what I know, anyway? Preposterous!)
  Look, do you want PuTTY binaries directly from the official site, or not? Because that's the problem being discussed.
  Or at least it was until you showed up.
  
  --
  Kid-proof tablet..
For those who don't RTFA by AverageCitizen · 2015-05-19 02:41 · Score: 4, Informative

The infected client contains "Unidentified build, Nov 29 2013 21:41:02" on the about PuTTY page while the official has "Release 0.63". Cisco has a good article here: http://blogs.cisco.com/securit... by Robert Semans, Brandon Enright, James Sheppard, and Matt Healy.
1. Re:For those who don't RTFA by ledow · 2015-05-19 02:59 · Score: 5, Informative
  
  That's just because they compiled without specifying the build number.
  That's LITERALLY a ten-second fix and recompile to resolve.
  Don't identify software / spam / viruses by "it has X feature that's easily copied", whether that's a registry entry, a process name or an arbitrary string.
  Publish the damn checksums at a minimum, or GPG signing key ideallly.
2. Re:For those who don't RTFA by chispito · 2015-05-19 03:44 · Score: 1
  
  Publish the damn checksums at a minimum, or GPG signing key ideallly.
  They are published:
  http://www.chiark.greenend.org.uk/~sgtatham/putty/download.htm
  
  Your average Windows user and his average admin don't know what to do with a checksum, however.
  
  --
  The Daddy casts sleep on the Baby. The Baby resists!
3. Re:For those who don't RTFA by Anonymous Coward · 2015-05-19 04:19 · Score: 0
  
  Publish the damn checksums at a minimum, or GPG signing key ideallly.
  Won't they also need the password to use the signing key?
  ('they' being the folks who would like to sign future bogus versions)
Best first steps by ArcadeMan · 2015-05-19 02:44 · Score: 4, Insightful

One of the best first steps in setting up a Windows machine is to install PuTTY on it.
The best first step is to install Steam, because Windows is only used for gaming.
How does it feel to be on the other side of a generalization, timothy?

--
Get free satoshi (Bitcoin) and Dogecoins
1. Re:Best first steps by Anonymous Coward · 2015-05-19 02:57 · Score: -1
  
  Since your statement was accurate, I can't imagine him having a problem with it.
2. Re:Best first steps by Sarten-X · 2015-05-19 03:49 · Score: 1, Insightful
  
  I just rebuilt my Windows desktop at home.
  The first thing I did was to install Google Chrome, because I'd rather not tolerate IE while fetching other stuff. Next was Steam, mostly so I could get it downloading a game immediately. Once my game was underway, I downloaded PuTTY, followed by a few other utilities.
  From my perspective, you're all very close, but wrong nonetheless.
  
  --
  You do not have a moral or legal right to do absolutely anything you want.
3. Re:Best first steps by tepples · 2015-05-19 03:51 · Score: 1
  
  Windows is only used for gaming.
  Or for game development, for which you might need a shell to administer your version control server.
4. Re:Best first steps by cyborg_monkey · 2015-05-19 04:45 · Score: -1
  
  That was a fucking fantastic story. You should write a book containing all your wit and wisdom, you shaved taco.
Cygwin appreciation society! by MrKaos · 2015-05-19 02:45 · Score: 4, Interesting

I've never really be that fond of putty, although I see where it is useful. Cygwin offers so much more having use of the shell on windows and ssh if you need to get into a system. Cygwin/X is even better when I need to get a gui. Add windowspager and Windows becomes a great presentation layer!
Thank you Cygwin people!

--
My ism, it's full of beliefs.
1. Re:Cygwin appreciation society! by Pope+Hagbard · 2015-05-19 03:08 · Score: 3, Informative
  
  MobaXterm is pretty nice as a SSH/Telnet/X11/mosh/tunnel client. It doesn't do anything you can't do with Cygwin in that regard but it's less work to get set up.
2. Re:Cygwin appreciation society! by Blaskowicz · 2015-05-19 03:43 · Score: 2
  
  I sort of like Teraterm Pro, I don't think it really does more than putty but it's self-contained (in regard to the GUI), tabbed and the set up is mostly setting up the font, font size and text color. With either putty or Teraterm, install Xming to do X11 (next/next/finish, then check a box in the terminal program's settings)
3. Re:Cygwin appreciation society! by KermodeBear · 2015-05-19 04:29 · Score: 1
  
  A second vote for MobaXTerm. I moved to it from Putty. It has tabs and the X11 stuff built in, don't have to configure a thing - it just works. Love it.
  
  --
  Love sees no species.
4. Re:Cygwin appreciation society! by PincushionMan · 2015-05-19 15:18 · Score: 1
  
  I'd like to comment about MobaXterm: It is a Lazarus (or more likely Delphi) application with the source code freely available under the GPL v3 license. However, it uses some closed source items as part of its build environment, so it will not compile from the available source. It cobbles together pieces of MinGW and the MinGW Xserver into a nice product. Worth installing, if you cannot have a true Linux terminal. Link
  
  That said, security-wise, be careful with MobaXterm. Per Nessus it runs on its host with its X11 server wide open. Nessus will even happily grab a screen shot of what was going on on your screen the moment it scans it.
  I think he has the remote Xserver screen grab turned on for the Windows 7+ peek feature, so you can have some idea of the window you want to open. Problem is, that feature doesn't fully work yet. If you have multiple overlapping windows, you get what's on top - that it. So if you have something fullscreen with covering something else behind it, you'll get a peek of the part of the fullscreen window, and not the window you really want.
  
  That said, it's the best inexpensive shareware/nagware terminal/X11 server around, short of using 100% Linux. On the full commercial side, Hummingbird's Reflection product may technically be better, but when it costs $500 to $1000 per seat per version - no thanks. $70 to $100/year is more reasonable than that (price is based on Euro, so Dollar price varies)
This is why we can't have nice stuff... by QuietLagoon · 2015-05-19 02:50 · Score: 1

Someone's always gonna ruin it.
What about the installer executable? by Culture20 · 2015-05-19 02:54 · Score: 1

That's not from the main putty page but is linked to from the main page.
Why is any of this necessary? by Jeremi · 2015-05-19 02:58 · Score: 1, Troll

Sure, in 2015, it wouldn't be so hard for Microsoft to include an SSH client with their OS? I can't think of any other OS that doesn't come with one pre-installed.

--

I don't care if it's 90,000 hectares. That lake was not my doing.
1. Re:Why is any of this necessary? by silas_moeckel · 2015-05-19 03:02 · Score: 1
  
  Because their solution was powershell with it's own nonstandard remote interface.
  
  --
  No sir I dont like it.
2. Re:Why is any of this necessary? by danbob999 · 2015-05-19 03:12 · Score: 1
  
  And Windows can't even run powershell scripts by default, making it useless. You need to change some security settings in order to execute a simple Windows equivalent of a ".sh".
3. Re:Why is any of this necessary? by Anonymous Coward · 2015-05-19 03:14 · Score: 0
  
  Well, For one, it wouldn't be insurmountably hard for hackers to hack the windows and exploit the client somehow. Second, the public version of Putty is maintained to a standard that is not so Microsoft influenced. Third, after examining PowerShell ins and outs, it seems like Microsoft would make something that is less POSIX looking and requires a learning curve, and shifts paradigms so that they can have some copyright on it. Four, is same is as third, will Microsoft screw it up somehow? Five, can Microsoft get a popular POSIX program right the first time? Allot of untils with putty are useful in batch files (psftp being one), sometimes you can pass password as argument and more files around programaticaly, combine with some UNIX utils, one place here: sourceforge.net/projects/unxutils/, very useful now and again. I say, putty is great, some non command line or powershell version would screw it up; when augmented by UNIX untils mentioned and cURL and xmlstarlet (possibly also SVN and a better tar and make from MIT) it makes a nice substitute for powershell; saves on running a large cygwin install and doing builds.
4. Re:Why is any of this necessary? by Anonymous Coward · 2015-05-19 04:31 · Score: 0
  
  and also; powershell scripts are not compatible with any other platform.
  Anybody remember REXX?
5. Re:Why is any of this necessary? by Anonymous Coward · 2015-05-19 04:35 · Score: 0
  
  There actually was a minimally useful toolset on Windows called "Services for Unix". ( I think it can be optionally installed on server 2008).
  There were also a couple of third party tools that put unix commands on Windows (way back in the win2k/NT days). But Cygwin really turned out to be the most useful.
  I think the biggest problem with these kinds of compatibility layers, is the incomplete mapping between POSIX file system permissions, and NTFS permissions.
  Putty is fine, I guess, but it never really did enough. If I want ssh access, I will also want a real bash shell so I can do some scripting, or script development.
6. Re:Why is any of this necessary? by shadowknot · 2015-05-19 09:34 · Score: 1
  
  Yep, I use it daily in z/VM!
7. Re:Why is any of this necessary? by VGPowerlord · 2015-05-19 10:02 · Score: 1
  
  Windows has used something called Terminal Services to do remote connections for the last 20 years or so.
  They renamed it "Remote Desktop Services" at some point, but if you put a pig in a dress, it's still a pig.
  
  --
  GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
PuTTY is Passe by Anonymous Coward · 2015-05-19 03:13 · Score: 1

If you haven't found MobaXterm yet, do yourself a favor.
1. Re:PuTTY is Passe by Anonymous Coward · 2015-05-19 03:53 · Score: 0
  
  MobaXterm, while nice is built on PuTTY and can be infected the same way.
  Don't really see that as a better option.
2. Re:PuTTY is Passe by PincushionMan · 2015-05-19 15:25 · Score: 1
  
  I respectfully disagree. There's no way the terminal in MobaXterm is PuTTY. It behaves differently, and doesn't have the configuration knobs that PuTTY has. I believe it is using mintty, like Cygwin uses.
  
  I think that he parses the registry for the PuTTY settings, and loads them (15 or so connections for the free version, all for the paid version). If he uses any PuTTY code, it is just to marshall that hunk of registry data into clickable links that mintty can understand. Look for SimonTatham in your registry.
serial by Anonymous Coward · 2015-05-19 03:23 · Score: 0

I bricked my WRT1900AC and used Putty to do a serial connection to reflash the firmware. I also use it hundreds of times a day for SSH and occasionally for telnet. Absolutely indispensable tool.
1. Re:serial by phayes · 2015-05-19 07:21 · Score: 1
  
  Putty corrupts data when copying/pasting large amounts. I got tired of that screwing up network confs & moved to TeraTerm.
  
  --
  Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
2. Re:serial by Anonymous Coward · 2015-05-19 09:30 · Score: 0
  
  Maybe you're just incompetent.
3. Re:serial by Anonymous Coward · 2015-05-19 16:46 · Score: 0
  
  I don't understand the love for PuTTY - Tera Term just seems so much better. Though for a long time it was easy to find 2.3 and ridiculously difficult to find the 4.x site.
Which C runtime library for MinGW? by tepples · 2015-05-19 03:30 · Score: 1

I used to develop on Windows with Eclipse and Cygwin. I quickly moved to MinGW because silly things like random games, utilities, etc. that use it would interfere with the version I was developing against.
Which C runtime library do you use with MinGW? I'm told third-party applications shouldn't use MSVCRT.dll anymore.
1. Re:Which C runtime library for MinGW? by VGPowerlord · 2015-05-19 09:49 · Score: 1
  
  I'm not sure about the OP, but on my work Windows 7 computer, I have no less than 13 versions of Microsoft's C++ libraries installed.
  And that's with the versions from Visual Studio 2013 not being listed in Programs and Features for whatever reason. I know they're installed as one of the programs I needed to compile requires them because they're the first versions that have C++11 support.
  The point is that each time Microsoft releases a new version, the old versions also stick around. I have 4 x86 and 2 x64 versions of the Visual C++ 2008 / 9.0.x libraries for example.
  
  --
  GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
Obvious in what way? by tepples · 2015-05-19 03:32 · Score: 1

obvious shady shit like this malicious version of PuTTY
The problem here is that it isn't "obvious shady shit" as you claim. The official PuTTY download page doesn't look very "official". This makes it easier to fool people into downloading the trojaned version instead of the official version.
1. Re:Obvious in what way? by Anonymous Coward · 2015-05-19 05:23 · Score: 0
  
  If a user only scrutinizes their software by how 'official' the distributor looks they are doomed.
2. Re:Obvious in what way? by tepples · 2015-05-19 06:38 · Score: 1
  
  Then what steps should an end user take to determine the official maintainer for any given piece of software, especially once malware purveyors become better at SEO than the official maintainer?
TRWTF is that there is no putty.cc by tepples · 2015-05-19 03:48 · Score: 1

I tried that and got "Firefox can't find the server at www.putty.cc." The fact that putty.cc doesn't exist is the real problem.
Telnet shell? by Anonymous Coward · 2015-05-19 03:53 · Score: 0

People still use telet for Windows? Just asking. I haven't heard of Telnet since the late 1990s.
1. Re:Telnet shell? by mmell · 2015-05-19 04:06 · Score: 1
  
  Telnet is a great diagnostic tool. I wouldn't use it for connectivity, but to see what's happening on a specified network port somewhere it's great. Microsoft still provides the telnet client, even with Windows 8.1 - PuTTY not required. Then again, the average Windows user should probably use PuTTY's telnet client - the averagre Windows user actually shouldn't use Telnet at all, but at least PuTTY makes it point 'n' click easy.
PuTTY Replacement - KiTTY by Anonymous Coward · 2015-05-19 04:01 · Score: 0

I only install KiTTY now for some time.
http://www.9bis.net/kitty/
"KiTTY is a fork from version 0.64 of PuTTY, the best telnet / SSH client in the world"
I think it's more truly PuTTY evolved... the differences/improvements are listed.
Personally, I prefer Cygwin's OpenSSH client. by mmell · 2015-05-19 04:02 · Score: 1

Unlike PuTTY (which is a fantastic piece of work, BTW), I understand the OpenSSH client. I guess my UNIX roots are showing.
With that said, I do routinely install PuTTY - I've gotten tired of the old arguments:
(ME): "What ports should I use on the jump server, and is Netcat installed there?"
(COWORKER): "Just click on PuTTY and go to the Tunnels part . . ."
(ME): "Can't you just tell me what ports to use?"
(COWORKER): "The only way I know how is in PuTTY."
Anybody but me ever felt the urge to punch the monkey?
1. Re:Personally, I prefer Cygwin's OpenSSH client. by Anonymous Coward · 2015-05-19 04:31 · Score: 0
  
  Sometimes cow-orkers require percussive maintenance to reduce the incidence of pebkac episodes.
2. Re:Personally, I prefer Cygwin's OpenSSH client. by Anonymous Coward · 2015-05-19 04:38 · Score: 0
  
  You're killing me, smalls.
3. Re:Personally, I prefer Cygwin's OpenSSH client. by Anonymous Coward · 2015-05-19 05:36 · Score: 0
  
  yes, this drives me batty.
  We fought this for years, by requiring a cygwin install as part of our basic toolset.
  Eventually, we abandoned Windows for Redhat.
4. Re:Personally, I prefer Cygwin's OpenSSH client. by Culture20 · 2015-05-19 06:40 · Score: 1
  
  Sometimes cow-orkers require percussive maintenance to reduce the incidence of pebkac episodes.
  While I agree that no one should be orking cows, I think beatings are a rather severe punishment.
5. Re:Personally, I prefer Cygwin's OpenSSH client. by spongman · 2015-05-19 09:30 · Score: 1
  
  you two are speaking different languages. but you're making a judgement call as to which is better, and you haven't justified that position.
Use SecureShell in Chrome by Anonymous Coward · 2015-05-19 04:16 · Score: 0

Get rid of the middle man!
google Chrome-> appstore -> SecureShell
done already, and so? by s.petry · 2015-05-19 04:19 · Score: 1

The check sums are already published, anyone that wants to check can check.
To the other half, I can modify any Windows binary to have malware and keep the version the same. Check sums can fix that almost all of the time. The build information is as reliable as the binary's name, in that it has very little use.
People pushing this gunk are not going after knowledgeable users that check sources (obviously), they are going after the low hanging fruit which could be "got" any number of ways. The latest craze of pushing STEM and IT Security has created a huge set of wanna-bes who know enough to be dangerous while thinking they are intelligent.

--
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
1. Re:done already, and so? by camperdave · 2015-05-19 06:17 · Score: 1
  
  I'm sure the publishers of tainted versions of PuTTY also have MD5s I can download and verify against.
  
  --
  When our name is on the back of your car, we're behind you all the way!
2. Re:done already, and so? by chispito · 2015-05-19 07:34 · Score: 1
  
  I'm sure the publishers of tainted versions of PuTTY also have MD5s I can download and verify against.
  Do you know what the purpose of a checksum is? What you said doesn't really make sense.
  
  --
  The Daddy casts sleep on the Baby. The Baby resists!
3. Re:done already, and so? by Lost+Race · 2015-05-19 08:04 · Score: 1
  
  Putting the checksum right next to the binary on the download server only helps to check for bitrot in the download. It does nothing whatsoever to establish provenance of the binary, since whoever put the binary there could generate their own checksum from it. You need a checksum or signature that is more trustworthy than the binary in order to verify it.
  It would be nice if every publisher would sign every downloadable blob, and the OS maintainers would countersign the true public keys for all popular projects. Then we wouldn't have to care about whether we're downloading from an "official" site or not.
4. Re:done already, and so? by shadowknot · 2015-05-19 08:34 · Score: 1
  
  I think he's saying that if you've been swindled by the false website they'll likely publish a checksum that matches their bogus binary so even if you did do a hash comparison it wouldn't throw up a red flag because it would match the one they're providing. I think you may be assuming that people who are fooled by this have the sense to download from the fraudulent site and hop over to the official site to do a hash comparison. I suspect that's not the case!
Who uses putty that way? by damn_registrars · 2015-05-19 04:28 · Score: 1

I use Putty plenty, but I haven't had a time yet where I have needed to use it on a new system and needed root access on the system I am logging in to. If I'm using it on a new box, I am logging in with my usual non-root account on my remote system. How exactly would they use that to gain root access?

--
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
And PuTTY-CAC? by whitroth · 2015-05-19 04:44 · Score: 1

Anyone know if there's a trojanized version of PuTTY-CAC?
For the rest of you, that's for use with "smart cards" (i.e., US fed gov PIV, or US DoD CAC id cards), and it's a fork of PuTTY.
And what about pageant?
mark
That easy to detect... whew! by cjjjer · 2015-05-19 05:08 · Score: 1

2015-05-19 Malware pretending to be PuTTY
A Symantec blog post warns that a trojaned copy of PuTTY has been detected in the wild. Fortunately, it's easily recognisable by its version identification ("Unidentified build, Nov 29 2013 21:41:02"). If you've encountered this version, we suggest you treat any machine that's run the malicious version as potentially compromised, change any passwords that might have been stolen, and resecure the accounts they protect.
1. Re:That easy to detect... whew! by Culture20 · 2015-05-19 06:55 · Score: 1
  
  Yeah, I only have to connect to all of our machines with an admin account with psexec and run a c:\program files (x85)\PuTTY\pscp.exe -V with my admin account. Then I'll know if it's malware that I shouldn't run with an admin account. Huzzah!
FOSS Licence by Damiano · 2015-05-19 05:20 · Score: 2

It is nice to know that the trojanized version retains the copyright notice and disclaimer of warranty as required by the PuTTY FOSS license. Good to see people properly using Open Source!
ZOC Terminal...any others? by bhlowe · 2015-05-19 05:27 · Score: 1

I use ZOC terminal. Its commercial and worth it to me. Anyone else have a favorite SSH client?
MobaXterm ftw by Anonymous Coward · 2015-05-19 06:30 · Score: 0

You guys are still using PuTTY? I switched to MobaXterm years ago.
Hash? by paulzeye · 2015-05-19 07:11 · Score: 1

Anyone have a hash for the bad file? I didn't see one in the article
404 by Anonymous Coward · 2015-05-19 12:40 · Score: 0

you forgot an 'l' (L) in the link.
Real link:http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
For fuck slashdot .. by Anonymous Coward · 2015-05-19 13:58 · Score: 0

For fuck slashdot, that you are now reduced to trolling Open Source on your own forum.