
Accessing secure web sites. How do I know Knoppix is secure?



eq2675
06-07-2005, 02:57 AM
So I've got the 3.9 distribution burned. I checked the MD5 and it's OK.

Since this OS is put together by volunteers, how do I know my username and passwords are secure? I mean, what's to say https: logins aren't sent to someone that hacked the distribution?

Are the MD5 codes available on www.knopper.net or do I have to rely on a mirror site?

Sorry to be so anal in my questions, but these are my financial accounts.

Thanks

UnderScore
06-07-2005, 03:54 AM
So I've got the 3.9 distribution burned. I checked the MD5 and it's OK.

Since this OS is put together by volunteers, how do I know my username and passwords are secure? I mean, what's to say https: logins aren't sent to someone that hacked the distribution?

Are the MD5 codes available on www.knopper.net or do I have to rely on a mirror site?

Sorry to be so anal in my questions, but these are my financial accounts.

Thanks

With the exploits & viruses running rampant on the Windows platform, it is good you are seeking confirmation that access to your accounts is secure. If you downloaded from a mirror & are worried about tampering, then you can use GPG to cryptographically confirm that the CD ISO is from Klaus Knopper http://debian.tu-bs.de/knoppix_cd/KNOPPIX_V3.9-2005-05-27-EN.iso.md5.asc. I did this for a version from last August but I have forgotten the steps. You will have to google for help on GPG.

You are correct in that Knoppix is a volunteer effort. What I like about it is as an open source project, Knoppix is developed & made in the open. Knoppix is based on Debian & uses practically all Debian created packages to make a working system. The Debian developers adhere to the Debian Social Contract http://www.debian.org/social_contract & this contract spells out how Debian is to behave. So you should have trust in their work as it is both created, tested & used in an open manner. If you so desire, you can get the source code for all the packages & then inspect the code yourself (or hire someone who understands code) to see if anything nefarious has been inserted into it. Something that all folks should note is that with closed source or proprietary software not done in an open manner, we have no guarantee that something malicious isn't happening in the background. Unlike scientific journals that use the scientific method (arguably the foundation of medicine & technology), proprietary software is behind closed doors & under lock & key and is not up for peer review. Thus if we trust closed source, then what is the basis of trust?

In the past I have cryptographically confirmed the ISO. I trust the Debian & Knoppix developers because of their past history of solid releases. If I felt something was capturing my passwords or stealing my account info, I could easily use another Linux box (or even a windows box) to eavesdrop on the network so that I could confirm my hypothesis.
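The two checks discussed in this thread, comparing the ISO against the published MD5 and confirming the GPG signature on the .md5.asc file, as an added shell example that is not from the thread or from the Knoppix project. It assumes md5sum (or openssl) and gpg are installed, that Klaus Knopper's signing key has already been imported into the local keyring, and that the fingerprint passed in is the one published by the author (the placeholder FINGERPRINT_FROM_AUTHOR below stands for it). It also assumes the .md5.asc file is a clearsigned copy of the md5sum line, so the hash can be read from the signed file itself rather than from a separate, unsigned .md5 on the mirror.

```shell
#!/bin/sh
# Added example (not from the thread or the Knoppix project): verify a downloaded
# Knoppix ISO against the signed checksum file. Assumes md5sum (or openssl) and
# gpg are installed and that the author's signing key is already in the keyring.

# Print the lowercase MD5 hex digest of a file.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        digest=$(md5sum "$1" | awk '{print $1}')
    else
        digest=$(openssl dgst -md5 "$1" | awk '{print $NF}')
    fi
    printf '%s\n' "$digest" | tr '[:upper:]' '[:lower:]'
}

# Pull the published digest out of either a plain .md5 file ("<hash>  <file>") or
# a clearsigned .md5.asc, where (assumed layout) the same line sits between the
# "BEGIN PGP SIGNED MESSAGE" header and the signature block.
expected_md5() {
    grep -Eo '^[0-9a-fA-F]{32}' "$1" 2>/dev/null | head -n 1 | tr '[:upper:]' '[:lower:]'
}

# verify_md5 ISO MD5FILE: returns 0 when the digests match, 1 otherwise.
# On its own this only proves the download is intact: whoever can swap the ISO on
# a mirror can swap the .md5 beside it, so the signature check is what ties the
# hash to the author.
verify_md5() {
    expected=$(expected_md5 "$2")
    [ -n "$expected" ] || return 1
    [ "$(md5_of "$1")" = "$expected" ]
}

# verify_signature MD5ASC FINGERPRINT: returns 0 only when gpg reports a valid
# signature made by the key with exactly that fingerprint. A bare "gpg --verify"
# succeeding just means some key in your keyring signed it; pinning the
# fingerprint the author publishes is what makes the check meaningful.
verify_signature() {
    fpr=$(printf '%s' "$2" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
    status=$(gpg --status-fd 1 --verify "$1" 2>/dev/null) || return 1
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG $fpr "
}

# verify_iso ISO MD5ASC FINGERPRINT: signature first, then the digest read from
# the signed file, so an unsigned hash never gets compared.
verify_iso() {
    verify_signature "$2" "$3" || { echo "signature check failed for $2" >&2; return 1; }
    verify_md5 "$1" "$2" || { echo "MD5 mismatch for $1" >&2; return 1; }
    echo "OK: $1 matches the signed checksum"
}

# Usage (FINGERPRINT_FROM_AUTHOR is a placeholder for the published fingerprint):
#   sh verify_iso.sh KNOPPIX_V3.9-2005-05-27-EN.iso KNOPPIX_V3.9-2005-05-27-EN.iso.md5.asc FINGERPRINT_FROM_AUTHOR
if [ "$#" -eq 3 ]; then
    verify_iso "$1" "$2" "$3"
fi
```

Run the signature step before trusting the hash: the .md5.asc from the mirror is only useful because the signature binds it to a key you have independently matched to the author; the .md5 file alone is no stronger than the mirror it came from.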