Indeed. Instead of `cat`, OP could've used `sha256sum` on the config.php to prove the authenticity of your report without exposing the site to even more attacks.
But that wasn't the point, the point was to expose the level of stupidity at play here.
I strongly believe the users deserve to know just how incompetent these guys are, because next time it won't be some idiot swapping the iso links. It'll be someone slightly more competent that pushes a backdoored commit or gets into the apt repos, and then _every_ _single_ user will be affected...
Also, at the time of the posting the site was down. And it remains so.
