Re: Iso image integrity verification

2013-09-13 Thread Paul Irofti
 Physical email is as susceptible to MITM attacks as network connections. I
 know a story of laptops entering the mail system and car springs coming
 out the other end in the same box. :-)

Yes, the MITM was DPD. Great currier. I recommend it to everyone. NOT!



Re: Iso image integrity verification

2013-09-13 Thread Paul Irofti
 Yes, the MITM was DPD. Great currier. I recommend it to everyone. NOT!
   ^courier



Re: Iso image integrity verification

2013-09-13 Thread Peter N. M. Hansteen
On Fri, Sep 13, 2013 at 10:32:43AM +0300, Paul Irofti wrote:
  Yes, the MITM was DPD. Great currier. I recommend it to everyone. NOT!
^courier

the two aren't necessarily mutually exclusive ;)

- P 

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: Iso image integrity verification

2013-09-13 Thread Valentin Zagura
Security itself is not the primary issue here. The issue is to easily prove
to an assessor without reasonable doubt that you are running the right thing.
They will not worry about governments trying to break in with MITM signed
ssl or about armies breaking in with the tanks. But they would worry about
me not building the image the right way, someone tampering with the image
or leaving the door unlocked at the server room.
Also, they require people to take responsibility for the thing they do (in
this case, CD images).


On Fri, Sep 13, 2013 at 1:56 AM, Kenneth R Westerback 
kwesterb...@rogers.com wrote:

 On Thu, Sep 12, 2013 at 07:52:22PM +0300, Valentin Zagura wrote:
   There is no entity
   that owns or can be held responsible for the code, or is capable
   of providing a solid evidentiary path from commit to your hands.
 
  I thought if we buy the CDs we WILL get a solid evidentiary path from
  commit to our hands.
 
  So this isn't the case?

 Physical email is as susceptible to MITM attacks as network connections. I
 know a story of laptops entering the mail system and car springs coming
 out the other end in the same box. :-)

 CDs will give you the best evidentiary path available. Compiling everything
 yourself with a compiler and hardware you built from piles of dirt in a
 clean room would be better. And then you still have to worry about nano
 technology being slipped into the dirt.

  Ken

 
 
 
 
  On Wed, Sep 11, 2013 at 1:58 PM, Peter N. M. Hansteen pe...@bsdly.net
 wrote:
 
   On Wed, Sep 11, 2013 at 01:49:14PM +0300, Valentin Zagura wrote:
  
We are going to use an OpenBSD system in a PCI-DSS compliant
 environment.
Is there any way we can prove to our PCI-DSS assessor that the
 OpenBSD
image we use for our installation can be checked so that it is the
   correct
one (is not modified in a malicious way by a third party) ?
  
   Probably not what you want to hear, but starting with
   http://www.openbsd.org/orders.html
   is usually an excellent idea in this context. Verifiably delivered
 from a
   trusted source.
  
A https link to some kind of ISO checksum or something similar (but
 using
strong cryptography) I think would do it, but I could not find any
   (except
a line in the FAQ stating "If the men in black suits are out to get you,
they're going to get you." which is not the case :) )
  
   It's possible some of the more prominent entries on
   http://www.openbsd.org/support.html
   could be persuaded to provide something like that (M:Tier comes to
 mind,
   but why are
   they not on that page?) in exchange for a reasonable fee.
  
   But again, for -RELEASE, the CD sets are a good starting point.
  
   - Peter
  
   --
   Peter N. M. Hansteen, member of the first RFC 1149 implementation team
   http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
   Remember to set the evil bit on all malicious network traffic
   delilah spamd[29949]: 85.152.224.147: disconnected after 42673
 seconds.
  



Re: Iso image integrity verification

2013-09-13 Thread Henning Brauer
* Valentin Zagura put...@gmail.com [2013-09-13 10:15]:
 Security itself is not the primary issue here. The issue is to easily prove
 to an assessor without reasonable doubt that you are running the right thing.
 They will not worry about governments trying to break in with MITM signed
 ssl or about armies breaking in with the tanks. But they would worry about
 me not building the image the right way, someone tampering with the image
 or leaving the door unlocked at the server room.
 Also, they require people to take responsibility for the thing they do (in
 this case, CD images).

buy the CD set. it's more than good enough for the PCI DSS theatre
(been there). 

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/



Re: Iso image integrity verification

2013-09-13 Thread Brandon Mercer
We've all expressed reasonable doubt. In the US you can be assured
that the USPS will open, scan, read, and deliver your mail. So it's
reasonable to believe that they may also tamper with your OpenBSD
CDs. Just buy the disks, let this thread die along with the stupidity
of PCI-DSS (which I've danced the dance with for a great long while).

On Fri, Sep 13, 2013 at 9:20 AM, Kenneth R Westerback
kwesterb...@rogers.com wrote:
 On Fri, Sep 13, 2013 at 11:13:36AM +0300, Valentin Zagura wrote:
 Security itself is not the primary issue here. The issue is to easily prove
 to an assessor without reasonable doubt that you are running the right thing.
 They will not worry about governments trying to break in with MITM signed
 ssl or about armies breaking in with the tanks. But they would worry about
 me not building the image the right way, someone tampering with the image
 or leaving the door unlocked at the server room.
 Also, they require people to take responsibility for the thing they do (in
 this case, CD images).

 "easily prove" and "without reasonable doubt" clash. To say the least.

 The entire thread has shown that all proposed courses of action,
 most of which are easy to use rather than easy to implement,
 do not remove any more reasonable doubt than the current arrangements.
 Unless one is a professor of metaphysico-theologo-cosmonigology
 like Dr. Pangloss. Which, I concede, many a security assessor may
 be.

 At least as far as reasonable doubt is understood by the OpenBSD
 community. And what other understanding can we apply?

  Ken




Re: Iso image integrity verification

2013-09-13 Thread max stalnaker
People,

Let me mention my sadness at trying to research this.

1.  The PCI-DSS v 2.0 PDF is behind a click through that purports to create
a binding legal contract.  So the boilerplate looked okay but there was a
warning about the document mayhaps being a controlled munition. I was
irritated and just gave up.

2.  It appears that v 3.0 makes Valentin responsible for Theo.

3. I wonder about what chain of custody means internationally.

Anyway I decided the real answer involves consultants.

As a political and educational option this is a however a good opportunity
to speak to a changing spirit of the time. That would be to buck the
current rules and make OBSD plus packages trivial to remotely install on a
win xp machine.

I think this would be a good opportunity for some of your consultants to do
a coordinated construction of site specific sets of packages and then
provide newbie support.

Blessings,

Max
On Sep 12, 2013 3:59 PM, Daniel Bolgheroni dan...@bolgh.eng.br wrote:

 On Thu, Sep 12, 2013 at 07:52:22PM +0300, Valentin Zagura wrote:
 
  I thought if we buy the CDs we WILL get a solid evidentuary path from
  commit to our hands.
 
  So this isn't the case?

 You'll be safe enough.




Re: Iso image integrity verification

2013-09-13 Thread Ted Unangst
I think you're in trouble. Some of the software on the openbsd CDs was written
by me, and I never made any promises it's safe to use on an important
server. Not that you should trust me even if I did make such a promise.

It's software you're getting from the Internet. Made by people from the
Internet.


On Fri, Sep 13, 2013 at 11:13, Valentin Zagura wrote:
 Security itself is not the primary issue here. The issue is to easily prove
 to an assessor without reasonable doubt that you are running the right thing.
 They will not worry about governments trying to break in with MITM signed
 ssl or about armies breaking in with the tanks. But they would worry about
 me not building the image the right way, someone tampering with the image
 or leaving the door unlocked at the server room.
 Also, they require people to take responsibility for the thing they do (in
 this case, CD images).
 
 
 On Fri, Sep 13, 2013 at 1:56 AM, Kenneth R Westerback 
 kwesterb...@rogers.com wrote:
 
 On Thu, Sep 12, 2013 at 07:52:22PM +0300, Valentin Zagura wrote:
   There is no entity
   that owns or can be held responsible for the code, or is capable
   of providing a solid evidentiary path from commit to your hands.
 
  I thought if we buy the CDs we WILL get a solid evidentiary path from
  commit to our hands.
 
  So this isn't the case?

 Physical email is as susceptible to MITM attacks as network connections. I
 know a story of laptops entering the mail system and car springs coming
 out the other end in the same box. :-)

 CDs will give you the best evidentiary path available. Compiling everything
 yourself with a compiler and hardware you built from piles of dirt in a
 clean room would be better. And then you still have to worry about nano
 technology being slipped into the dirt.

  Ken

 
 
 
 
  On Wed, Sep 11, 2013 at 1:58 PM, Peter N. M. Hansteen pe...@bsdly.net
 wrote:
 
   On Wed, Sep 11, 2013 at 01:49:14PM +0300, Valentin Zagura wrote:
  
We are going to use an OpenBSD system in a PCI-DSS compliant
 environment.
Is there any way we can prove to our PCI-DSS assessor that the
 OpenBSD
image we use for our installation can be checked so that it is the
   correct
one (is not modified in a malicious way by a third party) ?
  
   Probably not what you want to hear, but starting with
   http://www.openbsd.org/orders.html
   is usually an excellent idea in this context. Verifiably delivered
 from a
   trusted source.
  
A https link to some kind of ISO checksum or something similar (but
 using
strong cryptography) I think would do it, but I could not find any
   (except
a line in the FAQ stating "If the men in black suits are out to get you,
they're going to get you." which is not the case :) )
  
   It's possible some of the more prominent entries on
   http://www.openbsd.org/support.html
   could be persuaded to provide something like that (M:Tier comes to
 mind,
   but why are
   they not on that page?) in exchange for a reasonable fee.
  
   But again, for -RELEASE, the CD sets are a good starting point.
  
   - Peter
  
   --
   Peter N. M. Hansteen, member of the first RFC 1149 implementation team
   http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
   Remember to set the evil bit on all malicious network traffic
   delilah spamd[29949]: 85.152.224.147: disconnected after 42673
 seconds.
  




Re: Iso image integrity verification

2013-09-13 Thread Justin Fletcher
Commercial software is the same.  They make it clear that no promises are
made that the software is fit for any particular purpose in the EULA.  My
assumption is making such a promise would hold them accountable when it
failed, and I doubt any company would find it profitable to invest in
enough QA to make that statement.  Especially when the closest alternative
is for customers to pay for a support contract.

Coming from a company that does lots of global credit card transactions
(but no OBSD there...yet. :-) ), I have never heard of this "validation of
install media without reasonable doubt" requirement.  I've never bothered
to read all of the DSS docs, but have skimmed through them.  Perhaps it
exists in such strict form and I am insulated from others in the company
performing these tasks, but I get the impression that either this guy is
being given an especially hard time or has not realized that install media
that is downloaded, or physical media purchased, directly from the vendor is
probably good enough to meet the requirement.  Install media downloaded
from bittorrent or purchased on a street corner is what might raise some
red flags...

Valentin,
If you're actually having to account for MITM, postal, etc. attacks on
install media then the company has larger issues to which undeniably-secure
install media will provide no additional protection.  Stating that you get
the install media directly from the vendor should be good enough.


On Fri, Sep 13, 2013 at 9:09 PM, Ted Unangst t...@tedunangst.com wrote:

 I think you're in trouble. Some of the software on the openbsd CDs was
 written by me,
 and I never made any promises it's safe to use on an important
 server. Not that you should trust me even if I did make such a promise.

 It's software you're getting from the Internet. Made by people from the
 Internet.


 On Fri, Sep 13, 2013 at 11:13, Valentin Zagura wrote:
  Security itself is not the primary issue here. The issue is to easily
 prove to
  an assessor without reasonable doubt that you are running the right
 thing.
  They will not worry about governments trying to break in with MITM signed
  ssl or about armies breaking in with the tanks. But they would worry
 about
  me not building the image the right way, someone tampering with the image
  or leaving the door unlocked at the server room.
  Also, they require people to take responsibility for the thing they do
 (in
  this case, CD images).
 
 
  On Fri, Sep 13, 2013 at 1:56 AM, Kenneth R Westerback 
  kwesterb...@rogers.com wrote:
 
  On Thu, Sep 12, 2013 at 07:52:22PM +0300, Valentin Zagura wrote:
There is no entity
that owns or can be held responsible for the code, or is capable
 of providing a solid evidentiary path from commit to your hands.
  
   I thought if we buy the CDs we WILL get a solid evidentiary path from
   commit to our hands.
  
   So this isn't the case?
 
  Physical email is as susceptible to MITM attacks as network
 connections. I
  know a story of laptops entering the mail system and car springs coming
  out the other end in the same box. :-)
 
  CDs will give you the best evidentiary path available. Compiling
 everything
  yourself with a compiler and hardware you built from piles of dirt in a
  clean room would be better. And then you still have to worry about nano
  technology being slipped into the dirt.
 
   Ken
 
  
  
  
  
   On Wed, Sep 11, 2013 at 1:58 PM, Peter N. M. Hansteen 
 pe...@bsdly.net
  wrote:
  
On Wed, Sep 11, 2013 at 01:49:14PM +0300, Valentin Zagura wrote:
   
 We are going to use an OpenBSD system in a PCI-DSS compliant
  environment.
 Is there any way we can prove to our PCI-DSS assessor that the
  OpenBSD
 image we use for our installation can be checked so that it is the
correct
 one (is not modified in a malicious way by a third party) ?
   
Probably not what you want to hear, but starting with
http://www.openbsd.org/orders.html
is usually an excellent idea in this context. Verifiably delivered
  from a
trusted source.
   
 A https link to some kind of ISO checksum or something similar
 (but
  using
 strong cryptography) I think would do it, but I could not find any
(except
 a line in the FAQ stating "If the men in black suits are out to get you,
 they're going to get you." which is not the case :) )
   
It's possible some of the more prominent entries on
http://www.openbsd.org/support.html
could be persuaded to provide something like that (M:Tier comes to
  mind,
but why are
they not on that page?) in exchange for a reasonable fee.
   
But again, for -RELEASE, the CD sets are a good starting point.
   
- Peter
   
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation
 team
http://bsdly.blogspot.com/ http://www.bsdly.net/
 http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673
 

Re: Iso image integrity verification

2013-09-12 Thread InterNetX - Robert Garrett
The real problem here is that in order to be added to certain lists of 
trusted PKI providers, you must be audited by security assessors; one of 
the things they look for is proof that the software you're using isn't 
tampered with.


It appears the OP is trying to solve that issue. EVEN using the CD is 
not enough to convince some of these people that the software is genuine 
and untampered with.


PGP-signed sha256 keys in a publicly accessible place should do it.

Though it would seem to me, that if the sha signature is the same on
all the mirrors through OpenBSD's distribution channels that would be
verification enough. As then you would have to break into a lot of
systems run by very pedantic system admins in order to change it on all 
of them.


But let me repeat it isn't the OP's idea of security that is important, 
it's the idea of the people they are paying a lot of money to, and the 
rules implemented by such companies as Microsoft that are important here.


RG

On 09/11/2013 10:10 PM, Valentin Zagura wrote:

I was saying that other projects do it in a way they feel comfortable with
and maybe you will find a way to do it that you are comfortable with.
Using https was one simple idea. I understand that you don't think that
this adds any value but maybe there are other ways like signing with PGP,
maybe using SSH somehow or having Theo de Raadt saying the SHA checksums on
a video on youtube at each release :) or some other simple and effective
way that you are comfortable with.
I just wanted to point out that one can not easily show his security
assessor that he has the right images using some industry standard ways,
or someone living in a country that has an oppressive government and would
download the image through tor could have some problems if the exit node is
malicious.
If you feel that any kind of verification is futile, it's ok, that would
not stop us from buying the CDs.


On Wed, Sep 11, 2013 at 10:32 PM, Kenneth R Westerback 
kwesterb...@rogers.com wrote:


On Wed, Sep 11, 2013 at 08:53:50PM +0300, Valentin Zagura wrote:

I don't think I'm more paranoid than the average considering that Debian
has a way to do this (http://www.debian.org/CD/verify), Fedora has a way to
do this (https://fedoraproject.org/verify), even FreeBSD has a way to do
this ( https://www.freebsd.org/releases/9.1R/announce.html).


So you're saying that less paranoid projects are doing it, so why doesn't
OpenBSD join the crowd and provide some fuzzy feel good but pointless
security theatre? :-)



The thought of being more paranoid than an OpenBSD guy is not very
comfortable :)


Don't worry. You're apparently not paranoid enough yet. The true practical
paranoid does not waste time on such mummery.

 Ken




On Wed, Sep 11, 2013 at 8:13 PM, Daniel Bolgheroni dan...@bolgh.eng.br
wrote:


On Wed, Sep 11, 2013 at 03:17:20PM +0300, Valentin Zagura wrote:

Yes, we know, but that file can also be easily compromised if it's not
available for download with a secure protocol (HTTPS)


If you're paranoid, build your own hardware from the ground up,
including designing your own CPU and complementary circuits, download
all the sources, audit them all, compile and then run.

You can't be fooled by wrong measurements of security.









Re: Iso image integrity verification

2013-09-12 Thread Kenneth R Westerback
On Thu, Sep 12, 2013 at 10:49:30AM +0200, InterNetX - Robert Garrett wrote:
 The real problem here is that in order to be added to certain lists
 of trusted PKI providers, you must be audited by security assessors;
 one of the things they look for is proof that the software you're
 using isn't tampered with.
 
 It appears the OP is trying to solve that issue. EVEN using the CD
 is not enough to convince some of these people that the software is
 genuine and untampered with.
 
 PGP-signed sha256 keys in a publicly accessible place should do it.
 
 Though it would seem to me, that if the sha signature is the same on
 all the mirrors through OpenBSD's distribution channels that would be
 verification enough. As then you would have to break into a lot of
 systems run by very pedantic system admins in order to change it on
 all of them.
 
 But let me repeat it isn't the OP's idea of security that is
 important, it's the idea of the people they are paying a lot of money
 to, and the rules implemented by such companies as Microsoft that
 are important here.

And the ideas of the people they are paying a lot of money to are one or
more of

a) wrong.
b) arbitrary.
c) unknown.

As you say --- "... should do it." And how will we know it does
it?  Who will the security assessors accept as valid guarantors?
Theo? Bob? Austin? The Foundation? Resellers? Anybody running a
mirror? Some threshold number of developers? There is no entity
that owns or can be held responsible for the code, or is capable
of providing a solid evidentiary path from commit to your hands.

And the OpenBSD community is not some collective Zelig.

 Ken

 
 RG
 
 On 09/11/2013 10:10 PM, Valentin Zagura wrote:
 I was saying that other projects do it in a way they feel comfortable with
 and maybe you will find a way to do it that you are comfortable with.
 Using https was one simple idea. I understand that you don't think that
 this adds any value but maybe there are other ways like signing with PGP,
 maybe using SSH somehow or having Theo de Raadt saying the SHA checksums on
 a video on youtube at each release :) or some other simple and effective
 way that you are comfortable with.
 I just wanted to point out that one can not easily show his security
 assessor that he has the right images using some industry standard ways,
 or someone living in a country that has an oppressive government and would
 download the image through tor could have some problems if the exit node is
 malicious.
 If you feel that any kind of verification is futile, it's ok, that would
 not stop us from buying the CDs.
 
 
 On Wed, Sep 11, 2013 at 10:32 PM, Kenneth R Westerback 
 kwesterb...@rogers.com wrote:
 
 On Wed, Sep 11, 2013 at 08:53:50PM +0300, Valentin Zagura wrote:
 I don't think I'm more paranoid than the average considering that Debian
 has a way to do this (http://www.debian.org/CD/verify), Fedora has a
 way to
 do this (https://fedoraproject.org/verify), even FreeBSD has a way to do
 this ( https://www.freebsd.org/releases/9.1R/announce.html).
 
 So you're saying that less paranoid projects are doing it, so why doesn't
 OpenBSD join the crowd and provide some fuzzy feel good but pointless
 security theatre? :-)
 
 
 The thought of being more paranoid than an OpenBSD guy is not very
 comfortable :)
 
 Don't worry. You're apparently not paranoid enough yet. The true practical
 paranoid does not waste time on such mummery.
 
  Ken
 
 
 
 On Wed, Sep 11, 2013 at 8:13 PM, Daniel Bolgheroni dan...@bolgh.eng.br
 wrote:
 
 On Wed, Sep 11, 2013 at 03:17:20PM +0300, Valentin Zagura wrote:
 Yes, we know, but that file can also be easily compromised if it's
 not
 available for download with a secure protocol (HTTPS)
 
 If you're paranoid, build your own hardware from the ground up,
 including designing your own CPU and complementary circuits, download
 all the sources, audit them all, compile and then run.
 
 You can't be fooled by wrong measurements of security.
 
 
 
 
 



Re: Iso image integrity verification

2013-09-12 Thread Otto Moerbeek
On Thu, Sep 12, 2013 at 09:22:51AM -0400, Kenneth R Westerback wrote:

 On Thu, Sep 12, 2013 at 10:49:30AM +0200, InterNetX - Robert Garrett wrote:
  The real problem here is that in order to be added to certain lists
  of trusted PKI providers, you must be audited by security assessors;
  one of the things they look for is proof that the software you're
  using isn't tampered with.
  
  It appears the OP is trying to solve that issue. EVEN using the CD
  is not enough to convince some of these people that the software is
  genuine and untampered with.
  
  PGP-signed sha256 keys in a publicly accessible place should do it.
  
  Though it would seem to me, that if the sha signature is the same on
  all the mirrors through OpenBSD's distribution channels that would be
  verification enough. As then you would have to break into a lot of
  systems run by very pedantic system admins in order to change it on
  all of them.
  
  But let me repeat it isn't the OP's idea of security that is
  important, it's the idea of the people they are paying a lot of money
  to, and the rules implemented by such companies as Microsoft that
  are important here.
 
 And the ideas of the people they are paying a lot of money to are one or
 more of
 
 a) wrong.
 b) arbitrary.
 c) unknown.
 
 As you say --- "... should do it." And how will we know it does
 it?  Who will the security assessors accept as valid guarantors?
 Theo? Bob? Austin? The Foundation? Resellers? Anybody running a
 mirror? Some threshold number of developers? There is no entity
 that owns or can be held responsible for the code, or is capable
 of providing a solid evidentiary path from commit to your hands.
 
 And the OpenBSD community is not some collective Zelig.


Let me post a link to a post by myself from 2007 referring a post by
myself from 2002.

http://www.mail-archive.com/misc@openbsd.org/msg52819.html

These posts already mention the issues Ken is referring to.

-Otto




Re: Iso image integrity verification

2013-09-12 Thread Kenneth R Westerback
On Thu, Sep 12, 2013 at 07:52:22PM +0300, Valentin Zagura wrote:
  There is no entity
  that owns or can be held responsible for the code, or is capable
  of providing a solid evidentiary path from commit to your hands.
 
 I thought if we buy the CDs we WILL get a solid evidentiary path from
 commit to our hands.
 
 So this isn't the case?

Physical email is as susceptible to MITM attacks as network connections. I
know a story of laptops entering the mail system and car springs coming
out the other end in the same box. :-)

CDs will give you the best evidentiary path available. Compiling everything
yourself with a compiler and hardware you built from piles of dirt in a
clean room would be better. And then you still have to worry about nano
technology being slipped into the dirt.

 Ken

 
 
 
 
 On Wed, Sep 11, 2013 at 1:58 PM, Peter N. M. Hansteen pe...@bsdly.netwrote:
 
  On Wed, Sep 11, 2013 at 01:49:14PM +0300, Valentin Zagura wrote:
 
   We are going to use an OpenBSD system in a PCI-DSS compliant environment.
   Is there any way we can prove to our PCI-DSS assessor that the OpenBSD
   image we use for our installation can be checked so that it is the
  correct
   one (is not modified in a malicious way by a third party) ?
 
  Probably not what you want to hear, but starting with
  http://www.openbsd.org/orders.html
  is usually an excellent idea in this context. Verifiably delivered from a
  trusted source.
 
   A https link to some kind of ISO checksum or something similar (but using
   strong cryptography) I think would do it, but I could not find any
  (except
   a line in the FAQ stating "If the men in black suits are out to get you,
   they're going to get you." which is not the case :) )
 
  It's possible some of the more prominent entries on
  http://www.openbsd.org/support.html
  could be persuaded to provide something like that (M:Tier comes to mind,
  but why are
  they not on that page?) in exchange for a reasonable fee.
 
  But again, for -RELEASE, the CD sets are a good starting point.
 
  - Peter
 
  --
  Peter N. M. Hansteen, member of the first RFC 1149 implementation team
  http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
  Remember to set the evil bit on all malicious network traffic
  delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
 



Re: Iso image integrity verification

2013-09-12 Thread Daniel Bolgheroni
On Thu, Sep 12, 2013 at 07:52:22PM +0300, Valentin Zagura wrote:
 
 I thought if we buy the CDs we WILL get a solid evidentuary path from
 commit to our hands.
 
 So this isn't the case?

You'll be safe enough.



Re: Iso image integrity verification

2013-09-12 Thread sven falempin
Can the project wire an explosive booby trap inside the CD box to ensure
that any sneaky postman is blown away by the awesomeness of OpenBSD?
(for a decent supplementary fee of course)


On Thu, Sep 12, 2013 at 6:56 PM, Kenneth R Westerback 
kwesterb...@rogers.com wrote:

 On Thu, Sep 12, 2013 at 07:52:22PM +0300, Valentin Zagura wrote:
   There is no entity
   that owns or can be held responsible for the code, or is capable
   of providing a solid evidentiary path from commit to your hands.
 
  I thought if we buy the CDs we WILL get a solid evidentiary path from
  commit to our hands.
 
  So this isn't the case?

 Physical email is as susceptible to MITM attacks as network connections. I
 know a story of laptops entering the mail system and car springs coming
 out the other end in the same box. :-)

 CDs will give you the best evidentiary path available. Compiling everything
 yourself with a compiler and hardware you built from piles of dirt in a
 clean room would be better. And then you still have to worry about nano
 technology being slipped into the dirt.

  Ken

 
 
 
 
  On Wed, Sep 11, 2013 at 1:58 PM, Peter N. M. Hansteen pe...@bsdly.net
 wrote:
 
   On Wed, Sep 11, 2013 at 01:49:14PM +0300, Valentin Zagura wrote:
  
We are going to use an OpenBSD system in a PCI-DSS compliant
 environment.
Is there any way we can prove to our PCI-DSS assessor that the
 OpenBSD
image we use for our installation can be checked so that it is the
   correct
one (is not modified in a malicious way by a third party) ?
  
   Probably not what you want to hear, but starting with
   http://www.openbsd.org/orders.html
   is usually an excellent idea in this context. Verifiably delivered
 from a
   trusted source.
  
A https link to some kind of ISO checksum or something similar (but
 using
strong cryptography) I think would do it, but I could not find any
   (except
a line in the FAQ stating "If the men in black suits are out to get you,
they're going to get you." which is not the case :) )
  
   It's possible some of the more prominent entries on
   http://www.openbsd.org/support.html
   could be persuaded to provide something like that (M:Tier comes to
 mind,
   but why are
   they not on that page?) in exchange for a reasonable fee.
  
   But again, for -RELEASE, the CD sets are a good starting point.
  
   - Peter
  
   --
   Peter N. M. Hansteen, member of the first RFC 1149 implementation team
   http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
   Remember to set the evil bit on all malicious network traffic
   delilah spamd[29949]: 85.152.224.147: disconnected after 42673
 seconds.
  




-- 
-
() ascii ribbon campaign - against html e-mail
/\


Iso image integrity verification

2013-09-11 Thread Valentin Zagura
Hi,

We are going to use an OpenBSD system in a PCI-DSS compliant environment.
Is there any way we can prove to our PCI-DSS assessor that the OpenBSD
image we use for our installation can be checked so that it is the correct
one (is not modified in a malicious way by a third party) ?
A https link to some kind of ISO checksum or something similar (but using
strong cryptography) I think would do it, but I could not find any (except
a line in the FAQ stating "If the men in black suits are out to get you,
they're going to get you." which is not the case :) )

Thanks,
Valentin Zagura


Re: Iso image integrity verification

2013-09-11 Thread Stan Gammons
The sha256 file located in the directory with the installxx.iso image has the 
sha256 checksum for all of the files in that directory. 

On Sep 11, 2013, at 5:49 AM, Valentin Zagura put...@gmail.com wrote:

 Hi,
 
 We are going to use a OpenBSD system in a PCI-DSS compliant environment.
 Is there any way we can prove to our PCI-DSS assessor that the OpenBSD
 image we use for our installation can be checked so that it is the correct
 one (is not modified in a malicious way by a third party) ?
 A https link to some kind of ISO checksum or something similar (but using
 strong cryptography) I think would do it, but I could not find any (except
 a line in the FAQ stating If the men in black suits are out to get you,
 they're going to get you. which is not the case :) )
 
 Thanks,
 Valentin Zagura



Re: Iso image integrity verification

2013-09-11 Thread Valentin Zagura
Yes, we know, but that file can also be easily compromised if it's not
available for download with a secure protocol (HTTPS)

On Wed, Sep 11, 2013 at 1:59 PM, Stan Gammons s_gamm...@charter.net wrote:

 The sha256 file located in the directory with the installxx.iso image has
 the sha256 checksum for all of the files in that directory.

 On Sep 11, 2013, at 5:49 AM, Valentin Zagura put...@gmail.com wrote:

  Hi,
 
  We are going to use a OpenBSD system in a PCI-DSS compliant environment.
  Is there any way we can prove to our PCI-DSS assessor that the OpenBSD
  image we use for our installation can be checked so that it is the
 correct
  one (is not modified in a malicious way by a third party) ?
  A https link to some kind of ISO checksum or something similar (but using
  strong cryptography) I think would do it, but I could not find any
 (except
  a line in the FAQ stating If the men in black suits are out to get you,
  they're going to get you. which is not the case :) )
 
  Thanks,
  Valentin Zagura



Re: Iso image integrity verification

2013-09-11 Thread Otto Moerbeek
On Wed, Sep 11, 2013 at 03:17:20PM +0300, Valentin Zagura wrote:

 Yes, we know, but that file can also be easily compromised if it's not
 available for download with a secure protocol (HTTPS)

So get the CD. You'll support the project as well.

-Otto
 
 On Wed, Sep 11, 2013 at 1:59 PM, Stan Gammons s_gamm...@charter.net wrote:
 
  The sha256 file located in the directory with the installxx.iso image has
  the sha256 checksum for all of the files in that directory.
 
  On Sep 11, 2013, at 5:49 AM, Valentin Zagura put...@gmail.com wrote:
 
   Hi,
  
   We are going to use a OpenBSD system in a PCI-DSS compliant environment.
   Is there any way we can prove to our PCI-DSS assessor that the OpenBSD
   image we use for our installation can be checked so that it is the
  correct
   one (is not modified in a malicious way by a third party) ?
   A https link to some kind of ISO checksum or something similar (but using
   strong cryptography) I think would do it, but I could not find any
  (except
   a line in the FAQ stating If the men in black suits are out to get you,
   they're going to get you. which is not the case :) )
  
   Thanks,
   Valentin Zagura
 



Re: Iso image integrity verification

2013-09-11 Thread Beavis
+1 on this, to make sure that your OpenBSD Distribution is legit, get the
CD, support the project! what more could you ask for ;)


On Wed, Sep 11, 2013 at 4:58 AM, Peter N. M. Hansteen pe...@bsdly.net wrote:

 On Wed, Sep 11, 2013 at 01:49:14PM +0300, Valentin Zagura wrote:

  We are going to use a OpenBSD system in a PCI-DSS compliant environment.
  Is there any way we can prove to our PCI-DSS assessor that the OpenBSD
  image we use for our installation can be checked so that it is the
 correct
  one (is not modified in a malicious way by a third party) ?

 Probably not what you want to hear, but starting with
 http://www.openbsd.org/orders.html
 is usually an excellent idea in this context. Verifiably delivered from a
 trusted source.

  A https link to some kind of ISO checksum or something similar (but using
  strong cryptography) I think would do it, but I could not find any
 (except
  a line in the FAQ stating If the men in black suits are out to get you,
  they're going to get you. which is not the case :) )

 It's possible some of the more prominent entries on
 http://www.openbsd.org/support.html
 could be persuaded to provide something like that (M:Tier comes to mind,
 but why are
 they not on that page?) in exchange for a reasonable fee.

 But again, for -RELEASE, the CD sets are a good starting point.

 - Peter

 --
 Peter N. M. Hansteen, member of the first RFC 1149 implementation team
 http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
 Remember to set the evil bit on all malicious network traffic
 delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.




-- 
()  ascii ribbon campaign - against html e-mail
/\  www.asciiribbon.org   - against proprietary attachments

Disclaimer:
http://goldmark.org/jeff/stupid-disclaimers/


Re: Iso image integrity verification

2013-09-11 Thread sven falempin
I love the stickers to enclose the box when getting a CD release, probably
easy to forge but so cool :-)


On Wed, Sep 11, 2013 at 9:00 AM, Beavis pfu...@gmail.com wrote:

 +1 on this, to make sure that your OpenBSD Distribution is legit, get the
 CD, support the project! what more could you ask for ;)


 On Wed, Sep 11, 2013 at 4:58 AM, Peter N. M. Hansteen pe...@bsdly.net
 wrote:

  On Wed, Sep 11, 2013 at 01:49:14PM +0300, Valentin Zagura wrote:
 
   We are going to use a OpenBSD system in a PCI-DSS compliant
 environment.
   Is there any way we can prove to our PCI-DSS assessor that the OpenBSD
   image we use for our installation can be checked so that it is the
  correct
   one (is not modified in a malicious way by a third party) ?
 
  Probably not what you want to hear, but starting with
  http://www.openbsd.org/orders.html
  is usually an excellent idea in this context. Verifiably delivered from a
  trusted source.
 
   A https link to some kind of ISO checksum or something similar (but
 using
   strong cryptography) I think would do it, but I could not find any
  (except
   a line in the FAQ stating If the men in black suits are out to get
 you,
   they're going to get you. which is not the case :) )
 
  It's possible some of the more prominent entries on
  http://www.openbsd.org/support.html
  could be persuaded to provide something like that (M:Tier comes to mind,
  but why are
  they not on that page?) in exchange for a reasonable fee.
 
  But again, for -RELEASE, the CD sets are a good starting point.
 
  - Peter
 
  --
  Peter N. M. Hansteen, member of the first RFC 1149 implementation team
  http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
  Remember to set the evil bit on all malicious network traffic
  delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
 
 


 --
 ()  ascii ribbon campaign - against html e-mail
 /\  www.asciiribbon.org   - against proprietary attachments

 Disclaimer:
 http://goldmark.org/jeff/stupid-disclaimers/




-- 
-
() ascii ribbon campaign - against html e-mail
/\


Re: Iso image integrity verification

2013-09-11 Thread Valentin Zagura
Thanks for the suggestion, we will probably order the CD.

But on the other hand, I hope that you realize that people in some
countries (Iran, China, Egypt, Syria) would not have this possibility and
they could be more affected by a compromise than we would be (they might
probably pay with their lives) and I hope you guys are also thinking of
them.

Thanks,
Valentin Zagura


On Wed, Sep 11, 2013 at 1:58 PM, Peter N. M. Hansteen pe...@bsdly.net wrote:

 On Wed, Sep 11, 2013 at 01:49:14PM +0300, Valentin Zagura wrote:

  We are going to use a OpenBSD system in a PCI-DSS compliant environment.
  Is there any way we can prove to our PCI-DSS assessor that the OpenBSD
  image we use for our installation can be checked so that it is the
 correct
  one (is not modified in a malicious way by a third party) ?

 Probably not what you want to hear, but starting with
 http://www.openbsd.org/orders.html
 is usually an excellent idea in this context. Verifiably delivered from a
 trusted source.

  A https link to some kind of ISO checksum or something similar (but using
  strong cryptography) I think would do it, but I could not find any
 (except
  a line in the FAQ stating If the men in black suits are out to get you,
  they're going to get you. which is not the case :) )

 It's possible some of the more prominent entries on
 http://www.openbsd.org/support.html
 could be persuaded to provide something like that (M:Tier comes to mind,
 but why are
 they not on that page?) in exchange for a reasonable fee.

 But again, for -RELEASE, the CD sets are a good starting point.

 - Peter

 --
 Peter N. M. Hansteen, member of the first RFC 1149 implementation team
 http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
 Remember to set the evil bit on all malicious network traffic
 delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: Iso image integrity verification

2013-09-11 Thread Janne Johansson
So you publish something on a HTTPS page, which means that when the browser
says "green padlock", it only says: "this site was using a key signed by
someone who in turn was signed by someone out of a few hundred CAs in a
list which includes companies in scary countries"*. That will help a lot.


*) Please exchange the list of scary countries to whatever scares you in
your particular example. For Syria it could be the US, for US it could be
Syria. Or some other combination of opposition.



2013/9/11 Valentin Zagura put...@gmail.com

 Thanks for the suggestion, we will probably order the CD.

 But on the other hand, I hope that you realize that people in some
 countries (Iran, China, Egypt, Syria) would not have this possibility and
 they could be more affected by a compromise than we would be (they might
 probably pay with their lives) and I hope you guys are also thinking of
 them.

 Thanks,
 Valentin Zagura


 On Wed, Sep 11, 2013 at 1:58 PM, Peter N. M. Hansteen pe...@bsdly.net
 wrote:

  On Wed, Sep 11, 2013 at 01:49:14PM +0300, Valentin Zagura wrote:
 
   We are going to use a OpenBSD system in a PCI-DSS compliant
 environment.
   Is there any way we can prove to our PCI-DSS assessor that the OpenBSD
   image we use for our installation can be checked so that it is the
  correct
   one (is not modified in a malicious way by a third party) ?
 
  Probably not what you want to hear, but starting with
  http://www.openbsd.org/orders.html
  is usually an excellent idea in this context. Verifiably delivered from a
  trusted source.
 
   A https link to some kind of ISO checksum or something similar (but
 using
   strong cryptography) I think would do it, but I could not find any
  (except
   a line in the FAQ stating If the men in black suits are out to get
 you,
   they're going to get you. which is not the case :) )
 
  It's possible some of the more prominent entries on
  http://www.openbsd.org/support.html
  could be persuaded to provide something like that (M:Tier comes to mind,
  but why are
  they not on that page?) in exchange for a reasonable fee.
 
  But again, for -RELEASE, the CD sets are a good starting point.
 
  - Peter
 
  --
  Peter N. M. Hansteen, member of the first RFC 1149 implementation team
  http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
  Remember to set the evil bit on all malicious network traffic
  delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
 




-- 
May the most significant bit of your life be positive.


Re: Iso image integrity verification

2013-09-11 Thread InterNetX - Robert Garrett

also means somebody paid a lot of money for that green bar

On 09/11/2013 04:46 PM, Janne Johansson wrote:

So you publish something on a HTTPS page, which means that when the browser
says green padlock, it only says: this site was using a key signed by
someone who in turn was signed by someone out of a few hundred CAs in a
list which include companies in scary countries*. That will help a lot.


*) Please exchange the list of scary countries to whatever scares you in
your particular example. For Syria it could be the US, for US it could be
Syria. Or some other combination of opposition.



2013/9/11 Valentin Zagura put...@gmail.com


Thanks for the suggestion, we will probably order the CD.

But on the other hand, I hope that you realize that people in some
countries (Iran, China, Egypt, Syria) would not have this possibility and
they could be more affected by a compromise than we would be (they might
probably pay with their lives) and I hope you guys are also thinking of
them.

Thanks,
Valentin Zagura


On Wed, Sep 11, 2013 at 1:58 PM, Peter N. M. Hansteen pe...@bsdly.net

wrote:



On Wed, Sep 11, 2013 at 01:49:14PM +0300, Valentin Zagura wrote:


We are going to use a OpenBSD system in a PCI-DSS compliant

environment.

Is there any way we can prove to our PCI-DSS assessor that the OpenBSD
image we use for our installation can be checked so that it is the

correct

one (is not modified in a malicious way by a third party) ?


Probably not what you want to hear, but starting with
http://www.openbsd.org/orders.html
is usually an excellent idea in this context. Verifiably delivered from a
trusted source.


A https link to some kind of ISO checksum or something similar (but

using

strong cryptography) I think would do it, but I could not find any

(except

a line in the FAQ stating If the men in black suits are out to get

you,

they're going to get you. which is not the case :) )


It's possible some of the more prominent entries on
http://www.openbsd.org/support.html
could be persuaded to provide something like that (M:Tier comes to mind,
but why are
they not on that page?) in exchange for a reasonable fee.

But again, for -RELEASE, the CD sets are a good starting point.

- Peter

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

Mit freundlichen Grüßen

Robert Garrett
Senior System Engineer
Technical Projects & Solutions
--
InterNetX GmbH
Maximilianstr. 6
93047 Regensburg
Germany

Tel. +49 941 59559-480
Fax  +49 941 59559-245

www.internetx.com
www.facebook.com/InterNetX
www.twitter.com/InterNetX

Geschäftsführer/CEO: Thomas Mörz
Amtsgericht Regensburg, HRB 7142



Re: Iso image integrity verification

2013-09-11 Thread Valentin Zagura
That could also mean "This is THE openbsd.org site" if you're using EFF SSL
Observatory.


On Wed, Sep 11, 2013 at 5:46 PM, Janne Johansson icepic...@gmail.com wrote:

 So you publish something on a HTTPS page, which means that when the
 browser says green padlock, it only says: this site was using a key
 signed by someone who in turn was signed by someone out of a few hundred
 CAs in a list which include companies in scary countries*. That will help
 a lot.


 *) Please exchange the list of scary countries to whatever scares you in
 your particular example. For Syria it could be the US, for US it could be
 Syria. Or some other combination of opposition.



 2013/9/11 Valentin Zagura put...@gmail.com

 Thanks for the suggestion, we will probably order the CD.

 But on the other hand, I hope that you realize that people in some
 countries (Iran, China, Egypt, Syria) would not have this possibility and
 they could be more affected by a compromise than we would be (they might
 probably pay with their lives) and I hope you guys are also thinking of
 them.

 Thanks,
 Valentin Zagura


 On Wed, Sep 11, 2013 at 1:58 PM, Peter N. M. Hansteen pe...@bsdly.net
 wrote:

  On Wed, Sep 11, 2013 at 01:49:14PM +0300, Valentin Zagura wrote:
 
   We are going to use a OpenBSD system in a PCI-DSS compliant
 environment.
   Is there any way we can prove to our PCI-DSS assessor that the OpenBSD
   image we use for our installation can be checked so that it is the
  correct
   one (is not modified in a malicious way by a third party) ?
 
  Probably not what you want to hear, but starting with
  http://www.openbsd.org/orders.html
  is usually an excellent idea in this context. Verifiably delivered from
 a
  trusted source.
 
   A https link to some kind of ISO checksum or something similar (but
 using
   strong cryptography) I think would do it, but I could not find any
  (except
   a line in the FAQ stating If the men in black suits are out to get
 you,
   they're going to get you. which is not the case :) )
 
  It's possible some of the more prominent entries on
  http://www.openbsd.org/support.html
  could be persuaded to provide something like that (M:Tier comes to mind,
  but why are
  they not on that page?) in exchange for a reasonable fee.
 
  But again, for -RELEASE, the CD sets are a good starting point.
 
  - Peter
 
  --
  Peter N. M. Hansteen, member of the first RFC 1149 implementation team
  http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
  Remember to set the evil bit on all malicious network traffic
  delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
 




 --
 May the most significant bit of your life be positive.



Re: Iso image integrity verification

2013-09-11 Thread Marc Espie
On Wed, Sep 11, 2013 at 05:36:45PM +0300, Valentin Zagura wrote:
 Thanks for the suggestion, we will probably order the CD.
 
 But on the other hand, I hope that you realize that people in some
 countries (Iran, China, Egypt, Syria) would not have this possibility and
 they could be more affected by a compromise than we would be (they might
 probably pay with their lives) and I hope you guys are also thinking of
 them.
 
 Thanks,
 Valentin Zagura

Do your homework. There are specifically companies that deal with OpenBSD
in such countries, most specially the ones who can't deal with the US
because of embargoes...



Re: Iso image integrity verification

2013-09-11 Thread Janne Johansson
And from that we can deduce what?
$evil_country can't spend $10k to be able to intercept and silently MITM
all https?



2013/9/11 InterNetX - Robert Garrett robert.garr...@internetx.com

 also means somebody paid a lot of money for that green bar


 On 09/11/2013 04:46 PM, Janne Johansson wrote:

 So you publish something on a HTTPS page, which means that when the
 browser
 says green padlock, it only says: this site was using a key signed by
 someone who in turn was signed by someone out of a few hundred CAs in a
 list which include companies in scary countries*. That will help a lot.


 *) Please exchange the list of scary countries to whatever scares you in
 your particular example. For Syria it could be the US, for US it could be
 Syria. Or some other combination of opposition.



 2013/9/11 Valentin Zagura put...@gmail.com

  Thanks for the suggestion, we will probably order the CD.

 But on the other hand, I hope that you realize that people in some
 countries (Iran, China, Egypt, Syria) would not have this possibility and
 they could be more affected by a compromise than we would be (they might
 probably pay with their lives) and I hope you guys are also thinking of
 them.

 Thanks,
 Valentin Zagura


 On Wed, Sep 11, 2013 at 1:58 PM, Peter N. M. Hansteen pe...@bsdly.net

 wrote:


  On Wed, Sep 11, 2013 at 01:49:14PM +0300, Valentin Zagura wrote:

  We are going to use a OpenBSD system in a PCI-DSS compliant

 environment.

 Is there any way we can prove to our PCI-DSS assessor that the OpenBSD
 image we use for our installation can be checked so that it is the

 correct

 one (is not modified in a malicious way by a third party) ?


 Probably not what you want to hear, but starting with
 http://www.openbsd.org/orders.html
 is usually an excellent idea in this context. Verifiably delivered from
 a
 trusted source.

  A https link to some kind of ISO checksum or something similar (but

 using

 strong cryptography) I think would do it, but I could not find any

 (except

 a line in the FAQ stating If the men in black suits are out to get

 you,

 they're going to get you. which is not the case :) )


 It's possible some of the more prominent entries on
 http://www.openbsd.org/support.html
 could be persuaded to provide something like that (M:Tier comes to mind,
 but why are
 they not on that page?) in exchange for a reasonable fee.

 But again, for -RELEASE, the CD sets are a good starting point.

 - Peter

 --
 Peter N. M. Hansteen, member of the first RFC 1149 implementation team
 http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
 Remember to set the evil bit on all malicious network traffic
 delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.


 Mit freundlichen Grüßen

 Robert Garrett
 Senior System Engineer
 Technical Projects & Solutions
 --
 InterNetX GmbH
 Maximilianstr. 6
 93047 Regensburg
 Germany

 Tel. +49 941 59559-480
 Fax  +49 941 59559-245

 www.internetx.com
 www.facebook.com/InterNetX
 www.twitter.com/InterNetX

 Geschäftsführer/CEO: Thomas Mörz
 Amtsgericht Regensburg, HRB 7142




-- 
May the most significant bit of your life be positive.


Re: Iso image integrity verification

2013-09-11 Thread Stuart Henderson
On 2013/09/11 16:46, Janne Johansson wrote:
 So you publish something on a HTTPS page, which means that when the browser
 says green padlock, it only says: this site was using a key signed by
 someone who in turn was signed by someone out of a few hundred CAs in a
 list which include companies in scary countries*. That will help a lot.

Also it says nothing about the contents of the *files* on that site...



Re: Iso image integrity verification

2013-09-11 Thread System Administrator
I think you are missing two very important points that are addressed in 
the official documentation and have been pointed out to you by other 
respondents:

1. what you are asking for provides NO real added security, and perhaps 
just the opposite through FALSE SENSE of security, and

2. the fact that other projects choose to offer such ineffective 
solutions does not mean that it is the right thing to do -- and 
OpenBSD is notorious for doing The Right Thing(TM) however unpopular 
that may be.

P.S. (to regulars and moderators) Does this discussion really belong 
on tech or is this more in line with misc@ noise?


On 11 Sep 2013 at 20:53, Valentin Zagura wrote:

 I don't think I'm more paranoid than the average considering that Debian
 has a way to do this (http://www.debian.org/CD/verify), fedora has a way
 to do this (https://fedoraproject.org/verify), even Freebsd has a way to
 do this ( https://www.freebsd.org/releases/9.1R/announce.html).
 
 The thought of being more paranoid than an OpenBSD guy is not very
 comfortable :)
 
 
 On Wed, Sep 11, 2013 at 8:13 PM, Daniel Bolgheroni
 dan...@bolgh.eng.br wrote:
 
  On Wed, Sep 11, 2013 at 03:17:20PM +0300, Valentin Zagura wrote:
   Yes, we know, but that file can also be easily compromised if it's
   not available for download with a secure protocol (HTTPS)
 
  If you're paranoid, build your own hardware from the ground up,
  including designing your own CPU and complementary circuits, download
  all the sources, audit them all, compile and then run.
 
  You can't be fooled by wrong measurements of security.
 
 




Re: Iso image integrity verification

2013-09-11 Thread Valentin Zagura
I don't think I'm more paranoid than the average considering that Debian
has a way to do this (http://www.debian.org/CD/verify), fedora has a way to
do this (https://fedoraproject.org/verify), even Freebsd has a way to do
this ( https://www.freebsd.org/releases/9.1R/announce.html).

The thought of being more paranoid than an OpenBSD guy is not very
comfortable :)


On Wed, Sep 11, 2013 at 8:13 PM, Daniel Bolgheroni dan...@bolgh.eng.br wrote:

 On Wed, Sep 11, 2013 at 03:17:20PM +0300, Valentin Zagura wrote:
  Yes, we know, but that file can also be easily compromised if it's not
  available for download with a secure protocol (HTTPS)

 If you're paranoid, build your own hardware from the ground up,
 including designing your own CPU and complementary circuits, download
 all the sources, audit them all, compile and then run.

 You can't be fooled by wrong measurements of security.



Re: Iso image integrity verification

2013-09-11 Thread Brandon Mercer
There's literally the same thing on the mirror?
http://ftp.openbsd.org/pub/OpenBSD/snapshots/amd64/SHA256

On Wed, Sep 11, 2013 at 1:53 PM, Valentin Zagura put...@gmail.com wrote:
 I don't think I'm more paranoid than the average considering that Debian
 has a way to do this (http://www.debian.org/CD/verify), fedora has a way to
 do this (https://fedoraproject.org/verify), even Freebsd has a way to do
 this ( https://www.freebsd.org/releases/9.1R/announce.html).

 The thought of being more paranoid than an OpenBSD guy is not very
 comfortable :)


 On Wed, Sep 11, 2013 at 8:13 PM, Daniel Bolgheroni dan...@bolgh.eng.br wrote:

 On Wed, Sep 11, 2013 at 03:17:20PM +0300, Valentin Zagura wrote:
  Yes, we know, but that file can also be easily compromised if it's not
  available for download with a secure protocol (HTTPS)

 If you're paranoid, build your own hardware from the ground up,
 including designing your own CPU and complementary circuits, download
 all the sources, audit them all, compile and then run.

 You can't be fooled by wrong measurements of security.




Re: Iso image integrity verification

2013-09-11 Thread Brynet
On Wed, Sep 11, 2013 at 01:57:22PM -0400, Brandon Mercer wrote:
 There's literally the same thing on the mirror?
 http://ftp.openbsd.org/pub/OpenBSD/snapshots/amd64/SHA256

This discussion is probably more suited for misc@, but as Brandon wrote,
SHA256 checksums are on all the mirrors. If you don't trust your local
ftp.openbsdmirror.ccTLD, it might be worth fetching the sets and then
grabbing the SHA256 file directly from ftp.openbsd.org.

-Bryan.

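An added example, not code from this thread or from the OpenBSD project, illustrating the check Stan and Bryan describe above: a portable POSIX shell function that verifies a downloaded file against a SHA256 manifest in the format the mirrors use ("SHA256 (install54.iso) = <hex>"), followed by a constructed demonstration of the caveat Valentin raises. The file name install54.iso, the file contents and the manifest are constructed for the demo; the only environmental assumption is that sha256sum (GNU coreutils), sha256 (BSD) or shasum (Perl) is on PATH.

```sh
#!/bin/sh
# Added example, not OpenBSD project code. Verifies files against an
# OpenBSD-style SHA256 manifest and shows what such a check does and does
# not prove. Assumes one of sha256sum (GNU), sha256 (BSD) or shasum (Perl)
# is on PATH.

# Print the hex SHA-256 digest of a file, whichever userland we are on.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Look up a file's expected digest in a manifest whose lines look like
#   SHA256 (install54.iso) = 0123...cdef
# and compare it with the digest of the file on disk.
# Exit status: 0 match, 1 mismatch, 2 no entry for that file name.
verify_against_manifest() {
    manifest=$1
    file=$2
    name=$(basename "$file")
    # Fixed-string match on the exact "SHA256 (name) = " prefix; the hex
    # digest is the last field of the matching line.
    expected=$(grep -F "SHA256 ($name) = " "$manifest" | awk '{ print $NF }' || true)
    [ -n "$expected" ] || return 2
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ]
}

# Constructed demonstration: a stand-in "ISO" and a manifest built from it.
demo() {
    dir=$(mktemp -d)
    printf 'pretend this is install54.iso\n' > "$dir/install54.iso"
    printf 'SHA256 (install54.iso) = %s\n' "$(sha256_of "$dir/install54.iso")" > "$dir/SHA256"

    # 1. Genuine file, genuine manifest: passes.
    verify_against_manifest "$dir/SHA256" "$dir/install54.iso" \
        && echo "genuine image, original manifest: OK"

    # 2. File altered in transit, manifest fetched intact: mismatch is caught.
    printf 'one extra line\n' >> "$dir/install54.iso"
    verify_against_manifest "$dir/SHA256" "$dir/install54.iso" \
        || echo "altered image, original manifest: MISMATCH (detected)"

    # 3. Attacker controls the download path and rewrites SHA256 to match:
    #    the check passes. A digest is an integrity check, not proof of origin.
    printf 'SHA256 (install54.iso) = %s\n' "$(sha256_of "$dir/install54.iso")" > "$dir/SHA256"
    verify_against_manifest "$dir/SHA256" "$dir/install54.iso" \
        && echo "altered image, regenerated manifest: OK (undetected)"

    rm -rf "$dir"
}

demo
```

Against a real download the whole check is "verify_against_manifest SHA256 install54.iso" run in the directory holding both files. Case 3 is the point of the thread: the manifest catches corruption and a tampered file paired with an untampered manifest, and nothing else. Fetching SHA256 from a second host, as Bryan suggests, moves the trust to that second path; it helps only against an attacker who controls one path and not the other.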


Re: Iso image integrity verification

2013-09-11 Thread Daniel Bolgheroni
On Wed, Sep 11, 2013 at 03:17:20PM +0300, Valentin Zagura wrote:
 Yes, we know, but that file can also be easily compromised if it's not
 available for download with a secure protocol (HTTPS)

If you're paranoid, build your own hardware from the ground up,
including designing your own CPU and complementary circuits, download
all the sources, audit them all, compile and then run.

You can't be fooled by wrong measurements of security.



Re: Iso image integrity verification

2013-09-11 Thread sven falempin
maintaining a mirror and a cvs sync tree is quite good too.
Moreover you could have some https on your mirror


On Wed, Sep 11, 2013 at 1:53 PM, Valentin Zagura put...@gmail.com wrote:

 I don't think I'm more paranoid than the average considering that Debian
 has a way to do this (http://www.debian.org/CD/verify), fedora has a way
 to
 do this (https://fedoraproject.org/verify), even Freebsd has a way to do
 this ( https://www.freebsd.org/releases/9.1R/announce.html).

 The thought of being more paranoid than an OpenBSD guy is not very
 comfortable :)


 On Wed, Sep 11, 2013 at 8:13 PM, Daniel Bolgheroni dan...@bolgh.eng.br
 wrote:

  On Wed, Sep 11, 2013 at 03:17:20PM +0300, Valentin Zagura wrote:
   Yes, we know, but that file can also be easily compromised if it's not
   available for download with a secure protocol (HTTPS)
 
  If you're paranoid, build your own hardware from the ground up,
  including designing your own CPU and complementary circuits, download
  all the sources, audit them all, compile and then run.
 
  You can't be fooled by wrong measurements of security.
 




-- 
-
() ascii ribbon campaign - against html e-mail
/\


Re: Iso image integrity verification

2013-09-11 Thread Valentin Zagura
If I were a dissident in one of those countries, I would not trust a third
party with my life (but maybe I'm too paranoid).
AFAIK OpenBSD is Canada, not US, but again, I might be wrong.


Re: Iso image integrity verification

2013-09-11 Thread Kenneth R Westerback
On Wed, Sep 11, 2013 at 08:53:50PM +0300, Valentin Zagura wrote:
 I don't think I'm more paranoid than the average considering that Debian
 has a way to do this (http://www.debian.org/CD/verify), fedora has a way to
 do this (https://fedoraproject.org/verify), even Freebsd has a way to do
 this ( https://www.freebsd.org/releases/9.1R/announce.html).

So you're saying that less paranoid projects are doing it, so why doesn't
OpenBSD join the crowd and provide some fuzzy feel good but pointless
security theatre? :-)

 
 The thought of being more paranoid than an OpenBSD guy is not very
 comfortable :)

Don't worry. You're apparently not paranoid enough yet. The true practical
paranoid does not waste time on such mummery.

 Ken

 
 
 On Wed, Sep 11, 2013 at 8:13 PM, Daniel Bolgheroni dan...@bolgh.eng.br wrote:
 
  On Wed, Sep 11, 2013 at 03:17:20PM +0300, Valentin Zagura wrote:
   Yes, we know, but that file can also be easily compromised if it's not
   available for download with a secure protocol (HTTPS)
 
  If you're paranoid, build your own hardware from the ground up,
  including designing your own CPU and complementary circuits, download
  all the sources, audit them all, compile and then run.
 
  You can't be fooled by wrong measurements of security.
 



Re: Iso image integrity verification

2013-09-11 Thread John Long
On Wed, Sep 11, 2013 at 08:42:46PM +0300, Valentin Zagura wrote:
 The idea was to display a checksum of the files on such a https page.
 Like for example https://www.freebsd.org/releases/9.1R/announce.html at the
 bottom of the page.
 
 
 On Wed, Sep 11, 2013 at 7:18 PM, Stuart Henderson st...@openbsd.org wrote:
 
  On 2013/09/11 16:46, Janne Johansson wrote:
   So you publish something on a HTTPS page, which means that when the
  browser
   says green padlock, it only says: this site was using a key signed by
   someone who in turn was signed by someone out of a few hundred CAs in a
   list which include companies in scary countries*. That will help a
   lot.

Add to that that most of the top-level CAs are U.S. based and just as likely to
bend over as Surprizon, USFest, Microslop, etc. The certificates they
issue are probably not worth a damn, much less those issued by intermediate CAs.

 
  Also it says nothing about the contents of the *files* on that site...

You can PGP clearsign webpages. It's kind of cool but how many people are
actually going to verify them? Maybe if there was a Firefox plugin <grin>



Re: Iso image integrity verification

2013-09-11 Thread Valentin Zagura
I was saying that other projects do it in a way they feel comfortable with
and maybe you will find a way to do it that you are comfortable with.
Using https was one simple idea. I understand that you don't think that
this adds any value but maybe there are other ways like signing with PGP,
maybe using SSH somehow or having Theo de Raadt saying the SHA checksums on
a video on youtube at each release :) or some other simple and effective
way that you are comfortable with.
I just wanted to point out that one cannot easily show his security
assessor that he has the right images using some industry standard ways,
or someone living in a country that has an oppressive government and would
download the image through tor could have some problems if the exit node is
malicious.
If you feel that any kind of verification is futile, it's ok, that would
not stop us from buying the CDs.


On Wed, Sep 11, 2013 at 10:32 PM, Kenneth R Westerback 
kwesterb...@rogers.com wrote:

 On Wed, Sep 11, 2013 at 08:53:50PM +0300, Valentin Zagura wrote:
  I don't think I'm more paranoid than the average considering that Debian
  has a way to do this (http://www.debian.org/CD/verify), fedora has a
 way to
  do this (https://fedoraproject.org/verify), even Freebsd has a way to do
  this ( https://www.freebsd.org/releases/9.1R/announce.html).

 So you're saying that less paranoid projects are doing it, so why doesn't
 OpenBSD join the crowd and provide some fuzzy feel good but pointless
 security theatre? :-)

 
  The thought of being more paranoid than an OpenBSD guy is not very
  comfortable :)

 Don't worry. You're apparently not paranoid enough yet. The true practical
 paranoid does not waste time on such mummery.

  Ken

 
 
  On Wed, Sep 11, 2013 at 8:13 PM, Daniel Bolgheroni dan...@bolgh.eng.br
 wrote:
 
   On Wed, Sep 11, 2013 at 03:17:20PM +0300, Valentin Zagura wrote:
Yes, we know, but that file can also be easily compromised if it's
 not
available for download with a secure protocol (HTTPS)
  
   If you're paranoid, build your own hardware from the ground up,
   including designing your own CPU and complementary circuits, download
   all the sources, audit them all, compile and then run.
  
   You can't be fooled by wrong measurements of security.
  



Re: Iso image integrity verification

2013-09-11 Thread Ville Valkonen
On 11 September 2013 20:42, Valentin Zagura put...@gmail.com wrote:
 The idea was to display a checksum of the files on such a https page.
 Like for example https://www.freebsd.org/releases/9.1R/announce.html at the
 bottom of the page.

Not sure whether this is already proposed but here's my two cents: why
not check the SHA256 sums from the various mirrors and compare them?

--
Cheers,
Ville Valkonen



Re: Iso image integrity verification

2013-09-11 Thread Stuart Henderson
On 2013/09/12 00:55, Ville Valkonen wrote:
 Not sure whether this is already proposed but here's my two cents: why
 not to check SHA256 sums from the various mirrors and perform the
 comparison?
 
 --
 Cheers,
 Ville Valkonen
 

How does this help prove that the files haven't been tampered with?
If someone malicious is sitting close to you in your network path, they
can just as easily pretend to be all the mirrors as they can pretend
to be just one of them.
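A worked illustration of the two points above, added here and not part of the
thread or of any OpenBSD tooling: Ville's cross-mirror comparison on one side,
and Stuart's objection that an on-path attacker who can impersonate one mirror
can impersonate all of them on the other. The checksum lines use the
`SHA256 (file) = digest` form that sha256(1) prints; the mirror names and the
"install image" bytes are constructed stand-ins, not real releases or hosts.

```python
import hashlib
import hmac
import re
from typing import Dict, Optional

# Constructed stand-ins for a release image and a tampered copy (not real data).
ISO_NAME = "install.iso"
HONEST_ISO = b"constructed honest install image bytes\n" * 64
EVIL_ISO = b"constructed trojaned install image bytes\n" * 64

# Line format printed by sha256(1) on OpenBSD (BSD cksum style):
#   SHA256 (install.iso) = <64 lowercase hex digits>
SHA256_LINE = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<digest>[0-9a-f]{64})$")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_sha256_file(files: Dict[str, bytes]) -> str:
    """Render a SHA256 file the way a mirror would publish it."""
    return "".join(f"SHA256 ({name}) = {sha256_hex(data)}\n" for name, data in files.items())


def parse_sha256_file(text: str) -> Dict[str, str]:
    """Parse a SHA256 file into {filename: hex digest}; reject malformed lines."""
    digests: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SHA256_LINE.match(line)
        if m is None:
            raise ValueError(f"malformed checksum line: {line!r}")
        digests[m.group("name")] = m.group("digest")
    return digests


def mirror_consensus(mirror_sha256_files: Dict[str, str], name: str) -> Optional[str]:
    """Ville's idea: compare the digest for `name` across several mirrors.

    Returns the digest if every mirror agrees and None if any disagrees
    or lacks the file.
    """
    digests = {parse_sha256_file(text).get(name) for text in mirror_sha256_files.values()}
    if len(digests) != 1 or None in digests:
        return None
    return digests.pop()


def verify_image(iso: bytes, expected_hex: str) -> bool:
    """Compare the image's SHA256 with an expected digest (constant-time compare)."""
    return hmac.compare_digest(sha256_hex(iso), expected_hex)


def run_scenarios() -> Dict[str, bool]:
    mirrors = ["mirror-a.example", "mirror-b.example", "mirror-c.example"]  # hypothetical names
    honest_file = make_sha256_file({ISO_NAME: HONEST_ISO})
    honest_view = {m: honest_file for m in mirrors}
    results: Dict[str, bool] = {}

    # 1. Nobody interfering: the mirrors agree and the image matches.
    d = mirror_consensus(honest_view, ISO_NAME)
    results["honest_download_verifies"] = d is not None and verify_image(HONEST_ISO, d)

    # 2. One compromised mirror serving a trojaned image plus a matching SHA256
    #    file: the cross-mirror comparison does catch this, the others disagree.
    one_bad = dict(honest_view)
    one_bad[mirrors[1]] = make_sha256_file({ISO_NAME: EVIL_ISO})
    results["single_bad_mirror_detected"] = mirror_consensus(one_bad, ISO_NAME) is None

    # 3. Stuart's objection: an on-path attacker rewrites every mirror's reply,
    #    so all "mirrors" agree on the trojaned digest and the check passes.
    attacker_file = make_sha256_file({ISO_NAME: EVIL_ISO})
    attacker_view = {m: attacker_file for m in mirrors}
    d = mirror_consensus(attacker_view, ISO_NAME)
    results["on_path_attacker_defeats_cross_check"] = d is not None and verify_image(EVIL_ISO, d)

    # 4. A digest obtained out of band (read off a CD sleeve, or from a
    #    signature checked with a key fetched elsewhere) still catches it.
    trusted = sha256_hex(HONEST_ISO)
    results["out_of_band_digest_catches_it"] = not verify_image(EVIL_ISO, trusted)
    return results


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario}: {outcome}")
```

Scenario 2 is the only one where asking several mirrors buys anything: it
detects a single tampered mirror. Scenario 3 is the on-path case, where
the comparison passes against a trojaned image, and scenario 4 is what the
thread keeps coming back to: the digest has to arrive by a path the attacker
does not control for the check to mean something.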