Re: integrity of commercial CD set
On Thu, Jan 15, 2015 at 3:27 PM, Enos D'Andrea temp4282138...@edlabs.it wrote:
> On 14/01/2015 17:03, mar...@martinbrandenburg.com wrote:
>> [...] you trust Theo and OpenBSD because you have no better option. Don't pretend you increase your security by proving the software came from a source you can't prove is trustworthy. [...]
>
> More than Theo himself, what makes me trust OpenBSD is its stable, clean, open and essential code reviewed by a very skilled community. That's why I go the extra mile(s) to ensure running *that* code.
>
> <off-topic>
>
>> Security is about pushing attacks out of your attackers' ability or price range. [...] Are you willing to go to the effort that defending against your outlined attack requires?
>
> Being my current line of work, yes. Not that I or my clients have anything malicious to hide, but some government agencies and vendors seem to have lost touch with reality and/or ethics.
>
> The discussion went off topic. I was just after signed CD checksums, to raise the security of my physical delivery on par with that of the source code.

I think the attitude of the team here is that they want us to take the responsibility of (re-)bootstrapping our trust chains ourselves.

> Never mind: I will make do with downloading an ISO, while the kid within me enjoys the boxed CD set (which, save missing CD checksums for paranoid security people, is very nice indeed).

Actually, since you have the packages etc. on the CDs, you can save yourself quite a bit of bandwidth, just downloading the net-install ISO and checking the checksum the mirror advertises. (And comparing the checksums found on five other randomly selected mirrors.)

With big-name Linux projects, the packages in your DVD are old by the time you get them. Not so with openbsd.

Once you have the base system installed, signify checks things for you. (Under the control of various scripts.)

> </off-topic>
>
> Many thanks to Theo and the others for your advice and opinions.
>
> Regards
> --
> Enos D'Andrea

--
Joel Rees

Be careful when you look at conspiracy.
Look first in your own heart,
and ask yourself if you are not your own worst enemy.
Arm yourself with knowledge of yourself, as well.
Re: integrity of commercial CD set
Sometimes I wish mailing lists had a like button ;)

On Wed, Jan 14, 2015 at 6:30 PM, Jack Woehr jwo...@softwoehr.com wrote:
> Theo de Raadt wrote:
>> Finding them inside the global shipping system is easier than you think
>
> One of the joys of growing old is watching the really bad sci fi you read as a youth all come true :)
>
> --
> Jack Woehr                  # There's too much emphasis on things
> Box 51, Golden CO 80402     # like pawn structure in modern chess.
> http://www.softwoehr.com    # Checkmate ends the game. - N. Short
Re: integrity of commercial CD set
I bought a can of this paint from a hardware store up in Lake Louise last week.

On Wed, 14 Jan 2015, Theo de Raadt wrote:
>>> On 2015-01-14, mar...@martinbrandenburg.com mar...@martinbrandenburg.com wrote:
>>>>> Buying a CD in my case includes a 5.000 mile trip through multiple five-eyes nations, whose overzealous three letter agencies officially intercept physical shipments to install backdoors and hardware implants.
>>>> Where have you heard that?
>>>
>>> Part of the Snowden revelations. Have you been living under a rock for the past 18 months?
>>>
>>> --
>>> Christian "naddy" Weisgerber na...@mips.inka.de
>>
>> They are not regularly intercepting CD shipments and replacing the CDs. It would not be unusual for an intelligence agency to attempt to intercept particular mails for particular people, but they can't do it at scale secretly.
>
> Finding them inside the global shipping system is easier than you think, because the CD labels are printed using the radioactive paint they gave us.
Re: integrity of commercial CD set
> I bought a can of this paint from a hardware store up in Lake Louise last week.

We already knew that.
Re: integrity of commercial CD set
>>> Please, how is one supposed to verify the integrity of an official OpenBSD 5.6 commercial CD set, bought on the OpenBSD store and received by physical mail? [...]
>>
>> Each directory on the CD is signed using signify and the 5.6 keys listed at http://www.openbsd.org/56.html [...]
>
> Thanks, but I was hoping for a method that would also verify the CD boot process, and that would not require downloading and installing a second image or trusting the CD to verify itself.

Don't see a nice way of doing what you want.

> On a side note, CD #2 (amd64, powerpc, song) includes more than 15Mb of space not directly allocated in files (excluding the audio track):

The ISO format that allows an audio track after a data track unfortunately requires a pretty significant gap, and a pad after the audio. I've lost hair over this. Really wish I had access to a CD expert who could help me improve this.

So you've hashed the whole CDs. There are very few people who will do this as a verification method, so few that it feels unreasonable.
Re: integrity of commercial CD set
On 14/01/2015 17:03, mar...@martinbrandenburg.com wrote:
> [...] you trust Theo and OpenBSD because you have no better option. Don't pretend you increase your security by proving the software came from a source you can't prove is trustworthy. [...]

More than Theo himself, what makes me trust OpenBSD is its stable, clean, open and essential code reviewed by a very skilled community. That's why I go the extra mile(s) to ensure running *that* code.

<off-topic>

> Security is about pushing attacks out of your attackers' ability or price range. [...] Are you willing to go to the effort that defending against your outlined attack requires?

Being my current line of work, yes. Not that I or my clients have anything malicious to hide, but some government agencies and vendors seem to have lost touch with reality and/or ethics.

The discussion went off topic. I was just after signed CD checksums, to raise the security of my physical delivery on par with that of the source code.

Never mind: I will make do with downloading an ISO, while the kid within me enjoys the boxed CD set (which, save missing CD checksums for paranoid security people, is very nice indeed).

</off-topic>

Many thanks to Theo and the others for your advice and opinions.

Regards
--
Enos D'Andrea
Re: integrity of commercial CD set
On 2015-01-14, mar...@martinbrandenburg.com mar...@martinbrandenburg.com wrote:
>> Buying a CD in my case includes a 5.000 mile trip through multiple five-eyes nations, whose overzealous three letter agencies officially intercept physical shipments to install backdoors and hardware implants.
>
> Where have you heard that?

Part of the Snowden revelations. Have you been living under a rock for the past 18 months?

--
Christian "naddy" Weisgerber na...@mips.inka.de
Re: integrity of commercial CD set
Enos D'Andrea temp4282138...@edlabs.it wrote:
> On 14/01/2015 12:24, Stefan Sperling wrote:
>> Bootstrapping trust is always going to be hard no matter what we do and how hard we try. [...] Now the answer has become buy a CD and cross-check it with signify and it's still not enough. [...]
>
> <paranoia>
>
> Buying a CD in my case includes a 5.000 mile trip through multiple five-eyes nations, whose overzealous three letter agencies officially intercept physical shipments to install backdoors and hardware implants.
>
> Cross-checking of OpenBSD commercial CD sets at present can only be partial, as no official full checksums seem to be provided. Even cross-checking *all* files referenced by the ISO filesystem would still allow a malicious boot sector to directly reference unallocated space.
>
> Let's call a spade a spade: the worst-case scenario is an APT intercepting the shipment of a commercial CD set, substituting one or more CDs and repackaging it. Extremely unlikely for the average person, not so much for IT security consultants with important clients.
>
> </paranoia>
>
> Regards
> --
> Enos D'Andrea

Where have you heard that?

Intercepting physical mail secretly is really hard, especially if you don't want the post office to know about it. Think of everyone who would need to know. Anyone who doesn't know would be trying to get the package correctly delivered. Best case you plant somebody (multiple people; imagine if your plant was assigned to something else on the critical day) in the destination post office.

It's extremely unlikely for anyone.

Travel to Canada and receive it there. Oh wait, Canada is really friendly with all the governments you're scared of. Hopefully you don't live in one of these nations. Why are you not scared of your own government? They pose the greatest threat to your liberty.

And since this software is developed out of Canada, how do you know it can be trusted to begin with? Why do you trust Theo exactly? He seems like a nice guy, and he's done a very good job with OpenBSD, but you don't know him. If he were a secret agent, that would be exactly what he'd want you to think.

No, you trust Theo and OpenBSD because you have no better option. Don't pretend you increase your security by proving the software came from a source you can't prove is trustworthy. You'd do better to audit the source.

Security is about pushing attacks out of your attackers' ability or price range. If your attackers' ability and price range is greater than what you're willing to expend on security, you're compromised. Are you willing to go to the effort that defending against your outlined attack requires? Probably not.

Unless you're very very important, you eliminate the possibility of a distribution attack by getting signify keys of CDs.

--
Martin
Re: integrity of commercial CD set
Christian Weisgerber na...@mips.inka.de wrote:
> On 2015-01-14, mar...@martinbrandenburg.com mar...@martinbrandenburg.com wrote:
>>> Buying a CD in my case includes a 5.000 mile trip through multiple five-eyes nations, whose overzealous three letter agencies officially intercept physical shipments to install backdoors and hardware implants.
>>
>> Where have you heard that?
>
> Part of the Snowden revelations. Have you been living under a rock for the past 18 months?
>
> --
> Christian "naddy" Weisgerber na...@mips.inka.de

They are not regularly intercepting CD shipments and replacing the CDs. It would not be unusual for an intelligence agency to attempt to intercept particular mails for particular people, but they can't do it at scale secretly.

--
Martin
Re: integrity of commercial CD set
On Wed, Jan 14, 2015 at 02:32:07PM +0100, Enos D'Andrea wrote:
> Buying a CD in my case includes a 5.000 mile trip through multiple five-eyes nations, whose overzealous three letter agencies officially intercept physical shipments to install backdoors and hardware implants.
                                                                                                                                ^
> Cross-checking of OpenBSD commercial CD sets at present can only be partial, as no official full checksums seem to be provided. Even cross-checking *all* files referenced by the ISO filesystem would still allow a malicious boot sector to directly reference unallocated space.

No need to worry. They won't need to mess with the CDs since your hardware is already bugged ;)

> Let's call a spade a spade: the worst-case scenario is an APT intercepting the shipment of a commercial CD set, substituting one or more CDs and repackaging it. Extremely unlikely for the average person, not so much for IT security consultants with important clients.

I understand where you're coming from, but what you're getting at is out of scope of this project.

Questions which tickle someone into writing code to fix a problem are always well received. But if your problem is targeted surveillance, then sorry, we simply can't fix that any better than anyone else can, and we certainly can't fix it by adding more code to the CD verification process. Your scenario presents a political problem, not a technical one.

If you believe that targeted surveillance won't work on you if you run a verified install of OpenBSD, you're fooling yourself.
Re: integrity of commercial CD set
>> On 2015-01-14, mar...@martinbrandenburg.com mar...@martinbrandenburg.com wrote:
>>>> Buying a CD in my case includes a 5.000 mile trip through multiple five-eyes nations, whose overzealous three letter agencies officially intercept physical shipments to install backdoors and hardware implants.
>>>
>>> Where have you heard that?
>>
>> Part of the Snowden revelations. Have you been living under a rock for the past 18 months?
>>
>> --
>> Christian "naddy" Weisgerber na...@mips.inka.de
>
> They are not regularly intercepting CD shipments and replacing the CDs. It would not be unusual for an intelligence agency to attempt to intercept particular mails for particular people, but they can't do it at scale secretly.

Finding them inside the global shipping system is easier than you think, because the CD labels are printed using the radioactive paint they gave us.
Re: integrity of commercial CD set
Theo de Raadt wrote:
> Finding them inside the global shipping system is easier than you think

One of the joys of growing old is watching the really bad sci fi you read as a youth all come true :)

--
Jack Woehr                  # There's too much emphasis on things
Box 51, Golden CO 80402     # like pawn structure in modern chess.
http://www.softwoehr.com    # Checkmate ends the game. - N. Short
Re: integrity of commercial CD set
On Wed, Jan 14, 2015 at 10:49:01AM +0100, Enos D'Andrea wrote:
> Thanks, but I was hoping for a method that would also verify the CD boot process, and that would not require downloading and installing a second image or trusting the CD to verify itself.

Bootstrapping trust is always going to be hard no matter what we do and how hard we try.

Since releases have been signed (since 5.4) people have been asking for even more verification than they used to ask for. This puzzles me. Before signify the answer to the trust problem was "buy a CD" and most paranoid people went with that. Now the answer has become "buy a CD and cross-check it with signify" and it's still not enough. What's next, should we invite everyone to Theo's house to run a collective install fest from his NFS server?

From the developer point of view it seems to be more a problem of managing expectations rather than a technical one. :-/

Speaking of which: Are you sure you can trust the hardware you're booting this CD on? Is it by chance a laptop that supports Intel vPro? In this case it likely runs SOAP/TLS(OpenSSL)/Kerberos code in firmware and the OS can't make any hard guarantees about the safety of your machine anyway: https://software.intel.com/sites/default/files/71/eb/mngstages.jpg

In other words, if you really want to argue trust down to the very last bit the discussion becomes pointless very quickly. It is never going to be perfect.
Re: integrity of commercial CD set
On 12/01/2015 20:34, Theo de Raadt wrote:
>> Please, how is one supposed to verify the integrity of an official OpenBSD 5.6 commercial CD set, bought on the OpenBSD store and received by physical mail? [...]
>
> Each directory on the CD is signed using signify and the 5.6 keys listed at http://www.openbsd.org/56.html [...]

Thanks, but I was hoping for a method that would also verify the CD boot process, and that would not require downloading and installing a second image or trusting the CD to verify itself.

On a side note, CD #2 (amd64, powerpc, song) includes more than 15Mb of space not directly allocated in files (excluding the audio track):

# mount -o ro /dev/sr0 /mnt/cdrom
# df -B KB /dev/sr0
Filesystem     1kB-blocks      Used Available Use% Mounted on
/dev/sr0         630047kB  630047kB       0kB 100% /mnt/cdrom
# du -B KB -s /mnt/cdrom/
614111kB        /mnt/cdrom/

For the records:

# sha256sum /dev/sr0   #CD1
a9958a206d7acb12a4b544f5df301261a92c4bec06b85c3964dd834ef622a22a
# cat /dev/sr0 > cd2.iso   #CD2
cat: /dev/sr0: Input/output error
# du -b cd2.iso
630345728
# sha256sum cd2.iso
72f2201021168c9132bea3e6ebf1fe250b394528c3c766ace2556a614bc8dd7e
# sha256sum /dev/sr0   #CD3
466e4f4c0506711bcbb4bd31601f0fb16c154df2e52c4d9596c9fa91efeddee4

Regards
--
Enos D'Andrea
Re: integrity of commercial CD set
> Thanks, but I was hoping for a method that would also verify the CD boot process, and that would not require downloading and installing a second image or trusting the CD to verify itself.

Next time, it is better to ask what you hope for. You asked how to check and you got the answer, then you moved to something else ...
Re: integrity of commercial CD set
On 14/01/2015 12:24, Stefan Sperling wrote:
> Bootstrapping trust is always going to be hard no matter what we do and how hard we try. [...] Now the answer has become buy a CD and cross-check it with signify and it's still not enough. [...]

<paranoia>

Buying a CD in my case includes a 5.000 mile trip through multiple five-eyes nations, whose overzealous three letter agencies officially intercept physical shipments to install backdoors and hardware implants.

Cross-checking of OpenBSD commercial CD sets at present can only be partial, as no official full checksums seem to be provided. Even cross-checking *all* files referenced by the ISO filesystem would still allow a malicious boot sector to directly reference unallocated space.

Let's call a spade a spade: the worst-case scenario is an APT intercepting the shipment of a commercial CD set, substituting one or more CDs and repackaging it. Extremely unlikely for the average person, not so much for IT security consultants with important clients.

</paranoia>

Regards
--
Enos D'Andrea
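The point Enos makes above (and the du/df gap he measured on CD #2 earlier in the thread) can be made concrete from the defender's side: the sectors that a per-file check never reads are exactly those that no volume descriptor, path table, directory record or El Torito boot entry refers to. The following is an added example, not code from the thread or from OpenBSD. It assumes a plain ISO 9660 data track read into memory (as cd2.iso was above); the sample image it builds is constructed for the test and is not a real CD, and the function names (audit_iso, build_sample_iso) are mine.

```python
"""Audit an ISO 9660 image for sectors nothing on the disc references.
Added example, not OpenBSD tooling: it walks the volume descriptors, path
tables, directory tree and (if present) the El Torito boot catalog, marks
every 2048-byte sector they account for, and reports the rest, which is
the part of the disc that a per-file signify check never reads."""
import struct

SECTOR = 2048

def _le32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]

def _walk_dir(img, extent, size, mark, seen):
    """Mark a directory extent and recurse; 'seen' guards against loops."""
    if extent in seen:
        return
    seen.add(extent)
    mark(extent, size)
    data = img[extent * SECTOR:extent * SECTOR + size]
    pos = 0
    while pos < len(data):
        rec_len = data[pos]
        if rec_len == 0:                       # zero length: rest of sector is padding
            pos = (pos // SECTOR + 1) * SECTOR
            continue
        rec = data[pos:pos + rec_len]
        name = rec[33:33 + rec[32]]
        if name not in (b"\x00", b"\x01"):     # skip the '.' and '..' entries
            if rec[25] & 2:                    # file-flags bit 1: directory
                _walk_dir(img, _le32(rec, 2), _le32(rec, 10), mark, seen)
            else:
                mark(_le32(rec, 2), _le32(rec, 10))
        pos += rec_len

def audit_iso(img):
    """Return (volume size in sectors, sorted list of unreferenced sectors)."""
    referenced = set(range(16))                # system area: MBR / boot code
    def mark(start, nbytes):
        referenced.update(range(start, start + (nbytes + SECTOR - 1) // SECTOR))
    pvd, boot_catalog, sec = None, None, 16
    while True:                                # descriptor set ends with type 255
        d = img[sec * SECTOR:(sec + 1) * SECTOR]
        if len(d) < SECTOR or d[1:6] != b"CD001":
            raise ValueError("no ISO 9660 descriptor at sector %d" % sec)
        referenced.add(sec)
        if d[0] == 1:
            pvd = d
        elif d[0] == 0 and d[7:30] == b"EL TORITO SPECIFICATION":
            boot_catalog = _le32(d, 71)        # boot record volume descriptor
        elif d[0] == 255:
            break
        sec += 1
    if pvd is None:
        raise ValueError("no primary volume descriptor")
    volume_sectors, pt_size = _le32(pvd, 80), _le32(pvd, 132)
    mark(_le32(pvd, 140), pt_size)                        # type-L path table
    mark(struct.unpack_from(">I", pvd, 148)[0], pt_size)  # type-M (big-endian)
    _walk_dir(img, _le32(pvd, 158), _le32(pvd, 166), mark, set())  # root dir
    if boot_catalog is not None:               # El Torito: catalog, then boot image
        mark(boot_catalog, 64)
        entry = img[boot_catalog * SECTOR + 32:boot_catalog * SECTOR + 64]
        if entry[0] == 0x88:                   # bootable default entry
            count = struct.unpack_from("<H", entry, 6)[0]   # in 512-byte units
            mark(_le32(entry, 8), count * 512)
    return volume_sectors, sorted(set(range(volume_sectors)) - referenced)

def build_sample_iso():
    """Constructed 26-sector image (not a real CD): descriptors 16-18, root dir 19
    with SUB/ (20) and A.TXT (21), boot catalog 22 + boot image 23, and sectors
    24-25 deliberately left unreferenced.  Path table pointers are left at 0."""
    def rec(loc, size, flags, name):           # one ISO 9660 directory record
        body = (b"\x00" + struct.pack("<I", loc) + struct.pack(">I", loc)
                + struct.pack("<I", size) + struct.pack(">I", size) + bytes(7)
                + bytes([flags, 0, 0]) + b"\x01\x00\x00\x01" + bytes([len(name)]) + name)
        body += b"\x00" if len(name) % 2 == 0 else b""   # records have even length
        return bytes([len(body) + 1]) + body
    def descriptor(kind):
        d = bytearray(SECTOR)
        d[0], d[1:6], d[6] = kind, b"CD001", 1
        return d
    img = bytearray(SECTOR * 26)
    pvd = descriptor(1)
    struct.pack_into("<I", pvd, 80, 26)        # volume space size
    pvd[156:190] = rec(19, SECTOR, 2, b"\x00") # root directory record
    boot = descriptor(0)
    boot[7:30] = b"EL TORITO SPECIFICATION"
    struct.pack_into("<I", boot, 71, 22)       # boot catalog sector
    img[16 * SECTOR:19 * SECTOR] = pvd + boot + descriptor(255)
    root = (rec(19, SECTOR, 2, b"\x00") + rec(19, SECTOR, 2, b"\x01")
            + rec(21, 100, 0, b"A.TXT;1") + rec(20, SECTOR, 2, b"SUB"))
    img[19 * SECTOR:19 * SECTOR + len(root)] = root
    sub = rec(20, SECTOR, 2, b"\x00") + rec(19, SECTOR, 2, b"\x01")
    img[20 * SECTOR:20 * SECTOR + len(sub)] = sub
    catalog = (bytes([1]) + bytes(29) + b"\x55\xaa"       # validation entry, then the
               + bytes([0x88, 0, 0, 0, 0, 0]) + struct.pack("<HI", 4, 23) + bytes(20))
    img[22 * SECTOR:22 * SECTOR + 64] = catalog           # default entry: 4x512 B at 23
    return bytes(img)
```

On a real image, audit_iso(open("cd2.iso", "rb").read()) returns the volume size and the list of sectors nothing refers to. Expect a non-empty list even on a genuine disc (padding, and the gap Theo describes for the audio track); the value is in knowing which sectors those are, so they can be hashed on their own and compared between two copies of the same CD, or inspected if the boot image turns out to point into them.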
integrity of commercial CD set
Hello,

Please, how is one supposed to verify the integrity of an official OpenBSD 5.6 commercial CD set, bought on the OpenBSD store and received by physical mail?

Those CD images (with multiple platforms on the same CD) do not seem to be available for download. Their checksums (provided mine are not corrupted) are not even indexed by major search engines.

Thanks,
Regards
--
Enos D'Andrea
Re: integrity of commercial CD set
> Please, how is one supposed to verify the integrity of an official OpenBSD 5.6 commercial CD set, bought on the OpenBSD store and received by physical mail?
>
> Those CD images (with multiple platforms on the same CD) do not seem to be available for download. Their checksums (provided mine are not corrupted) are not even indexed by major search engines.

Each directory on the CD is signed using signify and the 5.6 keys listed at http://www.openbsd.org/56.html

As a shortcut, you can compare the CD's 5.6/amd64/SHA256.sig to http://ftp.openbsd.org/pub/OpenBSD/5.6/amd64/SHA256.sig, but do run signify to verify the other files.
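The two checks Theo describes (compare the CD's SHA256.sig with the mirror's copy, then verify every listed file against it) as an added Python example; this is not OpenBSD's signify and not code from the thread. It does not verify the Ed25519 signature, which is signify's job (signify -C with the matching openbsd-56-base.pub); what it shows is the layout of a signify-signed manifest (an "untrusted comment" line, a base64 signature line, then the SHA256 lines) and a per-file comparison that reports missing and mismatched files separately. The script name, function names and the sample manifest in the test are mine.

```python
"""Check an OpenBSD release directory against its signify-signed SHA256
manifest (SHA256.sig).  Added example, not OpenBSD's signify: it parses the
signed file and compares per-file hashes the way 'signify -C' does, but it
does NOT check the Ed25519 signature.  Run 'signify -C -p
/etc/signify/openbsd-56-base.pub -x SHA256.sig' for that; this script only
tells you which listed files are present, mismatched or missing."""
import base64
import hashlib
import os
import re
import sys

# One manifest line in BSD checksum style: SHA256 (file) = <64 hex digits>
MANIFEST_LINE = re.compile(r"^SHA256 \((.+)\) = ([0-9a-f]{64})$")


def parse_signed_manifest(text):
    """Split signify's embedded-signature layout into its three parts.

    Line 1 is 'untrusted comment: ...' (it names the key to verify with),
    line 2 is the base64 signature ('Ed' + 8-byte key id + 64-byte sig),
    and everything after is the signed message: the SHA256 lines.
    Returns (comment, signature_bytes, {filename: sha256_hex}).
    """
    lines = text.splitlines()
    if len(lines) < 2 or not lines[0].startswith("untrusted comment:"):
        raise ValueError("not a signify-signed file")
    comment = lines[0].split(":", 1)[1].strip()
    sig = base64.b64decode(lines[1])
    if sig[:2] != b"Ed" or len(sig) != 2 + 8 + 64:
        raise ValueError("unexpected signature blob")
    sums = {}
    for line in lines[2:]:
        if not line.strip():
            continue
        m = MANIFEST_LINE.match(line)
        if m is None:
            raise ValueError("bad manifest line: %r" % line)
        sums[m.group(1)] = m.group(2)
    return comment, sig, sums


def verify_sums(sums, hash_of):
    """Compare the manifest with hash_of(name) -> hex digest, or None if absent.

    Returns (ok, mismatched, missing), each a sorted list of file names;
    every manifest entry lands in exactly one list."""
    ok, bad, missing = [], [], []
    for name, expected in sorted(sums.items()):
        actual = hash_of(name)
        if actual is None:
            missing.append(name)
        elif actual == expected:
            ok.append(name)
        else:
            bad.append(name)
    return ok, bad, missing


def sha256_of_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_directory(sig_path):
    """Hash every file the manifest names, relative to the manifest's directory."""
    directory = os.path.dirname(os.path.abspath(sig_path))
    with open(sig_path) as f:
        comment, _sig, sums = parse_signed_manifest(f.read())

    def hash_of(name):
        path = os.path.join(directory, name)
        return sha256_of_file(path) if os.path.isfile(path) else None

    return comment, verify_sums(sums, hash_of)


def manifests_identical(cd_sig, mirror_sig):
    """Theo's shortcut: the CD's SHA256.sig and the mirror's copy should be
    byte-for-byte identical (same signed message, same signature)."""
    with open(cd_sig, "rb") as a, open(mirror_sig, "rb") as b:
        return a.read() == b.read()


if __name__ == "__main__":
    # usage: python3 check_sha256sig.py /mnt/cdrom/5.6/amd64/SHA256.sig
    comment, (ok, bad, missing) = check_directory(sys.argv[1])
    print("manifest says:", comment)
    print("ok: %d  mismatched: %s  missing: %s" % (len(ok), bad, missing))
    sys.exit(1 if bad else 0)
```

A mismatch here is a file whose contents differ from what the signed manifest says; a missing file is merely not on the disc (release sets are split across CDs). Neither result means anything until signify has accepted the signature on SHA256.sig with the 5.6 key, which is why Theo's advice is to run signify and not stop at comparing the two manifest files.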