Re: [dera...@cvs.openbsd.org: Re: I would like to send this to misc@ and security-announce@, from me.]

2009-05-13 Thread Toni Mueller
Hi,

On Thu, 30.04.2009 at 11:21:50 -0600, Bob Beck b...@openbsd.org wrote:
   The best place to get OpenBSD is from an official CD set, produced in
 a secured location

FWIW, I have what I think are official CDs, and they contain OS code
dated 2009-02-28 22:41 UTC. This means the official code was produced
two months before the release date.


-- 
Kind regards,
--Toni++



Re: [dera...@cvs.openbsd.org: Re: I would like to send this to misc@ and security-announce@, from me.]

2009-05-06 Thread Bob Beck
  e.g. ftp://mirrors.nic.funet.fi/ftp.openbsd.org/pub/OpenBSD/
 
 I'll make a bulk check of the mirrors that haven't got 4.5 yet
 sometime soon and remind them to update their rsync inclusion
 lists. I'll give it a bit longer because some are probably
 still trying to fetch the release.
 

And there is a big difference between a mirror that is behind, and a
mirror that is providing you with something that is not what it
purports to be.



Re: [dera...@cvs.openbsd.org: Re: I would like to send this to misc@ and security-announce@, from me

2009-05-05 Thread Artur Grabowski
rembrandt rembra...@jpberlin.de writes:

 :words:

Here's a nickel, kid. Buy yourself a better tinfoil hat.

//art



Re: [dera...@cvs.openbsd.org: Re: I would like to send this to misc@ and security-announce@, from me.]

2009-05-05 Thread Lars Nooden
Mike Belopuhov wrote:
 C'mon, ftp.kd86.com was delisted from the ftp.html page on Mon Apr 6.
 Can you just stop bashing Wim?  It doesn't make anyone happier (except
 Theo probably).  

+1

 Or maybe we should rush searching the whole fscking
 internet for the incorrect OpenBSD mirrors?  

e.g. ftp://mirrors.nic.funet.fi/ftp.openbsd.org/pub/OpenBSD/

-Lars



Re: [dera...@cvs.openbsd.org: Re: I would like to send this to misc@ and security-announce@, from me.]

2009-05-05 Thread Stuart Henderson
On 2009-05-05, Lars Nooden lars.cura...@gmail.com wrote:
 Mike Belopuhov wrote:
 Or maybe we should rush searching the whole fscking
 internet for the incorrect OpenBSD mirrors?  

 e.g. ftp://mirrors.nic.funet.fi/ftp.openbsd.org/pub/OpenBSD/

I'll make a bulk check of the mirrors that haven't got 4.5 yet
sometime soon and remind them to update their rsync inclusion
lists. I'll give it a bit longer because some are probably
still trying to fetch the release.



Re: [dera...@cvs.openbsd.org: Re: I would like to send this to misc@ and security-announce@, from me.]

2009-05-05 Thread Mischa Diehm
On Mon, May 04, 2009 at 01:38:16PM -0600, Bob Beck wrote:
   Look dude, that ftp site made something available before any of the
 second level mirrors were even opened up to other sites to retrieve
 it. Deliberate action was taken to release something early without
 mirroring it from a credible source. Judging by the contents, not all
 of it was exactly 4.5. This is cause for concern to anyone using the
 mirror. 

How many unofficial ftp servers are there on this dangerous
internet which are or might or could be having wrong packages? This is
what ftp.html is all about right? Why is there a list of official
mirrors anyway?

   It's not like the operator of the site could have done this
 *accidentally* - This showed some kind of deliberate intent to release
 something early, and they obviously didn't seem too concerned if it
 was 100% correct. I don't know the reason, and I don't care to. All I know
 is that when we see it, that says danger. 

This is the German coast guard. We are thinking... That's ridiculous.
 
   Mirroring is based upon trust. Whoever's running that site obviously
 decided to go rogue and do something goofy.  I don't care who mirrors
 openbsd, but I expect them to actually mirror it through authorized
 channels, not put something up early that is deceptive to the users
 and potentially harmful.  When we *SEE* evidence of this being done, not
 telling the user community is simply irresponsible. 

Great reasoning. Now I get it! The word I was missing is trust.
I almost forgot: In god we trust. Thanks for the reminder.

 * Mike Belopuhov mi...@lucifier.net [2009-05-04 04:55]:
  C'mon, ftp.kd86.com was delisted from the ftp.html page on Mon Apr 6.
  Can you just stop bashing Wim?  It doesn't make anyone happier (except
  Theo probably).  Or maybe we should rush searching the whole fscking
  internet for the incorrect OpenBSD mirrors?  Chill out, dudes.
  
  On Thu, Apr 30, 2009 at 11:21 -0600, Bob Beck wrote:

 Users are cautioned about rogue ftp sites claiming to have OpenBSD.

 The best place to get OpenBSD is from an official CD set, produced in
   a secured location

 It has come to our attention that some ftp sites (ftp.kd85.com) which
   are not official OpenBSD mirrors are purporting to serve OpenBSD 4.5
   at this time. We have noted that what is actually present in the 4.5
   directory is not 4.5, but rather a late development cycle snapshot which
   they have moved into place claiming it is 4.5. 

 While we have no problem with anyone mirroring OpenBSD for the good 
   of the user community, we do believe that people who offer up the wrong
   thing are being deceptive and will hurt the userbase - particularly when
   the packages being offered up are not the release versions. 

 please ensure you look at http://www.openbsd.org/ftp.html when
   choosing to do an ftp install, and don't be fooled by someone phishing
   for your ftp traffic.
  
 
 -- 
 #!/usr/bin/perl
 if ((not 0 && not 1) !=  (! 0 && ! 1)) {
    print "Larry and Tom must smoke some really primo stuff...\n";
 }
 

-- 
Eigentum verpflichtet. Sein Gebrauch soll zugleich dem Wohle der
Allgemeinheit dienen. (Art. 14 II GG)



Re: [dera...@cvs.openbsd.org: Re: I would like to send this to misc@ and security-announce@, from me.]

2009-05-05 Thread Theo de Raadt
 On Mon, May 04, 2009 at 01:38:16PM -0600, Bob Beck wrote:
  Look dude, that ftp site made something available before any of the
  second level mirrors were even opened up to other sites to retrieve
  it. Deliberate action was taken to release something early without
  mirroring it from a credible source. Judging by the contents, not all
  of it was exactly 4.5. This is cause for concern to anyone using the
  mirror. 
 
 How many unofficial ftp servers are there on this dangerous
 internet which are or might or could be having wrong packages? This is
 what ftp.html is all about right? Why is there a list of official
 mirrors anyway?

We provide a service out of the goodness of our hearts.

You accept how we do it, and you will shut up, or less service will be
provided in the future.

If you don't like it, run something else.



Re: [dera...@cvs.openbsd.org: Re: I would like to send this to misc@ and security-announce@, from me.]

2009-05-05 Thread SJP Lists
2009/5/5 Mischa Diehm m...@mailq.de:
 On Mon, May 04, 2009 at 01:38:16PM -0600, Bob Beck wrote:
   Look dude, that ftp site made something available before any of the
 second level mirrors were even opened up to other sites to retrieve
 it. Deliberate action was taken to release something early without
 mirroring it from a credible source. Judging by the contents, not all
 of it was exactly 4.5. This is cause for concern to anyone using the
 mirror.

 How many unofficial ftp servers are there on this dangerous
 internet which are or might or could be having wrong packages? This is
 what ftp.html is all about right? Why is there a list of official
 mirrors anyway?

This was a special case though, since kd85.com was previously listed
as hosting a second level mirror.

Surely it deserves special mention, since so many people would have
developed a lot of trust in that mirror.



Re: [dera...@cvs.openbsd.org: Re: I would like to send this to misc@ and security-announce@, from me.]

2009-05-04 Thread Mike Belopuhov
C'mon, ftp.kd86.com was delisted from the ftp.html page on Mon Apr 6.
Can you just stop bashing Wim?  It doesn't make anyone happier (except
Theo probably).  Or maybe we should rush searching the whole fscking
internet for the incorrect OpenBSD mirrors?  Chill out, dudes.

On Thu, Apr 30, 2009 at 11:21 -0600, Bob Beck wrote:
  
   Users are cautioned about rogue ftp sites claiming to have OpenBSD.
  
   The best place to get OpenBSD is from an official CD set, produced in
 a secured location
  
   It has come to our attention that some ftp sites (ftp.kd85.com) which
 are not official OpenBSD mirrors are purporting to serve OpenBSD 4.5
 at this time. We have noted that what is actually present in the 4.5
 directory is not 4.5, but rather a late development cycle snapshot which
 they have moved into place claiming it is 4.5. 
  
   While we have no problem with anyone mirroring OpenBSD for the good 
 of the user community, we do believe that people who offer up the wrong
 thing are being deceptive and will hurt the userbase - particularly when
 the packages being offered up are not the release versions. 
  
   please ensure you look at http://www.openbsd.org/ftp.html when
 choosing to do an ftp install, and don't be fooled by someone phishing
 for your ftp traffic.



Re: [dera...@cvs.openbsd.org: Re: I would like to send this to misc@ and security-announce@, from me.]

2009-05-04 Thread Bob Beck
Look dude, that ftp site made something available before any of the
second level mirrors were even opened up to other sites to retrieve
it. Deliberate action was taken to release something early without
mirroring it from a credible source. Judging by the contents, not all
of it was exactly 4.5. This is cause for concern to anyone using the
mirror.

It's not like the operator of the site could have done this
*accidentally* - This showed some kind of deliberate intent to release
something early, and they obviously didn't seem too concerned if it
was 100% correct. I don't know the reason, and I don't care to. All I know
is that when we see it, that says danger. 

Mirroring is based upon trust. Whoever's running that site obviously
decided to go rogue and do something goofy.  I don't care who mirrors
openbsd, but I expect them to actually mirror it through authorized
channels, not put something up early that is deceptive to the users
and potentially harmful.  When we *SEE* evidence of this being done, not
telling the user community is simply irresponsible. 

-Bob

* Mike Belopuhov mi...@lucifier.net [2009-05-04 04:55]:
 C'mon, ftp.kd86.com was delisted from the ftp.html page on Mon Apr 6.
 Can you just stop bashing Wim?  It doesn't make anyone happier (except
 Theo probably).  Or maybe we should rush searching the whole fscking
 internet for the incorrect OpenBSD mirrors?  Chill out, dudes.
 
 On Thu, Apr 30, 2009 at 11:21 -0600, Bob Beck wrote:
   
  Users are cautioned about rogue ftp sites claiming to have OpenBSD.
   
  The best place to get OpenBSD is from an official CD set, produced in
  a secured location
   
  It has come to our attention that some ftp sites (ftp.kd85.com) which
  are not official OpenBSD mirrors are purporting to serve OpenBSD 4.5
  at this time. We have noted that what is actually present in the 4.5
  directory is not 4.5, but rather a late development cycle snapshot which
  they have moved into place claiming it is 4.5. 
   
  While we have no problem with anyone mirroring OpenBSD for the good 
  of the user community, we do believe that people who offer up the wrong
  thing are being deceptive and will hurt the userbase - particularly when
  the packages being offered up are not the release versions. 
   
  please ensure you look at http://www.openbsd.org/ftp.html when
  choosing to do an ftp install, and don't be fooled by someone phishing
  for your ftp traffic.
 

-- 
#!/usr/bin/perl
if ((not 0 && not 1) !=  (! 0 && ! 1)) {
   print "Larry and Tom must smoke some really primo stuff...\n";
}



Re: [dera...@cvs.openbsd.org: Re: I would like to send this to misc@ and security-announce@, from me.]

2009-05-01 Thread J.C. Roberts
On Thu, 30 Apr 2009 11:21:50 -0600 Bob Beck b...@openbsd.org wrote:

  
   Users are cautioned about rogue ftp sites claiming to have
 OpenBSD. 
   The best place to get OpenBSD is from an official CD set,
 produced in a secured location
  
   It has come to our attention that some ftp sites
 (ftp.kd85.com) which are not official OpenBSD mirrors are purporting
 to serve OpenBSD 4.5 at this time. We have noted that what is
 actually present in the 4.5 directory is not 4.5, but rather a late
 development cycle snapshot which they have moved into place claiming
 it is 4.5. 
   While we have no problem with anyone mirroring OpenBSD for
 the good of the user community, we do believe that people who offer
 up the wrong thing are being deceptive and will hurt the userbase -
 particularly when the packages being offered up are not the release
 versions. 
   please ensure you look at http://www.openbsd.org/ftp.html
 when choosing to do an ftp install, and don't be fooled by someone
 phishing for your ftp traffic.
  
  
 


Wow! The depths that these scumbags will go is amazing, but I kinda 
figured something might be wrong when I logged into FTP and saw:

NOTICE: NSFW!


331 Guest login ok, send your email address as password.
230- 
230-   _   _    __  _  _ _
230-  / ___ \   |  _ \|  ___|/ __ \| | / |/ |  ___|
230- / /  / /___  ___   | |_) | |_  | |  )_| |/ /| (___ | |_
230-/ /  / / __ \/ _ \/ __ \|  _ | |_| | |  __| |   \___ \| |_|
230-   / /__/ / /_/ /  __/ / / /| |_) | |___| |__) | |\ \ ) | |___
230-   \_/ .___/\___/_/ /_/ |/|_|\/|_| \_|_/|_|
230-/_/
230-  /  \  \  /\  \  The proactively insecure Anus-like
230- |   `.  || :   \ Orifice System.
230- `|  || |   | Please visit the OpenBECKSE web site
230- \| //  \\\   \  :  |   at http://www.openbeckse.org/
230-  `\/  -~~  ~--__| \.'  |
230-  \\-~V ~-_\|   / All transfers are logged, if you don't
230-   \_   \  _.-.\|   : like this policy, disconnect now!
230-\\// _ __ (___  \   |
230- \  .   __)_  ___ (_ | /
230-  \ |___)/   \ (_|_/  OpenBECKSE 4.5 is available for order!
230-  /\|   )|  (___  /\  You can order a CD of OpenBECKSE from
230- |  (   _)\__/  // _/ / \ http://www.openbeckse.org/orders.html
230- |   \  |_  \\__//(__/  | CD sales are important to support the
230- |\   \___)  `--- --'   /|  continued development of the project.
230- '.__\/_   _.'
230-  \ / |  | \/
230-  || /\ |   |  Hearing him scream like a 
230-  :   / | | \   :   little girl when he had to hack 
230-  |   :  \_/\_/ :   |   in NFS was priceless  --phessler 
230-  VK. |   |   |  |  |   |
230- 
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>


-- 
J.C. Roberts



Re: [dera...@cvs.openbsd.org: Re: I would like to send this to misc@ and security-announce@, from me.]

2009-05-01 Thread ropers
2009/5/1 Bob Beck b...@openbsd.org:

 Print
 Pro forma invoice
 Date: 01.05.2009
 For
 GANDI SAS
 15, place de la Nation
 F-75011 Paris
 France
 RCS Paris B. 423 093 459
 SIRET 423 093 459 00034
 APE 6311Z - Capital de 7.622EUR
 NTVA FR 81 423 093 459
 fact...@gandi.net   Customer

 Bob Beck
 XX
 Alberta
 Edmonton
 Canada
 Telephone : XX
 Email : b...@obtuse.com


 Product          Description        Owner      Amount
 openbeckse.org   Create (3 years)   Bob Beck   $45.00
 Price excl. tax                                $45.00
 Price Incl. tax                                $45.00

Your FTP server is currently offline. As of this writing, it doesn't
even get as far as the welcome banner:

 $ ftp ftp.openbeckse.org
 ftp: ftp.openbeckse.org: Unknown host
 ftp> quit

 $ ftp openbeckse.org
 ftp: connect: Connection timed out
 ftp> quit

regards,
--ropers



Re: [dera...@cvs.openbsd.org: Re: I would like to send this to misc@ and security-announce@, from me.]

2009-04-30 Thread FRLinux
On Thu, Apr 30, 2009 at 6:21 PM, Bob Beck b...@openbsd.org wrote:
   The best place to get OpenBSD is from an official CD set, produced in
 a secured location

Received my official CD set today, thank you all for your hard work!

Steph