Re: Trusting the Installation

2012-03-05 Thread Илья Шипицин
we tried those certs. they are not trusted by mobile devices.
and those certificates are free only for 3 months (you are supposed to buy
them after that).

so, it's marketing stuff, not a real deal.

On 5 March 2012 at 13:49, Hugo Osvaldo Barrera h...@osvaldobarrera.com.ar wrote:

 On 2012-03-04 07:05, Илья Шипицин wrote:
  if you mean public SSL certs, it's about $500/year.
  are you willing to pay for SSL certs ?
 
  I can do the rest. I have installed tens ssl-enabled services.

 Slightly OT: StartSSL offers free certificates trusted by every browser,
 so you're just exaggerating - a lot.

 --
 Hugo Osvaldo Barrera



Re: Trusting the Installation

2012-03-05 Thread Fritz Wuehler
 On Sunday 04 March 2012 12:12:19 Anonymous Remailer (austria) wrote:
   the reason is you can download source code, look at it, make sure for
   yourself there's no backdoors, build your own ISO from source code
  
  You can but nobody does. If the entire OpenBSD team can't finish a complete
  audit of OpenBSD in one release cycle how long do you suppose it would take
  one person to do that? Not very practical.
  
  
 
 If someone thinks he has to audit the whole tree, he is not practical
 already. It is not difficult to get a trusted source rep and compare the
 downloaded source with that and investigate the differences if they think
 it is needed. 

What is trusted? Until some trusted group or person audits the source and
signs it there is nothing to compare anything to.

 If they don't even trust the source code on the DVD, they have bigger
 problems than just secure downloads.

Agreed, just arguing against the absurd idea quoted at the top.



Re: Trusting the Installation

2012-03-05 Thread Hugo Osvaldo Barrera
On 2012-03-05 06:08, Илья Шипицин wrote:
 we tried those certs. they are not trusted by mobile devices.
 and those certificates are free only for 3 months (you are supposed to
 buy them after that).
 
 so, it's marketing stuff, not a real deal.

That's totally wrong. They last a year, and you can get a new one
(again, for free) after they expire.
I'm not sure what mobile device distrusts them, most do.  And how often
do you download OpenBSD ISOs from mobile devices?

-- 
Hugo Osvaldo Barrera



Re: Trusting the Installation

2012-03-05 Thread Rudolf Leitgeb
On Monday, 5 March 2012, 10:12:02, Илья Шипицин wrote:
 P.S. I'm not a paranoic, but I respect people to be paranoic if they want
 to.

You can be paranoid about the sources and binaries all you want, but you still
don't know the CPU which executes all that code. Even if Intel/AMD would give
you full access to their CPU blue prints, the chip foundry could add things
you would not notice.

That's the reason why companies which make secure encryption devices would
never trust any CPU/OS combo. Depending on paranoia they offer you either
an FPGA based solution or a hard wired one from logic ICs.

And even if you create the most trusted device, using nothing but 100 year old
relays and passive components, you are still prone to the "we will whack you
with a wrench if you don't give me your keys" attack. Very, very effective.



Re: Trusting the Installation

2012-03-05 Thread Henning Brauer
* Rudolf Leitgeb rudolf.leit...@gmx.at [2012-03-05 12:01]:
 That's the reason why companies which make secure encryption devices would
 never trust any CPU/OS combo. Depending on paranoia they offer you either
 an FPGA based solution or a hard wired one from logic ICs.

dream on.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/



Re: Trusting the Installation

2012-03-05 Thread Илья Шипицин
I'd agree that 100% paranoic will never trust hardware vendor as well. Only
own manufactured components should be used in conjunction with md5/sha1
checksum evaluation and source code audit.

On 5 March 2012 at 17:00, Rudolf Leitgeb rudolf.leit...@gmx.at wrote:

 On Monday, 5 March 2012, 10:12:02, Илья Шипицин wrote:
  P.S. I'm not a paranoic, but I respect people to be paranoic if they want
  to.

 You can be paranoid about the sources and binaries all you want, but you still
 don't know the CPU which executes all that code. Even if Intel/AMD would give
 you full access to their CPU blue prints, the chip foundry could add things
 you would not notice.

 That's the reason why companies which make secure encryption devices would
 never trust any CPU/OS combo. Depending on paranoia they offer you either
 an FPGA based solution or a hard wired one from logic ICs.

 And even if you create the most trusted device, using nothing but 100 year old
 relays and passive components, you are still prone to the "we will whack you
 with a wrench if you don't give me your keys" attack. Very, very effective.



Re: Trusting the Installation

2012-03-05 Thread Rudolf Leitgeb
On Monday, 5 March 2012, 12:36:56, Henning Brauer wrote:
 * Rudolf Leitgeb rudolf.leit...@gmx.at [2012-03-05 12:01]:
  That's the reason why companies which make secure encryption devices would
  never trust any CPU/OS combo. Depending on paranoia they offer you either
  an FPGA based solution or a hard wired one from logic ICs.

 dream on.

Feel free to trust an Intel Core 2 :)

Theo, for whatever reason, doesn't 



Re: Trusting the Installation

2012-03-05 Thread Henning Brauer
* Rudolf Leitgeb rudolf.leit...@gmx.at [2012-03-05 13:21]:
 On Monday, 5 March 2012, 12:36:56, Henning Brauer wrote:
  * Rudolf Leitgeb rudolf.leit...@gmx.at [2012-03-05 12:01]:
   That's the reason why companies which make secure encryption devices would
   never trust any CPU/OS combo. Depending on paranoia they offer you either
   an FPGA based solution or a hard wired one from logic ICs.
 
  dream on.
 
 Feel free to trust an Intel Core 2 :)

you completely missed the point of my remark.

most secure encryption devices on the market run linux. their
security is snake oil. you don't wanna know what I have seen (and I
can't talk about it in most cases)...

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/



Re: Trusting the Installation

2012-03-05 Thread Rudolf Leitgeb
On Monday, 5 March 2012, 13:30:14, Henning Brauer wrote:

 you completely missed the point of my remark.

 most secure encryption devices on the market run linux. their
 security is snake oil. you don't wanna know what I have seen (and I
 can't talk about it in most cases)...

This mailing list is not about snake oil products on sale somewhere.
The post I replied to asked how one can be sure he runs trusted
software and my reply was it doesn't help you if you aren't 100%
sure your hardware is kosher. And for all practical purposes you can't.

One doesn't have to be 100% paranoid to distrust hardware. Look where
almost all desktop and laptop CPUs come from. And where these devices
plus their peripherals are made.

And again: even 100% secure hardware+software won't protect you
against extortion/torture/whatever means to get that piece of info.



Re: Trusting the Installation

2012-03-05 Thread Steffen Daode Nurpmeso
Rudolf Leitgeb wrote [2012-03-05 13:51+0100]:
 Look where almost all desktop and laptop CPUs come from.
 And where these devices plus their peripherals are made.

Oh yes!  You really just can't trust America.  Really.

--steffen



Re: Trusting the Installation

2012-03-05 Thread Nomen Nescio
 This mailing list is not about snake oil products on sale somewhere.
 The post I replied to asked how one can be sure he runs trusted
 software and my reply was it doesn't help you if you aren't 100%
 sure your hardware is kosher. And for all practical purposes you can't.

True but I think it should be enough for most people if the OpenBSD team
posts hashes or sigs on their sites and you download from a mirror and check
against those hashes or sigs. If someone has enough power to p0wn the
OpenBSD site as well as various mirrors you may as well quit while you're
ahead.

(Yes I realize they already do that. Apparently the OP does not realize that)



Re: Trusting the Installation

2012-03-05 Thread Martin Schröder
2012/3/5 PP;QQ P(P8P?P8QP8P= chipits...@gmail.com:
 I'd agree that 100% paranoic will never trust hardware vendor as well. Only
 own manufactured components should be used in conjunction with md5/sha1

md5 - YMMD :-)



Re: Trusting the Installation

2012-03-04 Thread Hugo Osvaldo Barrera
On 2012-02-29 01:13, Nico Kadel-Garcia wrote:
 This just came up in the Scientific Linux mailing list. While checksums are
 useful, they're not helpful if both the checksum and the file itself are
 corrupted. Someone (namely me!) also pointed out the possibility of
 manipulating the FTP or HTTP transmission en route, and I pointed out the
 risk of a Trojan infested mirror, Bittorrent, or other popular network
 access source. It's why I'm happy to use Bittorrent to get ISO's in a
 speedy fashion, but *ALWAYS* check the checksums against the original
 source when download is complete.

I had never thought of this.  Using torrents for the file itself, and
HTTP for the checksum seems to be quite secure (at least compared to the
alternatives).  Especially if the torrent file has hundreds of seeders.

-- 
Hugo Osvaldo Barrera



Re: Trusting the Installation

2012-03-04 Thread Илья Шипицин
On 29 February 2012 at 8:44, Nathan Stiles stiles.nat...@gmail.com wrote:

 Hello,
 I've recently installed 5.0 and based upon my experience
 I expected a checksum to be posted for the ISO.
 Also I've noticed that HTTPS isn't implemented on openbsd.org.
 I was also expecting the checksum to be served over HTTPS.


if you mean public SSL certs, it's about $500/year.
are you willing to pay for SSL certs ?

I can do the rest. I have installed tens ssl-enabled services.



 I'm sure there's a good reason why this isn't necessary?


the reason is you can download source code, look at it, make sure for
yourself there's no backdoors, build your own ISO from source code

I wonder why you are not doing that with every ISO (which you prefer to
download via torrent).


 I want to check the files I've downloaded against something?
 Obviously I can check a few random mirrors to ensure
 that files are identical.  What are others doing?


others are doing what they want :-)
it's open source. you can also do what you want.



 Thanks,
 Nathan



Re: Trusting the Installation

2012-03-04 Thread Anonymous Remailer (austria)
 the reason is you can download source code, look at it, make sure for
 yourself there's no backdoors, build your own ISO from source code

You can but nobody does. If the entire OpenBSD team can't finish a complete
audit of OpenBSD in one release cycle how long do you suppose it would take
one person to do that? Not very practical.



Re: Trusting the Installation

2012-03-04 Thread Martin Schröder
2012/3/4 PP;QQ P(P8P?P8QP8P= chipits...@gmail.com:
 the reason is you can download source code, look at it, make sure for
 yourself there's no backdoors, build your own ISO from source code

Who does that? Did _you_ check the code?

Best
   Martin



Re: Trusting the Installation

2012-03-04 Thread etechlist
On Sun, Mar 04, 2012 at 12:12:19PM +0100, Anonymous Remailer (austria) wrote:
  the reason is you can download source code, look at it, make sure for
  yourself there's no backdoors, build your own ISO from source code
 
 You can but nobody does. If the entire OpenBSD team can't finish a complete
 audit of OpenBSD in one release cycle how long do you suppose it would take
 one person to do that? Not very practical.

He obviously is not providing any useful input but pretending to be a
pro. 



Re: Trusting the Installation

2012-03-04 Thread Renzo Fabriek
On Sunday 04 March 2012 12:12:19 Anonymous Remailer (austria) wrote:
  the reason is you can download source code, look at it, make sure for
  yourself there's no backdoors, build your own ISO from source code
 
 You can but nobody does. If the entire OpenBSD team can't finish a complete
 audit of OpenBSD in one release cycle how long do you suppose it would take
 one person to do that? Not very practical.
 
 

If someone thinks he has to audit the whole tree, he is not practical already. 
It is not difficult to get a trusted source rep and compare the downloaded 
source with that and investigate the differences if they think it is needed. If 
they don't even trust the source code on the DVD, they have bigger problems 
than just secure downloads.



Re: Trusting the Installation

2012-03-04 Thread Илья Шипицин
I do not check the code :-)

but every paranoid user who doesn't trust to ISP (they could swap ISO
image), who doesn't trust to public SSL companies (they are known to sell
google certificate to Iranian government), who doesn't trust post office
(they could swap CDs), who doesn't trust to developers (they can leave
backdoor in code)  can do that.

it is open source, you can do whatever you want actually.

P.S. I'm not a paranoic, but I respect people to be paranoic if they want
to.

On 4 March 2012 at 18:07, Martin Schröder mar...@oneiros.de wrote:

 2012/3/4 Илья Шипицин chipits...@gmail.com:
  the reason is you can download source code, look at it, make sure for
  yourself there's no backdoors, build your own ISO from source code

 Who does that? Did _you_ check the code?

 Best
Martin



Re: Trusting the Installation

2012-03-04 Thread Hugo Osvaldo Barrera
On 2012-03-04 07:05, PP;QQ P(P8P?P8QP8P= wrote:
 if you mean public SSL certs, it's about $500/year.
 are you willing to pay for SSL certs ?
 
 I can do the rest. I have installed tens ssl-enabled services.

Slightly OT: StartSSL offers free certificates trusted by every browser,
so you're just exaggerating - a lot.

-- 
Hugo Osvaldo Barrera



Re: Trusting the Installation

2012-02-29 Thread Lars Hansson
On Wed, Feb 29, 2012 at 10:44 AM, Nathan Stiles stiles.nat...@gmail.com wrote:
 Also I've noticed that HTTPS isn't implemented on openbsd.org.

Why would it be? There is no user login or account information
exchanged with openbsd.org.
Are you worrying that someone would, almost magically, insert
malicious code in the ISO
while you download it?
There's good paranoia and bad paranoia...

Cheers,
Lars



Re: Trusting the Installation

2012-02-29 Thread bofh
On Tue, Feb 28, 2012 at 10:11 PM, Nick Holland
n...@holland-consulting.net wrote:
 On 02/28/12 21:43, Nathan Stiles wrote:
 Hello,
 Also I've noticed that HTTPS isn't implemented on openbsd.org.

 buy a CD.
 Really.

 The chains of rust you were putting your trust in has flaws.

I'm hoping Nathan saw that a bunch of root cert owners got 0wned and
all their certs cannot be trusted any more, especially since those
certs have been used in man-in-the-middle attacks.


--
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
This officer's men seem to follow him merely out of idle curiosity.
-- Sandhurst officer cadet evaluation.
Securing an environment of Windows platforms from abuse - external or
internal - is akin to trying to install sprinklers in a fireworks
factory where smoking on the job is permitted.  -- Gene Spafford
learn french:  http://www.youtube.com/watch?v=30v_g83VHK4



Trusting the Installation

2012-02-28 Thread Nathan Stiles
Hello,
I've recently installed 5.0 and based upon my experience
I expected a checksum to be posted for the ISO.
Also I've noticed that HTTPS isn't implemented on openbsd.org.
I was also expecting the checksum to be served over HTTPS.
I'm sure there's a good reason why this isn't necessary?
I want to check the files I've downloaded against something?
Obviously I can check a few random mirrors to ensure
that files are identical.  What are others doing?

Thanks,
Nathan



Re: Trusting the Installation

2012-02-28 Thread Nick Holland
On 02/28/12 21:43, Nathan Stiles wrote:
 Hello,
 I've recently installed 5.0 and based upon my experience
 I expected a checksum to be posted for the ISO.

And it is.  Imagine that.

 Also I've noticed that HTTPS isn't implemented on openbsd.org.
 I was also expecting the checksum to be served over HTTPS.
 I'm sure there's a good reason why this isn't necessary?
 I want to check the files I've downloaded against something?
 Obviously I can check a few random mirrors to ensure
 that files are identical.  What are others doing?

buy a CD.
Really.

The chains of rust you were putting your trust in has flaws.

Nick.



Re: Trusting the Installation

2012-02-28 Thread Nico Kadel-Garcia
On Tue, Feb 28, 2012 at 9:44 PM, Nathan Stiles stiles.nat...@gmail.com wrote:

 Hello,
 I've recently installed 5.0 and based upon my experience
 I expected a checksum to be posted for the ISO.
 Also I've noticed that HTTPS isn't implemented on openbsd.org.
 I was also expecting the checksum to be served over HTTPS.
 I'm sure there's a good reason why this isn't necessary?
 I want to check the files I've downloaded against something?
 Obviously I can check a few random mirrors to ensure
 that files are identical.  What are others doing?

 Thanks,
 Nathan

There is a SHA256 file published in the same directory, which lists
checksums of the ISO's and other files.

This just came up in the Scientific Linux mailing list. While checksums are
useful, they're not helpful if both the checksum and the file itself are
corrupted. Someone (namely me!) also pointed out the possibility of
manipulating the FTP or HTTP transmission en route, and I pointed out the
risk of a Trojan infested mirror, Bittorrent, or other popular network
access source. It's why I'm happy to use Bittorrent to get ISO's in a
speedy fashion, but *ALWAYS* check the checksums against the original
source when download is complete.

Even a shipped CD has some subtle, secondary risks: if I put that copy in
my software box and put the ISO image online locally for building virtual
hosts (which I've done in the last year), what prevents some weasel at
work from replacing my ISO? Yes, I trust the people I work with, but
assuring the provenance of an ISO image can be a useful bit of extra
certainty. This is especially the case when your local mirror is *not* as
secure as you might like.
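
The check described above (ISO from BitTorrent or a mirror, checksum from the original source), together with Nathan's idea of comparing several mirrors, can be scripted. This is an added example, not part of any post in this thread; it assumes the published SHA256 file uses BSD-style `SHA256 (name) = digest` lines, and the function names and sample file are constructed for illustration.

```python
import hashlib
import re

# BSD-style line, the format assumed here for the published SHA256 file:
#   SHA256 (install50.iso) = <64 hex digits>
_ENTRY = re.compile(r"^SHA256 \((?P<name>[^()/]+)\) = (?P<hex>[0-9a-fA-F]{64})$")


def parse_sha256_file(text):
    """Parse a SHA256 file into {filename: digest}; fail closed on anything odd."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = _ENTRY.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not a SHA256 entry")
        name, digest = m["name"], m["hex"].lower()
        if entries.setdefault(name, digest) != digest:
            raise ValueError(f"line {lineno}: conflicting digests for {name}")
    return entries


def file_sha256(path, chunk_size=1 << 20):
    """Hash a file in chunks so a large ISO is never read into memory whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def verify_download(path, name, checksum_files):
    """checksum_files maps a source label to the text of the SHA256 file
    fetched from that source. Returns (ok, reason)."""
    if not checksum_files:
        return False, "no checksum source given"
    expected = {}
    for source, text in checksum_files.items():
        try:
            entries = parse_sha256_file(text)
        except ValueError as exc:
            return False, f"{source}: {exc}"
        if name not in entries:
            return False, f"{source}: no entry for {name}"
        expected[source] = entries[name]
    if len(set(expected.values())) > 1:
        return False, "checksum sources disagree: " + ", ".join(
            f"{s}={d[:12]}" for s, d in sorted(expected.items()))
    want = next(iter(expected.values()))
    got = file_sha256(path)
    if got != want:
        return False, f"digest mismatch: got {got[:12]}, expected {want[:12]}"
    return True, f"{name} matches {len(expected)} checksum source(s)"


if __name__ == "__main__":
    import os
    import tempfile
    # Constructed sample: a tiny stand-in "ISO" and two copies of its SHA256 file.
    with tempfile.NamedTemporaryFile(suffix=".iso", delete=False) as f:
        f.write(b"constructed stand-in for install50.iso\n")
    good = f"SHA256 (install50.iso) = {file_sha256(f.name)}\n"
    bad = "SHA256 (install50.iso) = " + "0" * 64 + "\n"
    print(verify_download(f.name, "install50.iso", {"origin": good, "mirror": good}))
    print(verify_download(f.name, "install50.iso", {"origin": good, "mirror": bad}))
    os.unlink(f.name)
```

Agreement between copies of the checksum file only helps when they were fetched over independent paths; a checksum file that travelled with the ISO is corrupted along with it.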



Re: Trusting the Installation

2012-02-28 Thread Nicolai
On Tue, Feb 28, 2012 at 09:44:15PM -0500, Nathan Stiles wrote:

 Obviously I can check a few random mirrors to ensure
 that files are identical.  What are others doing?

Buying CDs.  It's not just a donation as some characterize it.  You
get multiple architectures, initial source and ports trees, and loads of
packages.  Having the official CDs not only funds the project but also
saves you a bunch of time on installs and upgrades.

Nicolai



Re: Trusting the Installation

2012-02-28 Thread Tomas Bodzar
On Wed, Feb 29, 2012 at 3:44 AM, Nathan Stiles stiles.nat...@gmail.com
wrote:
 Hello,
 I've recently installed 5.0 and based upon my experience
 I expected a checksum to be posted for the ISO.

They are

 Also I've noticed that HTTPS isn't implemented on openbsd.org.

$ host openbsd.org
openbsd.org has address 199.185.137.3
openbsd.org mail is handled by 10 cvs.openbsd.org.
openbsd.org mail is handled by 6 shear.ucar.edu.

$ host www.openbsd.org
www.openbsd.org has address 142.244.12.42

use www.openbsd.org , reasons why are in archives (hint - it's not
security/privacy related)

 I was also expecting the checksum to be served over HTTPS.

Some exact reason for that? Especially regarding a lot of issues and
flaws discovered during last months/years in various implementations
of SSL/certificates/CAs? BTW it's open source project and there's eg.
CVS web where anyone can see code. If you are really interesting
target for someone then checksums served over HTTPS can slow him down
only by seconds.

 I'm sure there's a good reason why this isn't necessary?
 I want to check the files I've downloaded against something?
 Obviously I can check a few random mirrors to ensure
 that files are identical.  What are others doing?

Eg. with snapshots there are times when checksums are not correct on
mirrors and still snapshots are correct (details in FAQ).


 Thanks,
 Nathan



Re: Trusting the Installation

2012-02-28 Thread Jiri B
On Tue, Feb 28, 2012 at 09:44:15PM -0500, Nathan Stiles wrote:
 Hello,
 I've recently installed 5.0 and based upon my experience
 I expected a checksum to be posted for the ISO.
 Also I've noticed that HTTPS isn't implemented on openbsd.org.
 I was also expecting the checksum to be served over HTTPS.
 I'm sure there's a good reason why this isn't necessary?
 I want to check the files I've downloaded against something?
 Obviously I can check a few random mirrors to ensure
 that files are identical.  What are others doing?

man release

jirib



Re: Trusting the Installation

2012-02-28 Thread Janne Johansson
2012/2/29 Tomas Bodzar tomas.bod...@gmail.com:
 On Wed, Feb 29, 2012 at 3:44 AM, Nathan Stiles stiles.nat...@gmail.com
 I was also expecting the checksum to be served over HTTPS.

 Some exact reason for that? Especially regarding a lot of issues and
 flaws discovered during last months/years in various implementations
 of SSL/certificates/CAs?

[...]

  What are others doing?

Others, like the rest of the internet, are using those certificate
authorities (all 600+ of them?) as if they work, and make users
believe that since my browser says Chunghwa Telecom or NetLock
Halozatbiztonsagi Kft. is to be trusted, mylocalbank.com showing one of
their certs must be fine and dandy

Doing what others do isn't always adding to real security.

As everyone says, buying the CD is a solution for the really paranoid.
Going to a BSD conference where obsd devs and affiliates sell such CDs
even mitigates the evil post office CD-swapper issue.
If you aren't ready to shell out the bucks for one CD set, then it
can't really be important.

--
 To our sweethearts and wives.  May they never meet. -- 19th century toast