Hi,
We are going to use an OpenBSD system in a PCI-DSS compliant environment.
Is there any way we can prove to our PCI-DSS assessor that the OpenBSD
image we use for our installation can be checked so that it is the correct
one (is not modified in a malicious way by a third party)?
A https link
The sha256 file located in the directory with the installxx.iso image has the
sha256 checksum for all of the files in that directory.
On Sep 11, 2013, at 5:49 AM, Valentin Zagura put...@gmail.com wrote:
Hi,
We are going to use an OpenBSD system in a PCI-DSS compliant environment.
Is there
Yes, we know, but that file can also be easily compromised if it's not
available for download with a secure protocol (HTTPS)
On Wed, Sep 11, 2013 at 1:59 PM, Stan Gammons s_gamm...@charter.net wrote:
The sha256 file located in the directory with the installxx.iso image has
the sha256 checksum
On Wed, Sep 11, 2013 at 03:17:20PM +0300, Valentin Zagura wrote:
Yes, we know, but that file can also be easily compromised if it's not
available for download with a secure protocol (HTTPS)
So get the CD. You'll support the project as well.
-Otto
On Wed, Sep 11, 2013 at 1:59 PM,
+1 on this, to make sure that your OpenBSD Distribution is legit, get the
CD, support the project! What more could you ask for ;)
On Wed, Sep 11, 2013 at 4:58 AM, Peter N. M. Hansteen pe...@bsdly.net wrote:
On Wed, Sep 11, 2013 at 01:49:14PM +0300, Valentin Zagura wrote:
We are going to use
I love the stickers to enclose the box when getting a CD release, probably
easy to forge but so cool :-)
On Wed, Sep 11, 2013 at 9:00 AM, Beavis pfu...@gmail.com wrote:
+1 on this, to make sure that your OpenBSD Distribution is legit, get the
CD, support the project! What more could you ask
Thanks for the suggestion, we will probably order the CD.
But on the other hand, I hope that you realize that people in some
countries (Iran, China, Egypt, Syria) would not have this possibility and
they could be more affected by a compromise than we would be (they might
probably pay with their
So you publish something on a HTTPS page, which means that when the browser
says green padlock, it only says: this site was using a key signed by
someone who in turn was signed by someone out of a few hundred CAs in a
list which include companies in scary countries*. That will help a lot.
*)
also means somebody paid a lot of money for that green bar
On 09/11/2013 04:46 PM, Janne Johansson wrote:
So you publish something on a HTTPS page, which means that when the browser
says green padlock, it only says: this site was using a key signed by
someone who in turn was signed by someone
That could also mean This is THE openbsd.org site if you're using EFF SSL
Observatory.
On Wed, Sep 11, 2013 at 5:46 PM, Janne Johansson icepic...@gmail.com wrote:
So you publish something on a HTTPS page, which means that when the
browser says green padlock, it only says: this site was using a
On Wed, Sep 11, 2013 at 05:36:45PM +0300, Valentin Zagura wrote:
Thanks for the suggestion, we will probably order the CD.
But on the other hand, I hope that you realize that people in some
countries (Iran, China, Egypt, Syria) would not have this possibility and
they could be more affected
And from that we can deduce what?
$evil_country can't spend $10k to be able to intercept and silently MITM
all https?
2013/9/11 InterNetX - Robert Garrett robert.garr...@internetx.com
also means somebody paid a lot of money for that green bar
On 09/11/2013 04:46 PM, Janne Johansson wrote:
On 2013/09/11 16:46, Janne Johansson wrote:
So you publish something on a HTTPS page, which means that when the browser
says green padlock, it only says: this site was using a key signed by
someone who in turn was signed by someone out of a few hundred CAs in a
list which include companies in
I think you are missing two very important points that are addressed in
the official documentation and have been pointed out to you by other
respondents:
1. what you are asking for provides NO real added security, and perhaps
just the opposite through FALSE SENSE of security, and
2. the fact
I don't think I'm more paranoid than the average considering that Debian
has a way to do this (http://www.debian.org/CD/verify), Fedora has a way to
do this (https://fedoraproject.org/verify), even FreeBSD has a way to do
this (https://www.freebsd.org/releases/9.1R/announce.html).
The thought of
There's literally the same thing on the mirror?
http://ftp.openbsd.org/pub/OpenBSD/snapshots/amd64/SHA256
On Wed, Sep 11, 2013 at 1:53 PM, Valentin Zagura put...@gmail.com wrote:
I don't think I'm more paranoid than the average considering that Debian
has a way to do this
On Wed, Sep 11, 2013 at 01:57:22PM -0400, Brandon Mercer wrote:
There's literally the same thing on the mirror?
http://ftp.openbsd.org/pub/OpenBSD/snapshots/amd64/SHA256
This discussion is probably more suited for misc@, but as Brandon wrote,
SHA256 checksums are on all the mirrors. If you
On Wed, Sep 11, 2013 at 03:17:20PM +0300, Valentin Zagura wrote:
Yes, we know, but that file can also be easily compromised if it's not
available for download with a secure protocol (HTTPS)
If you're paranoid, build your own hardware from the ground up,
including designing your own CPU and
maintaining a mirror and a cvs sync tree is quite good too.
moreover you could have some https on your mirror
On Wed, Sep 11, 2013 at 1:53 PM, Valentin Zagura put...@gmail.com wrote:
I don't think I'm more paranoid than the average considering that Debian
has a way to do this
If I were a dissident in one of those countries, I would not trust a third
party with my life (but maybe I'm too paranoid).
AFAIK OpenBSD is Canada, not US, but again, I might be wrong.
On Wed, Sep 11, 2013 at 08:53:50PM +0300, Valentin Zagura wrote:
I don't think I'm more paranoid than the average considering that Debian
has a way to do this (http://www.debian.org/CD/verify), Fedora has a way to
do this (https://fedoraproject.org/verify), even FreeBSD has a way to do
this (
On Wed, Sep 11, 2013 at 08:42:46PM +0300, Valentin Zagura wrote:
The idea was to display a checksum of the files on such a https page.
Like for example https://www.freebsd.org/releases/9.1R/announce.html at the
bottom of the page.
On Wed, Sep 11, 2013 at 7:18 PM, Stuart Henderson
If I want this on FreeBSD I am alone, but here...
So this code checks the fingerprint, and does not bother to save it, because
it is never used, and that's good :-)
I read the code a bit:
pf.c : around line 3232
- - - - - -
case IPPROTO_TCP:
PF_TEST_ATTRIB(((r->flagset & th->th_flags) !=
I was saying that other projects do it in a way they feel comfortable with
and maybe you will find a way to do it that you are comfortable with.
Using https was one simple idea. I understand that you don't think that
this adds any value but maybe there are other ways like signing with PGP,
maybe
Since no one presented a case why sending from INADDR_ANY is a good
thing[tm], make it clear that it won't work.
The ifconfig(8) diff generates this output:
$ sudo ifconfig pflow0 up
$ ifconfig pflow0
pflow0: flags=1<UP> mtu 1492
priority: 0
pflow: sender: INVALID receiver:
On 11 September 2013 20:42, Valentin Zagura put...@gmail.com wrote:
The idea was to display a checksum of the files on such a https page.
Like for example https://www.freebsd.org/releases/9.1R/announce.html at the
bottom of the page.
Not sure whether this is already proposed but here's my two
On 2013/09/12 00:55, Ville Valkonen wrote:
Not sure whether this is already proposed but here's my two cents: why
not to check SHA256 sums from the various mirrors and perform the
comparison?
--
Cheers,
Ville Valkonen
How does this help prove that the files haven't been tampered with?
On Tue, Aug 27, 2013 at 01:39:14PM +0200, Martin Pieuchot wrote:
On 26/08/13(Mon) 13:36, Mike Belopuhov wrote:
hi,
in order to make our life a bit easier and prevent rogue
accesses to the routing table from the hardware interrupt
context violating all kinds of spl assumptions we would
On Thu, Aug 29, 2013 at 11:20:56AM +0200, Martin Pieuchot wrote:
On 27/08/13(Tue) 10:44, Kenneth R Westerback wrote:
On Tue, Aug 27, 2013 at 03:38:49PM +0200, Martin Pieuchot wrote:
So I started to play with the routine table and I'm slowly trying to
unify the various code paths to add