Re: Iso image integrity verification

2013-09-13 Thread Valentin Zagura
Security itself is not the primary issue here. The issue is to easily prove
to an assessor beyond reasonable doubt that you are running the right thing.
They will not worry about governments trying to break in with MITM-signed
SSL or about armies breaking in with the tanks. But they would worry about
me not building the image the right way, someone tampering with the image
or leaving the door unlocked at the server room.
Also, they require people to take responsibility for the thing they do (in
this case, CD images).


On Fri, Sep 13, 2013 at 1:56 AM, Kenneth R Westerback kwesterb...@rogers.com wrote:

 On Thu, Sep 12, 2013 at 07:52:22PM +0300, Valentin Zagura wrote:
   There is no entity
   that owns or can be held responsible for the code, or is capable
   of providing a solid evidentiary path from commit to your hands.

  I thought if we buy the CDs we WILL get a solid evidentiary path from
  commit to our hands.

  So this isn't the case?

 Physical email is as susceptible to MITM attacks as network connections. I
 know a story of laptops entering the mail system and car springs coming
 out the other end in the same box. :-)

 CDs will give you the best evidentiary path available. Compiling everything
 yourself with a compiler and hardware you built from piles of dirt in a
 clean room would be better. And then you still have to worry about nano
 technology being slipped into the dirt.

  Ken

 
 
 
 
  On Wed, Sep 11, 2013 at 1:58 PM, Peter N. M. Hansteen pe...@bsdly.net wrote:

   On Wed, Sep 11, 2013 at 01:49:14PM +0300, Valentin Zagura wrote:

    We are going to use an OpenBSD system in a PCI-DSS compliant environment.
    Is there any way we can prove to our PCI-DSS assessor that the OpenBSD
    image we use for our installation can be checked so that it is the correct
    one (is not modified in a malicious way by a third party) ?

   Probably not what you want to hear, but starting with
   http://www.openbsd.org/orders.html
   is usually an excellent idea in this context. Verifiably delivered from a
   trusted source.

    A https link to some kind of ISO checksum or something similar (but using
    strong cryptography) I think would do it, but I could not find any (except
    a line in the FAQ stating "If the men in black suits are out to get you,
    they're going to get you." which is not the case :) )

   It's possible some of the more prominent entries on
   http://www.openbsd.org/support.html
   could be persuaded to provide something like that (M:Tier comes to mind,
   but why are they not on that page?) in exchange for a reasonable fee.

   But again, for -RELEASE, the CD sets are a good starting point.

   - Peter

   --
   Peter N. M. Hansteen, member of the first RFC 1149 implementation team
   http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
   Remember to set the evil bit on all malicious network traffic
   delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
  



Iso image integrity verification

2013-09-11 Thread Valentin Zagura
Hi,

We are going to use an OpenBSD system in a PCI-DSS compliant environment.
Is there any way we can prove to our PCI-DSS assessor that the OpenBSD
image we use for our installation can be checked so that it is the correct
one (is not modified in a malicious way by a third party) ?
A https link to some kind of ISO checksum or something similar (but using
strong cryptography) I think would do it, but I could not find any (except
a line in the FAQ stating "If the men in black suits are out to get you,
they're going to get you." which is not the case :) )

Thanks,
Valentin Zagura


Re: Iso image integrity verification

2013-09-11 Thread Valentin Zagura
Yes, we know, but that file can also be easily compromised if it's not
available for download with a secure protocol (HTTPS)

On Wed, Sep 11, 2013 at 1:59 PM, Stan Gammons s_gamm...@charter.net wrote:

 The sha256 file located in the directory with the installxx.iso image has
 the sha256 checksum for all of the files in that directory.

 On Sep 11, 2013, at 5:49 AM, Valentin Zagura put...@gmail.com wrote:

  Hi,
 
  We are going to use an OpenBSD system in a PCI-DSS compliant environment.
  Is there any way we can prove to our PCI-DSS assessor that the OpenBSD
  image we use for our installation can be checked so that it is the correct
  one (is not modified in a malicious way by a third party) ?
  A https link to some kind of ISO checksum or something similar (but using
  strong cryptography) I think would do it, but I could not find any (except
  a line in the FAQ stating "If the men in black suits are out to get you,
  they're going to get you." which is not the case :) )
 
  Thanks,
  Valentin Zagura
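The sha256 file Stan Gammons refers to is a BSD-style checksum list with one line per file, of the form `SHA256 (filename) = <64 hex digits>`. The POSIX shell script below is an added example, not code from the thread or from OpenBSD: it looks up the image's base name in such a list, recomputes the digest with whatever sha256 tool is installed, and rejects an image whose digest differs or that is not listed at all. The file names, contents and the script name verify_iso.sh are constructed for the demonstration. As the rest of the thread argues, a match proves only that the image agrees with the list you obtained; if the list came over the same untrusted channel as the image, whoever can alter one can alter both, so the list itself needs an independent, authenticated path (a signature, or a copy obtained out of band).

```shell
#!/bin/sh
# Added example, not from the thread or from OpenBSD: check a downloaded image
# against the BSD-style SHA256 list published beside it. Each list line reads
#   SHA256 (install54.iso) = <64 hex digits>
# File names and hashes used in demo() below are constructed for illustration.

# Print the SHA-256 of file $1 as 64 lowercase hex digits, using whichever
# tool is available: sha256sum (GNU), sha256 (BSD), or openssl as a fallback.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        openssl dgst -sha256 "$1" | sed 's/^.*= //'
    fi
}

# Print the digest recorded for file name $2 in checksum list $1.
# Exits 1 and prints nothing when the name is not listed. (Names containing
# spaces are not handled; release file names have none.)
recorded_digest() {
    awk -v name="$2" '
        $1 == "SHA256" && $2 == ("(" name ")") { print tolower($4); found = 1 }
        END { exit !found }' "$1"
}

# verify_iso LIST IMAGE
# Returns 0 when IMAGE's digest equals the one recorded for its base name,
# 1 when they differ, 2 when IMAGE is not listed at all. The digests are
# compared as whole strings, so a truncated or prefix-only match still fails.
verify_iso() {
    vi_list=$1
    vi_image=$2
    vi_name=$(basename "$vi_image")
    vi_expected=$(recorded_digest "$vi_list" "$vi_name") || {
        echo "NOT LISTED: $vi_name is absent from $vi_list" >&2
        return 2
    }
    vi_actual=$(digest "$vi_image")
    if [ "$vi_actual" = "$vi_expected" ]; then
        echo "OK: $vi_name"
        return 0
    fi
    echo "MISMATCH: $vi_name" >&2
    echo "  recorded $vi_expected" >&2
    echo "  computed $vi_actual" >&2
    return 1
}

# Demonstration on constructed data: an untampered "image" passes, then the
# same file with one byte appended is rejected. Returns 0 if both outcomes
# are as expected.
demo() {
    d=$(mktemp -d)
    printf 'pretend this is an installer image\n' > "$d/install54.iso"
    printf 'SHA256 (install54.iso) = %s\n' "$(digest "$d/install54.iso")" > "$d/SHA256"
    good=0; verify_iso "$d/SHA256" "$d/install54.iso" || good=$?
    printf 'X' >> "$d/install54.iso"          # simulate a tampered download
    bad=0;  verify_iso "$d/SHA256" "$d/install54.iso" || bad=$?
    rm -rf "$d"
    [ "$good" -eq 0 ] && [ "$bad" -eq 1 ]
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

Run `sh verify_iso.sh demo` for the self-check on constructed files, or source the script and call `verify_iso SHA256 install54.iso` in the directory where both were downloaded. The three distinct exit codes matter in practice: "not listed" usually means the wrong list (a different release or architecture) rather than tampering, and should be investigated separately from a real mismatch.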



Re: Iso image integrity verification

2013-09-11 Thread Valentin Zagura
Thanks for the suggestion, we will probably order the CD.

But on the other hand, I hope that you realize that people in some
countries (Iran, China, Egypt, Syria) would not have this possibility and
they could be more affected by a compromise than we would be (they might
probably pay with their lives) and I hope you guys are also thinking of
them.

Thanks,
Valentin Zagura


On Wed, Sep 11, 2013 at 1:58 PM, Peter N. M. Hansteen pe...@bsdly.net wrote:

 On Wed, Sep 11, 2013 at 01:49:14PM +0300, Valentin Zagura wrote:

  We are going to use an OpenBSD system in a PCI-DSS compliant environment.
  Is there any way we can prove to our PCI-DSS assessor that the OpenBSD
  image we use for our installation can be checked so that it is the correct
  one (is not modified in a malicious way by a third party) ?

 Probably not what you want to hear, but starting with
 http://www.openbsd.org/orders.html
 is usually an excellent idea in this context. Verifiably delivered from a
 trusted source.

  A https link to some kind of ISO checksum or something similar (but using
  strong cryptography) I think would do it, but I could not find any (except
  a line in the FAQ stating "If the men in black suits are out to get you,
  they're going to get you." which is not the case :) )

 It's possible some of the more prominent entries on
 http://www.openbsd.org/support.html
 could be persuaded to provide something like that (M:Tier comes to mind,
 but why are they not on that page?) in exchange for a reasonable fee.

 But again, for -RELEASE, the CD sets are a good starting point.

 - Peter

 --
 Peter N. M. Hansteen, member of the first RFC 1149 implementation team
 http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
 Remember to set the evil bit on all malicious network traffic
 delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: Iso image integrity verification

2013-09-11 Thread Valentin Zagura
That could also mean "This is THE openbsd.org site" if you're using the EFF SSL
Observatory.


On Wed, Sep 11, 2013 at 5:46 PM, Janne Johansson icepic...@gmail.com wrote:

 So you publish something on a HTTPS page, which means that when the
 browser says green padlock, it only says: this site was using a key
 signed by someone who in turn was signed by someone out of a few hundred
 CAs in a list which include companies in scary countries*. That will help
 a lot.


 *) Please exchange the list of scary countries to whatever scares you in
 your particular example. For Syria it could be the US, for US it could be
 Syria. Or some other combination of opposition.



 2013/9/11 Valentin Zagura put...@gmail.com

 Thanks for the suggestion, we will probably order the CD.

 But on the other hand, I hope that you realize that people in some
 countries (Iran, China, Egypt, Syria) would not have this possibility and
 they could be more affected by a compromise than we would be (they might
 probably pay with their lives) and I hope you guys are also thinking of
 them.

 Thanks,
 Valentin Zagura


 On Wed, Sep 11, 2013 at 1:58 PM, Peter N. M. Hansteen pe...@bsdly.net wrote:

  On Wed, Sep 11, 2013 at 01:49:14PM +0300, Valentin Zagura wrote:

   We are going to use an OpenBSD system in a PCI-DSS compliant environment.
   Is there any way we can prove to our PCI-DSS assessor that the OpenBSD
   image we use for our installation can be checked so that it is the correct
   one (is not modified in a malicious way by a third party) ?

  Probably not what you want to hear, but starting with
  http://www.openbsd.org/orders.html
  is usually an excellent idea in this context. Verifiably delivered from a
  trusted source.

   A https link to some kind of ISO checksum or something similar (but using
   strong cryptography) I think would do it, but I could not find any (except
   a line in the FAQ stating "If the men in black suits are out to get you,
   they're going to get you." which is not the case :) )

  It's possible some of the more prominent entries on
  http://www.openbsd.org/support.html
  could be persuaded to provide something like that (M:Tier comes to mind,
  but why are they not on that page?) in exchange for a reasonable fee.

  But again, for -RELEASE, the CD sets are a good starting point.

  - Peter

  --
  Peter N. M. Hansteen, member of the first RFC 1149 implementation team
  http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
  Remember to set the evil bit on all malicious network traffic
  delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

 --
 May the most significant bit of your life be positive.



Re: Iso image integrity verification

2013-09-11 Thread Valentin Zagura
I don't think I'm more paranoid than the average considering that Debian
has a way to do this (http://www.debian.org/CD/verify), Fedora has a way to
do this (https://fedoraproject.org/verify), even FreeBSD has a way to do
this (https://www.freebsd.org/releases/9.1R/announce.html).

The thought of being more paranoid than an OpenBSD guy is not very
comfortable :)


On Wed, Sep 11, 2013 at 8:13 PM, Daniel Bolgheroni dan...@bolgh.eng.br wrote:

 On Wed, Sep 11, 2013 at 03:17:20PM +0300, Valentin Zagura wrote:
  Yes, we know, but that file can also be easily compromised if it's not
  available for download with a secure protocol (HTTPS)

 If you're paranoid, build your own hardware from the ground up,
 including designing your own CPU and complementary circuits, download
 all the sources, audit them all, compile and then run.

 You can't be fooled by wrong measurements of security.



Re: Iso image integrity verification

2013-09-11 Thread Valentin Zagura
If I were a dissident in one of those countries, I would not trust a third
party with my life (but maybe I'm too paranoid).
AFAIK OpenBSD is Canada, not US, but again, I might be wrong.


Re: Iso image integrity verification

2013-09-11 Thread Valentin Zagura
I was saying that other projects do it in a way they feel comfortable with
and maybe you will find a way to do it that you are comfortable with.
Using https was one simple idea. I understand that you don't think that
this adds any value but maybe there are other ways like signing with PGP,
maybe using SSH somehow or having Theo de Raadt saying the SHA checksums on
a video on youtube at each release :) or some other simple and effective
way that you are comfortable with.
I just wanted to point out that one cannot easily show his security
assessor that one has the right images using some industry standard ways,
or someone living in a country that has an oppressive government and would
download the image through Tor could have some problems if the exit node is
malicious.
If you feel that any kind of verification is futile, it's ok, that would
not stop us from buying the CDs.


On Wed, Sep 11, 2013 at 10:32 PM, Kenneth R Westerback kwesterb...@rogers.com wrote:

 On Wed, Sep 11, 2013 at 08:53:50PM +0300, Valentin Zagura wrote:
  I don't think I'm more paranoid than the average considering that Debian
  has a way to do this (http://www.debian.org/CD/verify), Fedora has a way to
  do this (https://fedoraproject.org/verify), even FreeBSD has a way to do
  this (https://www.freebsd.org/releases/9.1R/announce.html).

 So you're saying that less paranoid projects are doing it, so why doesn't
 OpenBSD join the crowd and provide some fuzzy feel good but pointless
 security theatre? :-)

 
  The thought of being more paranoid than an OpenBSD guy is not very
  comfortable :)

 Don't worry. You're apparently not paranoid enough yet. The true practical
 paranoid does not waste time on such mummery.

  Ken

 
 
  On Wed, Sep 11, 2013 at 8:13 PM, Daniel Bolgheroni dan...@bolgh.eng.br wrote:

   On Wed, Sep 11, 2013 at 03:17:20PM +0300, Valentin Zagura wrote:
    Yes, we know, but that file can also be easily compromised if it's not
    available for download with a secure protocol (HTTPS)
  
   If you're paranoid, build your own hardware from the ground up,
   including designing your own CPU and complementary circuits, download
   all the sources, audit them all, compile and then run.
  
   You can't be fooled by wrong measurements of security.