Re: Code signing in OpenBSD

[Martin Schröder]

2007/12/5, Marco Peereboom [EMAIL PROTECTED]:
 have you ever wondered why openbsd doesn't do binary updates?

And what are package updates?

Does pkg_add -u even check an e.g. md5 or does it trust the server?

Best
   Martin

Re: hoststated - some questions

[Pierre-Yves Ritschard]

[sent to wrong list]

 Also hoststatectl reload does not work for me.
 
 [EMAIL PROTECTED] root# hoststatectl reload
 command failed
 
 Expected behavior?
 

Unfortunately, yes.
reload currently does not work for layer7 (relay) configurations.
it should be available before 4.3 though.

Re: Code signing in OpenBSD

[Rui Miguel Silva Seabra]

On Thu, Dec 06, 2007 at 12:37:19PM +0800, Lars Hansson wrote:
 On Dec 6, 2007 2:46 AM, Rui Miguel Silva Seabra [EMAIL PROTECTED] wrote:
  Come on... twice a year and get the benefit of not being excluded from
  company policies which require digital signature of software downloaded
  through the internet.
 
 It's not really OpenBSD's problem that some companies implement pointless
 security policies.

I'm not discussing wether its pointless or not, maybe you don't want
OpenBSD to be used at all?

Rui

-- 
Grudnuk demand sustenance!
Today is Setting Orange, the 48th day of The Aftermath in the YOLD 3173
+ No matter how much you do, you never do enough -- unknown
+ Whatever you do will be insignificant,
| but it is very important that you do it -- Gandhi
+ So let's do it...?

Re: Code signing in OpenBSD

[Rui Miguel Silva Seabra]

On Wed, Dec 05, 2007 at 02:23:41PM -0600, Marco Peereboom wrote:
 blah blah blah
 
 have you ever wondered why openbsd doesn't do binary updates?

I'm not talking about updates, I can read C.

 maybe you are now going to be able to figure out why we don't need
 complex signing mechanisms.

You're ignoring that it is perhaps quite insane to expect anyone to
verify every single line of code, and a (so far very much deserved)
trust is given to the developers. Which is why I would very much like to
be absolutely sure the CD I bought brought the release the developers
intended to publish.

This is not about downloading OpenBSD, but of having a quite measurable
degree of trust that what you have is what you were supposed to have.

Btw, it would be much better to use a hashing algorithm stronger
than MD5, even on the file signed by an OpenPGP or X.509 certificate.

Rui

-- 
Wibble.
Today is Setting Orange, the 48th day of The Aftermath in the YOLD 3173
+ No matter how much you do, you never do enough -- unknown
+ Whatever you do will be insignificant,
| but it is very important that you do it -- Gandhi
+ So let's do it...?

Re: Code signing in OpenBSD

[Hannah Schroeter]

Hi!

On Wed, Dec 05, 2007 at 12:15:01PM -0500, bofh wrote:
On Dec 5, 2007 11:46 AM, new_guy [EMAIL PROTECTED] wrote:
 Can you dismiss PKI and the benefits that OpenPGP signatures provide to your
 user community? Knowing that xyz binary is signed by OpenBSD for
 distribution or abc email came from an official OpenBSD source is a good
 thing. Trojaned binaries and forged emails happen. PKI can help mitigate
 this. The benefit of PKI is widely known and accepted and does not need to
 be rehashed here. I'm surprised that OpenBSD (the most secure OS I know of)
 does not use it, that's all I'm saying. I also thought there would be a real
 reason for not doing so and there may in fact be and I may just be unaware
 of it.

What are the risks you are trying to address?

One risk would be the plans of online surveillance of computers e.g.
in Germany. One way to install surveillance even on OpenBSD would be to
actively interfere with the internet connection with the surveilled
person, in the man-in-the-middle sense, and inject trojanned code
(Bundestrojaner) into the updates of the victim.

Using OpenBSD CDs doesn't protect the victim from attacks like that
that much because many people need ports/packages and to get fixes one
virtually has to use -current most of the time, and to update -current,
one often uses snapshots over non-secured transfers (ftp, rsync, source
via cvsync/cvsup). The only exception I know of is anoncvs via ssh,
but then, the CDs, IIRC, don't even ship with a known_hosts file for
the anoncvs servers.

As the talk about those online surveillance plans includes talk about
tailored attacks for each victim, they could investigate which OS one
uses and which ways of updating, so they could tailor their attack
vector appropriately.

Yes, *I*'d be vulnerable. I'd be not if I had a public key (and anoncvs
known_hosts file) from CD, perhaps also cvsync with cryprographic
integrity protection and public key (fingerprints) from CD, etc.

So the online surveillance stuff would perhaps not only affect Windoze
boxen as some people would come to think, even though the installation
of a trojan is, of course, usually much easier for Windoze than for
OpenBSD (or even a Linux installation if people with some skills operate
them).

Yes, of course cryptographic integrity protection wouldn't secure
OpenBSD against all kinds of attack vectors, but against *some*. Yes, it
comes at a cost. And I don't know whether the cost is really worth
while...

But I question whether it's really sound to just dismiss it beforehand.

[...]

Kind regards,

Hannah.

Re: Code signing in OpenBSD

[Hannah Schroeter]

Hi!

On Wed, Dec 05, 2007 at 01:24:49PM -0700, Bob Beck wrote:
   If you want a secure binary. buy an official CD.. This is
what most people do.  PKI requires infrastructure that would cost OpenBSD
money and developer time. Official CD's keep OpenBSD alive. 

Doesn't help you if you want fixes for ports/packages or even the base
OS. Once you want that, you have to update over the net, and as I said
in my other mail, here you have no clear protection. Or do the CDs at
least carry a known_hosts file for the anoncvs servers, inbetween?

[...]

Kind regards,

Hannah.

Re: Code signing in OpenBSD

[Hannah Schroeter]

Hi!

On Wed, Dec 05, 2007 at 06:46:15PM -0500, STeve Andre' wrote:
[...]

You know, you're descending into a recursive loop of if, if, if... and
it never ends.  OF COURSE if someone breaks into the site they could
do things--once you've lost control of your site all bets are off.  I dare
say that someone breaking into a site might find all the appropriate
tools to re-sign things, too, and do the spoof that way.

If I released code with cryptographic signatures, I'd not leave a secret
key file, nor a passphrase on the servers with the master web/ftp
site. I'd sign on a box you can't access from the master site (nor
the mirrors). So, no, the attacker would *not* gain access to signing
tools (ok, yes, the tools, perhaps, like gpg or openssl, but not the
key material).

--STeve Andre'

Kind regards,

Hannah.

Re: Code signing in OpenBSD

[Lars Noodén]

Hannah Schroeter wrote:
...
 As the talk about those online surveillance plans includes talk about
 tailored attacks for each victim, they could investigate which OS one
 uses and which ways of updating, so they could tailor their attack
 vector appropriately.
...

Some of this is mitigated in that when using OpenBSD, the connections to
the repositories is signed.  Though, it looks like HTTP transfers are
not, and there is the question of getting the initial installation
packages.

If the installation process (from the purchased CDs) had a list of the
public keys for the official mirror sites, then that would go a long
way.  Having the installation process pre-load the keys into the data
for the ssh, ftp and afs clients would be even fancier.

-Lars

Re: Code signing in OpenBSD

[Stuart Henderson]

On 2007/12/06 13:12, Lars Noodin wrote:
 
 If the installation process (from the purchased CDs) had a list of the
 public keys for the official mirror sites, then that would go a long
 way.

That would make it rather hard to revoke a key if there ever
was a problem.

Re: Code signing in OpenBSD

[Hannah Schroeter]

Hi!

On Thu, Dec 06, 2007 at 11:23:37AM +, Stuart Henderson wrote:
On 2007/12/06 13:12, Lars Noodin wrote:

 If the installation process (from the purchased CDs) had a list of the
 public keys for the official mirror sites, then that would go a long
 way.

That would make it rather hard to revoke a key if there ever
was a problem.

Key revocation lists in some form? If it's gpg/OpenPGP, instruct users
to update from keyservers, one will notice when there're
incompatibilities between the key from CD and the one from the
keyserver, but one will also get the revocation from the keyserver. And
if one buys every CD, there's the time window of half a year even
without a key revocation infrastructure.

Kind regards,

Hannah.

Re: Code signing in OpenBSD

[Hannah Schroeter]

Hi!

On Thu, Dec 06, 2007 at 01:12:02PM +0200, Lars Noodin wrote:
Hannah Schroeter wrote:
...
 As the talk about those online surveillance plans includes talk about
 tailored attacks for each victim, they could investigate which OS one
 uses and which ways of updating, so they could tailor their attack
 vector appropriately.
...

Some of this is mitigated in that when using OpenBSD, the connections to
the repositories is signed.  Though, it looks like HTTP transfers are
not, and there is the question of getting the initial installation
packages.

Have I missed something? Last time I checked, it was plain http/ftp for
retrieving the base tarballs as well as the packages.

[...]

Kind regards,

Hannah.

Re: /var/log/messages permissions in 4.2

[Nick Holland]

Douglas A. Tutty wrote:
 On Tue, Dec 04, 2007 at 02:30:28PM -0800, Bryan Irvine wrote:
  What would be the rationale for 640? ;)
 
 Well according to cvs log:
 it can be easily changed if you like it another way. millert,
 
 So I guess one rationale might be as simple as because  ;)
 
 
 Does anything get posted to the log that a normal user should not see?
 I suppose it depends on the machine's context.  Can traffic analysis on
 the log be used to determine what another user is doing any more than
 watching top?  If you're concerned about normal users reading logs, you
 need to look at those logs and determine why you are concerned and 
 determine the implcations of those concerns.
 
 Doug.

The other question:

Does the stuff there need to be seen so often that administrative users
might be tempted to do a sudo -s over sudo more ..., and then do
something stupid that would have been a non-event if they weren't root?

Difficult to maintain does NOT equal secure.
Difficult to maintain usually means improperly maintained, and that
usually means insecure.

IF you are producing messages output that the general users should NOT
be seeing, go ahead, change the access permissions!  If you look at the
number of systems that either have
 1) only administrative users or
 2) have nothing secret going to /var/log/messages
you have probably covered the vast majority of OpenBSD systems.  So, I
don't want to see the vast majority of systems made more difficult to
administer and perhaps prompting the user to live as root more than
needed.

Glancing through the /var/log/messages files on a few of my machines,
I found nothing I wouldn't be more than happy to post to the Internet,
other than the rather anemic specs might be a bit embarrassing, but I
found that I was glad I didn't have to have root privs to look at
them.

Nick.

Open BSD Physical Storage

[Shachi Rai]

Hi,

Currently I am facing a small problem in OpenBSD. I want to get the
information about the total physical Storage and the partition table
(mounted and unmounted). Please let me know if there is any way out for 
getting this information.


-- 
View this message in context: 
http://www.nabble.com/Open-BSD-Physical-Storage-tf4956022.html#a14192231
Sent from the openbsd user - misc mailing list archive at Nabble.com.

PF and queuing question

[Stefan Castille]

hey,

I have a question on how to best limit traffic with pf. The main
goal is not so much to limit bandwidth to a lower point all the
time but more to prevent a runaway process (or user) from
drowning the rest.

Since i do not have the means for extensive testing i hope to
get some pointers before going down a path that would only waste
time and resources. I have the following situation (simplified):

/-vlan1  ==1Gb== desktops
internet ==512Kb==bge0 PF

\-vlan2  ==1Gb== production

I want to make sure production has at least 256Kb both upload as
download on the internet connection.

1) I know it will not stop flooding of the line by 3rd parties. This is 
not the goal
of the rules. The goal is to prevent a download initiated by a server or 
user

from taking up all the download bandwidth

2) I was thinking of using a shared queue on vlan1 and vlan2 but I could 
not find

any documentation whether that is possible at all.
Would the following work and actually limit download traffic? If not 
then I guess
I will have to create separate download queues of max 400Kb so ensure at 
least

some bandwidth remains for the other side.

altq on bge0 cbq bandwidth 512Kb queue { ext-prod,  ext-desktop }
altq on vlan1 cbq bandwidth 1Gb queue { download, default-desktop }
altq on vlan2 cbq bandwidth 1Gb queue { download, default-prod }
queue download bandwidth 512Kb  { download_prod, download_desktop }
queue download_prod bandwidth 50% priority 3 cbq(borrow)
queue download_desktop bandwidth 50% priority 1 cbq(borrow)
pass in quick on bge0 from any to production keep state queue 
download_prod

pass out quick on vlan2 from any to production keep state queue ext-prod
pass in quick on vlan2 from production to any keep state queue ext-prod
pass out quick on vlan2 from production to any keep state queue 
download_prod
pass in quick on bge0 from any to desktop keep state queue 
download_desktop

pass out quick on vlan2 from any to desktop keep state queue ext-desktop
pass in quick on vlan2 from desktop to any keep state queue ext-desktop
pass out quick on vlan2 from desktop to any keep state queue 
download_desktop



Is this idea going in the right direction or is there a much better way 
to do this?


Thanks,
Stefan

Re: Open BSD Physical Storage

[Hannah Schroeter]

Hi!

On Thu, Dec 06, 2007 at 05:21:08AM -0800, Shachi Rai wrote:
Currently I am facing a small problem in OpenBSD. I want to get the
information about the total physical Storage and the partition table
(mounted and unmounted). Please let me know if there is any way out for 
getting this information.

I don't exactly understand what you really want. But I guess you want to
check which disks exist: grep '^[sw]d' /var/run/dmesg.log (I guess that
should cover most disk devices, save for very exotic stuff and floppy
disks).

For exact information, see fdisk(8), disklabel(8), and df(1). For
potential mounts, see fstab(5), for actual mounts, see mount(8).

Kind regards,

Hannah.

Re: Open BSD Physical Storage

[Josh Grosse]

On Thu, 6 Dec 2007 05:21:08 -0800 (PST), Shachi Rai wrote
 Hi,
 
 Currently I am facing a small problem in OpenBSD. I want to get the
 information about the total physical Storage and the partition table
 
 (mounted and unmounted). Please let me know if there is any way out 
 for getting this information.

Disklabel information, which includes the physical drive (partition c) can be
obtained from the disklabel(8) command.  If the drive has non-OpenBSD MBR
partitions, *and* the disklabel was built after those MBR partitions were
created, they will have assigned partitions in the disklabel.

Show, in gigabytes, the layout of SCSI drive #0:

# disklabel -p g sd0

Show, in megabytes, the layout of IDE/ATA drive #1:

# disklabel -p m wd1

Show, in gigabytes/megabytes/kilobytes as needed, the capacity and current
utilization of all mounted disks:

$ df -h

Re: Open BSD Physical Storage

[Shachi Rai]

Hi,

Great to see  your reply,

I would like to explain you in detail,

I am currently writing a java code which tries to find out the total
physical storage of an OpenBSD machine. Infact I would like to know the
complete partition table in an OPenBSD machine.

I have gone through the disklabel and fdisk command but both these command
take the device name as a parameter. So my first question would be to know
all the devices which are attached and may or may not be mounted. Once this
is obtained, I would run the above commands to get the information about
each device.

Or 

Is there any option which would directly give the complete physical storage
information.

Hannah Schroeter wrote:
 
 Hi!
 
 On Thu, Dec 06, 2007 at 05:21:08AM -0800, Shachi Rai wrote:
Currently I am facing a small problem in OpenBSD. I want to get the
information about the total physical Storage and the partition table
(mounted and unmounted). Please let me know if there is any way out for 
getting this information.
 
 I don't exactly understand what you really want. But I guess you want to
 check which disks exist: grep '^[sw]d' /var/run/dmesg.log (I guess that
 should cover most disk devices, save for very exotic stuff and floppy
 disks).
 
 For exact information, see fdisk(8), disklabel(8), and df(1). For
 potential mounts, see fstab(5), for actual mounts, see mount(8).
 
 Kind regards,
 
 Hannah.
 
 
 

-- 
View this message in context: 
http://www.nabble.com/Open-BSD-Physical-Storage-tf4956022.html#a14192828
Sent from the openbsd user - misc mailing list archive at Nabble.com.

Re: Open BSD Physical Storage

[Alexander Hall]

Shachi Rai wrote:

Hi,

Great to see  your reply,

I would like to explain you in detail,

I am currently writing a java code which tries to find out the total
physical storage of an OpenBSD machine. Infact I would like to know the
complete partition table in an OPenBSD machine.

I have gone through the disklabel and fdisk command but both these command
take the device name as a parameter. So my first question would be to know
all the devices which are attached and may or may not be mounted. Once this
is obtained, I would run the above commands to get the information about
each device.


Try `sysctl -n hw.disknames'

then run disklabel on each of them

That might give you what you want.

/Alexander

Re: Open BSD Physical Storage

[Josh Grosse]

On Thu, 6 Dec 2007 05:57:17 -0800 (PST), Shachi Rai wrote
 ...So my first question would be 
 to know all the devices which are attached...

$ sysctl hw.disknames

 .. and may or may not be 
 mounted

$ df

Re: Code signing in OpenBSD

[Lars Noodén]

Hannah Schroeter wrote:
 ...
 AFS is also encrypted, but unless its used to
 get all the tarballs and make them accessible locally (e.g. make a cd)
 it's not a help during the installation.
 
 I don't know enough about AFS to say anything about how to secure it
 from the beginning on.

I'm not very knowledgeable, but have been looking at the documenation
lately:
http://www.openafs.org/pages/doc/AdminGuide/auagd007.htm#HDRWQ75

 ...
 Given the existence of Windows servers (aka compromised machines) on
 many networks, there are many chances for traffic to be intercepted,
 often even DNS.  So man-in-the-middle attacks appear to be theoretically
 easy during the first part of an OpenBSD network installation.
 
 Yes, alas. And especially, for government legal interception, where
 they could legally enlist help from ISPs.

So, intentional (corporate or government agreement with ISP) or
unintentional (use of M$ on ISP DNS server), could allow the initial
installation to become compromised, perhaps in a hard-to-detect way.

None of this seems to be solved in the installation guide:
http://openbsd.org/faq/faq4.html

Again, it looks like it might come down to keys or fingerprints and that
the network install might be depreciated.  Rather, download, verify,
then install.

-Lars

Re: Open BSD Physical Storage

[Stuart Henderson]

On 2007/12/06 05:57, Shachi Rai wrote:
 I have gone through the disklabel and fdisk command but both these command
 take the device name as a parameter. So my first question would be to know
 all the devices which are attached and may or may not be mounted.

sysctl hw.disknames

Re: Code signing in OpenBSD

[bofh]

At this point, it's probably a good idea to point out there's a paper
called Trusting Trust about your everyday C compiler...


On 12/6/07, Lars Noodin [EMAIL PROTECTED] wrote:
 Hannah Schroeter wrote:
  ...
  AFS is also encrypted, but unless its used to
  get all the tarballs and make them accessible locally (e.g. make a cd)
  it's not a help during the installation.
 
  I don't know enough about AFS to say anything about how to secure it
  from the beginning on.

 I'm not very knowledgeable, but have been looking at the documenation
 lately:
   http://www.openafs.org/pages/doc/AdminGuide/auagd007.htm#HDRWQ75

  ...
  Given the existence of Windows servers (aka compromised machines) on
  many networks, there are many chances for traffic to be intercepted,
  often even DNS.  So man-in-the-middle attacks appear to be theoretically
  easy during the first part of an OpenBSD network installation.
 
  Yes, alas. And especially, for government legal interception, where
  they could legally enlist help from ISPs.

 So, intentional (corporate or government agreement with ISP) or
 unintentional (use of M$ on ISP DNS server), could allow the initial
 installation to become compromised, perhaps in a hard-to-detect way.

 None of this seems to be solved in the installation guide:
   http://openbsd.org/faq/faq4.html

 Again, it looks like it might come down to keys or fingerprints and that
 the network install might be depreciated.  Rather, download, verify,
 then install.

 -Lars




--
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
This officer's men seem to follow him merely out of idle curiosity.
-- Sandhurst officer cadet evaluation.
Securing an environment of Windows platforms from abuse - external or
internal - is akin to trying to install sprinklers in a fireworks
factory where smoking on the job is permitted.  -- Gene Spafford

Re: Code signing in OpenBSD

[Douglas A. Tutty]

On Thu, Dec 06, 2007 at 11:48:55AM +0100, Hannah Schroeter wrote:
 
 One risk would be the plans of online surveillance of computers e.g.
 in Germany. One way to install surveillance even on OpenBSD would be to
 actively interfere with the internet connection with the surveilled
 person, in the man-in-the-middle sense, and inject trojanned code
 (Bundestrojaner) into the updates of the victim.

Using software from any source without interference from an
all-pervasive government is a very special, but unfortunatly today, a
very real issue for many people around the world.  To be secure, you
have to get pieces of the puzzle over multiple paths.  It all can't come
via the net since then you're open to man-in-the-middle.  

Key-revocation announcements could come over the net (via an announce
list) but the new key would then have to come over a second channel.

One second-channel option is the q6mth CD issue, which could include a
new public key and e.g. known-hosts fingerprints.  This is vulnerable to
a very determined man-in-the-middle who can replicate and then alter the
CD before it arrives to you in the mail.

Another option is a trusted courier flying to Alberta and get a CD from
the OpenBSD store  (yeah, right).

In fact, likely any other technological option (e.g. an answering
machine in Alberta that spits out the alphanumerics of the current
master public key) is still suceptible.

If every piece of information you receive is filter through your
government, is there any hand-shaking protocol that can allow you to
establish a verified information connection (not necessarily encrypted)?
I don't think so.

Sure, Debian has signed .debs that use gpg as a back end (the system is
called apt-key), it relies on you trusting the fist key that you get
from them.  Since Debian doesn't actually mail out its own CDs,
everything is off its mirrors.  apt-key only 'protects' you from a later
man-in-the-middle.

I think that this is the central 'problem' that people are dancing
around.  

Personally, if this thread is to continue, I would like to see it move
from a Why doesn't OpenBSD do things this way? to a What are the
threat models for OpenBSD identity theft and how can we protect
ourselves?.

Doug.

Re: Code signing in OpenBSD

[Lars Noodén]

bofh wrote:
 At this point, it's probably a good idea to point out there's a paper
 called Trusting Trust about your everyday C compiler...

Yeah.  It recently disappeared from the ACM's web site after 11+ years
of availability:
http://www.acm.org/classics/oct95/
There is, fortunately, the author's copy:
http://cm.bell-labs.com/who/ken/trust.html

There is an interesting follow up:
http://www.dwheeler.com/trusting-trust/
summary of the followup:
 http://www.schneier.com/blog/archives/2006/01/countering_trus.html

The bottom line, however, is that having and using the source is not
optional.

Thus, patches are provided in OpenBSD as source...

But, starting from an initial set of some binaries is adequate for many
uses, just as long as we can make reasonably sure that those binaries
come from who they are supposed to / we expect them to.

The install process ought to be fairly clear about the origin,
authenticity and integrity of those initial binaries.  No need to build
on more of a sand foundation than necessary.

-Lars

Re: /var/log/messages permissions in 4.2

[Douglas A. Tutty]

On Thu, Dec 06, 2007 at 07:05:07AM -0500, Nick Holland wrote:
 Douglas A. Tutty wrote:
  On Tue, Dec 04, 2007 at 02:30:28PM -0800, Bryan Irvine wrote:
   What would be the rationale for 640? ;)
  
  Well according to cvs log:
  it can be easily changed if you like it another way. millert,
  
  So I guess one rationale might be as simple as because  ;)
  
  Does anything get posted to the log that a normal user should not see?
  I suppose it depends on the machine's context.  Can traffic analysis on
  the log be used to determine what another user is doing any more than
  watching top?  If you're concerned about normal users reading logs, you
  need to look at those logs and determine why you are concerned and 
  determine the implcations of those concerns.
 
 The other question:
 
 Does the stuff there need to be seen so often that administrative users
 might be tempted to do a sudo -s over sudo more ..., and then do
 something stupid that would have been a non-event if they weren't root?
 
 Difficult to maintain does NOT equal secure.
 Difficult to maintain usually means improperly maintained, and that
 usually means insecure.
 
 IF you are producing messages output that the general users should NOT
 be seeing, go ahead, change the access permissions!  If you look at the
 number of systems that either have
  1) only administrative users or
  2) have nothing secret going to /var/log/messages
 you have probably covered the vast majority of OpenBSD systems.  So, I
 don't want to see the vast majority of systems made more difficult to
 administer and perhaps prompting the user to live as root more than
 needed.
 
 Glancing through the /var/log/messages files on a few of my machines,
 I found nothing I wouldn't be more than happy to post to the Internet,
 other than the rather anemic specs might be a bit embarrassing, but I
 found that I was glad I didn't have to have root privs to look at
 them.

I think you may have overstated things a bit.  They are readable by
group wheel.  Anyone who you could set up with sudo to read the logs
could be in group wheel.  Unless you have layers of admins, but then you
would probably add an 'adm' group and change the file's group from wheel
to adm.

Doug.

Re: Code signing in OpenBSD

[Lars Noodén]

Douglas A. Tutty wrote:
 Using software from any source without interference from an
 all-pervasive government is a very special,...

It's not all about governments.  Corporate espionage is probably a
larger, more active threat, especially to OpenBSD.

cui bono?

If we assume for the sake of argument that the printed CDs are ok, then
there is at least one method for distributing keys and/or building a web
of trust.

-Lars

Re: OpenBSD4.1 IPSEC - transport_send_messages: giving up on exchange

[Marcus Andree]

We've got similar problems about a year ago, when we deployed a
massive installation of vpn/ipsec clients based on isakmpd.

When testing the client robustness to a series of events, like physically
disconnecting network cables, simulating power failures and such, we
saw the same pattern.

Our solution was to use an external program to send simple icmp
packets to our internal network and restart isakmpd once detecting
the tunnel is down.

A web search has showed us that tunnel recreation is complex and
frequently involves non-standard implemmentations. Sometimes, this
process fails and it should be considered an external watchdog to
be on the safe side.

So we cooked an in-house solution using monit to restart isakmpd in
case of failure. Obviously you'll need to define a simple set of rules
to classify a connection as failed.

snip

 Okey, all vpn comes up normally but.. the problem is:
 At random time, the tunnel turn down and dont come up again !


snip

Re: Code signing in OpenBSD

[bofh]

You forgot one option.  Invite Theo to give a talk, and ask him to
bring the CDs.  If you can't trust Theo's CDs, all hope is lost.

Just need to make sure there're some mountains around for Theo to go
climb.  If you live on a flatland, then, sorry, you're doomed.


On 12/6/07, Douglas A. Tutty [EMAIL PROTECTED] wrote:
 On Thu, Dec 06, 2007 at 11:48:55AM +0100, Hannah Schroeter wrote:

  One risk would be the plans of online surveillance of computers e.g.
  in Germany. One way to install surveillance even on OpenBSD would be to
  actively interfere with the internet connection with the surveilled
  person, in the man-in-the-middle sense, and inject trojanned code
  (Bundestrojaner) into the updates of the victim.

 Using software from any source without interference from an
 all-pervasive government is a very special, but unfortunatly today, a
 very real issue for many people around the world.  To be secure, you
 have to get pieces of the puzzle over multiple paths.  It all can't come
 via the net since then you're open to man-in-the-middle.

 Key-revocation announcements could come over the net (via an announce
 list) but the new key would then have to come over a second channel.

 One second-channel option is the q6mth CD issue, which could include a
 new public key and e.g. known-hosts fingerprints.  This is vulnerable to
 a very determined man-in-the-middle who can replicate and then alter the
 CD before it arrives to you in the mail.

 Another option is a trusted courier flying to Alberta and get a CD from
 the OpenBSD store  (yeah, right).

 In fact, likely any other technological option (e.g. an answering
 machine in Alberta that spits out the alphanumerics of the current
 master public key) is still suceptible.

 If every piece of information you receive is filter through your
 government, is there any hand-shaking protocol that can allow you to
 establish a verified information connection (not necessarily encrypted)?
 I don't think so.

 Sure, Debian has signed .debs that use gpg as a back end (the system is
 called apt-key), it relies on you trusting the fist key that you get
 from them.  Since Debian doesn't actually mail out its own CDs,
 everything is off its mirrors.  apt-key only 'protects' you from a later
 man-in-the-middle.

 I think that this is the central 'problem' that people are dancing
 around.

 Personally, if this thread is to continue, I would like to see it move
 from a Why doesn't OpenBSD do things this way? to a What are the
 threat models for OpenBSD identity theft and how can we protect
 ourselves?.

 Doug.




-- 
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
This officer's men seem to follow him merely out of idle curiosity.
-- Sandhurst officer cadet evaluation.
Securing an environment of Windows platforms from abuse - external or
internal - is akin to trying to install sprinklers in a fireworks
factory where smoking on the job is permitted.  -- Gene Spafford

Re: HP ProLiant DL320 v. Sun Fire V125

[Kai Mosebach]

Hi,

sorry for the late response, the mail just got marked as junk :(


KM enabling acpi

  How exactly do you do it?
  Mine acpi-related lines are


its already in the default kernel, not sure if its enabled by default.

# config -ef /bsd.mp
...
ukc enable acpi
414 acpi0 enabled



KM enabling write cache for wd0 in the system with:
KM # atactl wd0 writecacheenable

  Where  do  you  put  these  command?  For now I just ran it manually (and
tested  the  result).  I  think  it makes sense to activate the write cache
before  checking (and possibly recovering) RAIDframe devices, but rc.secure
and  rc.local  are  being called after that. Is it a good idea to put these
atactl commands to /etc/rc right before #Configure ccd devices line?


i ran it manually as well, and i guess you're right, even though i would 
not touch /etc/rc, since its part of the core system and i guess its not 
supposed to be changed by the user
dunno if there is a sysctl and or other way to enable it at boot time, 
maybe also config -ef /bsd?



KM Compaq iLO rev 0x03 at pci6 dev 4 function 0 not configured
KM Compaq iLO rev 0x03 at pci6 dev 4 function 2 not configured
KM uhci4 at pci6 dev 4 function 4 Hewlett-Packard USB rev 0x00: apic 8 int 
23 (irq 11)
KM Hewlett-Packard IPMI rev 0x00 at pci6 dev 4 function 6 not configured
KM usb1 at uhci4: USB revision 1.0
KM uhub1 at usb1 Hewlett-Packard UHCI root hub rev 1.00/1.00 addr 1

  Did  you  do  something special about uhci*? Mine is giving errors on two
computers already. Sometimes it even crashes to ddb:


maybe try to disable it in the kernel config

# config -ef /bsd.mp
...
ukc disable uhci
139 uhci* disabled


  Also, does iLO 2 Remote Console (a Java one) work for you?


we dont use it. sorry.

Best Kai

Re: Code signing in OpenBSD

[bofh]

That's why I always hand enter, in binary, by toggling switches on the
front of my box[1] when I start a new system.


[1]. What, you never pressed the power button


On 12/6/07, Lars Noodin [EMAIL PROTECTED] wrote:
 bofh wrote:
  At this point, it's probably a good idea to point out there's a paper
  called Trusting Trust about your everyday C compiler...

 Yeah.  It recently disappeared from the ACM's web site after 11+ years
 of availability:
   http://www.acm.org/classics/oct95/
 There is, fortunately, the author's copy:
   http://cm.bell-labs.com/who/ken/trust.html

 There is an interesting follow up:
   http://www.dwheeler.com/trusting-trust/
 summary of the followup:
  http://www.schneier.com/blog/archives/2006/01/countering_trus.html

 The bottom line, however, is that having and using the source is not
 optional.

 Thus, patches are provided in OpenBSD as source...

 But, starting from an initial set of some binaries is adequate for many
 uses, just as long as we can make reasonably sure that those binaries
 come from who they are supposed to / we expect them to.

 The install process ought to be fairly clear about the origin,
 authenticity and integrity of those initial binaries.  No need to build
 on more of a sand foundation than necessary.

 -Lars



--
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
This officer's men seem to follow him merely out of idle curiosity.
-- Sandhurst officer cadet evaluation.
Securing an environment of Windows platforms from abuse - external or
internal - is akin to trying to install sprinklers in a fireworks
factory where smoking on the job is permitted.  -- Gene Spafford

Re: Code signing in OpenBSD

[Marco Peereboom]

hitler already

On Thu, Dec 06, 2007 at 05:24:40PM +0200, Lars Nood??n wrote:
 Douglas A. Tutty wrote:
  Using software from any source without interference from an
  all-pervasive government is a very special,...
 
 It's not all about governments.  Corporate espionage is probably a
 larger, more active threat, especially to OpenBSD.
 
   cui bono?
 
 If we assume for the sake of argument that the printed CDs are ok, then
 there is at least one method for distributing keys and/or building a web
 of trust.
 
 -Lars

softraid todo

[Marco Peereboom]

Several people have asked me about what the softraid todo is.  I
published such a list at: http://www.peereboom.us/softraid_todo.txt
It isn't 100% complete but has most major and minor items.

Re: Code signing in OpenBSD

[Gilbert Fernandes]

On Thu, Dec 06, 2007 at 09:08:56AM -0600, Marco Peereboom wrote:

 hitler already

Here is yours :

++
| 1 Godwin point |
++

Bye

-- 
unzip ; strip ; touch ; grep ; find ; finger ; mount ; fsck ; more ;
yes ; fsck ; umount ; sleep

Re: Code signing in OpenBSD

[Jason George]

  Come on... twice a year and get the benefit of not being excluded from
  company policies which require digital signature of software downloaded
  through the internet.
 
 It's not really OpenBSD's problem that some companies implement pointless
 security policies.

I'm not discussing wether its pointless or not, maybe you don't want
OpenBSD to be used at all?

You make it sound like OpenBSD is a vendor that is actively marketing to these 
companies and that cannot make a sale because it is not meeting a specific set 
of criteria in your requirements docs.

Tell you what.  I am sure there are a number of individuals on the list who 
own or work at companies that would be more than happy to provide your 
employer with a custom-built set of installation binaries and packages, signed 
for your digital pleasure.  I expect bi-annual costs, including overhead like 
lawyers, errors and omissions insurance, etc, to run mid-5-figures per 
release.  Minimum 5 release contract.  Expect much re-writing of contract 
clauses.  If there is indeed that much value derived in your organization from 
the use of OpenBSD, then this will be a paltry sum to pay.

I am fairly confident that Oracle and Sun and SAP likely aren't PKI'ing their 
updates from their websites.  Oh wait.  Are those excluded from the company 
policy because you have a contract in place?  

I went through a similar policy a few years ago while doing Sarbanes-Oxley 
consulting.  The lawyers and auditors were screaming for validation of free 
software, like Perl.  After many months of having tantrums, they, along with 
management, finally realized that going down this path would be tantamount to 
try to chip away all the morter keeping a brick building together.  The 
effects on the integrity of the structure (corporate, in this case) would be 
too great to keep pursuing this line of thought.  That policy was abandoned 
because it was costing more to implement than the perceived risks they 
believed they could mitigate. (i.e. - they had to think in practical terms)

Shortly afterward, I went back to steel-toed-boots engineering, where risks 
models really matter because you're trying to ensure that people don't get 
killed, that the environment doesn't get polluted, that you don't destroy 
assets and that you don't impact production.  Digital signatures are pretty 
irrelevant when you need to be concerned about an explosion that could 
potentially wipe out a few hundred million in infrastructure in the space of a 
few city blocks.  Or when an H2S leak can kill you and your crew in the matter 
of a few breaths. 

If it's that important, shut up and hack.  Or otherwise just shut up.

Re: Code signing in OpenBSD

[Jeff I. Ragland]

On 06 NN5N: 2007, at 5:39 NN, bofh wrote:


You forgot one option.  Invite Theo to give a talk, and ask him to
bring the CDs.  If you can't trust Theo's CDs, all hope is lost.


And how would you know that it is indeed Theo and not someone that
looks like him? I think that blood samples and DNA tests is the only
way to go here.





Just need to make sure there're some mountains around for Theo to go
climb.  If you live on a flatland, then, sorry, you're doomed.


On 12/6/07, Douglas A. Tutty [EMAIL PROTECTED] wrote:

On Thu, Dec 06, 2007 at 11:48:55AM +0100, Hannah Schroeter wrote:


One risk would be the plans of online surveillance of computers
e.g.
in Germany. One way to install surveillance even on OpenBSD would
be to
actively interfere with the internet connection with the surveilled
person, in the man-in-the-middle sense, and inject trojanned code
(Bundestrojaner) into the updates of the victim.


Using software from any source without interference from an
all-pervasive government is a very special, but unfortunatly today, a
very real issue for many people around the world.  To be secure, you
have to get pieces of the puzzle over multiple paths.  It all can't
come
via the net since then you're open to man-in-the-middle.

Key-revocation announcements could come over the net (via an announce
list) but the new key would then have to come over a second channel.

One second-channel option is the q6mth CD issue, which could
include a
new public key and e.g. known-hosts fingerprints.  This is
vulnerable to
a very determined man-in-the-middle who can replicate and then
alter the
CD before it arrives to you in the mail.

Another option is a trusted courier flying to Alberta and get a CD
from
the OpenBSD store  (yeah, right).

In fact, likely any other technological option (e.g. an answering
machine in Alberta that spits out the alphanumerics of the current
master public key) is still suceptible.

If every piece of information you receive is filter through your
government, is there any hand-shaking protocol that can allow you to
establish a verified information connection (not necessarily
encrypted)?
I don't think so.

Sure, Debian has signed .debs that use gpg as a back end (the
system is
called apt-key), it relies on you trusting the fist key that you get
from them.  Since Debian doesn't actually mail out its own CDs,
everything is off its mirrors.  apt-key only 'protects' you from a
later
man-in-the-middle.

I think that this is the central 'problem' that people are dancing
around.

Personally, if this thread is to continue, I would like to see it
move
from a Why doesn't OpenBSD do things this way? to a What are the
threat models for OpenBSD identity theft and how can we protect
ourselves?.

Doug.





--
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
This officer's men seem to follow him merely out of idle curiosity.
-- Sandhurst officer cadet evaluation.
Securing an environment of Windows platforms from abuse - external or
internal - is akin to trying to install sprinklers in a fireworks
factory where smoking on the job is permitted.  -- Gene Spafford

Re: A necessary evil: snmpd(8) and snmpctl(8)

[Insan Praja SW]

On Wed, 05 Dec 2007 22:32:45 +0700, Jason George [EMAIL PROTECTED]  
wrote:



Hi!

I just imported snmpd(8) and snmpctl(8), an initial attempt to
implement a new SNMP daemon for OpenBSD.  SNMP is the Simple Network
Management Protocol and it is still very commonly used in corporate
networks, by network vendors, and in network management systems (NMS).

SNMP is very essential for me since I'm using it at work; our security
appliances based on OpenBSD need to integrate into various SNMP
scenarios.  We had to use net-snmp for this; the BSD license is good
but the code is very bad and full of ancient cruft and portability
glue.  Then there were many problems with the net-snmp port in
OpenBSD, people reported 90% CPU usage on -misc, crashes, bugs, ...it
was just a pain.


Thank you!  Thank you!  Thank you!



Well, finally.. my net-snmp 5.4p1 on 4.2 box keeps dying.. 5.4.1 eating my  
cpus.. how can we test it?


--
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/

Re: Code signing in OpenBSD

[bofh]

Code signing by blood.  ISAGN.


Sorry marc - had to do it


On 12/6/07, Jeff I. Ragland [EMAIL PROTECTED] wrote:

 On 06 Dej 2007, at 5:39 LL, bofh wrote:

  You forgot one option.  Invite Theo to give a talk, and ask him to
  bring the CDs.  If you can't trust Theo's CDs, all hope is lost.

 And how would you know that it is indeed Theo and not someone that
 looks like him? I think that blood samples and DNA tests is the only
 way to go here.


 
 
  Just need to make sure there're some mountains around for Theo to go
  climb.  If you live on a flatland, then, sorry, you're doomed.
 
 
  On 12/6/07, Douglas A. Tutty [EMAIL PROTECTED] wrote:
  On Thu, Dec 06, 2007 at 11:48:55AM +0100, Hannah Schroeter wrote:
 
  One risk would be the plans of online surveillance of computers
  e.g.
  in Germany. One way to install surveillance even on OpenBSD would
  be to
  actively interfere with the internet connection with the surveilled
  person, in the man-in-the-middle sense, and inject trojanned code
  (Bundestrojaner) into the updates of the victim.
 
  Using software from any source without interference from an
  all-pervasive government is a very special, but unfortunatly today, a
  very real issue for many people around the world.  To be secure, you
  have to get pieces of the puzzle over multiple paths.  It all can't
  come
  via the net since then you're open to man-in-the-middle.
 
  Key-revocation announcements could come over the net (via an announce
  list) but the new key would then have to come over a second channel.
 
  One second-channel option is the q6mth CD issue, which could
  include a
  new public key and e.g. known-hosts fingerprints.  This is
  vulnerable to
  a very determined man-in-the-middle who can replicate and then
  alter the
  CD before it arrives to you in the mail.
 
  Another option is a trusted courier flying to Alberta and get a CD
  from
  the OpenBSD store  (yeah, right).
 
  In fact, likely any other technological option (e.g. an answering
  machine in Alberta that spits out the alphanumerics of the current
  master public key) is still suceptible.
 
  If every piece of information you receive is filter through your
  government, is there any hand-shaking protocol that can allow you to
  establish a verified information connection (not necessarily
  encrypted)?
  I don't think so.
 
  Sure, Debian has signed .debs that use gpg as a back end (the
  system is
  called apt-key), it relies on you trusting the fist key that you get
  from them.  Since Debian doesn't actually mail out its own CDs,
  everything is off its mirrors.  apt-key only 'protects' you from a
  later
  man-in-the-middle.
 
  I think that this is the central 'problem' that people are dancing
  around.
 
  Personally, if this thread is to continue, I would like to see it
  move
  from a Why doesn't OpenBSD do things this way? to a What are the
  threat models for OpenBSD identity theft and how can we protect
  ourselves?.
 
  Doug.
 
 
 
 
  --
  http://www.glumbert.com/media/shift
  http://www.youtube.com/watch?v=tGvHNNOLnCk
  This officer's men seem to follow him merely out of idle curiosity.
  -- Sandhurst officer cadet evaluation.
  Securing an environment of Windows platforms from abuse - external or
  internal - is akin to trying to install sprinklers in a fireworks
  factory where smoking on the job is permitted.  -- Gene Spafford
 




-- 
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
This officer's men seem to follow him merely out of idle curiosity.
-- Sandhurst officer cadet evaluation.
Securing an environment of Windows platforms from abuse - external or
internal - is akin to trying to install sprinklers in a fireworks
factory where smoking on the job is permitted.  -- Gene Spafford

Hoststated + overload

[dane johansen]

Hey All,

I was wondering is it possible to use pf + max-src-conn-rate + overload with
hoststated? In manual there is nothing about that, but maybe if you define
tables in hoststated, but not a service and in PF you use just rdr with
hoststated tables (something similar to spamd tables?). Anyone has any ideas
on that?

Dane

Re: Code signing in OpenBSD

[Douglas A. Tutty]

On Thu, Dec 06, 2007 at 09:39:35AM -0600, bofh wrote:
 You forgot one option.  Invite Theo to give a talk, and ask him to
 bring the CDs.  If you can't trust Theo's CDs, all hope is lost.

He doesn't have to bring the CDs, just in the speach give the MD5 (or
other more secure [sha?} sum for an .iso file made from those CDs.  Buy
the CD, create an image, calc the md5.  Compare with Theo's speach.

Doug.

Re: Code signing in OpenBSD

[Douglas A. Tutty]

On Thu, Dec 06, 2007 at 05:24:40PM +0200, Lars Nood??n wrote:
 Douglas A. Tutty wrote:
  Using software from any source without interference from an
  all-pervasive government is a very special,...
 
 It's not all about governments.  Corporate espionage is probably a
 larger, more active threat, especially to OpenBSD.

True, but a single source of corporate espionage can't attack the mail,
phone, fax, and internet (e.g. ftp) all at the same time.

 
   cui bono?
 
 If we assume for the sake of argument that the printed CDs are ok, then
 there is at least one method for distributing keys and/or building a web
 of trust.
 
 -Lars
 
Doug.

Re: Code signing in OpenBSD

[Daniel Bosk]

Hi!

On Thu, Dec 06, 2007 at 11:23:37AM +, Stuart Henderson wrote:
On 2007/12/06 13:12, Lars Noodin wrote:

 If the installation process (from the purchased CDs) had a list of the
 public keys for the official mirror sites, then that would go a long
 way.

That would make it rather hard to revoke a key if there ever
was a problem.

Key revocation lists in some form? If it's gpg/OpenPGP, instruct users
to update from keyservers, one will notice when there're
incompatibilities between the key from CD and the one from the
keyserver, but one will also get the revocation from the keyserver. And
if one buys every CD, there's the time window of half a year even
without a key revocation infrastructure.

Kind regards,

Hannah.

Why not start selling public key lists from the order site, then
those who care can order one (or more) CD(s) and a separately
delivered (set of) public key lists (in sealed envelopes). Otherwise
ordering CDs will suffice.

When a key is revoked (announced somewhere) or incompatibilities
occur order a new (set of) list(s).

Then there is the problem of the lists being replaced by some new
list by the postman, thus ordering a set of lists instead of only one.
Have them delivered by different couriers, if all of them replaces the
list you will probably know.

Now, that will require a lot of work, and a lot of money (a lot of fuss
for a piece of paper) to scare most people off. Problem solved.

Brad, you really did start some thread. Starting with a rather
innocent question. Interesting reading though.


My best to all of you,

  Daniel

Re: Code signing in OpenBSD

[Jacob Yocom-Piatt]

bofh wrote:

Code signing by blood.  ISAGN.


Sorry marc - had to do it

  



what if theo is a person of interest, has his endpoint surveilled and 
his key and passphrase are compromised? if somebody stole a pint of 
blood, that could go a long way in your proposed plan...


short of having a web of trust, meeting people in person to sign their 
keys and assuming private keys and passphrases have not been 
compromised, you're pretty much SOL here. best bet is to use anoncvs and 
verify your cvs server's public key in person, but even that is a PITA. 
if massive databases of key fingerprint collisions exist MITM is very 
real even with a key fingerprint, multiple fingerprints make this much 
harder.


if anyone has a non-trivial quantum computer or remote viewing really 
works, the gig is pretty much up anyhow.


 jy-p cinches his tinfoil hat and returns to following the yellow brick 
road... 




On 12/6/07, Jeff I. Ragland [EMAIL PROTECTED] wrote:
  

On 06 Dej 2007, at 5:39 LL, bofh wrote:



You forgot one option.  Invite Theo to give a talk, and ask him to
bring the CDs.  If you can't trust Theo's CDs, all hope is lost.
  

And how would you know that it is indeed Theo and not someone that
looks like him? I think that blood samples and DNA tests is the only
way to go here.




Just need to make sure there're some mountains around for Theo to go
climb.  If you live on a flatland, then, sorry, you're doomed.


On 12/6/07, Douglas A. Tutty [EMAIL PROTECTED] wrote:
  

On Thu, Dec 06, 2007 at 11:48:55AM +0100, Hannah Schroeter wrote:



One risk would be the plans of online surveillance of computers
e.g.
in Germany. One way to install surveillance even on OpenBSD would
be to
actively interfere with the internet connection with the surveilled
person, in the man-in-the-middle sense, and inject trojanned code
(Bundestrojaner) into the updates of the victim.
  

Using software from any source without interference from an
all-pervasive government is a very special, but unfortunatly today, a
very real issue for many people around the world.  To be secure, you
have to get pieces of the puzzle over multiple paths.  It all can't
come
via the net since then you're open to man-in-the-middle.

Key-revocation announcements could come over the net (via an announce
list) but the new key would then have to come over a second channel.

One second-channel option is the q6mth CD issue, which could
include a
new public key and e.g. known-hosts fingerprints.  This is
vulnerable to
a very determined man-in-the-middle who can replicate and then
alter the
CD before it arrives to you in the mail.

Another option is a trusted courier flying to Alberta and get a CD
from
the OpenBSD store  (yeah, right).

In fact, likely any other technological option (e.g. an answering
machine in Alberta that spits out the alphanumerics of the current
master public key) is still suceptible.

If every piece of information you receive is filter through your
government, is there any hand-shaking protocol that can allow you to
establish a verified information connection (not necessarily
encrypted)?
I don't think so.

Sure, Debian has signed .debs that use gpg as a back end (the
system is
called apt-key), it relies on you trusting the fist key that you get
from them.  Since Debian doesn't actually mail out its own CDs,
everything is off its mirrors.  apt-key only 'protects' you from a
later
man-in-the-middle.

I think that this is the central 'problem' that people are dancing
around.

Personally, if this thread is to continue, I would like to see it
move
from a Why doesn't OpenBSD do things this way? to a What are the
threat models for OpenBSD identity theft and how can we protect
ourselves?.

Doug.




--
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
This officer's men seem to follow him merely out of idle curiosity.
-- Sandhurst officer cadet evaluation.
Securing an environment of Windows platforms from abuse - external or
internal - is akin to trying to install sprinklers in a fireworks
factory where smoking on the job is permitted.  -- Gene Spafford

Re: Code signing in OpenBSD

[Lars Noodén]

Ted Unangst wrote:
 give it a rest guys.

Ted says everything is ok.  We can pack up and call it a day, knowing
that everything's settled once and for all.

Seriously, if the process has been already worked out, then point to
where it is  written up.  Maybe we're not looking in the right part of
the FAQ.

-Lars

Re: Code signing in OpenBSD

[Ted Unangst]

give it a rest guys.

has anyone ever actually been the victim of some
government/corporate/the man attack where they slipped trojan
openbsd binaries to you?

do you have any idea how hard it really is to mount such an attack?
without being detected?  and what's the trojan going to do?  copy all
your secrets to their national citizen oppression center?  how do they
get their nefarious packets through your firewall without notice?

i've download openbsd onto various machines from at least 5 mirrors
using 9 isps in 5 countries over the course of 7 years.  and you're
telling me that every single time, somebody out there was feeding me
the bad bits?  because if they screwed up even a single time, i could
use the good machine to detect the tainted ones.  get real.

Re: Code signing in OpenBSD

[Jason George]

Since this thread is both TOP and BOTTOM posted, I am going UPPER MIDDLE post.


bofh wrote:
 Code signing by blood.  ISAGN.


 Sorry marc - had to do it

   


what if theo is a person of interest, has his endpoint surveilled and 
his key and passphrase are compromised? if somebody stole a pint of 
blood, that could go a long way in your proposed plan...

short of having a web of trust, meeting people in person to sign their 
keys and assuming private keys and passphrases have not been 
compromised, you're pretty much SOL here. best bet is to use anoncvs and 
verify your cvs server's public key in person, but even that is a PITA. 
if massive databases of key fingerprint collisions exist MITM is very 
real even with a key fingerprint, multiple fingerprints make this much 
harder.

if anyone has a non-trivial quantum computer or remote viewing really 
works, the gig is pretty much up anyhow.

 jy-p cinches his tinfoil hat and returns to following the yellow brick 
road... 


Like Keyser Soze, Theo has neither blood nor DNA.  Except for me at beer last 
night, no one has ever seen Theo.

So everyone's point is moot.




 On 12/6/07, Jeff I. Ragland [EMAIL PROTECTED] wrote:
   
 On 06 Dej 2007, at 5:39 LL, bofh wrote:

 
 You forgot one option.  Invite Theo to give a talk, and ask him to
 bring the CDs.  If you can't trust Theo's CDs, all hope is lost.
   
 And how would you know that it is indeed Theo and not someone that
 looks like him? I think that blood samples and DNA tests is the only
 way to go here.


 
 Just need to make sure there're some mountains around for Theo to go
 climb.  If you live on a flatland, then, sorry, you're doomed.


 On 12/6/07, Douglas A. Tutty [EMAIL PROTECTED] wrote:
   
 On Thu, Dec 06, 2007 at 11:48:55AM +0100, Hannah Schroeter wrote:

 
 One risk would be the plans of online surveillance of computers
 e.g.
 in Germany. One way to install surveillance even on OpenBSD would
 be to
 actively interfere with the internet connection with the surveilled
 person, in the man-in-the-middle sense, and inject trojanned code
 (Bundestrojaner) into the updates of the victim.
   
 Using software from any source without interference from an
 all-pervasive government is a very special, but unfortunatly today, a
 very real issue for many people around the world.  To be secure, you
 have to get pieces of the puzzle over multiple paths.  It all can't
 come
 via the net since then you're open to man-in-the-middle.

 Key-revocation announcements could come over the net (via an announce
 list) but the new key would then have to come over a second channel.

 One second-channel option is the q6mth CD issue, which could
 include a
 new public key and e.g. known-hosts fingerprints.  This is
 vulnerable to
 a very determined man-in-the-middle who can replicate and then
 alter the
 CD before it arrives to you in the mail.

 Another option is a trusted courier flying to Alberta and get a CD
 from
 the OpenBSD store  (yeah, right).

 In fact, likely any other technological option (e.g. an answering
 machine in Alberta that spits out the alphanumerics of the current
 master public key) is still suceptible.

 If every piece of information you receive is filter through your
 government, is there any hand-shaking protocol that can allow you to
 establish a verified information connection (not necessarily
 encrypted)?
 I don't think so.

 Sure, Debian has signed .debs that use gpg as a back end (the
 system is
 called apt-key), it relies on you trusting the fist key that you get
 from them.  Since Debian doesn't actually mail out its own CDs,
 everything is off its mirrors.  apt-key only 'protects' you from a
 later
 man-in-the-middle.

 I think that this is the central 'problem' that people are dancing
 around.

 Personally, if this thread is to continue, I would like to see it
 move
 from a Why doesn't OpenBSD do things this way? to a What are the
 threat models for OpenBSD identity theft and how can we protect
 ourselves?.

 Doug.


 
 --
 http://www.glumbert.com/media/shift
 http://www.youtube.com/watch?v=tGvHNNOLnCk
 This officer's men seem to follow him merely out of idle curiosity.
 -- Sandhurst officer cadet evaluation.
 Securing an environment of Windows platforms from abuse - external or
 internal - is akin to trying to install sprinklers in a fireworks
 factory where smoking on the job is permitted.  -- Gene Spafford

Re: Code signing in OpenBSD

[Eric Furman]

On Thu, 6 Dec 2007 09:51:16 -0500, Douglas A. Tutty
[EMAIL PROTECTED] said:
 Personally, if this thread is to continue, I would like to see it move
 from a Why doesn't OpenBSD do things this way? to a What are the
 threat models for OpenBSD identity theft and how can we protect
 ourselves?.

Please don't. I am getting tired of deleting this stupid thread.
The project has been around for more than ten years.
Do you think the devs are so completely clueless about
security that they haven't already thought about this?
Actually, a couple of the devs have already spoken up
on this topic and gave you the answer so please shut up already.
Sorry for adding to the talk talk talking, but people like Theo
actually read all this crap and it's wasting their time.

Re: Code signing in OpenBSD

[Bob Beck]

 do you have any idea how hard it really is to mount such an attack?
 without being detected?  and what's the trojan going to do?  copy all
 your secrets to their national citizen oppression center?  how do they
 get their nefarious packets through your firewall without notice?

Of course they won't do that. The US government has rules about
what it can collect and put in it's own databases and use. Forward thinking
people put careful rules in place preventing the government from legally
playing big brother...

Of course it has no such rules about what data in private databases
it can in retrieve and use. The brownshirts can pretty much go in there
and get anything they want anytime. Forward thinking people kind of had
the blinders on about that one. 

Wow that Google toolbar sure is nice... ;)

-Bob

Re: Code signing in OpenBSD

[Marco Peereboom]

HITLER AND MORE HITLER

On Thu, Dec 06, 2007 at 08:28:21PM +0200, Lars Nood??n wrote:
 Ted Unangst wrote:
  give it a rest guys.
 
 Ted says everything is ok.  We can pack up and call it a day, knowing
 that everything's settled once and for all.
 
 Seriously, if the process has been already worked out, then point to
 where it is  written up.  Maybe we're not looking in the right part of
 the FAQ.
 
 -Lars

Re: Code signing in OpenBSD

[Christopher Linn]

there seems to be a fine, pink mist in the air.  some time ago 
the matter comprising this mist was a live and healthy horse.

On Thu, Dec 06, 2007 at 12:39:39PM -0600, Marco Peereboom wrote:
 HITLER AND MORE HITLER
 
 On Thu, Dec 06, 2007 at 08:28:21PM +0200, Lars Nood??n wrote:
  Ted Unangst wrote:
   give it a rest guys.
  
  Ted says everything is ok.  We can pack up and call it a day, knowing
  that everything's settled once and for all.
  
  Seriously, if the process has been already worked out, then point to
  where it is  written up.  Maybe we're not looking in the right part of
  the FAQ.
  
  -Lars

-- 
Christopher Linn celinn at mtu.edu  | By no means shall either the CEC
System Administrator II   | or MTU be held in any way liable
  Center for Experimental Computation | for any opinions or conjecture I
Michigan Technological University | hold to or imply to hold herein.

Re: Code signing in OpenBSD

[Lars Noodén]

Ok.  So Christopher, Marco, and Ted have spoken up to inform the list
that they do not know an answer.

Christopher Linn wrote:
 there seems to be a fine, pink mist in the air. ...

To be sure the topic has been covered earlier, but
just where are there relevant message archives, presentations or
documents finding a practical solution to the problem of getting an
initial set of binaries?

-Lars

Re: Code signing in OpenBSD

[STeve Andre']

On Thursday 06 December 2007 05:52:46 Hannah Schroeter wrote:
 Hi!

 On Wed, Dec 05, 2007 at 06:46:15PM -0500, STeve Andre' wrote:
 [...]
 
 You know, you're descending into a recursive loop of if, if, if... and
 it never ends.  OF COURSE if someone breaks into the site they could
 do things--once you've lost control of your site all bets are off.  I dare
 say that someone breaking into a site might find all the appropriate
 tools to re-sign things, too, and do the spoof that way.

 If I released code with cryptographic signatures, I'd not leave a secret
 key file, nor a passphrase on the servers with the master web/ftp
 site. I'd sign on a box you can't access from the master site (nor
 the mirrors). So, no, the attacker would *not* gain access to signing
 tools (ok, yes, the tools, perhaps, like gpg or openssl, but not the
 key material).

 --STeve Andre'

 Kind regards,

 Hannah.

Heh--you're intelligent.  But I know of two places where everything was
stored on the one machine, and I think one of those sites still hasn't
gotten it through their heads that this isn't a good idea.

--STeve Andre'

Re: Skype on the OpenBSD

[michael hamerski]

 Lars NoodC)n [EMAIL PROTECTED] wrote:

http://forum.skype.com/index.php?showtopic=95261


I have no intention of refueling this debate but I found this an
interesting read some time ago:

paper by Garfinkel

http://skypetips.internetvisitation.org/files/VoIP%20and%20Skype.pdf

your link is mostly about Ubuntu users concerned that skype reads
/etc/password and greps their .mozilla  profiles for proxy settings,
which when all is said and done is probably the least of their
worries.

as for other posts, openwengo does not currently support encryption,
and is developed partly by a French company, last I heard French
governments were not exactly friendly towards strong crypto. also,
wengo do have a vested interest in bashing skype.

cheers,

mike

Re: Code signing in OpenBSD

[Marco Peereboom]

On Thu, Dec 06, 2007 at 09:39:59PM +0200, Lars Nood??n wrote:
 Ok.  So Christopher, Marco, and Ted have spoken up to inform the list
 that they do not know an answer.

You can't possibly be this dense.  Let me try to spell it out.  YOU see
an issue WE don't.  That makes YOU responsible for fixing it.  All
reasons have been given to you why this is not even remotely a good idea
however you keep coming back for more.  So again you care we don't; how
does that make that OUR responsibility?

 
 Christopher Linn wrote:
  there seems to be a fine, pink mist in the air. ...
 
 To be sure the topic has been covered earlier, but
 just where are there relevant message archives, presentations or
 documents finding a practical solution to the problem of getting an
 initial set of binaries?

You can't.  Either get over it or use an operating system with a trusted
vendor like Microsoft or Apple.  That pesky Open Source stuff can't be
trusted because its on the internets.

 
 -Lars

Hardware recommendations for OpenBSD carp router/firewall machines

[Matthew Dempsky]

Does anyone have recommendations on server hardware for setting up a
redundant OpenBSD firewall?  Right now our network handles several
million HTTP requests per day, and we expect that to continue growing.
I expect a simple pair of Dell rackmounted servers should handle this
easily, but I thought I'd solicit feedback from the firewall experts
on misc@ first. :-)

Thanks!

alpha server hardware (AS1200) available for donation in Munich area

[Robert Urban]

Hi Folks,

I'm back again.

I have two AS1200 (AlphaServers) to donate.  They're nice machines, but I
don't use them.  One has two 400MHz CPUs (B3007-AA) and 512MB RAM, the other
has one 533MHz CPU (B3007-CA) and 256MB RAM.

They have lots of disks internally (2 and 4GB drives). They have several
SCSI controllers installed and are in fact set up to operate as a TruCluster
with shared storage, which is housed on two BA356 StorageWorks shelves
stuffed with 2 and 4GB drives.  If someone were interested in running this
as a TruCluster, I also have two MemoryChannel cards and a cable.
TruCluster  traditionally uses MemoryChannel as its cluster interconnect.
It can, however, use a standard ethernet P2P connection. Each system has
two 100mbit ethernet controllers installed.

The boxes are also fitted with redundant power supplies.

Dimensions of a AS1200: height=47cm, width=36cm, depth=60cm

For a photo see (one system is stacked on top of the other!):
http://www.spielwiese.de/rob/Pictures/as1200-1000x1504.jpg

I live in Munich, and posting them would be prohibitively expensive, I suspect.

any interest? If yes, please contact me ASAP.

Rob Urban


Here is the output of show config for each system:
dual-400MHz config:
--
P00show config
   Digital Equipment Corporation
 AlphaServer 1200

 Console V5.7-4  OpenVMS PALcode V1.21-2, Digital UNIX PALcode V1.23-2

 Module  Type RevName
 System Motherboard  0   mthrbrd0
 Memory  512 MB DIMM 0   mem0
 CPU (4MB Cache) 30001   cpu0
 CPU (4MB Cache) 30001   cpu1
 Bridge (IOD0/IOD1)  600  0032   iod0/iod1
 PCI Motherboard a   saddle0

 Bus 0  iod0 (PCI0)
 Slot   Option Name  Type RevName
 1  PCEB 4828086  0015   pceb0
 2  S3 Trio64/Trio32 88115333 0044   vga0
 3  DECchip 21140-AA 910110020   tulip0
 4  DEC KZPSA81011   pks0

 Bus 1  pceb0 (EISA Bridge connected to iod0, slot 1)
 Slot   Option Name  Type RevName

 Bus 0  iod1 (PCI1)
 Slot   Option Name  Type RevName
 1  NCR 53C810   110000002   ncr0
 2  QLogic ISP10X0   10201077 0005   isp0
 3  NCR 53C810   110000002   ncr1
 4  DE600-AA 12298086 0008   ei0

single-533MHz config:
--
P00show config
   Compaq Computer Corporation
 AlphaServer 1200

 Console V6.0-4  OpenVMS PALcode V1.21-2, Digital UNIX PALcode V1.23-2

 Module  Type RevName
 System Motherboard  0   mthrbrd0
 Memory   64 MB DIMM 0   mem0
 Memory   64 MB DIMM 0   mem1
 Memory   64 MB DIMM 0   mem2
 Memory   64 MB DIMM 0   mem3
 CPU (4MB Cache) 30003   cpu0
 Bridge (IOD0/IOD1)  600  0032   iod0/iod1
 PCI Motherboard a   saddle0

 Bus 0  iod0 (PCI0)
 Slot   Option Name  Type RevName
 1  PCEB 4828086  0015   pceb0
 2  S3 Trio64/Trio32 88115333 0054   vga0
 3  DE500-BA 191011   0030   tulip0
 4  DEC KZPSA81011   pks0

 Bus 1  pceb0 (EISA Bridge connected to iod0, slot 1)
 Slot   Option Name  Type RevName

 Bus 0  iod1 (PCI1)
 Slot   Option Name  Type RevName
 1  NCR 53C810   110000002   ncr0
 2  QLogic ISP10X0   10201077 0005   isp0
 3  DEC PCI MC   181011   000E   mc0
 4  DE600-AA 12298086 0008   ei0

Re: Intel(R) Core(TM)2 Duo CPU E6550 freeze on core 2 duo

[Constantine A. Murenin]

On 06/12/2007, Benoit Chesneau [EMAIL PROTECTED] wrote:
 Hi all,

 HAve currently problem with a server based on Intel(R) Core(TM)2 Duo CPU
 E6550
 with a Realtek 8168 ( re(4) ). It freeze after some random time.  I
 don't know why.
 No log about it. I tried to :
 - enable acpi
 - force the carde in 100baseTX


 But without any success yet. Hard to test anyway because this is a
 remote machine
 and can't check it from the rescue mode since this rescue mode is under
 freebsd.

 Any idee ? Anyone used such machine yet ? Here is a dmesg :
 http://babilu.metavers.net/dmesg/dmesg_enlil_20071206.txt

http://kerneltrap.org/mailarchive/openbsd-misc/2007/10/21/349821
http://cvs.openbsd.org/cgi-bin/query-pr-wrapper?full=yesnumbers=5504

No patch yet. As these boxes are pretty popular, if someone writes
one, they'll be a hero. :)

C.

Re: Code signing in OpenBSD

[new_guy]

Daniel Bosk wrote:
 
 Brad, you really did start some thread. Starting with a rather
 innocent question. Interesting reading though.
 
 My best to all of you,
 
   Daniel
 

Thanks, I love OpenBSD. I see the lack of signed code and signed
communication as a potential security issue. It *has* happened to other
projects and I'd hate to see it happen to OpenBSD. I'd love to see PKI
(specifically developer key pairs) incorporated into OpenBSD at some
point... it's such a great project that produces a great product! Whatever
happens, I will continue buying the CDs, T-shirts and telling my IT buddies
to use it!!!

All the best,

A guy who claims to be Brad Tilley :)

-- 
View this message in context: 
http://www.nabble.com/Code-signing-in-OpenBSD-tf4947207.html#a14204037
Sent from the openbsd user - misc mailing list archive at Nabble.com.

serial switch available for donation (Munich)

[Robert Urban]

Hi Folks,

I have an ancient, but fully functional pizza-box like device from Pan
Dacom (V.24 Umschalter), which has 9 DB25 female connectors on the back,
and 8 toggle pushbuttons on the front. One of the DB25 connectors is the
input, and is connected to one or more of the other eight DB25 connectors,
depending on which buttons are toggled on on the front.

any interest?

Rob Urban

reporting of flowd data

[Thomas Börnert]

hi list,

i'm looking for a reporting tool that can read the
output of /var/log/flowd or the ascii data of flowd-reader.

has anyone an idea ?

thanks

thomas

Note on pfctl: cannot allocate memory from spamd-setup

[Steve Shockley]

I'm running spamd in blacklist mode, and it started running out of 
memory today.  It turns out the lists are getting close to the default 
limit:


# /usr/libexec/spamd-setup -b -d
Getting http://www.openbsd.org/spamd/traplist.gz
blacklist uatraps 157348 entries
Getting http://www.openbsd.org/spamd/nixspam.gz
blacklist nixspam 40035 entries
Getting http://www.openbsd.org/spamd/chinacidr.txt.gz
blacklist china 431 entries
Getting http://www.openbsd.org/spamd/koreacidr.txt.gz
blacklist korea 270 entries

That comes to 198084, and the default is 20.

One solution is to put:

set limit table-entries [value]

in pf.conf.

Re: Code signing in OpenBSD

[Travers Buda]

Paranoia is a disease...  it distorts your thinking and your logical
faculty.  I'd be more concerned about THAT if I were in your position.

It's stupid to rework the infrastructure to support signing,
especially considering the benefits (none.) Plus, you have to trust
the OpenBSD developers (GASP!) And think of all the other ways you
could be compromised, which most are much easier to implement.

Hardware keyloggers
Social engineers
Bad passwords
Physical Security?
etc.

And just what are they going to get?  Do you have some sort of
cloak-and-dagger data on your box?

-- 
Travers Buda

Re: Skype on the OpenBSD

[William Graeber]

I'm running wengo 2.1.2, and under the security tab on the
configuration page there is an option for call encryption -
WengoPhone can encrypt calls using the AES 128-bits encryption system
and Diffie-Hellman for key exchange.

seeking hardware token recommendations

[Jacob Yocom-Piatt]

would like to lock random users out of the services that are hosted on 
machines here and remember LLNL, etc, using a RSA secureID to effect 
this back in the day: you had to enter your secureID string before being 
able to ssh into your user account through the firewall. i am aware that 
the secureID uses a closed-source algorithm to generate its codes and is 
thus, IMO, not a desirable solution. the goal is to allow only users 
with (1) a hardware token and (2) the correct passwords to access 
services (IMAPS, etc) on openbsd machines.


a list of OTPs would be sufficient if i didn't think i'd end up 
regularly issuing new lists to users. if there is any good solution of 
the sort i describe above, i would appreciate pointers from more 
knowledgeable folks.


cheers,
jake

--

Doctor Listing

[Francis Y Rosella]

Here's what we're offering for this week:

Current Doctors in the USA 

788,217 in total * 17,132 emails

34 primary and secondary specialties

16 different sortable fields


Pharmaceutical Companies in the US
47,000 personal emails and names of decision makers

American Hospital Directory
Full data for all the major positions in more than 7k facilities

Extensive List of Dentists in the US
A complete Database or dentists and related services (valued at $399)

Listing of US Chiropractors
Complete data for all chiropractors in the US (a $250 value)


Price for this week only =  
$398 for all 5 datasets

reply to:  [EMAIL PROTECTED]

  

valid thru Dec 7