Trustico CEO Emailed Many Keys Stupidly: 20k https certificates compromised and revoked

2018-03-01 Thread Charlie Eddy
https://mobile.twitter.com/svblxyz/status/969220402768736258
Please comment on this exciting bad news.
Here is another link for your convenience:
https://news.ycombinator.com/item?id=16485801

Cheers


Re: Supermicro SuperServer E200-9A

2018-02-27 Thread Charlie Eddy
Mihai,

Your extrapolation is the only issue here as OP did not describe a linear
causal relationship.

See below.

> I want to build a OpenBSD firewall. And I have bought a Supermicro
> SuperServer E200-9A. There is installed a A2SDi-4C-HLN4F motherboard in
> it.

On Tue, Feb 27, 2018 at 11:01 AM, Rupert Gallagher <r...@protonmail.com>
wrote:

> I did not purchase the board, yet. The OP did. And he did well. Both Linux
> and FreeBSD run on it.
>
> ‐‐‐ Original Message ‐‐‐
>
> On 27 February 2018 4:22 PM, Charlie Eddy <charlie.e...@occipital.com>
> wrote:
>
> > Rupert, I strongly suggest you actively search as quickly as possible as
> > Stuart suggested, or return your product. Not the first time this has
> > happened so don't take it personally.
>


Re: Supermicro SuperServer E200-9A

2018-02-27 Thread Charlie Eddy
great news then

On Mon, Feb 26, 2018 at 3:26 PM, Rupert Gallagher 
wrote:

> Note on passing: the C2000 are officially retired and discontinued.
>
> Sent from ProtonMail Mobile
>
> On Mon, Feb 26, 2018 at 23:21, Stuart Henderson 
> wrote:
>
> > On 2018-02-26, OpenBSD user wrote:
> > > Hello
> > >
> > > I want to build a OpenBSD firewall. And I have bought a Supermicro
> > > SuperServer E200-9A. There is installed a A2SDi-4C-HLN4F motherboard in it.
> > >
> > > I'm trying to installed OpenBSD 6.2 on it, but I have some problems.
> > >
> > > First I tried to boot it from an usb stick and thought I could use the
> > > installed keyboard to control the installation. But under the boot
> > > process and before I could type "i" for install, it had turned the
> > > keyboard off.
> > >
> > > Then I tried to control the installation from the IPMI port. I can
> > > control the installation through it, but when I'm went to configure the
> > > NIC's there is only a VLAN installed. Beside the IPMI port there is also
> > > 4 other NIC's installed on the motherboard. And I can't see them. I type
> > > "done" but when the installation come to the installed hdd, there is
> > > none to choose between.
> > >
> > > I have visit the manufacturer site, but there isn't any drivers to any *BSD.
> > >
> > > I have googled for other who have problems, but I can't find any solutions.
> > >
> > > How do I installed OpenBSD 6.2 on the E200-9A ?
> > >
> > > Please help.
> > >
> > > Thanks in advance
> >
> > This machine has a lot of rather new hardware in (C3000 Denverton) and is
> > really not at all supported yet. I found a dmesg from RAMDISK_CD on one of
> > these and it's full of failure starting with being unable to enable acpi
> > (so interrupt routing and other things aren't working), plus we haven't
> > even got skeleton pcidevs entries for most of the devices (ahci, nic, etc).
> > Realistically, at the moment, I'd say the best chances of getting this
> > machine supported are if you can get similar hardware in the hands of a
> > developer if there is anyone with interest, skills and time to look into
> > it, remote debugging of a system in this state is going to be slow and
> > painful..
> >
> > OpenBSD 6.2-current (RAMDISK_CD) #379: Wed Jan 24 12:58:41 MST 2018
> >     dera...@amd64.openbsd.org:/usr/src/sys/al
> > mem = 4250882048 (4053MB)
> > avail mem = 4118294528 (3927MB)
> > mainbus0 at root
> > bios0 at mainbus0: SMBIOS rev. 3.0 @ 0x7f0c7000 (31 entries)
> > bios0: vendor American Megatrends Inc. version "1.0" date 08/02/2017
> > bios0: Supermicro Super Server
> > acpi0 at bios0: rev 2, can't enable ACPI
> > cpu0 at mainbus0: (uniprocessor)
> > cpu0: Intel(R) Atom(TM) CPU C3338 @ 1.50: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,FSGSBASE,SMEP,ERMS,MPX,RDSEED,SMAP,CLFLUSHOPT,PT,SHA,SENSOR,ARAT
> > cpu0: 2MB 64b/line 16-way L2 cache
> > cpu0: cannot disable silicon debug
> > cpu0: mwait min=64, max=64, C-substates=0.2.0.2, IBE
> > pci0 at mainbus0 bus 0
> > 0:31:5: mem address conflict 0xfe01/0x1000
> > pchb0 at pci0 dev 0 function 0 vendor "Intel", unknown product 0x1980 rev 0x11
> > pchb1 at pci0 dev 4 function 0 vendor "Intel", unknown product 0x19a1 rev 0x11
> > vendor "Intel", unknown product 0x19a2 (class system subclass root complex event, rev 0x11) at pci0 dev 5 function 0 not configured
> > ppb0 at pci0 dev 10 function 0 vendor "Intel", unknown product 0x19a5 rev 0x11
> > pci1 at ppb0 bus 1
> > ppb1 at pci0 dev 17 function 0 vendor "Intel", unknown product 0x19ab rev 0x11
> > pci2 at ppb1 bus 2
> > ppb2 at pci2 dev 0 function 0 "ASPEED Technology AST1150 PCI" rev 0x03
> > pci3 at ppb2 bus 3
> > "ASPEED Technology AST2000" rev 0x30 at pci3 dev 0 function 0 not configured
> > vendor "Intel", unknown product 0x19ac (class system subclass miscellaneous, rev 0x11) at pci0 dev 18 function 0 not configured
> > ahci0 at pci0 dev 19 function 0 vendor "Intel", unknown product 0x19b2 rev 0x11: unable to map interrupt
> > ahci1 at pci0 dev 20 function 0 vendor "Intel", unknown product 0x19c2 rev 0x11: unable to map interrupt
> > xhci0 at pci0 dev 21 function 0 vendor "Intel", unknown product 0x19d0 rev 0x11: couldn't map interrupt
> > ppb3 at pci0 dev 22 function 0 vendor "Intel", unknown product 0x19d1 rev 0x11
> > pci4 at ppb3 bus 4
> > vendor "Intel", unknown product 0x15e5 (class network subclass ethernet, rev 0x11) at pci4 dev 0 function 0 not configured
> > vendor "Intel", unknown product 0x15e5 (class network subclass ethernet, rev 0x11) at pci4 dev 0 function 1 not configured
> > ppb4 at pci0 dev 23 function 0 vendor "Intel", unknown product 0x19d2 rev 0x11
> > pci5 at ppb4 bus 5
> > vendor "Intel", unknown product 0x15e5 (class network subclass ethernet, rev 0x11) at pci5 dev 0 function 0 not configured
> > vendor "Intel", unknown product 0x15e5 (class network subclass ethernet, rev 0x11) at pci5

Re: Supermicro SuperServer E200-9A

2018-02-27 Thread Charlie Eddy
I would "bump" the issue for this specific case, but I think it is a very
laughable mistake to argue over the definition of new.

Rupert, I strongly suggest you actively search as quickly as possible as
Stuart suggested, or return your product. Not the first time this has
happened so don't take it personally.

It would also be cool if someone has:

1) A contact list of devs who are chill and want to program new things such
as a Supermicro
SuperServer E200-9A with an A2SDi-4C-HLN4F motherboard in it.

2) A specific recommendation for an alternative device that will provide
similar sweet functionality.

My idea of (2) is one of the following:
https://www.openbsd.org/octeon.html
https://www.openbsd.org/sgi.html
... but I could be totally wrong, I am not that smart and very busy.

Regards,
Charlie

On Tue, Feb 27, 2018 at 5:51 AM, Stuart Henderson 
wrote:

> On 2018/02/27 08:30, Rupert Gallagher wrote:
> > Not new at all.
> >
> > https://www.servethehome.com/intel-atom-c3338-benchmarks-why-denverton-is-so-sweet/
> >
> > https://www.servethehome.com/intel-atom-c3558-linux-benchmarks-and-review/
> >
> > https://www.servethehome.com/intel-atom-c3958-16-core-top-end-embedded-qat-linux-benchmarks-and-review/
>
> Launch date q3 '17 is pretty new.
>
> > Sent from ProtonMail Mobile
> >
> >
> > On Mon, Feb 26, 2018 at 23:21, Stuart Henderson 
> wrote:
> >
> > On 2018-02-26, OpenBSD user wrote:
> > > Hello
> > >
> > > I want to build a OpenBSD firewall. And I have bought a Supermicro
> > > SuperServer E200-9A. There is installed a A2SDi-4C-HLN4F motherboard in it.
> > >
> > > I'm trying to installed OpenBSD 6.2 on it, but I have some problems.
> > >
> > > First I tried to boot it from an usb stick and thought I could use the
> > > installed keyboard to control the installation. But under the boot
> > > process and before I could type "i" for install, it had turned the
> > > keyboard off.
> > >
> > > Then I tried to control the installation from the IPMI port. I can
> > > control the installation through it, but when I'm went to configure the
> > > NIC's there is only a VLAN installed. Beside the IPMI port there is also
> > > 4 other NIC's installed on the motherboard. And I can't see them. I type
> > > "done" but when the installation come to the installed hdd, there is
> > > none to choose between.
> > >
> > > I have visit the manufacturer site, but there isn't any drivers to any *BSD.
> > >
> > > I have googled for other who have problems, but I can't find any solutions.
> > >
> > > How do I installed OpenBSD 6.2 on the E200-9A ?
> > >
> > > Please help.
> > >
> > > Thanks in advance
> >
> > This machine has a lot of rather new hardware in (C3000 Denverton) and is
> > really not at all supported yet. I found a dmesg from RAMDISK_CD on one of
> > these and it's full of failure starting with being unable to enable acpi
> > (so interrupt routing and other things aren't working), plus we haven't
> > even got skeleton pcidevs entries for most of the devices (ahci, nic, etc).
> > Realistically, at the moment, I'd say the best chances of getting this
> > machine supported are if you can get similar hardware in the hands of a
> > developer if there is anyone with interest, skills and time to look into
> > it, remote debugging of a system in this state is going to be slow and
> > painful..
> >
> > OpenBSD 6.2-current (RAMDISK_CD) #379: Wed Jan 24 12:58:41 MST 2018
> >     dera...@amd64.openbsd.org:/usr/src/sys/al
> > mem = 4250882048 (4053MB)
> > avail mem = 4118294528 (3927MB)
> > mainbus0 at root
> > bios0 at mainbus0: SMBIOS rev. 3.0 @ 0x7f0c7000 (31 entries)
> > bios0: vendor American Megatrends Inc. version "1.0" date 08/02/2017
> > bios0: Supermicro Super Server
> > acpi0 at bios0: rev 2, can't enable ACPI
> > cpu0 at mainbus0: (uniprocessor)
> > cpu0: Intel(R) Atom(TM) CPU C3338 @ 1.50: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,FSGSBASE,SMEP,ERMS,MPX,RDSEED,SMAP,CLFLUSHOPT,PT,SHA,SENSOR,ARAT
> > cpu0: 2MB 64b/line 16-way L2 cache
> > cpu0: cannot disable silicon debug
> > cpu0: mwait min=64, max=64, C-substates=0.2.0.2, IBE
> > pci0 at mainbus0 bus 0
> > 0:31:5: mem address conflict 0xfe01/0x1000
> > pchb0 at pci0 dev 0 function 0 vendor "Intel", unknown product 0x1980 rev 0x11
> > pchb1 at pci0 dev 4 function 0 vendor "Intel", unknown product 0x19a1 rev 0x11
> > vendor "Intel", unknown product 0x19a2 (class system subclass root complex event, rev 0x11) at pci0 dev 5 function 0 not configured
> > ppb0 at pci0 dev 10 function 0 vendor "Intel", unknown product 0x19a5 rev 0x11
> > pci1 at ppb0 bus 1
> > ppb1 at pci0

Re: Why is so slow the download speed in OpenBSD?

2018-02-14 Thread Charlie Eddy
Nice!

From Stefan's mail:
> "In the current implementation, the wifi layer selects a transmit rate
> based on the number of frame transmission retries reported by wpi(4)
> firmware."

That's the "automatically selected optimal media type", comme ci comme ca
defined w/r/t the strictness of your definition.

> "If you find that one of these commands makes it work as fast as it does
> on Windows, we can conclude that the problem is with OpenBSD's rate
> selection algorithm. This algorithm is very old and dates from a time when
> wifi networks were much less densely deployed."

It looks like OpenBSD is like driving a beautiful old car.
Malfunction doesn't make sense to say even though existing properties of
the OS and existing properties of the world aren't making it easy.

On Wed, Feb 14, 2018 at 1:47 PM, Zsolt Kantor 
wrote:

>
>
> Now, I just switched to OpenBSD, and executed the commands as you wrote
> down. AND IT WORKS!
> You have more in depth network knowledge than me, so I just will write
> down what I did, and I have also some questions related to that media
> option of the ifconfig (which I, to be honest don't really understand).
> So, I used the same mirror (https://ftp2.eu.openbsd.org/pub/OpenBSD/6.2/amd64/)
> for testing and used only wget for downloads.
> With wget the download speed is a bit higher compared to firefox or
> chromium, I think because wget is more 'light', command line tool, more
> optimized (probably the code is more clear), firefox and chromium opens
> slower maybe also bloat in code, so the download rate is also less.
> Now back to the point. I logged in to Xfce, I opened a terminal with two
> tabs, one for normal user, to execute the downloads, with the following
> command: 'wget https://ftp2.eu.openbsd.org/pub/OpenBSD/6.2/amd64/install62.fs',
> and one for root user to use ifconfig to make those
> settings. After every ifconfig change, I switched to the normal user tab
> and started the download process (sometimes, when I saw some unusual
> fluctuation I interrupted the download process and started again, waited a
> while to see what happens, than if the download process was not stable I
> waited a little to be just sure, after that started the process again and
> so on, to have a more precise report).
> Here are the test results:
> OFDM6: max: 1.30MB/s, min: 700KB/s (this config. is not stable, sometimes
> drops from 1.20MB/s to 700KB and back)
> OFDM9: average: 1.45MB/s (more stable, do not drops above 1.30MB)
> OFDM12: quite stable as with OFDM9, sometimes reaches a max. of 1.70MB/s
> OFDM18: stable, average: 1.50MB (I saw also 1.80MB/s for fractions of
> seconds)
> OFDM24: At the first try was not stable, fluctuated between 900KB/s and
> 1.70Mb/s, at the second try it was stable, avg: 1.55MB/s (for fractions of
> seconds 1.80MB/s), at the third, fourth . . . tries was stable, avg: 1.60MB
> OFDM36: quiet stable, avg: 1.55MB/s
> OFDM48: not so stable, 700KB/s, 800KB/s, rarely reaches  1000KB/s (but
> immediately drops)
> OFDM54: not stable at all, between 700KB and 900KB (sometimes reaches
> 1.1MB/s, rarely drops down to 300KB/s), the avg. rate is 700-750KB.
>
> These for the tests. Now, I have a few questions. In the ifconfig manual
> at the media option states that if it is used with no arguments displays
> all available media. In my case it looks like this:
>
> supported media:
> media autoselect
> media autoselect mediaopt monitor
> media autoselect mode 11a
> media autoselect mode 11a mediaopt monitor
> media autoselect mode 11b
> media autoselect mode 11b mediaopt monitor
> media autoselect mode 11g
> media autoselect mode 11g mediaopt monitor
>
> But what you proposed to me to try is OFDM6, 9, 12 . . . In the supported
> media list I don't find those types, why?
>
> The second question is: now theoretically the problem is solved, to be
> honest I have no clue about media types, radio frequencies and such things,
> but based on my tests it's need to be corrected something in OpenBSD
> related to this issue? Or it is more like a user side configuration? If
> somebody would ask me I think the optimal media type should ne
> automatically selected by the system (driver, firmware . . . I don't know
> who's in charge for this), and not by the user (after the system is
> installed).
> That's all, thanks again. For me the problem is solved. You need to decide
> if this is a malfunction or not.
>
> Thanks again.
>
>
>
>
> On Wednesday, February 14, 2018 9:36 PM, Zsolt Kantor <zsoltkan...@yahoo.co.uk> wrote:
>
>
>
> You told me a very interesting thing, and I need to admit that I did not
> thought about this (although in the past I wrote some ping program using
> sockets, so I have a basic knowledge about networking in general). I will
> try that, but right now I need to resolve other things (not related to
> OpenBSD), I also thought to do some wireshark tests in  Win and BSD and
> check the traffic, the packets, and the times between the packets sent 

Re: considering a move to OpenBSD

2018-02-08 Thread Charlie Eddy
Thanks Daniel. Definitely the correct answer.

On Thu, Feb 8, 2018 at 4:07 PM, Daniel Bolgheroni <dan...@bolgh.eng.br>
wrote:

> On Thu, Feb 08, 2018 at 09:41:20PM +, Charlie Eddy wrote:
> > hello misc,
> >
> > I am considering a move to OpenBSD, since I subscribed to this mailing
> > list some time ago (~few months). I want to take advantage of security.
> >
> > However, a programmer who I know personally and respect considers OpenBSD
> > to be old-school, in a negative sense. He recommends Arch Linux as
> > superior, because more new. Does the difference boil down to one's
> > definition of free software, and then compliance with that definition?
> >
> > I have read up on this a lot, and this is a serious question. I have
> > heard that it is unimportant what *nix you're on after a few years of
> > using one or the other, in terms of functionality. I am interested in
> > embedded devices. I think that bends the needle towards Arch, but the
> > security of OpenBSD is also attractive. What considerations should I take
> > into account?
>
> I don't think that, if you ask the same question on an Arch Linux
> mailing list, people will suggest you to run OpenBSD. Since you're on an
> OpenBSD mailing list, the odds are people here will... nevermind.
>
> There are a lot (really, a lot) of things you should consider.
> Honestly, these opiniated, one-sentence answers like these should ring
> bells on your head, and work as an alert (because it's newer? really?).
>
> That being said, the mindset of "going to shop" when choosing software
> (e.g. comparing project features to see which one "offers more for the
> lowest price") is just wrong. What do you really need? "Embedded",
> "security" or any single-worded reason won't say much.
>
> No words here will spare you the work you have to do by yourself. Install
> it and put it to work. Then, then take your own conclusions.
>
> --
> db
>


considering a move to OpenBSD

2018-02-08 Thread Charlie Eddy
hello misc,

I am considering a move to OpenBSD, since I subscribed to this mailing list
some time ago (~few months). I want to take advantage of security.

However, a programmer who I know personally and respect considers OpenBSD
to be old-school, in a negative sense. He recommends Arch Linux as
superior, because more new. Does the difference boil down to one's
definition of free software, and then compliance with that definition?

I have read up on this a lot, and this is a serious question. I have heard
that it is unimportant what *nix you're on after a few years of using one
or the other, in terms of functionality. I am interested in embedded
devices. I think that bends the needle towards Arch, but the security of
OpenBSD is also attractive. What considerations should I take into account?

Regards,
Charlie


Re: OpenBSD Foundation on HTTPS

2018-02-07 Thread Charlie Eddy
Hello Jonathan Thornburg,

That is quite simple. The post will work.

https://www.ic.gc.ca/app/scr/cc/CorporationsCanada/fdrlCrpDtls.html?corpId=4409612

Regards,

On Wed, Feb 7, 2018 at 6:42 AM, Jeroen  wrote:

> With HTTPS, can you be sure that the server isn't comprimised? With or
> without HTTPS, it's always a good idea to check wether the address is
> correct (a foundation has to be registered and at other places).
>
> On Wed, 2018-02-07 at 14:40 +0100, Jonathan Thornburg wrote:
> > From  http://www.openbsdfoundation.org/donations.html :
> > >  Donations may be made by cheque in CAD/EUR/USD funds to:
> > >
> > > The OpenBSD Foundation
> > > 8101 160 Street
> > > Edmonton, Alberta, Canada
> > > T5R 2G9
> >
> > Without https, how can one verify that that is the correct address?
> >
> >
>
>


Re: OpenBSD Foundation on HTTPS

2018-02-06 Thread Charlie Eddy
thank you for providing that email address, case closed as far as I'm
concerned


Re: OpenBSD Foundation on HTTPS

2018-02-06 Thread Charlie Eddy
"Can I update the value of "hosted_button_id" and
send you to my Paypal account ?"

this

is much cleaner, more logical, more formal, and more sensible than

"No need to have this one https type really there isn't any information
you enter on it..."

On Tue, Feb 6, 2018 at 1:10 PM, Denis Fondras  wrote:

> > If you actually donate and click on any links there you would see it
> > bring you to a secure page.
> >
>
> But is this the right link ? Can I update the value of "hosted_button_id"
> and
> send you to my Paypal account ?
>
> Denis
>
>


Re: OpenBSD Foundation on HTTPS

2018-02-06 Thread Charlie Eddy
agreed - using HTTP instead of HTTPS is a great way to encourage that
activity, and since I love having my head in the sand like an ostrich I
encourage us to not encrypt the donation links to the most secure operating
system available to the public. That way we can't donate securely to the
foundation we support - the sand is great from down here

On Tue, Feb 6, 2018 at 3:32 AM, Hess THR  wrote:

> troll on
>
> hey, yeah, you are absolutely right!
>
> no one would ever modify (since plain http) the example.:
>
> http://www.openbsdfoundation.org/donations.html
>
> page, where are the PayPal donation links, bitcoin donation links are,
> without anybody noticing!
>
> Why would someone do something like this? we live in a perfect world
> without bad people! yay pink ponies!
>
> troll off
>
>
> > Sent: Tuesday, February 06, 2018 at 12:23 PM
> > From: "Ian Sutton" 
> > To: "Hess THR" 
> > Cc: "misc@OpenBSD.org" 
> > Subject: Re: OpenBSD Foundation on HTTPS
> >
> > Hi,
> >
> > There is no need. There is nothing secret on those web servers, there
> > is no logical reason to encrypt it. This issue has been discussed to
> > death. Please check archives.
> >
> > Ian
> >
> > On Tue, Feb 6, 2018 at 4:03 AM, Hess THR  wrote:
> > > Hello,
> > >
> > > because HTTPS increases the authenticity, integrity, privacy:
> > > https://en.wikipedia.org/wiki/HTTPS
> > >
> > > going to apache/iis/nginx/linux will not increase "security". since
> > > they have very buggy code.
> > >
> > > but for HTTPS, luckily, OpenBSD has LibreSSL. Or are we not trusting
> > > the code in the base?
> > >
> > >
> > >> Sent: Friday, December 15, 2017 at 12:11 PM
> > >> From: "Vivek Vinod" 
> > >> To: "Hess THR" 
> > >> Subject: Re: OpenBSD Foundation on HTTPS
> > >>
> > >> 1) Why do you want https support?
> > >> 2) Most websites use IIS, Apache or Nginx. Maybe you should suggest
> > >> we shift to IIS as well? Wait, I guess more people use Linux, so we
> > >> should stop using OpenBSD all together.
> > >>
> > >>
> > >> -Original Message-
> > >> From:  on behalf of Hess THR <hessnovth...@mail.com>
> > >> Date: Friday, 15 December 2017 at 4:20 PM
> > >> To: , 
> > >> Subject: OpenBSD Foundation on HTTPS
> > >>
> > >> Hello, Just noticed that the: http://www.openbsdfoundation.org/ doesn't
> > >> supports HTTPS, while in 2017 Dec, ~70% of the websites does:
> > >> https://letsencrypt.org/stats/#percent-pageloads Can we have HTTPS for
> > >> the OpenBSD Foundation? Which Official OpenBSD related domain hasn't got
> > >> HTTPS yet? I wish you happy holidays and again, Thanks for all the work!
> > >> BTW, wow:
> > >> https://www.reddit.com/r/Bitcoin/comments/7jj0oa/im_donating_5057_btc_to_charitable_causes/dr6q6tj/?context=3
> > >>
> > >
> >
>
>


Re: Disable external USB devices

2018-01-24 Thread Charlie Eddy
oh and lastly to understand a bit more about why you don't need to be an
ultrasmart blackhat:
even USB keyboards are dangerous and lots of things can pretend to be usb
https://www.youtube.com/watch?v=00A36VABIA4

and postscript:
for a usb firewall, so to speak, https://wiki.wireshark.org/CaptureSetup/USB
Can probably get it done with usbmon and libpcap. Could get a poc in scapy
Probably iptables can be reused
Prevent both rubber duckies and packet injection attacks against bluetooth
mice that are seen as keyboards

On Wed, Jan 24, 2018 at 4:40 PM, Charlie Eddy <charlie.e...@occipital.com>
wrote:

> Hi stefan,
> i asked this a bit ago (or similar)
> 1. https://usbguard.github.io/
> 2. you can just disable USB ports or controller in BIOS, but that's not
> exciting at all.
> 3. this diff, which one person used once:
>
> Index: sys/dev/usb/uhub.c
> ===
> RCS file: /cvs/src/sys/dev/usb/uhub.c,v
> retrieving revision 1.89
> diff -u -p -u -r1.89 uhub.c
> --- sys/dev/usb/uhub.c  2 Sep 2016 09:14:59 -   1.89
> +++ sys/dev/usb/uhub.c  1 Jan 2017 22:52:53 -
> @@ -55,6 +55,9 @@
>  #define DEVNAME(sc)((sc)->sc_dev.dv_xname)
> +/* controls enabling/disabling of USB bus probing */
> +int busprobe = 1;
> +
>  struct uhub_softc {
> struct device   sc_dev; /* base device */
> struct usbd_device  *sc_hub;/* USB device */
> @@ -439,6 +442,9 @@ uhub_explore(struct usbd_device *dev)
> usbd_clear_port_feature(sc->sc_hub, port,
> UHF_C_PORT_LINK_STATE);
> }
> +
> +   if (!busprobe)
> +   return (0);
> /* Recursive explore. */
> if (up->device != NULL && up->device->hub != NULL)
> Index: sys/dev/usb/usb.c
> ===
> RCS file: /cvs/src/sys/dev/usb/usb.c,v
> retrieving revision 1.111
> diff -u -p -u -r1.111 usb.c
> --- sys/dev/usb/usb.c   18 May 2016 18:28:58 -  1.111
> +++ sys/dev/usb/usb.c   1 Jan 2017 22:52:53 -
> @@ -87,6 +87,8 @@ int   usb_noexplore = 0;
>  #define DPRINTFN(n,x)
>  #endif
> +extern int busprobe;
> +
>  struct usb_softc {
> struct devicesc_dev;/* base device */
> struct usbd_bus  *sc_bus;   /* USB controller */
> @@ -607,6 +609,14 @@ usbioctl(dev_t devt, u_long cmd, caddr_t
>  #endif
> break;
>  #endif /* USB_DEBUG */
> +   case USB_GET_BUS_PROBE:
> +   *(unsigned int *)data = busprobe;
> +   break;
> +   case USB_SET_BUS_PROBE:
> +   if ((error = suser(curproc, 0)) != 0)
> +   return (error);
> +   busprobe = !!*(unsigned int *)data;
> +   break;
> case USB_REQUEST:
> {
> struct usb_ctl_request *ur = (void *)data;
> Index: sys/dev/usb/usb.h
> ===
> RCS file: /cvs/src/sys/dev/usb/usb.h,v
> retrieving revision 1.57
> diff -u -p -u -r1.57 usb.h
> --- sys/dev/usb/usb.h   19 Jun 2016 22:13:07 -  1.57
> +++ sys/dev/usb/usb.h   1 Jan 2017 22:52:53 -
> @@ -760,6 +760,8 @@ struct usb_device_stats {
>  #define USB_DEVICE_GET_CDESC   _IOWR('U', 6, struct usb_device_cdesc)
>  #define USB_DEVICE_GET_FDESC   _IOWR('U', 7, struct usb_device_fdesc)
>  #define USB_DEVICE_GET_DDESC   _IOWR('U', 8, struct usb_device_ddesc)
> +#define USB_GET_BUS_PROBE  _IOR ('U', 9,  unsigned int)
> +#define USB_SET_BUS_PROBE  _IOW ('U', 10, unsigned int)
>  /* Generic HID device */
>  #define USB_GET_REPORT_DESC_IOR ('U', 21, struct usb_ctl_report_desc)
> Index: usr.sbin/usbdevs/usbdevs.8
> ===
> RCS file: /cvs/src/usr.sbin/usbdevs/usbdevs.8,v
> retrieving revision 1.9
> diff -u -p -u -r1.9 usbdevs.8
> --- usr.sbin/usbdevs/usbdevs.8  26 Jun 2008 05:42:21 -  1.9
> +++ usr.sbin/usbdevs/usbdevs.8  1 Jan 2017 22:52:53 -
> @@ -39,6 +39,7 @@
>  .Op Fl dv
>  .Op Fl a Ar addr
>  .Op Fl f Ar dev
> +.Op Fl p Ns Op Ar on | off
>  .Sh DESCRIPTION
>  .Nm
>  prints a listing of all USB devices connected to the system
> @@ -53,6 +54,10 @@ Only print information about the device
>  Show the device drivers associated with each device.
>  .It Fl f Ar dev
>  Only print information for the given USB controller.
> +.It Fl p Ns Op Ar on | off
> +Enable or disable USB bus probing.  The default
> +is
> +.Ar on .
>  .It Fl v
>  Be verbose.
>  .El
> Index: usr.sbin/usbdevs/u
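As an added example for the keystroke-injection concern raised in the two messages above (this is not from the thread, and it is not a policy shipped with the usbguard project linked there), here is a rules file in the usbguard rule language as documented in usbguard-rules.conf(5). usbguard is Linux-only, so this is the userland equivalent of what the OpenBSD kernel diff above attempts; the vendor/product ids, serial and hash values are placeholders to be replaced with the output of `usbguard list-devices` on a known-clean machine.

```text
# /etc/usbguard/rules.conf  (added example; ids, serials and hashes are placeholders)

# Root hubs of the host controllers that are always present.
allow id 1d6b:0002 serial "0000:00:14.0" name "xHCI Host Controller" with-interface 09:00:00
allow id 1d6b:0003 serial "0000:00:14.0" name "xHCI Host Controller" with-interface 09:00:00

# The one keyboard this machine is supposed to have, pinned by the descriptor
# hash usbguard computes (take it from `usbguard list-devices`), and required to
# present nothing but a HID boot-keyboard interface.
allow hash "REPLACE_WITH_DEVICE_HASH" with-interface equals { 03:01:01 }

# Any further device that offers a keyboard interface while a keyboard is
# already allowed is a rubber ducky, a BadUSB stick, or a wireless dongle that
# also registers a keyboard: block it (block = can be unblocked by an admin).
# 03:01:01 is HID boot keyboard, 03:00:01 the generic HID keyboard form.
block with-interface one-of { 03:00:01 03:01:01 } if allowed-matches(with-interface one-of { 03:00:01 03:01:01 })

# Mass storage combined with HID or with a wireless controller is the classic
# injection combination; reject it outright (reject = device is removed).
reject with-interface all-of { 08:*:* 03:*:* }
reject with-interface all-of { 08:*:* e0:*:* }

# Everything not matched above falls through to the daemon's implicit policy;
# set ImplicitPolicyTarget=block in usbguard-daemon.conf so the default is deny.
```

Generate a starting point with `usbguard generate-policy` while only trusted devices are attached, then tighten it to the shape above; the `if allowed-matches(...)` condition is what makes a second keyboard suspicious rather than merely unlisted.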

Re: Disable external USB devices

2018-01-24 Thread Charlie Eddy
Hi stefan,
i asked this a bit ago (or similar)
1. https://usbguard.github.io/
2. you can just disable USB ports or controller in BIOS, but that's not
exciting at all.
3. this diff, which one person used once:

Index: sys/dev/usb/uhub.c
===
RCS file: /cvs/src/sys/dev/usb/uhub.c,v
retrieving revision 1.89
diff -u -p -u -r1.89 uhub.c
--- sys/dev/usb/uhub.c  2 Sep 2016 09:14:59 -   1.89
+++ sys/dev/usb/uhub.c  1 Jan 2017 22:52:53 -
@@ -55,6 +55,9 @@
 #define DEVNAME(sc)((sc)->sc_dev.dv_xname)
+/* controls enabling/disabling of USB bus probing */
+int busprobe = 1;
+
 struct uhub_softc {
struct device   sc_dev; /* base device */
struct usbd_device  *sc_hub;/* USB device */
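Review bot: a second global probe switch next to the existing `usb_noexplore` flag (visible in the usb.c hunk header `@@ -87,6 +87,8 @@ int usb_noexplore = 0;`) invites confusion; either reuse that flag or extend the comment on `busprobe` to say how the two differ, and declare it in the shared USB header (usbdivar.h) instead of a file-scope definition here that usb.c then has to redeclare.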
@@ -439,6 +442,9 @@ uhub_explore(struct usbd_device *dev)
usbd_clear_port_feature(sc->sc_hub, port,
UHF_C_PORT_LINK_STATE);
}
+
+   if (!busprobe)
+   return (0);
/* Recursive explore. */
if (up->device != NULL && up->device->hub != NULL)
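Review bot: the early `return (0)` sits inside the per-port loop (the lines just above clear a per-port change bit with usbd_clear_port_feature()), so with probing off the hub has already been told the port's changes were handled, the device is never attached, and the remaining ports plus the recursive explore of child hubs are skipped for this call. Check `busprobe` once at the top of uhub_explore(), or skip only the new-device path, and document that a device plugged in while probing is off will not appear until its port reports a fresh connect change.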
Index: sys/dev/usb/usb.c
===
RCS file: /cvs/src/sys/dev/usb/usb.c,v
retrieving revision 1.111
diff -u -p -u -r1.111 usb.c
--- sys/dev/usb/usb.c   18 May 2016 18:28:58 -  1.111
+++ sys/dev/usb/usb.c   1 Jan 2017 22:52:53 -
@@ -87,6 +87,8 @@ int   usb_noexplore = 0;
 #define DPRINTFN(n,x)
 #endif
+extern int busprobe;
+
 struct usb_softc {
struct devicesc_dev;/* base device */
struct usbd_bus  *sc_bus;   /* USB controller */
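Review bot: `extern int busprobe;` in a .c file bypasses the header; put the declaration in usbdivar.h so uhub.c and usb.c share one prototype and a later type change cannot diverge silently.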
@@ -607,6 +609,14 @@ usbioctl(dev_t devt, u_long cmd, caddr_t
 #endif
break;
 #endif /* USB_DEBUG */
+   case USB_GET_BUS_PROBE:
+   *(unsigned int *)data = busprobe;
+   break;
+   case USB_SET_BUS_PROBE:
+   if ((error = suser(curproc, 0)) != 0)
+   return (error);
+   busprobe = !!*(unsigned int *)data;
+   break;
case USB_REQUEST:
{
struct usb_ctl_request *ur = (void *)data;
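Review bot: USB_SET_BUS_PROBE is guarded only by suser(), so anyone with root can flip probing back on; if the point is to resist a device plugged into an unattended or compromised box, make re-enabling one-way or securelevel-gated (for example refuse to set `busprobe` back to 1 when securelevel > 0) and say so in the man page. Note also that `busprobe` is one global while the ioctl is issued on a per-controller usb_softc node, so toggling it through any /dev/usbN affects every bus.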
Index: sys/dev/usb/usb.h
===
RCS file: /cvs/src/sys/dev/usb/usb.h,v
retrieving revision 1.57
diff -u -p -u -r1.57 usb.h
--- sys/dev/usb/usb.h   19 Jun 2016 22:13:07 -  1.57
+++ sys/dev/usb/usb.h   1 Jan 2017 22:52:53 -
@@ -760,6 +760,8 @@ struct usb_device_stats {
 #define USB_DEVICE_GET_CDESC   _IOWR('U', 6, struct usb_device_cdesc)
 #define USB_DEVICE_GET_FDESC   _IOWR('U', 7, struct usb_device_fdesc)
 #define USB_DEVICE_GET_DDESC   _IOWR('U', 8, struct usb_device_ddesc)
+#define USB_GET_BUS_PROBE  _IOR ('U', 9,  unsigned int)
+#define USB_SET_BUS_PROBE  _IOW ('U', 10, unsigned int)
 /* Generic HID device */
 #define USB_GET_REPORT_DESC_IOR ('U', 21, struct usb_ctl_report_desc)
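Review bot: before claiming _IOR('U', 9) and _IOW('U', 10), check the rest of usb.h for existing users of those numbers; only 6, 7, 8 and 21 are visible in this hunk, and a clash would silently alias an unrelated ioctl. The kernel variable is `int busprobe` in the uhub.c hunk while the ioctl payload is `unsigned int`; pick one type for both.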
Index: usr.sbin/usbdevs/usbdevs.8
===
RCS file: /cvs/src/usr.sbin/usbdevs/usbdevs.8,v
retrieving revision 1.9
diff -u -p -u -r1.9 usbdevs.8
--- usr.sbin/usbdevs/usbdevs.8  26 Jun 2008 05:42:21 -  1.9
+++ usr.sbin/usbdevs/usbdevs.8  1 Jan 2017 22:52:53 -
@@ -39,6 +39,7 @@
 .Op Fl dv
 .Op Fl a Ar addr
 .Op Fl f Ar dev
+.Op Fl p Ns Op Ar on | off
 .Sh DESCRIPTION
 .Nm
 prints a listing of all USB devices connected to the system
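Review bot: `.Op Fl p Ns Op Ar on | off` documents an option with an optional argument (`-pon`, `-poff`, or bare `-p`), which getopt(3) does not handle portably and which users will type as `-p on`; prefer a required argument (`.Fl p Ar on | off`) and a separate flag, or no flag at all, for querying the current state.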
@@ -53,6 +54,10 @@ Only print information about the device
 Show the device drivers associated with each device.
 .It Fl f Ar dev
 Only print information for the given USB controller.
+.It Fl p Ns Op Ar on | off
+Enable or disable USB bus probing.  The default
+is
+.Ar on .
 .It Fl v
 Be verbose.
 .El
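Review bot: the description does not say what bare `-p` does (presumably print the current state, given the `getprobe` variable in the usbdevs.c hunk), that changing the setting requires root (the kernel hunk checks suser()), or that the switch is global to all USB buses regardless of `-f dev`; add those three sentences, the default is the least interesting part.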
Index: usr.sbin/usbdevs/usbdevs.c
===
RCS file: /cvs/src/usr.sbin/usbdevs/usbdevs.c,v
retrieving revision 1.25
diff -u -p -u -r1.25 usbdevs.c
--- usr.sbin/usbdevs/usbdevs.c  22 Dec 2015 08:36:40 -  1.25
+++ usr.sbin/usbdevs/usbdevs.c  1 Jan 2017 22:52:53 -
@@ -30,14 +30,15 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
+#include 
+#include 
+#include 
+#include 
+#include 
 #include 
 #include 
 #include 
-#include 
-#include 
 #include 
-#include 
-#include 
 #include 
 #ifndef nitems
@@ -46,21 +47,23 @@
 #define USBDEV "/dev/usb"
-int verbose = 0;
-int showdevs = 0;
+int verbose;
+int showdevs;
+int getprobe;
+int setprobe;
 void usage(void);
 void usbdev(int f, int a, int rec);
 void usbdump(int f);
 void dumpone(char *name, int f, int addr);
-int main(int, char **);
+void busprobe(int f, unsigned int probe);
 extern char *__progname;
 void
 usage(void)
 {
-   fprintf(stderr, "usage: %s [-dv] [-a addr] [-f dev]\n", __progname);
+   fprintf(stderr, "usage: %s [-dv] [-a addr] [-f dev] [-p[on |
off]]\n", __progname);
exit(1);
 }
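Review bot: dropping the `int main(int, char **);` prototype is unrelated churn, and the new usage string prints `[-p[on | off]]`, which shows a space inside an argument that has to be typed as one token; match whatever the man page finally documents. The new globals `getprobe` and `setprobe` are two flags for one tri-state (query, set on, set off); a single variable would be harder to leave in an inconsistent combination, and `busprobe(int f, unsigned int probe)` already carries the value.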
@@ -177,6 +180,21 @@ dumpone(char *name, int f, int addr)
 

USB Firewall

2018-01-16 Thread Charlie Eddy
Hello,

Is there a method to detect and halt additional USB devices being added
after initializing connections? Concerned about widespread vulnerability of
keystroke injection.


After a failed checksum: What options remain?

2018-01-11 Thread Charlie Eddy
Hello,

Privateinternetaccess.org supplies secure VPNs. Their Windows installer
(v75) has a SHA256 result that does not match what is supplied on their
website.

Fucking terrible "security" solution, is it not?

As a prospective user of OpenBSD, I would hope that this never occurs, and
that free software would fulfill its promises. I am considering switching
to OpenBSD, but am afraid that I will be overcome by the difficulty of
learning Linux commands. I am not incompetent and willing to read code and
manpages, just timid, about this "big change."

As part of considering OpenBSD adoption, I am extremely focused on
security. However, trivial and fundamental issues are difficult to work
around.

My conclusion that the privateinternetaccess.org security solution is
terrible is not necessarily well-founded. The checksum could be modified
for these reasons:

- file was messed with in transit to me
- incompetent administrators did not update the checksum when they updated
the file

I suspect the latter, and unless my support ticket currently opened with
Private Internet Access is resolved to my satisfaction I will be forced to
use a free software solution. I am patient, but intolerant of stupidity.
The determination remains to be made.

GNUPG is my first step towards a cryptographically secure future. However,
in downloading it, I am confronted by a serious problem. They state the
following:

Comparing Checksums
If you are not able to use an old version of GnuPG, you can still verify
the file's SHA-1 checksum. This is less secure, because if someone modified
the files as they were transferred to you, it would not be much more effort
to modify the checksums that you see on this webpage. As such, if you use
this method, you should compare the checksums with those in release
announcement. This is sent to the gnupg-announce mailing list (among
others), which is widely mirrored. Don't use the mailing list archive on
this website, but find the announcement on several other websites and make
sure the checksum is consistent. This makes it more difficult for an
attacker to trick you into installing a modified version of the software.

As a result, I obtained an SSL/TLS server test to determine whether they
would be exposed to MITM despite their https:// prefix due to no
implementation of HSTS.

GNUPG is HSTSecure. Private Internet Access is not, another flaw in their
system.

However, the classic Orwellian security problem cannot be solved in this
case. The serious problem is that HSTS does not prevent a first-time user
from being MitM'd when they visit the site, and I may have been attacked
every single time. I have not yet verified the SHA1 sum in the archives --
are they correct in stating that this is the best method?

How can I positively verify an OpenBSD install is secure? How can
implementing secure processes begin? Do I need to write my own checker from
scratch to know that things are operating properly? That's a joke, but it's
not that funny, is it?

If a user on a compromised device installs an operating system with
privilege separation, pledges could still be meaningless. What is the
correct way to wear a tinfoil hat?

Regards
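As an added example, not part of the post and not code from any of the products it mentions, here is a small Python verifier for the two comparison steps the quoted GnuPG text describes: checking a download against a published SHA-256 line (in either the BSD `SHA256 (file) = hex` layout or the coreutils `hex  file` layout), and only trusting that line when copies obtained from independent places agree. The file name and contents are constructed, and the published lines are generated from the constructed content so the example runs offline.

```python
import hashlib
import hmac
import re
from typing import Dict, Iterable

# Both common checksum-file layouts:
#   SHA256 (file) = <hex>      (BSD sha256(1), also OpenBSD's SHA256 files)
#   <hex>  file                (GNU coreutils sha256sum; '*' marks binary mode)
BSD_RE = re.compile(r"^SHA256\s*\((?P<name>.+)\)\s*=\s*(?P<hex>[0-9a-fA-F]{64})$")
GNU_RE = re.compile(r"^(?P<hex>[0-9a-fA-F]{64})\s+\*?(?P<name>\S.*)$")


def parse_checksum_lines(lines: Iterable[str]) -> Dict[str, str]:
    """Map file name -> expected hex digest; lines in neither layout are ignored."""
    expected: Dict[str, str] = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = BSD_RE.match(line) or GNU_RE.match(line)
        if m:
            expected[m.group("name")] = m.group("hex").lower()
    return expected


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str, chunk: int = 1 << 20) -> str:
    """Digest a file on disk without loading it whole (installers are large)."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify(expected: Dict[str, str], contents: Dict[str, bytes]) -> Dict[str, str]:
    """Per-file verdict: 'ok', 'mismatch', or 'missing' when nothing was published for it."""
    verdicts: Dict[str, str] = {}
    for name, data in contents.items():
        if name not in expected:
            verdicts[name] = "missing"
        elif hmac.compare_digest(sha256_of(data), expected[name]):
            verdicts[name] = "ok"
        else:
            verdicts[name] = "mismatch"
    return verdicts


def independent_sources_agree(digests: Iterable[str]) -> bool:
    """The GnuPG advice quoted in the post: a published digest is only worth
    comparing against when the copies fetched from several independently hosted
    places (download page, mirrored announcement, ...) all agree."""
    seen = {d.strip().lower() for d in digests}
    return len(seen) == 1


# Constructed sample data: the file name and bytes are made up, and the
# published lines are derived from the good bytes so the example runs offline.
INSTALLER = b"stand-in for an installer download, version 75\n"
TAMPERED = INSTALLER + b"\x00extra"          # constructed: modified in transit
GOOD_DIGEST = sha256_of(INSTALLER)
PUBLISHED_BSD = [f"SHA256 (installer-v75.exe) = {GOOD_DIGEST}"]
PUBLISHED_GNU = [f"{GOOD_DIGEST}  installer-v75.exe"]

if __name__ == "__main__":
    expected = parse_checksum_lines(PUBLISHED_BSD)
    print(verify(expected, {"installer-v75.exe": INSTALLER}))  # {'installer-v75.exe': 'ok'}
    print(verify(expected, {"installer-v75.exe": TAMPERED}))   # {'installer-v75.exe': 'mismatch'}
```

A digest fetched over the same connection as the file only detects corruption or a stale checksum, which is the second of the two causes the post lists; it says nothing about an attacker who controls that connection. That is why the cross-check in `independent_sources_agree` exists, and why OpenBSD itself ships a `SHA256.sig` that signify(1) checks against a public key already present on the system, removing the circularity the post worries about.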


Re: Kernel memory leaking on Intel CPUs?

2018-01-10 Thread Charlie Eddy
Excuse me, I can support the far-seeing generalities in the message you
linked but am confused about the specifics. It looks like processor hangs,
and deadlock, and poorly documented page table handling by the MMU, are
concrete issues specified.

Respectfully: Are there any direct links to Meltdown or Spectre founded in
the bugs noted in these errata? Or, is this a straw man argument against a
chip manufacturer?

If there are not any direct links, but the argument against Intel itself
still stands, is that because there are other chip manufacturers who have
proven that it is possible to write unexploitable code?

Please let me know.

2018-01-10 3:21 GMT-08:00 Zbyszek Żółkiewski :

> 10 years passed, Theo de Raadt: https://marc.info/?l=openbsd-
> misc=118296441702631
>
> _
> Zbyszek Żółkiewski
>
> >
> > https://spectreattack.com/
> >
>
>


Re: obligatory leaving letter

2017-11-30 Thread Charlie Eddy
Can someone advise what occurred in NetBSD re this user?


Re: [cwm] list all available items

2017-11-30 Thread Charlie Eddy
Just a note that cwm is an old Welsh word for a mountain pass, one of the
few OED words with no vowel.


Re: ASLR: How Robust is the Randomness?

2017-11-28 Thread Charlie Eddy
Hello all,

As a newcomer to this list, I would like a recommendation on further
reading about this specific topic. I am unable to understand it, where
normally I have some comprehension of what is going on.

Thanks,
Charlie

On Tue, Nov 28, 2017 at 10:19 AM,  wrote:

> theo wrote:
> > That interpretation is wrong.
>
> Could be, I'm no genius :)
>
> > You don't understand fork+exec.
>
> Wha?
>
> > There
> > is no decision to stop using an address space after failure. Instead,
> > address spaces are intentionally split ahead of time to ensure a
> > specific pointer value is only valid in one process image. Other
> > similar load-images have unique layouts with unique pointer values.
> > So when failure happens, there is no other context where crash-learned
> > information can be reapplied in a non-crashed process image with the
> > same mapping.
>
> Uhm, how do I put this...
>
> In the old model, if an attack causes a specific child to crash, and it
> has been created using a simple fork, the parent, and all other
> children -- past, present, and future -- will *continue to use* the
> address space{, layout} that is common to them all.
>
> In the new situation, children do an exec immediately, before
> interacting with the peer. Hence, the addr space gets randomized, and
> it will not be like the parent's, or like that of any other children
> (given sufficient entropy).
>
> Hence, repeating the same attack will most likely fail.
>
> What is the part that I don't understand?
>
> > Don't change my words.
>
> Sorry, didn't mean to. It was a mere suggestion.
>
> > It is over your head. Or learn to read. Or learn to not reply before
> > you think.
>
> Criticism is welcome. Unwarranted preconceptions are not.
>
> (hmm, now what makes a preconception 'unwarranted'...?)
>
> --schaafuit.
>
>


session security on OpenBSD vs popular options

2017-11-15 Thread Charlie Eddy
Hello,

Please let me know how to find information on OpenBSD security as it
relates to web browser sessions.

For instance, I am aware that some attack vectors depend on browser
connections with OS components. What security flaws exist that OpenBSD
specifically is able to address?

Thanks,
Charlie Eddy


Re: is there something missing in pledge?

2017-10-23 Thread Charlie Eddy
I don't know how much Dutch Theo may or may not have, but this is the
funniest OpenBSD discussion ever.