Re: OpenBSD 4.1 Torrents
Why do you ask this every release? Why wasn't the answer last time good enough for you?

On Tue, May 08, 2007 at 02:35:37AM +0200, Sebastian Rother wrote:
> Guys if you really care about security why does nobody ask about using gzsig. Even usable for the packages...
>
> Kind regards,
> Sebastian
Re: OpenBSD 4.1 Torrents
On Tue, 8 May 2007 07:28:32 -0500 Marco Peereboom [EMAIL PROTECTED] wrote:
> Why do you ask this every release? Why wasn't the answer last time good enough for you?

You missed the point. I didn't ask but mentioned gzsig as an alternative to MD5 hashes and other things which are mentioned in the thread.

Kind regards,
Sebastian
Re: OpenBSD 4.1 Torrents
2007/5/7, Adam Hawes [EMAIL PROTECTED]:
> MD5 is proven weak. It's possible to take almost any file and its MD5 then create an identically sized file with the same hash in a reasonable time. This can be used to pass out an arbitrary CD image that completely trashes the contents of your hard disk. It doesn't even need to be OpenBSD on the CD.

You're mixing collision and preimage attacks. The former are possible, the latter not.

Still, it's certainly time to switch to something better. PGP comes to mind...

Best
Martin
Re: OpenBSD 4.1 Torrents
On Mon, May 07, 2007 at 11:57:50AM +0200, Martin Schröder wrote:
> 2007/5/7, Adam Hawes [EMAIL PROTECTED]:
>> MD5 is proven weak. It's possible to take almost any file and its MD5 then create an identically sized file with the same hash in a reasonable time. This can be used to pass out an arbitrary CD image that completely trashes the contents of your hard disk. It doesn't even need to be OpenBSD on the CD.
>
> You're mixing collision and preimage attacks. The former are possible, the latter not.
>
> Still, it's certainly time to switch to something better. PGP comes to mind...
>
> Best
> Martin

Not specifically to you, Martin..

- Instead of writing silly emails about theoretical md5 attacks and wasting everyone's time, how about sending a damn patch to tech@ that 'fixes' it?

MD5 sums are meant to be used for verification of a downloaded file in case of transmit errors. If you own ftp.openbsd.org and upload trojaned binaries, how hard is it to update the damn checksums file? It's like rocket science, yes!! Really hard!

But, but, but, I'm clever, I will use checksums from another server!!1!

Yes, of course, the only problem is that these other servers rsync in 2-8 hour intervals, which is a very tiny window to detect anything. Even if you do, it's highly questionable that you will be clever enough to ask yourself why they updated the filesets and run a bindiff on them to check if it is trojaned or a legitimate update.

When was the last commit to any of these projects from you guys:
http://netbsd-soc.sourceforge.net/projects/bpg/TODO
http://openpgp.nominet.org.uk/cgi-bin/trac.cgi
hmm?

Btw, pgp requires a working web of trust, it's not secure just because you can sign something. Joe Cracker can easily generate a key with Theo de Raadt [EMAIL PROTECTED] and provide you with signed filesets. Who steps up to organise key signing parties, worldwide?

SCNR,
Tobias
Re: OpenBSD 4.1 Torrents
On 5/7/07, Tobias Ulmer [EMAIL PROTECTED] wrote:
> Btw, pgp requires a working web of trust, it's not secure just because you can sign something. Joe Cracker can easily generate a key with Theo de Raadt [EMAIL PROTECTED] and provides you with signed filesets. Who steps up to organise key signing parties, worldwide?

Easy enough, distributed on the CDROM you buy at release time. :)

DS
Re: OpenBSD 4.1 Torrents
Guys if you really care about security why does nobody ask about using gzsig. Even usable for the packages...

Kind regards,
Sebastian
Re: OpenBSD 4.1 Torrents
> Um, can you cite a single *real world* example of where md5 sums have been co-opted in any way? Yes, md5 now has a weakness, but really, are there any cases of anyone having actually exploited it?

It's that kind of attitude that is responsible for probably more than half of the breaches that happen. Show me someone who wants to attack _my_ company; there's nothing here worth getting! Attackers don't care. They'll often exploit something for the sake of having done it. They don't see a company (usually). They see a machine they can gain control of and use for their own means.

MD5 is proven weak. It's possible to take almost any file and its MD5 then create an identically sized file with the same hash in a reasonable time. This can be used to pass out an arbitrary CD image that completely trashes the contents of your hard disk. It doesn't even need to be OpenBSD on the CD.

> This isn't about IF the problem will occur, but WHEN! There is a known exploit and anybody who doesn't take steps to mitigate that now is just crazy (or lazy).

The original point is that BitTorrent makes it easy to seed this kind of crap. Torrent not an official source, but you can easily create OpenBSD-4.1.torrent from your new file with a matching MD5 to the official and sit back and laugh as people start posting to the openbsd forums "j00 1337 BSD h4x0rz are w4nx0rz for 3r4z1ng my d15k5"

> I'm not an expert on this, but I do read. Enlightenment is encouraged if I'm missing something here.

Explains the paragraph above :)

Cheers,
Adam
Re: OpenBSD 4.1 Torrents
On 5/6/07, Adam Hawes [EMAIL PROTECTED] wrote:
> Um, can you cite a single *real world* example of where md5 sums have been co-opted in any way? Yes, md5 now has a weakness, but really, are there any cases of anyone having actually exploited it?

That is not my point. My point is that if MD5 is weak, attackers *will* begin to exploit such a weakness. This isn't about IF the problem will occur, but WHEN! There is a known exploit and anybody who doesn't take steps to mitigate that now is just crazy (or lazy).

Cryptographic attacks grow easier as time goes on. The attack is improved, the cost of a CPU cycle goes down... We need to change to SHA256 or SHA512 now instead of when script kitties will regularly be forging MD5 hashes.
Re: OpenBSD 4.1 Torrents
Open Phugu wrote:
> From a project that has always placed security before everything, I do not understand the motivation behind not using a secure algorithm such as SHA-256 or SHA-512.

Maybe they just understand the security implications better than you do.

---
Lars Hansson
Re: OpenBSD 4.1 Torrents
Open Phugu wrote:
> On 5/6/07, Adam Hawes [EMAIL PROTECTED] wrote:
>> Um, can you cite a single *real world* example of where md5 sums have been co-opted in any way? Yes, md5 now has a weakness, but really, are there any cases of anyone having actually exploited it?
>
> That is not my point. My point is that if MD5 is weak, attackers *will* begin to exploit such a weakness. This isn't about IF the problem will occur, but WHEN! There is a known exploit and anybody who doesn't take steps to mitigate that now is just crazy (or lazy).
>
> Cryptographic attacks grow easier as time goes on. The attack is improved, the cost of a CPU cycle goes down... We need to change to SHA256 or SHA512 now instead of when script kitties will regularly be forging MD5 hashes.

remember that collisions != arbitrary code can be inserted unless attacker has control over the good files. search the archives.
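The distinction Martin and the reply above are making (a collision, where the attacker chooses both files, versus a second preimage, where the attacker must match an already-published file) is a matter of cost. The following is an added example, not code from anyone in this thread: it truncates MD5 to 16 bits so that both searches finish in well under a second, and counts how many trial inputs each needs. The target message and the candidate inputs are constructed here; the generic costs returned by generic_work are the textbook bounds for an ideal n-bit hash (a birthday-bound collision at about 2^(n/2), a preimage at 2^n) and say nothing about the specific MD5 weaknesses the thread cites.

```python
"""Collision search versus second-preimage search on a truncated MD5.

Added example, not from the thread. MD5 is truncated to `bits` bits so a
brute-force demo is feasible; the point is the gap between the two counts.
"""
import hashlib

# Constructed stand-in for a published release file whose hash is already known.
TARGET = b"constructed: contents of a published release file"


def truncated_md5(data: bytes, bits: int) -> int:
    """Top `bits` bits of MD5(data); bits must be in 1..32 for this demo."""
    return int.from_bytes(hashlib.md5(data).digest()[:4], "big") >> (32 - bits)


def find_collision(bits: int):
    """Birthday search: the attacker chooses BOTH inputs.

    Returns (m1, m2, attempts). Candidates are distinct counter values, so
    m1 != m2 is guaranteed; by pigeonhole a collision appears within 2**bits + 1
    attempts, and on average after roughly sqrt(2**bits) attempts.
    """
    seen = {}
    attempts = 0
    while True:
        candidate = attempts.to_bytes(4, "big")
        attempts += 1
        h = truncated_md5(candidate, bits)
        if h in seen:
            return seen[h], candidate, attempts
        seen[h] = candidate


def find_second_preimage(target: bytes, bits: int, max_attempts: int):
    """Second-preimage search: the attacker must hit the hash of a FIXED file.

    Returns (candidate, attempts), or (None, max_attempts) if the budget runs
    out. On average this needs about 2**bits attempts, not sqrt(2**bits).
    """
    want = truncated_md5(target, bits)
    for i in range(max_attempts):
        candidate = b"alt-" + i.to_bytes(4, "big")  # never equal to `target`
        if truncated_md5(candidate, bits) == want:
            return candidate, i + 1
    return None, max_attempts


def generic_work(bits: int):
    """Generic attack cost for an ideal n-bit hash: (collision, second preimage).

    These bounds apply to cryptographic hashes only; a CRC is linear and can be
    matched directly, which is why cksum(1) output is not tamper-evident at all.
    """
    return 2 ** (bits // 2), 2 ** bits


def demo(bits: int = 16):
    """Run both searches at a small width and report the counts side by side."""
    m1, m2, coll_attempts = find_collision(bits)
    pre, pre_attempts = find_second_preimage(TARGET, bits, max_attempts=(2 ** bits) * 8)
    return {
        "bits": bits,
        "collision": (m1, m2, coll_attempts),
        "second_preimage": (pre, pre_attempts),
        "generic_cost": generic_work(bits),
    }


if __name__ == "__main__":
    result = demo()
    print("truncated to %d bits" % result["bits"])
    print("collision found after %d attempts" % result["collision"][2])
    print("second preimage found after %d attempts" % result["second_preimage"][1])
    print("generic bounds (collision, preimage): %s" % (result["generic_cost"],))
```

At 16 bits the collision typically appears after a few hundred attempts and the second preimage after tens of thousands; at MD5's full 128 bits the same ratio is 2^64 against 2^128, which is the asymmetry behind "collisions != arbitrary code can be inserted unless the attacker controls the good files".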
Re: OpenBSD 4.1 Torrents
> Just out of curiosity... Is it logical to use an OS for the intense focus on security and correctness, yet download the binaries from a random person on a mailing list instead of any official source with reasonable file integrity checking process in place?

From: http://toolbar.netcraft.com/site_report?url=ftp.openbsd.org

Site: http://ftp.openbsd.org
Reverse DNS: openbsd.sunsite.ualberta.ca
Netblock Owner: University of Alberta, 1030 General Services Building, Edmonton, CA
IP address: 129.128.5.191
OS: Solaris
Web Server: Apache/1.3.34 Unix PHP/4.4.2 mod_perl/1.27
Last changed: 17-Apr-2007

What security!!

FYI: A trojaned version of the OpenSSH package has been found to reside on ftp.openbsd.org's server.
http://www.mavetju.org/unix/openssh-trojan.php
http://www.openssh.org/txt/trojan.adv

Do you remember?

--
JS
Re: OpenBSD 4.1 Torrents
On Sat, May 05, 2007 at 12:43:34PM +0200, Justin Smith wrote:
>> Just out of curiosity... Is it logical to use an OS for the intense focus on security and correctness, yet download the binaries from a random person on a mailing list instead of any official source with reasonable file integrity checking process in place?
>
> From: http://toolbar.netcraft.com/site_report?url=ftp.openbsd.org
>
> Site: http://ftp.openbsd.org
> Reverse DNS: openbsd.sunsite.ualberta.ca
> Netblock Owner: University of Alberta, 1030 General Services Building, Edmonton, CA
> IP address: 129.128.5.191
> OS: Solaris
> Web Server: Apache/1.3.34 Unix PHP/4.4.2 mod_perl/1.27
> Last changed: 17-Apr-2007
>
> What security!!
>
> FYI: A trojaned version of the OpenSSH package has been found to reside on ftp.openbsd.org's server.
> http://www.mavetju.org/unix/openssh-trojan.php
> http://www.openssh.org/txt/trojan.adv
>
> Do you remember?
>
> --
> JS

Yes but it's still an official source. It's a static server that has some level of attention by an admin team. Contrast that with whatever guy puts up a torrent tracker and posts on a mailing list. Getting from "the solaris box at www." to "hey man download openbsd from me" is not the same thing.
Re: OpenBSD 4.1 Torrents
> Speaking of this, when will the OpenBSD project begin to post SHA256 hashes to the ftp sites. MD5 is dead: these two files are different and yet have the same MD5 hash.
> http://www.cits.rub.de/imperia/md/content/magnus/letter_of_rec.ps
> http://www.cits.rub.de/imperia/md/content/magnus/order.ps

Great. Could you please show me the link to files that have the same length and MD5 as those in the 4.1 release?
Re: OpenBSD 4.1 Torrents
On Fri, May 04, 2007 at 10:34:33AM -0400, John Fiore wrote:
| Speaking of this, when will the OpenBSD project begin to post SHA256 hashes to the ftp sites. MD5 is dead: these two files are different and yet have the same MD5 hash.
| http://www.cits.rub.de/imperia/md/content/magnus/letter_of_rec.ps
| http://www.cits.rub.de/imperia/md/content/magnus/order.ps
|
|
| Great. Could you please show me the link to files that have the same length and MD5 as those in the 4.1 release?

Don't forget that they should also be valid gzip'ed tar archives, and (to properly use as an attack vector) extract to just about the same set of files (with your trojaned binaries) as the originals.

Good luck !

Paul 'WEiRD' de Weerd

--
[++-]+++.+++[---].+++[+ +++-].++[-]+.--.[-] http://www.weirdnet.nl/
Re: OpenBSD 4.1 Torrents
On 2007/05/04 17:03, Paul de Weerd wrote:
> Don't forget that they should also be valid gzip'ed tar archives

that makes things *significantly* easier: valid gzip + random crap = valid gzip
Re: OpenBSD 4.1 Torrents
On 5/4/07, John Fiore [EMAIL PROTECTED] wrote:
>> Speaking of this, when will the OpenBSD project begin to post SHA256 hashes to the ftp sites. MD5 is dead: these two files are different and yet have the same MD5 hash.
>> http://www.cits.rub.de/imperia/md/content/magnus/letter_of_rec.ps
>> http://www.cits.rub.de/imperia/md/content/magnus/order.ps
>
> Great. Could you please show me the link to files that have the same length and MD5 as those in the 4.1 release?

That means nothing. If the OpenBSD project used a CRC16 to verify integrity, your argument would still hold. What matters is the ease of finding colliding files. While finding a file that has the same MD5 as an official file is hard, it seems ridiculous to trust the security of downloaded files using an algorithm that is known to be insecure. From a project that has always placed security before everything, I do not understand the motivation behind not using a secure algorithm such as SHA-256 or SHA-512.
Re: OpenBSD 4.1 Torrents
>> Great. Could you please show me the link to files that have the same length and MD5 as those in the 4.1 release?
>
> That means nothing. If the OpenBSD project used a CRC16 to verify integrity, your argument would still hold.

I wasn't aware that I made an argument. I simply asked a question, and the reason why you're unable to answer the question is that it is still hard to find collisions to the files in the 4.1 release in a way that it is not hard to find collisions in .exe's, scripts, postscript documents (which are themselves code to be interpreted by printers), etc.

> everything, I do not understand the motivation behind not using a secure algorithm such as SHA-256 or SHA-512.

Your point is taken, however, can you illustrate the threat against which the stronger hash is to protect? If the threat is that someone will redirect you to a fake openbsd.org (through DNS cache poisoning, etc.), the stronger hash offers no protection. If there's a man in the middle, it similarly offers you no more protection, and the same is true if someone manages to hack openbsd.org and upload different binaries.

I agree that there are stronger cryptographic hashes, but should they really make you sleep better at night? You used phrases such as "known to be insecure" and "MD5 is dead". My question is: dead for what purpose? MD4 is certainly more insecure than MD5, yet I suspect that many of us use rsync daily and don't give it another thought.
Re: OpenBSD 4.1 Torrents
On Friday 04 May 2007 13:46:12 Open Phugu wrote:
> On 5/4/07, John Fiore [EMAIL PROTECTED] wrote:
>>> Speaking of this, when will the OpenBSD project begin to post SHA256 hashes to the ftp sites. MD5 is dead: these two files are different and yet have the same MD5 hash.
>>> http://www.cits.rub.de/imperia/md/content/magnus/letter_of_rec.ps
>>> http://www.cits.rub.de/imperia/md/content/magnus/order.ps
>>
>> Great. Could you please show me the link to files that have the same length and MD5 as those in the 4.1 release?
>
> That means nothing. If the OpenBSD project used a CRC16 to verify integrity, your argument would still hold. What matters is the ease of finding colliding files. While finding a file that has the same MD5 as an official file is hard, it seems ridiculous, to trust the security of downloaded files using an algorithm that is known to be insecure. From a project that has always placed security before everything, I do not understand the motivation behind not using a secure algorithm such as SHA-256 or SHA-512.

Um, can you cite a single *real world* example of where md5 sums have been co-opted in any way? Yes, md5 now has a weakness, but really, are there any cases of anyone having actually exploited it?

Note that the ports are using better hashes for 4.1-current. I'll bet that the 4.2 release will too, because it's the right thing to do, but it isn't a flaming emergency.

I'm not an expert on this, but I do read. Enlightenment is encouraged if I'm missing something here.

--STeve Andre'
Re: OpenBSD 4.1 Torrents
On 5/4/07, John Fiore [EMAIL PROTECTED] wrote:
> Your point is taken, however, can you illustrate the threat against which the stronger hash is to protect? If the threat is that someone will redirect you to a fake openbsd.org (through DNS cache poisoning, etc.), the stronger hash offers no protection. If there's a man in the middle, it similarly offers you no more protection, and the same is true if someone manages to hack openbsd.org and upload different binaries.

You are completely correct. A stronger hash will do nothing against such an attack. However, my argument was that since attacks on MD5 will just be easier as cryptanalytic techniques improve and CPU time becomes cheaper, it makes no sense to keep using it when stronger hashes are available.
Re: OpenBSD 4.1 Torrents
If you participate on this list, buy the cds. This isn't your flavor of the week linux distro.

On 5/2/07, Matiss Miglans [EMAIL PROTECTED] wrote:
> I think there are checksums only for the base system, without X, source, ports, packages, etc. Or, I don't know where to find them.
>
> Open Phugu wrote:
>> On 5/2/07, Mike Erdely [EMAIL PROTECTED] wrote:
>>> On Wed, May 02, 2007 at 08:07:10PM -0400, Clint M. Sand wrote:
>>>> On Tue, May 01, 2007 at 02:33:50PM -0700, andrew fresh wrote:
>>>>> http://openbsd.somedomain.net/index.php?version=4.1
>>>>
>>>> Just out of curiosity... Is it logical to use an OS for the intense focus on security and correctness, yet download the binaries from a random person on a mailing list instead of any official source with reasonable file integrity checking process in place?
>>>>
>>>> Seems odd that people would use OpenBSD because they trust the code, yet download the binaries from random torrents on the internet.
>>>
>>> man 1 cksum
>>> ftp://ftp5.usa.openbsd.org/pub/OpenBSD/4.1/i386/CKSUM
>>
>> Seems odd that people would use OpenBSD because they trust the code, yet use a CRC32 to verify the integrity of said operating system.
>>
>> Speaking of this, when will the OpenBSD project begin to post SHA256 hashes to the ftp sites. MD5 is dead: these two files are different and yet have the same MD5 hash.
>> http://www.cits.rub.de/imperia/md/content/magnus/letter_of_rec.ps
>> http://www.cits.rub.de/imperia/md/content/magnus/order.ps
Re: OpenBSD 4.1 Torrents
Hello!

On Tue, May 01, 2007 at 02:33:50PM -0700, andrew fresh wrote:
> Probably everyone knows already, but I just wanted to get the word out that there are OpenBSD 4.1 torrents now on the torrent site:
> http://openbsd.somedomain.net/index.php?version=4.1
>
> So far they are mostly just the files off of the CDs, but as I get synced up, the package torrents will update.

And again, I'll d/l and then seed some of them for a while, at least to upload more than I've downloaded.

Kind regards,
Hannah.
Re: OpenBSD 4.1 Torrents
just remember to make a donation to the OpenBSD project if you choose to acquire OpenBSD via any download site.

g.day
diana
Re: OpenBSD 4.1 Torrents
On Tue, May 01, 2007 at 02:33:50PM -0700, andrew fresh wrote:
> Probably everyone knows already, but I just wanted to get the word out that there are OpenBSD 4.1 torrents now on the torrent site:
> http://openbsd.somedomain.net/index.php?version=4.1
>
> So far they are mostly just the files off of the CDs, but as I get synced up, the package torrents will update.
>
> l8rZ,
> --
> andrew - ICQ# 253198 - Jabber: [EMAIL PROTECTED]
>
> BOFH excuse of the day: The Borg tried to assimilate your system. Resistance is futile.

Just out of curiosity... Is it logical to use an OS for the intense focus on security and correctness, yet download the binaries from a random person on a mailing list instead of any official source with reasonable file integrity checking process in place?

Seems odd that people would use OpenBSD because they trust the code, yet download the binaries from random torrents on the internet.
Re: OpenBSD 4.1 Torrents
On Wed, May 02, 2007 at 08:07:10PM -0400, Clint M. Sand wrote:
> On Tue, May 01, 2007 at 02:33:50PM -0700, andrew fresh wrote:
>> http://openbsd.somedomain.net/index.php?version=4.1
>
> Just out of curiosity... Is it logical to use an OS for the intense focus on security and correctness, yet download the binaries from a random person on a mailing list instead of any official source with reasonable file integrity checking process in place?
>
> Seems odd that people would use OpenBSD because they trust the code, yet download the binaries from random torrents on the internet.

man 1 cksum
ftp://ftp5.usa.openbsd.org/pub/OpenBSD/4.1/i386/CKSUM

FWIW: I know Andrew and he's trustworthy. But am I? :)

-ME
Re: OpenBSD 4.1 Torrents
On 5/2/07, Mike Erdely [EMAIL PROTECTED] wrote:
> On Wed, May 02, 2007 at 08:07:10PM -0400, Clint M. Sand wrote:
>> On Tue, May 01, 2007 at 02:33:50PM -0700, andrew fresh wrote:
>>> http://openbsd.somedomain.net/index.php?version=4.1
>>
>> Just out of curiosity... Is it logical to use an OS for the intense focus on security and correctness, yet download the binaries from a random person on a mailing list instead of any official source with reasonable file integrity checking process in place?
>>
>> Seems odd that people would use OpenBSD because they trust the code, yet download the binaries from random torrents on the internet.
>
> man 1 cksum
> ftp://ftp5.usa.openbsd.org/pub/OpenBSD/4.1/i386/CKSUM

Seems odd that people would use OpenBSD because they trust the code, yet use a CRC32 to verify the integrity of said operating system.

Speaking of this, when will the OpenBSD project begin to post SHA256 hashes to the ftp sites. MD5 is dead: these two files are different and yet have the same MD5 hash.
http://www.cits.rub.de/imperia/md/content/magnus/letter_of_rec.ps
http://www.cits.rub.de/imperia/md/content/magnus/order.ps
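The exchange above turns on what a checksum listing actually tells you: a CRC32 from cksum(1) catches transmission errors, an MD5 has practical collision attacks when the attacker controls both files, and a SHA-256 has no known practical attack, while none of them says who produced the listing (John Fiore's DNS poisoning, man in the middle and compromised server cases all defeat every one of them equally). As an added example, not OpenBSD project code and not anything posted in the thread, here is a small verifier that reads a listing in the two output styles of cksum(1) ("crc size name") and md5(1)/sha256(1) ("MD5 (name) = hex"), checks each file, and flags a match made with an algorithm weaker than the policy minimum instead of silently accepting it. The exact layout of the release CKSUM and MD5 files is assumed to follow those tool outputs; the file names and contents in demo() are constructed and written to a temporary directory.

```python
"""Verify downloaded release sets against a checksum listing, with an
algorithm policy. Added example; not OpenBSD's own tooling."""
import hashlib
import os
import re
import tempfile

# What each checksum can and cannot tell you (policy notes, not page text).
POLICY = {
    "CKSUM": "CRC32: catches transmission errors only, trivially forgeable",
    "MD5": "MD5: collisions are practical, second preimages are not",
    "SHA256": "SHA-256: no practical attack known",
}
RANK = {"CKSUM": 0, "MD5": 1, "SHA256": 2}

# Table for the POSIX cksum(1) CRC: polynomial 0x04C11DB7, non-reflected.
_TABLE = []
for _i in range(256):
    _c = _i << 24
    for _ in range(8):
        _c = (((_c << 1) ^ 0x04C11DB7) if _c & 0x80000000 else (_c << 1)) & 0xFFFFFFFF
    _TABLE.append(_c)


def posix_cksum(data: bytes) -> int:
    """CRC as printed by cksum(1): data, then the length bytes LSB-first, then inverted."""
    crc = 0
    for b in data:
        crc = ((crc << 8) & 0xFFFFFFFF) ^ _TABLE[((crc >> 24) ^ b) & 0xFF]
    n = len(data)
    while n:
        crc = ((crc << 8) & 0xFFFFFFFF) ^ _TABLE[((crc >> 24) ^ n) & 0xFF]
        n >>= 8
    return (~crc) & 0xFFFFFFFF


_BSD_LINE = re.compile(r"^(MD5|SHA256) \((.+)\) = ([0-9a-fA-F]+)$")
_CKSUM_LINE = re.compile(r"^(\d+) (\d+) (.+)$")


def parse_listing(text: str):
    """Return [(algorithm, filename, expected)] from a checksum listing.

    Unknown line shapes raise instead of being skipped: a listing you cannot
    parse is not a listing you have verified against.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _BSD_LINE.match(line)
        if m:
            entries.append((m.group(1), m.group(2), m.group(3).lower()))
            continue
        m = _CKSUM_LINE.match(line)
        if m:
            entries.append(("CKSUM", m.group(3), f"{m.group(1)} {m.group(2)}"))
            continue
        raise ValueError(f"unrecognised checksum line: {line!r}")
    return entries


def compute(algorithm: str, data: bytes) -> str:
    """Checksum `data` in the same textual form the listing uses."""
    if algorithm == "CKSUM":
        return f"{posix_cksum(data)} {len(data)}"
    if algorithm == "MD5":
        return hashlib.md5(data).hexdigest()
    if algorithm == "SHA256":
        return hashlib.sha256(data).hexdigest()
    raise ValueError(f"unsupported algorithm {algorithm!r}")


def verify(directory: str, listing: str, min_algorithm: str = "SHA256"):
    """Check every listed file. Returns {(algorithm, name): (matched, note)}.

    A match computed with an algorithm weaker than `min_algorithm` is reported
    as matched but flagged, so a caller can refuse to treat CRC32 or MD5 as
    evidence against tampering. Names with path components are rejected so a
    hostile listing cannot point the verifier outside `directory`.
    """
    results = {}
    for algorithm, name, expected in parse_listing(listing):
        if os.path.basename(name) != name:
            raise ValueError(f"listing entry is not a plain file name: {name!r}")
        try:
            with open(os.path.join(directory, name), "rb") as fh:
                actual = compute(algorithm, fh.read())
        except FileNotFoundError:
            results[(algorithm, name)] = (False, "missing file")
            continue
        matched = actual == expected
        note = POLICY[algorithm]
        if matched and RANK[algorithm] < RANK[min_algorithm]:
            note = "matched, but " + note
        results[(algorithm, name)] = (matched, note)
    return results


def demo():
    """Constructed release directory: verify, replace one file, verify again."""
    with tempfile.TemporaryDirectory() as d:
        good = b"constructed release file contents\n"
        with open(os.path.join(d, "base41.tgz"), "wb") as fh:
            fh.write(good)
        listing = "\n".join([
            f"{posix_cksum(good)} {len(good)} base41.tgz",
            f"MD5 (base41.tgz) = {hashlib.md5(good).hexdigest()}",
            f"SHA256 (base41.tgz) = {hashlib.sha256(good).hexdigest()}",
            f"SHA256 (etc41.tgz) = {hashlib.sha256(b'not present').hexdigest()}",
        ])
        before = verify(d, listing)
        with open(os.path.join(d, "base41.tgz"), "wb") as fh:
            fh.write(b"tampered\n")  # every listed digest now mismatches
        after = verify(d, listing)
    return before, after


if __name__ == "__main__":
    for label, res in zip(("before", "after"), demo()):
        for key, value in sorted(res.items()):
            print(label, key, value)
```

The policy flag is the practical answer to "yet use a CRC32 to verify the integrity of said operating system": the tool still checks the CRC (it is what the CKSUM file carries and it does catch a truncated download), but it will not report a CRC or MD5 match as anything more than that. The listing itself still has to arrive over a path you trust, which is Tobias's point about a compromised mirror updating the checksum file along with the sets.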
Re: OpenBSD 4.1 Torrents
I think there are checksums only for the base system, without X, source, ports, packages, etc. Or, I don't know where to find them.

Open Phugu wrote:
> On 5/2/07, Mike Erdely [EMAIL PROTECTED] wrote:
>> On Wed, May 02, 2007 at 08:07:10PM -0400, Clint M. Sand wrote:
>>> On Tue, May 01, 2007 at 02:33:50PM -0700, andrew fresh wrote:
>>>> http://openbsd.somedomain.net/index.php?version=4.1
>>>
>>> Just out of curiosity... Is it logical to use an OS for the intense focus on security and correctness, yet download the binaries from a random person on a mailing list instead of any official source with reasonable file integrity checking process in place?
>>>
>>> Seems odd that people would use OpenBSD because they trust the code, yet download the binaries from random torrents on the internet.
>>
>> man 1 cksum
>> ftp://ftp5.usa.openbsd.org/pub/OpenBSD/4.1/i386/CKSUM
>
> Seems odd that people would use OpenBSD because they trust the code, yet use a CRC32 to verify the integrity of said operating system.
>
> Speaking of this, when will the OpenBSD project begin to post SHA256 hashes to the ftp sites. MD5 is dead: these two files are different and yet have the same MD5 hash.
> http://www.cits.rub.de/imperia/md/content/magnus/letter_of_rec.ps
> http://www.cits.rub.de/imperia/md/content/magnus/order.ps
OpenBSD 4.1 Torrents
Probably everyone knows already, but I just wanted to get the word out that there are OpenBSD 4.1 torrents now on the torrent site:
http://openbsd.somedomain.net/index.php?version=4.1

So far they are mostly just the files off of the CDs, but as I get synced up, the package torrents will update.

l8rZ,
--
andrew - ICQ# 253198 - Jabber: [EMAIL PROTECTED]

BOFH excuse of the day: The Borg tried to assimilate your system. Resistance is futile.