Re: new OpenSSL flaws

2014-06-06 Thread InterNetX - Robert Garrett
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

I do not believe that they are specifically ignoring OpenBSD; I believe
they are ignoring the BSDs in general. Perhaps someone notified FreeBSD,
but nobody notified the DragonFlyBSD team either.


On 06/05/2014 09:27 PM, Theo de Raadt wrote:
> There are two main open-source processes for dealing with discovery of
> security issues and disclosure of that information to the greater
> community.
> 
> - One common process is that generally followed by OpenBSD.  In this
>   process a bug is found, and a fix is committed as soon as the
>   improvement is known to be good.  Then if an assessment has been done, and
>   it is determined to be important, disclosure occurs, of course after
>   the commit is already public.  Everyone including the vendors had the
>   opportunity to get the information in a fair and equal way.
> 
> - The other main process used by some open source groups, is to
>   quarantine important repairs.  A fix is first disclosed to all affected
>   parties, or at least the right concerned subset.  This creates a delay
>   before information availability, but the coordination is intended to
>   provide a benefit.  Everyone generally gets the information in a fair
>   and equal way.
> 
> Both processes have their place.  Each software group has their own
> limitations and needs which will drive their selection.
> 
> 
> It is clear that the second process -- intending to also take an ethical
> path for disclosure -- should not specifically exclude a part of the
> community.
> 
> 
> Unfortunately I find myself believing reports that the OpenSSL people
> intentionally asked others for quarantine, and went out of their way
> to ensure this information would not come to OpenBSD and LibreSSL.
> 
> There, I've said it.
> 


-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJTkWpWAAoJEMrvovfl62c8xQMH/R/bLRaZMW3qwRqdLp/ZdXk4
mR48+AzYga+Pz45UZApdVPPOhvsOy0lLXlNJFWGGcAfrucZKN94P8enKuhWztgel
EINhbFSlxnW3HbvCeOJt1O9xhciW2RJRE9ii669Wfsx+FmceU9sSBWNcQljDFOTJ
d4sHPa+EQ88Xs7DCOwDAB8iMlhk9lJcnbGPkscAoBQlv8vjjiU1GGbJYcgCvQ6Gr
sp6ts3mNscEx9NtXOGo/D7gWgIrAZTwW8Ni6NtuE4LnKoBAUY4oA4wXb/1gF/8/G
hljNyLMVBJKYBySzt1Q+g+ifBsJg3xGCi00tjASIusjXcQFO55zcRfQ65ZHFAPg=
=u19g
-END PGP SIGNATURE-



Re: Iso image integrity verification

2013-09-12 Thread InterNetX - Robert Garrett
The real problem here is that in order to be added to certain lists of 
trusted PKI providers, you must be audited by security assessors; one of 
the things they look for is proof that the software you're using isn't 
tampered with.


It appears the OP is trying to solve that issue. EVEN using the CD is 
not enough to convince some of these people that the software is genuine 
and untampered with.


PGP-signed SHA256 keys in a publicly accessible place should do it.

Though it would seem to me, that if the SHA signature is the same on
all the mirrors through OpenBSD's distribution channels that would be
verification enough. As then you would have to break into a lot of
systems run by very pedantic system admins in order to change it on all 
of them.


But let me repeat: it isn't the OP's idea of security that is important, 
it's the idea of the people they are paying a lot of money to, and the 
rules implemented by such companies as Microsoft that are important here.


RG

On 09/11/2013 10:10 PM, Valentin Zagura wrote:

I was saying that other projects do it in a way they feel comfortable with
and maybe you will find a way to do it that you are comfortable with.
Using https was one simple idea. I understand that you don't think that
this adds any value but maybe there are other ways like signing with PGP,
maybe using SSH somehow or having Theo de Raadt saying the SHA checksums on
a video on youtube at each release :) or some other simple and effective
way that you are comfortable with.
I just wanted to point out that one cannot easily show his security
assessor that he has the right images using some "industry standard" ways,
or someone living in a country that has an oppressive government and would
download the image through tor could have some problems if the exit node is
malicious.
If you feel that any kind of verification is futile, it's ok, that would
not stop us from buying the CDs.


On Wed, Sep 11, 2013 at 10:32 PM, Kenneth R Westerback <kwesterb...@rogers.com> wrote:


On Wed, Sep 11, 2013 at 08:53:50PM +0300, Valentin Zagura wrote:

I don't think I'm more paranoid than the average considering that Debian
has a way to do this (http://www.debian.org/CD/verify), Fedora has a way to
do this (https://fedoraproject.org/verify), even FreeBSD has a way to do
this (https://www.freebsd.org/releases/9.1R/announce.html).


So you're saying that less paranoid projects are doing it, so why doesn't
OpenBSD join the crowd and provide some fuzzy feel good but pointless
security theatre? :-)



The thought of being more paranoid than an OpenBSD guy is not very
comfortable :)


Don't worry. You're apparently not paranoid enough yet. The true practical
paranoid does not waste time on such mummery.

 Ken




On Wed, Sep 11, 2013 at 8:13 PM, Daniel Bolgheroni 
On Wed, Sep 11, 2013 at 03:17:20PM +0300, Valentin Zagura wrote:

Yes, we know, but that file can also be easily compromised if it's not
available for download with a secure protocol (HTTPS)


If you're paranoid, build your own hardware from the ground up,
including designing your own CPU and complementary circuits, download
all the sources, audit them all, compile and then run.

You can't be fooled by wrong measurements of security.
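
The checks Robert and Valentin are arguing about above, as an added example that is not code from the thread or from the OpenBSD project: it parses a BSD-style "SHA256 (file) = hex" listing, hashes the downloaded image, and only accepts a listing that several independent mirrors publish identically, so a single altered mirror shows up as a conflict. The image bytes, mirror names and listings are constructed sample data, and the example assumes the PGP signature on the listing is verified separately with gpg before these checks run.

```python
import hashlib
import hmac
import os
import re
import tempfile

# One BSD-style checksum line, as in OpenBSD's SHA256 files:
#   SHA256 (install53.iso) = <64 hex digits>
_LINE = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<digest>[0-9a-f]{64})$")

# Constructed stand-in for an install image (not a real release).
IMAGE_NAME = "install53.iso"
IMAGE_BYTES = b"constructed sample image, not a real OpenBSD release\n" * 2048


def parse_sha256_file(text):
    """Return {filename: hexdigest}. Any malformed line is an error, so a
    truncated or edited listing cannot pass as 'no checksum published'."""
    digests = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _LINE.match(line)
        if m is None:
            raise ValueError("malformed checksum line: %r" % line)
        digests[m.group("name")] = m.group("digest")
    return digests


def sha256_of_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def mirrors_agree(listings):
    """listings: mirror name -> checksum text fetched from that mirror.
    Returns the parsed listing if every mirror agrees; otherwise raises
    ValueError naming the first mirror that disagrees."""
    if not listings:
        raise ValueError("no mirror listings supplied")
    parsed = {name: parse_sha256_file(text) for name, text in listings.items()}
    names = list(parsed)
    reference = parsed[names[0]]
    for name in names[1:]:
        if parsed[name] != reference:
            raise ValueError("mirror %s disagrees with %s" % (name, names[0]))
    return reference


def verify_image(path, name, listing):
    """True if the file at path hashes to the digest published for name."""
    expected = listing.get(name)
    if expected is None:
        raise ValueError("no digest published for %s" % name)
    # Constant-time comparison; the habit to keep for any authenticator.
    return hmac.compare_digest(sha256_of_file(path), expected)


def demo():
    """Run the whole check on constructed data and report what it found."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, IMAGE_NAME)
        with open(path, "wb") as f:
            f.write(IMAGE_BYTES)
        good = "SHA256 (%s) = %s\n" % (IMAGE_NAME, hashlib.sha256(IMAGE_BYTES).hexdigest())
        # One mirror whose listing was altered to point at a different image.
        tampered = "SHA256 (%s) = %s\n" % (IMAGE_NAME, "0" * 64)

        agreed = mirrors_agree({"mirror-a": good, "mirror-b": good})
        image_ok = verify_image(path, IMAGE_NAME, agreed)

        try:
            mirrors_agree({"mirror-a": good, "mirror-b": good, "mirror-c": tampered})
            conflict_detected = False
        except ValueError:
            conflict_detected = True

        # A modified image must fail even against an agreed-upon listing.
        with open(path, "ab") as f:
            f.write(b"one extra byte")
        modified_rejected = not verify_image(path, IMAGE_NAME, agreed)

    return {"image_ok": image_ok, "conflict_detected": conflict_detected,
            "modified_rejected": modified_rejected}


if __name__ == "__main__":
    print(demo())
```

The mirror cross-check is the part that addresses the "green bar" objection raised in the thread: it does not rely on any CA, only on an attacker having to alter every mirror consistently. It still does nothing against an attacker who can alter the listing at its origin, which is why the signature check belongs in front of it.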


Re: Iso image integrity verification

2013-09-11 Thread InterNetX - Robert Garrett

also means somebody paid a lot of money for that green bar

On 09/11/2013 04:46 PM, Janne Johansson wrote:

So you publish something on a HTTPS page, which means that when the browser
says "green padlock", it only says: "this site was using a key signed by
someone who in turn was signed by someone out of a few hundred CAs in a
list which includes companies in scary countries*". That will help a lot.


*) Please exchange the list of scary countries to whatever scares you in
your particular example. For Syria it could be the US, for US it could be
Syria. Or some other combination of opposition.



2013/9/11 Valentin Zagura 


Thanks for the suggestion, we will probably order the CD.

But on the other hand, I hope that you realize that people in some
countries (Iran, China, Egypt, Syria) would not have this possibility and
they could be more affected by a compromise than we would be (they might
probably pay with their lives) and I hope you guys are also thinking of
them.

Thanks,
Valentin Zagura


On Wed, Sep 11, 2013 at 1:58 PM, Peter N. M. Hansteen wrote:



On Wed, Sep 11, 2013 at 01:49:14PM +0300, Valentin Zagura wrote:


We are going to use an OpenBSD system in a PCI-DSS compliant environment.

Is there any way we can prove to our PCI-DSS assessor that the OpenBSD
image we use for our installation can be checked so that it is the correct
one (is not modified in a malicious way by a third party)?


Probably not what you want to hear, but starting with
http://www.openbsd.org/orders.html
is usually an excellent idea in this context. Verifiably delivered from a
trusted source.


A https link to some kind of ISO checksum or something similar (but using
strong cryptography) I think would do it, but I could not find any (except
a line in the FAQ stating "If the men in black suits are out to get you,
they're going to get you." which is not the case :) )


It's possible some of the more prominent entries on
http://www.openbsd.org/support.html
could be persuaded to provide something like that (M:Tier comes to mind,
but why are they not on that page?) in exchange for a reasonable fee.

But again, for -RELEASE, the CD sets are a good starting point.

- Peter

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.


Kind regards

Robert Garrett
Senior System Engineer
Technical Projects & Solutions
--
InterNetX GmbH
Maximilianstr. 6
93047 Regensburg
Germany

Tel. +49 941 59559-480
Fax  +49 941 59559-245

www.internetx.com
www.facebook.com/InterNetX
www.twitter.com/InterNetX

Managing Director/CEO: Thomas Mörz
Amtsgericht Regensburg, HRB 7142