Re: Code signing in OpenBSD

2007-12-06 Thread Martin Schröder
2007/12/5, Marco Peereboom [EMAIL PROTECTED]: have you ever wondered why openbsd doesn't do binary updates? And what are package updates? Does pkg_add -u even check an e.g. md5 or does it trust the server? Best Martin

Re: hoststated - some questions

2007-12-06 Thread Pierre-Yves Ritschard
[sent to wrong list] Also hoststatectl reload does not work for me. [EMAIL PROTECTED] root# hoststatectl reload command failed Expected behavior? Unfortunately, yes. reload currently does not work for layer7 (relay) configurations. it should be available before 4.3 though.

Re: Code signing in OpenBSD

2007-12-06 Thread Rui Miguel Silva Seabra
On Thu, Dec 06, 2007 at 12:37:19PM +0800, Lars Hansson wrote: On Dec 6, 2007 2:46 AM, Rui Miguel Silva Seabra [EMAIL PROTECTED] wrote: Come on... twice a year and get the benefit of not being excluded from company policies which require digital signature of software downloaded through the

Re: Code signing in OpenBSD

2007-12-06 Thread Rui Miguel Silva Seabra
On Wed, Dec 05, 2007 at 02:23:41PM -0600, Marco Peereboom wrote: blah blah blah have you ever wondered why openbsd doesn't do binary updates? I'm not talking about updates, I can read C. maybe you are now going to be able to figure out why we don't need complex signing mechanisms. You're

Re: Code signing in OpenBSD

2007-12-06 Thread Hannah Schroeter
Hi! On Wed, Dec 05, 2007 at 12:15:01PM -0500, bofh wrote: On Dec 5, 2007 11:46 AM, new_guy [EMAIL PROTECTED] wrote: Can you dismiss PKI and the benefits that OpenPGP signatures provide to your user community? Knowing that xyz binary is signed by OpenBSD for distribution or abc email came from

Re: Code signing in OpenBSD

2007-12-06 Thread Hannah Schroeter
Hi! On Wed, Dec 05, 2007 at 01:24:49PM -0700, Bob Beck wrote: If you want a secure binary. buy an official CD.. This is what most people do. PKI requires infrastructure that would cost OpenBSD money and developer time. Official CD's keep OpenBSD alive. Doesn't help you if you want fixes

Re: Code signing in OpenBSD

2007-12-06 Thread Hannah Schroeter
Hi! On Wed, Dec 05, 2007 at 06:46:15PM -0500, STeve Andre' wrote: [...] You know, you're descending into a recursive loop of if, if, if... and it never ends. OF COURSE if someone breaks into the site they could do things--once you've lost control of your site all bets are off. I dare say that

Re: Code signing in OpenBSD

2007-12-06 Thread Lars Noodén
Hannah Schroeter wrote: ... As the talk about those online surveillance plans includes talk about tailored attacks for each victim, they could investigate which OS one uses and which ways of updating, so they could tailor their attack vector appropriately. ... Some of this is mitigated in

Re: Code signing in OpenBSD

2007-12-06 Thread Stuart Henderson
On 2007/12/06 13:12, Lars Noodin wrote: If the installation process (from the purchased CDs) had a list of the public keys for the official mirror sites, then that would go a long way. That would make it rather hard to revoke a key if there ever was a problem.

Re: Code signing in OpenBSD

2007-12-06 Thread Hannah Schroeter
Hi! On Thu, Dec 06, 2007 at 11:23:37AM +, Stuart Henderson wrote: On 2007/12/06 13:12, Lars Noodin wrote: If the installation process (from the purchased CDs) had a list of the public keys for the official mirror sites, then that would go a long way. That would make it rather hard to

Re: Code signing in OpenBSD

2007-12-06 Thread Hannah Schroeter
Hi! On Thu, Dec 06, 2007 at 01:12:02PM +0200, Lars Noodin wrote: Hannah Schroeter wrote: ... As the talk about those online surveillance plans includes talk about tailored attacks for each victim, they could investigate which OS one uses and which ways of updating, so they could tailor their

Re: /var/log/messages permissions in 4.2

2007-12-06 Thread Nick Holland
Douglas A. Tutty wrote: On Tue, Dec 04, 2007 at 02:30:28PM -0800, Bryan Irvine wrote: What would be the rationale for 640? ;) Well according to cvs log: it can be easily changed if you like it another way. millert, So I guess one rationale might be as simple as because ;) Does

Open BSD Physical Storage

2007-12-06 Thread Shachi Rai
Hi, Currently I am facing a small problem in OpenBSD. I want to get the information about the total physical Storage and the partition table (mounted and unmounted). Please let me know if there is any way out for getting this information. -- View this message in context:

PF and queuing question

2007-12-06 Thread Stefan Castille
hey, I have a question on how to best limit traffic with pf. The main goal is not so much to limit bandwidth to a lower point all the time but more to prevent a runaway process (or user) from drowning the rest. Since I do not have the means for extensive testing I hope to get some pointers

Re: Open BSD Physical Storage

2007-12-06 Thread Hannah Schroeter
Hi! On Thu, Dec 06, 2007 at 05:21:08AM -0800, Shachi Rai wrote: Currently I am facing a small problem in OpenBSD. I want to get the information about the total physical Storage and the partition table (mounted and unmounted). Please let me know if there is any way out for getting this

Re: Open BSD Physical Storage

2007-12-06 Thread Josh Grosse
On Thu, 6 Dec 2007 05:21:08 -0800 (PST), Shachi Rai wrote Hi, Currently I am facing a small problem in OpenBSD. I want to get the information about the total physical Storage and the partition table (mounted and unmounted). Please let me know if there is any way out for getting this

Re: Open BSD Physical Storage

2007-12-06 Thread Shachi Rai
Hi, Great to see your reply, I would like to explain to you in detail, I am currently writing Java code which tries to find out the total physical storage of an OpenBSD machine. In fact I would like to know the complete partition table in an OpenBSD machine. I have gone through the disklabel

Re: Open BSD Physical Storage

2007-12-06 Thread Alexander Hall
Shachi Rai wrote: Hi, Great to see your reply, I would like to explain to you in detail, I am currently writing Java code which tries to find out the total physical storage of an OpenBSD machine. In fact I would like to know the complete partition table in an OpenBSD machine. I have gone

Re: Open BSD Physical Storage

2007-12-06 Thread Josh Grosse
On Thu, 6 Dec 2007 05:57:17 -0800 (PST), Shachi Rai wrote ...So my first question would be to know all the devices which are attached... $ sysctl hw.disknames .. and may or may not be mounted $ df

Re: Code signing in OpenBSD

2007-12-06 Thread Lars Noodén
Hannah Schroeter wrote: ... AFS is also encrypted, but unless it's used to get all the tarballs and make them accessible locally (e.g. make a CD) it's not a help during the installation. I don't know enough about AFS to say anything about how to secure it from the beginning on. I'm not

Re: Open BSD Physical Storage

2007-12-06 Thread Stuart Henderson
On 2007/12/06 05:57, Shachi Rai wrote: I have gone through the disklabel and fdisk command but both these command take the device name as a parameter. So my first question would be to know all the devices which are attached and may or may not be mounted. sysctl hw.disknames

Re: Code signing in OpenBSD

2007-12-06 Thread bofh
At this point, it's probably a good idea to point out there's a paper called Trusting Trust about your everyday C compiler... On 12/6/07, Lars Noodin [EMAIL PROTECTED] wrote: Hannah Schroeter wrote: ... AFS is also encrypted, but unless it's used to get all the tarballs and make them

Re: Code signing in OpenBSD

2007-12-06 Thread Douglas A. Tutty
On Thu, Dec 06, 2007 at 11:48:55AM +0100, Hannah Schroeter wrote: One risk would be the plans of online surveillance of computers e.g. in Germany. One way to install surveillance even on OpenBSD would be to actively interfere with the internet connection with the surveilled person, in the

Re: Code signing in OpenBSD

2007-12-06 Thread Lars Noodén
bofh wrote: At this point, it's probably a good idea to point out there's a paper called Trusting Trust about your everyday C compiler... Yeah. It recently disappeared from the ACM's web site after 11+ years of availability: http://www.acm.org/classics/oct95/ There is, fortunately, the

Re: /var/log/messages permissions in 4.2

2007-12-06 Thread Douglas A. Tutty
On Thu, Dec 06, 2007 at 07:05:07AM -0500, Nick Holland wrote: Douglas A. Tutty wrote: On Tue, Dec 04, 2007 at 02:30:28PM -0800, Bryan Irvine wrote: What would be the rationale for 640? ;) Well according to cvs log: it can be easily changed if you like it another way. millert, So

Re: Code signing in OpenBSD

2007-12-06 Thread Lars Noodén
Douglas A. Tutty wrote: Using software from any source without interference from an all-pervasive government is a very special,... It's not all about governments. Corporate espionage is probably a larger, more active threat, especially to OpenBSD. cui bono? If we assume for the sake

Re: OpenBSD4.1 IPSEC - transport_send_messages: giving up on exchange

2007-12-06 Thread Marcus Andree
We've got similar problems about a year ago, when we deployed a massive installation of vpn/ipsec clients based on isakmpd. When testing the client robustness to a series of events, like physically disconnecting network cables, simulating power failures and such, we saw the same pattern. Our

Re: Code signing in OpenBSD

2007-12-06 Thread bofh
You forgot one option. Invite Theo to give a talk, and ask him to bring the CDs. If you can't trust Theo's CDs, all hope is lost. Just need to make sure there're some mountains around for Theo to go climb. If you live on a flatland, then, sorry, you're doomed. On 12/6/07, Douglas A. Tutty

Re: HP ProLiant DL320 v. Sun Fire V125

2007-12-06 Thread Kai Mosebach
Hi, sorry for the late response, the mail just got marked as junk :( KM enabling acpi How exactly do you do it? Mine acpi-related lines are its already in the default kernel, not sure if its enabled by default. # config -ef /bsd.mp ... ukc enable acpi 414 acpi0 enabled KM enabling

Re: Code signing in OpenBSD

2007-12-06 Thread bofh
That's why I always hand enter, in binary, by toggling switches on the front of my box[1] when I start a new system. [1]. What, you never pressed the power button On 12/6/07, Lars Noodin [EMAIL PROTECTED] wrote: bofh wrote: At this point, it's probably a good idea to point out there's a

Re: Code signing in OpenBSD

2007-12-06 Thread Marco Peereboom
hitler already On Thu, Dec 06, 2007 at 05:24:40PM +0200, Lars Noodén wrote: Douglas A. Tutty wrote: Using software from any source without interference from an all-pervasive government is a very special,... It's not all about governments. Corporate espionage is probably a larger, more

softraid todo

2007-12-06 Thread Marco Peereboom
Several people have asked me about what the softraid todo is. I published such a list at: http://www.peereboom.us/softraid_todo.txt It isn't 100% complete but has most major and minor items.

Re: Code signing in OpenBSD

2007-12-06 Thread Gilbert Fernandes
On Thu, Dec 06, 2007 at 09:08:56AM -0600, Marco Peereboom wrote: hitler already Here is yours : ++ | 1 Godwin point | ++ Bye -- unzip ; strip ; touch ; grep ; find ; finger ; mount ; fsck ; more ; yes ; fsck ; umount ; sleep

Re: Code signing in OpenBSD

2007-12-06 Thread Jason George
Come on... twice a year and get the benefit of not being excluded from company policies which require digital signature of software downloaded through the internet. It's not really OpenBSD's problem that some companies implement pointless security policies. I'm not discussing whether its

Re: Code signing in OpenBSD

2007-12-06 Thread Jeff I. Ragland
On 06 NN5N: 2007, at 5:39 NN, bofh wrote: You forgot one option. Invite Theo to give a talk, and ask him to bring the CDs. If you can't trust Theo's CDs, all hope is lost. And how would you know that it is indeed Theo and not someone that looks like him? I think that blood samples and

Re: A necessary evil: snmpd(8) and snmpctl(8)

2007-12-06 Thread Insan Praja SW
On Wed, 05 Dec 2007 22:32:45 +0700, Jason George [EMAIL PROTECTED] wrote: Hi! I just imported snmpd(8) and snmpctl(8), an initial attempt to implement a new SNMP daemon for OpenBSD. SNMP is the Simple Network Management Protocol and it is still very commonly used in corporate networks, by

Re: Code signing in OpenBSD

2007-12-06 Thread bofh
Code signing by blood. ISAGN. Sorry marc - had to do it On 12/6/07, Jeff I. Ragland [EMAIL PROTECTED] wrote: On 06 Dej 2007, at 5:39 LL, bofh wrote: You forgot one option. Invite Theo to give a talk, and ask him to bring the CDs. If you can't trust Theo's CDs, all hope is lost. And

Hoststated + overload

2007-12-06 Thread dane johansen
Hey All, I was wondering is it possible to use pf + max-src-conn-rate + overload with hoststated? In manual there is nothing about that, but maybe if you define tables in hoststated, but not a service and in PF you use just rdr with hoststated tables (something similar to spamd tables?). Anyone

Re: Code signing in OpenBSD

2007-12-06 Thread Douglas A. Tutty
On Thu, Dec 06, 2007 at 09:39:35AM -0600, bofh wrote: You forgot one option. Invite Theo to give a talk, and ask him to bring the CDs. If you can't trust Theo's CDs, all hope is lost. He doesn't have to bring the CDs, just in the speech give the MD5 (or other more secure [sha?] sum for an

Re: Code signing in OpenBSD

2007-12-06 Thread Douglas A. Tutty
On Thu, Dec 06, 2007 at 05:24:40PM +0200, Lars Noodén wrote: Douglas A. Tutty wrote: Using software from any source without interference from an all-pervasive government is a very special,... It's not all about governments. Corporate espionage is probably a larger, more active threat,

Re: Code signing in OpenBSD

2007-12-06 Thread Daniel Bosk
Hi! On Thu, Dec 06, 2007 at 11:23:37AM +, Stuart Henderson wrote: On 2007/12/06 13:12, Lars Noodin wrote: If the installation process (from the purchased CDs) had a list of the public keys for the official mirror sites, then that would go a long way. That would make it rather hard to

Re: Code signing in OpenBSD

2007-12-06 Thread Jacob Yocom-Piatt
bofh wrote: Code signing by blood. ISAGN. Sorry marc - had to do it what if theo is a person of interest, has his endpoint surveilled and his key and passphrase are compromised? if somebody stole a pint of blood, that could go a long way in your proposed plan... short of having a

Re: Code signing in OpenBSD

2007-12-06 Thread Lars Noodén
Ted Unangst wrote: give it a rest guys. Ted says everything is ok. We can pack up and call it a day, knowing that everything's settled once and for all. Seriously, if the process has been already worked out, then point to where it is written up. Maybe we're not looking in the right part of

Re: Code signing in OpenBSD

2007-12-06 Thread Ted Unangst
give it a rest guys. has anyone ever actually been the victim of some government/corporate/the man attack where they slipped trojan openbsd binaries to you? do you have any idea how hard it really is to mount such an attack? without being detected? and what's the trojan going to do? copy all

Re: Code signing in OpenBSD

2007-12-06 Thread Jason George
Since this thread is both TOP and BOTTOM posted, I am going UPPER MIDDLE post. bofh wrote: Code signing by blood. ISAGN. Sorry marc - had to do it what if theo is a person of interest, has his endpoint surveilled and his key and passphrase are compromised? if somebody stole a pint

Re: Code signing in OpenBSD

2007-12-06 Thread Eric Furman
On Thu, 6 Dec 2007 09:51:16 -0500, Douglas A. Tutty [EMAIL PROTECTED] said: Personally, if this thread is to continue, I would like to see it move from a Why doesn't OpenBSD do things this way? to a What are the threat models for OpenBSD identity theft and how can we protect ourselves?.

Re: Code signing in OpenBSD

2007-12-06 Thread Bob Beck
do you have any idea how hard it really is to mount such an attack? without being detected? and what's the trojan going to do? copy all your secrets to their national citizen oppression center? how do they get their nefarious packets through your firewall without notice? Of course

Re: Code signing in OpenBSD

2007-12-06 Thread Marco Peereboom
HITLER AND MORE HITLER On Thu, Dec 06, 2007 at 08:28:21PM +0200, Lars Noodén wrote: Ted Unangst wrote: give it a rest guys. Ted says everything is ok. We can pack up and call it a day, knowing that everything's settled once and for all. Seriously, if the process has been already

Re: Code signing in OpenBSD

2007-12-06 Thread Christopher Linn
there seems to be a fine, pink mist in the air. some time ago the matter comprising this mist was a live and healthy horse. On Thu, Dec 06, 2007 at 12:39:39PM -0600, Marco Peereboom wrote: HITLER AND MORE HITLER On Thu, Dec 06, 2007 at 08:28:21PM +0200, Lars Noodén wrote: Ted Unangst

Re: Code signing in OpenBSD

2007-12-06 Thread Lars Noodén
Ok. So Christopher, Marco, and Ted have spoken up to inform the list that they do not know an answer. Christopher Linn wrote: there seems to be a fine, pink mist in the air. ... To be sure the topic has been covered earlier, but just where are there relevant message archives, presentations or

Re: Code signing in OpenBSD

2007-12-06 Thread STeve Andre'
On Thursday 06 December 2007 05:52:46 Hannah Schroeter wrote: Hi! On Wed, Dec 05, 2007 at 06:46:15PM -0500, STeve Andre' wrote: [...] You know, you're descending into a recursive loop of if, if, if... and it never ends. OF COURSE if someone breaks into the site they could do things--once

Re: Skype on the OpenBSD

2007-12-06 Thread michael hamerski
Lars Noodén [EMAIL PROTECTED] wrote: http://forum.skype.com/index.php?showtopic=95261 I have no intention of refueling this debate but I found this an interesting read some time ago: paper by Garfinkel http://skypetips.internetvisitation.org/files/VoIP%20and%20Skype.pdf your link

Re: Code signing in OpenBSD

2007-12-06 Thread Marco Peereboom
On Thu, Dec 06, 2007 at 09:39:59PM +0200, Lars Noodén wrote: Ok. So Christopher, Marco, and Ted have spoken up to inform the list that they do not know an answer. You can't possibly be this dense. Let me try to spell it out. YOU see an issue WE don't. That makes YOU responsible for fixing

Hardware recommendations for OpenBSD carp router/firewall machines

2007-12-06 Thread Matthew Dempsky
Does anyone have recommendations on server hardware for setting up a redundant OpenBSD firewall? Right now our network handles several million HTTP requests per day, and we expect that to continue growing. I expect a simple pair of Dell rackmounted servers should handle this easily, but I thought

alpha server hardware (AS1200) available for donation in Munich area

2007-12-06 Thread Robert Urban
Hi Folks, I'm back again. I have two AS1200 (AlphaServers) to donate. They're nice machines, but I don't use them. One has two 400MHz CPUs (B3007-AA) and 512MB RAM, the other has one 533MHz CPU (B3007-CA) and 256MB RAM. They have lots of disks internally (2 and 4GB drives). They have several

Re: Intel(R) Core(TM)2 Duo CPU E6550 freeze on core 2 duo

2007-12-06 Thread Constantine A. Murenin
On 06/12/2007, Benoit Chesneau [EMAIL PROTECTED] wrote: Hi all, Have currently a problem with a server based on Intel(R) Core(TM)2 Duo CPU E6550 with a Realtek 8168 ( re(4) ). It freezes after some random time. I don't know why. No log about it. I tried to : - enable acpi - force the carde

Re: Code signing in OpenBSD

2007-12-06 Thread new_guy
Daniel Bosk wrote: Brad, you really did start some thread. Starting with a rather innocent question. Interesting reading though. My best to all of you, Daniel Thanks, I love OpenBSD. I see the lack of signed code and signed communication as a potential security issue. It *has*

serial switch available for donation (Munich)

2007-12-06 Thread Robert Urban
Hi Folks, I have an ancient, but fully functional pizza-box like device from Pan Dacom (V.24 Umschalter), which has 9 DB25 female connectors on the back, and 8 toggle pushbuttons on the front. One of the DB25 connectors is the input, and is connected to one or more of the other eight DB25

reporting of flowd data

2007-12-06 Thread Thomas Börnert
hi list, I'm looking for a reporting tool that can read the output of /var/log/flowd or the ASCII data of flowd-reader. Has anyone an idea? thanks thomas

Note on pfctl: cannot allocate memory from spamd-setup

2007-12-06 Thread Steve Shockley
I'm running spamd in blacklist mode, and it started running out of memory today. It turns out the lists are getting close to the default limit: # /usr/libexec/spamd-setup -b -d Getting http://www.openbsd.org/spamd/traplist.gz blacklist uatraps 157348 entries Getting

Re: Code signing in OpenBSD

2007-12-06 Thread Travers Buda
Paranoia is a disease... it distorts your thinking and your logical faculty. I'd be more concerned about THAT if I were in your position. It's stupid to rework the infrastructure to support signing, especially considering the benefits (none.) Plus, you have to trust the OpenBSD developers

Re: Skype on the OpenBSD

2007-12-06 Thread William Graeber
I'm running wengo 2.1.2, and under the security tab on the configuration page there is an option for call encryption - WengoPhone can encrypt calls using the AES 128-bits encryption system and Diffie-Hellman for key exchange.

seeking hardware token recommendations

2007-12-06 Thread Jacob Yocom-Piatt
would like to lock random users out of the services that are hosted on machines here and remember LLNL, etc, using an RSA SecurID to effect this back in the day: you had to enter your SecurID string before being able to ssh into your user account through the firewall. I am aware that the

Doctor Listing

2007-12-06 Thread Francis Y Rosella
Here's what we're offering for this week: Current Doctors in the USA 788,217 in total * 17,132 emails 34 primary and secondary specialties 16 different sortable fields Pharmaceutical Companies in the US 47,000 personal emails and names of decision makers American Hospital Directory Full