Yes, the MITM was DPD. Great currier. I recommand it to everyone. NOT!
^courier
^ recommend
:-p
Commercial software is the same. They make it clear that no promises are
made that the software is fit for any particular purpose in the EULA. My
assumption is making such a promise would hold them accountable when it
failed, and I doubt any company would find it profitable to invest in
enough QA
I think you're in trouble. Some of the software on the openbsd CDs was written
by me,
and I never made any promises it's safe to use on an important
server. Not that you should trust me even if I did make such a promise.
It's software you're getting from the Internet. Made by people from the
Int
People,
Let me mention my sadness at trying to research this.
1. The PCI-DDS v 2.0 pdf is behind a click through that proports to create
a binding legal contract. So the boilerplate looked okay but there was a
warning about the document mayhaps being a controlled munition. I was
irritated and j
We've all expressed reasonable doubt. In the US you can be assured
that the USPS will open, scan, read, and deliver your mail. So it's
reasonable to believe that they may also tamper with your openbsd
CD's. Just buy the disks, let this thread die along with the stupidity
of PCI-DSS (which I've danc
On Fri, Sep 13, 2013 at 11:13:36AM +0300, Valentin Zagura wrote:
> Security itself is not the primary issue here. The issue is to easily prove
> an assessor "without reasonable doubt" that you are running the right thing.
> They will not worry about governments trying to break in with MITM signed
>
* Valentin Zagura [2013-09-13 10:15]:
> Security itself is not the primary issue here. The issue is to easily prove
> an assessor "without reasonable doubt" that you are running the right thing.
> They will not worry about governments trying to break in with MITM signed
> ssl or about armies break
Security itself is not the primary issue here. The issue is to easily prove
an assessor "without reasonable doubt" that you are running the right thing.
They will not worry about governments trying to break in with MITM signed
ssl or about armies breaking in with the tanks. But they would worry abo
On Fri, Sep 13, 2013 at 10:32:43AM +0300, Paul Irofti wrote:
> > Yes, the MITM was DPD. Great currier. I recommand it to everyone. NOT!
>^courier
the two aren't necessarily mutually exclusive ;)
- P
--
Peter N. M. Hansteen, member of the first RFC 1149 implement
> Yes, the MITM was DPD. Great currier. I recommand it to everyone. NOT!
^courier
> Physical email is as susceptible to MITM attacks as network connections. I
> know a story of laptops entering the mail system and car springs coming
> out the other end in the same box. :-)
Yes, the MITM was DPD. Great currier. I recommand it to everyone. NOT!
Can the project wire an explosive booby trap inside the CD box to ensure
that any sneaky postman is blown away by the awesomeness of openBSD ?
(for a decent supplementary fee of course)
On Thu, Sep 12, 2013 at 6:56 PM, Kenneth R Westerback <
kwesterb...@rogers.com> wrote:
> On Thu, Sep 12, 2013
On Thu, Sep 12, 2013 at 07:52:22PM +0300, Valentin Zagura wrote:
>
> I thought if we buy the CDs we WILL get "a solid evidentuary path from
> commit to" our hands.
>
> So this isn't the case?
You'll be safe enough.
On Thu, Sep 12, 2013 at 07:52:22PM +0300, Valentin Zagura wrote:
> > There is no entity
> > that owns or can be held responsible for the code, or is capable
> > of providing a solid evidentuary path from commit to your hands.
>
> I thought if we buy the CDs we WILL get "a solid evidentuary path fr
On Thu, Sep 12, 2013 at 09:22:51AM -0400, Kenneth R Westerback wrote:
> On Thu, Sep 12, 2013 at 10:49:30AM +0200, InterNetX - Robert Garrett wrote:
> > The real problem here is that in order to be added to certain lists
> > of trusted PKI providers, you must be audited by security Assessors
> > on
> There is no entity
> that owns or can be held responsible for the code, or is capable
> of providing a solid evidentuary path from commit to your hands.
I thought if we buy the CDs we WILL get "a solid evidentuary path from
commit to" our hands.
So this isn't the case?
On Wed, Sep 11, 2013
On Thu, Sep 12, 2013 at 10:49:30AM +0200, InterNetX - Robert Garrett wrote:
> The real problem here is that in order to be added to certain lists
> of trusted PKI providers, you must be audited by security Assessors
> one of the things they look for is proof that the software your
> using isnt tamp
The real problem here is that in order to be added to certain lists of
trusted PKI providers, you must be audited by security Assessors one of
the things they look for is proof that the software your using isnt
tampered with.
It appears the OP is trying to solve that issue. EVEN using the CD i
On 2013/09/12 00:55, Ville Valkonen wrote:
> Not sure whether this is already proposed but here's my two cents: why
> not to check SHA256 sums from the various mirrors and perform the
> comparison?
>
> --
> Cheers,
> Ville Valkonen
>
How does this help prove that the files haven't been tampered
On 11 September 2013 20:42, Valentin Zagura wrote:
> The idea was to display a checksum of the files on such a https page.
> Like for example https://www.freebsd.org/releases/9.1R/announce.html at the
> bottom of the page.
Not sure whether this is already proposed but here's my two cents: why
not
I was saying that other projects do it in a way they feel comfortable with
and maybe you will find a way to do it that you are comfortable with.
Using https was one simple idea. I understand that you don't think that
this adds any value but maybe there are other ways like signing with PGP,
maybe us
On Wed, Sep 11, 2013 at 08:42:46PM +0300, Valentin Zagura wrote:
> The idea was to display a checksum of the files on such a https page.
> Like for example https://www.freebsd.org/releases/9.1R/announce.html at the
> bottom of the page.
>
>
> On Wed, Sep 11, 2013 at 7:18 PM, Stuart Henderson wro
On Wed, Sep 11, 2013 at 08:53:50PM +0300, Valentin Zagura wrote:
> I don't think I'm more paranoid than the average considering that Debian
> has a way to do this (http://www.debian.org/CD/verify), fedora has a way to
> do this (https://fedoraproject.org/verify), even Freebsd has a way to do
> this
If I were a dissident in one of those countries, I would not trust a third
party with my life (but maybe I'm too paranoid).
AFAIK OpenBSD is Canada, not US, but again, I might be wrong.
The idea was to display a checksum of the files on such a https page.
Like for example https://www.freebsd.org/releases/9.1R/announce.html at the
bottom of the page.
On Wed, Sep 11, 2013 at 7:18 PM, Stuart Henderson wrote:
> On 2013/09/11 16:46, Janne Johansson wrote:
> > So you publish somethi
maintaining a mirror and a cvs sync tree is quite good too.
morevover you cloud have some https on your mirror
On Wed, Sep 11, 2013 at 1:53 PM, Valentin Zagura wrote:
> I don't think I'm more paranoid than the average considering that Debian
> has a way to do this (http://www.debian.org/CD/veri
Almost. The difference is that all the others use strong cryptography
(https or GnuPG in Debian case) to ensure that the signatures you get are
actually from them.
On Wed, Sep 11, 2013 at 8:57 PM, Brandon Mercer
wrote:
> There's literally the same thing on the mirror?
> http://ftp.openbsd.org/pu
On Wed, Sep 11, 2013 at 03:17:20PM +0300, Valentin Zagura wrote:
> Yes, we know, but that file can also be easily compromised if it's not
> available for download with a secure protocol (HTTPS)
If you're paranoid, build your own hardware from the ground up,
including designing your own CPU and com
On Wed, Sep 11, 2013 at 01:57:22PM -0400, Brandon Mercer wrote:
> There's literally the same thing on the mirror?
> http://ftp.openbsd.org/pub/OpenBSD/snapshots/amd64/SHA256
This discussion is probably more suited for misc@, but as Brandon wrote,
SHA256 checksums are on all the mirrors. If you don
There's literally the same thing on the mirror?
http://ftp.openbsd.org/pub/OpenBSD/snapshots/amd64/SHA256
On Wed, Sep 11, 2013 at 1:53 PM, Valentin Zagura wrote:
> I don't think I'm more paranoid than the average considering that Debian
> has a way to do this (http://www.debian.org/CD/verify), fe
I don't think I'm more paranoid than the average considering that Debian
has a way to do this (http://www.debian.org/CD/verify), fedora has a way to
do this (https://fedoraproject.org/verify), even Freebsd has a way to do
this ( https://www.freebsd.org/releases/9.1R/announce.html).
The thought of
I think you are missing two very important points that are addressed in
the official documentation and have been pointed out to you by other
respondents:
1. what you are asking for provides NO real added security, and perhaps
just the opposite through FALSE SENSE of security, and
2. the fact t
The easier solution is probably just to build it from source. The
documentation on the site is quite good.
On Wed, Sep 11, 2013 at 12:18 PM, Stuart Henderson wrote:
> On 2013/09/11 16:46, Janne Johansson wrote:
>> So you publish something on a HTTPS page, which means that when the browser
>> says
On 2013/09/11 16:46, Janne Johansson wrote:
> So you publish something on a HTTPS page, which means that when the browser
> says "green padlock", it only says: "this site was using a key signed by
> someone who in turn was signed by someone out of a few hundred CAs in a
> list which include compani
And from that we can deduce what?
$evil_country can't spend $10k to be able to intercept and silently MITM
all https?
2013/9/11 InterNetX - Robert Garrett
> also means somebody paid a lot of money for that green bar
>
>
> On 09/11/2013 04:46 PM, Janne Johansson wrote:
>
>> So you publish somet
On Wed, Sep 11, 2013 at 05:36:45PM +0300, Valentin Zagura wrote:
> Thanks for the suggestion, we will probably order the CD.
>
> But on the other hand, I hope that you realize that people in some
> countries (Iran, China, Egypt, Syria) would not have this possibility and
> they could be more affec
That could also mean "This is THE openbsd.org site" if you're using eff ssl
observatory.
On Wed, Sep 11, 2013 at 5:46 PM, Janne Johansson wrote:
> So you publish something on a HTTPS page, which means that when the
> browser says "green padlock", it only says: "this site was using a key
> signed
also means somebody paid a lot of money for that green bar
On 09/11/2013 04:46 PM, Janne Johansson wrote:
So you publish something on a HTTPS page, which means that when the browser
says "green padlock", it only says: "this site was using a key signed by
someone who in turn was signed by someone
So you publish something on a HTTPS page, which means that when the browser
says "green padlock", it only says: "this site was using a key signed by
someone who in turn was signed by someone out of a few hundred CAs in a
list which include companies in scary countries*". That will help a lot.
*)
Thanks for the suggestion, we will probably order the CD.
But on the other hand, I hope that you realize that people in some
countries (Iran, China, Egypt, Syria) would not have this possibility and
they could be more affected by a compromise than we would be (they might
probably pay with their li
I love the stickers to enclose the box when getting a CD release, probably
easy to forge but so cool :-)
On Wed, Sep 11, 2013 at 9:00 AM, Beavis wrote:
> +1 on this, to make sure that your OpenBSD Distribution is legit, get the
> CD, support the project! what more could you ask for ;)
>
>
> On
+1 on this, to make sure that your OpenBSD Distribution is legit, get the
CD, support the project! what more could you ask for ;)
On Wed, Sep 11, 2013 at 4:58 AM, Peter N. M. Hansteen wrote:
> On Wed, Sep 11, 2013 at 01:49:14PM +0300, Valentin Zagura wrote:
>
> > We are going to use a OpenBSD sy
On Wed, Sep 11, 2013 at 03:17:20PM +0300, Valentin Zagura wrote:
> Yes, we know, but that file can also be easily compromised if it's not
> available for download with a secure protocol (HTTPS)
So get the CD. You'll support the project as well.
-Otto
>
> On Wed, Sep 11, 2013 at 1:59 PM,
Yes, we know, but that file can also be easily compromised if it's not
available for download with a secure protocol (HTTPS)
On Wed, Sep 11, 2013 at 1:59 PM, Stan Gammons wrote:
> The sha256 file located in the directory with the installxx.iso image has
> the sha256 checksum for all of the files
The sha256 file located in the directory with the installxx.iso image has the
sha256 checksum for all of the files in that directory.
On Sep 11, 2013, at 5:49 AM, Valentin Zagura wrote:
> Hi,
>
> We are going to use a OpenBSD system in a PCI-DSS compliant environment.
> Is there any way we ca
On Wed, Sep 11, 2013 at 01:49:14PM +0300, Valentin Zagura wrote:
> We are going to use a OpenBSD system in a PCI-DSS compliant environment.
> Is there any way we can prove to our PCI-DSS assessor that the OpenBSD
> image we use for our installation can be checked so that it is the correct
> one (
Hi,
We are going to use a OpenBSD system in a PCI-DSS compliant environment.
Is there any way we can prove to our PCI-DSS assessor that the OpenBSD
image we use for our installation can be checked so that it is the correct
one (is not modified in a malicious way by a third party) ?
A https link to
47 matches
Mail list logo
