
OpenBSD is a fucking joke!

Name: Anonymous 2013-11-03 6:52

Today OpenBSD 5.4 has been released [1], also known as ``the most secure operating system ever'', or at least that's what the NSA wants you to think!
Did you ever try to install OBSD? No? Well, it's pretty simple: you first go to http://openbsd.org (sorry, no TLS) and click on "Getting releases", then choose some mirror from the list of http, ftp or CVS servers, and now if you want to check the integrity of your download, look at the SHA256 file that you got from the same place..... wait, what?..
Yup, that is enterprise security technique! Who needs any DSA/RSA signed hash when you can trust: your LAN, your ISP, the tier 1 route till the mirror, the mirror itself, and the fUCKING WHOLE INTERNET.

This is fucking ridiculous, do not trust what the media says, OpenBSD is a fucking joke!

__________________

[1] - http://www.openbsd.org/54.html

Name: Anonymous 2013-11-03 13:39

and now if you want to check the integrity of your download look the SHA256 file that you got from the same place
http://mirrors.nycbug.org/pub/OpenBSD/5.4/amd64/
http://mirrors.nycbug.org/pub/OpenBSD/5.4/amd64/SHA256
Like this?

You could connect to the CVS repo using SSH, but if you already have the SHA256 checksum and the original file, why download it through HTTPS when you can compare the checksums?

Name: Anonymous 2013-11-03 16:02

>>1
Then do us a favor and pay for OBSD's CA, if we can trust it, or propose that you maintain the self-signed CAs of all the mirrors.

*Because every client has TLS and SSL support, you know⸮ And it's not like the SHA256 checksums on all mirrors are not the same, and PGP is not included on the checksum list⸮ Too bad everyone has an HTTP, FTP, and CVS client in their handy OS⸮

But does openbsd.org have a tor domain/gateway?

Plus, for a reason, OpenBSD is hosted in Canada, not the USA, so that it does not go against the Arms Trade Treaties. Imagine if it was hosted in the USA! Why would we warn against downloading from USA mirrors‽

Name: Anonymous 2013-11-03 21:11

>>2
for two reasons:
-if someone is MITMing, it is trivial for [i]them[/i] to modify your download on the fly (using Subterfuge, Scapy, etc.) and rehash those files (i.e. a new SHA256 file with new checksums that match the backdoored system)
-the owner of the mirror (or someone who compromised the server) could give you a modified version as well; the only problem then is that you can easily check the checksums on other mirrors...

The whole idea of using digital signatures is to avoid all these problems: with signed packages you know exactly who is giving you the binaries/sources and that those files have not been modified.

>>3
Of course a CA would not offer the final solution here (btw CAcert.org is free), but then someone could sign the cert and publish the SHA256 file of every release on the OBSD website (so they don't have to sign *EVERY* release).
and PGP is not included on the checksum list
Sorry, do you mean that there is a PGP-signed checksum list? Where?
It's funny because they only provide SSH fingerprints for the CVS mirrors, but not for the "official" CVS server in Canada.

And what happened with all the IPSEC backdoor drama? It's not completely related to the original post, but after Snowden's latest allegations what de Raadt was claiming (about the US govt pushing buggy code) looks much more real, so I would be surprised that all this weak design for obtaining OBSD is being enforced by the NSA.
</paranoid>

Name: Anonymous 2013-11-03 22:06

http://www.openbsd.org/faq/faq3.html#Verify
Wow. Such a great project ruined by idiotic management decisions.

Name: Anonymous 2013-11-03 22:29

>>5
The OpenBSD project does not digitally sign releases. The above command only detects accidental damage, not malicious tampering. If [b]the men in black suits[/b] are out to get you, they're going to get you.
The final conclusion is that OpenBSD is a honeypot OS.

Name: Anonymous 2013-11-03 22:36

>>1-5
Hashes are used to check for corruption, not tampering.

Name: Anonymous 2013-11-03 22:49

>>7
huh? that's exactly the problem we are talking about: the checksums (SHA256 hashes) are not signed

Name: Anonymous 2013-11-04 0:28

>>6
If [b]the men in black suits[/b] are out to get you, they're going to get you.

Idiots that overestimate those ``black suit men'' and due to their cowardly and idiotic actions end up giving them more power to be able to ``get you''.

Name: Anonymous 2013-11-04 0:44

>>5-6,9
The same argument could be used to do away with fixing security holes.

Name: Anonymous 2013-11-04 2:28

OpenBSD is a fucking jerk!

Name: Attitude¬⇒Soft Dist 2013-11-04 3:12

>>4,9
rehash those files (ie a new SHA256 file with new checksums that matches the backdoored system)
Then they would really have to want to infect everything. I can see that happening on popular files and sites, but OpenBSD?
But you bring a good point. I really thought OpenBSD offered PGP signatures for their OS, even their packages. I guess I don't follow the OpenBSD news as much.

What F.L.O.S.S. do you recommend then? I've been a FreeBSD fan since I learned of F.L.O.S.S., and they are moving in the right direction.

If you like, suggest your concerns to the OpenBSD mailing list:
http://www.openbsd.org/mail.html
I agree with your concerns.

>>11
Lots of people are. So what, does that mean the code and practices are sublime?

Name: pkgng 1.2 final 2013-12-04 21:52

F-f-f-f-f-ucking finally:
https://svnweb.freebsd.org/ports?view=revision&revision=334937
- pkg repo can now take new arguments:
pkg repo [path] [rsa_key|'signing_command: <command>']
This allow calling external command to perform the signing and
pass the checksum to be signed in the command stdin.

That's it, I am going all in to FreeBSD. As if I wasn't already. Laters peeps! I will be so busy using it, I will rarely have time to reply here. Like I even reply here often, lol.

Name: Anonymous 2013-12-08 17:42

>>11
Oh yeah? Well de Raadt called, and he's running out of you!

Name: Anonymous 2013-12-10 3:06

I think they are going to implement crypto in their site and software soon:
Mike Belopuhov (mikeb@) of .vantronix secure systems "OpenBSD: Where crypto is going?"
http://undeadly.org/cgi?action=article&sid=20131126113154
http://tech.yandex.ru/events/yagosti/ruBSD/

Name: Anonymous 2013-12-13 13:00

YOU are a joke!!!!!!!

Name: Anonymous 2013-12-22 2:40

In all seriousness, is there any way to make sure a malicious individual isn't messing with your OpenBSD packages? Is there any way to get package signing or an equivalent alternative working with OpenBSD? I really don't want to go to FreeBSD, because OpenBSD is so much simpler.

Name: Anonymous 2013-12-22 4:36

My OpenBSD server uptime is 366 days and a few hours. And I have 3 of these puppies running. The only time 1 of them crashed or died was because of a faulty hdd. Never been hacked, never had issues and I run many many services on my net.

I know Theo personally and I like him...

Whoever made this thread should let everyone know their real name, phone number, and address

Theo makes his information public, available and anyone can call or visit him anytime

If the person that made this thread does that, I wonder if he will have people on his door asking for a free openbsd cd or possibly there for other reasons?

I for one would;

1. take down your entire net, forever
2. take over you freebsd machines in a few minutes
3. make your phone line never work again
4. cut off all power to your house and place of business
5. make you afraid to drive in any car newer than 1990
6. make you afraid to leave your house without your posse (that is, if you have friends)

now do the right thing, take down this thread, and file a civil claim against Theo and OpenBSD if you have legal grievances

Otherwise, once the community finds out who you are, you will only then figure out how many people like Theo and how many people like you (my, how many lights turn on, on your routers, switches, servers, computers, laptops, tvs, telephones, cell phones, cars)

Name: Anonymous 2013-12-22 7:01

>>18
NSA ``tough guy'' shill detected.

Name: Anonymous 2013-12-22 7:22

>>18
A compromised system can still silently work against you. It doesn't necessarily crash or open its doors to any random hacker. But it can still log what you are doing and sit and wait for commands from the controller of your system. In addition, the announcement of an identity behind a claim does not affect the validity of the claim. Instead it introduces other complications, like the little hacker war you hinted at. This wouldn't be mature and would do nothing to resolve the problem being discussed. So in short, back to /g/, ``please''!!.

Name: Anonymous 2013-12-22 18:03

>>18

OpenBSD is the next "Elusive Joe".

Name: Anonymous 2013-12-23 23:41

>>19
Fuck off with your epic ``shill'' meme back to /g/, please.

Name: VIPPER 2013-12-24 10:09

>>22
I never could believe that there is a person as braindead as you

Name: Anonymous 2013-12-27 2:40

>>22
Fuck off with your ``Fuck off with your ``Fuck off with your ``Fuck off with your ``Fuck off with your ``Fuck off with your ``Fuck off with your ``Fuck off with your ``Fuck off with your ``Fuck off with your ``Fuck off with your ``Fuck off with your ``Fuck off with your ``Fuck off with your ``Fuck off with your ``Fuck off with your ``Fuck off wi***Monadic stack pointer overflow

Name: Anonymous 2013-12-27 15:22

>>23
The ``detected'' wordmaymay comes from the imagereddits as well.

How about we stop this pointless chain of rants and you make some good programming related posts?

Name: VIPPER 2013-12-27 16:27

>>25
Friendly reminder that you are from /g/ and everyone knows that

and you make some good programming related posts?
I do, how about you?

Name: Anonymous 2013-12-28 4:54

>>26

That post isn't programming related.
This post isn't either. Stop shitposting.

Name: VIPPER 2013-12-28 14:36

>>27
That post isn't programming related.
This post isn't either. Stop shitposting.

shitposting
this word is a imagereddit maymay

Name: Anonymous 2013-12-31 19:50

>>17
man sudo && man sha256

And with ZFS on FreeBSD now, you can do integrity checks on all your files.

PS I haven't been here in a while.

Name: Anonymous 2014-01-01 2:12

>>29
I was under the impression that they don't sign their packages.

Name: Anonymous 2014-01-01 2:56

>>29

Integrity checks aren't the problem.

Yes, I can check a downloaded package against a SHA256 hash, but can I be sure that both the package and the checksum haven't been compromised? The only way to be completely sure is to have signed packages, which OpenBSD doesn't have right now, as far as I know.
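
Added example, not from the thread or from the OpenBSD project, for the point made in >>4 (whoever can rewrite your download can rewrite the SHA256 file too) and restated in >>31 (a hash checks integrity, not who produced the file). It assumes only that openssl(1) is installed. The release file, the checksum list, the "release.key" signing key and the attacker are all constructed stand-ins, and RSA-over-SHA256 with openssl stands in for a real release-signing scheme such as signify(1), whose key and signature formats differ.

```shell
#!/bin/sh
# Added example (not the project's code). Shows that an OpenBSD-style
# "SHA256 (file) = hex" list fetched from the same place as the file detects
# nothing once an attacker rewrites both, while a signature over the list,
# checked against a public key obtained out of band, does. All inputs are
# constructed; "release.key" is a hypothetical project signing key.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

sha256_of() {
    # hex digest of one file, via openssl so this runs on BSD and Linux alike
    openssl dgst -sha256 -r "$1" | cut -d' ' -f1
}

make_sha256_file() {
    # emit checksum lines in the format the OpenBSD SHA256 file uses
    for f in "$@"; do
        printf 'SHA256 (%s) = %s\n' "$f" "$(sha256_of "$f")"
    done
}

verify_checksums() {
    # $1 = checksum list; succeed only if every listed file hashes to its listed value
    while IFS= read -r line; do
        name=$(printf '%s\n' "$line" | sed -n 's/^SHA256 (\(.*\)) = [0-9a-f]\{64\}$/\1/p')
        want=$(printf '%s\n' "$line" | sed -n 's/^SHA256 (.*) = \([0-9a-f]\{64\}\)$/\1/p')
        [ -n "$name" ] && [ -n "$want" ] || return 1    # malformed line: refuse
        [ -f "$name" ] || return 1
        [ "$(sha256_of "$name")" = "$want" ] || return 1
    done < "$1"
}

verify_signed() {
    # $1 = checksum list, $2 = detached signature, $3 = pinned public key
    # (obtained out of band: a CD, a fingerprint checked in person, not the mirror).
    openssl dgst -sha256 -verify "$3" -signature "$2" "$1" >/dev/null 2>&1 || return 1
    verify_checksums "$1"
}

setup_release() {
    # the project's side: publish a file, its checksum list and a signature over the list
    printf 'pretend this is install54.iso\n' > install54.iso
    make_sha256_file install54.iso > SHA256
    if [ ! -f release.key ]; then
        openssl genrsa -out release.key 2048 2>/dev/null
        openssl rsa -in release.key -pubout -out release.pub 2>/dev/null
    fi
    openssl dgst -sha256 -sign release.key -out SHA256.sig SHA256
}

tamper() {
    # the attacker's side (MITM or compromised mirror): swap the file and re-hash.
    # SHA256.sig cannot be regenerated because release.key never left the project.
    printf 'pretend this is a backdoored install54.iso\n' > install54.iso
    make_sha256_file install54.iso > SHA256
}

result() { if "$@"; then echo accepted; else echo rejected; fi; }

pristine_unsigned() { setup_release; result verify_checksums SHA256; }
tampered_unsigned() { setup_release; tamper; result verify_checksums SHA256; }
pristine_signed()   { setup_release; result verify_signed SHA256 SHA256.sig release.pub; }
tampered_signed()   { setup_release; tamper; result verify_signed SHA256 SHA256.sig release.pub; }

attacker_resigned() {
    # attacker signs the rewritten list with a key of their own; the pinned key rejects it
    setup_release; tamper
    openssl genrsa -out attacker.key 2048 2>/dev/null
    openssl dgst -sha256 -sign attacker.key -out SHA256.sig SHA256
    result verify_signed SHA256 SHA256.sig release.pub
}

echo "checksums only, untouched:        $(pristine_unsigned)"
echo "checksums only, tampered:         $(tampered_unsigned)"
echo "signed list, untouched:           $(pristine_signed)"
echo "signed list, tampered:            $(tampered_signed)"
echo "signed list, attacker's own key:  $(attacker_resigned)"
```

The second line of output is the thread's whole complaint in one word: the tampered file plus its rewritten SHA256 list is "accepted". The last case is why >>32's objection matters: the signature only helps if release.pub was pinned through some channel the attacker does not control; fetch it from the same mirror as SHA256.sig and the attacker simply ships their own key alongside their own signature.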

Name: Anonymous 2014-01-02 7:36

>>31
In principle, I agree with you, but I'm also willing to bet $10 that your web of trust is such that a network-omnipotent attacker could ensure with reasonable probability that you get the wrong version of De Raadt's public key.

Name: Anonymous 2014-01-02 8:13

>>32
In the short term certainly, but not in the long term. When a key is provided, detecting a MITM reduces to finding a key collision in your web of trust. You may be MITMed at one point, but eventually, at some point between you and the owner of the key, a collision will crop up and someone will say something about it.

Name: Anonymous 2014-01-02 15:49

>>33
Fair enough. An n→∞ limit is usable.

Name: Anonymous 2014-01-07 20:13

>>32
That would be too risky for any intelligence agency; it's too easy to verify if the fingerprint you got from a keyserver is OK, since most people go to (e.g.) computer congresses where you can check it in person

Name: Anonymous 2014-01-08 1:53

Why worry about checksums when there are backdoors already?

http://marc.info/?l=openbsd-tech&m=129236621626462&w=2

Name: Anonymous 2014-01-08 12:42

>>35
most people go to (eg) computer congress
Nope. That's the point - most people don't actually verify their web of trust in person.

Name: Anonymous 2014-01-10 2:11

I think some small steps are being taken now to have signed packages in OpenBSD:

http://www.tedunangst.com/flak/post/signify

Name: Anonymous 2014-01-10 10:46

>>38
There's been a new wave of people and companies adopting encryption lately, probably due to the recent controversy. 2014 will be a good year for cypherpunks. Maybe things aren't in such a dismal state after all.

Name: Anonymous 2014-01-17 22:54

good old /prog/, always exactly predicting trends before the javascript-infested sites like cnet and whatever shit

http://marc.info/?l=openbsd-misc&m=138972987203440&w=2
