
OpenBSD is a fucking joke!

Name: Anonymous 2013-11-03 6:52

Today OpenBSD 5.4 has been released [1], also known as ``the most secure operating system ever'', or at least that's what the NSA wants you to think!
Did you ever try to install OBSD? No? Well, it's pretty simple: you first go to http://openbsd.org (sorry, no TLS) and click on "Getting releases", then choose some mirror from the list of http, ftp or CVS servers, and now if you want to check the integrity of your download look at the SHA256 file that you got from the same place..... wait, what?..
Yup, that is enterprise security technique! Who needs any DSA/RSA-signed hash when you can trust: your LAN, your ISP, the tier 1 route till the mirror, the mirror itself, and the fUCKING WHOLE INTERNET.

This is fucking ridiculous, do not trust what the media says, OpenBSD is a fucking joke!

__________________

[1] - http://www.openbsd.org/54.html

Name: Anonymous 2013-11-03 13:39

and now if you want to check the integrity of your download look the SHA256 file that you got from the same place
http://mirrors.nycbug.org/pub/OpenBSD/5.4/amd64/
http://mirrors.nycbug.org/pub/OpenBSD/5.4/amd64/SHA256
Like this?

You could connect to the CVS repo using SSH, but if you already have the SHA256 checksum and the original file, why download it through HTTPS when you can compare the checksums?

Name: Anonymous 2013-11-03 16:02

>>1
Then do a favor, and pay for OBSD's CA, if we can trust it, or proposition that you maintain the self-signed CAs of all the mirrors.

*Because every client has TLS and SSL support, you know⸮ And it's not like a SHA256 checksum on all mirrors is not the same, and PGP is not included on the checksum list⸮ Too bad everyone has an HTTP, FTP, and CVS client in their handy OS⸮

But does openbsd.org have a tor domain/gateway?

Plus, for a reason, OpenBSD is hosted in Canada, not USA, so that it does not go against the Arms Trade Treaties. Imagine if it was hosted in the USA! Why would we warn against downloading from USA mirrors‽

Name: Anonymous 2013-11-03 21:11

>>2
for two reasons:
-if someone is MITMing, it is trivial for [i]them[/i] to modify your download on the fly (using Subterfuge, Scapy, etc.) and rehash those files (i.e. a new SHA256 file with new checksums that match the backdoored system)
-the owner of the mirror (or someone who compromised the server) could give you a modified version as well, the only problem then is that you can easily check the checksums in other mirrors...

The whole idea of using digital signatures is to avoid all these problems: with signed packages you know exactly who is giving you the binaries/sources and that those files have not been modified.

>>3
Of course a CA would not offer the final solution here (btw CAcert.org is free) but then someone could sign the cert, and publish the SHA256 file of every release inside the OBSD website (so they don't have to sign *EVERY* release).
and PGP is not included on the checksum list
sorry, do you mean that there is a pgp signed checksum list? where?
It's funny because they only provide SSH fingerprints for the CVS mirrors, but not for the "official" CVS server in Canada.

And what happened with all the IPSEC backdoor drama? It's not completely related with the original post but after Snowden's latest allegations what de Raadt was claiming (about the US govt pushing buggy code) looks much more real, so I would be surprised that all this weak design for obtaining OBSD is being enforced by the NSA.
</paranoid>

Name: Anonymous 2013-11-03 22:06

http://www.openbsd.org/faq/faq3.html#Verify
Wow. Such a great project ruined by idiotic management decisions.

Name: Anonymous 2013-11-03 22:29

>>5
The OpenBSD project does not digitally sign releases. The above command only detects accidental damage, not malicious tampering. If [b]the men in black suits[/b] are out to get you, they're going to get you.
the final conclusion is that openbsd is a honeypot os

Name: Anonymous 2013-11-03 22:36

>>1-5
Hashes are used to check for corruption, not tampering.

Name: Anonymous 2013-11-03 22:49

>>7
huh? that's exactly the problem we are talking about: the checksums (SHA256 hashes) are not signed

Name: Anonymous 2013-11-04 0:28

>>6
If [b]the men in black suits[/b] are out to get you, they're going to get you.

Idiots that overestimate those ``black suit men'' and due to their cowardly and idiotic actions end up giving them more power to be able to ``get you''.

Name: Anonymous 2013-11-04 0:44

>>5-6,9
The same argument could be used to do away with fixing security holes.

Name: Anonymous 2013-11-04 2:28

OpenBSD is a fucking jerk!

Name: Attitude¬⇒Soft Dist 2013-11-04 3:12

>>4,9
rehash those files (ie a new SHA256 file with new checksums that matches the backdoored system)
Then they would really be wanting to infect everything. I can see that happening on popular files and sites, but OpenBSD?
But you bring a good point. I really thought OpenBSD offered PGP signatures for their OS, even their packages. I guess I don't follow the OpenBSD news as much.

What F.L.O.S.S. do you recommend then? I've been a FreeBSD fan since I learned of F.L.O.S.S., and they are moving in the right direction.

If you like, suggest your concerns to the OpenBSD mailing list:
http://www.openbsd.org/mail.html
I agree with your concerns.

>>11
Lots of people are. So what, does that mean the code and practices are sublime?

Name: pkgng 1.2 final 2013-12-04 21:52

F-f-f-f-f-ucking finally:
https://svnweb.freebsd.org/ports?view=revision&revision=334937
- pkg repo can now take new arguments:
pkg repo [path] [rsa_key|'signing_command: <command>']
This allow calling external command to perform the signing and
pass the checksum to be signed in the command stdin.

That's it, I am going all in on FreeBSD. As if I wasn't already. Laters peeps! I will be so busy using it, I will rarely have time to reply here. Like I even reply here often, lol.

Name: Anonymous 2013-12-08 17:42

>>11
Oh yeah? Well De Raat called, and he's running out of you!

Name: Anonymous 2013-12-10 3:06

I think they are going to implement crypto in their site and software soon:
Mike Belopuhov (mikeb@) of .vantronix secure systems "OpenBSD: Where crypto is going?"
http://undeadly.org/cgi?action=article&sid=20131126113154
http://tech.yandex.ru/events/yagosti/ruBSD/

Name: Anonymous 2013-12-13 13:00

YOU are a joke!!!!!!!

Name: Anonymous 2013-12-22 2:40

In all seriousness, is there any way to make sure a malicious individual isn't messing with your OpenBSD packages? Is there any way to get package signing or an equivalent alternative working with OpenBSD? I really don't want to go to FreeBSD, because OpenBSD is so much simpler.

Name: Anonymous 2013-12-22 4:36

My OpenBSD server uptime 366 days and a few hours. And I have 3 of these puppies running. The only time 1 of them crashed or died was because of a faulty hdd. Never been hacked, never had issues and I run many many services on my net.

I know Theo personally and I like him...

Whoever made this thread should let everyone know their real name, phone number, and address

Theo makes his information public, available and anyone can call or visit him anytime

If the person that made this thread does that, I wonder if he will have people on his door asking for a free openbsd cd or possibly there for other reasons?

I for one would:

1. take down your entire net, forever
2. take over your freebsd machines in a few minutes
3. make your phone line never work again
4. cut off all power to your house and place of business
5. make you afraid to drive in any car newer than 1990
6. make you afraid to leave your house without your posse (that is if you have friends)

now do the right thing, take down this thread, and file a civil claim against Theo and OpenBSD if you have legal grievances

Otherwise once the community finds out who you are, you will only then figure out how many people like Theo and how many people like you (my how many lights turn on, on your routers, switches, servers, computers, laptops, tvs, telephones, cell phones, cars)

Name: Anonymous 2013-12-22 7:01

>>18
NSA ``tough guy'' shill detected.

Name: Anonymous 2013-12-22 7:22

>>18
A compromised system can still silently work against you. It doesn't necessarily crash or open its doors to any random hacker. But it can still log what you are doing and sit and wait for commands from the controller of your system. In addition, the announcement of an identity behind a claim does not affect the validity of the claim. Instead it introduces other complications, like the little hacker war you hinted at. This wouldn't be mature and would do nothing to resolve the problem being discussed. So in short, back to /g/, ``please''!!.

Name: Anonymous 2013-12-22 18:03

>>18

OpenBSD is the next "Elusive Joe".

Name: Anonymous 2013-12-23 23:41

>>19
Fuck off with your epic ``shill'' meme back to /g/, please.

Name: VIPPER 2013-12-24 10:09

>>22
I never could believe that there is a person as braindead as you

Name: Anonymous 2013-12-27 2:40

>>22
Fuck off with your ``Fuck off with your ``Fuck off with your ``Fuck off with your ``Fuck off with your ``Fuck off with your ``Fuck off with your ``Fuck off with your ``Fuck off with your ``Fuck off with your ``Fuck off with your ``Fuck off with your ``Fuck off with your ``Fuck off with your ``Fuck off with your ``Fuck off with your ``Fuck off wi***Monadic stack pointer overflow

Name: Anonymous 2013-12-27 15:22

>>23
The ``detected'' wordmaymay comes from the imagereddits as well.

How about we stop this pointless chain of rants and you make some good programming related posts?

Name: VIPPER 2013-12-27 16:27

>>25
Friendly reminder that you are from /g/ and everyone knows that

and you make some good programming related posts?
I do, how about you?

Name: Anonymous 2013-12-28 4:54

>>26

That post isn't programming related.
This post isn't either. Stop shitposting.

Name: VIPPER 2013-12-28 14:36

>>27
That post isn't programming related.
This post isn't either. Stop shitposting.

shitposting
this word is a imagereddit maymay

Name: Anonymous 2013-12-31 19:50

>>17
man sudo && man sha256

And with ZFS on FreeBSD now, you can do integrity checks on all your files.

PS I haven't been here in a while.

Name: Anonymous 2014-01-01 2:12

>>29
I was under the impression that they don't sign their packages.

Name: Anonymous 2014-01-01 2:56

>>29

Integrity checks aren't the problem.

Yes, I can check a downloaded package against a SHA256 hash, but can I be sure that both the package and the checksum haven't been compromised? The only way to be completely sure is to have signed packages, which OpenBSD doesn't have right now, as far as I know.

Name: Anonymous 2014-01-02 7:36

>>31
In principle, I agree with you, but I'm also willing to bet $10 that your web of trust is such that a network-omnipotent attacker could ensure with reasonable probability that you get the wrong version of De Raadt's public key.

Name: Anonymous 2014-01-02 8:13

>>32
In the short term certainly, but not long term. When a key is provided, detecting a MITM reduces to finding a key collision in your web of trust. You may be MITMed at one point, but eventually, at some point between you and the owner of the key, a collision will crop up and someone will say something about it.

Name: Anonymous 2014-01-02 15:49

>>33
Fair enough. A n->oo limit is usable.

Name: Anonymous 2014-01-07 20:13

>>32
That would be too risky for any intelligence agency; it's too easy to verify if the fingerprint you got from a keyserver is ok since most people go to (eg) computer congress where you can check it in person

Name: Anonymous 2014-01-08 1:53

Why worry about checksums when there are backdoors already?

http://marc.info/?l=openbsd-tech&m=129236621626462&w=2

Name: Anonymous 2014-01-08 12:42

>>35
most people go to (eg) computer congress
Nope. That's the point - most people don't actually verify their web of trust in person.

Name: Anonymous 2014-01-10 2:11

I think some small steps are being taken now to have signed packages in OpenBSD:

http://www.tedunangst.com/flak/post/signify

Name: Anonymous 2014-01-10 10:46

>>38
There's been a new wave of people and companies adopting encryption lately, probably due to the recent controversy. 2014 will be a good year for cypherpunks. Maybe things aren't in such a dismal state after all.

Name: Anonymous 2014-01-17 22:54

good old /prog/, always exactly predicting trends before the javascript-infested sites like cnet and whatever shit

http://marc.info/?l=openbsd-misc&m=138972987203440&w=2

Name: Anonymous 2014-01-17 23:26

>>40
Fuck off, Marc.

Name: Anonymous 2014-01-18 1:47

>>41

I'm not marc, I'm just some guy, all the big news aggregators are linking to that marc.info site where it says that OpenBSD is short on funding. All this weeks after /prog/ said OpenBSD was a "fucking joke". I could have linked to a reddit page too, but judging from past events on this board, that would have been extremely distasteful and worthy of deletion and banning.

In any event, I'm sorry if my post didn't match your quality standards.

Name: Anonymous 2014-01-18 2:06

>>42
Relax it's a joke ;) Marc likes to link us to his blog for advertising dollars

Name: Anonymous 2014-01-18 2:27

Could any nice /prog/rider post this thread on Reddit and Hacker News?

Name: Anonymous 2014-01-18 2:36

>>44
Why?

Name: Anonymous 2014-01-18 5:35

>>45
because they think they are so smart, but they don't know the truth!

Name: Anonymous 2014-01-18 15:03

>>46

You know I was saying the same thing to your mom the other day whilst I was ravaging her anus!

Name: Anonymous 2014-01-18 16:23

not sure if this site should be posted to reddit, it would blow the cover and we would soon be invaded by san francisco javascript programmers. No more Scheme and Lisp, all hipstr.js and ruby on rails !

Name: Anonymous 2014-01-18 19:02

>>48
This site isn't Web3.0 enough. They'd never stay.

Name: Anonymous 2014-01-19 4:11

rerererereverse necrooooo

Name: Anonymous 2014-01-19 8:27

http://marc.info/?l=openbsd-misc&m=138972987203440&w=2

List: openbsd-misc
Subject: Re: Request for Funding our Electricity
From: Bob Beck <beck () openbsdfoundation ! org>
Date: 2014-01-14 20:03:37

Just to bring this issue back to the forefront.

In light of shrinking funding, we do need to look for a source to
cover project expenses. If need be the OpenBSD Foundation can be
involved in receiving donations to cover project electrical costs.

But the fact is right now, OpenBSD will shut down if we do not have
the funding to keep the lights on.


If you or a company you know are able to assist us, it would be
greatly appreciated, but right now we are looking at a significant
funding shortfall for the upcoming year - Meaning the project won't be
able to cover 20 thousand dollars in electrical expenses before being
able to use money for other things. That sort of situation is not
sustainable.

Name: Anonymous 2014-01-19 21:18

new development today

http://bsd.slashdot.org/story/14/01/19/0124202/openbsd-moving-towards-signed-packages-based-on-d-j-bernstein-crypto

It's official: 'we are moving towards signed packages,' says Theo de Raadt on the misc@ mailing list. This is shortly after a new utility, signify, was committed into the base tree. The reason a new utility had to be written in the first place is that gnupg is too big to fit on the floppy discs, which are still a supported installation medium for OpenBSD. Signatures are based on the Ed25519 public-key signature system from D. J. Bernstein and co., and his public domain code once again appears in the base tree of OpenBSD, only a few weeks after some other DJB inventions made it into the nearby OpenSSH as well.

I guess /prog/ is really on to what's going on in the computing industry. Or maybe mr. de raadt reads /prog/
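The re-hashing problem >>4 describes (a mirror or on-path party swaps a file and regenerates the unsigned SHA256 list to match) and the Ed25519-signed approach quoted above, played out in Go as an added example that is not part of this thread or of signify itself; the file names, contents and key pair are constructed, and the publisher's public key is assumed to reach the verifier out of band:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// distFile is a constructed stand-in for one release file (name + contents).
type distFile struct {
	name string
	data []byte
}

// checksumList renders files in the "SHA256 (name) = hex" form of the OpenBSD SHA256 file.
func checksumList(files []distFile) string {
	var b strings.Builder
	for _, f := range files {
		fmt.Fprintf(&b, "SHA256 (%s) = %x\n", f.name, sha256.Sum256(f.data))
	}
	return b.String()
}

// checksumMatches is all an unsigned SHA256 file offers: does the file hash to the listed value?
func checksumMatches(list string, f distFile) bool {
	want := fmt.Sprintf("SHA256 (%s) = %x\n", f.name, sha256.Sum256(f.data))
	return strings.Contains("\n"+list, "\n"+want)
}

// signedListOK is the extra step a signed release adds: the checksum list is trusted
// only if its Ed25519 signature verifies under a key obtained out of band, not from the mirror.
func signedListOK(pub ed25519.PublicKey, list string, sig []byte) bool {
	return ed25519.Verify(pub, []byte(list), sig)
}

// mirrorScenario plays out the thread's threat model: the publisher signs the genuine
// list; the mirror then serves a modified file plus a checksum list regenerated to match.
// It reports whether the bare checksum check still passes and whether the signature rejects the swap.
func mirrorScenario() (checksumStillPasses, signatureRejects bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	genuine := []distFile{{"base54.tgz", []byte("base")}, {"etc54.tgz", []byte("etc")}}
	genuineList := checksumList(genuine)
	sig := ed25519.Sign(priv, []byte(genuineList)) // publisher's signature over the list
	served := []distFile{{"base54.tgz", []byte("base+extra")}, genuine[1]}
	servedList := checksumList(served) // list recomputed by the mirror to match the swap
	checksumStillPasses = checksumMatches(servedList, served[0])
	signatureRejects = signedListOK(pub, genuineList, sig) && !signedListOK(pub, servedList, sig)
	return checksumStillPasses, signatureRejects, nil
}
```

The bare checksum check accepts the swapped file because the list was regenerated alongside it; only the signature, bound to a key the mirror cannot replace, rejects it.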

Name: VIPPER 2014-01-20 4:25

>>52
b-but-but If the men in black suits are out to get you, they're going to get you., why theo changed opinion [spoiler];_;[/spoiler] (that was a shitty joke, I hope you enjoyed)

The reason a new utility had to be written in the first place is that gnupg is too big to fit on the floppy discs
awwwww

Name: Anonymous 2014-01-20 4:56

>>53
Men in black are only interested in UFOs and ETs. Theo can't even get his government (overt or covert) agencies right.

Name: Anonymous 2014-01-20 14:02

>>54
To be fair to Theo, the men in black are very different from the men in black suits (although both of them wear black suits).

Name: Anonymous 2014-01-20 15:09

>>53
I like how they are all for backward compatibility and do not go the Microsoft/Apple/etc bullshit way of "YOU HAVE TO BUY A NEW COMPUTER AND OPERATING SYSTEM EVERY YEAR TO DARE CALL YOURSELF A 'GEEK', IF YOU RUN XP YOU'RE LIVING IN THE PAST AND ARE A LOOSER HURF DURF TURF. EVERYONE NEEDS AT LEAST 200 GB OF RAM AND A 1 THZ PROCESSOR".

Name: Anonymous 2014-01-20 20:37

>>56
Please go back to where you came from.

Name: Anonymous 2014-03-30 1:38

Rejoice, gentlemen, for OpenBSD 5.5 will have tedu's package signing system:

http://www.openbsd.org/55.html
Releases and packages are now cryptographically signed with the signify(1) utility.

Name: Anonymous 2014-03-30 10:59

>>58
so openbsd is serious now?

Name: Anonymous 2014-03-30 15:35

>>59
OpenBSD has always been serious.

Name: Anonymous 2014-03-30 16:07

>>60
>>6 could've fooled me!

Name: Anonymous 2014-03-30 18:03

>>61
A blind monkey could fool you.

Name: Anonymous 2014-04-01 0:16

Well, I guess it's okay. OpenBSD has finally gotten around to putting up a ``NO TRESPASSING'' sign on its lawn (pun intended). Thank goodness, I can take it seriously now.

Name: Anonymous 2014-05-01 21:57

OpenBSD 5.5 has been released, and it has package signing with tedu's signify tool.

Name: Anonymous 2014-05-02 11:41

Does this thing have network drivers and XMonad support?

Name: Anonymous 2014-05-03 5:26

>>66
hax my anus

Name: Anonymous 2014-05-03 8:14

>>66
selfhaxed

Name: Anonymous 2017-01-20 19:10

>>62
rekt
