Re: Code signing in OpenBSD

On Dec 5, 2007 2:23 PM, Ted Unangst <ted.unangst@...> wrote:
> On 12/5/07, Rui Miguel Silva Seabra <rms@...> wrote:
> > Come on... twice a year and get the benefit of not being excluded from
> > company policies which require digital signature of software downloaded
> > through the internet.
>
> sign it yourself, then download it. problem solved.

Buy the CDs?

Re: Code signing in OpenBSD

blah blah blah

have you ever wondered why openbsd doesn't do binary updates?

maybe you are now going to be able to figure out why we don't need complex signing mechanisms.

On Wed, Dec 05, 2007 at 06:46:01PM +0000, Rui Miguel Silva Seabra wrote:
> On Wed, Dec 05, 2007 at 11:59:31AM -0500, Nick Guenther wrote:
> > > I'm surprised that OpenBSD (the most secure OS I know of)
> > > does not use it, that's all I'm saying. I also thought there would be a real
> > > reason for not doing so and there may in fact be and I may just be unaware
> > > of it.
> >
> > OpenBSD is the most secure OS, the devs know what they are doing.. and
> > they've rejected this as unnecessary.
>
> I don't see what is the problem with blessing a fingerprint of the
> binaries with a PKI signature, which would mean that *these* are the
> binaries the devs intended to release.
>
> Come on... twice a year and get the benefit of not being excluded from
> company policies which require digital signature of software downloaded
> through the internet.
>
> > You can check the MD5 files for the main distribution, and for
> > packages.. well the official OpenBSD mirrors are all trustworthy--if
> > they aren't, it will be discovered and they will no longer be official
> > mirrors.
> > This isn't a great answer, I know.
>
> Definitely not a great answer, as there are vectors of attack which
> cover the client accessing the mirror and not the mirror in itself, like
> changing on-the-fly the md5sums to match the bad binaries, etc...
>
> A digital signature would enable the non-repudiation of the fingerprints
> file (at least), giving a moderate level of assurance that attack
> vectors would have to concentrate on upstream development servers (where
> the devs *really* know what they are doing).
>
> Rui
>
> --
> Hail Eris!
> Today is Prickle-Prickle, the 47th day of The Aftermath in the YOLD 3173
> + No matter how much you do, you never do enough -- unknown
> + Whatever you do will be insignificant,
> | but it is very important that you do it -- Gandhi
> + So let's do it...?

Re: Code signing in OpenBSD

> Can you dismiss PKI and the benefits that OpenPGP signatures provide to your
> user community? Knowing that xyz binary is signed by OpenBSD for
> distribution or abc email came from an official OpenBSD source is a good
> thing. Trojaned binaries and forged emails happen. PKI can help mitigate
> this. The benefit of PKI is widely known and accepted and does not need to
> be rehashed here. I'm surprised that OpenBSD (the most secure OS I know of)
> does not use it, that's all I'm saying. I also thought there would be a real
> reason for not doing so and there may in fact be and I may just be unaware
> of it.

If you want a secure binary, buy an official CD.. This is what most people do. PKI requires infrastructure that would cost OpenBSD money and developer time. Official CDs keep OpenBSD alive.

Oh wait, we should devote resources to people who care about security, just not enough to spend $50 on it.. Yeah. I'll get right on that.

-Bob

Re: Code signing in OpenBSD

> If you want a secure binary, buy an official CD.. This is
> what most people do. PKI requires infrastructure that would cost OpenBSD
> money and developer time. Official CDs keep OpenBSD alive.
>
> Oh wait, we should devote resources to people who care about
> security, just not enough to spend $50 on it.. Yeah. I'll get right
> on that.

I do buy CDs. T-shirts too. I also donate. You guys live up to the reputation :)

Re: Code signing in OpenBSD

On Wed, Dec 05, 2007 at 11:23:28AM -0800, Ted Unangst wrote:
> On 12/5/07, Rui Miguel Silva Seabra <rms@...> wrote:
> > Come on... twice a year and get the benefit of not being excluded from
> > company policies which require digital signature of software downloaded
> > through the internet.
>
> sign it yourself, then download it. problem solved.

Forgive them, for they know not what they say... *sigh* :)

Rui

--
Today is Prickle-Prickle, the 47th day of The Aftermath in the YOLD 3173
+ No matter how much you do, you never do enough -- unknown
+ Whatever you do will be insignificant,
| but it is very important that you do it -- Gandhi
+ So let's do it...?

Re: Code signing in OpenBSD

On Dec 5, 2007, at 7:46 PM, Rui Miguel Silva Seabra wrote:
>
> I don't see what is the problem with blessing a fingerprint of the
> binaries with a PKI signature, which would mean that *these* are the
> binaries the devs intended to release.

Who would sign the binaries? Would each package maintainer sign his own packages? Does Theo have to sign each package?

I don't see a problem in having signatures for software but I do see problems in creating and maintaining an infrastructure for these signatures.

And what would you gain? What guarantees would these signatures give you? You can verify package consistency with md5 sums. If you are paranoid, why would you trust the devs? You would just compile the software yourself. But only after reading each line of code of course.

Floor Terra

Re: Code signing in OpenBSD

On Wed, 5 Dec 2007 08:46:16 -0800 (PST), new_guy wrote:
> Can you dismiss PKI and the benefits that OpenPGP signatures provide to your
> user community? Knowing that xyz binary is signed by OpenBSD for
> distribution or abc email came from an official OpenBSD source is a good
> thing. Trojaned binaries and forged emails happen. PKI can help mitigate
> this. The benefit of PKI is widely known and accepted and does not need to
> be rehashed here. I'm surprised that OpenBSD (the most secure OS I know of)
> does not use it, that's all I'm saying. I also thought there would be a real
> reason for not doing so and there may in fact be and I may just be unaware
> of it.

Hmm, you have a financial interest in a CA? Or you just believe you know more about PKI security than Schneier does?

http://www.schneier.com/paper-pki.html

Now tell us all why you would trust PKI so absolutely.

Rod/
Me...a skeptic? I trust you have proof.

Re: Code signing in OpenBSD

But, my god, you're asking people to do actual work? Goddamn it, you aren't doing your bit to improve the ease of use of people using openbsd. Where's the one click gui to install everything that I want (but only what I want and nothing more!)? It is positively embarrassing that I have to use a text based installer when my linux lusing friends can use a mouse and click install (never mind that I get it done in a quarter of the time they do - but they have a pretty gui, and it's even skinnable!!!!!!!!)

Why, I tell you, if you can just make openbsd more like windows, you'll get a lot more users!!!!!!!!!!!!!!!! Don't you care about market share? (Cue Theo's story about the VC who tried to dotcom-ize openbsd :-))

Oh, by the way, can I have some dancing girls to come hold my hands as I install it.

Maybe the faq needs a prequel in front of it - if you are not willing to do the work, don't use openbsd.

Tongue in cheek

On 12/5/07, Marco Peereboom <slash@...> wrote:
> blah blah blah
>
> have you ever wondered why openbsd doesn't do binary updates?
>
> maybe you are now going to be able to figure out why we don't need
> complex signing mechanisms.
>
> On Wed, Dec 05, 2007 at 06:46:01PM +0000, Rui Miguel Silva Seabra wrote:
> > On Wed, Dec 05, 2007 at 11:59:31AM -0500, Nick Guenther wrote:
> > > > I'm surprised that OpenBSD (the most secure OS I know of)
> > > > does not use it, that's all I'm saying. I also thought there would be a real
> > > > reason for not doing so and there may in fact be and I may just be unaware
> > > > of it.
> > >
> > > OpenBSD is the most secure OS, the devs know what they are doing.. and
> > > they've rejected this as unnecessary.
> >
> > I don't see what is the problem with blessing a fingerprint of the
> > binaries with a PKI signature, which would mean that *these* are the
> > binaries the devs intended to release.
> >
> > Come on... twice a year and get the benefit of not being excluded from
> > company policies which require digital signature of software downloaded
> > through the internet.
> >
> > > You can check the MD5 files for the main distribution, and for
> > > packages.. well the official OpenBSD mirrors are all trustworthy--if
> > > they aren't, it will be discovered and they will no longer be official
> > > mirrors.
> > > This isn't a great answer, I know.
> >
> > Definitely not a great answer, as there are vectors of attack which
> > cover the client accessing the mirror and not the mirror in itself, like
> > changing on-the-fly the md5sums to match the bad binaries, etc...
> >
> > A digital signature would enable the non-repudiation of the fingerprints
> > file (at least), giving a moderate level of assurance that attack
> > vectors would have to concentrate on upstream development servers (where
> > the devs *really* know what they are doing).
> >
> > Rui
> >
> > --
> > Hail Eris!
> > Today is Prickle-Prickle, the 47th day of The Aftermath in the YOLD 3173
> > + No matter how much you do, you never do enough -- unknown
> > + Whatever you do will be insignificant,
> > | but it is very important that you do it -- Gandhi
> > + So let's do it...?

--
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
"This officer's men seem to follow him merely out of idle curiosity." -- Sandhurst officer cadet evaluation.
"Securing an environment of Windows platforms from abuse - external or internal - is akin to trying to install sprinklers in a fireworks factory where smoking on the job is permitted." -- Gene Spafford

Re: Code signing in OpenBSD

One last thought. You insinuate in this post that I do not buy CDs or support OpenBSD. I claim that I do. There is a person listed by my name on the donations page... but since I was not given the opportunity to digitally sign my donation ;) I could just be impersonating that person. How is that for irony? I'll go away now.

Thanks,
Brad

Re: Code signing in OpenBSD

On 12/5/07, bofh <goodb0fh@...> wrote:
>
> Why, I tell you, if you can just make openbsd more like windows,
> you'll get a lot more users!!!!!!!!!!!!!!!! Don't you care about
> market share? (Cue Theo's story about the VC who tried to dotcom-ize
> openbsd :-))

Oh? What story is that? I can't google it.

> Maybe the faq needs a prequel in front of it - if you are not willing
> to do the work, don't use openbsd.

Doesn't it already have that, pretty much?

-Nick

Re: Code signing in OpenBSD

That's irrelevant (the impersonating bit).

What you have to understand is this - this is not a commercial venture, nor is openbsd looking to grow marketshare or ease of use or anything. This is a project by developers for themselves. Yes, they do sell CDs and so on to help support the project, and yes they have users that they support. But the moment the users become annoying and pass a certain threshold (which is different for different developers) those users become lusers (not saying you are one, btw).

So, look at their objectives - does using pki solve anything for them? No, not really. Signing source code that goes into the tree - does it help? No, if an intruder got in, they would have gotten the key anyway. Signing binaries? What's on the primary server is considered authoritative. Or you can compile your own. Binary updates? Don't do it. Mirrors - they currently use MD5 which is cheap and fast and good enough.

So, to put in a complicated pki and so on would add overhead that is really useless to the developers. It may benefit some users. But does the benefit outweigh the cost? Not currently, according to the developers. Now, if you're willing to fund it, and do the work, and manage to gain Theo's trust, then you get to do it. But else, I don't really see the devs taking on this additional work for fun. And ultimately that's what they're doing - having fun.

Now, it could be that tomorrow one of the devs catches the pki bug - then suddenly, all these can and will happen. But I doubt it.

On 12/5/07, new_guy <byte8bits@...> wrote:
> Bob Beck-2 wrote:
> >
> > If you want a secure binary, buy an official CD.. This is
> > what most people do. PKI requires infrastructure that would cost OpenBSD
> > money and developer time. Official CDs keep OpenBSD alive.
> >
> > Oh wait, we should devote resources to people who care about
> > security, just not enough to spend $50 on it.. Yeah. I'll get right
> > on that.
> >
> > -Bob
> >
>
> One last thought. You insinuate in this post that I do not buy CDs or
> support OpenBSD. I claim that I do. There is a person listed by my name on
> the donations page... but since I was not given the opportunity to digitally
> sign my donation ;) I could just be impersonating that person. How is that
> for irony? I'll go away now.
>
> Thanks,
> Brad
>
> --
> View this message in context:
> http://www.nabble.com/Code-signing-in-OpenBSD-tf4947207.html#a14180803
> Sent from the openbsd user - misc mailing list archive at Nabble.com.
>

--
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
"This officer's men seem to follow him merely out of idle curiosity." -- Sandhurst officer cadet evaluation.
"Securing an environment of Windows platforms from abuse - external or internal - is akin to trying to install sprinklers in a fireworks factory where smoking on the job is permitted." -- Gene Spafford

Re: Code signing in OpenBSD

On Wed, Dec 05, 2007, STeve Andre' wrote:
> Yes, one can dismiss the "benefits". Think about what an MD5 (or any
> other cryptographic) checksum means. If the OpenBSD site publishes
> that list, how does something more complicated help?
>
> Answer: it doesn't.

Wrong.

If someone cracks a website, then he can put up a modified binary and a modified MD5 checksum. Creating a (digital) signature (with the right key) is significantly more complex.

Using CDs to distribute the code makes the attack of course rather complicated.

Someone actually did the former with sendmail.org (to distribute a version of sendmail with a backdoor). The problem was only noted because users checked the (digital) signature.

Re: Code signing in OpenBSD

On Wednesday 05 December 2007 18:22:19 Claus Assmann wrote:
> On Wed, Dec 05, 2007, STeve Andre' wrote:
> > Yes, one can dismiss the "benefits". Think about what an MD5 (or any
> > other cryptographic) checksum means. If the OpenBSD site publishes
> > that list, how does something more complicated help?
> >
> > Answer: it doesn't.
>
> Wrong.
>
> If someone cracks a website, then he can put up a modified binary
> and a modified MD5 checksum. Creating a (digital) signature (with
> the right key) is significantly more complex.
>
> Using CDs to distribute the code makes the attack of course rather
> complicated.
>
> Someone actually did the former with sendmail.org (to distribute a
> version of sendmail with a backdoor). The problem was only noted
> because users checked the (digital) signature.

You know, you're descending into a recursive loop of "if, if, if..." and it never ends. OF COURSE if someone breaks into the site they could do things--once you've lost control of your site all bets are off. I dare say that someone breaking into a site might find all the appropriate tools to re-sign things, too, and do the spoof that way.

--STeve Andre'

Re: Code signing in OpenBSD

Claus Assmann wrote:
>
> Wrong.
>
> If someone cracks a website, then he can put up a modified binary
> and a modified MD5 checksum.

This is silly. You mean that you get the checksums and the associated binaries from the *SAME* website?

Re: Code signing in OpenBSD

On Dec 5, 2007 7:15 PM, Tony Abernethy <tony@...> wrote:
> Claus Assmann wrote:
> >
> > Wrong.
> >
> > If someone cracks a website, then he can put up a modified binary
> > and a modified MD5 checksum.
>
> This is silly. You mean that you get the checksums and the
> associated binaries from the *SAME* website?

You're probably being sarcastic, but in the case of the master site, it doesn't matter, because all the slaves probably rsync from the master anyway.

--
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
"This officer's men seem to follow him merely out of idle curiosity." -- Sandhurst officer cadet evaluation.
"Securing an environment of Windows platforms from abuse - external or internal - is akin to trying to install sprinklers in a fireworks factory where smoking on the job is permitted." -- Gene Spafford

Re: Code signing in OpenBSD

On Wed, Dec 05, 2007 at 08:46:16AM -0800, new_guy wrote:
> Can you dismiss PKI

Seems they do.

The problem of signing code does not remove the problem of checking the signature. When you sign code and when you ask developers to do so, they need to own some private key which will let you check on the other side with a public key. This private key will have to be very protected.

Now, what happens if there's a problem and that key is lost or stolen? And more specifically, what will happen if this very trouble happens and no one does see it? The key can be stolen without anyone knowing and then? Of course, a blatant and direct hack will be detected but someone who does steal a private key is very cautious in acting as if the key is still secure (exactly like the Allies were able to decipher Enigma encoded messages because of re-use of IV-alike blocks by German submarine crypto responsables or predictable IV-alike according to the date on calendar: the Allies could read a lot but did not act on most and let some ships go down because they needed that secret, being able to decipher, to be kept a secret in order to remain a strategic advantage).

You have two main things here.

The code signing can be used in the developing process to only let developers add code (this would be another layer over the authentication that already does exist when they do cvs commits to the OpenBSD source tree) and that's Theo (and his developers) choice. If the technology is available and if those clever guys don't use it, I think there's a *hint* there. History has proven Theo and his folks do know a lot about security and especially its culture.

Then, you have the distribution itself. Having the hashes stored at the same place as the files themselves is not the best thing because if someone is able to change a file on a FTP (be it an official or non official ftp repository) I would hope this cracker will be clever enough to also update the hash files.

Having the hashes being signed in some way could help if they are stored at the same place as binary or sources files, and if it's a writable media. Ok. Why not. But how many people are really going to download sources and/or binaries and have a gnupg locally installed PLUS having the public key that goes with the signing private key and are going to check? Very, very few. If you want this to work, it has to be automated. Otherwise, it's going to be a lot of work, a lot of time spent by people that are quite busy and not for a lot of people on the other side that will really use it.

And here comes the head of the nightmare snake we all know about: implementation. Security is a good thing to have. Ideas that can improve it too. But implementation is critical, as it's very often a weak point to attack (remember Netscape's PRNG generator used to attack its SSL?)

And if I remember correctly, Theo often said that if you do think a feature is missing, you should code and shut up and when it's working, tell the people about "hey guys I did start from OpenBSD and did this and that to improve the distribution security, how about using it now since it works and it's a real friendly license?"

I do not think thus that adding signing to sources will help that much and if it does, the openbsd devs will do it if it's really a good thing (openbsd, openssh.. those guys fucking know what they are doing man..)

Signing the hashes could help but you do know very few people are really going to check those. And when you do binary installation, you have hashes of the packages (source and binary) that are used and automatically checked when using ports. This is good because it is systematic and automated. But the problem of trust remains: a signature proves nothing. It just tells you that a package is indeed signed by someone you probably don't personally know and you should ask yourself if you trust him/her. And if it comes to a trust problem, well don't use it.

History did prove them right and serious and that's enough for me. And I trust my backups first or before anything else.

--
unzip ; strip ; touch ; grep ; find ; finger ; mount ; fsck ; more ; yes ; fsck ; umount ; sleep

Re: Code signing in OpenBSD

bofh wrote:
> On Dec 5, 2007 7:15 PM, Tony Abernethy <tony@...> wrote:
> > Claus Assmann wrote:
> > >
> > > Wrong.
> > >
> > > If someone cracks a website, then he can put up a modified binary
> > > and a modified MD5 checksum.
> >
> > This is silly. You mean that you get the checksums and the
> > associated binaries from the *SAME* website?
>
> You're probably being sarcastic, but in the case of the master site,
> it doesn't matter, because all the slaves probably rsync from the
> master anyway.

You know something is wrong when the checksum changes when the files have not changed ;-)

>
>
> --
> http://www.glumbert.com/media/shift
> http://www.youtube.com/watch?v=tGvHNNOLnCk
> "This officer's men seem to follow him merely out of idle curiosity."
> -- Sandhurst officer cadet evaluation.
> "Securing an environment of Windows platforms from abuse - external or
> internal - is akin to trying to install sprinklers in a fireworks
> factory where smoking on the job is permitted." -- Gene Spafford

Re: Code signing in OpenBSD

On Thu, 06 Dec 2007 02:35:38 +0100, Gilbert Fernandes <gilbert.fernandes0902@...> wrote:
> Signing the hashes could help but you do know very few
> people are really going to check those.

Or you pull the MD5s from another source than your packages, not bloody likely that the two different sites you've selected for download have both been hacked.

This does not protect against the master site being owned though, though I guess that'd be noticed and announced.

Easy thing is to use the CDs though, just as people have already stated. =)

--
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/

Re: Code signing in OpenBSD

On Thu, Dec 06, 2007 at 04:03:48AM +0100, Linus Sw?las wrote:
> Or you pull the MD5s from another source than your packages,
> not bloody likely that the two different sites you've selected
> for download have both been hacked.
> This does not protect against the master site being owned though,
> though I guess that'd be noticed and announced.

Having this being the default on ports could be a good thing perhaps. The script would download the package from a FTP and hashes from another one. But the hashes are already stored inside the folder of the package on the ports.. so to what use? Sources that get downloaded are hashed and the value compared to the one stored by the package maintainer. And you have to trust this person to be serious. And even if he is, if he grabs the latest version of sources for XYZ and those got a hole non published (far, far more easy to use tools to check sources for potential holes to use rather than go hack their repositories...) that won't change anything.

Security is a link as Bruce Schneier explained, and it will break at its weakest point. And if it breaks anywhere, the whole thing can go down. Thus, security is a constant process. You select a good quality operating system (a BSD for example) and you don't install anything on it eyes closed. And you do backups. And you store them in a media not connected to anything. And you use various tools to check everything (firewall, rootkit checker, arp tool, etc. etc. ad nauseam). It's really an education. And if you are cautious with backups and make it part of your current life, when shit happens you have solutions. And if shit can happen, it will.. :)

--
unzip ; strip ; touch ; grep ; find ; finger ; mount ; fsck ; more ; yes ; fsck ; umount ; sleep

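Two of the checks argued over in this thread can be played out side by side: Claus's point that whoever cracks the site rewrites the binary and its MD5 list together, so a checksum alone proves nothing, while a signature over the list cannot be regenerated without the key; and Linus's and Gilbert's suggestion of fetching the hash list from a second, independent source and comparing. The Go program below is an added example, not code from the thread or from the OpenBSD project. It models a mirror as an in-memory map, uses Ed25519 from Go's standard library as the signature scheme and SHA-256 lists in the BSD `SHA256 (name) = hex` shape (the MD5 files the thread talks about have the same layout; no OpenBSD tool, key or file name is assumed), and every file content is constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Release stands in for a mirror directory: file name -> file bytes (constructed data).
type Release map[string][]byte

// ChecksumList renders a BSD-style digest list, one "SHA256 (name) = hex" line per file,
// sorted by name so it is reproducible. The thread's MD5 files have the same shape.
func ChecksumList(r Release) string {
	names := make([]string, 0, len(r))
	for n := range r {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		sum := sha256.Sum256(r[n])
		fmt.Fprintf(&b, "SHA256 (%s) = %s\n", n, hex.EncodeToString(sum[:]))
	}
	return b.String()
}

// ParseChecksumList turns such a list back into name -> hex digest; malformed lines are skipped.
func ParseChecksumList(list string) map[string]string {
	out := map[string]string{}
	for _, line := range strings.Split(strings.TrimSpace(list), "\n") {
		open, cl, eq := strings.Index(line, "("), strings.LastIndex(line, ")"), strings.LastIndex(line, "= ")
		if open < 0 || cl < open || eq < cl {
			continue
		}
		out[line[open+1:cl]] = line[eq+2:]
	}
	return out
}

// FileMatchesList is the checksum-only check: hash the download, compare with the list fetched beside it.
func FileMatchesList(list, name string, data []byte) bool {
	want, ok := ParseChecksumList(list)[name]
	if !ok {
		return false
	}
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:]) == want
}

// VerifyList checks a detached Ed25519 signature over the whole list; a rewritten list fails it.
func VerifyList(pub ed25519.PublicKey, list string, sig []byte) bool {
	return ed25519.Verify(pub, []byte(list), sig)
}

// ListsDisagree returns the names whose digest differs or is missing between two lists
// fetched from independent sources (the "pull the checksums from another source" check).
func ListsDisagree(a, b string) []string {
	ma, mb := ParseChecksumList(a), ParseChecksumList(b)
	var bad []string
	for n, da := range ma {
		if db, ok := mb[n]; !ok || db != da {
			bad = append(bad, n)
		}
	}
	for n := range mb {
		if _, ok := ma[n]; !ok {
			bad = append(bad, n)
		}
	}
	sort.Strings(bad)
	return bad
}

// CompromisedMirror plays out the thread's scenario: upstream publishes a signed checksum
// list, an attacker on one mirror swaps a file and rewrites the list so the digests match.
func CompromisedMirror() (genuineSigOK, mirrorChecksumOK, mirrorSigOK bool, disagree []string) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed release as published upstream; the private key never reaches a mirror.
	genuine := Release{"base.tgz": []byte("genuine base set"), "comp.tgz": []byte("genuine comp set")}
	list := ChecksumList(genuine)
	sig := ed25519.Sign(priv, []byte(list))
	// On the mirror: base.tgz replaced, list regenerated, signature file left as it was.
	mirror := Release{"base.tgz": []byte("trojaned base set"), "comp.tgz": genuine["comp.tgz"]}
	mirrorList := ChecksumList(mirror)
	genuineSigOK = VerifyList(pub, list, sig)                                       // true
	mirrorChecksumOK = FileMatchesList(mirrorList, "base.tgz", mirror["base.tgz"]) // true: list rewritten too
	mirrorSigOK = VerifyList(pub, mirrorList, sig)                                  // false: no key to re-sign
	disagree = ListsDisagree(mirrorList, list)                                      // [base.tgz]
	return
}

func main() { fmt.Println(CompromisedMirror()) }
```

`go run` prints `true true false [base.tgz]`: the rewritten list satisfies the checksum-only check exactly as Claus describes, the signature over it fails, and a second list fetched from an untouched source names the swapped file. Note what the example does not cover, which Gilbert and STeve raise: a compromised upstream that holds the signing key, or a key that leaks, signs the tampered list just as well, so the signature moves the trust question to key custody rather than removing it.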
Re: Code signing in OpenBSD

On Wed, Dec 05, 2007, STeve Andre' wrote:
> On Wednesday 05 December 2007 18:22:19 Claus Assmann wrote:
> > Someone actually did the former with sendmail.org (to distribute a
> > version of sendmail with a backdoor). The problem was only noted
> > because users checked the (digital) signature.

> You know, you're descending into a recursive loop of "if, if, if..." and
> it never ends. OF COURSE if someone breaks into the site they could
> do things--once you've lost control of your site all bets are off. I dare
                                                   ^^^^^^^^^^^^^^^^

Hmm, did you read what I wrote? The breakin was detected due to the digital signature.

Anyway, it's obviously up to the OpenBSD developers what they do.
