
Re: integrity of commercial CD set

From: Enos D'Andrea (temp4282138782edlabs.it)
Date: Thu Jan 15 2015 - 00:27:08 CST


On 14/01/2015 17:03, martinmartinbrandenburg.com wrote:
> [...] you trust Theo and OpenBSD because you have no better option.
> Don't pretend you increase your security by proving the software came
> from a source you can't prove is trustworthy. [...]

More than Theo himself, what makes me trust OpenBSD is its stable,
clean, open and essential code reviewed by a very skilled community.
That's why I go the extra mile(s) to ensure running *that* code.

<off-topic>

> Security is about pushing attacks out of your attackers' ability or
> price range. [...] Are you willing to go to the effort that defending
> against your outlined attack requires?

Being my current line of work, yes. Not that I or my clients have
anything malicious to hide, but some government agencies and vendors
seem to have lost touch with reality and/or ethics.

The discussion went off topic. I was just after signed CD checksums, to
raise the security of my physical delivery on par with that of the
source code. Never mind: I will make do with downloading an ISO, while
the kid within me enjoys the boxed CD set (which, save missing CD
checksums for paranoid security people, is very nice indeed).

</off-topic>

Many thanks to Theo and the others for your advice and opinions.

Regards

--
Enos D'Andrea
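The fallback the author settles on, downloading an ISO and checking it against the mirror's signed checksum list, as an added shell example. This is not code from the original thread or from the OpenBSD project. It assumes the mirror layout of that era: a SHA256 file in "SHA256 (name) = hex" format, a signify(1) signature of it in SHA256.sig, and the release public key at /etc/signify/openbsd-56-base.pub (5.6 being current in January 2015). The checksum part runs on constructed sample data; the signify step is the one that actually buys authenticity and needs a real download and an OpenBSD host (or a signify port) to run.

```shell
#!/bin/sh
# Added example, not from the original message or from OpenBSD itself.
# Assumed inputs: install56.iso, SHA256 and SHA256.sig fetched from a mirror,
# and the release key at /etc/signify/openbsd-56-base.pub.

# sha256_of FILE: hex digest, using whichever tool this host has.
sha256_of() {
  if command -v sha256 >/dev/null 2>&1; then
    sha256 -q "$1"
  elif command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    openssl dgst -sha256 "$1" | sed 's/.*= //'
  fi
}

# check_sha256_line LIST FILE: find FILE's entry in an OpenBSD-style list
# ("SHA256 (name) = hex") and compare it with the file's real digest.
# Returns 0 on match, 1 on mismatch, 2 if the file is not listed.
# This only proves integrity against the list, not who wrote the list.
check_sha256_line() {
  expected=$(grep "^SHA256 ($2) = " "$1" | sed 's/.*= //')
  [ -n "$expected" ] || return 2
  actual=$(sha256_of "$2")
  [ "$expected" = "$actual" ]
}

# verify_signed SIG FILE PUBKEY: the authenticity step. signify -C checks the
# Ed25519 signature over the embedded SHA256 list with the release key and then
# checks FILE against the signed list, so a tampered mirror cannot simply
# rewrite both the image and its checksum.
verify_signed() {
  signify -C -p "$3" -x "$1" "$2"
}

# demo: constructed input (not a real mirror file). A tiny stand-in "image",
# a checksum list covering it, then a one-byte corruption of the image.
demo() {
  d=$(mktemp -d) || return 1
  printf 'hello\n' > "$d/sample.iso"
  # 5891b5... is sha256 of the six bytes "hello\n".
  printf 'SHA256 (sample.iso) = 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03\n' > "$d/SHA256"
  cd "$d" || return 1
  r1=fail; check_sha256_line SHA256 sample.iso && r1=ok
  printf 'hellp\n' > sample.iso
  r2=undetected; check_sha256_line SHA256 sample.iso || r2=tampered-detected
  cd / && rm -rf "$d"
  echo "$r1 $r2"
}

# On a real download the full procedure is:
#   check_sha256_line SHA256 install56.iso
#   verify_signed SHA256.sig install56.iso /etc/signify/openbsd-56-base.pub
demo
```

The point the thread circles around is visible in the two functions: check_sha256_line catches a corrupt or substituted image only if the SHA256 list itself is honest, while verify_signed ties that list to the release key shipped with the previous OpenBSD installation, which is exactly the link the boxed CD set lacked.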