From owner-freebsd-chat@FreeBSD.ORG Sat Jun 21 13:44:01 2003
Delivered-To: freebsd-chat@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BA23237B401; Sat, 21 Jun 2003 13:44:01 -0700 (PDT)
Received: from ucthpx.uct.ac.za (ucthpx.uct.ac.za [137.158.128.1]) by mx1.FreeBSD.org (Postfix) with ESMTP id 04A5443F3F; Sat, 21 Jun 2003 13:44:01 -0700 (PDT) (envelope-from mwest@ucthpx.uct.ac.za)
Received: from mwest by ucthpx.uct.ac.za with local (Exim 4.14) id 19TpDJ-000Fnm-Jw; Sat, 21 Jun 2003 22:43:57 +0200
Date: Sat, 21 Jun 2003 22:43:57 +0200
From: Matthew West
To: Colin Percival
Message-ID: <20030621204357.GA60681@ucthpx.uct.ac.za>
References: <5.0.2.1.1.20030621175853.02c92e00@popserver.sfu.ca> <20030621163835.GA18653@tulip.epweb.co.za> <5.0.2.1.1.20030621175853.02c92e00@popserver.sfu.ca> <5.0.2.1.1.20030621193449.02c91ce8@popserver.sfu.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <5.0.2.1.1.20030621193449.02c91ce8@popserver.sfu.ca>
User-Agent: Mutt/1.4i
Sender: Matthew West
cc: chat@freebsd.org
cc: ultraviolet@epweb.co.za
Subject: Re: Cryptographically enabled ports tree.
X-BeenThere: freebsd-chat@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Non technical items related to the community
X-List-Received-Date: Sat, 21 Jun 2003 20:44:02 -0000

On Sat, Jun 21, 2003 at 07:38:38PM +0100, Colin Percival wrote:
> Another security problem is FTP installs; sysinstall doesn't have any
> sort of signature verification built in, so anyone doing an FTP install
> could find themselves installing trojans. The only secure distribution,
> AFAIK, is the ISO image, because the MD5 sum of that is announced in a
> (signed) release announcement.
Which is why it's a good idea to purchase the "official" FreeBSD CD set
and use that to do your installation, or even just mount it on your local
FTP server.

However, MD5 sums of the contents of the CDs are available here:

  http://www.knowngoods.org/

They even have listings for those dodgy RedHat machines. ;-)

Other than that, there's certainly something to be said for having a
secure, dedicated "bump-in-the-wire" Snort box to watch for suspicious
traffic.

Of course, all of this only applies if you're really paranoid. :-)

-- 
mwest@uct.ac.za
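The verification step the quoted paragraph relies on, checking a downloaded image against the MD5 sums published in a release announcement, worked through below as an added example; it is not code from either poster, from knowngoods.org or from the FreeBSD project. It assumes the announcement's own signature has already been verified out of band (the block does not check signatures, and the digests prove nothing unless the message carrying them is authentic). The file names and digests in the sample announcement are constructed; the digests are simply the MD5 of the one-byte payloads that demo() feeds in, so the example can run offline.

```python
import hashlib
import hmac
import io
import re
from typing import BinaryIO, Dict, Tuple

# Constructed sample of the checksum section of a release announcement, in
# the BSD "ALGO (file) = digest" format. The file names are invented and the
# digests are simply MD5 of the one-byte payloads demo() feeds in below.
SAMPLE_ANNOUNCEMENT = """\
Subject: FreeBSD 5.1-RELEASE now available (constructed example text)

MD5 (5.1-RELEASE-i386-disc1.iso) = 0cc175b9c0f1b6a831c399e269772661
MD5 (5.1-RELEASE-i386-disc2.iso) = 92eb5ffee6ae2fec3ad71c777531578f
"""

# One checksum line: algorithm, file name in parentheses, hex digest.
_CHECKSUM_LINE = re.compile(
    r"^(?P<algo>MD5|SHA256)\s*\((?P<name>[^)]+)\)\s*=\s*(?P<digest>[0-9a-fA-F]+)$"
)


def parse_checksums(text: str) -> Dict[str, Tuple[str, str]]:
    """Map file name -> (hashlib algorithm name, lowercase hex digest).

    Lines that do not look like checksum lines (the announcement prose)
    are ignored, so the whole signed message body can be passed in.
    """
    found: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        match = _CHECKSUM_LINE.match(line.strip())
        if match:
            found[match.group("name")] = (
                match.group("algo").lower(),
                match.group("digest").lower(),
            )
    return found


def digest_stream(stream: BinaryIO, algorithm: str, chunk_size: int = 1 << 20) -> str:
    """Hash a stream in chunks so a multi-hundred-MB ISO never sits in memory."""
    hasher = hashlib.new(algorithm)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        hasher.update(chunk)
    return hasher.hexdigest()


def verify_image(name: str, stream: BinaryIO,
                 checksums: Dict[str, Tuple[str, str]]) -> bool:
    """True if the stream's digest matches the published one for `name`.

    A file the announcement never listed is an error, not a pass: a
    missing entry must not be silently treated as "nothing to check".
    """
    if name not in checksums:
        raise KeyError(f"no published checksum for {name!r}")
    algorithm, expected = checksums[name]
    actual = digest_stream(stream, algorithm)
    # Constant-time comparison; cheap insurance even though the digest is public.
    return hmac.compare_digest(actual, expected)


def demo() -> Dict[str, bool]:
    """Verify a genuine and a tampered download against the sample announcement."""
    checksums = parse_checksums(SAMPLE_ANNOUNCEMENT)
    genuine = io.BytesIO(b"a")    # stands in for the real disc1 image
    tampered = io.BytesIO(b"x")   # same file name, altered contents
    return {
        "disc1_genuine": verify_image("5.1-RELEASE-i386-disc1.iso", genuine, checksums),
        "disc1_tampered": verify_image("5.1-RELEASE-i386-disc1.iso", tampered, checksums),
    }


if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{label}: {'OK' if ok else 'MISMATCH'}")
```

The parser also accepts SHA256 lines in the same format, since MD5 is no longer collision-resistant; either way the integrity guarantee rests on the signature over the announcement, not on the digest alone, which is exactly why the quoted text singles out the signed announcement as the only trustworthy source of sums.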