Date:      Sat, 21 Jun 2003 22:43:57 +0200
From:      Matthew West <mwest@uct.ac.za>
To:        Colin Percival <colin.percival@wadham.ox.ac.uk>
Cc:        ultraviolet@epweb.co.za
Subject:   Re: Cryptographically enabled ports tree.
Message-ID:  <20030621204357.GA60681@ucthpx.uct.ac.za>
In-Reply-To: <5.0.2.1.1.20030621193449.02c91ce8@popserver.sfu.ca>
References:  <5.0.2.1.1.20030621175853.02c92e00@popserver.sfu.ca> <20030621163835.GA18653@tulip.epweb.co.za> <5.0.2.1.1.20030621175853.02c92e00@popserver.sfu.ca> <5.0.2.1.1.20030621193449.02c91ce8@popserver.sfu.ca>

On Sat, Jun 21, 2003 at 07:38:38PM +0100, Colin Percival wrote:
>   Another security problem is FTP installs; sysinstall doesn't have any 
> sort of signature verification built in, so anyone doing an FTP install 
> could find themselves installing trojans.  The only secure distribution, 
> AFAIK, is the ISO image, because the MD5 sum of that is announced in a 
> (signed) release announcement.

Which is why it's a good idea to purchase the "official" FreeBSD CD set 
and use that to do your installation, or even just mount it on your local 
FTP server.

However, MD5 sums of the contents of the CDs are available here:

  http://www.knowngoods.org/

They even have listings for those dodgy RedHat machines.  ;-)

Other than that, there's certainly something to be said for having a secure,
dedicated "bump-in-the-wire" Snort box to watch for suspicious traffic.

Of course, all of this only applies if you're really paranoid.  :-)

-- 
mwest@uct.ac.za
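
The thread above relies on published MD5 sums (of the ISO in the signed announcement, and of the CD contents) to detect tampered files. As an added example, not part of the original e-mail or of any FreeBSD tool, this Python script checks a directory tree against such a listing; the BSD-style `MD5 (file) = digest` line format, the function names and the sample tree are assumptions constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# BSD-style tagged checksum line, e.g. "MD5 (bin/ls) = 9e10..." (assumed format)
LINE = re.compile(r"^(MD5|SHA256) \((.+)\) = ([0-9a-fA-F]+)$")

def parse_manifest(text):  # returns {relative_path: (algorithm, hex_digest)}
    entries = {}
    for n, line in enumerate(text.splitlines(), 1):
        m = LINE.match(line.strip())
        if not m:
            raise ValueError(f"manifest line {n} is not a tagged checksum line")
        entries[m.group(2)] = (m.group(1).lower(), m.group(3).lower())
    return entries

def digest(path, algorithm):
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):  # stream large files
            h.update(chunk)
    return h.hexdigest()

def verify_tree(root, manifest):
    """Check each file under root (a Path) against the manifest, grouped by outcome."""
    on_disk = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    report = {"ok": [], "mismatch": [], "missing": [], "unlisted": sorted(on_disk - set(manifest))}
    for name, (algorithm, expected) in sorted(manifest.items()):
        if name not in on_disk:  # also covers names that point outside root
            report["missing"].append(name)
        else:
            same = digest(root / name, algorithm) == expected
            report["ok" if same else "mismatch"].append(name)
    return report

def demo():
    # Constructed sample tree: one file altered, one absent, one extra.
    files = {"bin/ls": b"ls\n", "bin/cat": b"cat\n", "kernel": b"kernel\n"}
    manifest = parse_manifest("\n".join(
        f"MD5 ({n}) = {hashlib.md5(c).hexdigest()}" for n, c in files.items()))
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin/ls").write_bytes(b"ls, modified\n")    # changed after listing
        (root / "bin/cat").write_bytes(files["bin/cat"])    # matches the listing
        (root / "bin/sh.bak").write_bytes(b"extra\n")       # never listed
        return verify_tree(root, manifest)                  # "kernel" was not written

print(demo())
```

The result is only as trustworthy as the listing itself, which is why the quoted message stresses that the sum is published in a signed announcement.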


