032009
Revision 3 as of 2009-03-27 20:37:36
Thank you for your interest in Securing Ubuntu !
BodhiZazen will be running two Q&A sessions on irc to discuss security and security issues.
Please review these threads & bring your questions :
logs
1 [00:00] <bodhi_zazen> 'lo everyone :)
2 [00:01] * Hobbsee is here & watching
3 [00:01] <bodhi_zazen> I am hoping this session can be more interactive than the last ;)
4 [00:01] <bodhi_zazen> Otherwise I was going to discuss a little on encryption
5 [00:02] <HymnToLife> sounds like fun
6 [00:02] <bodhi_zazen> Here is the pastebin from 2 weeks ago
7 [00:02] <bodhi_zazen> http://paste.ubuntu.com/133993/
8 [00:02] <bodhi_zazen> we covered some of the basics and I demoed apparmor in a shared ssh session
9 [00:02] <Snova> bodhi_zazen: I tried to log in just now, got errors regarding screen profiles.
10 [00:02] <bodhi_zazen> which I can do again if you wish
11 [00:03] <bodhi_zazen> yes Snova , the shared screen session is kaput at the moment, but I can fix it if you wish
12 [00:03] <bodhi_zazen> I think ;)
13 [00:04] <bodhi_zazen> I updated the system for ecryptfs, and it borked the shared screen session
14 [00:08] <bodhi_zazen> OK, try to join the shared session Snova ;)
15 [00:08] <bodhi_zazen> sorry this was not working
16 [00:09] <DasEi> bodhi_zazen: do you have the link of the last session ( I missed ?)
17 [00:09] <bodhi_zazen> Let me ask if anyone has any questions then ?
18 [00:10] <bodhi_zazen> DasEi: I do not know off the top of my head where the logs are
19 [00:10] <bodhi_zazen> I can find them
20 [00:10] <bodhi_zazen> cprofitt: do you know ?
21 [00:10] <Snova> Still broken.
22 [00:10] <bodhi_zazen> :(
23 [00:10] <bodhi_zazen> too bad
24 [00:11] <cprofitt> know what?
25 [00:11] <bodhi_zazen> I can try one more thing ..
26 [00:11] <bodhi_zazen> cprofitt: where logs of these sessions are posted ?
27 [00:11] <cprofitt> the logs should be on the wiki page
28 [00:12] <cprofitt> https://wiki.ubuntu.com/BeginnersTeam/FocusGroups/Education/Events
29 [00:12] <cprofitt> I did not get any for your last session though bodhi_zazen
30 [00:12] <bodhi_zazen> oic, lol
31 [00:12] <HymnToLife> bodhi_zazen: I have a question
32 [00:12] <bodhi_zazen> please HymnToLife :)
33 [00:12] <HymnToLife> should I use DSA or RSA for my SSH keys? *evil grin*
34 [00:13] <bodhi_zazen> lol
35 [00:13] <bodhi_zazen> to be honest I am not sure it matters
36 [00:13] <bodhi_zazen> That is like asking DROP or REJECT with iptables
37 [00:14] <bodhi_zazen> If you use RSA (I think) use 1024 bits (which is now default)
38 [00:14] <bodhi_zazen> do you have a preference ?
39 [00:15] <bodhi_zazen> try again Snova ;)
40 [00:15] <bodhi_zazen> Lets talk a bit about encryption then ;)
41 [00:16] <bodhi_zazen> do people know encryption options on Ubuntu ?
42 [00:16] <Snova> bodhi_zazen: Looks like the same thing again.
43 [00:16] <bodhi_zazen> kk Snova :(
44 [00:16] <bodhi_zazen> thanks
45 [00:16] <HymnToLife> bodhi_zazen: I prefer RSA
46 [00:16] <bodhi_zazen> yes, in general I do too
47 [00:16] <HymnToLife> DSA has been developed by the NSA, and they have had shady practices
48 [00:16] <bodhi_zazen> it seems 70% prefer RSA
49 [00:17] <HymnToLife> also, since SSH-2 uses DSA only for host keys encryption
50 [00:17] <bodhi_zazen> Encryption options on Ubuntu are LUKS and ecryptfs
51 [00:17] <HymnToLife> using is also for user keys is kind of putting all your eggs in the same basket
52 [00:18] <HymnToLife> using it*
53 [00:18] <bodhi_zazen> One can use truecrypt and other tools such as encryptfs and gpg
54 [00:18] <bodhi_zazen> To install an encrypted system, meaning / and swap are encrypted , use the Alternate CD
55 [00:19] <bodhi_zazen> By default this will give you a /boot partition, and LVM + LUKS
56 [00:19] <bodhi_zazen> Post install or during the install, if you wish, you can use ecryptfs to encrypt your /home/user directory, swap, or a private (or other) directories
57 [00:20] <bodhi_zazen> I posted a how to on ecryptfs here : http://bodhizazen.net/Tutorials/Ecryptfs/
58 [00:20] <bodhi_zazen> It still needs a bit of work, but the basic information is there
59 [00:21] <bodhi_zazen> encryption is used basically to protect your personal data if your laptop or hard drive is stolen
60 [00:21] <bodhi_zazen> IMO things like password protecting your BIOS and GRUB is a minor deterrent if someone has physical access
61 [00:22] <bodhi_zazen> Some people like those tools, and yes it may stop a casual intruder, but they are easily defeated
62 [00:22] <HymnToLife> also, if it comes down to it, some encryption tools can make encryption plausibly deniable
63 [00:22] <bodhi_zazen> The disadvantage of encryption is there is a, IMO, minor performance hit
64 [00:23] <bodhi_zazen> +1 HymnToLife
65 [00:23] <HymnToLife> meaning that the police, government, etc. cannot *prove* you have encrypted stuff
66 [00:23] <bodhi_zazen> he he he ...
67 [00:23] <bodhi_zazen> Encryption can be defeated by a $ hammer applied to the solar plexus >:)
68 [00:23] <bodhi_zazen> * $10
69 [00:24] <bodhi_zazen> Sometime you need to apply the hammer a few times for it to work
70 [00:24] <bodhi_zazen> lol
71 [00:24] <bodhi_zazen> The other disadvantage of encryption would be if you lost your password or wanted to re-install preserving /home for example
72 [00:25] <bodhi_zazen> It can be done, but none of the installers will preserve /home automatically, even if it is on a separate partition, and so you would need to take care to configure the encryption manually post install
73 [00:26] <bodhi_zazen> Frankly, IMO, it is easier to back up your data, re-install with the defaults, and then restore your data
74 [00:26] <bodhi_zazen> /end rant on encryption
75 [00:26] <bodhi_zazen> :)
76 [00:26] <DasEi> also a more complicated access in case of harddrive-trouble can be added to the disadvantages
77 [00:27] <Hobbsee> actually, if you set a partition as /home, the installer won't try to auto-format it
78 [00:27] <Hobbsee> or at least, not on recent ubuntu releases.
79 [00:27] <bodhi_zazen> Oh, one more thing, you can use keys with some encryption tools to automate decryption
80 [00:27] <bodhi_zazen> No it will not Hobbsee , but I will not set up LUKS or encryptfs either
81 [00:27] <Hobbsee> that's true
82 [00:27] <bodhi_zazen> so post install you may not be able to decrypt it
83 [00:28] <bodhi_zazen> :(
84 [00:28] <Hobbsee> that may not still be true for jaunty, btw.
85 [00:28] <bodhi_zazen> You need to take care with encryptfs if you encrypted /home/user_name because the information was stored on the root partition
86 [00:28] <maxb> Isn't all the "setup" for ecryptfs contained within the homedir anyway?
87 [00:29] <bodhi_zazen> maxb: It depends on how you setup encryptfs
88 [00:29] <Snova> Is encryption only to protect if somebody gets physical access to the HD?
89 [00:29] <bodhi_zazen> If you used encryptfs-setup-private you will be OK
90 [00:29] <maxb> bodhi_zazen: Are you talking about ecryptfs? If so, spell it's name right to avoid confusing us!
91 [00:29] <maxb> oops. I fail at apostrophe usage
92 [00:29] <bodhi_zazen> If you encrypted your home directory during installation, no , the key is on the root partition and linked back to $HOME
93 [00:30] <HymnToLife> Snova: in the case of ecryptfs, yes
94 [00:30] <bodhi_zazen> so you will lose the config info if you install over the top of root
95 [00:30] <HymnToLife> however, there are other kinds of encryption
96 [00:30] <bodhi_zazen> sorry, yes ecryptfs
97 [00:30] <bodhi_zazen> :p
98 [00:30] <HymnToLife> Snova: for example, you can encrypt files using GnuPG to send them by email
99 [00:31] <HymnToLife> (or to store them for later use)
100 [00:31] <maxb> Ah, right, I'm only using ecryptfs in private-subdir setup, because I disagree that encrypting the entire homedir makes sense
101 [00:31] <bodhi_zazen> If your data is sensitive enough to encrypt -
102 [00:31] <Snova> I am fairly familiar with encryption in general, just wondering if there is any point to an encrypted *hard drive* (should have mentioned that previously) beyond physical access.
103 [00:31] <bodhi_zazen> 1. Know that if the data is decrypted, ie you mounted your Private directory or LUKS partition, or truecrypt
104 [00:32] <bodhi_zazen> the data is available to the root user
105 [00:32] <HymnToLife> Snova: that the only one I can think of right now, but it's a pretty big one
106 [00:32] <bodhi_zazen> or any other users allowed by your permissions
107 [00:32] <HymnToLife> especially nowadays when laptops are getting smaller and smaller, thus easier to lose/steal
108 [00:32] <bodhi_zazen> and 2. you should take care to encrypt your back ups as well :p
109 [00:33] <bodhi_zazen> Snova: Only the paranoid would encrypt the entire installation
110 [00:33] <Snova> bodhi_zazen: Any amount of it, really.
111 [00:33] <bodhi_zazen> This would be to prevent someone for say installing a rootkit from a live CD
112 [00:33] <HymnToLife> bodhi_zazen: there are many good reasons to be paranoid nowadays
113 [00:34] <bodhi_zazen> The two potential vulnerabilities with encryption are :
114 [00:34] <DasEi> and even then you'll need extra partitions or containers to avoid online-access
115 [00:34] <bodhi_zazen> 1. Someone , in theory, could recover the key from RAM
116 [00:34] <bodhi_zazen> 2. Your /boot partition is not encrypted so someone could replace your kernel
117 [00:34] <bodhi_zazen> +1 HymnToLife re paranoia
118 [00:35] <bodhi_zazen> Snova: for others , encrypting your private directory in /home , or a data partition, or removable device may be sufficient
119 [00:36] <bodhi_zazen> I guess my point is to raise awareness of the vulnerabilities of physical access and encryption as the best solution, IMO
120 [00:36] <HymnToLife> s/best/only/
121 [00:37] <HymnToLife> encryption is based on math, math never cheats ;)
122 [00:37] <bodhi_zazen> Well, you could wipe the drive or smash it very fast as they are breaking down your door ;)
123 [00:37] <bodhi_zazen> melt it
124 [00:37] <bodhi_zazen> questions on encryption ?
125 [00:38] <bodhi_zazen> hint - this is your chance to ask questions
126 [00:38] <bodhi_zazen> It sounds as if we have a few people here now who use encryption
127 [00:39] <HymnToLife> no, I don't!
128 [00:39] <HymnToLife> you can't prove anything!
129 [00:39] <bodhi_zazen> Guilty by association
130 [00:39] <bodhi_zazen> Off with his head
131 [00:40] <DasEi> I just wonder how f.e. us-gpg needs a backdoor for nsa-related stuff, it is on ubuntu ?
132 [00:40] <bodhi_zazen> We could talk a bit about iptables, root kits, antivirus
133 [00:41] <bodhi_zazen> I know antivirus is boring to some, but it is a FAQ on the forums
134 [00:41] <bodhi_zazen> Did anybody take a look at AppArmor ?
135 [00:42] <DasEi> too less, let's talk
136 [00:42] <HymnToLife> DasEi: if I understand your question, it's because the NSA doesn't like it when people use encryption they can't break :p
137 [00:42] <bodhi_zazen> too less ?
138 [00:43] <HymnToLife> well, they won't admit it, of course, but there's strong suspicion that the NSA-approved cryptosystems are the ones they can break
139 [00:43] <DasEi> I recognized apparmor f.e. restricts file access of an apache, but am not familiar with it
140 [00:44] <HymnToLife> (hence why I don't use DSA for my SSH keys)
141 [00:44] <DasEi> HymnToLife: pm ? don't stop bod..
142 [00:44] <bodhi_zazen> no, this is an open discussion
143 [00:44] <HymnToLife> well, you asked the question here, so I answer here :p
144 [00:44] <bodhi_zazen> Or at least I hope so
145 [00:45] <bodhi_zazen> DasEi: Apparmor can be used , and is most often used to "confine" network aware applications
146 [00:45] <HymnToLife> or really any application
147 [00:45] <DasEi> k, what I saw when mentioning harddrive encryption were different solutions ( I'm german), and from the same app, there are different releases, some of them are not legal in us
148 [00:45] <bodhi_zazen> It has not been as popular as it *should* be , IMO
149 [00:46] <bodhi_zazen> I posted a how to here : http://ubuntuforums.org/showthread.php?t=1008906
150 [00:46] <HymnToLife> but the network-related ones are the one it makes most sense confining
151 [00:46] <HymnToLife> since they basically process untrusted data all the time
152 [00:46] <bodhi_zazen> and I am starting to post some example profiles here : http://bodhizazen.net/aa-profiles/
153 [00:46] <bodhi_zazen> Looking for contributions in face
154 [00:46] <bodhi_zazen> *fact
155 [00:47] <bodhi_zazen> Apparmor vs SElinux is another issue sometimes debated
156 [00:47] <bodhi_zazen> Apparmor is easier to learn, but IMO takes more time to maintain
157 [00:48] <bodhi_zazen> For example , you need to revise your profile when firefox is updated from 3.0.6 to 3.0.7
158 [00:48] <bodhi_zazen> ;)
159 [00:48] <bodhi_zazen> You have to keep an eye on apparmor, and there are no GUI tools in Ubuntu, although SUSE has some
160 [00:50] <bodhi_zazen> Any questions / comments please jump in >:)
161 [00:50] <bodhi_zazen> Shifting gears a little ...
162 [00:50] <bodhi_zazen> Antivirus
163 [00:50] <bodhi_zazen> IMO the biggest problem with antivirus is the sheer number of false positives
164 [00:50] <bodhi_zazen> If you use antivirus and you do not want to simply delete detected files, you will have to do a fair amount of detective work
165 [00:51] <bodhi_zazen> Example : http://ubuntuforums.org/showthread.php?t=1106160
166 [00:51] <bodhi_zazen> Snova: can you try to connect again please ?
167 [00:51] <Snova> Ok. :)
168 [00:52] <bodhi_zazen> nvr mind, it is still borked
169 [00:52] <Snova> bodhi_zazen: Yep. :)
170 [00:52] <bodhi_zazen> I had to update for ecryptfs , but it broke screen
171 [00:53] <HymnToLife> well, you can always experiment with AA by yourself in a virtual machine (so you don't get locked off your real system)
172 [00:53] <HymnToLife> the basic concepts are really not hard to grasp
173 [00:54] <HymnToLife> Novell advertises it as requiring only 1-2 days of training, I don't think they're very far from the truth
174 [00:54] <bodhi_zazen> I agree with that
175 [00:54] <bodhi_zazen> I would say I am still learning, but it took me about 4 hours to become comfortable with it
176 [00:55] <bodhi_zazen> The advantage of apparmor, it has the potential to stop zero day exploits
177 [00:55] <bodhi_zazen> We have 5 minutes left in this session ;)
178 [00:56] <bodhi_zazen> I will run a session on this channel, same time, every 1-2 weeks depending on interest
179 [00:56] <bodhi_zazen> From last week there was the suggestion we discuss permissions
180 [00:56] <bodhi_zazen> Now I know most of you know basic permissions, but we can review sticky bits and if you wish acl
181 [00:58] <DasEi> I've got a question on the initialization of apparmor
182 [00:58] <HymnToLife> basic SSH configuration might be a good topic too
183 [00:59] <HymnToLife> I'm thinking about Issues like that: http://ubuntuforums.org/showthread.php?t=1107057
184 [00:59] <DasEi> what does this 'connecting to repository' mean ? isn't this a local mechanism ?
185 [00:59] <HymnToLife> for those who want a bit more control than basic usernames/passwords
186 [00:59] <HymnToLife> DasEi: it means downloading a few pre-made profiles for common applications, IIRC
187 [01:00] <bodhi_zazen> DasEi: and HymnToLife we could have sessions on apparmor or ssh in more depth
188 [01:00] <bodhi_zazen> I happen to like ssh ;)
189 [01:01] <DasEi> HymnToLife: and it does for every app Iagain ?
190 [01:01] <bodhi_zazen> DasEi: AppArmor was developed by Novell
191 [01:01] <HymnToLife> but now they fired all the aa devs :p
192 [01:01] <bodhi_zazen> And I think the idea was to have a central repository for profiles
193 [01:01] <DasEi> deeper sessions.. gotta get caffeine.. great
194 [01:01] <HymnToLife> I heard some of them were working for Microsoft now
195 [01:01] <bodhi_zazen> for things such as say apache or what not
196 [01:02] <bodhi_zazen> I do not think it has been developed, but it still comes up when you generate a profile
197 [01:02] <bodhi_zazen> aa was then added to Ubuntu and we will need to see how much it is used / developed
198 [01:03] <bodhi_zazen> Otherwise we will be back to SELinux :p
199 [01:03] <HymnToLife> Mandriva uses AA too
200 [01:03] <DasEi> sry for being annoying; apparmor follows a given app in the initial run, then asks additional questions and then creates the profile, which can be altered manually again, so no need for an external request..
201 [01:03] <HymnToLife> I think that's all
202 [01:03] <bodhi_zazen> no DasEi
203 [01:03] <bodhi_zazen> Most profiles need to be personalized anyways
204 [01:03] <bodhi_zazen> PCLinuxOS ?
205 [01:04] <bodhi_zazen> I have not tried that lately, but I thought they were Mandriva based.
206 [01:04] <HymnToLife> I think so too, but I don't go in the RPM world often
207 [01:05] <bodhi_zazen> OK, I will stay for a while if there are additional questions, otherwise 2 weeks
208 [01:05] <bodhi_zazen> Any interest in having weekly sessions ?
209 [01:05] <DasEi> k, reading shall heal me for now, many thanks, bodhi_zazen and all the others
210 [01:05] <bodhi_zazen> topics : add them here : https://wiki.ubuntu.com/BeginnersTeam/FocusGroups/Education/Proposals
211 [01:06] <bodhi_zazen> put my name by the topic and I will try to announce and cover them as we go
212 [01:06] <DasEi> bodhi_zazen: nothing bad, nice would be to follow up missed ones at http://irclogs.ubuntu.com/
213 [01:06] <DasEi> *ones
214 [01:07] <bodhi_zazen> In the long run the Beginners Team is hoping to do continued and more focused in depth sessions, perhaps using something such as Moodle
215 [01:07] <bodhi_zazen> yes DasEi I thought ubuntu-classroom was going to post sessions, I will look into that
216 [01:07] <bodhi_zazen> I do not have a way right now to log sessions
217 [01:07] <bodhi_zazen> as I am @ work and accessing over mibbit
218 [01:08] <DasEi> bodhi_zazen: they do, but the last isn't there by now
219 [01:08] <bodhi_zazen> We shall look into it then DasEi
220 [01:08] <bodhi_zazen> but yes the intention is to post logs
221 [01:08] <bodhi_zazen> and grow these sessions
222 [01:09] <bodhi_zazen> I am hoping to spread the word and get some discussion and education going.
223 [01:09] <DasEi> date -u was the greatest tip on UTC, writes this bold, lol
224 [01:09] <bodhi_zazen> lol
225 [01:09] <bodhi_zazen> Thank you everyone for coming
226 [01:10] <DasEi> thank you for rowing
227 [01:10] <bodhi_zazen> I shall spam channels with future meetings, but this time works out for most people, although not all
228 [01:10] <bodhi_zazen> I hope these sessions help educate people ;)
229 [01:11] <bodhi_zazen> we should learn from each other, some people know very much
230 [01:11] <bodhi_zazen> we are planning to do sessions on wiki and development (packaging)