Thank you for your interest in Securing Ubuntu !

BodhiZazen will be running two Q&A sessions on irc to discuss security and security issues.

Please review these threads & bring your questions :

  1. Ubuntu Security

  2. Intrusion Detection

  3. Apparmor


   1 [00:00] <bodhi_zazen> 'lo everyone :)
   2 [00:01]  * Hobbsee is here & watching
   3 [00:01] <bodhi_zazen> I am hoping this session can be more interactive then the last ;)
   4 [00:01] <bodhi_zazen> Otherwise I was going to discuss a little on encryption
   5 [00:02] <HymnToLife> sounds like fun
   6 [00:02] <bodhi_zazen> Here is the pastebin from 2 weeks ago
   7 [00:02] <bodhi_zazen> http://paste.ubuntu.com/133993/
   8 [00:02] <bodhi_zazen> we covered some of the basics and I demoed apparmor in a shared ssh session
   9 [00:02] <Snova> bodhi_zazen: I tried to log in just now, got errors regarding screen profiles.
  10 [00:02] <bodhi_zazen> which I can do again if you wish
  11 [00:03] <bodhi_zazen> yes Snova , the shared screen session is kaput at the moment, but I can fix it if you wish
  12 [00:03] <bodhi_zazen> I think ;)
  13 [00:04] <bodhi_zazen> I updated the system for ecryptfs, and it borked the shared screen session
  14 [00:08] <bodhi_zazen> OK, try to join the shared session Snova ;)
  15 [00:08] <bodhi_zazen> sorry this was not working
  16 [00:09] <DasEi> bodhi_zazen: do you have the link of the last session ( I missed ?)
  17 [00:09] <bodhi_zazen> Let me ask if anyone has any questions then ?
  18 [00:10] <bodhi_zazen> DasEi: I do not know off the top of my head where the logs are
  19 [00:10] <bodhi_zazen> I can find them
  20 [00:10] <bodhi_zazen> cprofitt: do you know ?
  21 [00:10] <Snova> Still broken.
  22 [00:10] <bodhi_zazen> :(
  23 [00:10] <bodhi_zazen> too bad
  24 [00:11] <cprofitt> know what?
  25 [00:11] <bodhi_zazen> I can try one more thing ..
  26 [00:11] <bodhi_zazen> cprofitt: where logs of these sessions are posted ?
  27 [00:11] <cprofitt> the logs should be on the wiki page
  28 [00:12] <cprofitt> https://wiki.ubuntu.com/BeginnersTeam/FocusGroups/Education/Events
  29 [00:12] <cprofitt> I did not get any for your last session though bodhi_zazen
  30 [00:12] <bodhi_zazen> oic, lol
  31 [00:12] <HymnToLife> bodhi_zazen: I have a question
  32 [00:12] <bodhi_zazen> please HymnToLife :)
  33 [00:12] <HymnToLife> should I use DSA or RSA for my SSH keys? *evil grin*
  34 [00:13] <bodhi_zazen> lol
  35 [00:13] <bodhi_zazen> to be honest I am not sure it matters
  36 [00:13] <bodhi_zazen> That is like asking DROP or REJECT with iptables
  37 [00:14] <bodhi_zazen> If you use RSA (I think) use 1024 bits (whick is now default)
  38 [00:14] <bodhi_zazen> do you have a preference ?
  39 [00:15] <bodhi_zazen> try again Snova ;)
  40 [00:15] <bodhi_zazen> Lets talk a bit about encryption then ;)
  41 [00:16] <bodhi_zazen> do people know encryption options on Ubuntu ?
  42 [00:16] <Snova> bodhi_zazen: Looks like the same thing again.
  43 [00:16] <bodhi_zazen> kk Snova :(
  44 [00:16] <bodhi_zazen> thanks
  45 [00:16] <HymnToLife> bodhi_zazen: I prefer RSA
  46 [00:16] <bodhi_zazen> yes, in general I do too
  47 [00:16] <HymnToLife> DSA has been developed by the NSA, and they have had shady practices
  48 [00:16] <bodhi_zazen> it seems 70% prefer RSA
  49 [00:17] <HymnToLife> also, since SSH-2 uses DSA only for host keys encryption
  50 [00:17] <bodhi_zazen> Encryption options on Ubuntu are LUKS and ecryptfs
  51 [00:17] <HymnToLife> using is also for user keys is kind of putting all your eggs in the same basket
  52 [00:18] <HymnToLife> using it*
  53 [00:18] <bodhi_zazen> One can use truecrypt and other tools such as encryptfs and gpg
  54 [00:18] <bodhi_zazen> To install an encrypted system, meaning / and swap are encrypted , use the Alternate CD
  55 [00:19] <bodhi_zazen> By default this will give you a /boot partition, and LVM + LUKS
  56 [00:19] <bodhi_zazen> Post install or during the install, if you wish, you can use ecryptfs to encrypt your /home/user directory, swap, or a private (or other) directories
  57 [00:20] <bodhi_zazen> I posted a how to on ecryptfs here : http://bodhizazen.net/Tutorials/Ecryptfs/
  58 [00:20] <bodhi_zazen> It still needs a bit of work, but the basic information is there
  59 [00:21] <bodhi_zazen> encryption is used basically to protect your personal data if your laptop or hard drive is stolden
  60 [00:21] <bodhi_zazen> IMO things like password protecting yoru BIOS and GRUB is a minor deterrent if someone has physical access
  61 [00:22] <bodhi_zazen> Some people like those tools, and yes it may stop a casual intruder, but they are easily defeated
  62 [00:22] <HymnToLife> also, if it comes down to it, some encryption tools can make encryption plausibly deniable
  63 [00:22] <bodhi_zazen> The disadvantage of encryption is there is a, IMO, minor performance hit
  64 [00:23] <bodhi_zazen> +1 HymnToLife
  65 [00:23] <HymnToLife> meaning that the police, government, etc. cannot *prove* you have encrypted stuff
  66 [00:23] <bodhi_zazen> he he he ...
  67 [00:23] <bodhi_zazen> Encryption can be defeated by a $ hammer applied to the solar plexus >:)
  68 [00:23] <bodhi_zazen> * $10
  69 [00:24] <bodhi_zazen> Sometime you need to apply the hammer a few times for it to work
  70 [00:24] <bodhi_zazen> lol
  71 [00:24] <bodhi_zazen> The other disadvantage of encryption would be if you lost your password or wanted to re-install preserving /home for example
  72 [00:25] <bodhi_zazen> It can be done, but none of the installers will preserve /home automatically , even if it is on a separate partition and so you would need to take casre to configure the encryption manually post install
  73 [00:26] <bodhi_zazen> Frankly, IMO, it is easier to back up you data, re-install with the defaults, and then restore your data
  74 [00:26] <bodhi_zazen>  /end rant on encryption
  75 [00:26] <bodhi_zazen> :)
  76 [00:26] <DasEi> also a more complicared access in case of harddrive-trouble can be added to the disadvantages
  77 [00:27] <Hobbsee> actually, if you set a partition as /home, the installer won't try to auto-format it
  78 [00:27] <Hobbsee> or at least, not on recent ubuntu releases.
  79 [00:27] <bodhi_zazen> Oh, one more thing, you can use keys with some encryption tools to automate decryption
  80 [00:27] <bodhi_zazen> No it will not Hobbsee , but I will not set up LUKS or encryptfs either
  81 [00:27] <Hobbsee> that's true
  82 [00:27] <bodhi_zazen> so post install you may not be able to decrypt it
  83 [00:28] <bodhi_zazen> :(
  84 [00:28] <Hobbsee> that may not still be true for jaunty, btw.
  85 [00:28] <bodhi_zazen> You need to take care with encryptfs if you encrypted /home/user_name because the information was stored on the root partition
  86 [00:28] <maxb> Isn't all the "setup" for ecryptfs contained within the homedir anyway?
  87 [00:29] <bodhi_zazen> maxb: It depends on how you setup encryptfs
  88 [00:29] <Snova> Is encryption only to protect if somebody gets physical access to the HD?
  89 [00:29] <bodhi_zazen> If you used encryptfs-setup-private you will be OK
  90 [00:29] <maxb> bodhi_zazen: Are you talking about ecryptfs? If so, spell it's name right to avoid confusing us!
  91 [00:29] <maxb> oops. I fail at apostrophe usage
  92 [00:29] <bodhi_zazen> If you encrypted your home directory during installation, no , the key is on the root partition and linked back to $HOME
  93 [00:30] <HymnToLife> Snova: in the case of ecryptfs, yes
  94 [00:30] <bodhi_zazen> so you will loose the config info if you install over the top of root
  95 [00:30] <HymnToLife> however, there are other kinds of encryption
  96 [00:30] <bodhi_zazen> sorry, yes ecryptfs
  97 [00:30] <bodhi_zazen> :p
  98 [00:30] <HymnToLife> Snova: for example, you can encrypts files using GnuPG to send them by email
  99 [00:31] <HymnToLife> (or to store them for later use)
 100 [00:31] <maxb> Ah, right, I'm only using ecryptfs in private-subdir setup, because I disagree that encrypting the entire homedir makes sense
 101 [00:31] <bodhi_zazen> If your data is sensitive enough to encrypt -
 102 [00:31] <Snova> I am fairly familiar with encryption in general, just wondering if there is any point to an encrypted *hard drive* (should have mentioned that previously) beyond physical access.
 103 [00:31] <bodhi_zazen> 1. Know that if the data is decrypted, ie you mounted your Private directory or LUKS partition, or truecrypt
 104 [00:32] <bodhi_zazen> the data is available to the root user
 105 [00:32] <HymnToLife> Snova: that the only one I can think of right now, but it's a pretty big one
 106 [00:32] <bodhi_zazen> or any other users allowed by your permissions
 107 [00:32] <HymnToLife> especially nowadays when laptops are getting smaller and smaller, thus easier to lose/steal
 108 [00:32] <bodhi_zazen> and 2. you should take care to encrypt your back ups as well :p
 109 [00:33] <bodhi_zazen> Snova: Only the paranoid would encrypt the entire installation
 110 [00:33] <Snova> bodhi_zazen: Any amount of it, really.
 111 [00:33] <bodhi_zazen> This would be to prevent someone for say installing a rootkit from a live CD
 112 [00:33] <HymnToLife> bodhi_zazen: there are many good reasons to be paranoid nowadays
 113 [00:34] <bodhi_zazen> The two potential vulnerabilities with encryption are :
 114 [00:34] <DasEi> and even then you'll need extra partitions or containers to avoid online-access
 115 [00:34] <bodhi_zazen> 1. Someone , in theory, could recover the key from RAM
 116 [00:34] <bodhi_zazen> 2. Your /boot partition is not encrypted so someone could replace your kernel
 117 [00:34] <bodhi_zazen> +1 HymnToLife re paranoia
 118 [00:35] <bodhi_zazen> Snova: for others , encrypting your private directory in /home , or a data partition, or removable device may be sufficient
 119 [00:36] <bodhi_zazen> I guess my point is to raise awareness of the vulnerabilities of physical access and encryption as the best solution, IMO
 120 [00:36] <HymnToLife> s/best/only/
 121 [00:37] <HymnToLife> encryption is based on math, math never cheats ;)
 122 [00:37] <bodhi_zazen> Well, you could wipe the drive or smash it very fast as they are breaking down your door ;)
 123 [00:37] <bodhi_zazen> melt it
 124 [00:37] <bodhi_zazen> questions on encryption ?
 125 [00:38] <bodhi_zazen> hint - this is your chance to ask questions
 126 [00:38] <bodhi_zazen> It sounds as if we have a few people here now who use encryption
 127 [00:39] <HymnToLife> no, I don't!
 128 [00:39] <HymnToLife> you can't prove anything!
 129 [00:39] <bodhi_zazen> Guilty by association
 130 [00:39] <bodhi_zazen> Off with his head
 131 [00:40] <DasEi> I just wonder how f.e. us-gpg needs a backdoor for nsa-related stuff, it is on ubuntu ?
 132 [00:40] <bodhi_zazen> We could talk a bit about iptables, root kits, antivirus
 133 [00:41] <bodhi_zazen> I know antivirus is boring to some, but it is a FAQ on the forums
 134 [00:41] <bodhi_zazen> Did anybody take a look at AppArmor ?
 135 [00:42] <DasEi> too less, let's talk
 136 [00:42] <HymnToLife> DasEi: if I understand your question, it's because the NSA doesn't like it when people use encryption they can't break :p
 137 [00:42] <bodhi_zazen> too less ?
 138 [00:43] <HymnToLife> well, they won't admit it, of course, but there's strong suspicion that the NSA-approve"d cryptosystems are the ones they can break
 139 [00:43] <DasEi> I recognized appamor f.e. restricts file access of an apache, but are not familiar with it
 140 [00:44] <HymnToLife> (hence why I don't use DSA for my SSH keys)
 141 [00:44] <DasEi> HymnToLife: pm ? don't stop bod..
 142 [00:44] <bodhi_zazen> no, this is an open discussion
 143 [00:44] <HymnToLife> well, you asked the question here, so I answer here :p
 144 [00:44] <bodhi_zazen> Or at least I hope so
 145 [00:45] <bodhi_zazen> DasEi: Apparmor can be used , and is most often used to "confine" network aware applications
 146 [00:45] <HymnToLife> or really any application
 147 [00:45] <DasEi> k, what I saw when mentioning harddrive encryption where different solutions ( I'm german), and from the same app, there are different releases, some of them are not legal in us
 148 [00:45] <bodhi_zazen> It has not been as popular as it *should* be , IMO
 149 [00:46] <bodhi_zazen> I posed a how to here : http://ubuntuforums.org/showthread.php?t=1008906
 150 [00:46] <HymnToLife> but the network-related ones are the one it makes most sense confining
 151 [00:46] <HymnToLife> since they basically process untrusted data all the time
 152 [00:46] <bodhi_zazen> and I am starting to post some example profiles here : http://bodhizazen.net/aa-profiles/
 153 [00:46] <bodhi_zazen> Looking for contributions in face
 154 [00:46] <bodhi_zazen> *fact
 155 [00:47] <bodhi_zazen> Apparmor vs SElinux is another issue sometimes debated
 156 [00:47] <bodhi_zazen> Apparmor is easier to learn, but IMO takes more time to maintain
 157 [00:48] <bodhi_zazen> For example , you need to revise your profile when firefox is updated from 3.0.6 to 3.0.7
 158 [00:48] <bodhi_zazen> ;)
 159 [00:48] <bodhi_zazen> You have to keep an eye on apparmor, and there are no GUI tools in Ubuntu, although SUSE has some
 160 [00:50] <bodhi_zazen> Any questions / comments please jump in >:)
 161 [00:50] <bodhi_zazen> Shifting gears a little ...
 162 [00:50] <bodhi_zazen> Antivirus
 163 [00:50] <bodhi_zazen> IMO the biggest problem with antivirus is the sheer numbers of false postitives
 164 [00:50] <bodhi_zazen> If you use antivirus and you do not want to simply delete detected files, you will have to do a fair amount of detective work
 165 [00:51] <bodhi_zazen> Example : http://ubuntuforums.org/showthread.php?t=1106160
 166 [00:51] <bodhi_zazen> Snova: can you try to connect again please ?
 167 [00:51] <Snova> Ok. :)
 168 [00:52] <bodhi_zazen> nvr mind, it is still borked
 169 [00:52] <Snova> bodhi_zazen: Yep. :)
 170 [00:52] <bodhi_zazen> I had to update for ecryptfs , but it broke screen
 171 [00:53] <HymnToLife> well, you can always experiment with AA by yourself in a virtual machine (so you don't get locked off your real system)
 172 [00:53] <HymnToLife> the basic concepts are really not hard to grasp
 173 [00:54] <HymnToLife> Novell advertises it as requiring only 1-2 days of training, I don't think they're very far from the truth
 174 [00:54] <bodhi_zazen> I agree with that
 175 [00:54] <bodhi_zazen> I would say I am still learning, but it took me about 4 hours to become comfortable with it
 176 [00:55] <bodhi_zazen> The advantage of apparmor, it has the potential to stop zero day exploits
 177 [00:55] <bodhi_zazen> We have 5 minutes left in this session ;)
 178 [00:56] <bodhi_zazen> I will run a session on this channel, same time, every 1-2 weeks depending in interest
 179 [00:56] <bodhi_zazen> From last week there was the suggestion we discuss permissions
 180 [00:56] <bodhi_zazen> Now I know most of you know basic permissions, but we can review sticky bits and if you wish acl
 181 [00:58] <DasEi> I#ve got a question to the initialization of apparmor
 182 [00:58] <HymnToLife> basic SSH configuration might be a good topic too
 183 [00:59] <HymnToLife> I'm thinking about Issues like that: http://ubuntuforums.org/showthread.php?t=1107057
 184 [00:59] <DasEi> what does this 'connecting to repository mean ? isn't this a local mechanism ?
 185 [00:59] <HymnToLife> for those who want a bit more control than basic usernames/passwords
 186 [00:59] <HymnToLife> DasEi: it means downloading a few pre-made profiles for common applications, IIRC
 187 [01:00] <bodhi_zazen> DasEi: and HymnToLife we could have sessions on apparmor or ssh in more depth
 188 [01:00] <bodhi_zazen> I happen to like ssh ;)
 189 [01:01] <DasEi> HymnToLife: and it does for every app Iagain ?
 190 [01:01] <bodhi_zazen> DasEi: AppArmor was developed my Novell
 191 [01:01] <HymnToLife> but now they fired all the aa devs :p
 192 [01:01] <bodhi_zazen> And I think the idea was to have a central repository for profiles
 193 [01:01] <DasEi> deeper sessions.. gotta get coffeine.. great
 194 [01:01] <HymnToLife> I heard some of them were working for Microsoft now
 195 [01:01] <bodhi_zazen> for things such as say apache or what not
 196 [01:02] <bodhi_zazen> I do not think it has been developed, but it still comes up when you generate a profile
 197 [01:02] <bodhi_zazen> aa was then added to Ubuntu and we will need to see how much it is used / developed
 198 [01:03] <bodhi_zazen> Otherwise we will be back to SELinux :p
 199 [01:03] <HymnToLife> Mandriva uses AA too
 200 [01:03] <DasEi> sry when bein annoying; apparmor follows an given app in the inital , then asks additional quests and then creates the profile, which can be altered manually again, so no need for external request..
 201 [01:03] <HymnToLife> I think that's all
 202 [01:03] <bodhi_zazen> no DasEi
 203 [01:03] <bodhi_zazen> Most profiles need to be personalized anyways
 204 [01:03] <bodhi_zazen> PCLinuxOS ?
 205 [01:04] <bodhi_zazen> I have not tried that lately, but I though they were Mandriva based.
 206 [01:04] <HymnToLife> I think so too, but I don't go in the RPM world often
 207 [01:05] <bodhi_zazen> OK, I will stay for a while if there are additional questions, otherwise 2 weeks
 208 [01:05] <bodhi_zazen> Any interest in having weekly sessions ?
 209 [01:05] <DasEi> k, reading shall heal me for now, many thanks, bodhi_zazen and all the others
 210 [01:05] <bodhi_zazen> topics : add them here : https://wiki.ubuntu.com/BeginnersTeam/FocusGroups/Education/Proposals
 211 [01:06] <bodhi_zazen> put my name by the topic and I will try to announce and cover them as we go
 212 [01:06] <DasEi> bodhi_zazen: nothing bad, nice would be to follow up missed ons at http://irclogs.ubuntu.com/
 213 [01:06] <DasEi> *ones
 214 [01:07] <bodhi_zazen> In the long run the Beginners Team is hoping to do continued and more focused in depth sessions, perhaps using something such as Moodle
 215 [01:07] <bodhi_zazen> yes DasEi I thought ubuntu-classroom was going to post sessions, I will look into that
 216 [01:07] <bodhi_zazen> I do not have a way right now to log sessions
 217 [01:07] <bodhi_zazen> as I am @ work and accessing over mibbit
 218 [01:08] <DasEi> bodhi_zazen:they do, but last isn't there by now
 219 [01:08] <bodhi_zazen> We shall look into it then DasEi
 220 [01:08] <bodhi_zazen> but yes the intention is to post logs
 221 [01:08] <bodhi_zazen> and grow these sessions
 222 [01:09] <bodhi_zazen> I am hoping to spread the word and get some discussion and education going.
 223 [01:09] <DasEi> date -u was the greatest tip on UTC, writes this bold, lol
 224 [01:09] <bodhi_zazen> lol
 225 [01:09] <bodhi_zazen> Thank you everyone for coming
 226 [01:10] <DasEi> thank you for rowing
 227 [01:10] <bodhi_zazen> I shall spam channels with future meetings, but this time works out for most people, although not all
 228 [01:10] <bodhi_zazen> I hope these sessions help educate people ;)
 229 [01:11] <bodhi_zazen> we should learn from each other, some people know very much
 230 [01:11] <bodhi_zazen> we are planning to do sessions on wiki and development (packageing)


BeginnersTeam/FocusGroups/EducationOLD/Events/03262009 (last edited 2009-10-15 20:34:28 by host-84-13-223-244)