Thank you for your interest in Securing Ubuntu!
BodhiZazen will be running two Q&A sessions on IRC to discuss security and security issues.
Please review these threads & bring your questions:
[00:00] <bodhi_zazen> 'lo everyone :)
[00:01] * Hobbsee is here & watching
[00:01] <bodhi_zazen> I am hoping this session can be more interactive than the last ;)
[00:01] <bodhi_zazen> Otherwise I was going to discuss a little on encryption
[00:02] <HymnToLife> sounds like fun
[00:02] <bodhi_zazen> Here is the pastebin from 2 weeks ago
[00:02] <bodhi_zazen> http://paste.ubuntu.com/133993/
[00:02] <bodhi_zazen> we covered some of the basics and I demoed apparmor in a shared ssh session
[00:02] <Snova> bodhi_zazen: I tried to log in just now, got errors regarding screen profiles.
[00:02] <bodhi_zazen> which I can do again if you wish
[00:03] <bodhi_zazen> yes Snova, the shared screen session is kaput at the moment, but I can fix it if you wish
[00:03] <bodhi_zazen> I think ;)
[00:04] <bodhi_zazen> I updated the system for ecryptfs, and it borked the shared screen session
[00:08] <bodhi_zazen> OK, try to join the shared session Snova ;)
[00:08] <bodhi_zazen> sorry this was not working
[00:09] <DasEi> bodhi_zazen: do you have the link of the last session (I missed?)
[00:09] <bodhi_zazen> Let me ask if anyone has any questions then?
[00:10] <bodhi_zazen> DasEi: I do not know off the top of my head where the logs are
[00:10] <bodhi_zazen> I can find them
[00:10] <bodhi_zazen> cprofitt: do you know?
[00:10] <Snova> Still broken.
[00:10] <bodhi_zazen> :(
[00:10] <bodhi_zazen> too bad
[00:11] <cprofitt> know what?
[00:11] <bodhi_zazen> I can try one more thing ..
[00:11] <bodhi_zazen> cprofitt: where logs of these sessions are posted?
[00:11] <cprofitt> the logs should be on the wiki page
[00:12] <cprofitt> https://wiki.ubuntu.com/BeginnersTeam/FocusGroups/Education/Events
[00:12] <cprofitt> I did not get any for your last session though bodhi_zazen
[00:12] <bodhi_zazen> oic, lol
[00:12] <HymnToLife> bodhi_zazen: I have a question
[00:12] <bodhi_zazen> please HymnToLife :)
[00:12] <HymnToLife> should I use DSA or RSA for my SSH keys? *evil grin*
[00:13] <bodhi_zazen> lol
[00:13] <bodhi_zazen> to be honest I am not sure it matters
[00:13] <bodhi_zazen> That is like asking DROP or REJECT with iptables
[00:14] <bodhi_zazen> If you use RSA (I think) use 1024 bits (which is now default)
[00:14] <bodhi_zazen> do you have a preference?
[00:15] <bodhi_zazen> try again Snova ;)
[00:15] <bodhi_zazen> Let's talk a bit about encryption then ;)
[00:16] <bodhi_zazen> do people know encryption options on Ubuntu?
[00:16] <Snova> bodhi_zazen: Looks like the same thing again.
[00:16] <bodhi_zazen> kk Snova :(
[00:16] <bodhi_zazen> thanks
[00:16] <HymnToLife> bodhi_zazen: I prefer RSA
[00:16] <bodhi_zazen> yes, in general I do too
[00:16] <HymnToLife> DSA has been developed by the NSA, and they have had shady practices
[00:16] <bodhi_zazen> it seems 70% prefer RSA
[00:17] <HymnToLife> also, since SSH-2 uses DSA only for host keys encryption
[00:17] <bodhi_zazen> Encryption options on Ubuntu are LUKS and ecryptfs
[00:17] <HymnToLife> using is also for user keys is kind of putting all your eggs in the same basket
[00:18] <HymnToLife> using it*
[00:18] <bodhi_zazen> One can use truecrypt and other tools such as encryptfs and gpg
[00:18] <bodhi_zazen> To install an encrypted system, meaning / and swap are encrypted, use the Alternate CD
[00:19] <bodhi_zazen> By default this will give you a /boot partition, and LVM + LUKS
[00:19] <bodhi_zazen> Post install or during the install, if you wish, you can use ecryptfs to encrypt your /home/user directory, swap, or a private (or other) directories
[00:20] <bodhi_zazen> I posted a how to on ecryptfs here: http://bodhizazen.net/Tutorials/Ecryptfs/
[00:20] <bodhi_zazen> It still needs a bit of work, but the basic information is there
[00:21] <bodhi_zazen> encryption is used basically to protect your personal data if your laptop or hard drive is stolen
[00:21] <bodhi_zazen> IMO things like password protecting your BIOS and GRUB is a minor deterrent if someone has physical access
[00:22] <bodhi_zazen> Some people like those tools, and yes it may stop a casual intruder, but they are easily defeated
[00:22] <HymnToLife> also, if it comes down to it, some encryption tools can make encryption plausibly deniable
[00:22] <bodhi_zazen> The disadvantage of encryption is there is a, IMO, minor performance hit
[00:23] <bodhi_zazen> +1 HymnToLife
[00:23] <HymnToLife> meaning that the police, government, etc. cannot *prove* you have encrypted stuff
[00:23] <bodhi_zazen> he he he ...
[00:23] <bodhi_zazen> Encryption can be defeated by a $ hammer applied to the solar plexus >:)
[00:23] <bodhi_zazen> * $10
[00:24] <bodhi_zazen> Sometimes you need to apply the hammer a few times for it to work
[00:24] <bodhi_zazen> lol
[00:24] <bodhi_zazen> The other disadvantage of encryption would be if you lost your password or wanted to re-install preserving /home for example
[00:25] <bodhi_zazen> It can be done, but none of the installers will preserve /home automatically, even if it is on a separate partition, and so you would need to take care to configure the encryption manually post install
[00:26] <bodhi_zazen> Frankly, IMO, it is easier to back up your data, re-install with the defaults, and then restore your data
[00:26] <bodhi_zazen> /end rant on encryption
[00:26] <bodhi_zazen> :)
[00:26] <DasEi> also a more complicated access in case of harddrive-trouble can be added to the disadvantages
[00:27] <Hobbsee> actually, if you set a partition as /home, the installer won't try to auto-format it
[00:27] <Hobbsee> or at least, not on recent ubuntu releases.
[00:27] <bodhi_zazen> Oh, one more thing, you can use keys with some encryption tools to automate decryption
[00:27] <bodhi_zazen> No it will not Hobbsee, but I will not set up LUKS or encryptfs either
[00:27] <Hobbsee> that's true
[00:27] <bodhi_zazen> so post install you may not be able to decrypt it
[00:28] <bodhi_zazen> :(
[00:28] <Hobbsee> that may not still be true for jaunty, btw.
[00:28] <bodhi_zazen> You need to take care with encryptfs if you encrypted /home/user_name because the information was stored on the root partition
[00:28] <maxb> Isn't all the "setup" for ecryptfs contained within the homedir anyway?
[00:29] <bodhi_zazen> maxb: It depends on how you set up encryptfs
[00:29] <Snova> Is encryption only to protect if somebody gets physical access to the HD?
[00:29] <bodhi_zazen> If you used encryptfs-setup-private you will be OK
[00:29] <maxb> bodhi_zazen: Are you talking about ecryptfs? If so, spell it's name right to avoid confusing us!
[00:29] <maxb> oops. I fail at apostrophe usage
[00:29] <bodhi_zazen> If you encrypted your home directory during installation, no, the key is on the root partition and linked back to $HOME
[00:30] <HymnToLife> Snova: in the case of ecryptfs, yes
[00:30] <bodhi_zazen> so you will lose the config info if you install over the top of root
[00:30] <HymnToLife> however, there are other kinds of encryption
[00:30] <bodhi_zazen> sorry, yes ecryptfs
[00:30] <bodhi_zazen> :p
[00:30] <HymnToLife> Snova: for example, you can encrypt files using GnuPG to send them by email
[00:31] <HymnToLife> (or to store them for later use)
[00:31] <maxb> Ah, right, I'm only using ecryptfs in private-subdir setup, because I disagree that encrypting the entire homedir makes sense
[00:31] <bodhi_zazen> If your data is sensitive enough to encrypt -
[00:31] <Snova> I am fairly familiar with encryption in general, just wondering if there is any point to an encrypted *hard drive* (should have mentioned that previously) beyond physical access.
[00:31] <bodhi_zazen> 1. Know that if the data is decrypted, ie you mounted your Private directory or LUKS partition, or truecrypt
[00:32] <bodhi_zazen> the data is available to the root user
[00:32] <HymnToLife> Snova: that's the only one I can think of right now, but it's a pretty big one
[00:32] <bodhi_zazen> or any other users allowed by your permissions
[00:32] <HymnToLife> especially nowadays when laptops are getting smaller and smaller, thus easier to lose/steal
[00:32] <bodhi_zazen> and 2. you should take care to encrypt your backups as well :p
[00:33] <bodhi_zazen> Snova: Only the paranoid would encrypt the entire installation
[00:33] <Snova> bodhi_zazen: Any amount of it, really.
[00:33] <bodhi_zazen> This would be to prevent someone from, say, installing a rootkit from a live CD
[00:33] <HymnToLife> bodhi_zazen: there are many good reasons to be paranoid nowadays
[00:34] <bodhi_zazen> The two potential vulnerabilities with encryption are:
[00:34] <DasEi> and even then you'll need extra partitions or containers to avoid online-access
[00:34] <bodhi_zazen> 1. Someone, in theory, could recover the key from RAM
[00:34] <bodhi_zazen> 2. Your /boot partition is not encrypted so someone could replace your kernel
[00:34] <bodhi_zazen> +1 HymnToLife re paranoia
[00:35] <bodhi_zazen> Snova: for others, encrypting your private directory in /home, or a data partition, or removable device may be sufficient
[00:36] <bodhi_zazen> I guess my point is to raise awareness of the vulnerabilities of physical access and encryption as the best solution, IMO
[00:36] <HymnToLife> s/best/only/
[00:37] <HymnToLife> encryption is based on math, math never cheats ;)
[00:37] <bodhi_zazen> Well, you could wipe the drive or smash it very fast as they are breaking down your door ;)
[00:37] <bodhi_zazen> melt it
[00:37] <bodhi_zazen> questions on encryption?
[00:38] <bodhi_zazen> hint - this is your chance to ask questions
[00:38] <bodhi_zazen> It sounds as if we have a few people here now who use encryption
[00:39] <HymnToLife> no, I don't!
[00:39] <HymnToLife> you can't prove anything!
[00:39] <bodhi_zazen> Guilty by association
[00:39] <bodhi_zazen> Off with his head
[00:40] <DasEi> I just wonder how f.e. us-gpg needs a backdoor for nsa-related stuff, it is on ubuntu?
[00:40] <bodhi_zazen> We could talk a bit about iptables, root kits, antivirus
[00:41] <bodhi_zazen> I know antivirus is boring to some, but it is a FAQ on the forums
[00:41] <bodhi_zazen> Did anybody take a look at AppArmor?
[00:42] <DasEi> too less, let's talk
[00:42] <HymnToLife> DasEi: if I understand your question, it's because the NSA doesn't like it when people use encryption they can't break :p
[00:42] <bodhi_zazen> too less?
[00:43] <HymnToLife> well, they won't admit it, of course, but there's strong suspicion that the NSA-approved cryptosystems are the ones they can break
[00:43] <DasEi> I recognized apparmor f.e. restricts file access of an apache, but am not familiar with it
[00:44] <HymnToLife> (hence why I don't use DSA for my SSH keys)
[00:44] <DasEi> HymnToLife: pm? don't stop bod..
[00:44] <bodhi_zazen> no, this is an open discussion
[00:44] <HymnToLife> well, you asked the question here, so I answer here :p
[00:44] <bodhi_zazen> Or at least I hope so
[00:45] <bodhi_zazen> DasEi: Apparmor can be used, and is most often used, to "confine" network aware applications
[00:45] <HymnToLife> or really any application
[00:45] <DasEi> k, what I saw when mentioning harddrive encryption were different solutions (I'm german), and from the same app, there are different releases, some of them are not legal in us
[00:45] <bodhi_zazen> It has not been as popular as it *should* be, IMO
[00:46] <bodhi_zazen> I posted a how to here: http://ubuntuforums.org/showthread.php?t=1008906
[00:46] <HymnToLife> but the network-related ones are the ones it makes most sense confining
[00:46] <HymnToLife> since they basically process untrusted data all the time
[00:46] <bodhi_zazen> and I am starting to post some example profiles here: http://bodhizazen.net/aa-profiles/
[00:46] <bodhi_zazen> Looking for contributions in face
[00:46] <bodhi_zazen> *fact
[00:47] <bodhi_zazen> Apparmor vs SELinux is another issue sometimes debated
[00:47] <bodhi_zazen> Apparmor is easier to learn, but IMO takes more time to maintain
[00:48] <bodhi_zazen> For example, you need to revise your profile when firefox is updated from 3.0.6 to 3.0.7
[00:48] <bodhi_zazen> ;)
[00:48] <bodhi_zazen> You have to keep an eye on apparmor, and there are no GUI tools in Ubuntu, although SUSE has some
[00:50] <bodhi_zazen> Any questions / comments please jump in >:)
[00:50] <bodhi_zazen> Shifting gears a little ...
[00:50] <bodhi_zazen> Antivirus
[00:50] <bodhi_zazen> IMO the biggest problem with antivirus is the sheer number of false positives
[00:50] <bodhi_zazen> If you use antivirus and you do not want to simply delete detected files, you will have to do a fair amount of detective work
[00:51] <bodhi_zazen> Example: http://ubuntuforums.org/showthread.php?t=1106160
[00:51] <bodhi_zazen> Snova: can you try to connect again please?
[00:51] <Snova> Ok. :)
[00:52] <bodhi_zazen> nvr mind, it is still borked
[00:52] <Snova> bodhi_zazen: Yep. :)
[00:52] <bodhi_zazen> I had to update for ecryptfs, but it broke screen
[00:53] <HymnToLife> well, you can always experiment with AA by yourself in a virtual machine (so you don't get locked out of your real system)
[00:53] <HymnToLife> the basic concepts are really not hard to grasp
[00:54] <HymnToLife> Novell advertises it as requiring only 1-2 days of training, I don't think they're very far from the truth
[00:54] <bodhi_zazen> I agree with that
[00:54] <bodhi_zazen> I would say I am still learning, but it took me about 4 hours to become comfortable with it
[00:55] <bodhi_zazen> The advantage of apparmor, it has the potential to stop zero day exploits
[00:55] <bodhi_zazen> We have 5 minutes left in this session ;)
[00:56] <bodhi_zazen> I will run a session on this channel, same time, every 1-2 weeks depending on interest
[00:56] <bodhi_zazen> From last week there was the suggestion we discuss permissions
[00:56] <bodhi_zazen> Now I know most of you know basic permissions, but we can review sticky bits and if you wish acl
[00:58] <DasEi> I've got a question to the initialization of apparmor
[00:58] <HymnToLife> basic SSH configuration might be a good topic too
[00:59] <HymnToLife> I'm thinking about issues like that: http://ubuntuforums.org/showthread.php?t=1107057
[00:59] <DasEi> what does this 'connecting to repository' mean? isn't this a local mechanism?
[00:59] <HymnToLife> for those who want a bit more control than basic usernames/passwords
[00:59] <HymnToLife> DasEi: it means downloading a few pre-made profiles for common applications, IIRC
[01:00] <bodhi_zazen> DasEi: and HymnToLife we could have sessions on apparmor or ssh in more depth
[01:00] <bodhi_zazen> I happen to like ssh ;)
[01:01] <DasEi> HymnToLife: and it does for every app again?
[01:01] <bodhi_zazen> DasEi: AppArmor was developed by Novell
[01:01] <HymnToLife> but now they fired all the aa devs :p
[01:01] <bodhi_zazen> And I think the idea was to have a central repository for profiles
[01:01] <DasEi> deeper sessions.. gotta get caffeine.. great
[01:01] <HymnToLife> I heard some of them were working for Microsoft now
[01:01] <bodhi_zazen> for things such as say apache or what not
[01:02] <bodhi_zazen> I do not think it has been developed, but it still comes up when you generate a profile
[01:02] <bodhi_zazen> aa was then added to Ubuntu and we will need to see how much it is used / developed
[01:03] <bodhi_zazen> Otherwise we will be back to SELinux :p
[01:03] <HymnToLife> Mandriva uses AA too
[01:03] <DasEi> sry when being annoying; apparmor follows a given app in the initial, then asks additional quests and then creates the profile, which can be altered manually again, so no need for external request..
[01:03] <HymnToLife> I think that's all
[01:03] <bodhi_zazen> no DasEi
[01:03] <bodhi_zazen> Most profiles need to be personalized anyways
[01:03] <bodhi_zazen> PCLinuxOS?
[01:04] <bodhi_zazen> I have not tried that lately, but I thought they were Mandriva based.
[01:04] <HymnToLife> I think so too, but I don't go in the RPM world often
[01:05] <bodhi_zazen> OK, I will stay for a while if there are additional questions, otherwise 2 weeks
[01:05] <bodhi_zazen> Any interest in having weekly sessions?
[01:05] <DasEi> k, reading shall heal me for now, many thanks, bodhi_zazen and all the others
[01:05] <bodhi_zazen> topics: add them here: https://wiki.ubuntu.com/BeginnersTeam/FocusGroups/Education/Proposals
[01:06] <bodhi_zazen> put my name by the topic and I will try to announce and cover them as we go
[01:06] <DasEi> bodhi_zazen: nothing bad, nice would be to follow up missed ons at http://irclogs.ubuntu.com/
[01:06] <DasEi> *ones
[01:07] <bodhi_zazen> In the long run the Beginners Team is hoping to do continued and more focused in depth sessions, perhaps using something such as Moodle
[01:07] <bodhi_zazen> yes DasEi I thought ubuntu-classroom was going to post sessions, I will look into that
[01:07] <bodhi_zazen> I do not have a way right now to log sessions
[01:07] <bodhi_zazen> as I am @ work and accessing over mibbit
[01:08] <DasEi> bodhi_zazen: they do, but last isn't there by now
[01:08] <bodhi_zazen> We shall look into it then DasEi
[01:08] <bodhi_zazen> but yes the intention is to post logs
[01:08] <bodhi_zazen> and grow these sessions
[01:09] <bodhi_zazen> I am hoping to spread the word and get some discussion and education going.
[01:09] <DasEi> date -u was the greatest tip on UTC, writes this bold, lol
[01:09] <bodhi_zazen> lol
[01:09] <bodhi_zazen> Thank you everyone for coming
[01:10] <DasEi> thank you for rowing
[01:10] <bodhi_zazen> I shall spam channels with future meetings, but this time works out for most people, although not all
[01:10] <bodhi_zazen> I hope these sessions help educate people ;)
[01:11] <bodhi_zazen> we should learn from each other, some people know very much
[01:11] <bodhi_zazen> we are planning to do sessions on wiki and development (packaging)