bodhi_zazen | 'lo everyone :) | 00:00 |
---|---|---|
Hobbsee | * Hobbsee is here & watching | 00:01 |
bodhi_zazen | I am hoping this session can be more interactive than the last ;) | 00:01 |
bodhi_zazen | Otherwise I was going to discuss a little on encryption | 00:01 |
HymnToLife | sounds like fun | 00:02 |
bodhi_zazen | Here is the pastebin from 2 weeks ago | 00:02 |
bodhi_zazen | http://paste.ubuntu.com/133993/ | 00:02 |
bodhi_zazen | we covered some of the basics and I demoed apparmor in a shared ssh session | 00:02 |
Snova | bodhi_zazen: I tried to log in just now, got errors regarding screen profiles. | 00:02 |
bodhi_zazen | which I can do again if you wish | 00:02 |
bodhi_zazen | yes Snova , the shared screen session is kaput at the moment, but I can fix it if you wish | 00:03 |
bodhi_zazen | I think ;) | 00:03 |
bodhi_zazen | I updated the system for ecryptfs, and it borked the shared screen session | 00:04 |
bodhi_zazen | OK, try to join the shared session Snova ;) | 00:08 |
bodhi_zazen | sorry this was not working | 00:08 |
DasEi | bodhi_zazen: do you have the link of the last session ( I missed ?) | 00:09 |
bodhi_zazen | Let me ask if anyone has any questions then ? | 00:09 |
bodhi_zazen | DasEi: I do not know off the top of my head where the logs are | 00:10 |
bodhi_zazen | I can find them | 00:10 |
bodhi_zazen | cprofitt: do you know ? | 00:10 |
Snova | Still broken. | 00:10 |
bodhi_zazen | :( | 00:10 |
bodhi_zazen | too bad | 00:10 |
cprofitt | know what? | 00:11 |
bodhi_zazen | I can try one more thing .. | 00:11 |
bodhi_zazen | cprofitt: where logs of these sessions are posted ? | 00:11 |
cprofitt | the logs should be on the wiki page | 00:11 |
cprofitt | https://wiki.ubuntu.com/BeginnersTeam/FocusGroups/Education/Events | 00:12 |
cprofitt | I did not get any for your last session though bodhi_zazen | 00:12 |
bodhi_zazen | oic, lol | 00:12 |
HymnToLife | bodhi_zazen: I have a question | 00:12 |
bodhi_zazen | please HymnToLife :) | 00:12 |
HymnToLife | should I use DSA or RSA for my SSH keys? *evil grin* | 00:12 |
bodhi_zazen | lol | 00:13 |
bodhi_zazen | to be honest I am not sure it matters | 00:13 |
bodhi_zazen | That is like asking DROP or REJECT with iptables | 00:13 |
bodhi_zazen | If you use RSA (I think) use 1024 bits (which is now default) | 00:14 |
bodhi_zazen | do you have a preference ? | 00:14 |
bodhi_zazen | try again Snova ;) | 00:15 |
bodhi_zazen | Let's talk a bit about encryption then ;) | 00:15 |
bodhi_zazen | do people know encryption options on Ubuntu ? | 00:16 |
Snova | bodhi_zazen: Looks like the same thing again. | 00:16 |
bodhi_zazen | kk Snova :( | 00:16 |
bodhi_zazen | thanks | 00:16 |
HymnToLife | bodhi_zazen: I prefer RSA | 00:16 |
bodhi_zazen | yes, in general I do too | 00:16 |
HymnToLife | DSA has been developed by the NSA, and they have had shady practices | 00:16 |
bodhi_zazen | it seems 70% prefer RSA | 00:16 |
HymnToLife | also, since SSH-2 uses DSA only for host keys encryption | 00:17 |
bodhi_zazen | Encryption options on Ubuntu are LUKS and ecryptfs | 00:17 |
HymnToLife | using is also for user keys is kind of putting all your eggs in the same basket | 00:17 |
HymnToLife | using it* | 00:18 |
bodhi_zazen | One can use truecrypt and other tools such as encryptfs and gpg | 00:18 |
bodhi_zazen | To install an encrypted system, meaning / and swap are encrypted , use the Alternate CD | 00:18 |
bodhi_zazen | By default this will give you a /boot partition, and LVM + LUKS | 00:19 |
bodhi_zazen | Post install or during the install, if you wish, you can use ecryptfs to encrypt your /home/user directory, swap, or a private (or other) directories | 00:19 |
bodhi_zazen | I posted a how to on ecryptfs here : http://bodhizazen.net/Tutorials/Ecryptfs/ | 00:20 |
bodhi_zazen | It still needs a bit of work, but the basic information is there | 00:20 |
bodhi_zazen | encryption is used basically to protect your personal data if your laptop or hard drive is stolen | 00:21 |
bodhi_zazen | IMO things like password protecting your BIOS and GRUB is a minor deterrent if someone has physical access | 00:21 |
bodhi_zazen | Some people like those tools, and yes it may stop a casual intruder, but they are easily defeated | 00:22 |
HymnToLife | also, if it comes down to it, some encryption tools can make encryption plausibly deniable | 00:22 |
bodhi_zazen | The disadvantage of encryption is there is a, IMO, minor performance hit | 00:22 |
bodhi_zazen | +1 HymnToLife | 00:23 |
HymnToLife | meaning that the police, government, etc. cannot *prove* you have encrypted stuff | 00:23 |
bodhi_zazen | he he he ... | 00:23 |
bodhi_zazen | Encryption can be defeated by a $ hammer applied to the solar plexus >:) | 00:23 |
bodhi_zazen | * $10 | 00:23 |
bodhi_zazen | Sometime you need to apply the hammer a few times for it to work | 00:24 |
bodhi_zazen | lol | 00:24 |
bodhi_zazen | The other disadvantage of encryption would be if you lost your password or wanted to re-install preserving /home for example | 00:24 |
bodhi_zazen | It can be done, but none of the installers will preserve /home automatically , even if it is on a separate partition and so you would need to take care to configure the encryption manually post install | 00:25 |
bodhi_zazen | Frankly, IMO, it is easier to back up your data, re-install with the defaults, and then restore your data | 00:26 |
bodhi_zazen | /end rant on encryption | 00:26 |
bodhi_zazen | :) | 00:26 |
DasEi | also a more complicated access in case of harddrive-trouble can be added to the disadvantages | 00:26 |
Hobbsee | actually, if you set a partition as /home, the installer won't try to auto-format it | 00:27 |
Hobbsee | or at least, not on recent ubuntu releases. | 00:27 |
bodhi_zazen | Oh, one more thing, you can use keys with some encryption tools to automate decryption | 00:27 |
bodhi_zazen | No it will not Hobbsee , but I will not set up LUKS or encryptfs either | 00:27 |
Hobbsee | that's true | 00:27 |
bodhi_zazen | so post install you may not be able to decrypt it | 00:27 |
bodhi_zazen | :( | 00:28 |
Hobbsee | that may not still be true for jaunty, btw. | 00:28 |
bodhi_zazen | You need to take care with encryptfs if you encrypted /home/user_name because the information was stored on the root partition | 00:28 |
maxb | Isn't all the "setup" for ecryptfs contained within the homedir anyway? | 00:28 |
bodhi_zazen | maxb: It depends on how you setup encryptfs | 00:29 |
Snova | Is encryption only to protect if somebody gets physical access to the HD? | 00:29 |
bodhi_zazen | If you used encryptfs-setup-private you will be OK | 00:29 |
maxb | bodhi_zazen: Are you talking about ecryptfs? If so, spell it's name right to avoid confusing us! | 00:29 |
maxb | oops. I fail at apostrophe usage | 00:29 |
bodhi_zazen | If you encrypted your home directory during installation, no , the key is on the root partition and linked back to $HOME | 00:29 |
HymnToLife | Snova: in the case of ecryptfs, yes | 00:30 |
bodhi_zazen | so you will lose the config info if you install over the top of root | 00:30 |
HymnToLife | however, there are other kinds of encryption | 00:30 |
bodhi_zazen | sorry, yes ecryptfs | 00:30 |
bodhi_zazen | :p | 00:30 |
HymnToLife | Snova: for example, you can encrypt files using GnuPG to send them by email | 00:30 |
HymnToLife | (or to store them for later use) | 00:31 |
maxb | Ah, right, I'm only using ecryptfs in private-subdir setup, because I disagree that encrypting the entire homedir makes sense | 00:31 |
bodhi_zazen | If your data is sensitive enough to encrypt - | 00:31 |
Snova | I am fairly familiar with encryption in general, just wondering if there is any point to an encrypted *hard drive* (should have mentioned that previously) beyond physical access. | 00:31 |
bodhi_zazen | 1. Know that if the data is decrypted, ie you mounted your Private directory or LUKS partition, or truecrypt | 00:31 |
bodhi_zazen | the data is available to the root user | 00:32 |
HymnToLife | Snova: that the only one I can think of right now, but it's a pretty big one | 00:32 |
bodhi_zazen | or any other users allowed by your permissions | 00:32 |
HymnToLife | especially nowadays when laptops are getting smaller and smaller, thus easier to lose/steal | 00:32 |
bodhi_zazen | and 2. you should take care to encrypt your back ups as well :p | 00:32 |
bodhi_zazen | Snova: Only the paranoid would encrypt the entire installation | 00:33 |
Snova | bodhi_zazen: Any amount of it, really. | 00:33 |
bodhi_zazen | This would be to prevent someone from, say, installing a rootkit from a live CD | 00:33 |
HymnToLife | bodhi_zazen: there are many good reasons to be paranoid nowadays | 00:33 |
bodhi_zazen | The two potential vulnerabilities with encryption are : | 00:34 |
DasEi | and even then you'll need extra partitions or containers to avoid online-access | 00:34 |
bodhi_zazen | 1. Someone , in theory, could recover the key from RAM | 00:34 |
bodhi_zazen | 2. Your /boot partition is not encrypted so someone could replace your kernel | 00:34 |
bodhi_zazen | +1 HymnToLife re paranoia | 00:34 |
bodhi_zazen | Snova: for others , encrypting your private directory in /home , or a data partition, or removable device may be sufficient | 00:35 |
bodhi_zazen | I guess my point is to raise awareness of the vulnerabilities of physical access and encryption as the best solution, IMO | 00:36 |
HymnToLife | s/best/only/ | 00:36 |
HymnToLife | encryption is based on math, math never cheats ;) | 00:37 |
bodhi_zazen | Well, you could wipe the drive or smash it very fast as they are breaking down your door ;) | 00:37 |
bodhi_zazen | melt it | 00:37 |
bodhi_zazen | questions on encryption ? | 00:37 |
bodhi_zazen | hint - this is your chance to ask questions | 00:38 |
bodhi_zazen | It sounds as if we have a few people here now who use encryption | 00:38 |
HymnToLife | no, I don't! | 00:39 |
HymnToLife | you can't prove anything! | 00:39 |
bodhi_zazen | Guilty by association | 00:39 |
bodhi_zazen | Off with his head | 00:39 |
DasEi | I just wonder how f.e. us-gpg needs a backdoor for nsa-related stuff, it is on ubuntu ? | 00:40 |
bodhi_zazen | We could talk a bit about iptables, root kits, antivirus | 00:40 |
bodhi_zazen | I know antivirus is boring to some, but it is a FAQ on the forums | 00:41 |
bodhi_zazen | Did anybody take a look at AppArmor ? | 00:41 |
DasEi | too less, let's talk | 00:42 |
HymnToLife | DasEi: if I understand your question, it's because the NSA doesn't like it when people use encryption they can't break :p | 00:42 |
bodhi_zazen | too less ? | 00:42 |
HymnToLife | well, they won't admit it, of course, but there's strong suspicion that the NSA-approved cryptosystems are the ones they can break | 00:43 |
DasEi | I recognized apparmor f.e. restricts file access of an apache, but am not familiar with it | 00:43 |
HymnToLife | (hence why I don't use DSA for my SSH keys) | 00:44 |
DasEi | HymnToLife: pm ? don't stop bod.. | 00:44 |
bodhi_zazen | no, this is an open discussion | 00:44 |
HymnToLife | well, you asked the question here, so I answer here :p | 00:44 |
bodhi_zazen | Or at least I hope so | 00:44 |
bodhi_zazen | DasEi: Apparmor can be used , and is most often used to "confine" network aware applications | 00:45 |
HymnToLife | or really any application | 00:45 |
DasEi | k, what I saw when mentioning harddrive encryption were different solutions ( I'm german), and from the same app, there are different releases, some of them are not legal in us | 00:45 |
bodhi_zazen | It has not been as popular as it *should* be , IMO | 00:45 |
bodhi_zazen | I posted a how to here : http://ubuntuforums.org/showthread.php?t=1008906 | 00:46 |
HymnToLife | but the network-related ones are the ones it makes most sense confining | 00:46 |
HymnToLife | since they basically process untrusted data all the time | 00:46 |
bodhi_zazen | and I am starting to post some example profiles here : http://bodhizazen.net/aa-profiles/ | 00:46 |
bodhi_zazen | Looking for contributions in face | 00:46 |
bodhi_zazen | *fact | 00:46 |
bodhi_zazen | Apparmor vs SElinux is another issue sometimes debated | 00:47 |
bodhi_zazen | Apparmor is easier to learn, but IMO takes more time to maintain | 00:47 |
bodhi_zazen | For example , you need to revise your profile when firefox is updated from 3.0.6 to 3.0.7 | 00:48 |
bodhi_zazen | ;) | 00:48 |
bodhi_zazen | You have to keep an eye on apparmor, and there are no GUI tools in Ubuntu, although SUSE has some | 00:48 |
bodhi_zazen | Any questions / comments please jump in >:) | 00:50 |
bodhi_zazen | Shifting gears a little ... | 00:50 |
bodhi_zazen | Antivirus | 00:50 |
bodhi_zazen | IMO the biggest problem with antivirus is the sheer number of false positives | 00:50 |
bodhi_zazen | If you use antivirus and you do not want to simply delete detected files, you will have to do a fair amount of detective work | 00:50 |
bodhi_zazen | Example : http://ubuntuforums.org/showthread.php?t=1106160 | 00:51 |
bodhi_zazen | Snova: can you try to connect again please ? | 00:51 |
Snova | Ok. :) | 00:51 |
bodhi_zazen | nvr mind, it is still borked | 00:52 |
Snova | bodhi_zazen: Yep. :) | 00:52 |
bodhi_zazen | I had to update for ecryptfs , but it broke screen | 00:52 |
HymnToLife | well, you can always experiment with AA by yourself in a virtual machine (so you don't get locked off your real system) | 00:53 |
HymnToLife | the basic concepts are really not hard to grasp | 00:53 |
HymnToLife | Novell advertises it as requiring only 1-2 days of training, I don't think they're very far from the truth | 00:54 |
bodhi_zazen | I agree with that | 00:54 |
bodhi_zazen | I would say I am still learning, but it took me about 4 hours to become comfortable with it | 00:54 |
bodhi_zazen | The advantage of apparmor, it has the potential to stop zero day exploits | 00:55 |
bodhi_zazen | We have 5 minutes left in this session ;) | 00:55 |
bodhi_zazen | I will run a session on this channel, same time, every 1-2 weeks depending on interest | 00:56 |
bodhi_zazen | From last week there was the suggestion we discuss permissions | 00:56 |
bodhi_zazen | Now I know most of you know basic permissions, but we can review sticky bits and if you wish acl | 00:56 |
DasEi | I've got a question to the initialization of apparmor | 00:58 |
HymnToLife | basic SSH configuration might be a good topic too | 00:58 |
HymnToLife | I'm thinking about issues like that: http://ubuntuforums.org/showthread.php?t=1107057 | 00:59 |
DasEi | what does this 'connecting to repository' mean ? isn't this a local mechanism ? | 00:59 |
HymnToLife | for those who want a bit more control than basic usernames/passwords | 00:59 |
HymnToLife | DasEi: it means downloading a few pre-made profiles for common applications, IIRC | 00:59 |
bodhi_zazen | DasEi: and HymnToLife we could have sessions on apparmor or ssh in more depth | 01:00 |
bodhi_zazen | I happen to like ssh ;) | 01:00 |
DasEi | HymnToLife: and it does for every app Iagain ? | 01:01 |
bodhi_zazen | DasEi: AppArmor was developed by Novell | 01:01 |
HymnToLife | but now they fired all the aa devs :p | 01:01 |
bodhi_zazen | And I think the idea was to have a central repository for profiles | 01:01 |
DasEi | deeper sessions.. gotta get caffeine.. great | 01:01 |
HymnToLife | I heard some of them were working for Microsoft now | 01:01 |
bodhi_zazen | for things such as say apache or what not | 01:01 |
bodhi_zazen | I do not think it has been developed, but it still comes up when you generate a profile | 01:02 |
bodhi_zazen | aa was then added to Ubuntu and we will need to see how much it is used / developed | 01:02 |
bodhi_zazen | Otherwise we will be back to SELinux :p | 01:03 |
HymnToLife | Mandriva uses AA too | 01:03 |
DasEi | sry when being annoying; apparmor follows a given app in the initial , then asks additional quests and then creates the profile, which can be altered manually again, so no need for external request.. | 01:03 |
HymnToLife | I think that's all | 01:03 |
bodhi_zazen | no DasEi | 01:03 |
bodhi_zazen | Most profiles need to be personalized anyways | 01:03 |
bodhi_zazen | PCLinuxOS ? | 01:03 |
bodhi_zazen | I have not tried that lately, but I thought they were Mandriva based. | 01:04 |
HymnToLife | I think so too, but I don't go in the RPM world often | 01:04 |
bodhi_zazen | OK, I will stay for a while if there are additional questions, otherwise 2 weeks | 01:05 |
bodhi_zazen | Any interest in having weekly sessions ? | 01:05 |
DasEi | k, reading shall heal me for now, many thanks, bodhi_zazen and all the others | 01:05 |
bodhi_zazen | topics : add them here : https://wiki.ubuntu.com/BeginnersTeam/FocusGroups/Education/Proposals | 01:05 |
bodhi_zazen | put my name by the topic and I will try to announce and cover them as we go | 01:06 |
DasEi | bodhi_zazen: nothing bad, nice would be to follow up missed ons at http://irclogs.ubuntu.com/ | 01:06 |
DasEi | *ones | 01:06 |
bodhi_zazen | In the long run the Beginners Team is hoping to do continued and more focused in depth sessions, perhaps using something such as Moodle | 01:07 |
bodhi_zazen | yes DasEi I thought ubuntu-classroom was going to post sessions, I will look into that | 01:07 |
bodhi_zazen | I do not have a way right now to log sessions | 01:07 |
bodhi_zazen | as I am @ work and accessing over mibbit | 01:07 |
DasEi | bodhi_zazen: they do, but last isn't there by now | 01:08 |
bodhi_zazen | We shall look into it then DasEi | 01:08 |
bodhi_zazen | but yes the intention is to post logs | 01:08 |
bodhi_zazen | and grow these sessions | 01:08 |
bodhi_zazen | I am hoping to spread the word and get some discussion and education going. | 01:09 |
DasEi | date -u was the greatest tip on UTC, writes this bold, lol | 01:09 |
bodhi_zazen | lol | 01:09 |
bodhi_zazen | Thank you everyone for coming | 01:09 |
DasEi | thank you for rowing | 01:10 |
bodhi_zazen | I shall spam channels with future meetings, but this time works out for most people, although not all | 01:10 |
bodhi_zazen | I hope these sessions help educate people ;) | 01:10 |
bodhi_zazen | we should learn from each other, some people know very much | 01:11 |
bodhi_zazen | we are planning to do sessions on wiki and development (packaging) | 01:11 |
_Purple_ | hi | 08:14 |
_Purple_ | is the Q and A still going on? | 08:14 |
sanzilla | hi | 10:48 |
sanzilla | is this is a newbie channel ? | 10:49 |
pleia2 | sanzilla: we use this channel for hosting classes (see the /topic for our resources), you want to use #ubuntu for tech questions | 10:49 |
sanzilla | is other than ubuntu not welcome ? | 10:50 |
_Purple_ | sanzilla, looking for a channel for newbies? | 10:55 |
sanzilla | yes | 10:55 |
_Purple_ | try #ubuntuforums-beginners | 10:56 |
sanzilla | I mean a channel for general linux | 10:56 |
sanzilla | I'm loving the xfe window manager and not KDE | 10:56 |
sanzilla | so I can't install ubuntu | 10:56 |
pleia2 | sanzilla: xubuntu is based on xfce | 10:58 |
sanzilla | I will give it a try | 10:59 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!