[00:00] 'lo everyone :)
[00:01] * Hobbsee is here & watching
[00:01] I am hoping this session can be more interactive than the last ;)
[00:01] Otherwise I was going to discuss a little on encryption
[00:02] sounds like fun
[00:02] Here is the pastebin from 2 weeks ago
[00:02] http://paste.ubuntu.com/133993/
[00:02] we covered some of the basics and I demoed apparmor in a shared ssh session
[00:02] bodhi_zazen: I tried to log in just now, got errors regarding screen profiles.
[00:02] which I can do again if you wish
[00:03] yes Snova , the shared screen session is kaput at the moment, but I can fix it if you wish
[00:03] I think ;)
[00:04] I updated the system for ecryptfs, and it borked the shared screen session
[00:08] OK, try to join the shared session Snova ;)
[00:08] sorry this was not working
[00:09] bodhi_zazen: do you have the link of the last session ( I missed ?)
[00:09] Let me ask if anyone has any questions then ?
[00:10] DasEi: I do not know off the top of my head where the logs are
[00:10] I can find them
[00:10] cprofitt: do you know ?
[00:10] Still broken.
[00:10] :(
[00:10] too bad
[00:11] know what?
[00:11] I can try one more thing ..
[00:11] cprofitt: where are the logs of these sessions posted ?
[00:11] the logs should be on the wiki page
[00:12] https://wiki.ubuntu.com/BeginnersTeam/FocusGroups/Education/Events
[00:12] I did not get any for your last session though bodhi_zazen
[00:12] oic, lol
[00:12] bodhi_zazen: I have a question
[00:12] please HymnToLife :)
[00:12] should I use DSA or RSA for my SSH keys? *evil grin*
[00:13] lol
[00:13] to be honest I am not sure it matters
[00:13] That is like asking DROP or REJECT with iptables
[00:14] If you use RSA (I think) use 1024 bits (which is now default)
[00:14] do you have a preference ?
[00:15] try again Snova ;)
[00:15] Let's talk a bit about encryption then ;)
[00:16] do people know encryption options on Ubuntu ?
[00:16] bodhi_zazen: Looks like the same thing again.
[00:16] kk Snova :(
[00:16] thanks
[00:16] bodhi_zazen: I prefer RSA
[00:16] yes, in general I do too
[00:16] DSA has been developed by the NSA, and they have had shady practices
[00:16] it seems 70% prefer RSA
[00:17] also, since SSH-2 uses DSA only for host keys encryption
[00:17] Encryption options on Ubuntu are LUKS and ecryptfs
[00:17] using is also for user keys is kind of putting all your eggs in the same basket
[00:18] using it*
[00:18] One can use truecrypt and other tools such as encryptfs and gpg
[00:18] To install an encrypted system, meaning / and swap are encrypted , use the Alternate CD
[00:19] By default this will give you a /boot partition, and LVM + LUKS
[00:19] Post install or during the install, if you wish, you can use ecryptfs to encrypt your /home/user directory, swap, or a private (or other) directory
[00:20] I posted a how to on ecryptfs here : http://bodhizazen.net/Tutorials/Ecryptfs/
[00:20] It still needs a bit of work, but the basic information is there
[00:21] encryption is used basically to protect your personal data if your laptop or hard drive is stolen
[00:21] IMO things like password protecting your BIOS and GRUB are a minor deterrent if someone has physical access
[00:22] Some people like those tools, and yes they may stop a casual intruder, but they are easily defeated
[00:22] also, if it comes down to it, some encryption tools can make encryption plausibly deniable
[00:22] The disadvantage of encryption is there is a, IMO, minor performance hit
[00:23] +1 HymnToLife
[00:23] meaning that the police, government, etc. cannot *prove* you have encrypted stuff
[00:23] he he he ...
[00:23] Encryption can be defeated by a $ hammer applied to the solar plexus >:)
[00:23] * $10
[00:24] Sometimes you need to apply the hammer a few times for it to work
[00:24] lol
[00:24] The other disadvantage of encryption would be if you lost your password or wanted to re-install preserving /home for example
[00:25] It can be done, but none of the installers will preserve /home automatically , even if it is on a separate partition and so you would need to take care to configure the encryption manually post install
[00:26] Frankly, IMO, it is easier to back up your data, re-install with the defaults, and then restore your data
[00:26] /end rant on encryption
[00:26] :)
[00:26] also a more complicated access in case of harddrive-trouble can be added to the disadvantages
[00:27] actually, if you set a partition as /home, the installer won't try to auto-format it
[00:27] or at least, not on recent ubuntu releases.
[00:27] Oh, one more thing, you can use keys with some encryption tools to automate decryption
[00:27] No it will not Hobbsee , but I will not set up LUKS or encryptfs either
[00:27] that's true
[00:27] so post install you may not be able to decrypt it
[00:28] :(
[00:28] that may not still be true for jaunty, btw.
[00:28] You need to take care with encryptfs if you encrypted /home/user_name because the information was stored on the root partition
[00:28] Isn't all the "setup" for ecryptfs contained within the homedir anyway?
[00:29] maxb: It depends on how you set up encryptfs
[00:29] Is encryption only to protect if somebody gets physical access to the HD?
[00:29] If you used encryptfs-setup-private you will be OK
[00:29] bodhi_zazen: Are you talking about ecryptfs? If so, spell it's name right to avoid confusing us!
[00:29] oops. I fail at apostrophe usage
[00:29] If you encrypted your home directory during installation, no , the key is on the root partition and linked back to $HOME
[00:30] Snova: in the case of ecryptfs, yes
[00:30] so you will lose the config info if you install over the top of root
[00:30] however, there are other kinds of encryption
[00:30] sorry, yes ecryptfs
[00:30] :p
[00:30] Snova: for example, you can encrypt files using GnuPG to send them by email
[00:31] (or to store them for later use)
[00:31] Ah, right, I'm only using ecryptfs in private-subdir setup, because I disagree that encrypting the entire homedir makes sense
[00:31] If your data is sensitive enough to encrypt -
[00:31] I am fairly familiar with encryption in general, just wondering if there is any point to an encrypted *hard drive* (should have mentioned that previously) beyond physical access.
[00:31] 1. Know that if the data is decrypted, ie you mounted your Private directory or LUKS partition, or truecrypt
[00:32] the data is available to the root user
[00:32] Snova: that's the only one I can think of right now, but it's a pretty big one
[00:32] or any other users allowed by your permissions
[00:32] especially nowadays when laptops are getting smaller and smaller, thus easier to lose/steal
[00:32] and 2. you should take care to encrypt your back ups as well :p
[00:33] Snova: Only the paranoid would encrypt the entire installation
[00:33] bodhi_zazen: Any amount of it, really.
[00:33] This would be to prevent someone from say installing a rootkit from a live CD
[00:33] bodhi_zazen: there are many good reasons to be paranoid nowadays
[00:34] The two potential vulnerabilities with encryption are :
[00:34] and even then you'll need extra partitions or containers to avoid online-access
[00:34] 1. Someone , in theory, could recover the key from RAM
[00:34] 2. Your /boot partition is not encrypted so someone could replace your kernel
[00:34] +1 HymnToLife re paranoia
[00:35] Snova: for others , encrypting your private directory in /home , or a data partition, or removable device may be sufficient
[00:36] I guess my point is to raise awareness of the vulnerabilities of physical access and encryption as the best solution, IMO
[00:36] s/best/only/
[00:37] encryption is based on math, math never cheats ;)
[00:37] Well, you could wipe the drive or smash it very fast as they are breaking down your door ;)
[00:37] melt it
[00:37] questions on encryption ?
[00:38] hint - this is your chance to ask questions
[00:38] It sounds as if we have a few people here now who use encryption
[00:39] no, I don't!
[00:39] you can't prove anything!
[00:39] Guilty by association
[00:39] Off with his head
[00:40] I just wonder how f.e. us-gpg needs a backdoor for nsa-related stuff, it is on ubuntu ?
[00:40] We could talk a bit about iptables, root kits, antivirus
[00:41] I know antivirus is boring to some, but it is a FAQ on the forums
[00:41] Did anybody take a look at AppArmor ?
[00:42] too less, let's talk
[00:42] DasEi: if I understand your question, it's because the NSA doesn't like it when people use encryption they can't break :p
[00:42] too less ?
[00:43] well, they won't admit it, of course, but there's strong suspicion that the NSA-approved cryptosystems are the ones they can break
[00:43] I recognized apparmor f.e. restricts file access of an apache, but am not familiar with it
[00:44] (hence why I don't use DSA for my SSH keys)
[00:44] HymnToLife: pm ? don't stop bod..
[00:44] no, this is an open discussion
[00:44] well, you asked the question here, so I answer here :p
[00:44] Or at least I hope so
[00:45] DasEi: Apparmor can be used , and is most often used to "confine" network aware applications
[00:45] or really any application
[00:45] k, what I saw when mentioning harddrive encryption were different solutions ( I'm german), and from the same app, there are different releases, some of them are not legal in us
[00:45] It has not been as popular as it *should* be , IMO
[00:46] I posted a how to here : http://ubuntuforums.org/showthread.php?t=1008906
[00:46] but the network-related ones are the ones it makes most sense confining
[00:46] since they basically process untrusted data all the time
[00:46] and I am starting to post some example profiles here : http://bodhizazen.net/aa-profiles/
[00:46] Looking for contributions in face
[00:46] *fact
[00:47] Apparmor vs SElinux is another issue sometimes debated
[00:47] Apparmor is easier to learn, but IMO takes more time to maintain
[00:48] For example , you need to revise your profile when firefox is updated from 3.0.6 to 3.0.7
[00:48] ;)
[00:48] You have to keep an eye on apparmor, and there are no GUI tools in Ubuntu, although SUSE has some
[00:50] Any questions / comments please jump in >:)
[00:50] Shifting gears a little ...
[00:50] Antivirus
[00:50] IMO the biggest problem with antivirus is the sheer number of false positives
[00:50] If you use antivirus and you do not want to simply delete detected files, you will have to do a fair amount of detective work
[00:51] Example : http://ubuntuforums.org/showthread.php?t=1106160
[00:51] Snova: can you try to connect again please ?
[00:51] Ok. :)
[00:52] nvr mind, it is still borked
[00:52] bodhi_zazen: Yep. :)
[00:52] I had to update for ecryptfs , but it broke screen
[00:53] well, you can always experiment with AA by yourself in a virtual machine (so you don't get locked out of your real system)
[00:53] the basic concepts are really not hard to grasp
[00:54] Novell advertises it as requiring only 1-2 days of training, I don't think they're very far from the truth
[00:54] I agree with that
[00:54] I would say I am still learning, but it took me about 4 hours to become comfortable with it
[00:55] The advantage of apparmor, it has the potential to stop zero day exploits
[00:55] We have 5 minutes left in this session ;)
[00:56] I will run a session on this channel, same time, every 1-2 weeks depending on interest
[00:56] From last week there was the suggestion we discuss permissions
[00:56] Now I know most of you know basic permissions, but we can review sticky bits and if you wish acl
[00:58] I've got a question on the initialization of apparmor
[00:58] basic SSH configuration might be a good topic too
[00:59] I'm thinking about issues like that: http://ubuntuforums.org/showthread.php?t=1107057
[00:59] what does this 'connecting to repository' mean ? isn't this a local mechanism ?
[00:59] for those who want a bit more control than basic usernames/passwords
[00:59] DasEi: it means downloading a few pre-made profiles for common applications, IIRC
[01:00] DasEi: and HymnToLife we could have sessions on apparmor or ssh in more depth
[01:00] I happen to like ssh ;)
[01:01] HymnToLife: and it does so for every app again ?
[01:01] DasEi: AppArmor was developed by Novell
[01:01] but now they fired all the aa devs :p
[01:01] And I think the idea was to have a central repository for profiles
[01:01] deeper sessions.. gotta get caffeine.. great
[01:01] I heard some of them were working for Microsoft now
[01:01] for things such as say apache or what not
[01:02] I do not think it has been developed, but it still comes up when you generate a profile
[01:02] aa was then added to Ubuntu and we will need to see how much it is used / developed
[01:03] Otherwise we will be back to SELinux :p
[01:03] Mandriva uses AA too
[01:03] sry when being annoying; apparmor follows a given app in the initial run, then asks additional questions and then creates the profile, which can be altered manually again, so no need for an external request..
[01:03] I think that's all
[01:03] no DasEi
[01:03] Most profiles need to be personalized anyways
[01:03] PCLinuxOS ?
[01:04] I have not tried that lately, but I thought they were Mandriva based.
[01:04] I think so too, but I don't go in the RPM world often
[01:05] OK, I will stay for a while if there are additional questions, otherwise 2 weeks
[01:05] Any interest in having weekly sessions ?
[01:05] k, reading shall heal me for now, many thanks, bodhi_zazen and all the others
[01:05] topics : add them here : https://wiki.ubuntu.com/BeginnersTeam/FocusGroups/Education/Proposals
[01:06] put my name by the topic and I will try to announce and cover them as we go
[01:06] bodhi_zazen: nothing bad, nice would be to follow up missed ons at http://irclogs.ubuntu.com/
[01:06] *ones
[01:07] In the long run the Beginners Team is hoping to do continued and more focused in depth sessions, perhaps using something such as Moodle
[01:07] yes DasEi I thought ubuntu-classroom was going to post sessions, I will look into that
[01:07] I do not have a way right now to log sessions
[01:07] as I am @ work and accessing over mibbit
[01:08] bodhi_zazen: they do, but the last isn't there by now
[01:08] We shall look into it then DasEi
[01:08] but yes the intention is to post logs
[01:08] and grow these sessions
[01:09] I am hoping to spread the word and get some discussion and education going.
[01:09] date -u was the greatest tip on UTC, writes this bold, lol
[01:09] lol
[01:09] Thank you everyone for coming
[01:10] thank you for rowing
[01:10] I shall spam channels with future meetings, but this time works out for most people, although not all
[01:10] I hope these sessions help educate people ;)
[01:11] we should learn from each other, some people know very much
[01:11] we are planning to do sessions on wiki and development (packaging)
[08:14] <_Purple_> hi
[08:14] <_Purple_> is the Q and A still going on?
[10:48] hi
[10:49] is this a newbie channel ?
[10:49] sanzilla: we use this channel for hosting classes (see the /topic for our resources), you want to use #ubuntu for tech questions
[10:50] is other than ubuntu not welcome ?
[10:55] <_Purple_> sanzilla, looking for a channel for newbies?
[10:55] yes
[10:56] <_Purple_> try #ubuntuforums-beginners
[10:56] I mean a channel for general linux
[10:56] I love the xfce window manager and not KDE
[10:56] so I can't install ubuntu
[10:58] sanzilla: xubuntu is based on xfce
[10:59] I will give it a try
=== _Purple_ is now known as __Purple__
=== __Purple__ is now known as ___Purple___
=== ___Purple___ is now known as _Purple_
=== MaWaLe1 is now known as MaWaLe
=== __Purple__ is now known as _Purple_
=== amigos is now known as sua
=== sua is now known as Amigos
=== __Purple__ is now known as _Purple_