[00:00] <bodhi_zazen> 'lo everyone :)
[00:01]  * Hobbsee is here & watching
[00:01] <bodhi_zazen> I am hoping this session can be more interactive than the last ;)
[00:01] <bodhi_zazen> Otherwise I was going to discuss a little on encryption
[00:02] <HymnToLife> sounds like fun
[00:02] <bodhi_zazen> Here is the pastebin from 2 weeks ago
[00:02] <bodhi_zazen> http://paste.ubuntu.com/133993/
[00:02] <bodhi_zazen> we covered some of the basics and I demoed apparmor in a shared ssh session
[00:02] <Snova> bodhi_zazen: I tried to log in just now, got errors regarding screen profiles.
[00:02] <bodhi_zazen> which I can do again if you wish
[00:03] <bodhi_zazen> yes Snova , the shared screen session is kaput at the moment, but I can fix it if you wish
[00:03] <bodhi_zazen> I think ;)
[00:04] <bodhi_zazen> I updated the system for ecryptfs, and it borked the shared screen session
[00:08] <bodhi_zazen> OK, try to join the shared session Snova ;)
[00:08] <bodhi_zazen> sorry this was not working
[00:09] <DasEi> bodhi_zazen: do you have the link of the last session ( I missed ?)
[00:09] <bodhi_zazen> Let me ask if anyone has any questions then ?
[00:10] <bodhi_zazen> DasEi: I do not know off the top of my head where the logs are
[00:10] <bodhi_zazen> I can find them
[00:10] <bodhi_zazen> cprofitt: do you know ?
[00:10] <Snova> Still broken.
[00:10] <bodhi_zazen> :(
[00:10] <bodhi_zazen> too bad
[00:11] <cprofitt> know what?
[00:11] <bodhi_zazen> I can try one more thing ..
[00:11] <bodhi_zazen> cprofitt: where logs of these sessions are posted ?
[00:11] <cprofitt> the logs should be on the wiki page
[00:12] <cprofitt> https://wiki.ubuntu.com/BeginnersTeam/FocusGroups/Education/Events
[00:12] <cprofitt> I did not get any for your last session though bodhi_zazen
[00:12] <bodhi_zazen> oic, lol
[00:12] <HymnToLife> bodhi_zazen: I have a question
[00:12] <bodhi_zazen> please HymnToLife :)
[00:12] <HymnToLife> should I use DSA or RSA for my SSH keys? *evil grin*
[00:13] <bodhi_zazen> lol
[00:13] <bodhi_zazen> to be honest I am not sure it matters
[00:13] <bodhi_zazen> That is like asking DROP or REJECT with iptables
[00:14] <bodhi_zazen> If you use RSA (I think) use 1024 bits (which is now default)
[00:14] <bodhi_zazen> do you have a preference ?
[00:15] <bodhi_zazen> try again Snova ;)
[00:15] <bodhi_zazen> Lets talk a bit about encryption then ;)
[00:16] <bodhi_zazen> do people know encryption options on Ubuntu ?
[00:16] <Snova> bodhi_zazen: Looks like the same thing again.
[00:16] <bodhi_zazen> kk Snova :(
[00:16] <bodhi_zazen> thanks
[00:16] <HymnToLife> bodhi_zazen: I prefer RSA
[00:16] <bodhi_zazen> yes, in general I do too
[00:16] <HymnToLife> DSA has been developed by the NSA, and they have had shady practices
[00:16] <bodhi_zazen> it seems 70% prefer RSA
[00:17] <HymnToLife> also, since SSH-2 uses DSA only for host keys encryption
[00:17] <bodhi_zazen> Encryption options on Ubuntu are LUKS and ecryptfs
[00:17] <HymnToLife> using is also for user keys is kind of putting all your eggs in the same basket
[00:18] <HymnToLife> using it*
[00:18] <bodhi_zazen> One can use truecrypt and other tools such as encryptfs and gpg
[00:18] <bodhi_zazen> To install an encrypted system, meaning / and swap are encrypted , use the Alternate CD
[00:19] <bodhi_zazen> By default this will give you a /boot partition, and LVM + LUKS
[00:19] <bodhi_zazen> Post install or during the install, if you wish, you can use ecryptfs to encrypt your /home/user directory, swap, or a private (or other) directories
[00:20] <bodhi_zazen> I posted a how to on ecryptfs here : http://bodhizazen.net/Tutorials/Ecryptfs/
[00:20] <bodhi_zazen> It still needs a bit of work, but the basic information is there
[00:21] <bodhi_zazen> encryption is used basically to protect your personal data if your laptop or hard drive is stolen
[00:21] <bodhi_zazen> IMO things like password protecting your BIOS and GRUB is a minor deterrent if someone has physical access
[00:22] <bodhi_zazen> Some people like those tools, and yes it may stop a casual intruder, but they are easily defeated
[00:22] <HymnToLife> also, if it comes down to it, some encryption tools can make encryption plausibly deniable
[00:22] <bodhi_zazen> The disadvantage of encryption is there is a, IMO, minor performance hit
[00:23] <bodhi_zazen> +1 HymnToLife
[00:23] <HymnToLife> meaning that the police, government, etc. cannot *prove* you have encrypted stuff
[00:23] <bodhi_zazen> he he he ...
[00:23] <bodhi_zazen> Encryption can be defeated by a $ hammer applied to the solar plexus >:)
[00:23] <bodhi_zazen> * $10
[00:24] <bodhi_zazen> Sometimes you need to apply the hammer a few times for it to work
[00:24] <bodhi_zazen> lol
[00:24] <bodhi_zazen> The other disadvantage of encryption would be if you lost your password or wanted to re-install preserving /home for example
[00:25] <bodhi_zazen> It can be done, but none of the installers will preserve /home automatically , even if it is on a separate partition and so you would need to take care to configure the encryption manually post install
[00:26] <bodhi_zazen> Frankly, IMO, it is easier to back up your data, re-install with the defaults, and then restore your data
[00:26] <bodhi_zazen>  /end rant on encryption
[00:26] <bodhi_zazen> :)
[00:26] <DasEi> also a more complicated access in case of harddrive-trouble can be added to the disadvantages
[00:27] <Hobbsee> actually, if you set a partition as /home, the installer won't try to auto-format it
[00:27] <Hobbsee> or at least, not on recent ubuntu releases.
[00:27] <bodhi_zazen> Oh, one more thing, you can use keys with some encryption tools to automate decryption
[00:27] <bodhi_zazen> No it will not Hobbsee , but I will not set up LUKS or encryptfs either
[00:27] <Hobbsee> that's true
[00:27] <bodhi_zazen> so post install you may not be able to decrypt it
[00:28] <bodhi_zazen> :(
[00:28] <Hobbsee> that may not still be true for jaunty, btw.
[00:28] <bodhi_zazen> You need to take care with encryptfs if you encrypted /home/user_name because the information was stored on the root partition
[00:28] <maxb> Isn't all the "setup" for ecryptfs contained within the homedir anyway?
[00:29] <bodhi_zazen> maxb: It depends on how you setup encryptfs
[00:29] <Snova> Is encryption only to protect if somebody gets physical access to the HD?
[00:29] <bodhi_zazen> If you used encryptfs-setup-private you will be OK
[00:29] <maxb> bodhi_zazen: Are you talking about ecryptfs? If so, spell it's name right to avoid confusing us!
[00:29] <maxb> oops. I fail at apostrophe usage
[00:29] <bodhi_zazen> If you encrypted your home directory during installation, no , the key is on the root partition and linked back to $HOME
[00:30] <HymnToLife> Snova: in the case of ecryptfs, yes
[00:30] <bodhi_zazen> so you will lose the config info if you install over the top of root
[00:30] <HymnToLife> however, there are other kinds of encryption
[00:30] <bodhi_zazen> sorry, yes ecryptfs
[00:30] <bodhi_zazen> :p
[00:30] <HymnToLife> Snova: for example, you can encrypt files using GnuPG to send them by email
[00:31] <HymnToLife> (or to store them for later use)
[00:31] <maxb> Ah, right, I'm only using ecryptfs in private-subdir setup, because I disagree that encrypting the entire homedir makes sense
[00:31] <bodhi_zazen> If your data is sensitive enough to encrypt -
[00:31] <Snova> I am fairly familiar with encryption in general, just wondering if there is any point to an encrypted *hard drive* (should have mentioned that previously) beyond physical access.
[00:31] <bodhi_zazen> 1. Know that if the data is decrypted, ie you mounted your Private directory or LUKS partition, or truecrypt
[00:32] <bodhi_zazen> the data is available to the root user
[00:32] <HymnToLife> Snova: that's the only one I can think of right now, but it's a pretty big one
[00:32] <bodhi_zazen> or any other users allowed by your permissions
[00:32] <HymnToLife> especially nowadays when laptops are getting smaller and smaller, thus easier to lose/steal
[00:32] <bodhi_zazen> and 2. you should take care to encrypt your back ups as well :p
[00:33] <bodhi_zazen> Snova: Only the paranoid would encrypt the entire installation
[00:33] <Snova> bodhi_zazen: Any amount of it, really.
[00:33] <bodhi_zazen> This would be to prevent someone from say installing a rootkit from a live CD
[00:33] <HymnToLife> bodhi_zazen: there are many good reasons to be paranoid nowadays
[00:34] <bodhi_zazen> The two potential vulnerabilities with encryption are :
[00:34] <DasEi> and even then you'll need extra partitions or containers to avoid online-access
[00:34] <bodhi_zazen> 1. Someone , in theory, could recover the key from RAM
[00:34] <bodhi_zazen> 2. Your /boot partition is not encrypted so someone could replace your kernel
[00:34] <bodhi_zazen> +1 HymnToLife re paranoia
[00:35] <bodhi_zazen> Snova: for others , encrypting your private directory in /home , or a data partition, or removable device may be sufficient
[00:36] <bodhi_zazen> I guess my point is to raise awareness of the vulnerabilities of physical access and encryption as the best solution, IMO
[00:36] <HymnToLife> s/best/only/
[00:37] <HymnToLife> encryption is based on math, math never cheats ;)
[00:37] <bodhi_zazen> Well, you could wipe the drive or smash it very fast as they are breaking down your door ;)
[00:37] <bodhi_zazen> melt it
[00:37] <bodhi_zazen> questions on encryption ?
[00:38] <bodhi_zazen> hint - this is your chance to ask questions
[00:38] <bodhi_zazen> It sounds as if we have a few people here now who use encryption
[00:39] <HymnToLife> no, I don't!
[00:39] <HymnToLife> you can't prove anything!
[00:39] <bodhi_zazen> Guilty by association
[00:39] <bodhi_zazen> Off with his head
[00:40] <DasEi> I just wonder how f.e. us-gpg needs a backdoor for nsa-related stuff, it is on ubuntu ?
[00:40] <bodhi_zazen> We could talk a bit about iptables, root kits, antivirus
[00:41] <bodhi_zazen> I know antivirus is boring to some, but it is a FAQ on the forums
[00:41] <bodhi_zazen> Did anybody take a look at AppArmor ?
[00:42] <DasEi> too less, let's talk
[00:42] <HymnToLife> DasEi: if I understand your question, it's because the NSA doesn't like it when people use encryption they can't break :p
[00:42] <bodhi_zazen> too less ?
[00:43] <HymnToLife> well, they won't admit it, of course, but there's strong suspicion that the NSA-approved cryptosystems are the ones they can break
[00:43] <DasEi> I recognized apparmor f.e. restricts file access of an apache, but are not familiar with it
[00:44] <HymnToLife> (hence why I don't use DSA for my SSH keys)
[00:44] <DasEi> HymnToLife: pm ? don't stop bod..
[00:44] <bodhi_zazen> no, this is an open discussion
[00:44] <HymnToLife> well, you asked the question here, so I answer here :p
[00:44] <bodhi_zazen> Or at least I hope so
[00:45] <bodhi_zazen> DasEi: Apparmor can be used , and is most often used to "confine" network aware applications
[00:45] <HymnToLife> or really any application
[00:45] <DasEi> k, what I saw when mentioning harddrive encryption where different solutions ( I'm german), and from the same app, there are different releases, some of them are not legal in us
[00:45] <bodhi_zazen> It has not been as popular as it *should* be , IMO
[00:46] <bodhi_zazen> I posted a how to here : http://ubuntuforums.org/showthread.php?t=1008906
[00:46] <HymnToLife> but the network-related ones are the one it makes most sense confining
[00:46] <HymnToLife> since they basically process untrusted data all the time
[00:46] <bodhi_zazen> and I am starting to post some example profiles here : http://bodhizazen.net/aa-profiles/
[00:46] <bodhi_zazen> Looking for contributions in face
[00:46] <bodhi_zazen> *fact
[00:47] <bodhi_zazen> Apparmor vs SElinux is another issue sometimes debated
[00:47] <bodhi_zazen> Apparmor is easier to learn, but IMO takes more time to maintain
[00:48] <bodhi_zazen> For example , you need to revise your profile when firefox is updated from 3.0.6 to 3.0.7
[00:48] <bodhi_zazen> ;)
[00:48] <bodhi_zazen> You have to keep an eye on apparmor, and there are no GUI tools in Ubuntu, although SUSE has some
[00:50] <bodhi_zazen> Any questions / comments please jump in >:)
[00:50] <bodhi_zazen> Shifting gears a little ...
[00:50] <bodhi_zazen> Antivirus
[00:50] <bodhi_zazen> IMO the biggest problem with antivirus is the sheer numbers of false positives
[00:50] <bodhi_zazen> If you use antivirus and you do not want to simply delete detected files, you will have to do a fair amount of detective work
[00:51] <bodhi_zazen> Example : http://ubuntuforums.org/showthread.php?t=1106160
[00:51] <bodhi_zazen> Snova: can you try to connect again please ?
[00:51] <Snova> Ok. :)
[00:52] <bodhi_zazen> nvr mind, it is still borked
[00:52] <Snova> bodhi_zazen: Yep. :)
[00:52] <bodhi_zazen> I had to update for ecryptfs , but it broke screen
[00:53] <HymnToLife> well, you can always experiment with AA by yourself in a virtual machine (so you don't get locked off your real system)
[00:53] <HymnToLife> the basic concepts are really not hard to grasp
[00:54] <HymnToLife> Novell advertises it as requiring only 1-2 days of training, I don't think they're very far from the truth
[00:54] <bodhi_zazen> I agree with that
[00:54] <bodhi_zazen> I would say I am still learning, but it took me about 4 hours to become comfortable with it
[00:55] <bodhi_zazen> The advantage of apparmor, it has the potential to stop zero day exploits
[00:55] <bodhi_zazen> We have 5 minutes left in this session ;)
[00:56] <bodhi_zazen> I will run a session on this channel, same time, every 1-2 weeks depending on interest
[00:56] <bodhi_zazen> From last week there was the suggestion we discuss permissions
[00:56] <bodhi_zazen> Now I know most of you know basic permissions, but we can review sticky bits and if you wish acl
[00:58] <DasEi> I've got a question to the initialization of apparmor
[00:58] <HymnToLife> basic SSH configuration might be a good topic too
[00:59] <HymnToLife> I'm thinking about Issues like that: http://ubuntuforums.org/showthread.php?t=1107057
[00:59] <DasEi> what does this 'connecting to repository mean ? isn't this a local mechanism ?
[00:59] <HymnToLife> for those who want a bit more control than basic usernames/passwords
[00:59] <HymnToLife> DasEi: it means downloading a few pre-made profiles for common applications, IIRC
[01:00] <bodhi_zazen> DasEi: and HymnToLife we could have sessions on apparmor or ssh in more depth
[01:00] <bodhi_zazen> I happen to like ssh ;)
[01:01] <DasEi> HymnToLife: and it does for every app again ?
[01:01] <bodhi_zazen> DasEi: AppArmor was developed by Novell
[01:01] <HymnToLife> but now they fired all the aa devs :p
[01:01] <bodhi_zazen> And I think the idea was to have a central repository for profiles
[01:01] <DasEi> deeper sessions.. gotta get caffeine.. great
[01:01] <HymnToLife> I heard some of them were working for Microsoft now
[01:01] <bodhi_zazen> for things such as say apache or what not
[01:02] <bodhi_zazen> I do not think it has been developed, but it still comes up when you generate a profile
[01:02] <bodhi_zazen> aa was then added to Ubuntu and we will need to see how much it is used / developed
[01:03] <bodhi_zazen> Otherwise we will be back to SELinux :p
[01:03] <HymnToLife> Mandriva uses AA too
[01:03] <DasEi> sry when bein annoying; apparmor follows an given app in the inital , then asks additional quests and then creates the profile, which can be altered manually again, so no need for external request..
[01:03] <HymnToLife> I think that's all
[01:03] <bodhi_zazen> no DasEi
[01:03] <bodhi_zazen> Most profiles need to be personalized anyways
[01:03] <bodhi_zazen> PCLinuxOS ?
[01:04] <bodhi_zazen> I have not tried that lately, but I thought they were Mandriva based.
[01:04] <HymnToLife> I think so too, but I don't go in the RPM world often
[01:05] <bodhi_zazen> OK, I will stay for a while if there are additional questions, otherwise 2 weeks
[01:05] <bodhi_zazen> Any interest in having weekly sessions ?
[01:05] <DasEi> k, reading shall heal me for now, many thanks, bodhi_zazen and all the others
[01:05] <bodhi_zazen> topics : add them here : https://wiki.ubuntu.com/BeginnersTeam/FocusGroups/Education/Proposals
[01:06] <bodhi_zazen> put my name by the topic and I will try to announce and cover them as we go
[01:06] <DasEi> bodhi_zazen: nothing bad, nice would be to follow up missed ons at http://irclogs.ubuntu.com/
[01:06] <DasEi> *ones
[01:07] <bodhi_zazen> In the long run the Beginners Team is hoping to do continued and more focused in depth sessions, perhaps using something such as Moodle
[01:07] <bodhi_zazen> yes DasEi I thought ubuntu-classroom was going to post sessions, I will look into that
[01:07] <bodhi_zazen> I do not have a way right now to log sessions
[01:07] <bodhi_zazen> as I am @ work and accessing over mibbit
[01:08] <DasEi> bodhi_zazen:they do, but last isn't there by now
[01:08] <bodhi_zazen> We shall look into it then DasEi
[01:08] <bodhi_zazen> but yes the intention is to post logs
[01:08] <bodhi_zazen> and grow these sessions
[01:09] <bodhi_zazen> I am hoping to spread the word and get some discussion and education going.
[01:09] <DasEi> date -u was the greatest tip on UTC, writes this bold, lol
[01:09] <bodhi_zazen> lol
[01:09] <bodhi_zazen> Thank you everyone for coming
[01:10] <DasEi> thank you for rowing
[01:10] <bodhi_zazen> I shall spam channels with future meetings, but this time works out for most people, although not all
[01:10] <bodhi_zazen> I hope these sessions help educate people ;)
[01:11] <bodhi_zazen> we should learn from each other, some people know very much
[01:11] <bodhi_zazen> we are planning to do sessions on wiki and development (packaging)
[08:14] <_Purple_> hi
[08:14] <_Purple_> is the Q and A still going on?
[10:48] <sanzilla> hi
[10:49] <sanzilla> is this a newbie channel ?
[10:49] <pleia2> sanzilla: we use this channel for hosting classes (see the /topic for our resources), you want to use #ubuntu for tech questions
[10:50] <sanzilla> is other than ubuntu isn't welcome ?
[10:55] <_Purple_> sanzilla, looking for a channel for newbies?
[10:55] <sanzilla> yes
[10:56] <_Purple_> try #ubuntuforums-beginners
[10:56] <sanzilla> I mean a channel for general linux
[10:56] <sanzilla> I loving the xfe windows manager and not KDE
[10:56] <sanzilla> so I can't install ubuntu
[10:58] <pleia2> sanzilla: xubuntu is based on xfce
[10:59] <sanzilla> I will give up a try